HybridAuthProvider.java 10.6 KB
/**
 * $Revision: 1116 $
 * $Date: 2005-03-10 15:18:08 -0800 (Thu, 10 Mar 2005) $
 *
 * Copyright (C) 2005-2008 Jive Software. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.jivesoftware.openfire.auth;

import java.util.HashSet;
import java.util.Set;

import org.jivesoftware.openfire.user.UserNotFoundException;
import org.jivesoftware.util.ClassUtils;
import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * The hybrid auth provider allows up to three AuthProvider implementations to
 * be strung together to do chained authentication checking. The algorithm is
 * as follows:
 * <ol>
 *      <li>Attempt authentication using the primary provider. If that fails:
 *      <li>If the secondary provider is defined, attempt authentication (otherwise return).
 *          If that fails:
 *      <li>If the tertiary provider is defined, attempt authentication.
 * </ol>
 *
 * To enable this provider, set the <tt>provider.auth.className</tt> system property to
 * <tt>org.jivesoftware.openfire.auth.HybridAuthProvider</tt>.
 *
 * The primary, secondary, and tertiary providers are configured be setting system properties similar to
 * the following:
 *
 * <ul>
 * <li><tt>hybridAuthProvider.primaryProvider = org.jivesoftware.openfire.auth.DefaultAuthProvider</tt></li>
 * <li><tt>hybridAuthProvider.secondaryProvider = org.jivesoftware.openfire.auth.NativeAuthProvider</tt></li>
 * </ul>
 *
 * Each of the chained providers can have a list of override users. If a user is in
 * an override list, authentication will only be attempted with the associated provider
 * (bypassing the chaining logic).<p>
 *
 * The full list of properties:
 * <ul>
 *      <li><tt>hybridAuthProvider.primaryProvider.className</tt> (required) -- the class name
 *          of the auth provider.
 *      <li><tt>hybridAuthProvider.primaryProvider.overrideList</tt> -- a comma-delimitted list
 *          of usernames for which authentication will only be tried with this provider.
 *      <li><tt>hybridAuthProvider.secondaryProvider.className</tt> -- the class name
 *          of the auth provider.
 *      <li><tt>hybridAuthProvider.secondaryProvider.overrideList</tt> -- a comma-delimitted list
 *          of usernames for which authentication will only be tried with this provider.
 *      <li><tt>hybridAuthProvider.tertiaryProvider.className</tt> -- the class name
 *          of the auth provider.
 *      <li><tt>hybridAuthProvider.tertiaryProvider.overrideList</tt> -- a comma-delimitted list
 *          of usernames for which authentication will only be tried with this provider.
 * </ul>
 *
 * The primary provider is required, but all other properties are optional. Each provider
 * should be configured as it is normally, using whatever XML configuration options it specifies.
 *
 * @author Matt Tucker
 */
public class HybridAuthProvider implements AuthProvider {

	private static final Logger Log = LoggerFactory.getLogger(HybridAuthProvider.class);

    private AuthProvider primaryProvider;
    private AuthProvider secondaryProvider;
    private AuthProvider tertiaryProvider;

    private Set<String> primaryOverrides = new HashSet<>();
    private Set<String> secondaryOverrides = new HashSet<>();
    private Set<String> tertiaryOverrides = new HashSet<>();

    public HybridAuthProvider() {
        // Convert XML based provider setup to Database based
        JiveGlobals.migrateProperty("hybridAuthProvider.primaryProvider.className");
        JiveGlobals.migrateProperty("hybridAuthProvider.secondaryProvider.className");
        JiveGlobals.migrateProperty("hybridAuthProvider.tertiaryProvider.className");
        JiveGlobals.migrateProperty("hybridAuthProvider.primaryProvider.overrideList");
        JiveGlobals.migrateProperty("hybridAuthProvider.secondaryProvider.overrideList");
        JiveGlobals.migrateProperty("hybridAuthProvider.tertiaryProvider.overrideList");

        // Load primary, secondary, and tertiary auth providers.
        String primaryClass = JiveGlobals.getProperty(
                "hybridAuthProvider.primaryProvider.className");
        if (primaryClass == null) {
            Log.error("A primary AuthProvider must be specified. Authentication will be disabled.");
            return;
        }
        try {
            Class c = ClassUtils.forName(primaryClass);
            primaryProvider = (AuthProvider)c.newInstance();
            // All providers must support plain auth.
            if (!primaryProvider.isPlainSupported()) {
                Log.error("Provider " + primaryClass + " must support plain authentication. " +
                        "Authentication disabled.");
                primaryProvider = null;
                return;
            }
            Log.debug("Primary auth provider: " + primaryClass);
        }
        catch (Exception e) {
            Log.error("Unable to load primary auth provider: " + primaryClass +
                    ". Authentication will be disabled.", e);
            return;
        }

        String secondaryClass = JiveGlobals.getProperty(
                "hybridAuthProvider.secondaryProvider.className");
        if (secondaryClass != null) {
            try {
                Class c = ClassUtils.forName(secondaryClass);
                secondaryProvider = (AuthProvider)c.newInstance();
                // All providers must support plain auth.
                if (!secondaryProvider.isPlainSupported()) {
                    Log.error("Provider " + secondaryClass + " must support plain authentication. " +
                            "Authentication disabled.");
                    primaryProvider = null;
                    secondaryProvider = null;
                    return;
                }
                Log.debug("Secondary auth provider: " + secondaryClass);
            }
            catch (Exception e) {
                Log.error("Unable to load secondary auth provider: " + secondaryClass, e);
            }
        }

        String tertiaryClass = JiveGlobals.getProperty(
                "hybridAuthProvider.tertiaryProvider.className");
        if (tertiaryClass != null) {
            try {
                Class c = ClassUtils.forName(tertiaryClass);
                tertiaryProvider = (AuthProvider)c.newInstance();
                // All providers must support plain auth.
                if (!tertiaryProvider.isPlainSupported()) {
                    Log.error("Provider " + tertiaryClass + " must support plain authentication. " +
                            "Authentication disabled.");
                    primaryProvider = null;
                    secondaryProvider = null;
                    tertiaryProvider = null;
                    return;
                }
                Log.debug("Tertiary auth provider: " + tertiaryClass);
            }
            catch (Exception e) {
                Log.error("Unable to load tertiary auth provider: " + tertiaryClass, e);
            }
        }

        // Now, load any overrides.
        String overrideList = JiveGlobals.getProperty(
                "hybridAuthProvider.primaryProvider.overrideList", "");
        for (String user: overrideList.split(",")) {
            primaryOverrides.add(user.trim().toLowerCase());
        }

        if (secondaryProvider != null) {
            overrideList = JiveGlobals.getProperty(
                    "hybridAuthProvider.secondaryProvider.overrideList", "");
            for (String user: overrideList.split(",")) {
                secondaryOverrides.add(user.trim().toLowerCase());
            }
        }

        if (tertiaryProvider != null) {
            overrideList = JiveGlobals.getProperty(
                    "hybridAuthProvider.tertiaryProvider.overrideList", "");
            for (String user: overrideList.split(",")) {
                tertiaryOverrides.add(user.trim().toLowerCase());
            }
        }
    }

    @Override
    public boolean isPlainSupported() {
        return true;
    }

    @Override
    public boolean isDigestSupported() {
        return false;
    }

    @Override
    public void authenticate(String username, String password) throws UnauthorizedException, ConnectionException, InternalUnauthenticatedException {
        // Check overrides first.
        if (primaryOverrides.contains(username.toLowerCase())) {
            primaryProvider.authenticate(username, password);
            return;
        }
        else if (secondaryOverrides.contains(username.toLowerCase())) {
            secondaryProvider.authenticate(username, password);
            return;
        }
        else if (tertiaryOverrides.contains(username.toLowerCase())) {
            tertiaryProvider.authenticate(username, password);
            return;
        }

        // Now perform normal
        try {
            primaryProvider.authenticate(username, password);
        }
        catch (UnauthorizedException ue) {
            if (secondaryProvider != null) {
                try {
                    secondaryProvider.authenticate(username, password);
                }
                catch (UnauthorizedException ue2) {
                    if (tertiaryProvider != null) {
                        tertiaryProvider.authenticate(username, password);
                    }
                    else {
                        throw ue2;
                    }
                }
            }
            else {
                throw ue;
            }
        }
    }

    @Override
    public void authenticate(String username, String token, String digest)
            throws UnauthorizedException
    {
        throw new UnauthorizedException("Digest authentication not supported.");
    }

    @Override
    public String getPassword(String username)
            throws UserNotFoundException, UnsupportedOperationException
    {
        throw new UnsupportedOperationException();
    }

    @Override
    public void setPassword(String username, String password)
            throws UserNotFoundException, UnsupportedOperationException
    {
        throw new UnsupportedOperationException();
    }

    @Override
    public boolean supportsPasswordRetrieval() {
        return false;
    }

    @Override
    public boolean isScramSupported() {
        // TODO Auto-generated method stub
        return false;
    }
}