Source Code of org.jboss.as.jacorb.security.TrustedIdentityTokenLoginModule

package org.jboss.as.jacorb.security;

import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;

import org.jboss.as.jacorb.csiv2.idl.SASCurrent;
import org.jboss.security.auth.callback.SecurityAssociationCallback;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

/**
 * Login module that allows a user to authenticate as long as an identity token is present.
 * <p/>
 * Subclasses can override {@link #validateCredential(String, org.jboss.as.jacorb.csiv2.idl.SASCurrent)} to
 * implement identity token validation logic.
 * <p/>
 * WARNING: Installing this class as a login module without subclassing and implementing validation essentially
 * means that the server will trust any incoming CORBA invocation.
 *
 * @author Stuart Douglas
 */
public class TrustedIdentityTokenLoginModule extends AbstractServerLoginModule {

    /**
     * The login identity
     */
    private Principal identity;
    /**
     * The proof of login identity
     */
    private SASCurrent credential;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
    }

    @Override
    @SuppressWarnings("unchecked")
    public boolean login() throws LoginException {
        // See if shared credentials exist
        if (super.login() == true) {
            // Setup our view of the user
            Object username = sharedState.get("javax.security.auth.login.name");
            if (username instanceof Principal)
                identity = (Principal) username;
            else {
                String name = username.toString();
                try {
                    identity = createIdentity(name);
                } catch (Exception e) {
                    LoginException le = new LoginException();
                    le.initCause(e);
                    throw le;
                }
            }
            return true;
        }

        super.loginOk = false;

        if (callbackHandler == null) {
            throw new LoginException();
        }

        SecurityAssociationCallback callback = new SecurityAssociationCallback();
        Callback[] callbacks = {callback};
        final String username;
        try {
            callbackHandler.handle(callbacks);
            username = callback.getPrincipal().getName();
            final Object c = callback.getCredential();
            if (c instanceof SASCurrent) {
                credential = (SASCurrent) c;
            } else {
                return false;
            }

        } catch (IOException e) {
            LoginException le = new LoginException();
            le.initCause(e);
            throw le;
        } catch (UnsupportedCallbackException e) {
            LoginException le = new LoginException();
            le.initCause(e);
            throw le;
        }

        validateCredential(username, credential);

        if (username == null) {
            return false;
        }

        if (identity == null) {
            try {
                identity = createIdentity(username);
            } catch (Exception e) {
                LoginException le = new LoginException();
                le.initCause(e);
                throw le;
            }
        }

        if (getUseFirstPass() == true) {    // Add the principal to the shared state map
            sharedState.put("javax.security.auth.login.name", identity);
            sharedState.put("javax.security.auth.login.password", credential);
        }
        super.loginOk = true;
        return true;
    }


    /**
     * Validates the credential. Unfortunately there is not much we can do here by default.
     * <p/>
     * This method can be overridden to provide some real validation logic
     *
     * @param username   The username
     * @param credential The SASCurrent.
     */
    protected void validateCredential(final String username, final SASCurrent credential) throws LoginException {
        if (credential.get_incoming_principal_name() == null ||
                credential.get_incoming_principal_name().length == 0) {
            throw new LoginException();
        }
    }

    @Override
    protected Principal getIdentity() {
        return identity;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        return new Group[0];
    }

    @Override
    protected Principal getUnauthenticatedIdentity() {
        return unauthenticatedIdentity;
    }

    protected String getUsername() {
        String username = null;
        if (getIdentity() != null)
            username = getIdentity().getName();
        return username;
    }

    protected void safeClose(InputStream fis) {
        try {
            if (fis != null) {
                fis.close();
            }
        } catch (Exception e) {
        }
    }

}