@Override
protected Group[] getRoleSets() throws LoginException {
SimpleGroup roles = new SimpleGroup("Roles");
Group[] roleSets = {roles};
for (Role role : access.getUser().getRoles()) {
roles.addMember(new SimplePrincipal(role.getName()));
}
return roleSets;
}
@Override
protected boolean login(Request request, HttpServletResponse response) throws LoginException {
String tokenHeader = request.getHeader("X-Auth-Signed-Token");
if (tokenHeader == null) return false; // throw new LoginException("No X-Auth-Signed-Token");
// if we don't have a trust store, we'll just use the key store.
KeyStore keyStore = null;
if (domain != null) {
if (domain instanceof SecurityDomain) {
keyStore = ((SecurityDomain) domain).getKeyStore();
} else if (domain instanceof JSSESecurityDomain) {
keyStore = ((JSSESecurityDomain) domain).getKeyStore();
}
}
if (keyStore == null) throw new LoginException("No trust store found");
X509Certificate certificate = null;
try {
certificate = (X509Certificate) keyStore.getCertificate(skeletonKeyCertificateAlias);
} catch (KeyStoreException e) {
throw new LoginException("Could not get certificate from keyStore");
}
try {
PKCS7SignatureInput input = new PKCS7SignatureInput(tokenHeader);
if (input.verify(certificate) == false) throw new LoginException("Bad Signature");
access = (Access) input.getEntity(Access.class, MediaType.APPLICATION_JSON_TYPE);
} catch (LoginException le) {
throw le;
} catch (Exception e) {
throw new LoginException("Bad Token");
}
if (access.getToken().expired()) {
throw new LoginException("Token expired");
}
if (!projectId.equals(access.getToken().getProject().getId())) {
throw new LoginException("Token project id doesn't match");
}
this.loginOk = true;
return true;
}
@Override
protected Principal getIdentity() {
Principal principal = new UserPrincipal(access.getUser());
return principal;
}
