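/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.activemq.jaas;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

/**
 * A LoginModule allowing for SSL certificate based authentication based on
 * Distinguished Names (DN) stored in text files. The DNs are parsed using a
 * Properties class where each line is <user_name>=<user_DN>. This class also
 * uses a group definition file where each line is <group_name>=<user_name_1>,<user_name_2>,etc.
 * The user and group files' locations must be specified in the
 * org.apache.activemq.jaas.textfiledn.user and
 * org.apache.activemq.jaas.textfiledn.group properties respectively. NOTE: This
 * class will re-read user and group files for every authentication (i.e it does
 * live updates of allowed groups and users). Because both files are re-read on
 * every login, their contents and their write permissions directly control who
 * can authenticate and which groups they receive.
 *
 * @author sepandm@gmail.com (Sepand)
 */
public class TextFileCertificateLoginModule extends CertificateLoginModule {

    private static final String USER_FILE = "org.apache.activemq.jaas.textfiledn.user";
    private static final String GROUP_FILE = "org.apache.activemq.jaas.textfiledn.group";

    /** Directory that the user/group file names are resolved against. */
    private File baseDir;
    /** Value of the {@link #USER_FILE} option, relative to {@link #baseDir}. */
    private String usersFilePathname;
    /** Value of the {@link #GROUP_FILE} option, relative to {@link #baseDir}. */
    private String groupsFilePathname;

    /**
     * Performs initialization of file paths. A standard JAAS override.
     *
     * The base directory is the directory holding the JAAS configuration named
     * by the {@code java.security.auth.login.config} system property, or the
     * current working directory when that property is unset. A missing
     * {@code USER_FILE}/{@code GROUP_FILE} option is not rejected here; the
     * {@code + ""} turns it into the literal path "null", which then fails with
     * a {@link LoginException} when the file is first loaded.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        String loginConfig = System.getProperty("java.security.auth.login.config");
        if (loginConfig != null) {
            // getParentFile() is null for a bare file name; File(null, child)
            // then resolves the child against the working directory.
            baseDir = new File(loginConfig).getParentFile();
        } else {
            baseDir = new File(".");
        }

        usersFilePathname = (String)options.get(USER_FILE) + "";
        groupsFilePathname = (String)options.get(GROUP_FILE) + "";
    }

    /**
     * Overriding to allow DN authorization based on DNs specified in text
     * files.
     *
     * @param certs The certificate the incoming connection provided.
     * @return The user's authenticated name or null if unable to authenticate
     *         the user.
     * @throws LoginException Thrown if unable to find user file or connection
     *         certificate.
     */
    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
        if (certs == null) {
            throw new LoginException("Client certificates not found. Cannot authenticate.");
        }

        File usersFile = new File(baseDir, usersFilePathname);
        Properties users = loadProperties(usersFile, "user");

        String dn = getDistinguishedName(certs);

        // The user file is an allow-list of <user>=<DN>; the match is an exact,
        // case-sensitive string comparison against the DN derived from the
        // presented certificate. Walking the entry set (instead of keys() and
        // elements() in lock-step) does not depend on two separate
        // enumerations sharing an iteration order. If several users carry the
        // same DN the first entry in table order wins, as before.
        for (Map.Entry<Object, Object> entry : users.entrySet()) {
            if (entry.getValue().equals(dn)) {
                return (String)entry.getKey();
            }
        }

        return null;
    }

    /**
     * Overriding to allow for group discovery based on text files.
     *
     * @param username The name of the user being examined. This is the same
     *        name returned by getUserNameForCertificates.
     * @return A Set of name Strings for groups this user belongs to; empty
     *         (never null) when the user is in no group.
     * @throws LoginException Thrown if unable to find group definition file.
     */
    @Override
    protected Set<String> getUserGroups(String username) throws LoginException {
        File groupsFile = new File(baseDir, groupsFilePathname);
        Properties groups = loadProperties(groupsFile, "group");

        Set<String> userGroups = new HashSet<String>();
        for (Enumeration<Object> names = groups.keys(); names.hasMoreElements();) {
            String groupName = (String)names.nextElement();
            // Members are comma-separated with no surrounding whitespace (see
            // the class comment): "a, b" does not match the user "b".
            String[] members = (groups.getProperty(groupName) + "").split(",");
            for (String member : members) {
                // member.equals(username) rather than the reverse so that a
                // null username (presumably not passed by the superclass, but
                // not guaranteed here) yields an empty set instead of an NPE.
                if (member.equals(username)) {
                    userGroups.add(groupName);
                    break;
                }
            }
        }

        return userGroups;
    }

    /**
     * Loads a properties file, closing the stream on every path (the original
     * code leaked the stream when {@code load} threw).
     *
     * @param file the properties file to read.
     * @param kind short noun ("user" or "group") used in the error message.
     * @return the loaded properties.
     * @throws LoginException if the file cannot be opened or parsed; the
     *         underlying IOException is attached as the cause.
     */
    private static Properties loadProperties(File file, String kind) throws LoginException {
        Properties props = new Properties();
        FileInputStream in = null;
        try {
            in = new FileInputStream(file);
            // Properties.load(InputStream) decodes the file as ISO-8859-1, so
            // characters outside Latin-1 in a DN must be written as \uXXXX
            // escapes in the file to compare equal to the certificate's DN.
            props.load(in);
        } catch (IOException ioe) {
            LoginException le = new LoginException("Unable to load " + kind + " properties file " + file);
            le.initCause(ioe);
            throw le;
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // Either the contents were already read, or the load failed
                    // and that failure is the one being reported.
                }
            }
        }
        return props;
    }
}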