1. /*

  2.  * @(#)Configuration.java	1.55 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7.  

  8. package javax.security.auth.login;

  9. 

  10. import javax.security.auth.AuthPermission;

  11.  

  12. import java.io.*;

  13. import java.util.*;

  14. import java.net.URL;

  15. import java.security.PrivilegedActionException;

  16.  

  17. /**

  18.  * <p> This is an abstract class for representing the configuration of

  19.  * LoginModules under an application.  The <code>Configuration</code> specifies

  20.  * which LoginModules should be used for a particular application, and in what

  21.  * order the LoginModules should be invoked.

  22.  * This abstract class needs to be subclassed to provide an implementation

  23.  * which reads and loads the actual <code>Configuration</code>.

  24.  *

  25.  * <p> When the <code>LoginContext</code> needs to read the Configuration

  26.  * to determine which LoginModules are configured for a particular

  27.  * application, <i>appName</i>, it makes the following calls:

  28.  * <pre>

  29.  *	config = Configuration.getConfiguration();

  30.  *	entries = config.getAppConfigurationEntry(appName);

  31.  * </pre>

  32.  *

  33.  * <p> A login configuration contains the following information.

  34.  * Note that this example only represents the default syntax for the

  35.  * <code>Configuration</code>.  Subclass implementations of this class

  36.  * may implement alternative syntaxes and may retrieve the

  37.  * <code>Configuration</code> from any source such as files, databases,

  38.  * or servers.

  39.  *

  40.  * <pre>

  41.  *      Application {

  42.  *	      ModuleClass  Flag    ModuleOptions;

  43.  *	      ModuleClass  Flag    ModuleOptions;

  44.  *	      ModuleClass  Flag    ModuleOptions;

  45.  *      };

  46.  *      Application {

  47.  *	      ModuleClass  Flag    ModuleOptions;

  48.  *	      ModuleClass  Flag    ModuleOptions;

  49.  *      };

  50.  *      other {

  51.  *	      ModuleClass  Flag    ModuleOptions;

  52.  *	      ModuleClass  Flag    ModuleOptions;

  53.  *      };

  54.  * </pre>

  55.  *

  56.  * <p> Each entry in the <code>Configuration</code> is indexed via an

  57.  * application name, <i>Application</i>, and contains a list of

  58.  * LoginModules configured for that application.  Each <code>LoginModule</code>

  59.  * is specified via its fully qualified class name.

  60.  * Authentication proceeds down the module list in the exact order specified.

  61.  * If an application does not have specific entry,

  62.  * it defaults to the specific entry for "<i>other</i>".

  63.  *

  64.  * <p> The <i>Flag</i> value controls the overall behavior as authentication

  65.  * proceeds down the stack.  The following represents a description of the

  66.  * valid values for <i>Flag</i> and their respective semantics:

  67.  *

  68.  * <pre>

  69.  *      1) Required     - The <code>LoginModule</code> is required to succeed.

  70.  *			If it succeeds or fails, authentication still continues

  71.  *			to proceed down the <code>LoginModule</code> list.

  72.  *

  73.  *      2) Requisite    - The <code>LoginModule</code> is required to succeed.

  74.  *			If it succeeds, authentication continues down the

  75.  *			<code>LoginModule</code> list.  If it fails,

  76.  *			control immediately returns to the application

  77.  *			(authentication does not proceed down the

  78.  *			<code>LoginModule</code> list).

  79.  *

  80.  *      3) Sufficient   - The <code>LoginModule</code> is not required to

  81.  *			succeed.  If it does succeed, control immediately

  82.  *			returns to the application (authentication does not

  83.  *			proceed down the <code>LoginModule</code> list).

  84.  *			If it fails, authentication continues down the

  85.  *			<code>LoginModule</code> list.

  86.  *

  87.  *      4) Optional     - The <code>LoginModule</code> is not required to

  88.  *			succeed.  If it succeeds or fails,

  89.  *			authentication still continues to proceed down the

  90.  *			<code>LoginModule</code> list.

  91.  * </pre>

  92.  *

  93.  * <p> The overall authentication succeeds only if all <i>Required</i> and

  94.  * <i>Requisite</i> LoginModules succeed.  If a <i>Sufficient</i>

  95.  * <code>LoginModule</code> is configured and succeeds,

  96.  * then only the <i>Required</i> and <i>Requisite</i> LoginModules prior to 

  97.  * that <i>Sufficient</i> <code>LoginModule</code> need to have succeeded for

  98.  * the overall authentication to succeed. If no <i>Required</i> or

  99.  * <i>Requisite</i> LoginModules are configured for an application,

  100.  * then at least one <i>Sufficient</i> or <i>Optional</i>

  101.  * <code>LoginModule</code> must succeed.

  102.  *

  103.  * <p> <i>ModuleOptions</i> is a space separated list of

  104.  * <code>LoginModule</code>-specific values which are passed directly to

  105.  * the underlying LoginModules.  Options are defined by the

  106.  * <code>LoginModule</code> itself, and control the behavior within it.

  107.  * For example, a <code>LoginModule</code> may define options to support

  108.  * debugging/testing capabilities.  The correct way to specify options in the

  109.  * <code>Configuration</code> is by using the following key-value pairing:

  110.  * <i>debug="true"</i>.  The key and value should be separated by an

  111.  * 'equals' symbol, and the value should be surrounded by double quotes.

  112.  * If a String in the form, ${system.property}, occurs in the value,

  113.  * it will be expanded to the value of the system property.

  114.  * Note that there is no limit to the number of

  115.  * options a <code>LoginModule</code> may define.

  116.  *

  117.  * <p> The following represents an example <code>Configuration</code> entry

  118.  * based on the syntax above:

  119.  *

  120.  * <pre>

  121.  * Login {

  122.  *   com.sun.security.auth.module.UnixLoginModule required;

  123.  *   com.sun.security.auth.module.Krb5LoginModule optional

  124.  *                   useTicketCache="true"

  125.  *                   ticketCache="${user.home}${/}tickets";

  126.  * };

  127.  * </pre>

  128.  *

  129.  * <p> This <code>Configuration</code> specifies that an application named,

  130.  * "Login", requires users to first authenticate to the

  131.  * <i>com.sun.security.auth.module.UnixLoginModule</i>, which is

  132.  * required to succeed.  Even if the <i>UnixLoginModule</i>

  133.  * authentication fails, the

  134.  * <i>com.sun.security.auth.module.Krb5LoginModule</i>

  135.  * still gets invoked.  This helps hide the source of failure.

  136.  * Since the <i>Krb5LoginModule</i> is <i>Optional</i>, the overall

  137.  * authentication succeeds only if the <i>UnixLoginModule</i>

  138.  * (<i>Required</i>) succeeds.

  139.  *

  140.  * <p> Also note that the LoginModule-specific options,

  141.  * <i>useTicketCache="true"</i> and

  142.  * <i>ticketCache=${user.home}${/}tickets"</i>,

  143.  * are passed to the <i>Krb5LoginModule</i>.

  144.  * These options instruct the <i>Krb5LoginModule</i> to

  145.  * use the ticket cache at the specified location.

  146.  * The system properties, <i>user.home</i> and <i>/</i>

  147.  * (file.separator), are expanded to their respective values.

  148.  *

  149.  * <p> The default Configuration implementation can be changed by setting the

  150.  * value of the "login.configuration.provider" security property (in the Java

  151.  * security properties file) to the fully qualified name of

  152.  * the desired Configuration implementation class.

  153.  * The Java security properties file is located in the file named

  154.  * <JAVA_HOME>/lib/security/java.security, where <JAVA_HOME>

  155.  * refers to the directory where the JDK was installed.

  156.  *

  157.  * @version 1.55, 01/23/03

  158.  * @see javax.security.auth.login.LoginContext

  159.  */

  160. public abstract class Configuration {

  161. 

  162.     private static Configuration configuration;

  163.     private static ClassLoader contextClassLoader;

  164. 

  165.     static {

  166. 	contextClassLoader =

  167. 		(ClassLoader)java.security.AccessController.doPrivileged

  168. 		(new java.security.PrivilegedAction() {

  169. 		public Object run() {

  170. 		    return Thread.currentThread().getContextClassLoader();	

  171. 		}

  172. 	});

  173.     };

  174. 

  175.     /**

  176.      * Sole constructor.  (For invocation by subclass constructors, typically

  177.      * implicit.)

  178.      */

  179.     protected Configuration() { }

  180. 

  181.     /**

  182.      * Get the current Login Configuration.

  183.      *

  184.      * <p>

  185.      *

  186.      * @return the current Login Configuration.

  187.      *

  188.      * @exception SecurityException if the caller does not have permission

  189.      *				to retrieve the Configuration.

  190.      *

  191.      * @see #setConfiguration

  192.      */

  193.     public static synchronized Configuration getConfiguration() {

  194. 

  195. 	SecurityManager sm = System.getSecurityManager();

  196. 	if (sm != null)

  197. 	    sm.checkPermission(new AuthPermission("getLoginConfiguration"));

  198. 

  199. 	if (configuration == null) {

  200. 	    String config_class = null;

  201. 	    config_class = (String)

  202. 		java.security.AccessController.doPrivileged

  203. 		(new java.security.PrivilegedAction() {

  204. 		public Object run() {

  205. 		    return java.security.Security.getProperty

  206. 				("login.configuration.provider");

  207. 		}

  208. 	    });

  209. 	    if (config_class == null) {

  210. 		config_class = "com.sun.security.auth.login.ConfigFile";

  211. 	    }

  212.  

  213. 	    try {

  214. 		final String finalClass = config_class;

  215. 		configuration = (Configuration)

  216. 		    java.security.AccessController.doPrivileged

  217. 		    (new java.security.PrivilegedExceptionAction() {

  218. 		    public Object run() throws ClassNotFoundException,

  219. 					InstantiationException,

  220. 					IllegalAccessException {

  221. 			return Class.forName

  222. 				(finalClass,

  223. 				true,

  224. 				contextClassLoader).newInstance();

  225. 		    }

  226. 		});

  227. 	    } catch (PrivilegedActionException e) {

  228. 		Exception ee = e.getException();

  229. 		if (ee instanceof InstantiationException) {

  230. 		    throw (SecurityException) new

  231. 			SecurityException

  232. 				("Configuration error:" +

  233. 				 ee.getCause().getMessage() + 

  234. 				 "\n").initCause(ee.getCause());

  235. 		} else {

  236. 		    throw (SecurityException) new

  237. 			SecurityException

  238. 				("Configuration error: " +

  239. 				 ee.toString() + 

  240. 				 "\n").initCause(ee);

  241. 		}

  242. 	    }

  243. 	}

  244. 	return configuration;

  245.     }

  246.     

  247.     /**

  248.      * Set the current Login <code>Configuration</code>.

  249.      *

  250.      * <p>

  251.      *

  252.      * @param configuration the new <code>Configuration</code>

  253.      *

  254.      * @exception SecurityException if the current thread does not have

  255.      *			Permission to set the <code>Configuration</code>.

  256.      *

  257.      * @see #getConfiguration

  258.      */

  259.     public static void setConfiguration(Configuration configuration) {

  260. 	SecurityManager sm = System.getSecurityManager();

  261. 	if (sm != null)

  262. 	    sm.checkPermission(new AuthPermission("setLoginConfiguration"));

  263. 	Configuration.configuration = configuration;

  264.     }

  265. 

  266.     /**

  267.      * Retrieve an array of AppConfigurationEntries which corresponds to

  268.      *		the configuration of LoginModules for this application.

  269.      *

  270.      * <p>

  271.      *

  272.      * @param applicationName the name used to index the Configuration.

  273.      * 

  274.      * @return an array of AppConfigurationEntries which corresponds to

  275.      *		the configuration of LoginModules for this

  276.      *		application, or null if this application has no configured

  277.      *		LoginModules.

  278.      */

  279.     public abstract AppConfigurationEntry[] getAppConfigurationEntry

  280.     (String applicationName);

  281. 

  282.     /**

  283.      * Refresh and reload the Configuration.

  284.      *

  285.      * <p> This method causes this object to refresh/reload its current

  286.      * Configuration. This is implementation-dependent.

  287.      * For example, if the Configuration object is stored

  288.      * a file, calling <code>refresh</code> will cause the file to be re-read.

  289.      *

  290.      * <p>

  291.      *

  292.      * @exception SecurityException if the caller does not have permission

  293.      *				to refresh the Configuration.

  294.      */

  295.     public abstract void refresh();

  296. }