Implement #421

hawtio · Jul 29, 2013 · 30f3d62 · 30f3d62
1 parent 887f657
commit 30f3d62
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 26 deletions.
diff --git a/hawtio-web/src/main/java/io/hawt/HawtioContextListener.java b/hawtio-web/src/main/java/io/hawt/HawtioContextListener.java
@@ -20,10 +20,12 @@ public void contextInitialized(ServletContextEvent servletContextEvent) {
 
         String realm = System.getProperty("hawtio.realm", "karaf");
         String role = System.getProperty("hawtio.role", "admin");
+        String rolePrincipalClasses = System.getProperty("hawtio.rolePrincipalClasses", "org.apache.karaf.jaas.boot.principal.RolePrincipal");
         Boolean authEnabled = Boolean.valueOf(System.getProperty("hawtio.authenticationEnabled", "true"));
 
         servletContextEvent.getServletContext().setAttribute("realm", realm);
         servletContextEvent.getServletContext().setAttribute("role", role);
+        servletContextEvent.getServletContext().setAttribute("rolePrincipalClasses", rolePrincipalClasses);
         servletContextEvent.getServletContext().setAttribute("authEnabled", authEnabled);
 
         try {

diff --git a/hawtio-web/src/main/java/io/hawt/system/Authenticator.java b/hawtio-web/src/main/java/io/hawt/system/Authenticator.java
@@ -49,7 +49,7 @@ public static void extractAuthInfo(String authHeader, ExtractAuthInfoCallback cb
 
     }
 
-    public static AuthenticateResult authenticate(String realm, String role, HttpServletRequest request) {
+    public static AuthenticateResult authenticate(String realm, String role, String rolePrincipalClasses, HttpServletRequest request) {
 
         String authHeader = request.getHeader(HEADER_AUTHORIZATION);
 
@@ -73,27 +73,19 @@ public void getAuthInfo(String userName, String password) {
 
         if (info.set()) {
 
-            Subject subject = doAuthenticate(realm, role, info.username, info.password);
+            Subject subject = doAuthenticate(realm, role, rolePrincipalClasses, info.username, info.password);
             if (subject == null) {
                 return AuthenticateResult.NOT_AUTHORIZED;
             }
 
             SubjectThreadLocal.put(subject);
-
-            /*
-            HttpSession session = request.getSession(true);
-            session.setAttribute("user", user);
-            session.setAttribute("org.osgi.service.http.authentication.remote.user", user);
-            session.setAttribute("org.osgi.service.http.authentication.type", HttpServletRequest.BASIC_AUTH);
-            */
             return AuthenticateResult.AUTHORIZED;
         }
 
-
         return AuthenticateResult.NO_CREDENTIALS;
     }
 
-    private static Subject doAuthenticate(String realm, String role, final String username, final String password) {
+    private static Subject doAuthenticate(String realm, String role,  String rolePrincipalClasses, final String username, final String password) {
         try {
 
             Subject subject = new Subject();
@@ -113,19 +105,25 @@ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallback
             });
             loginContext.login();
 
-            if (role != null && role.length() > 0) {
-                String clazz = "org.apache.karaf.jaas.boot.principal.RolePrincipal";
-                String name = role;
-                int idx = role.indexOf(':');
-                if (idx > 0) {
-                    clazz = role.substring(0, idx);
-                    name = role.substring(idx + 1);
-                }
+            if (role != null && role.length() > 0 && rolePrincipalClasses != null && rolePrincipalClasses.length() > 0) {
+
+                String[] rolePrincipalClazzes = rolePrincipalClasses.split(",");
                 boolean found = false;
-                for (Principal p : subject.getPrincipals()) {
-                    if (p.getClass().getName().equals(clazz)
-                            && p.getName().equals(name)) {
-                        found = true;
+                for (String clazz : rolePrincipalClazzes) {
+                    String name = role;
+                    int idx = role.indexOf(':');
+                    if (idx > 0) {
+                        clazz = role.substring(0, idx);
+                        name = role.substring(idx + 1);
+                    }
+                    for (Principal p : subject.getPrincipals()) {
+                        if (p.getClass().getName().equals(clazz.trim())
+                                && p.getName().equals(name)) {
+                            found = true;
+                            break;
+                        }
+                    }
+                    if (found) {
                         break;
                     }
                 }

diff --git a/hawtio-web/src/main/java/io/hawt/web/AuthenticationFilter.java b/hawtio-web/src/main/java/io/hawt/web/AuthenticationFilter.java
@@ -21,19 +21,21 @@ public class AuthenticationFilter implements Filter {
     private String realm;
     private String role;
     private boolean enabled;
+    private String rolePrincipalClasses;
 
 
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
         realm = (String) filterConfig.getServletContext().getAttribute("realm");
         role = (String) filterConfig.getServletContext().getAttribute("role");
+        rolePrincipalClasses = (String) filterConfig.getServletContext().getAttribute("rolePrincipalClasses");
         enabled = (Boolean) filterConfig.getServletContext().getAttribute("authEnabled");
 
         if (enabled) {
-            LOG.info("Starting hawtio authentication filter, authentication realm: \"" + realm + "\" authorized role: \"" + role + "\"");
+            LOG.info("Starting hawtio authentication filter, JAAS realm: \"" + realm + "\" authorized role: \"" + role + "\"" + " role principal classes: \"" + rolePrincipalClasses + "\"");
         } else {
-            LOG.info("Starting hawtio authentication filter, authentication disabled");
+            LOG.info("Starting hawtio authentication filter, JAAS authentication disabled");
         }
 
     }
@@ -64,7 +66,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 
         if (doAuthenticate) {
             LOG.debug("Doing authentication and authorization for path {}", path);
-            switch (Authenticator.authenticate(realm, role, httpRequest)) {
+            switch (Authenticator.authenticate(realm, role, rolePrincipalClasses, httpRequest)) {
                 case AUTHORIZED:
                     chain.doFilter(request, response);
                     break;