Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.apache.hadoop.gateway.shirorealm; import java.util.LinkedHashSet; import java.util.Set; import org.apache.hadoop.gateway.GatewayMessages; import org.apache.hadoop.gateway.audit.api.Action; import org.apache.hadoop.gateway.audit.api.ActionOutcome; import org.apache.hadoop.gateway.audit.api.ResourceType; import org.apache.hadoop.gateway.audit.api.AuditService; import org.apache.hadoop.gateway.audit.api.AuditServiceFactory; import org.apache.hadoop.gateway.audit.api.Auditor; import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants; import org.apache.hadoop.gateway.i18n.messages.MessagesFactory; import org.apache.hadoop.gateway.shirorealm.impl.i18n.KnoxShiroMessages; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.authc.credential.HashedCredentialsMatcher; import org.apache.shiro.crypto.hash.*; import org.jvnet.libpam.PAM; import org.jvnet.libpam.PAMException; import org.jvnet.libpam.UnixUser; /** * A Unix-style * <a href="http://www.kernel.org/pub/linux/libs/pam/index.html">PAM</a> * {@link org.apache.shiro.realm.Realm Realm} that uses * <a href="https://github.com/kohsuke/libpam4j">libpam4j</a> to interface with * the PAM system libraries. * <p> * This is a single Shiro {@code Realm} that interfaces with the OS's * {@code PAM} subsystem which itself can be connected to several authentication * methods (unix-crypt,Samba, LDAP, etc.) * <p> * This {@code Realm} can also take part in Shiro's Pluggable Realms concept. * <p> * Using a {@code KnoxPamRealm} requires a PAM {@code service} name. This is the * name of the file under {@code /etc/pam.d} that is used to initialise and * configure the PAM subsytem. Normally, this file reflects the application * using it. For example {@code gdm}, {@code su}, etc. There is no default value * for this propery. * <p> * For example, defining this realm in Shiro .ini: * * <pre> * [main] * pamRealm = org.apache.shiro.realm.libpam4j.KnoxPamRealm * pamRealm.service = [ knox-pam-ldap-service | knox-pam-os-service | knox-pam-winbind-service ] * [urls] * **=authcBasic * </pre> * */ public class KnoxPamRealm extends AuthorizingRealm { private static final String HASHING_ALGORITHM = "SHA-256"; private static final String SUBJECT_USER_ROLES = "subject.userRoles"; private static final String SUBJECT_USER_GROUPS = "subject.userGroups"; private HashService hashService = new DefaultHashService(); KnoxShiroMessages ShiroLog = MessagesFactory.get(KnoxShiroMessages.class); GatewayMessages GatewayLog = MessagesFactory.get(GatewayMessages.class); private static AuditService auditService = AuditServiceFactory.getAuditService(); private static Auditor auditor = auditService.getAuditor(AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME); private String service; public KnoxPamRealm() { HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(HASHING_ALGORITHM); setCredentialsMatcher(credentialsMatcher); } public void setService(String service) { this.service = service; } public String getService() { return this.service; } @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { Set<String> roles = new LinkedHashSet<String>(); UnixUserPrincipal user = principals.oneByType(UnixUserPrincipal.class); if (user != null) { roles.addAll(user.getUnixUser().getGroups()); } SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, roles); SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, roles); /* Coverity Scan CID 1361682 */ String userName = null; if (user != null) { userName = user.getName(); } GatewayLog.lookedUpUserRoles(roles, userName); return new SimpleAuthorizationInfo(roles); } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { UsernamePasswordToken upToken = (UsernamePasswordToken) token; UnixUser user = null; try { user = (new PAM(this.getService())).authenticate(upToken.getUsername(), new String(upToken.getPassword())); } catch (PAMException e) { handleAuthFailure(token, e.getMessage(), e); } HashRequest.Builder builder = new HashRequest.Builder(); Hash credentialsHash = hashService .computeHash(builder.setSource(token.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build()); /* Coverity Scan CID 1361684 */ if (credentialsHash == null) { handleAuthFailure(token, "Failed to compute hash", null); } return new SimpleAuthenticationInfo(new UnixUserPrincipal(user), credentialsHash.toHex(), credentialsHash.getSalt(), getName()); } private void handleAuthFailure(AuthenticationToken token, String errorMessage, Exception e) { auditor.audit(Action.AUTHENTICATION, token.getPrincipal().toString(), ResourceType.PRINCIPAL, ActionOutcome.FAILURE, errorMessage); ShiroLog.failedLoginInfo(token); if (e != null) { ShiroLog.failedLoginAttempt(e.getCause()); throw new AuthenticationException(e); } throw new AuthenticationException(errorMessage); } }