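/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.activemq.jaas;

import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

/**
 * A LoginModule allowing for SSL certificate based authentication based on
 * Distinguished Names (DN) stored in text files. The DNs are parsed using a
 * Properties class where each line is {@code <user_name>=<user_DN>}. This class also
 * uses a group definition file where each line is
 * {@code <group_name>=<user_name_1>,<user_name_2>,etc.}
 * The user and group files' locations must be specified in the
 * {@code org.apache.activemq.jaas.textfiledn.user} and
 * {@code org.apache.activemq.jaas.textfiledn.group} options respectively.
 * NOTE: This class will re-read user and group files for every authentication
 * (i.e. it does live updates of allowed groups and users).
 *
 * <p>Authentication is a lookup of the presented certificate's DN in the
 * user file; no user name means the connection is not authenticated. The
 * group lookup is keyed by the user name that lookup produced.
 *
 * @author sepandm@gmail.com (Sepand)
 */
public class TextFileCertificateLoginModule extends CertificateLoginModule {

    /** JAAS option naming the {@code <user_name>=<user_DN>} file. */
    private static final String USER_FILE_PROP_NAME = "org.apache.activemq.jaas.textfiledn.user";
    /** JAAS option naming the {@code <group_name>=<user_name>,...} file. */
    private static final String GROUP_FILE_PROP_NAME = "org.apache.activemq.jaas.textfiledn.group";

    // user name -> groups, built from the inverted group file
    private Map<String, Set<String>> groupsByUser;
    // certificate DN -> user name, built from the inverted user file
    private Map<String, String> usersByDn;

    /**
     * Performs initialization of file paths and (re)loads both files. A
     * standard JAAS override; the maps are rebuilt on every call, which is
     * what gives the live-update behaviour described on the class.
     *
     * @param subject         the Subject being authenticated.
     * @param callbackHandler the handler supplied by the login context.
     * @param sharedState     state shared with other login modules.
     * @param options         module options; must contain the two file options.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);

        // Both files are inverted on load: the properties file is keyed by the
        // name the administrator writes, the lookups here are keyed by DN /
        // user name. load(...) is provided by the superclass.
        usersByDn = load(USER_FILE_PROP_NAME, "", options).invertedPropertiesMap();
        groupsByUser = load(GROUP_FILE_PROP_NAME, "", options).invertedPropertiesValuesMap();
    }

    /**
     * Overriding to allow DN authorization based on DNs specified in text
     * files.
     *
     * @param certs The certificate the incoming connection provided.
     * @return The user's authenticated name or null if unable to authenticate
     *         the user (no certificate DN, or DN not listed in the user file).
     * @throws LoginException Thrown if unable to find user file or connection
     *         certificate.
     */
    @Override
    protected String getUserNameForCertificates(final X509Certificate[] certs) throws LoginException {
        if (certs == null) {
            throw new LoginException("Client certificates not found. Cannot authenticate.");
        }

        // getDistinguishedName is inherited; treat a missing DN as "no user"
        // rather than handing a null key to the map (null-hostile map
        // implementations would throw instead of returning null).
        String dn = getDistinguishedName(certs);
        if (dn == null) {
            return null;
        }
        return usersByDn.get(dn);
    }

    /**
     * Overriding to allow for group discovery based on text files.
     *
     * @param username The name of the user being examined. This is the same
     *        name returned by getUserNameForCertificates.
     * @return A read-only Set of name Strings for groups this user belongs to;
     *         empty if the user is in no group.
     * @throws LoginException Thrown if unable to find group definition file.
     */
    @Override
    protected Set<String> getUserGroups(String username) throws LoginException {
        Set<String> userGroups = groupsByUser.get(username);
        if (userGroups == null) {
            return Collections.emptySet();
        }
        // Expose a view, not the map's own set, so a caller cannot change the
        // group membership this module authorises against. The empty-set
        // branch was already unmodifiable, so this only makes the two
        // results consistent.
        return Collections.unmodifiableSet(userGroups);
    }
}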