/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jackrabbit.oak.security.authentication.token;
import java.security.Principal;
import java.util.Date;
import javax.jcr.Credentials;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConstants;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Implementation of the {@code Authentication} interface that deals with
* token based login. {@link #authenticate(javax.jcr.Credentials) Authentication}
* will be successful if the specified credentials are valid {@link TokenCredentials}
* according to the characteristics and constraints enforced by {@link org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider}
* and the information obtained using {@link org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider#getTokenInfo(String)}
* respectively.
*/
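class TokenAuthentication implements Authentication {

    private static final Logger log = LoggerFactory.getLogger(TokenAuthentication.class);

    private final TokenProvider tokenProvider;

    /**
     * The {@link TokenInfo} of the token that passed every check in
     * {@link #validateCredentials(TokenCredentials)}. Stays {@code null} until
     * {@link #authenticate(Credentials)} has completed successfully, and is reset
     * to {@code null} at the start of every new validation attempt, so that the
     * accessors below never expose information about a rejected token.
     */
    private TokenInfo tokenInfo;

    /**
     * Creates a new token based authentication.
     *
     * @param tokenProvider the provider used to look up and refresh tokens. If
     *                      {@code null}, {@link #authenticate(Credentials)} will
     *                      not handle any credentials and always returns {@code false}.
     */
    TokenAuthentication(TokenProvider tokenProvider) {
        this.tokenProvider = tokenProvider;
    }

    //-----------------------------------------------------< Authentication >---
    /**
     * Authenticates the given credentials if they are {@link TokenCredentials}
     * and a {@link TokenProvider} is available.
     *
     * @param credentials the credentials to authenticate; may be {@code null}.
     * @return {@code true} if the token credentials were validated successfully,
     *         {@code false} if this implementation does not handle the given
     *         credentials (no provider or a different credentials type).
     * @throws LoginException if the given token credentials are invalid, expired
     *                        or do not match the stored token information.
     */
    @Override
    public boolean authenticate(@Nullable Credentials credentials) throws LoginException {
        if (tokenProvider == null || !(credentials instanceof TokenCredentials)) {
            // no tokenProvider or other credentials implementation -> not handled here.
            return false;
        }
        if (!validateCredentials((TokenCredentials) credentials)) {
            throw new LoginException("Invalid token credentials.");
        }
        return true;
    }

    /**
     * @return the user id stored with the successfully authenticated token.
     * @throws IllegalStateException if called before a successful authentication.
     */
    @Nullable
    @Override
    public String getUserId() {
        return getTokenInfo().getUserId();
    }

    /**
     * @return the principal associated with the successfully authenticated token,
     *         or {@code null} if the {@link TokenInfo} implementation does not
     *         carry a principal.
     * @throws IllegalStateException if called before a successful authentication.
     */
    @Nullable
    @Override
    public Principal getUserPrincipal() {
        TokenInfo info = getTokenInfo();
        if (info instanceof TokenProviderImpl.TokenInfoImpl) {
            return ((TokenProviderImpl.TokenInfoImpl) info).getPrincipal();
        }
        return null;
    }

    //-----------------------------------------------------------< internal >---
    /**
     * @return the {@link TokenInfo} of the successfully authenticated token.
     * @throws IllegalStateException if called before a successful authentication.
     */
    @NotNull
    TokenInfo getTokenInfo() {
        if (tokenInfo == null) {
            throw new IllegalStateException("Token info can only be retrieved after successful authentication.");
        }
        return tokenInfo;
    }

    //------------------------------------------------------------< private >---
    /**
     * Validates the given token credentials against the {@link TokenProvider}:
     * the token must be known, not expired and must match the credentials.
     * An expired token is removed. Unless the credentials carry the
     * {@link TokenConstants#TOKEN_SKIP_REFRESH} attribute, the expiration of a
     * successfully validated token is reset.
     *
     * @param tokenCredentials the credentials to validate.
     * @return {@code true} if validation succeeded and {@link #tokenInfo} has
     *         been set; {@code false} otherwise (leaving {@link #tokenInfo} {@code null}).
     */
    private boolean validateCredentials(@NotNull TokenCredentials tokenCredentials) {
        // Every attempt starts from a clean state: a failed validation must not
        // leave a previous or partially checked TokenInfo behind.
        tokenInfo = null;

        // credentials without userID -> check if attributes provide
        // sufficient information for successful authentication.
        String token = tokenCredentials.getToken();
        TokenInfo info = tokenProvider.getTokenInfo(token);
        if (info == null) {
            log.debug("No valid TokenInfo for token.");
            return false;
        }

        long loginTime = System.currentTimeMillis();
        if (info.isExpired(loginTime)) {
            // token is expired -> clean it up, it can never become valid again
            log.debug("Token is expired");
            info.remove();
            return false;
        }

        if (!info.matches(tokenCredentials)) {
            return false;
        }

        if (tokenCredentials.getAttribute(TokenConstants.TOKEN_SKIP_REFRESH) == null) {
            boolean reset = info.resetExpiration(loginTime);
            log.debug("Token reset={}", reset);
        } else {
            log.debug("Token reset skipped.");
        }

        // Publish the TokenInfo only once all checks have passed so that
        // getUserId()/getUserPrincipal()/getTokenInfo() never see a rejected token.
        tokenInfo = info;
        return true;
    }
}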