Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017
018package org.apache.activemq.jaas;
019
020import java.security.cert.X509Certificate;
021import java.util.Enumeration;
022import java.util.HashSet;
023import java.util.Map;
024import java.util.Properties;
025import java.util.Set;
026
027import javax.security.auth.Subject;
028import javax.security.auth.callback.CallbackHandler;
029import javax.security.auth.login.LoginException;
030
031/**
032 * A LoginModule allowing for SSL certificate based authentication based on
033 * Distinguished Names (DN) stored in text files. The DNs are parsed using a
034 * Properties class where each line is <user_name>=<user_DN>. This class also
035 * uses a group definition file where each line is <group_name>=<user_name_1>,<user_name_2>,etc.
036 * The user and group files' locations must be specified in the
037 * org.apache.activemq.jaas.textfiledn.user and
038 * org.apache.activemq.jaas.textfiledn.user properties respectively. NOTE: This
039 * class will re-read user and group files for every authentication (i.e it does
040 * live updates of allowed groups and users).
041 *
042 * @author sepandm@gmail.com (Sepand)
043 */
044public class TextFileCertificateLoginModule extends CertificateLoginModule {
045
046    private static final String USER_FILE_PROP_NAME = "org.apache.activemq.jaas.textfiledn.user";
047    private static final String GROUP_FILE_PROP_NAME = "org.apache.activemq.jaas.textfiledn.group";
048
049    private Properties groups;
050    private Map<String, String> usersByDn;
051
052    /**
053     * Performs initialization of file paths. A standard JAAS override.
054     */
055    @Override
056    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
057        super.initialize(subject, callbackHandler, sharedState, options);
058
059        usersByDn = load(USER_FILE_PROP_NAME, "", options).invertedPropertiesMap();
060        groups = load(GROUP_FILE_PROP_NAME, "", options).getProps();
061     }
062
063    /**
064     * Overriding to allow DN authorization based on DNs specified in text
065     * files.
066     *
067     * @param certs The certificate the incoming connection provided.
068     * @return The user's authenticated name or null if unable to authenticate
069     *         the user.
070     * @throws LoginException Thrown if unable to find user file or connection
071     *                 certificate.
072     */
073    @Override
074    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
075        if (certs == null) {
076            throw new LoginException("Client certificates not found. Cannot authenticate.");
077        }
078
079        return usersByDn.get(getDistinguishedName(certs));
080    }
081
082    /**
083     * Overriding to allow for group discovery based on text files.
084     *
085     * @param username The name of the user being examined. This is the same
086     *                name returned by getUserNameForCertificates.
087     * @return A Set of name Strings for groups this user belongs to.
088     * @throws LoginException Thrown if unable to find group definition file.
089     */
090    @Override
091    protected Set<String> getUserGroups(String username) throws LoginException {
092        Set<String> userGroups = new HashSet<String>();
093        for (Enumeration<Object> enumeration = groups.keys(); enumeration.hasMoreElements();) {
094            String groupName = (String)enumeration.nextElement();
095            String[] userList = (groups.getProperty(groupName) + "").split(",");
096            for (int i = 0; i < userList.length; i++) {
097                if (username.equals(userList[i])) {
098                    userGroups.add(groupName);
099                    break;
100                }
101            }
102        }
103
104        return userGroups;
105    }
106}