/*
* Copyright 2005 JBoss Inc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.drools.guvnor.server.security;
import java.util.List;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.drools.core.util.KeyStoreHelper;
import org.drools.guvnor.client.configurations.Capability;
import org.drools.guvnor.client.rpc.SecurityService;
import org.drools.guvnor.client.rpc.UserSecurityContext;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* This implements security related services.
*/
@ApplicationScoped
public class SecurityServiceImpl
implements
SecurityService {
public static final String GUEST_LOGIN = "guest";
private static final Logger log = LoggerFactory.getLogger( SecurityServiceImpl.class );
private static final String[] serializationProperties = new String[]{
KeyStoreHelper.PROP_PVT_KS_URL,
KeyStoreHelper.PROP_PVT_KS_PWD,
KeyStoreHelper.PROP_PVT_ALIAS,
KeyStoreHelper.PROP_PVT_PWD,
KeyStoreHelper.PROP_PUB_KS_URL,
KeyStoreHelper.PROP_PUB_KS_PWD
};
@Inject
private RoleBasedPermissionManager roleBasedPermissionManager;
@Inject
private RoleBasedPermissionResolver roleBasedPermissionResolver;
@Inject
private Identity identity;
@Inject
private Credentials credentials;
public boolean login(String userName,
String password) {
if ( userName == null || userName.trim().equals( "" ) ) {
userName = "admin";
}
log.info( "Logging in user [" + userName + "]" );
// Check for banned characters in user name
// These will cause the session to jam if you let them go further
char[] bannedChars = {'\'', '*', '[', ']'};
for ( char bannedChar : bannedChars ) {
if ( userName.indexOf( bannedChar ) >= 0 ) {
log.error( "Not a valid name character " + bannedChar );
return false;
}
}
credentials.setUsername( userName );
credentials.setCredential( new org.picketlink.idm.impl.api.PasswordCredential( password ) );
identity.login();
if ( !identity.isLoggedIn() ) {
log.error( "Unable to login." );
}
return identity.isLoggedIn();
}
public void logout() {
identity.logout();
}
public UserSecurityContext getCurrentUser() {
tryAutoLoginAsGuest();
final String userName = identity.isLoggedIn() ? credentials.getUsername() : null;
final boolean isAdministrator = userName == null ? false : getUserCapabilities().contains( Capability.SHOW_ADMIN );
return new UserSecurityContext( userName,
isAdministrator );
}
private void tryAutoLoginAsGuest() {
if ( !identity.isLoggedIn() ) {
// Note: the DemoAuthenticator upgrades guest to admin
credentials.setUsername( GUEST_LOGIN );
identity.login();
}
}
public List<Capability> getUserCapabilities() {
if ( identity.hasRole( RoleType.ADMIN.getName(),
null,
null ) ) {
return CapabilityCalculator.grantAllCapabilities();
}
if ( !roleBasedPermissionResolver.isEnableRoleBasedAuthorization() ) {
return CapabilityCalculator.grantAllCapabilities();
}
List<RoleBasedPermission> permissions = roleBasedPermissionManager.getRoleBasedPermission();
if ( permissions.size() == 0 ) {
identity.logout();
throw new AuthorizationException( "This user has no permissions setup." );
}
if ( invalidSecuritySerializationSetup() ) {
identity.logout();
throw new AuthorizationException( " Configuration error - Please refer to the Administration Guide section on installation. You must configure a key store before proceding. " );
}
return new CapabilityCalculator().calcCapabilities( permissions );
}
private boolean invalidSecuritySerializationSetup() {
String serializationSign = System.getProperty( "drools.serialization.sign" );
if ( serializationSign != null && serializationSign.equalsIgnoreCase( "true" ) ) {
for ( String nextProp : serializationProperties ) {
String nextPropVal = System.getProperty( nextProp );
if ( nextPropVal == null || nextPropVal.trim().equals( "" ) ) {
return true;
}
}
}
return false;
}
}