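/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.geronimo.security.realm.providers;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;


/**
 * An example LoginModule that authenticates a caller from the X.509 client certificate
 * chain obtained through a {@link CertificateChainCallback}.
 * <p>
 * Authentication itself is expected to be performed by the SSL layer that supplied the
 * client certificate; this module only checks that a chain is present and that its first
 * element is an {@link X509Certificate}. It performs no signature, validity-period or
 * trust-anchor verification of its own (see the TODO in {@link #login()}), so it must only
 * be fed chains that the transport has already verified against a trust store.
 * <p>
 * On success the subject receives the certificate's {@link X500Principal} (as returned by
 * {@code X509Certificate.getSubjectX500Principal()}) and a {@link GeronimoUserPrincipal}
 * carrying that principal's name. Group membership is not resolved here.
 * <p>
 * NOTE(review): earlier versions of this Javadoc described usersURI/groupsURI property
 * files (lines of the form {@code token=certificatename} and {@code group=token1,token2,...}).
 * This class reads no options and no files; that description belongs to the properties-file
 * based modules of the same realm. Expects to be run by a GenericSecurityRealm (doesn't
 * work on its own).
 * <p>
 * This login module checks security credentials so the lifecycle methods must return true
 * to indicate success or throw LoginException to indicate failure; per the JAAS contract,
 * {@link #commit()} and {@link #abort()} return false when {@link #login()} did not succeed
 * so that the LoginContext ignores this module.
 *
 * @version $Rev: 565912 $ $Date: 2007-08-14 17:03:11 -0400 (Tue, 14 Aug 2007) $
 */
public class CertificateChainLoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler handler;
    private X500Principal principal;
    // The GeronimoUserPrincipal created in commit(); kept so logout()/abort() can remove
    // exactly the principals this module added and nothing else.
    private GeronimoUserPrincipal userPrincipal;
    // True once login() has extracted a usable certificate; commit() must not touch the
    // Subject otherwise.
    private boolean loginSucceeded;
    // True once commit() has added principals to the Subject, so abort() knows to undo it.
    private boolean commitSucceeded;

    /**
     * Stores the subject and callback handler for later phases. The shared state and
     * options maps are not consulted by this module.
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        this.subject = subject;
        this.handler = callbackHandler;
    }

    /**
     * Requests the client certificate chain from the callback handler and records the
     * subject principal of its first certificate.
     *
     * @return true when a chain with an X.509 end-entity certificate was supplied
     * @throws FailedLoginException if no chain was supplied or its first element is not
     *         an {@link X509Certificate}
     * @throws LoginException if no callback handler is available, or the handler fails
     *         or does not support {@link CertificateChainCallback}
     */
    public boolean login() throws LoginException {
        // Reset per-attempt state so a failed retry cannot reuse a stale principal.
        loginSucceeded = false;
        principal = null;

        if (handler == null) {
            throw new LoginException("No CallbackHandler available to obtain the client certificate chain");
        }

        CertificateChainCallback callback = new CertificateChainCallback();
        try {
            handler.handle(new Callback[] {callback});
        } catch (IOException ioe) {
            // LoginException has no cause constructor; preserve the cause via initCause.
            throw (LoginException) new LoginException("Unable to obtain client certificate chain").initCause(ioe);
        } catch (UnsupportedCallbackException uce) {
            throw (LoginException) new LoginException("CallbackHandler does not support CertificateChainCallback").initCause(uce);
        }

        Certificate[] certificateChain = callback.getCertificateChain();
        if (certificateChain == null || certificateChain.length == 0) {
            throw new FailedLoginException("No client certificate chain was presented");
        }
        if (!(certificateChain[0] instanceof X509Certificate)) {
            throw new FailedLoginException("Client certificate is not an X.509 certificate");
        }
        // TODO actually validate chain.
        // As written, the end-entity certificate is only checked for presence and type: no
        // signature, validity-period or trust-anchor check happens here. Trust rests entirely
        // on the SSL layer that produced the chain handed to the callback.
        principal = ((X509Certificate) certificateChain[0]).getSubjectX500Principal();
        loginSucceeded = true;

        return true;
    }

    /**
     * Adds the certificate's X500Principal and a matching GeronimoUserPrincipal to the
     * subject if {@link #login()} succeeded.
     *
     * @return true if principals were added, false if this module should be ignored
     *         because its login phase did not succeed
     * @throws LoginException if the subject is read-only and cannot accept principals
     */
    public boolean commit() throws LoginException {
        if (!loginSucceeded) {
            return false;
        }
        if (subject.isReadOnly()) {
            throw new LoginException("Subject is read-only; cannot add principals");
        }

        userPrincipal = new GeronimoUserPrincipal(principal.getName());
        Set principals = subject.getPrincipals();
        principals.add(principal);
        principals.add(userPrincipal);
        commitSucceeded = true;

        return true;
    }

    /**
     * Discards authentication state because the overall login failed, undoing
     * {@link #commit()} if it had already run.
     *
     * @return true if there was state to discard, false if this module's login phase
     *         never succeeded and it should be ignored
     */
    public boolean abort() throws LoginException {
        if (!loginSucceeded) {
            return false;
        }
        if (commitSucceeded) {
            removePrincipals();
        }
        clearState();

        return true;
    }

    /**
     * Removes the principals this module added in {@link #commit()} and clears all
     * per-login state.
     *
     * @return true always
     */
    public boolean logout() throws LoginException {
        removePrincipals();
        clearState();

        return true;
    }

    // Removes only the principals this module added; a read-only Subject is left untouched
    // because its principal set rejects modification.
    private void removePrincipals() {
        if (subject == null || subject.isReadOnly()) {
            return;
        }
        Set principals = subject.getPrincipals();
        if (principal != null) {
            principals.remove(principal);
        }
        if (userPrincipal != null) {
            principals.remove(userPrincipal);
        }
    }

    // Forgets everything learned during the current login attempt.
    private void clearState() {
        principal = null;
        userPrincipal = null;
        loginSucceeded = false;
        commitSucceeded = false;
    }

}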