Author: bdaw
Date: 2007-02-16 11:21:24 -0500 (Fri, 16 Feb 2007)
New Revision: 6321
Added:
trunk/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLdapExtLoginModule.java
trunk/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLdapLoginModule.java
Modified:
trunk/core/src/resources/portal-core-sar/conf/identity/ldap_identity-config.xml
trunk/core/src/resources/portal-core-sar/conf/login-config.xml
Log:
- login modules that synchronize ldap users into db after successful authentication
Modified: trunk/core/src/resources/portal-core-sar/conf/identity/ldap_identity-config.xml
===================================================================
---
trunk/core/src/resources/portal-core-sar/conf/identity/ldap_identity-config.xml 2007-02-16
15:31:35 UTC (rev 6320)
+++
trunk/core/src/resources/portal-core-sar/conf/identity/ldap_identity-config.xml 2007-02-16
16:21:24 UTC (rev 6321)
@@ -33,7 +33,7 @@
<config>
<option>
<name>host</name>
- <value>localhost</value>
+ <value>example.com</value>
</option>
<option>
<name>port</name>
@@ -45,7 +45,7 @@
</option>
<option>
<name>adminPassword</name>
- <value>password</value>
+ <value>lolo</value>
</option>
<!--<option>
<name>protocol</name>
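Review bot: The `adminPassword` change from `password` to `lolo` in this hunk, and the `host` change from `localhost` to `example.com` in the hunk above, look like local test settings rather than part of the login-module work described in the log. A directory admin password kept as a literal in a default configuration file tends to be deployed unchanged. If the value has to stay, I would put a comment next to it: `<!-- sample value only: set the real LDAP admin password per deployment and restrict read access to this file -->`. If `lolo` is in use on any real directory it should be rotated, since it is now part of the repository history. The enclosing `<config>` element starts and ends outside both hunks.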
Modified: trunk/core/src/resources/portal-core-sar/conf/login-config.xml
===================================================================
--- trunk/core/src/resources/portal-core-sar/conf/login-config.xml 2007-02-16 15:31:35 UTC
(rev 6320)
+++ trunk/core/src/resources/portal-core-sar/conf/login-config.xml 2007-02-16 16:21:24 UTC
(rev 6321)
@@ -48,8 +48,45 @@
<module-option
name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">HEX</module-option>
<module-option
name="additionalRole">Authenticated</module-option>
- </login-module>
--->
+ </login-module>-->
+
+
+ <!--Use can use this module instead of IdentityLoginModule to bind to LDAP.
It simply extends JBossSX LdapExtLoginModule so
+ all configuration that can be applied to LdapExtLoginModule also can be applied
here. For user that
+ was authenticated successfully it will try to take identity modules from
portal, check if such user (and roles it belongs to)
+ is present, and if not it will try to create them. Then for all roles assigned
to this authenticated principal it will
+ try to check and create them using identity modules. This behaviour can be
disabled using "synchronizeRoles". You can also
+ define one "defaultAssignRole" that will be always assigned to
synchronized user.
+ It is also possible to set option "synchronizeIdentity" to
"false" so this module will act exactly like LdapExtLoginModule
+ but it will inject role defined in "additionalRole". For obvious
reasons
+ this is designed to use with portal identity modules configured with DB and not
LDAP-->
+ <!--There is also SynchronizingLdapLoginModule which provide the same set of
options on top of JBossSX LdapLoginModule-->
+ <!--<login-module
code="org.jboss.portal.identity.auth.SynchronizingLdapExtLoginModule"
flag="required">
+ <module-option
name="synchronizeIdentity">true</module-option>
+ <module-option
name="synchronizeRoles">false</module-option>
+ <module-option
name="additionalRole">Authenticated</module-option>
+ <module-option
name="defaultAssignedRole">User</module-option>
+ <module-option
name="userModuleJNDIName">java:/portal/UserModule</module-option>
+ <module-option
name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
+ <module-option
name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
+ <module-option
name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
+ <module-option
name="java.naming.provider.url">ldap://dev39.qa.atl.jboss.com:10389/</module-option>
+ <module-option
name="java.naming.security.authentication">simple</module-option>
+ <module-option name="bindDN">cn=Directory
Manager</module-option>
+ <module-option
name="bindCredential">qpq123qpq</module-option>
+ <module-option
name="baseCtxDN">ou=People,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
+ <module-option
name="baseFilter">(uid={0})</module-option>
+ <module-option
name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=qa,dc=atl,dc=jboss,dc=com</module-option>
+ <module-option
name="roleFilter">(member={1})</module-option>
+ <module-option
name="roleAttributeID">cn</module-option>
+ <module-option name="roleRecursion">-1</module-option>
+ <module-option
name="searchTimeLimit">10000</module-option>
+ <module-option
name="searchScope">SUBTREE_SCOPE</module-option>
+ </login-module>-->
+
+
+ <!--To configure LDAP support with IdentityLoginModule please check
documentation on how to
+ configure portal identity modules for this-->
<login-module
code="org.jboss.portal.identity.auth.IdentityLoginModule"
flag="required">
<module-option
name="unauthenticatedIdentity">guest</module-option>
<module-option
name="userModuleJNDIName">java:/portal/UserModule</module-option>
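Review bot: The commented-out sample carries what looks like a working bind credential (`bindCredential` = `qpq123qpq` for `cn=Directory Manager`) and an internal QA host in `java.naming.provider.url`. Shipped examples should use obvious placeholders such as `<module-option name="bindCredential">CHANGE_ME</module-option>` and `ldap://ldap.example.com:389/`. The sample also pairs `simple` authentication with a plain `ldap://` URL, so the bind password and every user password checked against the directory cross the network unencrypted; a one-line comment recommending `ldaps://` would help whoever copies the block. In the explanatory comment the option is called "defaultAssignRole", while the sample and the module code read `defaultAssignedRole`, and "Use can use" should be "You can use". The surrounding `<application-policy>` starts and ends outside the hunk.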
Added:
trunk/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLdapExtLoginModule.java
===================================================================
---
trunk/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLdapExtLoginModule.java
(rev 0)
+++
trunk/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLdapExtLoginModule.java 2007-02-16
16:21:24 UTC (rev 6321)
@@ -0,0 +1,335 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+
+package org.jboss.portal.identity.auth;
+
+import org.jboss.security.auth.spi.LdapExtLoginModule;
+import org.jboss.portal.identity.UserModule;
+import org.jboss.portal.identity.RoleModule;
+import org.jboss.portal.identity.MembershipModule;
+import org.jboss.portal.identity.User;
+import org.jboss.portal.identity.Role;
+import org.jboss.portal.identity.IdentityException;
+import org.jboss.portal.common.transaction.Transactions;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.callback.CallbackHandler;
+import javax.naming.InitialContext;
+import javax.transaction.TransactionManager;
+import java.util.Map;
+import java.util.Set;
+import java.util.HashSet;
+import java.util.Enumeration;
+import java.security.acl.Group;
+import java.security.Principal;
+
+/**
+ * @author <a href="mailto:boleslaw dot dawidowicz at redhat anotherdot
com">Boleslaw Dawidowicz</a>
+ * @version $Revision: 0.1 $
+ */
+public class SynchronizingLdapExtLoginModule extends LdapExtLoginModule
+{
+ protected String additionalRole;
+ protected String defaultAssignedRole;
+ protected String synchronizeIdentity;
+ protected String synchronizeRoles;
+ protected String userModuleJNDIName;
+ protected String roleModuleJNDIName;
+ protected String membershipModuleJNDIName;
+
+
+ private UserModule userModule;
+ private RoleModule roleModule;
+ private MembershipModule membershipModule;
+
+ public void initialize(Subject subject, CallbackHandler callbackHandler, Map
sharedState, Map options)
+ {
+ super.initialize(subject, callbackHandler, sharedState, options);
+
+
+ // Get data
+ userModuleJNDIName = (String)options.get("userModuleJNDIName");
+ roleModuleJNDIName = (String)options.get("roleModuleJNDIName");
+ membershipModuleJNDIName =
(String)options.get("membershipModuleJNDIName");
+ additionalRole = (String)options.get("additionalRole");
+ synchronizeIdentity = (String)options.get("synchronizeIdentity");
+ synchronizeRoles = (String)options.get("synchronizeRoles");
+ defaultAssignedRole = (String)options.get("defaultAssignedRole");
+
+ // Some info
+ log.trace("additionalRole = " + additionalRole);
+ log.trace("userModuleJNDIName = " + userModuleJNDIName);
+ log.trace("roleModuleJNDIName = " + roleModuleJNDIName);
+ log.trace("membershipModuleJNDIName = " + membershipModuleJNDIName);
+ log.trace("synchronizeIdentity = " + synchronizeIdentity);
+ log.trace("synchronizeRoles = " + synchronizeRoles);
+ log.trace("defaultAssignedRole = " + defaultAssignedRole);
+ }
+
+ protected UserModule getUserModule() throws Exception
+ {
+ if (userModule == null)
+ {
+ userModule = (UserModule)new InitialContext().lookup(userModuleJNDIName);
+ }
+ if (userModule == null)
+ {
+ throw new IdentityException("Cannot obtain UserModule using JNDI
name:" + userModuleJNDIName);
+ }
+
+ return userModule;
+ }
+
+ protected RoleModule getRoleModule() throws Exception
+ {
+
+ if (roleModule == null)
+ {
+ roleModule = (RoleModule)new InitialContext().lookup(roleModuleJNDIName);
+ }
+ if (roleModule == null)
+ {
+ throw new IdentityException("Cannot obtain RoleModule using JNDI
name:" + roleModuleJNDIName);
+ }
+ return roleModule;
+ }
+
+ protected MembershipModule getMembershipModule() throws Exception
+ {
+
+ if (membershipModule == null)
+ {
+ membershipModule = (MembershipModule)new
InitialContext().lookup(membershipModuleJNDIName);
+ }
+ if (membershipModule == null)
+ {
+ throw new IdentityException("Cannot obtain MembershipModule using JNDI
name:" + membershipModuleJNDIName);
+ }
+ return membershipModule;
+ }
+
+
+ protected boolean validatePassword(String string, String string1)
+ {
+ boolean validate = super.validatePassword(string, string1);
+
+ if (validate && isSynchronizeIdentity())
+ {
+ try
+ {
+ performSynchronization(getUsername(), string);
+ }
+ catch (Throwable e)
+ {
+ log.warn("Failed to sychronize identity of user: " + string, e);
+ }
+ }
+
+ return validate;
+ }
+
+ protected Group[] getRoleSets() throws LoginException
+ {
+ Group[] rolesGroup = super.getRoleSets();
+ if (additionalRole != null)
+ {
+ try
+ {
+ for (int i = 0; i < rolesGroup.length; i++)
+ {
+ Group group = rolesGroup[i];
+ if (group.getName().equals("Roles"))
+ {
+ group.addMember(createIdentity(additionalRole));
+ }
+ }
+ }
+ catch (Exception e)
+ {
+ //just a try
+ log.error("Error when adding additional role: ", e);
+ }
+ }
+ return rolesGroup;
+ }
+
+ /** Subclass to use the PortalPrincipal to make the username easier to retrieve by the
portal. */
+ protected Principal createIdentity(String username) throws Exception
+ {
+ return new UserPrincipal(username);
+ }
+
+ private void performSynchronization(final String name, final String password) throws
Exception
+ {
+ final Group[] group = super.getRoleSets();
+
+ log.debug("$$Synchronizing user: " + name);
+
+ if (log.isDebugEnabled())
+ {
+ for (int i = 0; i < group.length; i++)
+ {
+ Group group1 = group[i];
+ log.debug("$$Role Group: " + group1.getName());
+ Enumeration xx = group1.members();
+ while (xx.hasMoreElements())
+ {
+ Principal o = (Principal)xx.nextElement();
+ log.debug("$$Principal in group: " + o.getName() + ";
" + o.toString());
+
+ }
+ }
+ }
+ try
+ {
+ TransactionManager tm = (TransactionManager)new
InitialContext().lookup("java:/TransactionManager");
+ Transactions.required(tm, new Transactions.Runnable()
+ {
+ public Object run() throws Exception
+ {
+ try
+ {
+
+
+ User user = null;
+ //check if user exist
+ try
+ {
+
+ user = getUserModule().findUserByUserName(name);
+
+ //synchronize password from LDAP to DB
+ if (!user.validatePassword(password))
+ {
+ user.updatePassword(password);
+ }
+ }
+ catch (Exception e)
+ {
+ // nothing as user can simply not exist
+ }
+
+ //if not try to synchronize it
+ if (user == null)
+ {
+ user = getUserModule().createUser(name, password);
+ }
+
+ Set rolesToAssign = new HashSet();
+
+ //now check and try synchronize all the roles
+ if (isSynchronizeRoles())
+ {
+
+ //based on code implementation its just one SimpleGroup called
"Roles"
+ Group roleGroup = group[0];
+ Enumeration en = roleGroup.members();
+ while (en.hasMoreElements())
+ {
+ Principal p = (Principal)en.nextElement();
+ String roleName = p.getName();
+ log.debug("$$Processing role principal object related to
current user: " + roleName);
+ //check if such role is present
+
+ Role role = null;
+ try
+ {
+ role = getRoleModule().findRoleByName(roleName);
+ }
+ catch (Exception e)
+ {
+ //
+ }
+
+ if (role == null)
+ {
+ try
+ {
+ role = getRoleModule().createRole(roleName, roleName);
+ }
+ catch (Throwable e)
+ {
+ log.warn("Error when trying to synchronize role:
" + roleName, e);
+ continue;
+ }
+ }
+
+ rolesToAssign.add(role);
+ }
+ }
+
+ if (defaultAssignedRole != null)
+ {
+ try
+ {
+
rolesToAssign.add(getRoleModule().findRoleByName(defaultAssignedRole));
+ }
+ catch(Exception e)
+ {
+ //
+ log.warn("Cannot find defaultAssignedRole: " +
defaultAssignedRole, e);
+ }
+ }
+
+ if (rolesToAssign.size() > 0)
+ {
+ getMembershipModule().assignRoles(user, rolesToAssign);
+ }
+
+ return null;
+
+ }
+ catch (Exception e)
+ {
+ throw new LoginException(e.toString());
+ }
+ }
+ });
+ }
+ catch (Exception e)
+ {
+ Throwable cause = e.getCause();
+ throw new LoginException(cause.toString());
+ }
+ }
+
+ protected boolean isSynchronizeIdentity()
+ {
+ if (synchronizeIdentity != null &&
synchronizeIdentity.equalsIgnoreCase("false"))
+ {
+ return Boolean.FALSE.booleanValue();
+ }
+ return Boolean.TRUE.booleanValue();
+ }
+
+ protected boolean isSynchronizeRoles()
+ {
+ if (synchronizeRoles != null &&
synchronizeRoles.equalsIgnoreCase("false"))
+ {
+ return Boolean.FALSE.booleanValue();
+ }
+ return Boolean.TRUE.booleanValue();
+ }
+
+
+}
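Review bot: In `validatePassword` the failure path logs the cleartext password, because `string` in `log.warn("Failed to sychronize identity of user: " + string, e)` is the same value passed as `password` to `performSynchronization(getUsername(), string)`. The line should read `log.warn("Failed to synchronize identity of user: " + getUsername(), e);`. SynchronizingLdapLoginModule.java has the identical line. Separately, the outer `catch (Exception e)` in `performSynchronization` calls `e.getCause().toString()` without a null check, and the inner handler builds `new LoginException(e.toString())` with no cause, so a failure there would probably surface as a NullPointerException that hides the real error. `throw new LoginException(String.valueOf(cause != null ? cause : e));` avoids that.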
Added:
trunk/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLdapLoginModule.java
===================================================================
---
trunk/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLdapLoginModule.java
(rev 0)
+++
trunk/identity/src/main/org/jboss/portal/identity/auth/SynchronizingLdapLoginModule.java 2007-02-16
16:21:24 UTC (rev 6321)
@@ -0,0 +1,335 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+
+package org.jboss.portal.identity.auth;
+
+import org.jboss.security.auth.spi.LdapLoginModule;
+import org.jboss.portal.identity.UserModule;
+import org.jboss.portal.identity.RoleModule;
+import org.jboss.portal.identity.MembershipModule;
+import org.jboss.portal.identity.IdentityException;
+import org.jboss.portal.identity.User;
+import org.jboss.portal.identity.Role;
+import org.jboss.portal.common.transaction.Transactions;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.callback.CallbackHandler;
+import javax.naming.InitialContext;
+import javax.transaction.TransactionManager;
+import java.util.Map;
+import java.util.Enumeration;
+import java.util.Set;
+import java.util.HashSet;
+import java.security.acl.Group;
+import java.security.Principal;
+
+/**
+ * @author <a href="mailto:boleslaw dot dawidowicz at redhat anotherdot
com">Boleslaw Dawidowicz</a>
+ * @version $Revision: 0.1 $
+ */
+public class SynchronizingLdapLoginModule extends LdapLoginModule
+{
+ protected String additionalRole;
+ protected String defaultAssignedRole;
+ protected String synchronizeIdentity;
+ protected String synchronizeRoles;
+ protected String userModuleJNDIName;
+ protected String roleModuleJNDIName;
+ protected String membershipModuleJNDIName;
+
+
+ private UserModule userModule;
+ private RoleModule roleModule;
+ private MembershipModule membershipModule;
+
+ public void initialize(Subject subject, CallbackHandler callbackHandler, Map
sharedState, Map options)
+ {
+ super.initialize(subject, callbackHandler, sharedState, options);
+
+
+ // Get data
+ userModuleJNDIName = (String)options.get("userModuleJNDIName");
+ roleModuleJNDIName = (String)options.get("roleModuleJNDIName");
+ membershipModuleJNDIName =
(String)options.get("membershipModuleJNDIName");
+ additionalRole = (String)options.get("additionalRole");
+ synchronizeIdentity = (String)options.get("synchronizeIdentity");
+ synchronizeRoles = (String)options.get("synchronizeRoles");
+ defaultAssignedRole = (String)options.get("defaultAssignedRole");
+
+ // Some info
+ log.trace("additionalRole = " + additionalRole);
+ log.trace("userModuleJNDIName = " + userModuleJNDIName);
+ log.trace("roleModuleJNDIName = " + roleModuleJNDIName);
+ log.trace("membershipModuleJNDIName = " + membershipModuleJNDIName);
+ log.trace("synchronizeIdentity = " + synchronizeIdentity);
+ log.trace("synchronizeRoles = " + synchronizeRoles);
+ log.trace("defaultAssignedRole = " + defaultAssignedRole);
+ }
+
+ protected UserModule getUserModule() throws Exception
+ {
+ if (userModule == null)
+ {
+ userModule = (UserModule)new InitialContext().lookup(userModuleJNDIName);
+ }
+ if (userModule == null)
+ {
+ throw new IdentityException("Cannot obtain UserModule using JNDI
name:" + userModuleJNDIName);
+ }
+
+ return userModule;
+ }
+
+ protected RoleModule getRoleModule() throws Exception
+ {
+
+ if (roleModule == null)
+ {
+ roleModule = (RoleModule)new InitialContext().lookup(roleModuleJNDIName);
+ }
+ if (roleModule == null)
+ {
+ throw new IdentityException("Cannot obtain RoleModule using JNDI
name:" + roleModuleJNDIName);
+ }
+ return roleModule;
+ }
+
+ protected MembershipModule getMembershipModule() throws Exception
+ {
+
+ if (membershipModule == null)
+ {
+ membershipModule = (MembershipModule)new
InitialContext().lookup(membershipModuleJNDIName);
+ }
+ if (membershipModule == null)
+ {
+ throw new IdentityException("Cannot obtain MembershipModule using JNDI
name:" + membershipModuleJNDIName);
+ }
+ return membershipModule;
+ }
+
+
+ protected boolean validatePassword(String string, String string1)
+ {
+ boolean validate = super.validatePassword(string, string1);
+
+ if (validate && isSynchronizeIdentity())
+ {
+ try
+ {
+ performSynchronization(getUsername(), string);
+ }
+ catch (Throwable e)
+ {
+ log.warn("Failed to sychronize identity of user: " + string, e);
+ }
+ }
+
+ return validate;
+ }
+
+ protected Group[] getRoleSets() throws LoginException
+ {
+ Group[] rolesGroup = super.getRoleSets();
+ if (additionalRole != null)
+ {
+ try
+ {
+ for (int i = 0; i < rolesGroup.length; i++)
+ {
+ Group group = rolesGroup[i];
+ if (group.getName().equals("Roles"))
+ {
+ group.addMember(createIdentity(additionalRole));
+ }
+ }
+ }
+ catch (Exception e)
+ {
+ //just a try
+ log.error("Error when adding additional role: ", e);
+ }
+ }
+ return rolesGroup;
+ }
+
+ /** Subclass to use the PortalPrincipal to make the username easier to retrieve by the
portal. */
+ protected Principal createIdentity(String username) throws Exception
+ {
+ return new UserPrincipal(username);
+ }
+
+ private void performSynchronization(final String name, final String password) throws
Exception
+ {
+ final Group[] group = super.getRoleSets();
+
+ log.debug("$$Synchronizing user: " + name);
+
+ if (log.isDebugEnabled())
+ {
+ for (int i = 0; i < group.length; i++)
+ {
+ Group group1 = group[i];
+ log.debug("$$Role Group: " + group1.getName());
+ Enumeration xx = group1.members();
+ while (xx.hasMoreElements())
+ {
+ Principal o = (Principal)xx.nextElement();
+ log.debug("$$Principal in group: " + o.getName() + ";
" + o.toString());
+
+ }
+ }
+ }
+ try
+ {
+ TransactionManager tm = (TransactionManager)new
InitialContext().lookup("java:/TransactionManager");
+ Transactions.required(tm, new Transactions.Runnable()
+ {
+ public Object run() throws Exception
+ {
+ try
+ {
+
+
+ User user = null;
+ //check if user exist
+ try
+ {
+
+ user = getUserModule().findUserByUserName(name);
+
+ //synchronize password from LDAP to DB
+ if (!user.validatePassword(password))
+ {
+ user.updatePassword(password);
+ }
+ }
+ catch (Exception e)
+ {
+ // nothing as user can simply not exist
+ }
+
+ //if not try to synchronize it
+ if (user == null)
+ {
+ user = getUserModule().createUser(name, password);
+ }
+
+ Set rolesToAssign = new HashSet();
+
+ //now check and try synchronize all the roles
+ if (isSynchronizeRoles())
+ {
+
+ //based on code implementation its just one SimpleGroup called
"Roles"
+ Group roleGroup = group[0];
+ Enumeration en = roleGroup.members();
+ while (en.hasMoreElements())
+ {
+ Principal p = (Principal)en.nextElement();
+ String roleName = p.getName();
+ log.debug("$$Processing role principal object related to
current user: " + roleName);
+ //check if such role is present
+
+ Role role = null;
+ try
+ {
+ role = getRoleModule().findRoleByName(roleName);
+ }
+ catch (Exception e)
+ {
+ //
+ }
+
+ if (role == null)
+ {
+ try
+ {
+ role = getRoleModule().createRole(roleName, roleName);
+ }
+ catch (Throwable e)
+ {
+ log.warn("Error when trying to synchronize role:
" + roleName, e);
+ continue;
+ }
+ }
+
+ rolesToAssign.add(role);
+ }
+ }
+
+ if (defaultAssignedRole != null)
+ {
+ try
+ {
+
rolesToAssign.add(getRoleModule().findRoleByName(defaultAssignedRole));
+ }
+ catch(Exception e)
+ {
+ //
+ log.warn("Cannot find defaultAssignedRole: " +
defaultAssignedRole, e);
+ }
+ }
+
+ if (rolesToAssign.size() > 0)
+ {
+ getMembershipModule().assignRoles(user, rolesToAssign);
+ }
+
+ return null;
+
+ }
+ catch (Exception e)
+ {
+ throw new LoginException(e.toString());
+ }
+ }
+ });
+ }
+ catch (Exception e)
+ {
+ Throwable cause = e.getCause();
+ throw new LoginException(cause.toString());
+ }
+ }
+
+ protected boolean isSynchronizeIdentity()
+ {
+ if (synchronizeIdentity != null &&
synchronizeIdentity.equalsIgnoreCase("false"))
+ {
+ return Boolean.FALSE.booleanValue();
+ }
+ return Boolean.TRUE.booleanValue();
+ }
+
+ protected boolean isSynchronizeRoles()
+ {
+ if (synchronizeRoles != null &&
synchronizeRoles.equalsIgnoreCase("false"))
+ {
+ return Boolean.FALSE.booleanValue();
+ }
+ return Boolean.TRUE.booleanValue();
+ }
+
+
+}
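Review bot: This class is a line-for-line copy of SynchronizingLdapExtLoginModule apart from the superclass and its import, so every fix to the synchronization path has to be made twice and can drift. I would move the option parsing, the JNDI lookups and `performSynchronization` into one shared package-private helper that both modules delegate to, leaving only the `validatePassword` and `getRoleSets` overrides in each class. Independently, `Group roleGroup = group[0];` assumes the superclass returns the "Roles" group first, while `getRoleSets()` in this same class finds it by name. The inline comment about "one SimpleGroup" may have been checked only against LdapExtLoginModule, so either look the group up by name here too or add `// assumes super.getRoleSets() returns the "Roles" group at index 0 - confirm for LdapLoginModule`.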