/**
* Copyright (C) 2009 eXo Platform SAS.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.exoplatform.services.organization.idm;
import javax.security.auth.login.LoginException;
import org.exoplatform.container.component.ComponentRequestLifecycle;
import org.exoplatform.container.component.RequestLifeCycle;
import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
import org.exoplatform.services.organization.Group;
import org.exoplatform.services.organization.MembershipType;
import org.exoplatform.services.organization.OrganizationService;
import org.exoplatform.services.organization.User;
import org.exoplatform.services.security.Authenticator;
import org.exoplatform.services.security.Identity;
import org.exoplatform.services.security.MembershipEntry;
import org.exoplatform.services.security.jaas.AbstractLoginModule;
/**
* Login module can be used to add authenticated user to some group after successful login.<br>
* For example, user can be add as "member" to group "/platform/users" after his login. Group name and Membership type are
* configurable and if they are not provided by configuration, then value "member" is used as default value for membership type
* and "/platform/users" for group.
*
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
* @author <a href="mailto:vrockai@redhat.com">Viliam Rockai</a>
* @author <a href="mailto:boleslaw.dawidowicz at redhat.com">Boleslaw Dawidowicz</a>
*/
public class CustomMembershipLoginModule extends AbstractLoginModule {
/** Logger. */
private static final Log log = ExoLogger.getLogger(CustomMembershipLoginModule.class);
private static final String OPTION_MEMBERSHIP_TYPE = "membershipType";
private static final String OPTION_GROUP_ID = "groupId";
// values obtained from configuration options
private String membershipType;
private String groupId;
// MembershipEntry with values provided from configuration. We will use it to check if user is not already presented in our
// group.
private MembershipEntry requestedMembershipEntry;
/**
* Read values from configuration. Default values ("member" and "/platform/users") are used if options are missing in
* configuration.
*/
protected void afterInitialize() {
membershipType = options.get(OPTION_MEMBERSHIP_TYPE) != null ? (String) options.get(OPTION_MEMBERSHIP_TYPE) : "member";
groupId = options.get(OPTION_GROUP_ID) != null ? (String) options.get(OPTION_GROUP_ID) : "/platform/users";
// membershipType is * so we are not checking exact value of membershipType in method login
requestedMembershipEntry = new MembershipEntry(groupId);
}
/**
* @see javax.security.auth.spi.LoginModule#login()
*/
@SuppressWarnings("unchecked")
public boolean login() throws LoginException {
if (log.isDebugEnabled()) {
log.debug("login invoked!");
}
try {
// Get identity set by SharedStateLoginModule in case of successful authentication
Identity identity = null;
if (sharedState.containsKey("exo.security.identity")) {
identity = (Identity) sharedState.get("exo.security.identity");
}
// Return if identity is not present (this means that user authentication failed in SharedStateLoginModule)
if (identity == null) {
log.warn("Identity not found in shared state under exo.security.identity. This login module will be ignored");
return false;
}
// Check if user is already added to our group with given membershipType. If yes, we don't need to do something.
if (identity.getMemberships().contains(requestedMembershipEntry)) {
if (log.isTraceEnabled()) {
log.trace("Requested membership entry " + requestedMembershipEntry + " already presented for user "
+ identity.getUserId());
}
return true;
}
// Now add our user to requested group
log.info("User " + identity.getUserId() + " will be added to group " + groupId + " as " + membershipType + ".");
addUserToPlatformUsers(identity.getUserId());
// Recreate identity
Authenticator authenticator = (Authenticator) getContainer().getComponentInstanceOfType(Authenticator.class);
identity = authenticator.createIdentity(identity.getUserId());
sharedState.put("exo.security.identity", identity);
return true;
} catch (Exception e) {
LoginException le = new LoginException();
le.initCause(e);
throw le;
}
}
/**
* @see javax.security.auth.spi.LoginModule#commit()
*/
public boolean commit() throws LoginException {
return true;
}
/**
* @see javax.security.auth.spi.LoginModule#abort()
*/
public boolean abort() throws LoginException {
return true;
}
/**
* @see javax.security.auth.spi.LoginModule#logout()
*/
public boolean logout() throws LoginException {
return true;
}
@Override
protected Log getLogger() {
return log;
}
/**
* Add given user to our group with given membershipType.
*
* @param userId
*/
private void addUserToPlatformUsers(String userId) throws Exception {
OrganizationService orgService = (OrganizationService) getContainer().getComponentInstanceOfType(
OrganizationService.class);
try {
begin(orgService);
User user = orgService.getUserHandler().findUserByName(userId);
MembershipType memberType = orgService.getMembershipTypeHandler().findMembershipType(membershipType);
Group platformUsersGroup = orgService.getGroupHandler().findGroupById(groupId);
orgService.getMembershipHandler().linkMembership(user, platformUsersGroup, memberType, true);
} catch (Exception e) {
log.error("Failed to add user " + userId + " to group " + groupId + ".", e);
// don't rethrow login exception in case of failure.
// throw e;
} finally {
end(orgService);
}
}
private void begin(OrganizationService orgService) {
if (orgService instanceof ComponentRequestLifecycle) {
RequestLifeCycle.begin((ComponentRequestLifecycle) orgService);
}
}
private void end(OrganizationService orgService) {
if (orgService instanceof ComponentRequestLifecycle) {
RequestLifeCycle.end();
}
}
}