DaoX509AuthoritiesPopulator xref

View Javadoc

1   /* Copyright 2004, 2005 Acegi Technology Pty Limited
2    *
3    * Licensed under the Apache License, Version 2.0 (the "License");
4    * you may not use this file except in compliance with the License.
5    * You may obtain a copy of the License at
6    *
7    *     http://www.apache.org/licenses/LICENSE-2.0
8    *
9    * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS,
11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12   * See the License for the specific language governing permissions and
13   * limitations under the License.
14   */
15  
16  package org.acegisecurity.providers.x509.populator;
17  
18  import java.security.cert.X509Certificate;
19  
20  import org.acegisecurity.AcegiMessageSource;
21  import org.acegisecurity.AuthenticationException;
22  import org.acegisecurity.BadCredentialsException;
23  import org.acegisecurity.providers.x509.X509AuthoritiesPopulator;
24  import org.acegisecurity.userdetails.UserDetails;
25  import org.acegisecurity.userdetails.UserDetailsService;
26  import org.apache.commons.logging.Log;
27  import org.apache.commons.logging.LogFactory;
28  import org.apache.oro.text.regex.MalformedPatternException;
29  import org.apache.oro.text.regex.MatchResult;
30  import org.apache.oro.text.regex.Pattern;
31  import org.apache.oro.text.regex.PatternMatcher;
32  import org.apache.oro.text.regex.Perl5Compiler;
33  import org.apache.oro.text.regex.Perl5Matcher;
34  import org.springframework.beans.factory.InitializingBean;
35  import org.springframework.context.MessageSource;
36  import org.springframework.context.MessageSourceAware;
37  import org.springframework.context.support.MessageSourceAccessor;
38  import org.springframework.util.Assert;
39  
40  
41  /***
42   * Populates the X509 authorities via an {@link
43   * org.acegisecurity.userdetails.UserDetailsService}.
44   */
45  public class DaoX509AuthoritiesPopulator implements X509AuthoritiesPopulator,
46      InitializingBean, MessageSourceAware {
47      //~ Static fields/initializers =============================================
48  
49      private static final Log logger = LogFactory.getLog(DaoX509AuthoritiesPopulator.class);
50  
51      //~ Instance fields ========================================================
52  
53      private UserDetailsService userDetailsService;
54      protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
55      private Pattern subjectDNPattern;
56      private String subjectDNRegex = "CN=(.*?),";
57  
58      //~ Methods ================================================================
59  
60      public void afterPropertiesSet() throws Exception {
61          Assert.notNull(userDetailsService, "An authenticationDao must be set");
62          Assert.notNull(this.messages, "A message source must be set");
63  
64          Perl5Compiler compiler = new Perl5Compiler();
65  
66          try {
67              subjectDNPattern = compiler.compile(subjectDNRegex,
68                      Perl5Compiler.READ_ONLY_MASK
69                      | Perl5Compiler.CASE_INSENSITIVE_MASK);
70          } catch (MalformedPatternException mpe) {
71              throw new IllegalArgumentException("Malformed regular expression: "
72                  + subjectDNRegex);
73          }
74      }
75  
76      public UserDetails getUserDetails(X509Certificate clientCert)
77          throws AuthenticationException {
78          String subjectDN = clientCert.getSubjectDN().getName();
79          PatternMatcher matcher = new Perl5Matcher();
80  
81          if (!matcher.contains(subjectDN, subjectDNPattern)) {
82              throw new BadCredentialsException(messages.getMessage(
83                      "DaoX509AuthoritiesPopulator.noMatching",
84                      new Object[] {subjectDN},
85                      "No matching pattern was found in subjectDN: {0}"));
86          }
87  
88          MatchResult match = matcher.getMatch();
89  
90          if (match.groups() != 2) { // 2 = 1 + the entire match
91              throw new IllegalArgumentException(
92                  "Regular expression must contain a single group ");
93          }
94  
95          String userName = match.group(1);
96  
97          return this.userDetailsService.loadUserByUsername(userName);
98      }
99  
100     public void setUserDetailsService(UserDetailsService authenticationDao) {
101         this.userDetailsService = authenticationDao;
102     }
103 
104     public void setMessageSource(MessageSource messageSource) {
105         this.messages = new MessageSourceAccessor(messageSource);
106     }
107 
108     /***
109      * Sets the regular expression which will by used to extract the user name
110      * from the certificate's Subject DN.
111      *
112      * <p>
113      * It should contain a single group; for example the default expression
114      * "CN=(.*?)," matches the common name field. So "CN=Jimi Hendrix, OU=..."
115      * will give a user name of "Jimi Hendrix".
116      * </p>
117      * <p>
118      * The matches are case insensitive. So "emailAddress=(.*?)," will match
119      * "EMAILADDRESS=jimi@hendrix.org, CN=..." giving a user name "jimi@hendrix.org"
120      * </p>
121      *
122      * @param subjectDNRegex the regular expression to find in the subject
123      */
124     public void setSubjectDNRegex(String subjectDNRegex) {
125         this.subjectDNRegex = subjectDNRegex;
126     }
127 }