001/* 002 Licensed to the Apache Software Foundation (ASF) under one 003 or more contributor license agreements. See the NOTICE file 004 distributed with this work for additional information 005 regarding copyright ownership. The ASF licenses this file 006 to you under the Apache License, Version 2.0 (the 007 "License"); you may not use this file except in compliance 008 with the License. You may obtain a copy of the License at 009 010 http://www.apache.org/licenses/LICENSE-2.0 011 012 Unless required by applicable law or agreed to in writing, 013 software distributed under the License is distributed on an 014 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 KIND, either express or implied. See the License for the 016 specific language governing permissions and limitations 017 under the License. 018 */ 019package org.apache.wiki.auth; 020 021import org.apache.logging.log4j.LogManager; 022import org.apache.logging.log4j.Logger; 023import org.apache.wiki.api.core.Engine; 024import org.apache.wiki.api.core.Session; 025import org.apache.wiki.api.exceptions.WikiException; 026import org.apache.wiki.api.spi.Wiki; 027import org.apache.wiki.auth.authorize.WebAuthorizer; 028import org.apache.wiki.auth.authorize.WebContainerAuthorizer; 029import org.apache.wiki.auth.login.AnonymousLoginModule; 030import org.apache.wiki.auth.login.CookieAssertionLoginModule; 031import org.apache.wiki.auth.login.CookieAuthenticationLoginModule; 032import org.apache.wiki.auth.login.UserDatabaseLoginModule; 033import org.apache.wiki.auth.login.WebContainerCallbackHandler; 034import org.apache.wiki.auth.login.WebContainerLoginModule; 035import org.apache.wiki.auth.login.WikiCallbackHandler; 036import org.apache.wiki.event.WikiEventListener; 037import org.apache.wiki.event.WikiEventManager; 038import org.apache.wiki.event.WikiSecurityEvent; 039import org.apache.wiki.util.ClassUtil; 040import org.apache.wiki.util.TextUtil; 041import org.apache.wiki.util.TimedCounterList; 042 043import javax.security.auth.Subject; 044import javax.security.auth.callback.CallbackHandler; 045import javax.security.auth.login.LoginException; 046import javax.security.auth.spi.LoginModule; 047import javax.servlet.http.HttpServletRequest; 048import javax.servlet.http.HttpSession; 049import java.security.Principal; 050import java.util.Collections; 051import java.util.HashMap; 052import java.util.HashSet; 053import java.util.Map; 054import java.util.Properties; 055import java.util.Set; 056 057 058/** 059 * Default implementation for {@link AuthenticationManager} 060 * 061 * {@inheritDoc} 062 * 063 * @since 2.3 064 */ 065public class DefaultAuthenticationManager implements AuthenticationManager { 066 067 /** How many milliseconds the logins are stored before they're cleaned away. */ 068 private static final long LASTLOGINS_CLEANUP_TIME = 10 * 60 * 1_000L; // Ten minutes 069 070 private static final long MAX_LOGIN_DELAY = 20 * 1_000L; // 20 seconds 071 072 private static final Logger LOG = LogManager.getLogger( DefaultAuthenticationManager.class ); 073 074 /** Empty Map passed to JAAS {@link #doJAASLogin(Class, CallbackHandler, Map)} method. */ 075 protected static final Map< String, String > EMPTY_MAP = Collections.unmodifiableMap( new HashMap<>() ); 076 077 /** Class (of type LoginModule) to use for custom authentication. */ 078 protected Class< ? extends LoginModule > m_loginModuleClass = UserDatabaseLoginModule.class; 079 080 /** Options passed to {@link LoginModule#initialize(Subject, CallbackHandler, Map, Map)}; 081 * initialized by {@link #initialize(Engine, Properties)}. */ 082 protected final Map< String, String > m_loginModuleOptions = new HashMap<>(); 083 084 /** The default {@link LoginModule} class name to use for custom authentication. */ 085 private static final String DEFAULT_LOGIN_MODULE = "org.apache.wiki.auth.login.UserDatabaseLoginModule"; 086 087 /** Empty principal set. */ 088 private static final Set<Principal> NO_PRINCIPALS = new HashSet<>(); 089 090 /** Static Boolean for lazily-initializing the "allows assertions" flag */ 091 private boolean m_allowsCookieAssertions = true; 092 093 private boolean m_throttleLogins = true; 094 095 /** Static Boolean for lazily-initializing the "allows cookie authentication" flag */ 096 private boolean m_allowsCookieAuthentication; 097 098 private Engine m_engine; 099 100 /** If true, logs the IP address of the editor */ 101 private boolean m_storeIPAddress = true; 102 103 /** Keeps a list of the usernames who have attempted a login recently. */ 104 private final TimedCounterList< String > m_lastLoginAttempts = new TimedCounterList<>(); 105 106 /** 107 * {@inheritDoc} 108 */ 109 @Override 110 public void initialize( final Engine engine, final Properties props ) throws WikiException { 111 m_engine = engine; 112 m_storeIPAddress = TextUtil.getBooleanProperty( props, PROP_STOREIPADDRESS, m_storeIPAddress ); 113 114 // Should we allow cookies for assertions? (default: yes) 115 m_allowsCookieAssertions = TextUtil.getBooleanProperty( props, PROP_ALLOW_COOKIE_ASSERTIONS,true ); 116 117 // Should we allow cookies for authentication? (default: no) 118 m_allowsCookieAuthentication = TextUtil.getBooleanProperty( props, PROP_ALLOW_COOKIE_AUTH, false ); 119 120 // Should we throttle logins? (default: yes) 121 m_throttleLogins = TextUtil.getBooleanProperty( props, PROP_LOGIN_THROTTLING, true ); 122 123 // Look up the LoginModule class 124 final String loginModuleClassName = TextUtil.getStringProperty( props, PROP_LOGIN_MODULE, DEFAULT_LOGIN_MODULE ); 125 try { 126 m_loginModuleClass = ClassUtil.findClass( "", loginModuleClassName ); 127 } catch( final ClassNotFoundException e ) { 128 LOG.error( e.getMessage(), e ); 129 throw new WikiException( "Could not instantiate LoginModule class.", e ); 130 } 131 132 // Initialize the LoginModule options 133 initLoginModuleOptions( props ); 134 } 135 136 /** 137 * {@inheritDoc} 138 */ 139 @Override 140 public boolean isContainerAuthenticated() { 141 try { 142 final Authorizer authorizer = m_engine.getManager( AuthorizationManager.class ).getAuthorizer(); 143 if ( authorizer instanceof WebContainerAuthorizer ) { 144 return ( ( WebContainerAuthorizer )authorizer ).isContainerAuthorized(); 145 } 146 } catch ( final WikiException e ) { 147 // It's probably ok to fail silently... 148 } 149 return false; 150 } 151 152 /** 153 * {@inheritDoc} 154 */ 155 @Override 156 public boolean login( final HttpServletRequest request ) throws WikiSecurityException { 157 final HttpSession httpSession = request.getSession(); 158 final Session session = SessionMonitor.getInstance( m_engine ).find( httpSession ); 159 final AuthenticationManager authenticationMgr = m_engine.getManager( AuthenticationManager.class ); 160 final AuthorizationManager authorizationMgr = m_engine.getManager( AuthorizationManager.class ); 161 CallbackHandler handler = null; 162 final Map< String, String > options = EMPTY_MAP; 163 164 // If user not authenticated, check if container logged them in, or if there's an authentication cookie 165 if ( !session.isAuthenticated() ) { 166 // Create a callback handler 167 handler = new WebContainerCallbackHandler( m_engine, request ); 168 169 // Execute the container login module, then (if that fails) the cookie auth module 170 Set< Principal > principals = authenticationMgr.doJAASLogin( WebContainerLoginModule.class, handler, options ); 171 if ( principals.size() == 0 && authenticationMgr.allowsCookieAuthentication() ) { 172 principals = authenticationMgr.doJAASLogin( CookieAuthenticationLoginModule.class, handler, options ); 173 } 174 175 // If the container logged the user in successfully, tell the Session (and add all the Principals) 176 if ( principals.size() > 0 ) { 177 fireEvent( WikiSecurityEvent.LOGIN_AUTHENTICATED, getLoginPrincipal( principals ), session ); 178 for( final Principal principal : principals ) { 179 fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, principal, session ); 180 } 181 182 // Add all appropriate Authorizer roles 183 injectAuthorizerRoles( session, authorizationMgr.getAuthorizer(), request ); 184 } 185 } 186 187 // If user still not authenticated, check if assertion cookie was supplied 188 if ( !session.isAuthenticated() && authenticationMgr.allowsCookieAssertions() ) { 189 // Execute the cookie assertion login module 190 final Set< Principal > principals = authenticationMgr.doJAASLogin( CookieAssertionLoginModule.class, handler, options ); 191 if ( principals.size() > 0 ) { 192 fireEvent( WikiSecurityEvent.LOGIN_ASSERTED, getLoginPrincipal( principals ), session); 193 } 194 } 195 196 // If user still anonymous, use the remote address 197 if( session.isAnonymous() ) { 198 final Set< Principal > principals = authenticationMgr.doJAASLogin( AnonymousLoginModule.class, handler, options ); 199 if( principals.size() > 0 ) { 200 fireEvent( WikiSecurityEvent.LOGIN_ANONYMOUS, getLoginPrincipal( principals ), session ); 201 return true; 202 } 203 } 204 205 // If by some unusual turn of events the Anonymous login module doesn't work, login failed! 206 return false; 207 } 208 209 /** 210 * {@inheritDoc} 211 */ 212 @Override 213 public boolean login( final Session session, final HttpServletRequest request, final String username, final String password ) throws WikiSecurityException { 214 if ( session == null ) { 215 LOG.error( "No wiki session provided, cannot log in." ); 216 return false; 217 } 218 219 // Protect against brute-force password guessing if configured to do so 220 if ( m_throttleLogins ) { 221 delayLogin( username ); 222 } 223 224 final CallbackHandler handler = new WikiCallbackHandler( m_engine, null, username, password ); 225 226 // Execute the user's specified login module 227 final Set< Principal > principals = doJAASLogin( m_loginModuleClass, handler, m_loginModuleOptions ); 228 if( principals.size() > 0 ) { 229 fireEvent(WikiSecurityEvent.LOGIN_AUTHENTICATED, getLoginPrincipal( principals ), session ); 230 for ( final Principal principal : principals ) { 231 fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, principal, session ); 232 } 233 234 // Add all appropriate Authorizer roles 235 injectAuthorizerRoles( session, m_engine.getManager( AuthorizationManager.class ).getAuthorizer(), null ); 236 237 return true; 238 } 239 return false; 240 } 241 242 /** 243 * This method builds a database of login names that are being attempted, and will try to delay if there are too many requests coming 244 * in for the same username. 245 * <p> 246 * The current algorithm uses 2^loginattempts as the delay in milliseconds, i.e. at 10 login attempts it'll add 1.024 seconds to the login. 247 * 248 * @param username The username that is being logged in 249 */ 250 private void delayLogin( final String username ) { 251 try { 252 m_lastLoginAttempts.cleanup( LASTLOGINS_CLEANUP_TIME ); 253 final int count = m_lastLoginAttempts.count( username ); 254 255 final long delay = Math.min( 1L << count, MAX_LOGIN_DELAY ); 256 LOG.debug( "Sleeping for " + delay + " ms to allow login." ); 257 Thread.sleep( delay ); 258 259 m_lastLoginAttempts.add( username ); 260 } catch( final InterruptedException e ) { 261 // FALLTHROUGH is fine 262 } 263 } 264 265 /** 266 * {@inheritDoc} 267 */ 268 @Override 269 public void logout( final HttpServletRequest request ) { 270 if( request == null ) { 271 LOG.error( "No HTTP reqest provided; cannot log out." ); 272 return; 273 } 274 275 final HttpSession session = request.getSession(); 276 final String sid = ( session == null ) ? "(null)" : session.getId(); 277 LOG.debug( "Invalidating Session for session ID= {}", sid ); 278 // Retrieve the associated Session and clear the Principal set 279 final Session wikiSession = Wiki.session().find( m_engine, request ); 280 final Principal originalPrincipal = wikiSession.getLoginPrincipal(); 281 wikiSession.invalidate(); 282 283 // Remove the wikiSession from the WikiSession cache 284 Wiki.session().remove( m_engine, request ); 285 286 // We need to flush the HTTP session too 287 if( session != null ) { 288 session.invalidate(); 289 } 290 291 // Log the event 292 fireEvent( WikiSecurityEvent.LOGOUT, originalPrincipal, null ); 293 } 294 295 /** 296 * {@inheritDoc} 297 */ 298 @Override 299 public boolean allowsCookieAssertions() { 300 return m_allowsCookieAssertions; 301 } 302 303 /** 304 * {@inheritDoc} 305 */ 306 @Override 307 public boolean allowsCookieAuthentication() { 308 return m_allowsCookieAuthentication; 309 } 310 311 /** 312 * {@inheritDoc} 313 */ 314 @Override 315 public Set< Principal > doJAASLogin( final Class< ? extends LoginModule > clazz, 316 final CallbackHandler handler, 317 final Map< String, String > options ) throws WikiSecurityException { 318 // Instantiate the login module 319 final LoginModule loginModule; 320 try { 321 loginModule = ClassUtil.buildInstance( clazz ); 322 } catch( final ReflectiveOperationException e ) { 323 throw new WikiSecurityException( e.getMessage(), e ); 324 } 325 326 // Initialize the LoginModule 327 final Subject subject = new Subject(); 328 loginModule.initialize( subject, handler, EMPTY_MAP, options ); 329 330 // Try to log in: 331 boolean loginSucceeded = false; 332 boolean commitSucceeded = false; 333 try { 334 loginSucceeded = loginModule.login(); 335 if( loginSucceeded ) { 336 commitSucceeded = loginModule.commit(); 337 } 338 } catch( final LoginException e ) { 339 // Login or commit failed! No principal for you! 340 } 341 342 // If we successfully logged in & committed, return all the principals 343 if( loginSucceeded && commitSucceeded ) { 344 return subject.getPrincipals(); 345 } 346 return NO_PRINCIPALS; 347 } 348 349 // events processing ....................................................... 350 351 /** 352 * {@inheritDoc} 353 */ 354 @Override 355 public synchronized void addWikiEventListener( final WikiEventListener listener ) { 356 WikiEventManager.addWikiEventListener( this, listener ); 357 } 358 359 /** 360 * {@inheritDoc} 361 */ 362 @Override 363 public synchronized void removeWikiEventListener( final WikiEventListener listener ) { 364 WikiEventManager.removeWikiEventListener( this, listener ); 365 } 366 367 /** 368 * Initializes the options Map supplied to the configured LoginModule every time it is invoked. The properties and values extracted from 369 * <code>jspwiki.properties</code> are of the form <code>jspwiki.loginModule.options.<var>param</var> = <var>value</var>, where 370 * <var>param</var> is the key name, and <var>value</var> is the value. 371 * 372 * @param props the properties used to initialize JSPWiki 373 * @throws IllegalArgumentException if any of the keys are duplicated 374 */ 375 private void initLoginModuleOptions( final Properties props ) { 376 for( final Object key : props.keySet() ) { 377 final String propName = key.toString(); 378 if( propName.startsWith( PREFIX_LOGIN_MODULE_OPTIONS ) ) { 379 // Extract the option name and value 380 final String optionKey = propName.substring( PREFIX_LOGIN_MODULE_OPTIONS.length() ).trim(); 381 if( !optionKey.isEmpty() ) { 382 final String optionValue = props.getProperty( propName ); 383 384 // Make sure the key is unique before stashing the key/value pair 385 if ( m_loginModuleOptions.containsKey( optionKey ) ) { 386 throw new IllegalArgumentException( "JAAS LoginModule key " + propName + " cannot be specified twice!" ); 387 } 388 m_loginModuleOptions.put( optionKey, optionValue ); 389 } 390 } 391 } 392 } 393 394 /** 395 * After successful login, this method is called to inject authorized role Principals into the Session. To determine which roles 396 * should be injected, the configured Authorizer is queried for the roles it knows about by calling {@link Authorizer#getRoles()}. 397 * Then, each role returned by the authorizer is tested by calling {@link Authorizer#isUserInRole(Session, Principal)}. If this 398 * check fails, and the Authorizer is of type WebAuthorizer, the role is checked again by calling 399 * {@link WebAuthorizer#isUserInRole(HttpServletRequest, Principal)}). Any roles that pass the test are injected into the Subject by 400 * firing appropriate authentication events. 401 * 402 * @param session the user's current Session 403 * @param authorizer the Engine's configured Authorizer 404 * @param request the user's HTTP session, which may be <code>null</code> 405 */ 406 private void injectAuthorizerRoles( final Session session, final Authorizer authorizer, final HttpServletRequest request ) { 407 // Test each role the authorizer knows about 408 for( final Principal role : authorizer.getRoles() ) { 409 // Test the Authorizer 410 if( authorizer.isUserInRole( session, role ) ) { 411 fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, role, session ); 412 LOG.debug( "Added authorizer role {}.", role.getName() ); 413 // If web authorizer, test the request.isInRole() method also 414 } else if ( request != null && authorizer instanceof WebAuthorizer ) { 415 final WebAuthorizer wa = ( WebAuthorizer )authorizer; 416 if ( wa.isUserInRole( request, role ) ) { 417 fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, role, session ); 418 LOG.debug( "Added container role {}.",role.getName() ); 419 } 420 } 421 } 422 } 423 424}