1. /*

  2.  * @(#)NTLoginModule.java	1.10 04/05/05

  3.  *

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package com.sun.security.auth.module;

  9. 

  10. import java.util.*;

  11. import java.io.IOException;

  12. import javax.security.auth.*;

  13. import javax.security.auth.callback.*;

  14. import javax.security.auth.login.*;

  15. import javax.security.auth.spi.*;

  16. import com.sun.security.auth.NTUserPrincipal;

  17. import com.sun.security.auth.NTSidUserPrincipal;

  18. import com.sun.security.auth.NTDomainPrincipal;

  19. import com.sun.security.auth.NTSidDomainPrincipal;

  20. import com.sun.security.auth.NTSidPrimaryGroupPrincipal;

  21. import com.sun.security.auth.NTSidGroupPrincipal;

  22. import com.sun.security.auth.NTNumericCredential;

  23. 

  24. /**

  25.  * <p> This <code>LoginModule</code>

  26.  * renders a user's NT security information as some number of

  27.  * <code>Principal</code>s

  28.  * and associates them with a <code>Subject</code>.

  29.  *

  30.  * <p> This LoginModule recognizes the debug option.

  31.  * If set to true in the login Configuration,

  32.  * debug messages will be output to the output stream, System.out.

  33.  *

  34.  * <p> This LoginModule also recognizes the debugNative option.

  35.  * If set to true in the login Configuration,

  36.  * debug messages from the native component of the module

  37.  * will be output to the output stream, System.out.

  38.  *

  39.  * @version 1.10, 05/05/04

  40.  * @see javax.security.auth.spi.LoginModule

  41.  */

  42. public class NTLoginModule implements LoginModule {

  43. 

  44.     private NTSystem ntSystem;

  45. 

  46.     // initial state

  47.     private Subject subject;

  48.     private CallbackHandler callbackHandler;

  49.     private Map sharedState;

  50.     private Map options;

  51. 

  52.     // configurable option

  53.     private boolean debug = false;

  54.     private boolean debugNative = false;

  55. 

  56.     // the authentication status

  57.     private boolean succeeded = false;

  58.     private boolean commitSucceeded = false;

  59. 

  60.     private NTUserPrincipal userPrincipal;		// user name

  61.     private NTSidUserPrincipal userSID;			// user SID

  62.     private NTDomainPrincipal userDomain;		// user domain

  63.     private NTSidDomainPrincipal domainSID;		// domain SID

  64.     private NTSidPrimaryGroupPrincipal primaryGroup;	// primary group

  65.     private NTSidGroupPrincipal groups[];		// supplementary groups

  66.     private NTNumericCredential iToken;			// impersonation token

  67. 

  68.     /**

  69.      * Initialize this <code>LoginModule</code>.

  70.      *

  71.      * <p>

  72.      *

  73.      * @param subject the <code>Subject</code> to be authenticated. <p>

  74.      *

  75.      * @param callbackHandler a <code>CallbackHandler</code> for communicating

  76.      *		with the end user (prompting for usernames and

  77.      *		passwords, for example). This particular LoginModule only

  78.      *          extracts the underlying NT system information, so this

  79.      *          parameter is ignored.<p>

  80.      *

  81.      * @param sharedState shared <code>LoginModule</code> state. <p>

  82.      *

  83.      * @param options options specified in the login

  84.      *			<code>Configuration</code> for this particular

  85.      *			<code>LoginModule</code>.

  86.      */

  87.     public void initialize(Subject subject, CallbackHandler callbackHandler,

  88. 			   Map<String,?> sharedState,

  89. 			   Map<String,?> options)

  90.     {

  91.  

  92. 	this.subject = subject;

  93. 	this.callbackHandler = callbackHandler;

  94. 	this.sharedState = sharedState;

  95. 	this.options = options;

  96. 

  97. 	// initialize any configured options

  98. 	debug = "true".equalsIgnoreCase((String)options.get("debug"));

  99. 	debugNative="true".equalsIgnoreCase((String)options.get("debugNative"));

  100. 

  101. 	if (debugNative == true) {

  102. 	    debug = true;

  103. 	}

  104.     }

  105. 

  106.     /**

  107.      * Import underlying NT system identity information.

  108.      *

  109.      * <p>

  110.      *

  111.      * @return true in all cases since this <code>LoginModule</code>

  112.      *		should not be ignored.

  113.      *

  114.      * @exception FailedLoginException if the authentication fails. <p>

  115.      *

  116.      * @exception LoginException if this <code>LoginModule</code>

  117.      *		is unable to perform the authentication.

  118.      */

  119.     public boolean login() throws LoginException {

  120.         

  121. 	succeeded = false; // Indicate not yet successful

  122. 	

  123. 	ntSystem = new NTSystem(debugNative);

  124. 	if (ntSystem == null) {

  125. 	    if (debug) {

  126. 		System.out.println("\t\t[NTLoginModule] " +

  127. 				   "Failed in NT login");

  128. 	    }

  129. 	    throw new FailedLoginException

  130. 		("Failed in attempt to import the " +

  131. 		 "underlying NT system identity information");

  132. 	}

  133. 	

  134. 	if (ntSystem.getName() == null) {

  135. 	    throw new FailedLoginException

  136. 		("Failed in attempt to import the " +

  137. 		 "underlying NT system identity information");

  138. 	}

  139. 	userPrincipal = new NTUserPrincipal(ntSystem.getName());

  140. 	if (debug) {

  141. 	    System.out.println("\t\t[NTLoginModule] " +

  142. 			       "succeeded importing info: ");

  143. 	    System.out.println("\t\t\tuser name = " +

  144. 		userPrincipal.getName());

  145. 	}

  146. 

  147. 	if (ntSystem.getUserSID() != null) {

  148. 	    userSID = new NTSidUserPrincipal(ntSystem.getUserSID());

  149. 	    if (debug) {

  150. 		System.out.println("\t\t\tuser SID = " +

  151. 			userSID.getName());

  152. 	    }

  153. 	}

  154. 	if (ntSystem.getDomain() != null) {

  155. 	    userDomain = new NTDomainPrincipal(ntSystem.getDomain());

  156. 	    if (debug) {

  157. 		System.out.println("\t\t\tuser domain = " +

  158. 			userDomain.getName());

  159. 	    }

  160. 	}

  161. 	if (ntSystem.getDomainSID() != null) {

  162. 	    domainSID =

  163. 		new NTSidDomainPrincipal(ntSystem.getDomainSID());

  164. 	    if (debug) {

  165. 		System.out.println("\t\t\tuser domain SID = " +

  166. 			domainSID.getName());

  167. 	    }

  168. 	}

  169. 	if (ntSystem.getPrimaryGroupID() != null) {

  170. 	    primaryGroup = 

  171. 		new NTSidPrimaryGroupPrincipal(ntSystem.getPrimaryGroupID());

  172. 	    if (debug) {

  173. 		System.out.println("\t\t\tuser primary group = " +

  174. 			primaryGroup.getName());

  175. 	    }

  176. 	}

  177. 	if (ntSystem.getGroupIDs() != null &&

  178. 	    ntSystem.getGroupIDs().length > 0) {

  179. 

  180. 	    String groupSIDs[] = ntSystem.getGroupIDs();

  181. 	    groups = new NTSidGroupPrincipal[groupSIDs.length];

  182. 	    for (int i = 0; i < groupSIDs.length; i++) {

  183. 		groups[i] = new NTSidGroupPrincipal(groupSIDs[i]);

  184. 		if (debug) {

  185. 		    System.out.println("\t\t\tuser group = " +

  186. 			groups[i].getName());

  187. 		}

  188. 	    }

  189. 	}

  190. 	if (ntSystem.getImpersonationToken() != 0) {

  191. 	    iToken = new NTNumericCredential(ntSystem.getImpersonationToken());

  192. 	    if (debug) {

  193. 		System.out.println("\t\t\timpersonation token = " +

  194. 			ntSystem.getImpersonationToken());

  195. 	    }

  196. 	}

  197. 

  198. 	succeeded = true;

  199. 	return succeeded;

  200.     }

  201.     

  202.     /**

  203.      * <p> This method is called if the LoginContext's

  204.      * overall authentication succeeded

  205.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules

  206.      * succeeded).

  207.      *

  208.      * <p> If this LoginModule's own authentication attempt

  209.      * succeeded (checked by retrieving the private state saved by the

  210.      * <code>login</code> method), then this method associates some

  211.      * number of various <code>Principal</code>s

  212.      * with the <code>Subject</code> located in the

  213.      * <code>LoginModuleContext</code>.  If this LoginModule's own

  214.      * authentication attempted failed, then this method removes

  215.      * any state that was originally saved.

  216.      *

  217.      * <p>

  218.      *

  219.      * @exception LoginException if the commit fails.

  220.      *

  221.      * @return true if this LoginModule's own login and commit

  222.      *		attempts succeeded, or false otherwise.

  223.      */

  224.     public boolean commit() throws LoginException {

  225. 	if (succeeded == false) {

  226. 	    if (debug) {

  227. 		System.out.println("\t\t[NTLoginModule]: " +

  228. 		    "did not add any Principals to Subject " +

  229. 		    "because own authentication failed.");

  230. 	    }

  231. 	    return false;

  232. 	} 

  233. 	if (subject.isReadOnly()) {

  234. 	    throw new LoginException ("Subject is ReadOnly");

  235. 	}

  236. 	Set principals = subject.getPrincipals();

  237. 

  238. 	// we must have a userPrincipal - everything else is optional

  239. 	if (!principals.contains(userPrincipal)) {

  240. 	    principals.add(userPrincipal);

  241. 	}

  242. 	if (userSID != null && !principals.contains(userSID)) {

  243. 	    principals.add(userSID);

  244. 	}

  245. 

  246. 	if (userDomain != null && !principals.contains(userDomain)) {

  247. 	    principals.add(userDomain);

  248. 	}

  249. 	if (domainSID != null && !principals.contains(domainSID)) {

  250. 	    principals.add(domainSID);

  251. 	}

  252. 

  253. 	if (primaryGroup != null && !principals.contains(primaryGroup)) {

  254. 	    principals.add(primaryGroup);

  255. 	}

  256. 	for (int i = 0; groups != null && i < groups.length; i++) {

  257. 	    if (!principals.contains(groups[i])) {

  258. 		principals.add(groups[i]);

  259. 	    }

  260. 	}

  261. 	

  262. 	Set pubCreds = subject.getPublicCredentials();

  263. 	if (iToken != null && !pubCreds.contains(iToken)) {

  264. 	    pubCreds.add(iToken);

  265. 	}

  266. 	commitSucceeded = true;

  267. 	return true;

  268.     }

  269. 

  270. 

  271.     /**

  272.      * <p> This method is called if the LoginContext's

  273.      * overall authentication failed.

  274.      * (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules

  275.      * did not succeed).

  276.      *

  277.      * <p> If this LoginModule's own authentication attempt

  278.      * succeeded (checked by retrieving the private state saved by the

  279.      * <code>login</code> and <code>commit</code> methods),

  280.      * then this method cleans up any state that was originally saved.

  281.      *

  282.      * <p>

  283.      *

  284.      * @exception LoginException if the abort fails.

  285.      *

  286.      * @return false if this LoginModule's own login and/or commit attempts

  287.      *		failed, and true otherwise.

  288.      */

  289.     public boolean abort() throws LoginException {

  290. 	if (debug) {

  291. 	    System.out.println("\t\t[NTLoginModule]: " +

  292. 		"aborted authentication attempt");

  293. 	}

  294. 

  295. 	if (succeeded == false) {

  296. 	    return false;

  297. 	} else if (succeeded == true && commitSucceeded == false) {

  298. 	    ntSystem = null;

  299. 	    userPrincipal = null;

  300. 	    userSID = null;

  301. 	    userDomain = null;

  302. 	    domainSID = null;

  303. 	    primaryGroup = null;

  304. 	    groups = null;

  305. 	    iToken = null;

  306. 	    succeeded = false;

  307. 	} else {

  308. 	    // overall authentication succeeded and commit succeeded,

  309. 	    // but someone else's commit failed

  310. 	    logout();

  311. 	}

  312. 	return succeeded;

  313.     }

  314. 

  315.     /**

  316.      * Logout the user.

  317.      *

  318.      * <p> This method removes the <code>NTUserPrincipal</code>,

  319.      * <code>NTDomainPrincipal</code>, <code>NTSidUserPrincipal</code>,

  320.      * <code>NTSidDomainPrincipal</code>, <code>NTSidGroupPrincipal</code>s,

  321.      * and <code>NTSidPrimaryGroupPrincipal</code>

  322.      * that may have been added by the <code>commit</code> method.

  323.      *

  324.      * <p>

  325.      *

  326.      * @exception LoginException if the logout fails.

  327.      *

  328.      * @return true in all cases since this <code>LoginModule</code>

  329.      *          should not be ignored.

  330.      */

  331.     public boolean logout() throws LoginException {

  332. 

  333. 	if (subject.isReadOnly()) {

  334. 	    throw new LoginException ("Subject is ReadOnly");

  335. 	}

  336. 	Set principals = subject.getPrincipals();

  337. 	if (principals.contains(userPrincipal)) {

  338. 	    principals.remove(userPrincipal);

  339. 	}

  340. 	if (principals.contains(userSID)) {

  341. 	    principals.remove(userSID);

  342. 	}

  343. 	if (principals.contains(userDomain)) {

  344. 	    principals.remove(userDomain);

  345. 	}

  346. 	if (principals.contains(domainSID)) {

  347. 	    principals.remove(domainSID);

  348. 	}

  349. 	if (principals.contains(primaryGroup)) {

  350. 	    principals.remove(primaryGroup);

  351. 	}

  352. 	for (int i = 0; groups != null && i < groups.length; i++) {

  353. 	    if (principals.contains(groups[i])) {

  354. 		principals.remove(groups[i]);

  355. 	    }

  356. 	}

  357. 

  358. 	Set pubCreds = subject.getPublicCredentials();

  359. 	if (pubCreds.contains(iToken)) {

  360. 	    pubCreds.remove(iToken);

  361. 	}

  362. 	

  363. 	succeeded = false;

  364. 	commitSucceeded = false;

  365. 	userPrincipal = null;

  366. 	userDomain = null;

  367. 	userSID = null;

  368. 	domainSID = null;

  369. 	groups = null;

  370. 	primaryGroup = null;

  371. 	iToken = null;

  372. 	ntSystem = null;

  373. 		

  374. 	if (debug) {

  375. 		System.out.println("\t\t[NTLoginModule] " +

  376. 				"completed logout processing");

  377. 	}

  378. 	return true;

  379.     }

  380. }