View Javadoc
1   /*
2    * Copyright (C) 2007-2012 Argeo GmbH
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *         http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.argeo.cms.auth;
17  
18  import java.security.AccessController;
19  import java.util.Map;
20  import java.util.Set;
21  
22  import javax.crypto.SecretKey;
23  import javax.crypto.SecretKeyFactory;
24  import javax.crypto.spec.PBEKeySpec;
25  import javax.crypto.spec.SecretKeySpec;
26  import javax.security.auth.Subject;
27  import javax.security.auth.callback.Callback;
28  import javax.security.auth.callback.CallbackHandler;
29  import javax.security.auth.callback.PasswordCallback;
30  import javax.security.auth.login.LoginException;
31  import javax.security.auth.spi.LoginModule;
32  
33  import org.argeo.api.security.PBEKeySpecCallback;
34  import org.argeo.util.PasswordEncryption;
35  
36  /** Adds a secret key to the private credentials */
37  public class KeyringLoginModule implements LoginModule {
38  	private Subject subject;
39  	private CallbackHandler callbackHandler;
40  	private SecretKey secretKey;
41  
42  	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
43  			Map<String, ?> options) {
44  		this.subject = subject;
45  		if (subject == null) {
46  			subject = Subject.getSubject(AccessController.getContext());
47  		}
48  		this.callbackHandler = callbackHandler;
49  	}
50  
51  	public boolean login() throws LoginException {
52  //		Set<SecretKey> pbes = subject.getPrivateCredentials(SecretKey.class);
53  //		if (pbes.size() > 0)
54  //			return true;
55  		PasswordCallback pc = new PasswordCallback("Master password", false);
56  		PBEKeySpecCallback pbeCb = new PBEKeySpecCallback();
57  		Callback[] callbacks = { pc, pbeCb };
58  		try {
59  			callbackHandler.handle(callbacks);
60  			char[] password = pc.getPassword();
61  
62  			SecretKeyFactory keyFac = SecretKeyFactory.getInstance(pbeCb.getSecretKeyFactory());
63  			PBEKeySpec keySpec;
64  			if (pbeCb.getKeyLength() != null)
65  				keySpec = new PBEKeySpec(password, pbeCb.getSalt(), pbeCb.getIterationCount(), pbeCb.getKeyLength());
66  			else
67  				keySpec = new PBEKeySpec(password, pbeCb.getSalt(), pbeCb.getIterationCount());
68  
69  			String secKeyEncryption = pbeCb.getSecretKeyEncryption();
70  			if (secKeyEncryption != null) {
71  				SecretKey tmp = keyFac.generateSecret(keySpec);
72  				secretKey = new SecretKeySpec(tmp.getEncoded(), secKeyEncryption);
73  			} else {
74  				secretKey = keyFac.generateSecret(keySpec);
75  			}
76  		} catch (Exception e) {
77  			LoginException le = new LoginException("Cannot login keyring");
78  			le.initCause(e);
79  			throw le;
80  		}
81  		return true;
82  	}
83  
84  	public boolean commit() throws LoginException {
85  		if (secretKey != null) {
86  			subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(SecretKey.class));
87  			subject.getPrivateCredentials().add(secretKey);
88  		}
89  		return true;
90  	}
91  
92  	public boolean abort() throws LoginException {
93  		return true;
94  	}
95  
96  	public boolean logout() throws LoginException {
97  		Set<PasswordEncryption> pbes = subject.getPrivateCredentials(PasswordEncryption.class);
98  		pbes.clear();
99  		return true;
100 	}
101 
102 }