1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16 package org.argeo.cms.auth;
17
18 import java.security.AccessController;
19 import java.util.Map;
20 import java.util.Set;
21
22 import javax.crypto.SecretKey;
23 import javax.crypto.SecretKeyFactory;
24 import javax.crypto.spec.PBEKeySpec;
25 import javax.crypto.spec.SecretKeySpec;
26 import javax.security.auth.Subject;
27 import javax.security.auth.callback.Callback;
28 import javax.security.auth.callback.CallbackHandler;
29 import javax.security.auth.callback.PasswordCallback;
30 import javax.security.auth.login.LoginException;
31 import javax.security.auth.spi.LoginModule;
32
33 import org.argeo.api.security.PBEKeySpecCallback;
34 import org.argeo.util.PasswordEncryption;
35
36
37 public class KeyringLoginModule implements LoginModule {
38 private Subject subject;
39 private CallbackHandler callbackHandler;
40 private SecretKey secretKey;
41
42 public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
43 Map<String, ?> options) {
44 this.subject = subject;
45 if (subject == null) {
46 subject = Subject.getSubject(AccessController.getContext());
47 }
48 this.callbackHandler = callbackHandler;
49 }
50
51 public boolean login() throws LoginException {
52
53
54
55 PasswordCallback pc = new PasswordCallback("Master password", false);
56 PBEKeySpecCallback pbeCb = new PBEKeySpecCallback();
57 Callback[] callbacks = { pc, pbeCb };
58 try {
59 callbackHandler.handle(callbacks);
60 char[] password = pc.getPassword();
61
62 SecretKeyFactory keyFac = SecretKeyFactory.getInstance(pbeCb.getSecretKeyFactory());
63 PBEKeySpec keySpec;
64 if (pbeCb.getKeyLength() != null)
65 keySpec = new PBEKeySpec(password, pbeCb.getSalt(), pbeCb.getIterationCount(), pbeCb.getKeyLength());
66 else
67 keySpec = new PBEKeySpec(password, pbeCb.getSalt(), pbeCb.getIterationCount());
68
69 String secKeyEncryption = pbeCb.getSecretKeyEncryption();
70 if (secKeyEncryption != null) {
71 SecretKey tmp = keyFac.generateSecret(keySpec);
72 secretKey = new SecretKeySpec(tmp.getEncoded(), secKeyEncryption);
73 } else {
74 secretKey = keyFac.generateSecret(keySpec);
75 }
76 } catch (Exception e) {
77 LoginException le = new LoginException("Cannot login keyring");
78 le.initCause(e);
79 throw le;
80 }
81 return true;
82 }
83
84 public boolean commit() throws LoginException {
85 if (secretKey != null) {
86 subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(SecretKey.class));
87 subject.getPrivateCredentials().add(secretKey);
88 }
89 return true;
90 }
91
92 public boolean abort() throws LoginException {
93 return true;
94 }
95
96 public boolean logout() throws LoginException {
97 Set<PasswordEncryption> pbes = subject.getPrivateCredentials(PasswordEncryption.class);
98 pbes.clear();
99 return true;
100 }
101
102 }