authorJan Bartel2015-11-24 21:58:27 -0500
committerJan Bartel2015-11-24 21:58:27 -0500
commit6e37f4886a4e04c0505d478e57122c13e6c25fd3 (patch)
tree80876efbfcc49258e61f66070e78a58a30633805 /jetty-security/src/main/java/org/eclipse
parent648ab51afa7d705554f2902aae6890a4c547bdb4 (diff)
Refactor jaas login sequence to only fetch role data if user is authenticated according to that module.
Diffstat (limited to 'jetty-security/src/main/java/org/eclipse')
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java73
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java114
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java39
3 files changed, 216 insertions, 10 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
index 5d606528ee..659083b7cf 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/HashLoginService.java
@@ -19,7 +19,11 @@
package org.eclipse.jetty.security;
import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import org.eclipse.jetty.security.MappedLoginService.KnownUser;
import org.eclipse.jetty.security.PropertyUserStore.UserListener;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.Scanner;
@@ -54,6 +58,36 @@ public class HashLoginService extends MappedLoginService implements UserListener
private Resource _configResource;
private Scanner _scanner;
private boolean hotReload = false; // default is not to reload
+
+
+
+ public class HashKnownUser extends KnownUser
+ {
+ String[] _roles;
+
+ /**
+ * @param name
+ * @param credential
+ */
+ public HashKnownUser(String name, Credential credential)
+ {
+ super(name, credential);
+ }
+
+
+
+ public void setRoles (String[] roles)
+ {
+ _roles = roles;
+ }
+
+ public String[] getRoles()
+ {
+ return _roles;
+ }
+ }
+
+
/* ------------------------------------------------------------ */
public HashLoginService()
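Review bot: `HashKnownUser` stores and returns the caller's `String[]` as-is in `setRoles`/`getRoles`, so whoever holds that array can alter the user's roles after the principal has been built; copy on both sides, `_roles = roles == null ? null : roles.clone();` and `return _roles == null ? null : _roles.clone();`. It is also a non-static inner class, so every principal carries a hidden reference to its `HashLoginService`; `public static class HashKnownUser` avoids that if `KnownUser` itself permits it, and the same applies to `JDBCKnownUser` in JDBCLoginService.java. Nothing in this commit constructs a `HashKnownUser` (`loadUserInfo` below casts the store's own principal instead), so it appears unused as of this change — confirm before keeping it. The constructor Javadoc has empty `@param` tags; fill them in or drop the comment.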
@@ -163,6 +197,41 @@ public class HashLoginService extends MappedLoginService implements UserListener
// TODO: Consider refactoring MappedLoginService to not have to override with unused methods
}
+
+
+ @Override
+ protected String[] loadRoleInfo(KnownUser user)
+ {
+ UserIdentity id = _propertyUserStore.getUserIdentity(user.getName());
+ if (id == null)
+ return null;
+
+
+ Set<RolePrincipal> roles = id.getSubject().getPrincipals(RolePrincipal.class);
+ if (roles == null)
+ return null;
+
+ List<String> list = new ArrayList<>();
+ for (RolePrincipal r:roles)
+ list.add(r.getName());
+
+ return list.toArray(new String[roles.size()]);
+ }
+
+ @Override
+ protected KnownUser loadUserInfo(String userName)
+ {
+ UserIdentity id = _propertyUserStore.getUserIdentity(userName);
+ if (id != null)
+ {
+ return (KnownUser)id.getUserPrincipal();
+ }
+
+ return null;
+ }
+
+
+
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
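Review bot: `loadUserInfo` relies on an unchecked cast at `return (KnownUser)id.getUserPrincipal();`, and nothing in this hunk shows that `PropertyUserStore` creates its principals as `KnownUser`; if it uses another `UserPrincipal` subtype, an attempted login fails with a `ClassCastException` rather than a clean refusal, so guard it with `instanceof` and return null otherwise. In `loadRoleInfo`, `Subject.getPrincipals(Class)` returns an empty set rather than null when the subject has no roles, so the `if (roles == null) return null;` branch is dead, and the array is sized from `roles.size()` while filled from `list`; `return list.toArray(new String[list.size()]);` reads more clearly. Neither method has a Javadoc; a one-liner such as `/** Looks up the principal for {@code userName} in the property store, or null if unknown. */` would document the null contract that `MappedLoginService.login` now depends on.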
@@ -204,9 +273,11 @@ public class HashLoginService extends MappedLoginService implements UserListener
{
if (LOG.isDebugEnabled())
LOG.debug("update: " + userName + " Roles: " + roleArray.length);
- putUser(userName,credential,roleArray);
+ //TODO need to remove and replace the authenticated user?
}
+
+
/* ------------------------------------------------------------ */
@Override
public void remove(String userName)
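Review bot: `update` no longer refreshes the cached identity — the removed `putUser(userName,credential,roleArray);` was the only thing applying a hot-reloaded change, and its replacement is a TODO, so a user whose password was changed or whose roles were revoked in the properties file keeps authenticating with the old values held in `_users` until restart. At minimum evict the stale entry so the next login goes back through `loadUserInfo`/`loadRoleInfo`: replace the TODO with `removeUser(userName);` (`removeUser(String)` is visible in the MappedLoginService.java diff). `credential` and `roleArray` are now used only for the debug message, which makes the parameters read as dead. The body of `update` begins above this hunk.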
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
index 089b894911..9153064ae1 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/JDBCLoginService.java
@@ -77,6 +77,32 @@ public class JDBCLoginService extends MappedLoginService
protected String _userSql;
protected String _roleSql;
+
+ /**
+ * JDBCKnownUser
+ *
+ *
+ */
+ public class JDBCKnownUser extends KnownUser
+ {
+ int _userKey;
+
+ /**
+ * @param name
+ * @param credential
+ */
+ public JDBCKnownUser(String name, Credential credential, int key)
+ {
+ super(name, credential);
+ _userKey = key;
+ }
+
+
+ public int getUserKey ()
+ {
+ return _userKey;
+ }
+ }
/* ------------------------------------------------------------ */
public JDBCLoginService()
@@ -231,7 +257,7 @@ public class JDBCLoginService extends MappedLoginService
}
/* ------------------------------------------------------------ */
- @Override
+ @Deprecated
protected UserIdentity loadUser(String username)
{
try
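Review bot: replacing `@Override` with `@Deprecated` on `loadUser` drops the compile-time check that it still overrides the abstract `loadUser` in `MappedLoginService`, which the MappedLoginService.java hunk leaves in place; keep both annotations, `@Deprecated` on one line and `@Override` on the next. The Javadoc should also carry `@deprecated` naming `loadUserInfo`/`loadRoleInfo` as the replacement so callers see why. The method body continues past this hunk.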
@@ -251,6 +277,8 @@ public class JDBCLoginService extends MappedLoginService
{
int key = rs1.getInt(_userTableKey);
String credentials = rs1.getString(_userTablePasswordField);
+
+
List<String> roles = new ArrayList<String>();
try (PreparedStatement stat2 = _con.prepareStatement(_roleSql))
@@ -262,7 +290,7 @@ public class JDBCLoginService extends MappedLoginService
roles.add(rs2.getString(_roleTableRoleField));
}
}
- return putUser(username, credentials, roles.toArray(new String[roles.size()]));
+ return putUser(username, Credential.getCredential(credentials), roles.toArray(new String[roles.size()]));
}
}
}
@@ -274,13 +302,89 @@ public class JDBCLoginService extends MappedLoginService
}
return null;
}
+
+
+ /**
+ * @see org.eclipse.jetty.security.MappedLoginService#loadUserInfo(java.lang.String)
+ * @Override
+ */
+ public KnownUser loadUserInfo (String username)
+ {
+ try
+ {
+ if (null == _con)
+ connectDatabase();
+
+ if (null == _con)
+ throw new SQLException("Can't connect to database");
+
+ try (PreparedStatement stat1 = _con.prepareStatement(_userSql))
+ {
+ stat1.setObject(1, username);
+ try (ResultSet rs1 = stat1.executeQuery())
+ {
+ if (rs1.next())
+ {
+ int key = rs1.getInt(_userTableKey);
+ String credentials = rs1.getString(_userTablePasswordField);
+
+ return new JDBCKnownUser (username, Credential.getCredential(credentials), key);
+ }
+ }
+ }
+ }
+ catch (SQLException e)
+ {
+ LOG.warn("UserRealm " + getName() + " could not load user information from database", e);
+ closeConnection();
+ }
+
+ return null;
+ }
+
- /* ------------------------------------------------------------ */
- protected UserIdentity putUser (String username, String credentials, String[] roles)
+
+ /**
+ * @see org.eclipse.jetty.security.MappedLoginService#loadRoleInfo(org.eclipse.jetty.security.MappedLoginService.KnownUser)
+ * @Override
+ */
+ public String[] loadRoleInfo (KnownUser user)
{
- return putUser(username, Credential.getCredential(credentials),roles);
+ JDBCKnownUser jdbcUser = (JDBCKnownUser)user;
+
+ try
+ {
+ if (null == _con)
+ connectDatabase();
+
+ if (null == _con)
+ throw new SQLException("Can't connect to database");
+
+
+ List<String> roles = new ArrayList<String>();
+
+ try (PreparedStatement stat2 = _con.prepareStatement(_roleSql))
+ {
+ stat2.setInt(1, jdbcUser.getUserKey());
+ try (ResultSet rs2 = stat2.executeQuery())
+ {
+ while (rs2.next())
+ roles.add(rs2.getString(_roleTableRoleField));
+ return roles.toArray(new String[roles.size()]);
+ }
+ }
+ }
+ catch (SQLException e)
+ {
+ LOG.warn("UserRealm " + getName() + " could not load user information from database", e);
+ closeConnection();
+ }
+
+ return null;
}
+
+
/**
* Close an existing connection
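Review bot: the `@Override` for the new `loadUserInfo` and `loadRoleInfo` is written inside their Javadoc (`* @Override`), where it is plain text, so the compiler never checks that these methods match the abstract declarations in MappedLoginService; move it out of the comment onto the method, and declare them `protected` as the base class does rather than `public`, which widens the API for no visible reason. The warning in `loadRoleInfo` says "could not load user information" (copied from `loadUserInfo`); it should say role information so a log reader can tell which query failed. Note also that when the role query hits a `SQLException`, `loadRoleInfo` returns null for an already-authenticated user and the caller in MappedLoginService caches that identity via `putUser(userPrincipal, roles)`, so a transient database error appears to leave a role-less identity cached until it is evicted — worth confirming and, if so, distinguishing "no roles" from "lookup failed".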
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
index 70b4c95329..310a4db8bc 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/MappedLoginService.java
@@ -139,6 +139,8 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
public void logout(UserIdentity identity)
{
LOG.debug("logout {}",identity);
+
+ //TODO should remove the user?????
}
/* ------------------------------------------------------------ */
@@ -200,6 +202,24 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
_users.put(userName,identity);
return identity;
}
+
+
+
+
+ public synchronized UserIdentity putUser (KnownUser userPrincipal, String[] roles)
+ {
+ Subject subject = new Subject();
+ subject.getPrincipals().add(userPrincipal);
+ subject.getPrivateCredentials().add(userPrincipal._credential);
+ if (roles!=null)
+ for (String role : roles)
+ subject.getPrincipals().add(new RolePrincipal(role));
+ subject.setReadOnly();
+ UserIdentity identity=_identityService.newUserIdentity(subject,userPrincipal,roles);
+ _users.put(userPrincipal._name,identity);
+ return identity;
+ }
+
/* ------------------------------------------------------------ */
public void removeUser(String username)
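Review bot: the new `putUser(KnownUser, String[])` reaches into the principal's fields (`userPrincipal._credential`, `userPrincipal._name`) although `getName()` is already used on `KnownUser` elsewhere in this commit; prefer `_users.put(userPrincipal.getName(),identity);` and an accessor for the credential if one exists. Its body duplicates the Subject construction of the existing `putUser(String, Credential, String[])` directly above (whose tail `_users.put(userName,identity);` is in the context), so a private helper shared by both would keep them from drifting. A null `roles` array is tolerated while building the Subject but passed unchanged to `_identityService.newUserIdentity`; whether that accepts null is not visible here, so either confirm it or normalize to an empty array. A Javadoc stating that this replaces any cached identity of the same name would help callers.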
@@ -219,9 +239,17 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
UserIdentity user = _users.get(username);
if (user==null)
- user = loadUser(username);
-
- if (user!=null)
+ {
+ KnownUser userPrincipal = loadUserInfo(username);
+ if (userPrincipal.authenticate(credentials))
+ {
+ //safe to load the roles
+ String[] roles = loadRoleInfo(userPrincipal);
+ user = putUser(userPrincipal, roles);
+ return user;
+ }
+ }
+ else
{
UserPrincipal principal = (UserPrincipal)user.getUserPrincipal();
if (principal.authenticate(credentials))
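Review bot: `loadUserInfo(username)` is dereferenced without a null check at `if (userPrincipal.authenticate(credentials))`, yet both implementations in this commit end with `return null;` for an unknown user, so a login attempt with an unknown name now throws `NullPointerException` instead of returning false. Besides the crash, that makes an unknown user and a wrong password observably different to the client (error versus refusal), which the previous code did not; guard it with `if (userPrincipal != null && userPrincipal.authenticate(credentials))`. With the guard in place the unknown-user case falls through to the existing `return false;` below the hunk. The signature and tail of `login` lie outside this hunk.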
@@ -241,7 +269,10 @@ public abstract class MappedLoginService extends AbstractLifeCycle implements Lo
return false;
}
-
+ /* ------------------------------------------------------------ */
+ protected abstract String[] loadRoleInfo (KnownUser user);
+ /* ------------------------------------------------------------ */
+ protected abstract KnownUser loadUserInfo (String username);
/* ------------------------------------------------------------ */
protected abstract UserIdentity loadUser(String username);
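Review bot: the two new abstract methods carry no Javadoc, and their contract is exactly what `login` in this file now depends on — `loadUserInfo` may return null for an unknown user, and `loadRoleInfo` is only called after `authenticate` succeeded. Add `/** Load the principal for a user name, or null if no such user exists. */` above `loadUserInfo` and `/** Load the roles of an already-authenticated user; may return null. */` above `loadRoleInfo`. `loadUser` stays abstract here while JDBCLoginService marks its override `@Deprecated`; marking the abstract declaration `@Deprecated` too gives every subclass the same signal. The class continues past this hunk.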
