1 | /** |
---|
2 | /* Copyright 2006-2009 the original author or authors. |
---|
3 | * |
---|
4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
5 | * you may not use this file except in compliance with the License. |
---|
6 | * You may obtain a copy of the License at |
---|
7 | * |
---|
8 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
9 | * |
---|
10 | * Unless required by applicable law or agreed to in writing, software |
---|
11 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
13 | * See the License for the specific language governing permissions and |
---|
14 | * limitations under the License. |
---|
15 | */ |
---|
16 | package org.codehaus.groovy.grails.plugins.springsecurity |
---|
17 | |
---|
18 | import org.apache.log4j.Logger |
---|
19 | |
---|
20 | import org.springframework.security.GrantedAuthority |
---|
21 | import org.springframework.security.GrantedAuthorityImpl |
---|
22 | import org.springframework.security.userdetails.UserDetails |
---|
23 | import org.springframework.security.userdetails.UserDetailsService |
---|
24 | import org.springframework.security.userdetails.UsernameNotFoundException |
---|
25 | import org.springframework.dao.DataAccessException |
---|
26 | |
---|
27 | /** |
---|
28 | * {@link UserDetailsService} with {@link GrailsDomainClass} Data Access Object. |
---|
29 | * @author Tsuyoshi Yamamoto |
---|
30 | * @author <a href='mailto:beckwithb@studentsonly.com'>Burt Beckwith</a> |
---|
31 | */ |
---|
32 | class GrailsDaoImpl extends GrailsWebApplicationObjectSupport implements UserDetailsService { |
---|
33 | |
---|
34 | private final Logger logger = Logger.getLogger(getClass()) |
---|
35 | |
---|
36 | def authenticateService |
---|
37 | |
---|
38 | // dependency-injected fields |
---|
39 | String loginUserDomainClass |
---|
40 | String usernameFieldName |
---|
41 | String passwordFieldName |
---|
42 | String enabledFieldName |
---|
43 | String relationalAuthoritiesField |
---|
44 | String authorityFieldName |
---|
45 | String authoritiesMethodName |
---|
46 | |
---|
47 | /** |
---|
48 | * {@inheritDoc} |
---|
49 | * @see org.springframework.security.userdetails.UserDetailsService#loadUserByUsername(java.lang.String) |
---|
50 | */ |
---|
51 | UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { |
---|
52 | return loadUserByUsername(username, true) |
---|
53 | } |
---|
54 | |
---|
55 | /** |
---|
56 | * Load a user by username, optionally not loading roles. |
---|
57 | * @param username the login name |
---|
58 | * @param loadRoles if <code>true</code> load roles from the database |
---|
59 | * @return the user if found, otherwise throws {@link UsernameNotFoundException} |
---|
60 | * @throws UsernameNotFoundException if the user isn't found |
---|
61 | * @throws DataAccessException if there's a database problem |
---|
62 | */ |
---|
63 | UserDetails loadUserByUsername(String username, boolean loadRoles) |
---|
64 | throws UsernameNotFoundException, DataAccessException { |
---|
65 | |
---|
66 | if (authenticateService.securityConfig.security.useNtlm) { |
---|
67 | username = username.toLowerCase() |
---|
68 | } |
---|
69 | |
---|
70 | GrailsWebApplicationObjectSupport.SessionContainer container = setUpSession() |
---|
71 | try { |
---|
72 | def user = loadDomainUser(username, container.session) |
---|
73 | GrantedAuthority[] authorities = loadAuthorities(user, username, loadRoles) |
---|
74 | return createUserDetails( |
---|
75 | username, user."$passwordFieldName", user."$enabledFieldName", |
---|
76 | authorities, user) |
---|
77 | } |
---|
78 | finally { |
---|
79 | releaseSession(container) |
---|
80 | } |
---|
81 | } |
---|
82 | |
---|
83 | protected GrantedAuthority[] loadAuthorities(user, String username, boolean loadRoles) { |
---|
84 | if (!loadRoles) { |
---|
85 | return [] |
---|
86 | } |
---|
87 | |
---|
88 | if (relationalAuthoritiesField) { |
---|
89 | return createRolesByRelationalAuthorities(user, username) |
---|
90 | } |
---|
91 | |
---|
92 | if (authoritiesMethodName) { |
---|
93 | return createRolesByAuthoritiesMethod(user, username) |
---|
94 | } |
---|
95 | |
---|
96 | logger.error("User [${username}] has no GrantedAuthority") |
---|
97 | throw new UsernameNotFoundException("User has no GrantedAuthority") |
---|
98 | } |
---|
99 | |
---|
100 | protected def loadDomainUser(username, session) throws UsernameNotFoundException, DataAccessException { |
---|
101 | |
---|
102 | List users = session.createQuery( |
---|
103 | "from $loginUserDomainClass where $usernameFieldName=:username") |
---|
104 | .setString('username', username) |
---|
105 | .setCacheable(true) |
---|
106 | .list() |
---|
107 | |
---|
108 | if (users.empty) { |
---|
109 | logger.error "User not found: $username" |
---|
110 | throw new UsernameNotFoundException("User not found", username) |
---|
111 | } |
---|
112 | |
---|
113 | return users[0] |
---|
114 | } |
---|
115 | |
---|
116 | /** |
---|
117 | * Create the {@link UserDetails} instance. Subclasses can override to inherit core functionality |
---|
118 | * but determine the concrete class without reimplementing the entire class. |
---|
119 | * @param username the username |
---|
120 | * @param password the password |
---|
121 | * @param enabled set to <code>true</code> if the user is enabled |
---|
122 | * @param authorities the authorities that should be granted to the caller |
---|
123 | * @param user the user domain instance |
---|
124 | * @return the instance |
---|
125 | */ |
---|
126 | protected UserDetails createUserDetails( |
---|
127 | String username, String password, boolean enabled, |
---|
128 | GrantedAuthority[] authorities, Object user) { |
---|
129 | new GrailsUserImpl( |
---|
130 | username, password, enabled, |
---|
131 | true, true, true, authorities, user) |
---|
132 | } |
---|
133 | |
---|
134 | protected GrantedAuthority[] createRolesByAuthoritiesMethod(user, String username) { |
---|
135 | Set authorities = user."$authoritiesMethodName"() |
---|
136 | assertNotEmpty authorities, username |
---|
137 | |
---|
138 | authorities.collect { roleName -> new GrantedAuthorityImpl(roleName) } as GrantedAuthority[] |
---|
139 | } |
---|
140 | |
---|
141 | protected GrantedAuthority[] createRolesByRelationalAuthorities(user, String username) { |
---|
142 | // get authorities from LoginUser [LoginUser]--M:M--[Authority] |
---|
143 | |
---|
144 | Set authorities = user."$relationalAuthoritiesField" |
---|
145 | assertNotEmpty authorities, username |
---|
146 | |
---|
147 | authorities.collect { item -> new GrantedAuthorityImpl(item."$authorityFieldName") } as GrantedAuthority[] |
---|
148 | } |
---|
149 | |
---|
150 | protected void assertNotEmpty(Collection authorities, String username) { |
---|
151 | if (authorities == null || authorities.empty) { |
---|
152 | logger.error("User [${username}] has no GrantedAuthority") |
---|
153 | throw new UsernameNotFoundException("User has no GrantedAuthority") |
---|
154 | } |
---|
155 | } |
---|
156 | |
---|
157 | protected Logger getLog() { |
---|
158 | return logger |
---|
159 | } |
---|
160 | } |
---|