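/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.activemq.jaas;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

/**
 * A LoginModule allowing for SSL certificate based authentication based on
 * Distinguished Names (DN) stored in text files. The DNs are parsed using a
 * Properties class where each line is <user_name>=<user_DN>. This class also
 * uses a group definition file where each line is <group_name>=<user_name_1>,<user_name_2>,etc.
 * The user and group files' locations must be specified in the
 * org.apache.activemq.jaas.textfiledn.user and
 * org.apache.activemq.jaas.textfiledn.group properties respectively. NOTE: This
 * class will re-read user and group files for every authentication (i.e it does
 * live updates of allowed groups and users).
 * <p>
 * A user is matched by exact, case-sensitive string equality between the DN
 * rendered by the inherited {@code getDistinguishedName} and the DN stored in
 * the user file; no normalisation of the DN string is performed here.
 *
 * @author sepandm@gmail.com (Sepand)
 */
public class TextFileCertificateLoginModule extends CertificateLoginModule {

    private static final String USER_FILE = "org.apache.activemq.jaas.textfiledn.user";
    private static final String GROUP_FILE = "org.apache.activemq.jaas.textfiledn.group";

    /**
     * Directory against which relative user/group file names are resolved:
     * the directory of the JAAS login configuration file when the
     * {@code java.security.auth.login.config} system property is set,
     * otherwise the current working directory.
     */
    private File baseDir;
    private String usersFilePathname;
    private String groupsFilePathname;

    /**
     * Performs initialization of file paths. A standard JAAS override.
     * <p>
     * The option values are stored as strings without validation; a missing
     * option becomes the literal file name "null" and is only reported when
     * the file is loaded during authentication.
     *
     * @param subject the subject being authenticated.
     * @param callbackHandler the handler for credential callbacks (passed to the superclass).
     * @param sharedState state shared with other login modules (passed to the superclass).
     * @param options module options; must contain the
     *                {@code org.apache.activemq.jaas.textfiledn.user} and
     *                {@code org.apache.activemq.jaas.textfiledn.group} file names.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);

        String loginConfig = System.getProperty("java.security.auth.login.config");
        if (loginConfig != null) {
            // getParentFile() is null for a bare file name; File(null, child)
            // then resolves the child on its own, which is acceptable here.
            baseDir = new File(loginConfig).getParentFile();
        } else {
            baseDir = new File(".");
        }

        // String.valueOf(null) is "null", matching the original "+ \"\"" behaviour.
        usersFilePathname = String.valueOf(options.get(USER_FILE));
        groupsFilePathname = String.valueOf(options.get(GROUP_FILE));
    }

    /**
     * Overriding to allow DN authorization based on DNs specified in text
     * files.
     *
     * @param certs The certificate the incoming connection provided.
     * @return The user's authenticated name or null if unable to authenticate
     *         the user.
     * @throws LoginException Thrown if unable to find user file or connection
     *                        certificate.
     */
    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
        if (certs == null || certs.length == 0) {
            throw new LoginException("Client certificates not found. Cannot authenticate.");
        }

        File usersFile = new File(baseDir, usersFilePathname);
        // Re-read on every authentication so edits to the file take effect live.
        Properties users = loadProperties(usersFile, "Unable to load user properties file " + usersFile);

        String dn = getDistinguishedName(certs);
        if (dn == null) {
            // No DN to compare against: treated as "not a known user".
            return null;
        }

        // Walk key -> value pairs directly rather than two parallel enumerations
        // (keys()/elements()), whose relative ordering is not guaranteed by contract.
        // If several users are mapped to the same DN, whichever is enumerated
        // first wins; the user file is expected to keep DNs unique.
        for (Enumeration<?> names = users.propertyNames(); names.hasMoreElements();) {
            String userName = (String)names.nextElement();
            if (dn.equals(users.getProperty(userName))) {
                return userName;
            }
        }

        return null;
    }

    /**
     * Overriding to allow for group discovery based on text files.
     *
     * @param username The name of the user being examined. This is the same
     *                 name returned by getUserNameForCertificates.
     * @return A Set of name Strings for groups this user belongs to; empty
     *         (never null) when the user is in no group or is null.
     * @throws LoginException Thrown if unable to find group definition file.
     */
    @Override
    protected Set<String> getUserGroups(String username) throws LoginException {
        File groupsFile = new File(baseDir, groupsFilePathname);
        // Re-read on every authentication so edits to the file take effect live.
        Properties groups = loadProperties(groupsFile, "Unable to load group properties file " + groupsFile);

        Set<String> userGroups = new HashSet<String>();
        if (username == null) {
            return userGroups;
        }

        for (Enumeration<?> names = groups.propertyNames(); names.hasMoreElements();) {
            String groupName = (String)names.nextElement();
            // Members are split on bare commas; surrounding whitespace is
            // significant and must match the user name exactly.
            String[] members = String.valueOf(groups.getProperty(groupName)).split(",");
            for (String member : members) {
                if (username.equals(member)) {
                    userGroups.add(groupName);
                    break;
                }
            }
        }

        return userGroups;
    }

    /**
     * Loads a properties file, closing the stream on every path (the original
     * code leaked the descriptor when {@code load} threw).
     *
     * @param file the properties file to read.
     * @param errorMessage message for the LoginException raised on I/O failure.
     * @return the loaded properties.
     * @throws LoginException if the file cannot be opened or read; the
     *                        underlying IOException is attached as the cause.
     */
    private static Properties loadProperties(File file, String errorMessage) throws LoginException {
        Properties props = new Properties();
        try {
            FileInputStream in = new FileInputStream(file);
            try {
                props.load(in);
            } finally {
                in.close();
            }
        } catch (IOException ioe) {
            // LoginException has no (String, Throwable) constructor; keep the cause via initCause.
            LoginException le = new LoginException(errorMessage);
            le.initCause(ioe);
            throw le;
        }
        return props;
    }
}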