001    /**
002     * Licensed to the Apache Software Foundation (ASF) under one or more
003     * contributor license agreements.  See the NOTICE file distributed with
004     * this work for additional information regarding copyright ownership.
005     * The ASF licenses this file to You under the Apache License, Version 2.0
006     * (the "License"); you may not use this file except in compliance with
007     * the License.  You may obtain a copy of the License at
008     *
009     *      http://www.apache.org/licenses/LICENSE-2.0
010     *
011     * Unless required by applicable law or agreed to in writing, software
012     * distributed under the License is distributed on an "AS IS" BASIS,
013     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014     * See the License for the specific language governing permissions and
015     * limitations under the License.
016     */
017    
018    package org.apache.activemq.jaas;
019    
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
032    
033    /**
034     * A LoginModule allowing for SSL certificate based authentication based on
035     * Distinguished Names (DN) stored in text files. The DNs are parsed using a
036     * Properties class where each line is <user_name>=<user_DN>. This class also
037     * uses a group definition file where each line is <group_name>=<user_name_1>,<user_name_2>,etc.
038     * The user and group files' locations must be specified in the
039     * org.apache.activemq.jaas.textfiledn.user and
 * org.apache.activemq.jaas.textfiledn.group properties respectively. NOTE: This
 * class will re-read user and group files for every authentication (i.e. it does
 * live updates of allowed groups and users), so write access to either file is
 * effectively write access to the authentication and group database.
043     * 
044     * @author sepandm@gmail.com (Sepand)
045     */
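public class TextFileCertificateLoginModule extends CertificateLoginModule {

    private static final String USER_FILE = "org.apache.activemq.jaas.textfiledn.user";
    private static final String GROUP_FILE = "org.apache.activemq.jaas.textfiledn.group";

    /** Directory the user and group file names are resolved against. */
    private File baseDir;
    private String usersFilePathname;
    private String groupsFilePathname;

    /**
     * Performs initialization of file paths. A standard JAAS override.
     * <p>
     * The user and group file names come from the {@code USER_FILE} and
     * {@code GROUP_FILE} login-module options and are resolved relative to the
     * directory of the JAAS configuration file named by the
     * {@code java.security.auth.login.config} system property, or relative to
     * the current working directory when that property is unset. A missing
     * option is not rejected here: it turns into the literal file name
     * {@code "null"}, so the problem only surfaces as a {@link LoginException}
     * on the first authentication attempt.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);

        String loginConfig = System.getProperty("java.security.auth.login.config");
        if (loginConfig != null) {
            // May be null for a bare file name with no directory part; File
            // then treats the child as if no parent was given.
            baseDir = new File(loginConfig).getParentFile();
        } else {
            baseDir = new File(".");
        }

        // Appending "" keeps the null-tolerant behaviour: a missing option
        // becomes "null" rather than a NullPointerException.
        usersFilePathname = (String)options.get(USER_FILE) + "";
        groupsFilePathname = (String)options.get(GROUP_FILE) + "";
    }

    /**
     * Overriding to allow DN authorization based on DNs specified in text
     * files.
     * <p>
     * The certificate's Distinguished Name is compared verbatim (case- and
     * whitespace-sensitive) against the values in the user file, so the file
     * must contain exactly the string form the certificate parser produces.
     * Nothing here validates the certificate chain; the array is assumed to
     * have been verified by the transport layer before it reaches this
     * module. If several users are mapped to the same DN, the first match in
     * the properties table's iteration order wins, which is not a stable
     * choice - keep DNs unique.
     *
     * @param certs The certificate the incoming connection provided.
     * @return The user's authenticated name or null if unable to authenticate
     *         the user.
     * @throws LoginException Thrown if unable to find user file or connection
     *                 certificate.
     */
    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
        if (certs == null) {
            throw new LoginException("Client certificates not found. Cannot authenticate.");
        }

        File usersFile = new File(baseDir, usersFilePathname);
        Properties users = loadProperties(usersFile, "Unable to load user properties file " + usersFile);

        String dn = getDistinguishedName(certs);
        if (dn == null) {
            // No subject to compare against; nothing in the file can match.
            return null;
        }

        // Walk the entries directly instead of stepping keys() and elements()
        // in lock-step, which only worked because Hashtable happens to hand
        // both enumerations out in the same order.
        for (Map.Entry<Object, Object> entry : users.entrySet()) {
            if (dn.equals(entry.getValue())) {
                return (String)entry.getKey();
            }
        }

        return null;
    }

    /**
     * Overriding to allow for group discovery based on text files.
     * <p>
     * Each group line is split on "," and every piece is compared verbatim
     * with the user name - no trimming - so {@code admins=alice, bob} only
     * matches {@code "alice"} and {@code " bob"}.
     *
     * @param username The name of the user being examined. This is the same
     *                name returned by getUserNameForCertificates.
     * @return A Set of name Strings for groups this user belongs to; empty
     *         when the user is in no group or {@code username} is null.
     * @throws LoginException Thrown if unable to find group definition file.
     */
    @Override
    protected Set<String> getUserGroups(String username) throws LoginException {
        File groupsFile = new File(baseDir, groupsFilePathname);
        Properties groups = loadProperties(groupsFile, "Unable to load group properties file " + groupsFile);

        Set<String> userGroups = new HashSet<String>();
        if (username == null) {
            // No authenticated user means no group membership; also avoids an
            // NPE on the equals() below. The file is still loaded first so a
            // missing file is reported the same way in every case.
            return userGroups;
        }

        for (Map.Entry<Object, Object> entry : groups.entrySet()) {
            String groupName = (String)entry.getKey();
            String[] members = (groups.getProperty(groupName) + "").split(",");
            for (String member : members) {
                if (username.equals(member)) {
                    userGroups.add(groupName);
                    break;
                }
            }
        }

        return userGroups;
    }

    /**
     * Loads a properties file, guaranteeing the stream is closed even when
     * the read fails (the original left it open on an IOException).
     * Note that {@link Properties#load(java.io.InputStream)} reads the file as
     * ISO-8859-1, so DNs with other characters need {@code \\uXXXX} escapes.
     *
     * @param file the properties file to read.
     * @param failureMessage message of the LoginException raised on failure.
     * @return the loaded properties (never null).
     * @throws LoginException if the file cannot be opened or parsed; the
     *                 underlying IOException is attached as the cause.
     */
    private static Properties loadProperties(File file, String failureMessage) throws LoginException {
        Properties props = new Properties();
        FileInputStream in = null;
        try {
            in = new FileInputStream(file);
            props.load(in);
        } catch (IOException ioe) {
            // LoginException has no (message, cause) constructor; attach the
            // cause explicitly so the real reason is not lost.
            LoginException le = new LoginException(failureMessage);
            le.initCause(ioe);
            throw le;
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // Read-only stream: the contents are already loaded (or the
                    // load has already failed), so a close error adds nothing.
                }
            }
        }
        return props;
    }
}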