Source code

001/**
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017
018package org.apache.activemq.jaas;
019
020import java.security.cert.X509Certificate;
021import java.util.Collections;
022import java.util.Enumeration;
023import java.util.HashSet;
024import java.util.Map;
025import java.util.Properties;
026import java.util.Set;
027import java.util.regex.Pattern;
028
029import javax.security.auth.Subject;
030import javax.security.auth.callback.CallbackHandler;
031import javax.security.auth.login.LoginException;
032
033/**
034 * A LoginModule allowing for SSL certificate based authentication based on
035 * Distinguished Names (DN) stored in text files. The DNs are parsed using a
036 * Properties class where each line is either <UserName>=<StringifiedSubjectDN>
037 * or <UserName>=/<SubjectDNRegExp>/. This class also uses a group definition
038 * file where each line is <GroupName>=<UserName1>,<UserName2>,etc.
039 * The user and group files' locations must be specified in the
040 * org.apache.activemq.jaas.textfiledn.user and
041 * org.apache.activemq.jaas.textfiledn.group properties respectively.
042 * NOTE: This class will re-read user and group files for every authentication
043 * (i.e it does live updates of allowed groups and users).
044 *
045 * @author sepandm@gmail.com (Sepand)
046 */
047public class TextFileCertificateLoginModule extends CertificateLoginModule {
048
049    private static final String USER_FILE_PROP_NAME = "org.apache.activemq.jaas.textfiledn.user";
050    private static final String GROUP_FILE_PROP_NAME = "org.apache.activemq.jaas.textfiledn.group";
051
052    private Map<String, Set<String>> groupsByUser;
053    private Map<String, Pattern> regexpByUser;
054    private Map<String, String> usersByDn;
055
056    /**
057     * Performs initialization of file paths. A standard JAAS override.
058     */
059    @Override
060    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
061        super.initialize(subject, callbackHandler, sharedState, options);
062
063        usersByDn = load(USER_FILE_PROP_NAME, "", options).invertedPropertiesMap();
064        regexpByUser = load(USER_FILE_PROP_NAME, "", options).regexpPropertiesMap();
065        groupsByUser = load(GROUP_FILE_PROP_NAME, "", options).invertedPropertiesValuesMap();
066     }
067
068    /**
069     * Overriding to allow DN authorization based on DNs specified in text
070     * files.
071     *
072     * @param certs The certificate the incoming connection provided.
073     * @return The user's authenticated name or null if unable to authenticate
074     *         the user.
075     * @throws LoginException Thrown if unable to find user file or connection
076     *                 certificate.
077     */
078    @Override
079    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
080        if (certs == null) {
081            throw new LoginException("Client certificates not found. Cannot authenticate.");
082        }
083        String dn = getDistinguishedName(certs);
084        return usersByDn.containsKey(dn) ? usersByDn.get(dn) : getUserByRegexp(dn);
085    }
086
087    /**
088     * Overriding to allow for group discovery based on text files.
089     *
090     * @param username The name of the user being examined. This is the same
091     *                name returned by getUserNameForCertificates.
092     * @return A Set of name Strings for groups this user belongs to.
093     * @throws LoginException Thrown if unable to find group definition file.
094     */
095    @Override
096    protected Set<String> getUserGroups(String username) throws LoginException {
097        Set<String> userGroups = groupsByUser.get(username);
098        if (userGroups == null) {
099            userGroups = Collections.emptySet();
100        }
101        return userGroups;
102    }
103
104    private synchronized String getUserByRegexp(String dn) {
105        String name = null;
106        for (Map.Entry<String, Pattern> val : regexpByUser.entrySet()) {
107            if (val.getValue().matcher(dn).matches()) {
108                name = val.getKey();
109                break;
110            }
111        }
112        usersByDn.put(dn, name);
113        return name;
114    }
115
116}