1 files changed, 137 insertions, 0 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/SubjectCreator.java b/java/broker/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
new file mode 100644
index 0000000000..8138745486
--- /dev/null
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/SubjectCreator.java
@@ -0,0 +1,137 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security;
+
+import java.security.Principal;
+
+import javax.security.auth.Subject;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+
+import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
+import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.AuthenticationResult.AuthenticationStatus;
+import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
+import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
+import org.apache.qpid.server.security.group.GroupPrincipalAccessor;
+
+/**
+ * Creates a {@link Subject} formed by the {@link Principal}'s returned from:
+ * <ol>
+ * <li>Authenticating using an {@link AuthenticationManager}</li>
+ * <li>A {@link GroupPrincipalAccessor}</li>
+ * </ol>
+ *
+ * <p>
+ * SubjectCreator is a facade to the {@link AuthenticationManager}, and is intended to be
+ * the single place that {@link Subject}'s are created in the broker.
+ * </p>
+ */
+public class SubjectCreator
+{
+    private AuthenticationManager _authenticationManager;
+    private GroupPrincipalAccessor _groupAccessor;
+
+    public SubjectCreator(AuthenticationManager authenticationManager, GroupPrincipalAccessor groupAccessor)
+    {
+        _authenticationManager = authenticationManager;
+        _groupAccessor = groupAccessor;
+    }
+
+   /**
+    * Gets the known SASL mechanisms
+    *
+    * @return SASL mechanism names, space separated.
+    */
+    public String getMechanisms()
+    {
+        return _authenticationManager.getMechanisms();
+    }
+
+    /**
+     * @see AuthenticationManager#createSaslServer(String, String, Principal)
+     */
+    public SaslServer createSaslServer(String mechanism, String localFQDN, Principal externalPrincipal) throws SaslException
+    {
+        return _authenticationManager.createSaslServer(mechanism, localFQDN, externalPrincipal);
+    }
+
+    /**
+     * Authenticates a user using SASL negotiation.
+     *
+     * @param server SASL server
+     * @param response SASL response to process
+     */
+    public SubjectAuthenticationResult authenticate(SaslServer server, byte[] response)
+    {
+        AuthenticationResult authenticationResult = _authenticationManager.authenticate(server, response);
+        if(server.isComplete())
+        {
+            String username = server.getAuthorizationID();
+
+            return createResultWithGroups(username, authenticationResult);
+        }
+        else
+        {
+            return new SubjectAuthenticationResult(authenticationResult);
+        }
+    }
+
+    /**
+     * Authenticates a user using their username and password.
+     */
+    public SubjectAuthenticationResult authenticate(String username, String password)
+    {
+        final AuthenticationResult authenticationResult = _authenticationManager.authenticate(username, password);
+
+        return createResultWithGroups(username, authenticationResult);
+    }
+
+    private SubjectAuthenticationResult createResultWithGroups(String username, final AuthenticationResult authenticationResult)
+    {
+        if(authenticationResult.getStatus() == AuthenticationStatus.SUCCESS)
+        {
+            final Subject authenticationSubject = new Subject();
+
+            authenticationSubject.getPrincipals().addAll(authenticationResult.getPrincipals());
+            authenticationSubject.getPrincipals().addAll(_groupAccessor.getGroupPrincipals(username));
+
+            authenticationSubject.setReadOnly();
+
+            return new SubjectAuthenticationResult(authenticationResult, authenticationSubject);
+        }
+        else
+        {
+            return new SubjectAuthenticationResult(authenticationResult);
+        }
+    }
+
+    public Subject createSubjectWithGroups(String username)
+    {
+        Subject authenticationSubject = new Subject();
+
+        authenticationSubject.getPrincipals().add(new AuthenticatedPrincipal(username));
+        authenticationSubject.getPrincipals().addAll(_groupAccessor.getGroupPrincipals(username));
+        authenticationSubject.setReadOnly();
+
+        return authenticationSubject;
+    }
+}