Google Git
Sign in
apache / jsecurity / refs/heads/0.9.0-beta / . / src / org / jsecurity / authc / pam / ModularRealmAuthenticator.java
blob: c2e7add86e79062c854da9b107c560de08e9ee4e [file] [log] [blame]
/*
* Copyright 2005-2008 Jeremy Haile, Les Hazlewood
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jsecurity.authc.pam;
import org.jsecurity.authc.*;
import org.jsecurity.realm.Realm;
import org.jsecurity.subject.PrincipalCollection;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
/**
* A <tt>ModularRealmAuthenticator</tt> delgates account lookups to a pluggable (modular) collection of
* {@link Realm}s. This enables PAM (Pluggable Authentication Module) behavior in JSecurity.
* In addition to authorization duties, a JSecurity Realm can also be thought of a PAM 'module'.
*
* <p>Using this Authenticator allows you to &quot;plug-in&quot; your own
* <tt>Realm</tt>s as you see fit. Common realms are those based on accessing
* LDAP, relational databases, file systems, etc.
*
* <p>If only one realm is configured (this is often the case for most applications), authentication success is naturally
* only dependent upon invoking this one Realm's
* {@link Realm#getAccount(org.jsecurity.authc.AuthenticationToken) getAccount} method.
*
* <p>But if two or more realms are configured, PAM behavior is implemented by iterating over the collection of realms
* and interacting with each over the course of the authentication attempt. As this is more complicated, this
* authenticator allows customized behavior for interpreting what happens when interacting with multiple realms - for
* example, you might require all realms to be successful during the attempt, or perhaps only at least one must be
* successful, or some other interpretation. This customized behavior can be performed via the use of a
* {@link #setModularAuthenticationStrategy(ModularAuthenticationStrategy) ModularAuthenticationStrategy}, which
* you can inject as a property of this class.
*
* <p>The strategy object provides callback methods that allow you to
* determine what constitutes a success or failure in a multi-realm (PAM) scenario. And because this only makes sense
* in a mult-realm scenario, the strategy object is only utilized when more than one Realm is configured.
*
* <p>For greater security in a multi-realm configuration, unless overridden, the default implementation is the
* {@link AllSuccessfulModularAuthenticationStrategy AllSuccessfulModularAuthenticationStrategy}
*
* @see #setRealms
* @see AllSuccessfulModularAuthenticationStrategy
* @see AtLeastOneSuccessfulModularAuthenticationStrategy
*
* @since 0.1
* @author Jeremy Haile
* @author Les Hazlewood
*/
public class ModularRealmAuthenticator extends AbstractAuthenticator {
/*--------------------------------------------
| C O N S T A N T S |
============================================*/
/*--------------------------------------------
| I N S T A N C E V A R I A B L E S |
============================================*/
/**
* List of realms that will be iterated through when a user authenticates.
*/
private Collection<? extends Realm> realms;
private ModularAuthenticationStrategy modularAuthenticationStrategy =
new AllSuccessfulModularAuthenticationStrategy();
/*--------------------------------------------
| C O N S T R U C T O R S |
============================================*/
public ModularRealmAuthenticator() {
super();
}
public ModularRealmAuthenticator( Realm realm ) {
setRealm( realm );
}
public ModularRealmAuthenticator( List<Realm> realms ) {
setRealms( realms );
}
/*--------------------------------------------
| A C C E S S O R S / M O D I F I E R S |
============================================*/
/**
* Convenience setter for single-realm environments (fairly common). This method just wraps the realm in a
* collection and then calls {@link #setRealms}.
* @param realm the realm to consult during authentication attempts.
*/
public void setRealm( Realm realm ) {
List<Realm> realms = new ArrayList<Realm>(1);
realms.add( realm );
setRealms( realms );
}
/**
* Sets all realms used by this Authenticator, providing PAM (Pluggable Authentication Module) configuration.
* @param realms the realms to consult during authentication attempts.
*/
public void setRealms( Collection<Realm> realms ) {
this.realms = realms;
}
/**
* Returns the <tt>ModularAuthenticationStrategy</tt> utilized by this modular authenticator during a multi-realm
* log-in attempt. This object is only used when two or more Realms are configured.
*
* <p>Unless overridden by
* the {@link #setModularAuthenticationStrategy(ModularAuthenticationStrategy)} method, the default implementation
* is the {@link AllSuccessfulModularAuthenticationStrategy}.
*
* @return the <tt>ModularAuthenticationStrategy</tt> utilized by this modular authenticator during a log-in attempt.
* @since 0.2
*/
public ModularAuthenticationStrategy getModularAuthenticationStrategy() {
return modularAuthenticationStrategy;
}
/**
* Allows overriding the default <tt>ModularAuthenticationStrategy</tt> utilized during multi-realm log-in attempts.
* This object is only used when two or more Realms are configured.
*
* @param modularAuthenticationStrategy the strategy implementation to use during log-in attempts.
* @since 0.2
*/
public void setModularAuthenticationStrategy( ModularAuthenticationStrategy modularAuthenticationStrategy ) {
this.modularAuthenticationStrategy = modularAuthenticationStrategy;
}
/*--------------------------------------------
| M E T H O D S |
============================================*/
/**
* Used by the internal {@link #doAuthenticate} implementation to ensure that the <tt>realms</tt> property
* has been set. The default implementation ensures the property is not null and not empty.
* @throws IllegalStateException if the <tt>realms</tt> property is configured incorrectly.
*/
protected void assertRealmsConfigured() throws IllegalStateException {
if ( realms == null || realms.isEmpty() ) {
String msg = "No realms configured for this ModularRealmAuthenticator. Configuration error.";
throw new IllegalStateException( msg );
}
}
/**
* Performs the authentication attempt by interacting with the single configured realm, which is significantly
* simpler than performing multi-realm logic.
*
* @param realm the realm to consult for Account.
* @param token the submitted AuthenticationToken representing the subject's (user's) log-in principals and credentials.
* @return the Account associated with the user account corresponding to the specified <tt>token</tt>
*/
protected Account doSingleRealmAuthentication( Realm realm, AuthenticationToken token ) {
if ( !realm.supports( token ) ) {
String msg = "Realm [" + realm + "] does not support authentication token [" +
token + "]. Please ensure that the appropriate Realm implementation is " +
"configured correctly or that the realm accepts AuthenticationTokens of this type.";
throw new UnsupportedTokenException( msg );
}
Account account = realm.getAccount( token );
if ( account == null ) {
String msg = "Realm [" + realm + "] was unable to find account data for the " +
"submitted AuthenticationToken [" + token + "].";
throw new UnknownAccountException( msg );
}
return account;
}
/**
* Performs the multi-realm authentication attempt by calling back to a {@link ModularAuthenticationStrategy} object
* as each realm is consulted for <tt>Account</tt> for the specified <tt>token</tt>.
*
* @param realms the multiple realms configured on this Authenticator instance.
* @param token the submitted AuthenticationToken representing the subject's (user's) log-in principals and credentials.
* @return an aggregated Account instance representing account data across all the successfully
* consulted realms.
*/
protected Account doMultiRealmAuthentication( Collection<? extends Realm> realms, AuthenticationToken token ) {
ModularAuthenticationStrategy strategy = getModularAuthenticationStrategy();
Account aggregate = strategy.beforeAllAttempts( realms, token );
if (log.isDebugEnabled()) {
log.debug("Iterating through [" + realms.size() + "] realms for PAM authentication");
}
for( Realm realm : realms) {
aggregate = strategy.beforeAttempt( realm, token, aggregate );
if( realm.supports( token ) ) {
if (log.isDebugEnabled()) {
log.debug("Attempting to authenticate token [" + token + "] " +
"using realm of type [" + realm + "]");
}
Account account = null;
Throwable t = null;
try {
account = realm.getAccount( token );
} catch ( Throwable throwable ) {
t = throwable;
if ( log.isTraceEnabled() ) {
String msg = "Realm [" + realm + "] threw an exception during a multi-realm authentication attempt:";
log.trace( msg, t );
}
}
aggregate = strategy.afterAttempt( realm, token, account, aggregate, t );
} else {
if (log.isDebugEnabled()) {
log.debug("Realm of type [" + realm + "] does not support token " +
"[" + token + "]. Skipping realm." );
}
}
}
aggregate = strategy.afterAllAttempts( token, aggregate );
return aggregate;
}
/**
* <p>Attempts to authenticate the given token by iterating over the internal collection of
* {@link Realm}s. For each realm, first the {@link Realm#supports(org.jsecurity.authc.AuthenticationToken)}
* method will be called to determine if the realm supports the <tt>authenticationToken</tt> method argument.
*
* If a realm does support
* the token, its {@link Realm#getAccount(org.jsecurity.authc.AuthenticationToken)}
* method will be called. If the realm returns a non-null account, the token will be
* considered authenticated for that realm and the account data recorded. If the realm returns <tt>null</tt>,
* the next realm will be consulted. If no realms support the token or all supporting realms return null,
* an {@link AuthenticationException} will be thrown to indicate that the user could not be authenticated.
*
* <p>After all realms have been consulted, the information from each realm is aggregated into a single
* {@link org.jsecurity.authc.Account} object and returned.
*
* @param authenticationToken the token containing the authentication principal and credentials for the
* user being authenticated.
* @return account information attributed to the authenticated user.
* @throws AuthenticationException if the user could not be authenticated or the user is denied authentication
* for the given principal and credentials.
*/
protected Account doAuthenticate(AuthenticationToken authenticationToken) throws AuthenticationException {
assertRealmsConfigured();
if ( realms.size() == 1 ) {
return doSingleRealmAuthentication( realms.iterator().next(), authenticationToken );
} else {
return doMultiRealmAuthentication( realms, authenticationToken );
}
}
/**
* First calls <code>super.onLogout(principals)</code> to ensure a logout event is sent, and for each
* wrapped <tt>Realm</tt> that implements the {@link LogoutAware LogoutAware} interface, calls
* <code>((LogoutAware)realm).onLogout(principals)</code> to allow each realm the opportunity to perform
* logout/cleanup operations during an user-logout.
*
* <p>JSecurity's Realm implementations all implement the <tt>LogoutAware</tt> interface by default and can be
* overridden for realm-specific logout logic.
*
* @param principals the application-specific Subject/user identifier.
*/
public void onLogout(PrincipalCollection principals) {
super.onLogout(principals);
if ( realms != null && !realms.isEmpty() ) {
for( Realm realm : realms ) {
if ( realm instanceof LogoutAware ) {
((LogoutAware)realm).onLogout(principals);
}
}
}
}
}