Implement Custom AuthenticationHandler in CQ5

I want to have a remote system do the user authentication for our CQ5. I'm guessing an AuthenticationHandler on a path is the direction to go. If so, how does AuthenticationHandler work in general? And, in CQ5, how do I implement a custom AuthenticationHandler? How do I go about making it an OSGi bundle (or fragment bundle) and installing it into CQ5?

If possible, a code sample with an OSGi manifest would be appreciated.

You can find a description of how the Sling AuthenticationHandler works here. Also, you can take a look at the Sling FormAuthenticationHandler source for an example. You can see the details of the OSGi configuration in the POM file for the project, under the configuration for the maven-bundle-plugin.

If you just need to check passwords or sync user accounts, you can use a custom CQ5 LoginModule.

I would start by looking into the Jackrabbit AbstractLoginModule: http://jackrabbit.apache.org/api/2.4/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.html

I have an example of a custom solution/fragment bundle that was written, but it has a lot of pieces. We were implementing stuff from Gigya (social network login).

We have a few other classes that implement the MyAbstractLoginModule. I can dig in further and get you more examples if you need. Hopefully this can get you started down the right path.

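import java.security.Principal;
import java.util.Map;

import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public abstract class MyAbstractLoginModule extends AbstractLoginModule {
    private static final Logger logger = LoggerFactory.getLogger(MyAbstractLoginModule.class);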
    protected Session session;
    protected UserManager userManager;
    protected ValueFactory valueFactory;
    protected long tokenExpiration = 7200000L;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        if (options.containsKey("tokenExpiration")) {
            try {
                this.tokenExpiration = Long.parseLong(options.get("tokenExpiration").toString());
                logger.debug("- Token expiration -> '" + this.tokenExpiration + "'");
            } catch (NumberFormatException e) {
                logger.warn("Unable to parse token expiration: ", e);
            }
        }
        super.initialize(subject, callbackHandler, sharedState, options);
    }

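    /**
    * Initializes the login module with the repository session.
    *
    * @param ch  callback handler used to obtain credentials
    * @param ses session giving access to the user manager and value factory
    * @param map login module options
    * @throws LoginException if the user manager or value factory cannot be retrieved
    */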
    @Override
    protected void doInit(CallbackHandler ch, Session ses, Map map) throws LoginException {
        logger.trace("doInit");

        SessionImpl session = (SessionImpl) ses;

        try {
            this.session = session;
            this.userManager = session.getUserManager();
            this.valueFactory = session.getValueFactory();
        } catch (RepositoryException e) {
            throw new LoginException("Unable to retrieve principal editor: " + e.toString());
        }
    }

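    /**
    * Handles an impersonation request.
    *
    * @param prncpl principal of the user to be impersonated
    * @param c      credentials carrying the impersonator's subject
    * @return true if the target user allows the impersonator; false if the target is unknown or a group
    * @throws RepositoryException if the user lookup fails
    * @throws LoginException if the target user does not allow the impersonation
    */
    @Override
    protected boolean impersonate(Principal prncpl, Credentials c) throws RepositoryException, LoginException {
        // Use the arguments passed to this method rather than the inherited principal/credentials fields.
        Authorizable authrz = this.userManager.getAuthorizable(prncpl);
        if ((authrz == null) || (authrz.isGroup())) {
            return false;
        }
        Subject impersSubject = getImpersonatorSubject(c);
        User user = (User) authrz;
        if (user.getImpersonation().allows(impersSubject)) {
            return true;
        }
        throw new FailedLoginException("attempt to impersonate denied for " + prncpl.getName());
    }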

    @Override
    protected boolean isPreAuthenticated(Credentials creds) {
        return false;
    }
}
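
Added example, not part of the original answers or of the Sling code base: a Sling AuthenticationHandler that only extracts credentials from the request and leaves verification against the remote system to a LoginModule such as the one above. It assumes the org.apache.sling.auth.core.spi API and Felix SCR annotations; the path, auth type, cookie name, cookie format ("userId:token") and login URL are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.*;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

// Added example. Path, auth type, cookie name, cookie format and login URL
// are assumptions for illustration, not CQ5 defaults.
@Component(immediate = true)
@Service(AuthenticationHandler.class)
@Properties({
    @Property(name = AuthenticationHandler.PATH_PROPERTY, value = "/content"),
    @Property(name = AuthenticationHandler.TYPE_PROPERTY, value = RemoteTokenAuthHandler.AUTH_TYPE)
})
public class RemoteTokenAuthHandler implements AuthenticationHandler {
    static final String AUTH_TYPE = "REMOTE_TOKEN";                          // hypothetical
    private static final String COOKIE = "remote-sso";                       // hypothetical
    private static final String LOGIN_URL = "https://sso.example.com/login"; // placeholder
    private static final int MAX_LEN = 2048;                                 // bound on accepted input

    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null; // nothing to extract: let other handlers try
        for (Cookie c : cookies) {
            String v = c.getValue();
            if (!COOKIE.equals(c.getName()) || v == null || v.length() > MAX_LEN) continue;
            int sep = v.indexOf(':');
            if (sep < 1 || sep == v.length() - 1) return AuthenticationInfo.FAIL_AUTH; // malformed: fail closed
            // The token is unverified here; it travels as the password so the LoginModule checks it.
            return new AuthenticationInfo(AUTH_TYPE, v.substring(0, sep), v.substring(sep + 1).toCharArray());
        }
        return null;
    }

    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.sendRedirect(LOGIN_URL); // fixed target, never taken from the request
        return true;
    }

    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) {
        Cookie c = new Cookie(COOKIE, ""); // expire the cookie on logout
        c.setMaxAge(0);
        c.setPath("/");
        c.setSecure(true);
        res.addCookie(c);
    }
}
```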
