001 /**
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements. See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License. You may obtain a copy of the License at
008 *
009 * http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017
018 package org.apache.activemq.jaas;
019
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
032
/**
 * A LoginModule allowing for SSL certificate based authentication based on
 * Distinguished Names (DN) stored in text files. The DNs are parsed using a
 * Properties class where each line is {@code <user_name>=<user_DN>}. This class also
 * uses a group definition file where each line is {@code <group_name>=<user_name_1>,<user_name_2>}, etc.
 * The user and group files' locations must be specified in the
 * org.apache.activemq.jaas.textfiledn.user and
 * org.apache.activemq.jaas.textfiledn.group properties respectively. NOTE: This
 * class will re-read user and group files for every authentication (i.e. it does
 * live updates of allowed groups and users).
 *
 * @author sepandm@gmail.com (Sepand)
 */
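public class TextFileCertificateLoginModule extends CertificateLoginModule {

    /** JAAS option naming the user file; each line is {@code user_name=user_DN}. */
    private static final String USER_FILE = "org.apache.activemq.jaas.textfiledn.user";
    /** JAAS option naming the group file; each line is {@code group_name=user_1,user_2,...}. */
    private static final String GROUP_FILE = "org.apache.activemq.jaas.textfiledn.group";

    /** Directory against which relative user/group file names are resolved. */
    private File baseDir;
    /** Value of the {@link #USER_FILE} option, or the string "null" when the option is absent. */
    private String usersFilePathname;
    /** Value of the {@link #GROUP_FILE} option, or the string "null" when the option is absent. */
    private String groupsFilePathname;

    /**
     * Performs initialization of file paths. A standard JAAS override.
     * <p>
     * Relative file names are resolved against the directory of the login
     * configuration named by the {@code java.security.auth.login.config}
     * system property, or against the working directory when that property
     * is not set. The files are not opened here; they are read afresh on
     * every authentication.
     *
     * @param subject the subject being authenticated
     * @param callbackHandler handler used by the superclass to obtain credentials
     * @param sharedState state shared with other login modules in the chain
     * @param options module options from the login configuration; expected to
     *            contain {@link #USER_FILE} and {@link #GROUP_FILE}
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);

        String loginConfig = System.getProperty("java.security.auth.login.config");
        if (loginConfig != null) {
            // getParentFile() is null for a bare file name; File(File, String)
            // accepts a null parent, so that case still resolves relative to ".".
            baseDir = new File(loginConfig).getParentFile();
        } else {
            baseDir = new File(".");
        }

        // Appending "" keeps a missing option from leaving the path null; the
        // resulting file "null" then fails to load with a clear LoginException.
        usersFilePathname = (String) options.get(USER_FILE) + "";
        groupsFilePathname = (String) options.get(GROUP_FILE) + "";
    }

    /**
     * Overriding to allow DN authorization based on DNs specified in text
     * files.
     * <p>
     * The user file is re-read on every call. The DN produced by
     * {@code getDistinguishedName} is compared for exact string equality with
     * each configured value, so the textual form in the file must match
     * character for character. {@link Properties#load(java.io.InputStream)}
     * reads the file as ISO-8859-1, so characters outside that range must be
     * written as Unicode escapes. If several users are configured with the
     * same DN, which of them is returned is unspecified.
     *
     * @param certs The certificate the incoming connection provided.
     * @return The user's authenticated name or null if unable to authenticate
     *         the user.
     * @throws LoginException Thrown if unable to find user file or connection
     *             certificate.
     */
    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
        if (certs == null) {
            throw new LoginException("Client certificates not found. Cannot authenticate.");
        }

        File usersFile = new File(baseDir, usersFilePathname);
        Properties users = loadProperties(usersFile, "user");

        String dn = getDistinguishedName(certs);

        // Iterate entries rather than walking keys() and elements() in
        // lock-step: two independent enumerations are not guaranteed to
        // visit the table in the same order.
        for (Map.Entry<Object, Object> entry : users.entrySet()) {
            if (entry.getValue().equals(dn)) {
                return (String) entry.getKey();
            }
        }

        return null;
    }

    /**
     * Overriding to allow for group discovery based on text files.
     * <p>
     * The group file is re-read on every call. Each value is split on commas
     * only and member names are not trimmed, so {@code admins=alice, bob}
     * does not place "bob" in the group. A null username matches no group.
     *
     * @param username The name of the user being examined. This is the same
     *            name returned by getUserNameForCertificates.
     * @return A Set of name Strings for groups this user belongs to; empty,
     *         never null, when the user is in no group.
     * @throws LoginException Thrown if unable to find group definition file.
     */
    @Override
    protected Set<String> getUserGroups(String username) throws LoginException {
        File groupsFile = new File(baseDir, groupsFilePathname);
        Properties groups = loadProperties(groupsFile, "group");

        Set<String> userGroups = new HashSet<String>();
        for (Map.Entry<Object, Object> entry : groups.entrySet()) {
            String groupName = (String) entry.getKey();
            String[] members = String.valueOf(entry.getValue()).split(",");
            for (String member : members) {
                // member.equals(username), not the reverse, so a null
                // username yields no match instead of an NPE.
                if (member.equals(username)) {
                    userGroups.add(groupName);
                    break;
                }
            }
        }

        return userGroups;
    }

    /**
     * Loads a properties file, closing the stream whether or not the load
     * succeeds.
     *
     * @param file the file to read
     * @param kind label used in the failure message ("user" or "group")
     * @return the loaded properties
     * @throws LoginException if the file cannot be opened, read or closed; the
     *             underlying IOException is attached as the cause
     */
    private static Properties loadProperties(File file, String kind) throws LoginException {
        Properties props = new Properties();
        try {
            FileInputStream in = new FileInputStream(file);
            try {
                props.load(in);
            } finally {
                in.close();
            }
        } catch (IOException ioe) {
            // LoginException has no (message, cause) constructor; attach the
            // cause explicitly so the real I/O error is not lost.
            LoginException le = new LoginException("Unable to load " + kind + " properties file " + file);
            le.initCause(ioe);
            throw le;
        }
        return props;
    }
}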