diff --git oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationConfigurationImpl.java oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationConfigurationImpl.java index af61206..0cda296 100644 --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationConfigurationImpl.java +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationConfigurationImpl.java @@ -21,6 +21,8 @@ import javax.annotation.Nonnull; import org.apache.felix.scr.annotations.Activate; import org.apache.felix.scr.annotations.Component; +import org.apache.felix.scr.annotations.Properties; +import org.apache.felix.scr.annotations.Property; import org.apache.felix.scr.annotations.Service; import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.spi.security.ConfigurationBase; @@ -47,8 +49,19 @@ import org.slf4j.LoggerFactory; * * */ -@Component +@Component(metatype = true, label = "Apache Jackrabbit Oak AuthenticationConfiguration") @Service({AuthenticationConfiguration.class, SecurityConfiguration.class}) +@Properties({ + @Property(name = AuthenticationConfiguration.PARAM_APP_NAME, + label = "Application Name", + value = AuthenticationConfiguration.DEFAULT_APP_NAME, + description = "Application named used for JAAS authentication"), + @Property(name = AuthenticationConfiguration.PARAM_CONFIG_SPI_NAME, + label = "JAAS Config SPI Name", + description = "Name of JAAS Configuration Spi. This needs to be set to JAAS config provider " + + "name if JAAS authentication " + + "is managed by Felix JAAS Support with its Global Configuration Policy set to 'default'.") +}) public class AuthenticationConfigurationImpl extends ConfigurationBase implements AuthenticationConfiguration { private static final Logger log = LoggerFactory.getLogger(AuthenticationConfigurationImpl.class); diff --git oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java index d821dde..c18c7f2 100644 --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java @@ -17,6 +17,9 @@ package org.apache.jackrabbit.oak.security.authentication; import java.security.AccessController; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; + import javax.annotation.CheckForNull; import javax.annotation.Nonnull; import javax.jcr.Credentials; @@ -37,6 +40,8 @@ import org.apache.jackrabbit.oak.spi.whiteboard.Whiteboard; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import static org.apache.jackrabbit.oak.spi.security.authentication.AuthenticationConfiguration.PARAM_CONFIG_SPI_NAME; + /** * {@code LoginContextProvider} */ @@ -101,15 +106,39 @@ class LoginContextProviderImpl implements LoginContextProvider { private Configuration getConfiguration() { if (configuration == null) { Configuration loginConfig = null; - try { - loginConfig = Configuration.getConfiguration(); - // NOTE: workaround for Java7 behavior (see OAK-497) - if (loginConfig.getAppConfigurationEntry(appName) == null) { - loginConfig = null; + + if(params.containsKey(PARAM_CONFIG_SPI_NAME)){ + String configSpiName = null; + try { + configSpiName = params.getConfigValue(PARAM_CONFIG_SPI_NAME, ""); + loginConfig = Configuration.getInstance( + "JavaLoginConfig", //Algorithm name + null, //Extra params to be passed. For this impl its null + configSpiName //Name of the config provider + ); + if (loginConfig.getAppConfigurationEntry(appName) == null) { + log.warn("No configuration found for application {} though fetching JAAS " + + "configuration from SPI {} is enabled.", appName, configSpiName); + } + } catch (NoSuchAlgorithmException e) { + log.warn("Error fetching JAAS config from SPI {}", configSpiName, e); + } catch (NoSuchProviderException e) { + log.warn("Error fetching JAAS config from SPI {}", configSpiName, e); } - } catch (SecurityException e) { - log.info("Failed to retrieve login configuration: using default. " + e); } + + if(loginConfig == null) { + try { + loginConfig = Configuration.getConfiguration(); + // NOTE: workaround for Java7 behavior (see OAK-497) + if (loginConfig.getAppConfigurationEntry(appName) == null) { + loginConfig = null; + } + } catch (SecurityException e) { + log.info("Failed to retrieve login configuration: using default. " + e); + } + } + if (loginConfig == null) { log.debug("No login configuration available for {}; using default", appName); loginConfig = ConfigurationUtil.getDefaultConfiguration(params); diff --git oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java index 50f679b..bc011a1 100644 --- oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java +++ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java @@ -31,6 +31,8 @@ public interface AuthenticationConfiguration extends SecurityConfiguration { String PARAM_APP_NAME = "org.apache.jackrabbit.oak.authentication.appName"; String DEFAULT_APP_NAME = "jackrabbit.oak"; + String PARAM_CONFIG_SPI_NAME = "org.apache.jackrabbit.oak.authentication.configSpiName"; + @Nonnull LoginContextProvider getLoginContextProvider(ContentRepository contentRepository); } diff --git oak-pojosr/src/test/groovy/org/apache/jackrabbit/oak/run/osgi/JaasConfigSpiTest.groovy oak-pojosr/src/test/groovy/org/apache/jackrabbit/oak/run/osgi/JaasConfigSpiTest.groovy new file mode 100644 index 0000000..b118f18 --- /dev/null +++ oak-pojosr/src/test/groovy/org/apache/jackrabbit/oak/run/osgi/JaasConfigSpiTest.groovy @@ -0,0 +1,121 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.jackrabbit.oak.run.osgi + +import com.google.common.collect.ImmutableSet +import org.apache.felix.jaas.LoginModuleFactory +import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule +import org.apache.jackrabbit.oak.spi.security.authentication.AuthenticationConfiguration +import org.junit.Before +import org.junit.Test + +import javax.jcr.Credentials +import javax.jcr.Session +import javax.jcr.SimpleCredentials +import javax.security.auth.login.LoginException +import javax.security.auth.spi.LoginModule +import java.security.Principal + +import static org.apache.jackrabbit.oak.run.osgi.OakOSGiRepositoryFactory.REPOSITORY_CONFIG + + +class JaasConfigSpiTest extends AbstractRepositoryFactoryTest{ + @Before + void setupRepo(){ + //System.setProperty("ds.loglevel","debug") + config[REPOSITORY_CONFIG] = [ + 'org.apache.felix.jaas.Configuration.factory-LoginModuleImpl' : [ + 'jaas.controlFlag' : 'required', + 'jaas.classname' : 'org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl' + ], + 'org.apache.felix.jaas.ConfigurationSpi' : [ + 'jaas.defaultRealmName' : 'jackrabbit.oak', + 'jaas.configProviderName' : 'FelixJaasProvider', +// 'jaas.globalConfigPolicy' : 'proxy' + ], + 'org.apache.jackrabbit.oak.security.authentication.AuthenticationConfigurationImpl' :[ + (AuthenticationConfiguration.PARAM_CONFIG_SPI_NAME) : 'FelixJaasProvider' + ], + 'org.apache.jackrabbit.oak.jcr.osgi.RepositoryManager' : [:], + 'org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStoreService' : [:] + ] + } + + @Test + public void defaultConfigSpiAuth() throws Exception{ + repository = repositoryFactory.getRepository(config) + registry.registerService(LoginModuleFactory.class.name, new LoginModuleFactory() { + @Override + LoginModule createLoginModule() { + return new TestLoginModule(); + } + }, [ + 'jaas.controlFlag' : 'sufficient', + 'jaas.realmName' : 'jackrabbit.oak', + 'jaas.ranking' : '150', + + ] as Hashtable) + + Session session = repository.login(new SimpleCredentials("batman", "password".toCharArray())) + assert session + } + + public static class TestLoginModule extends AbstractLoginModule { + private Credentials credentials; + private Set principals; + private String userId; + + @Override + protected Set getSupportedCredentials() { + return ImmutableSet.of(SimpleCredentials.class) + } + + @Override + boolean login() throws LoginException { + credentials = getCredentials(); + if(credentials instanceof SimpleCredentials){ + SimpleCredentials scred = (SimpleCredentials)credentials; + if(scred.getPassword() == "password".toCharArray() + && scred.getUserID() == 'batman'){ + userId = 'admin'; + principals = getPrincipals(userId); + sharedState.put(SHARED_KEY_CREDENTIALS, credentials); + sharedState.put(SHARED_KEY_LOGIN_NAME, userId); + return true; + } + } + return false + } + + @Override + public boolean commit() { + if (credentials == null || principals == null) { + // login attempt in this login module was not successful + clearState(); + return false; + } else if (!subject.isReadOnly()) { + subject.getPrincipals().addAll(principals); + subject.getPublicCredentials().add(credentials); + return true; + } + return false; + } + } +}