| // |
| // ======================================================================== |
| // Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd. |
| // ------------------------------------------------------------------------ |
| // All rights reserved. This program and the accompanying materials |
| // are made available under the terms of the Eclipse Public License v1.0 |
| // and Apache License v2.0 which accompanies this distribution. |
| // |
| // The Eclipse Public License is available at |
| // http://www.eclipse.org/legal/epl-v10.html |
| // |
| // The Apache License v2.0 is available at |
| // http://www.opensource.org/licenses/apache2.0.php |
| // |
| // You may elect to redistribute this code under either of these licenses. |
| // ======================================================================== |
| // |
| |
| package org.eclipse.jetty.security; |
| |
| import java.io.File; |
| import java.io.IOException; |
| import java.nio.file.Path; |
| import java.security.Principal; |
| import java.util.ArrayList; |
| import java.util.HashMap; |
| import java.util.HashSet; |
| import java.util.Iterator; |
| import java.util.List; |
| import java.util.Map; |
| import java.util.Properties; |
| import java.util.Set; |
| |
| import javax.security.auth.Subject; |
| |
| |
| import org.eclipse.jetty.server.UserIdentity; |
| import org.eclipse.jetty.util.PathWatcher; |
| import org.eclipse.jetty.util.PathWatcher.PathWatchEvent; |
| import org.eclipse.jetty.util.StringUtil; |
| import org.eclipse.jetty.util.component.AbstractLifeCycle; |
| import org.eclipse.jetty.util.log.Log; |
| import org.eclipse.jetty.util.log.Logger; |
| import org.eclipse.jetty.util.resource.PathResource; |
| import org.eclipse.jetty.util.resource.Resource; |
| import org.eclipse.jetty.util.security.Credential; |
| |
| /** |
| * PropertyUserStore |
| * <p> |
| * This class monitors a property file of the format mentioned below and notifies registered listeners of the changes to the the given file. |
| * |
| * <pre> |
| * username: password [,rolename ...] |
| * </pre> |
| * |
| * Passwords may be clear text, obfuscated or checksummed. The class com.eclipse.Util.Password should be used to generate obfuscated passwords or password |
| * checksums. |
| * |
| * If DIGEST Authentication is used, the password must be in a recoverable format, either plain text or OBF:. |
| */ |
| public class PropertyUserStore extends AbstractLifeCycle implements PathWatcher.Listener |
| { |
| private static final Logger LOG = Log.getLogger(PropertyUserStore.class); |
| |
| protected Path _configPath; |
| protected Resource _configResource; |
| |
| protected PathWatcher pathWatcher; |
| protected boolean hotReload = false; // default is not to reload |
| |
| protected IdentityService _identityService = new DefaultIdentityService(); |
| protected boolean _firstLoad = true; // true if first load, false from that point on |
| protected final List<String> _knownUsers = new ArrayList<String>(); |
| protected final Map<String, UserIdentity> _knownUserIdentities = new HashMap<String, UserIdentity>(); |
| protected List<UserListener> _listeners; |
| |
| /** |
| * Get the config (as a string) |
| * @return the config path as a string |
| * @deprecated use {@link #getConfigPath()} instead |
| */ |
| @Deprecated |
| public String getConfig() |
| { |
| return _configPath.toString(); |
| } |
| |
| /** |
| * Set the Config Path from a String reference to a file |
| * @param configFile the config file |
| * @deprecated use {@link #setConfigPath(String)} instead |
| */ |
| @Deprecated |
| public void setConfig(String configFile) |
| { |
| setConfigPath(configFile); |
| } |
| |
| /** |
| * Get the Config {@link Path} reference. |
| * @return the config path |
| */ |
| public Path getConfigPath() |
| { |
| return _configPath; |
| } |
| |
| /** |
| * Set the Config Path from a String reference to a file |
| * @param configFile the config file |
| */ |
| public void setConfigPath(String configFile) |
| { |
| if (configFile == null) |
| { |
| _configPath = null; |
| } |
| else |
| { |
| _configPath = new File(configFile).toPath(); |
| } |
| } |
| |
| /** |
| * Set the Config Path from a {@link File} reference |
| * @param configFile the config file |
| */ |
| public void setConfigPath(File configFile) |
| { |
| _configPath = configFile.toPath(); |
| } |
| |
| /** |
| * Set the Config Path |
| * @param configPath the config path |
| */ |
| public void setConfigPath(Path configPath) |
| { |
| _configPath = configPath; |
| } |
| |
| /* ------------------------------------------------------------ */ |
| public UserIdentity getUserIdentity(String userName) |
| { |
| return _knownUserIdentities.get(userName); |
| } |
| |
| /* ------------------------------------------------------------ */ |
| /** |
| * @return the resource associated with the configured properties file, creating it if necessary |
| * @throws IOException if unable to get the resource |
| */ |
| public Resource getConfigResource() throws IOException |
| { |
| if (_configResource == null) |
| { |
| _configResource = new PathResource(_configPath); |
| } |
| |
| return _configResource; |
| } |
| |
| /** |
| * Is hot reload enabled on this user store |
| * |
| * @return true if hot reload was enabled before startup |
| */ |
| public boolean isHotReload() |
| { |
| return hotReload; |
| } |
| |
| /** |
| * Enable Hot Reload of the Property File |
| * |
| * @param enable true to enable, false to disable |
| */ |
| public void setHotReload(boolean enable) |
| { |
| if (isRunning()) |
| { |
| throw new IllegalStateException("Cannot set hot reload while user store is running"); |
| } |
| this.hotReload = enable; |
| } |
| |
| |
| |
| @Override |
| public String toString() |
| { |
| StringBuilder s = new StringBuilder(); |
| s.append(this.getClass().getName()); |
| s.append("["); |
| s.append("users.count=").append(this._knownUsers.size()); |
| s.append("identityService=").append(this._identityService); |
| s.append("]"); |
| return s.toString(); |
| } |
| |
| /* ------------------------------------------------------------ */ |
| protected void loadUsers() throws IOException |
| { |
| if (_configPath == null) |
| return; |
| |
| if (LOG.isDebugEnabled()) |
| { |
| LOG.debug("Loading " + this + " from " + _configPath); |
| } |
| |
| Properties properties = new Properties(); |
| if (getConfigResource().exists()) |
| properties.load(getConfigResource().getInputStream()); |
| |
| Set<String> known = new HashSet<String>(); |
| |
| for (Map.Entry<Object, Object> entry : properties.entrySet()) |
| { |
| String username = ((String)entry.getKey()).trim(); |
| String credentials = ((String)entry.getValue()).trim(); |
| String roles = null; |
| int c = credentials.indexOf(','); |
| if (c > 0) |
| { |
| roles = credentials.substring(c + 1).trim(); |
| credentials = credentials.substring(0,c).trim(); |
| } |
| |
| if (username != null && username.length() > 0 && credentials != null && credentials.length() > 0) |
| { |
| String[] roleArray = IdentityService.NO_ROLES; |
| if (roles != null && roles.length() > 0) |
| { |
| roleArray = StringUtil.csvSplit(roles); |
| } |
| known.add(username); |
| Credential credential = Credential.getCredential(credentials); |
| |
| Principal userPrincipal = new AbstractLoginService.UserPrincipal(username,credential); |
| Subject subject = new Subject(); |
| subject.getPrincipals().add(userPrincipal); |
| subject.getPrivateCredentials().add(credential); |
| |
| if (roles != null) |
| { |
| for (String role : roleArray) |
| { |
| subject.getPrincipals().add(new AbstractLoginService.RolePrincipal(role)); |
| } |
| } |
| |
| subject.setReadOnly(); |
| |
| _knownUserIdentities.put(username,_identityService.newUserIdentity(subject,userPrincipal,roleArray)); |
| notifyUpdate(username,credential,roleArray); |
| } |
| } |
| |
| synchronized (_knownUsers) |
| { |
| /* |
| * if its not the initial load then we want to process removed users |
| */ |
| if (!_firstLoad) |
| { |
| Iterator<String> users = _knownUsers.iterator(); |
| while (users.hasNext()) |
| { |
| String user = users.next(); |
| if (!known.contains(user)) |
| { |
| _knownUserIdentities.remove(user); |
| notifyRemove(user); |
| } |
| } |
| } |
| |
| /* |
| * reset the tracked _users list to the known users we just processed |
| */ |
| |
| _knownUsers.clear(); |
| _knownUsers.addAll(known); |
| |
| } |
| |
| /* |
| * set initial load to false as there should be no more initial loads |
| */ |
| _firstLoad = false; |
| |
| if (LOG.isDebugEnabled()) |
| { |
| LOG.debug("Loaded " + this + " from " + _configPath); |
| } |
| } |
| |
| /* ------------------------------------------------------------ */ |
| /** |
| * Depending on the value of the refresh interval, this method will either start up a scanner thread that will monitor the properties file for changes after |
| * it has initially loaded it. Otherwise the users will be loaded and there will be no active monitoring thread so changes will not be detected. |
| * |
| * |
| * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart() |
| */ |
| protected void doStart() throws Exception |
| { |
| super.doStart(); |
| |
| loadUsers(); |
| if ( isHotReload() && (_configPath != null) ) |
| { |
| this.pathWatcher = new PathWatcher(); |
| this.pathWatcher.watch(_configPath); |
| this.pathWatcher.addListener(this); |
| this.pathWatcher.setNotifyExistingOnStart(false); |
| this.pathWatcher.start(); |
| } |
| |
| } |
| |
| @Override |
| public void onPathWatchEvent(PathWatchEvent event) |
| { |
| try |
| { |
| loadUsers(); |
| } |
| catch (IOException e) |
| { |
| LOG.warn(e); |
| } |
| } |
| |
| /* ------------------------------------------------------------ */ |
| /** |
| * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStop() |
| */ |
| protected void doStop() throws Exception |
| { |
| super.doStop(); |
| if (this.pathWatcher != null) |
| this.pathWatcher.stop(); |
| this.pathWatcher = null; |
| } |
| |
| /** |
| * Notifies the registered listeners of potential updates to a user |
| * |
| * @param username |
| * @param credential |
| * @param roleArray |
| */ |
| private void notifyUpdate(String username, Credential credential, String[] roleArray) |
| { |
| if (_listeners != null) |
| { |
| for (Iterator<UserListener> i = _listeners.iterator(); i.hasNext();) |
| { |
| i.next().update(username,credential,roleArray); |
| } |
| } |
| } |
| |
| /** |
| * notifies the registered listeners that a user has been removed. |
| * |
| * @param username |
| */ |
| private void notifyRemove(String username) |
| { |
| if (_listeners != null) |
| { |
| for (Iterator<UserListener> i = _listeners.iterator(); i.hasNext();) |
| { |
| i.next().remove(username); |
| } |
| } |
| } |
| |
| /** |
| * registers a listener to be notified of the contents of the property file |
| * @param listener the user listener |
| */ |
| public void registerUserListener(UserListener listener) |
| { |
| if (_listeners == null) |
| { |
| _listeners = new ArrayList<UserListener>(); |
| } |
| _listeners.add(listener); |
| } |
| |
| /** |
| * UserListener |
| */ |
| public interface UserListener |
| { |
| public void update(String username, Credential credential, String[] roleArray); |
| |
| public void remove(String username); |
| } |
| } |