001    /**
002     *  Licensed to the Apache Software Foundation (ASF) under one or more
003     *  contributor license agreements.  See the NOTICE file distributed with
004     *  this work for additional information regarding copyright ownership.
005     *  The ASF licenses this file to You under the Apache License, Version 2.0
006     *  (the "License"); you may not use this file except in compliance with
007     *  the License.  You may obtain a copy of the License at
008     *
009     *     http://www.apache.org/licenses/LICENSE-2.0
010     *
011     *  Unless required by applicable law or agreed to in writing, software
012     *  distributed under the License is distributed on an "AS IS" BASIS,
013     *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014     *  See the License for the specific language governing permissions and
015     *  limitations under the License.
016     */
017    
018    package org.apache.geronimo.security.realm.providers;
019    
020    import java.io.IOException;
021    import java.security.cert.Certificate;
022    import java.security.cert.X509Certificate;
023    import java.util.Map;
024    import java.util.Set;
025    import javax.security.auth.Subject;
026    import javax.security.auth.callback.Callback;
027    import javax.security.auth.callback.CallbackHandler;
028    import javax.security.auth.callback.UnsupportedCallbackException;
029    import javax.security.auth.login.FailedLoginException;
030    import javax.security.auth.login.LoginException;
031    import javax.security.auth.spi.LoginModule;
032    import javax.security.auth.x500.X500Principal;
033    
034    import org.apache.commons.logging.Log;
035    import org.apache.commons.logging.LogFactory;
036    
037    
038    /**
039     * An example LoginModule that reads a list of credentials and group from a file on disk.
040     * Authentication is provided by the SSL layer supplying the client certificate.
041     * All we check is that it is present.  The
042     * file should be formatted using standard Java properties syntax.  Expects
043     * to be run by a GenericSecurityRealm (doesn't work on its own).
044     *
045     * The usersURI property file should have lines of the form token=certificatename
046     * where certificate name is X509Certificate.getSubjectX500Principal().getName()
047     *
048     * The groupsURI property file should have lines of the form group=token1,token2,...
049     * where the tokens were associated to the certificate names in the usersURI properties file.
050     *
051     * This login module checks security credentials so the lifecycle methods must return true to indicate success
052     * or throw LoginException to indicate failure.
053     *
054     * @version $Rev: 565912 $ $Date: 2007-08-14 17:03:11 -0400 (Tue, 14 Aug 2007) $
055     */
056    public class CertificateChainLoginModule implements LoginModule {
057    
058        private Subject subject;
059        private CallbackHandler handler;
060        private X500Principal principal;
061    
062        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
063            this.subject = subject;
064            this.handler = callbackHandler;
065        }
066    
067        public boolean login() throws LoginException {
068            Callback[] callbacks = new Callback[1];
069    
070            callbacks[0] = new CertificateChainCallback();
071            try {
072                handler.handle(callbacks);
073            } catch (IOException ioe) {
074                throw (LoginException) new LoginException().initCause(ioe);
075            } catch (UnsupportedCallbackException uce) {
076                throw (LoginException) new LoginException().initCause(uce);
077            }
078            assert callbacks.length == 1;
079            Certificate[] certificateChain = ((CertificateChainCallback)callbacks[0]).getCertificateChain();
080            if (certificateChain == null || certificateChain.length == 0) {
081                throw new FailedLoginException();
082            }
083            if (!(certificateChain[0] instanceof X509Certificate)) {
084                throw new FailedLoginException();
085            }
086            //TODO actually validate chain
087            principal = ((X509Certificate)certificateChain[0]).getSubjectX500Principal();
088    
089            return true;
090        }
091    
092        public boolean commit() throws LoginException {
093            Set principals = subject.getPrincipals();
094    
095            principals.add(principal);
096            principals.add(new GeronimoUserPrincipal(principal.getName()));
097    
098            return true;
099        }
100    
101        public boolean abort() throws LoginException {
102            principal = null;
103    
104            return true;
105        }
106    
107        public boolean logout() throws LoginException {
108            principal = null;
109    
110            return true;
111        }
112    
113    }