1. /*

  2.  * @(#)NTLoginModule.java	1.8 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package com.sun.security.auth.module;

  9. 

  10. import java.util.*;

  11. import java.io.IOException;

  12. import javax.security.auth.*;

  13. import javax.security.auth.callback.*;

  14. import javax.security.auth.login.*;

  15. import javax.security.auth.spi.*;

  16. import com.sun.security.auth.NTUserPrincipal;

  17. import com.sun.security.auth.NTSidUserPrincipal;

  18. import com.sun.security.auth.NTDomainPrincipal;

  19. import com.sun.security.auth.NTSidDomainPrincipal;

  20. import com.sun.security.auth.NTSidPrimaryGroupPrincipal;

  21. import com.sun.security.auth.NTSidGroupPrincipal;

  22. import com.sun.security.auth.NTNumericCredential;

  23. 

  24. /**

  25.  * <p> This <code>LoginModule</code>

  26.  * renders a user's NT security information as some number of

  27.  * <code>Principal</code>s

  28.  * and associates them with a <code>Subject</code>.

  29.  *

  30.  * <p> This LoginModule recognizes the debug option.

  31.  * If set to true in the login Configuration,

  32.  * debug messages will be output to the output stream, System.out.

  33.  *

  34.  * <p> This LoginModule also recognizes the debugNative option.

  35.  * If set to true in the login Configuration,

  36.  * debug messages from the native component of the module

  37.  * will be output to the output stream, System.out.

  38.  *

  39.  * @version 1.8, 01/23/03

  40.  * @see javax.security.auth.spi.LoginModule

  41.  */

  42. public class NTLoginModule implements LoginModule {

  43. 

  44.     private NTSystem ntSystem;

  45. 

  46.     // initial state

  47.     private Subject subject;

  48.     private CallbackHandler callbackHandler;

  49.     private Map sharedState;

  50.     private Map options;

  51. 

  52.     // configurable option

  53.     private boolean debug = false;

  54.     private boolean debugNative = false;

  55. 

  56.     // the authentication status

  57.     private boolean succeeded = false;

  58.     private boolean commitSucceeded = false;

  59. 

  60.     private NTUserPrincipal userPrincipal;		// user name

  61.     private NTSidUserPrincipal userSID;			// user SID

  62.     private NTDomainPrincipal userDomain;		// user domain

  63.     private NTSidDomainPrincipal domainSID;		// domain SID

  64.     private NTSidPrimaryGroupPrincipal primaryGroup;	// primary group

  65.     private NTSidGroupPrincipal groups[];		// supplementary groups

  66.     private NTNumericCredential iToken;			// impersonation token

  67. 

  68.     /**

  69.      * Initialize this <code>LoginModule</code>.

  70.      *

  71.      * <p>

  72.      *

  73.      * @param subject the <code>Subject</code> to be authenticated. <p>

  74.      *

  75.      * @param callbackHandler a <code>CallbackHandler</code> for communicating

  76.      *		with the end user (prompting for usernames and

  77.      *		passwords, for example). This particular LoginModule only

  78.      *          extracts the underlying NT system information, so this

  79.      *          parameter is ignored.<p>

  80.      *

  81.      * @param sharedState shared <code>LoginModule</code> state. <p>

  82.      *

  83.      * @param options options specified in the login

  84.      *			<code>Configuration</code> for this particular

  85.      *			<code>LoginModule</code>.

  86.      */

  87.     public void initialize(Subject subject, CallbackHandler callbackHandler,

  88. 			Map sharedState, Map options) {

  89.  

  90. 	this.subject = subject;

  91. 	this.callbackHandler = callbackHandler;

  92. 	this.sharedState = sharedState;

  93. 	this.options = options;

  94. 

  95. 	// initialize any configured options

  96. 	debug = "true".equalsIgnoreCase((String)options.get("debug"));

  97. 	debugNative="true".equalsIgnoreCase((String)options.get("debugNative"));

  98. 

  99. 	if (debugNative == true) {

  100. 	    debug = true;

  101. 	}

  102.     }

  103. 

  104.     /**

  105.      * Import underlying NT system identity information.

  106.      *

  107.      * <p>

  108.      *

  109.      * @return true in all cases since this <code>LoginModule</code>

  110.      *		should not be ignored.

  111.      *

  112.      * @exception FailedLoginException if the authentication fails. <p>

  113.      *

  114.      * @exception LoginException if this <code>LoginModule</code>

  115.      *		is unable to perform the authentication.

  116.      */

  117.     public boolean login() throws LoginException {

  118.         

  119. 	succeeded = false; // Indicate not yet successful

  120. 	

  121. 	ntSystem = new NTSystem(debugNative);

  122. 	if (ntSystem == null) {

  123. 	    if (debug) {

  124. 		System.out.println("\t\t[NTLoginModule] " +

  125. 				   "Failed in NT login");

  126. 	    }

  127. 	    throw new FailedLoginException

  128. 		("Failed in attempt to import the " +

  129. 		 "underlying NT system identity information");

  130. 	}

  131. 	

  132. 	if (ntSystem.getName() == null) {

  133. 	    throw new FailedLoginException

  134. 		("Failed in attempt to import the " +

  135. 		 "underlying NT system identity information");

  136. 	}

  137. 	userPrincipal = new NTUserPrincipal(ntSystem.getName());

  138. 	if (debug) {

  139. 	    System.out.println("\t\t[NTLoginModule] " +

  140. 			       "succeeded importing info: ");

  141. 	    System.out.println("\t\t\tuser name = " +

  142. 		userPrincipal.getName());

  143. 	}

  144. 

  145. 	if (ntSystem.getUserSID() != null) {

  146. 	    userSID = new NTSidUserPrincipal(ntSystem.getUserSID());

  147. 	    if (debug) {

  148. 		System.out.println("\t\t\tuser SID = " +

  149. 			userSID.getName());

  150. 	    }

  151. 	}

  152. 	if (ntSystem.getDomain() != null) {

  153. 	    userDomain = new NTDomainPrincipal(ntSystem.getDomain());

  154. 	    if (debug) {

  155. 		System.out.println("\t\t\tuser domain = " +

  156. 			userDomain.getName());

  157. 	    }

  158. 	}

  159. 	if (ntSystem.getDomainSID() != null) {

  160. 	    domainSID =

  161. 		new NTSidDomainPrincipal(ntSystem.getDomainSID());

  162. 	    if (debug) {

  163. 		System.out.println("\t\t\tuser domain SID = " +

  164. 			domainSID.getName());

  165. 	    }

  166. 	}

  167. 	if (ntSystem.getPrimaryGroupID() != null) {

  168. 	    primaryGroup = 

  169. 		new NTSidPrimaryGroupPrincipal(ntSystem.getPrimaryGroupID());

  170. 	    if (debug) {

  171. 		System.out.println("\t\t\tuser primary group = " +

  172. 			primaryGroup.getName());

  173. 	    }

  174. 	}

  175. 	if (ntSystem.getGroupIDs() != null &&

  176. 	    ntSystem.getGroupIDs().length > 0) {

  177. 

  178. 	    String groupSIDs[] = ntSystem.getGroupIDs();

  179. 	    groups = new NTSidGroupPrincipal[groupSIDs.length];

  180. 	    for (int i = 0; i < groupSIDs.length; i++) {

  181. 		groups[i] = new NTSidGroupPrincipal(groupSIDs[i]);

  182. 		if (debug) {

  183. 		    System.out.println("\t\t\tuser group = " +

  184. 			groups[i].getName());

  185. 		}

  186. 	    }

  187. 	}

  188. 	if (ntSystem.getImpersonationToken() != 0) {

  189. 	    iToken = new NTNumericCredential(ntSystem.getImpersonationToken());

  190. 	    if (debug) {

  191. 		System.out.println("\t\t\timpersonation token = " +

  192. 			ntSystem.getImpersonationToken());

  193. 	    }

  194. 	}

  195. 

  196. 	succeeded = true;

  197. 	return succeeded;

  198.     }

  199.     

  200.     /**

  201.      * <p> This method is called if the LoginContext's

  202.      * overall authentication succeeded

  203.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules

  204.      * succeeded).

  205.      *

  206.      * <p> If this LoginModule's own authentication attempt

  207.      * succeeded (checked by retrieving the private state saved by the

  208.      * <code>login</code> method), then this method associates some

  209.      * number of various <code>Principal</code>s

  210.      * with the <code>Subject</code> located in the

  211.      * <code>LoginModuleContext</code>.  If this LoginModule's own

  212.      * authentication attempted failed, then this method removes

  213.      * any state that was originally saved.

  214.      *

  215.      * <p>

  216.      *

  217.      * @exception LoginException if the commit fails.

  218.      *

  219.      * @return true if this LoginModule's own login and commit

  220.      *		attempts succeeded, or false otherwise.

  221.      */

  222.     public boolean commit() throws LoginException {

  223. 	if (succeeded == false) {

  224. 	    if (debug) {

  225. 		System.out.println("\t\t[NTLoginModule]: " +

  226. 		    "did not add any Principals to Subject " +

  227. 		    "because own authentication failed.");

  228. 	    }

  229. 	    return false;

  230. 	} 

  231. 	if (subject.isReadOnly()) {

  232. 	    throw new LoginException ("Subject is ReadOnly");

  233. 	}

  234. 	Set principals = subject.getPrincipals();

  235. 

  236. 	// we must have a userPrincipal - everything else is optional

  237. 	if (!principals.contains(userPrincipal)) {

  238. 	    principals.add(userPrincipal);

  239. 	}

  240. 	if (userSID != null && !principals.contains(userSID)) {

  241. 	    principals.add(userSID);

  242. 	}

  243. 

  244. 	if (userDomain != null && !principals.contains(userDomain)) {

  245. 	    principals.add(userDomain);

  246. 	}

  247. 	if (domainSID != null && !principals.contains(domainSID)) {

  248. 	    principals.add(domainSID);

  249. 	}

  250. 

  251. 	if (primaryGroup != null && !principals.contains(primaryGroup)) {

  252. 	    principals.add(primaryGroup);

  253. 	}

  254. 	for (int i = 0; groups != null && i < groups.length; i++) {

  255. 	    if (!principals.contains(groups[i])) {

  256. 		principals.add(groups[i]);

  257. 	    }

  258. 	}

  259. 	

  260. 	Set pubCreds = subject.getPublicCredentials();

  261. 	if (iToken != null && !pubCreds.contains(iToken)) {

  262. 	    pubCreds.add(iToken);

  263. 	}

  264. 	commitSucceeded = true;

  265. 	return true;

  266.     }

  267. 

  268. 

  269.     /**

  270.      * <p> This method is called if the LoginContext's

  271.      * overall authentication failed.

  272.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules

  273.      * did not succeed).

  274.      *

  275.      * <p> If this LoginModule's own authentication attempt

  276.      * succeeded (checked by retrieving the private state saved by the

  277.      * <code>login</code> and <code>commit</code> methods),

  278.      * then this method cleans up any state that was originally saved.

  279.      *

  280.      * <p>

  281.      *

  282.      * @exception LoginException if the abort fails.

  283.      *

  284.      * @return false if this LoginModule's own login and/or commit attempts

  285.      *		failed, and true otherwise.

  286.      */

  287.     public boolean abort() throws LoginException {

  288. 	if (debug) {

  289. 	    System.out.println("\t\t[NTLoginModule]: " +

  290. 		"aborted authentication attempt");

  291. 	}

  292. 

  293. 	if (succeeded == false) {

  294. 	    return false;

  295. 	} else if (succeeded == true && commitSucceeded == false) {

  296. 	    ntSystem = null;

  297. 	    userPrincipal = null;

  298. 	    userSID = null;

  299. 	    userDomain = null;

  300. 	    domainSID = null;

  301. 	    primaryGroup = null;

  302. 	    groups = null;

  303. 	    iToken = null;

  304. 	    succeeded = false;

  305. 	} else {

  306. 	    // overall authentication succeeded and commit succeeded,

  307. 	    // but someone else's commit failed

  308. 	    logout();

  309. 	}

  310. 	return succeeded;

  311.     }

  312. 

  313.     /**

  314.      * Logout the user.

  315.      *

  316.      * <p> This method removes the <code>NTUserPrincipal</code>,

  317.      * <code>NTDomainPrincipal</code>, <code>NTSidUserPrincipal</code>,

  318.      * <code>NTSidDomainPrincipal</code>, <code>NTSidGroupPrincipal</code>s,

  319.      * and <code>NTSidPrimaryGroupPrincipal</code>

  320.      * that may have been added by the <code>commit</code> method.

  321.      *

  322.      * <p>

  323.      *

  324.      * @exception LoginException if the logout fails.

  325.      *

  326.      * @return true in all cases since this <code>LoginModule</code>

  327.      *          should not be ignored.

  328.      */

  329.     public boolean logout() throws LoginException {

  330. 

  331. 	if (subject.isReadOnly()) {

  332. 	    throw new LoginException ("Subject is ReadOnly");

  333. 	}

  334. 	Set principals = subject.getPrincipals();

  335. 	if (principals.contains(userPrincipal)) {

  336. 	    principals.remove(userPrincipal);

  337. 	}

  338. 	if (principals.contains(userSID)) {

  339. 	    principals.remove(userSID);

  340. 	}

  341. 	if (principals.contains(userDomain)) {

  342. 	    principals.remove(userDomain);

  343. 	}

  344. 	if (principals.contains(domainSID)) {

  345. 	    principals.remove(domainSID);

  346. 	}

  347. 	if (principals.contains(primaryGroup)) {

  348. 	    principals.remove(primaryGroup);

  349. 	}

  350. 	for (int i = 0; groups != null && i < groups.length; i++) {

  351. 	    if (principals.contains(groups[i])) {

  352. 		principals.remove(groups[i]);

  353. 	    }

  354. 	}

  355. 

  356. 	Set pubCreds = subject.getPublicCredentials();

  357. 	if (pubCreds.contains(iToken)) {

  358. 	    pubCreds.remove(iToken);

  359. 	}

  360. 	

  361. 	succeeded = false;

  362. 	commitSucceeded = false;

  363. 	userPrincipal = null;

  364. 	userDomain = null;

  365. 	userSID = null;

  366. 	domainSID = null;

  367. 	groups = null;

  368. 	primaryGroup = null;

  369. 	iToken = null;

  370. 	ntSystem = null;

  371. 		

  372. 	if (debug) {

  373. 		System.out.println("\t\t[NTLoginModule] " +

  374. 				"completed logout processing");

  375. 	}

  376. 	return true;

  377.     }

  378. }