Package org.jboss.security.srp.jaas

Source Code of org.jboss.security.srp.jaas.SRPCacheLoginModule

/*
* JBoss, Home of Professional Open Source.
* Copyright 2008, Red Hat Middleware LLC, and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.security.srp.jaas;

import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.jboss.logging.Logger;
import org.jboss.security.auth.callback.SecurityAssociationCallback;
import org.jboss.security.srp.SRPParameters;
import org.jboss.security.srp.SRPServerSession;
import org.jboss.security.srp.SRPSessionKey;
import org.jboss.util.CachePolicy;

/** A server side login module that validates a username and
session client challenge response against the cache of authentication
info maintained by the SRPService mbean. This module needs
a CallbackHandler that supplies the user principal and
credential via the SecurityAssociationCallback object.
module options:
cacheJndiName, the JNDI name of the CachePolicy of <Principal,SRPServerSession>
information managed by the SRPSerice.
domainName,
@author Scott.Stark@jboss.org
@version $Revision: 81038 $
*/
public class SRPCacheLoginModule implements LoginModule
{
   private static Logger log = Logger.getLogger(SRPCacheLoginModule.class);
   private Subject subject;
   private CallbackHandler handler;
   private Map sharedState;
   private String domainName;
   private String cacheJndiName;
   private byte[] clientChallenge;
   private SRPServerSession session;
   private Principal userPrincipal;
   private boolean loginFailed;
  
   public SRPCacheLoginModule()
   {
   }
  
   // --- Begin LoginModule interface methods
   /** Initialize the login module.
    @param subject, the subject to authenticate
    @param handler, the app CallbackHandler used to obtain username & password
    @param sharedState, used to propagate the authenticated principal and
    credential hash.
    @param options, the login module options. These include:
    cacheJndiName: the JNDI name of the CachePolicy of <Principal,Subject>
    information managed by the SRPSerice.
    domainName: the security domain name.
    */
   public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)
   {
      this.subject = subject;
      this.handler = handler;
      this.sharedState = sharedState;
      cacheJndiName = (String) options.get("cacheJndiName");
      log.trace("cacheJndiName="+cacheJndiName);
      domainName = (String) options.get("domainName");
   }
  
   /** Access the user Principal object and credentials by passing a
    SecurityAssociationCallback object to the registered CallbackHandler. This
    method then validates the user by looking up the cache information using
    the Principal object as the key and compares the cache credential against the
    the credential obtained from the SecurityAssociationCallback. The
    login credential should be the M1 verifcation challenge byte[].
   
    @return true is login succeeds, false if login does not apply.
    @exception LoginException, thrown on login failure.
    */
   public boolean login() throws LoginException
   {
      loginFailed = true;
      getUserInfo();
     
      String username = userPrincipal.getName();
      // First try to locate an SRPServerInterface using JNDI
      try
      {
         if( cacheJndiName == null )
            throw new LoginException("Required cacheJndiName option not set");
         InitialContext iniCtx = new InitialContext();
         CachePolicy cache = (CachePolicy) iniCtx.lookup(cacheJndiName);
         SRPSessionKey key;
         if( userPrincipal instanceof SRPPrincipal )
         {
            SRPPrincipal srpPrincpal = (SRPPrincipal) userPrincipal;
            key = new SRPSessionKey(username, srpPrincpal.getSessionID());
         }
         else
         {
            key = new SRPSessionKey(username);
         }
         Object cacheCredential = cache.get(key);
         if( cacheCredential == null )
         {
            throw new LoginException("No SRP session found for: "+key);
         }
         log.trace("Found SRP cache credential: "+cacheCredential);
         /** The cache object should be the SRPServerSession object used in the
          authentication of the client.
          */
         if( cacheCredential instanceof SRPServerSession )
         {
            session = (SRPServerSession) cacheCredential;
            if( validateCache(session) == false )
               throw new LoginException("Failed to validate SRP session key for: "+key);
         }
         else
         {
            throw new LoginException("Unknown type of cache credential: "+cacheCredential.getClass());
         }
      }
      catch(NamingException e)
      {
         log.error("Failed to load SRP auth cache", e);
         throw new LoginException("Failed to load SRP auth cache: "+e.toString(true));
      }
     
      log.trace("Login succeeded");
      // Put the username and the client challenge into the sharedState map
      sharedState.put("javax.security.auth.login.name", username);
      sharedState.put("javax.security.auth.login.password", clientChallenge);
      loginFailed = false;
      return true;
   }
  
   /** All login modules have completed the login() phase, commit if we
    succeeded. This entails adding the princial to the subject Principals set.
    It also adds the client challenge response to the PublicCredentials set
    and the private session key to the PrivateCredentials set as a SecretKeySpec.
    @return false, if the login() failed, true if the commit succeeds.
    @exception LoginException, thrown on failure to add the principal.
    */
   public boolean commit() throws LoginException
   {
      if( loginFailed == true )
         return false;
      Set principals = subject.getPrincipals();
      principals.add(userPrincipal);
      subject.getPublicCredentials().add(clientChallenge);
      byte[] sessionKey = session.getSessionKey();
      SRPParameters params = session.getParameters();
      Set privateCredentials = subject.getPrivateCredentials();
      privateCredentials.add(params);
      if( params.cipherAlgorithm != null )
      {
         SecretKeySpec secretKey = new SecretKeySpec(sessionKey, params.cipherAlgorithm);
         privateCredentials.add(secretKey);
      }
      else
      {
         privateCredentials.add(sessionKey);
      }

      return true;
   }

   public boolean abort() throws LoginException
   {
      userPrincipal = null;
      clientChallenge = null;
      return true;
   }

   /** Remove the userPrincipal, clientChallenge and sessionKey associated
    with the subject during commit().
    @return true always.
    @exception LoginException, thrown on exception during remove of the Principal
    added during the commit.
    */
   public boolean logout() throws LoginException
   {
      try
      {
         if( subject.isReadOnly() == false )
         {   // Remove userPrincipal
            Set s = subject.getPrincipals(userPrincipal.getClass());
            s.remove(userPrincipal);
            subject.getPublicCredentials().remove(clientChallenge);
            byte[] sessionKey = session.getSessionKey();
            SRPParameters params = session.getParameters();
            Set privateCredentials = subject.getPrivateCredentials();
            if( params.cipherAlgorithm != null )
            {
               SecretKeySpec secretKey = new SecretKeySpec(sessionKey, params.cipherAlgorithm);
               privateCredentials.remove(secretKey);
            }
            else
            {
               privateCredentials.remove(sessionKey);
            }
            privateCredentials.remove(params);
         }
      }
      catch(Exception e)
      {
         throw new LoginException("Failed to remove commit information, "+e.getMessage());
      }
      return true;
   }
  
// --- End LoginModule interface methods
  
   /** Obtain the Principal and credentials that are to be authenticated.
    */
   private void getUserInfo() throws LoginException
   {
      // Get the security association info
      if( handler == null )
         throw new LoginException("No CallbackHandler provied");

      SecurityAssociationCallback sac = new SecurityAssociationCallback();
      Callback[] callbacks = { sac };
      try
      {
         handler.handle(callbacks);
         userPrincipal = sac.getPrincipal();
         clientChallenge = (byte[]) sac.getCredential();
         sac.clearCredential();
      }
      catch(java.io.IOException e)
      {
         throw new LoginException(e.toString());
      }
      catch(UnsupportedCallbackException uce)
      {
         throw new LoginException("UnsupportedCallback: " + uce.getCallback().toString());
      }
      catch(ClassCastException e)
      {
         throw new LoginException("Credential info is not of type byte[], "+ e.getMessage());
      }
   }
  
   /** This method obtains the session getClientResponse() value which
    contains the challenge the client used to verify the session key.
    */
   private boolean validateCache(SRPServerSession session)
   {
      byte[] challenge = session.getClientResponse();
      boolean isValid = Arrays.equals(challenge, clientChallenge);
      return isValid;
   }
  
}
TOP

Related Classes of org.jboss.security.srp.jaas.SRPCacheLoginModule

TOP
Copyright © 2018 www.massapi.com. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.