diff --git a/core/src/main/java/org/acegisecurity/providers/x509/populator/DaoX509AuthoritiesPopulator.java b/core/src/main/java/org/acegisecurity/providers/x509/populator/DaoX509AuthoritiesPopulator.java index 5dc82e3ac5..71d263f11d 100644 --- a/core/src/main/java/org/acegisecurity/providers/x509/populator/DaoX509AuthoritiesPopulator.java +++ b/core/src/main/java/org/acegisecurity/providers/x509/populator/DaoX509AuthoritiesPopulator.java @@ -17,16 +17,19 @@ package net.sf.acegisecurity.providers.x509.populator; import net.sf.acegisecurity.AuthenticationException; import net.sf.acegisecurity.UserDetails; +import net.sf.acegisecurity.BadCredentialsException; import net.sf.acegisecurity.providers.dao.AuthenticationDao; import net.sf.acegisecurity.providers.x509.X509AuthoritiesPopulator; import org.springframework.beans.factory.InitializingBean; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.oro.text.regex.*; import java.security.cert.X509Certificate; + /** * Populates the X509 authorities via an {@link net.sf.acegisecurity.providers.dao.AuthenticationDao}. * @@ -42,7 +45,8 @@ public class DaoX509AuthoritiesPopulator implements X509AuthoritiesPopulator, //~ Instance fields ======================================================== private AuthenticationDao authenticationDao; - private String userPattern; + private String subjectDNRegex = "CN=(.*?),"; + private Pattern subjectDNPattern; //~ Methods ================================================================ @@ -54,16 +58,56 @@ public class DaoX509AuthoritiesPopulator implements X509AuthoritiesPopulator, return authenticationDao; } + /** + * Sets the regular expression which will by used to extract the user name + * from the certificate's Subject DN. + *

+ * It should contain a single group; for example the default expression + * "CN=(.*?)," matches the common name field. So "CN=Jimi Hendrix, OU=..." + * will give a user name of "Jimi Hendrix". + *

+ *

+ * The matches are case insensitive. So "emailAddress=(.*?)," will match + * "EMAILADDRESS=jimi@hendrix.org, CN=..." giving a user name "jimi@hendrix.org" + *

+ * + * @param subjectDNRegex the regular expression to find in the subject + */ + public void setSubjectDNRegex(String subjectDNRegex) { + this.subjectDNRegex = subjectDNRegex; + } + public UserDetails getUserDetails(X509Certificate clientCert) throws AuthenticationException { - logger.debug("Populating authorities for " + clientCert.getSubjectDN().getName()); - return this.authenticationDao.loadUserByUsername("marissa"/*clientCert.getSubjectDN().getName()*/); + + String subjectDN = clientCert.getSubjectDN().getName(); + PatternMatcher matcher = new Perl5Matcher(); + + if(!matcher.contains(subjectDN , subjectDNPattern)) { + throw new BadCredentialsException("No matching pattern was found in subjectDN: " + subjectDN); + } + + MatchResult match = matcher.getMatch(); + if(match.groups() != 2) { // 2 = 1 + the entire match + throw new IllegalArgumentException("Regular expression must contain a single group "); + } + String userName = match.group(1); + + return this.authenticationDao.loadUserByUsername(userName); } public void afterPropertiesSet() throws Exception { if (this.authenticationDao == null) { - throw new IllegalArgumentException( - "An authenticationDao must be set"); + throw new IllegalArgumentException("An authenticationDao must be set"); + } + + Perl5Compiler compiler = new Perl5Compiler(); + + try { + subjectDNPattern = compiler.compile(subjectDNRegex, + Perl5Compiler.READ_ONLY_MASK | Perl5Compiler.CASE_INSENSITIVE_MASK); + } catch (MalformedPatternException mpe) { + throw new IllegalArgumentException("Malformed regular expression: " + subjectDNRegex); } } }