Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.usergrid.security.shiro; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher; import org.apache.shiro.authc.credential.CredentialsMatcher; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.permission.PermissionResolver; import org.apache.shiro.cache.CacheManager; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.session.Session; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.Subject; import org.apache.usergrid.management.AccountCreationProps; import org.apache.usergrid.management.ManagementService; import org.apache.usergrid.persistence.EntityManagerFactory; import org.apache.usergrid.security.shiro.credentials.*; import org.apache.usergrid.security.shiro.principals.*; import org.apache.usergrid.security.tokens.TokenService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import static org.apache.usergrid.management.AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_ALLOWED; public class Realm extends AuthorizingRealm { private static final Logger logger = LoggerFactory.getLogger(Realm.class); public final static String ROLE_SERVICE_ADMIN = "service-admin"; public final static String ROLE_ADMIN_USER = "admin-user"; public final static String ROLE_ORGANIZATION_ADMIN = "organization-admin"; public final static String ROLE_APPLICATION_ADMIN = "application-admin"; public final static String ROLE_APPLICATION_USER = "application-user"; private EntityManagerFactory emf; private ManagementService management; private TokenService tokens; @Value("${" + PROPERTIES_SYSADMIN_LOGIN_ALLOWED + "}") private boolean superUserEnabled; @Value("${" + AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_NAME + ":admin}") private String superUser; public Realm() { setCredentialsMatcher(new AllowAllCredentialsMatcher()); setPermissionResolver(new CustomPermissionResolver()); } public Realm(CacheManager cacheManager) { super(cacheManager); setCredentialsMatcher(new AllowAllCredentialsMatcher()); setPermissionResolver(new CustomPermissionResolver()); setCachingEnabled(true); setAuthenticationCachingEnabled(true); } public Realm(CredentialsMatcher matcher) { super(new AllowAllCredentialsMatcher()); setPermissionResolver(new CustomPermissionResolver()); } public Realm(CacheManager cacheManager, CredentialsMatcher matcher) { super(cacheManager, new AllowAllCredentialsMatcher()); setPermissionResolver(new CustomPermissionResolver()); setCachingEnabled(true); setAuthenticationCachingEnabled(true); } @Override public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) { if (!(credentialsMatcher instanceof AllowAllCredentialsMatcher)) { if (logger.isDebugEnabled()) { logger.debug("Replacing {} with AllowAllCredentialsMatcher", credentialsMatcher); } credentialsMatcher = new AllowAllCredentialsMatcher(); } super.setCredentialsMatcher(credentialsMatcher); } @Override public void setPermissionResolver(PermissionResolver permissionResolver) { if (!(permissionResolver instanceof CustomPermissionResolver)) { if (logger.isDebugEnabled()) { logger.debug("Replacing {} with CustomPermissionResolver", permissionResolver); } permissionResolver = new CustomPermissionResolver(); } super.setPermissionResolver(permissionResolver); } @Autowired public void setEntityManagerFactory(EntityManagerFactory emf) { this.emf = emf; } @Autowired public void setManagementService(ManagementService management) { this.management = management; } @Autowired public void setTokenService(TokenService tokens) { this.tokens = tokens; } @Override protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) { UsergridAuthorizationInfo info = (UsergridAuthorizationInfo) super.getAuthorizationInfo(principals); Subject currentUser = SecurityUtils.getSubject(); Session session = currentUser.getSession(); session.setAttribute("applications", info.getApplicationSet()); session.setAttribute("organizations", info.getOrganizationSet()); if (info.getOrganization() != null) { session.setAttribute("organization", info.getOrganization()); } if (info.getApplication() != null) { session.setAttribute("application", info.getApplication()); } return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { PrincipalCredentialsToken pcToken = (PrincipalCredentialsToken) token; if (pcToken.getCredentials() == null) { throw new CredentialsException("Missing credentials"); } boolean authenticated = false; PrincipalIdentifier principal = pcToken.getPrincipal(); PrincipalCredentials credentials = pcToken.getCredentials(); if (credentials instanceof ClientCredentials) { authenticated = true; } else if ((principal instanceof AdminUserPrincipal) && (credentials instanceof AdminUserPassword)) { authenticated = true; } else if ((principal instanceof AdminUserPrincipal) && (credentials instanceof AdminUserAccessToken)) { authenticated = true; } else if ((principal instanceof ApplicationUserPrincipal) && (credentials instanceof ApplicationUserAccessToken)) { authenticated = true; } else if ((principal instanceof ApplicationPrincipal) && (credentials instanceof ApplicationAccessToken)) { authenticated = true; } else if ((principal instanceof OrganizationPrincipal) && (credentials instanceof OrganizationAccessToken)) { authenticated = true; } if (principal != null) { if (!principal.isActivated()) { throw new AuthenticationException("Unactivated identity"); } if (principal.isDisabled()) { throw new AuthenticationException("Disabled identity"); } } if (!authenticated) { throw new AuthenticationException("Unable to authenticate"); } if (logger.isTraceEnabled()) { logger.trace("Authenticated: {}", principal); } return new SimpleAuthenticationInfo(pcToken.getPrincipal(), pcToken.getCredentials(), getName()); } @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { UsergridAuthorizationInfo info = new UsergridAuthorizationInfo(); for (PrincipalIdentifier principal : principals.byType(PrincipalIdentifier.class)) { principal.grant(info, emf, management, tokens); } return info; } @Override public boolean isAuthorizationCachingEnabled() { return getCacheManager() != null; } public boolean isAuthenticationCachingEnabled() { return getCacheManager() != null; } @Override public boolean isCachingEnabled() { return getCacheManager() != null; } @Override public void setCacheManager(CacheManager cacheManager) { super.setCacheManager(cacheManager); } @Override public CacheManager getCacheManager() { return super.getCacheManager(); } @Override public boolean supports(AuthenticationToken token) { return token instanceof PrincipalCredentialsToken; } }