]> git.argeo.org Git - lgpl/argeo-commons.git/blob - CmsAuthUtils.java
projects / lgpl / argeo-commons.git / blob


928afc0d54960b102ac05b1b35388e00e0a1d6ad
[lgpl/argeo-commons.git] / CmsAuthUtils.java
1 package org.argeo.cms.auth;
2
3 import java.security.Principal;
4 import java.util.Locale;
5 import java.util.Set;
6 import java.util.UUID;
7
8 import javax.naming.InvalidNameException;
9 import javax.naming.ldap.LdapName;
10 import javax.security.auth.Subject;
11 import javax.security.auth.x500.X500Principal;
12
13 import org.argeo.api.cms.AnonymousPrincipal;
14 import org.argeo.api.cms.CmsConstants;
15 import org.argeo.api.cms.CmsSessionId;
16 import org.argeo.api.cms.DataAdminPrincipal;
17 import org.argeo.cms.internal.auth.CmsSessionImpl;
18 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
19 import org.argeo.cms.internal.http.WebCmsSessionImpl;
20 import org.argeo.cms.internal.runtime.CmsContextImpl;
21 import org.argeo.cms.security.NodeSecurityUtils;
22 import org.argeo.osgi.useradmin.AuthenticatingUser;
23 import org.osgi.service.http.HttpContext;
24 import org.osgi.service.useradmin.Authorization;
25
26 /** Centralises security related registrations. */
27 class CmsAuthUtils {
28 // Standard
29 final static String SHARED_STATE_NAME = AuthenticatingUser.SHARED_STATE_NAME;
30 final static String SHARED_STATE_PWD = AuthenticatingUser.SHARED_STATE_PWD;
31 final static String HEADER_AUTHORIZATION = "Authorization";
32 final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
33
34 // Argeo specific
35 final static String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request";
36 final static String SHARED_STATE_SPNEGO_TOKEN = "org.argeo.cms.auth.spnegoToken";
37 final static String SHARED_STATE_SPNEGO_OUT_TOKEN = "org.argeo.cms.auth.spnegoOutToken";
38 final static String SHARED_STATE_CERTIFICATE_CHAIN = "org.argeo.cms.auth.certificateChain";
39 final static String SHARED_STATE_REMOTE_ADDR = "org.argeo.cms.auth.remote.addr";
40 final static String SHARED_STATE_REMOTE_PORT = "org.argeo.cms.auth.remote.port";
41
42 final static String SINGLE_USER_LOCAL_ID = "single-user";
43
44 static void addAuthorization(Subject subject, Authorization authorization) {
45 assert subject != null;
46 checkSubjectEmpty(subject);
47 assert authorization != null;
48
49 // required for display name:
50 subject.getPrivateCredentials().add(authorization);
51
52 boolean singleUser = authorization instanceof SingleUserAuthorization;
53
54 Set<Principal> principals = subject.getPrincipals();
55 try {
56 String authName = authorization.getName();
57
58 // determine user's principal
59 final LdapName name;
60 final Principal userPrincipal;
61 if (authName == null) {
62 name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
63 userPrincipal = new AnonymousPrincipal();
64 principals.add(userPrincipal);
65 } else {
66 name = new LdapName(authName);
67 NodeSecurityUtils.checkUserName(name);
68 userPrincipal = new X500Principal(name.toString());
69 principals.add(userPrincipal);
70
71 if (singleUser) {
72 principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_ADMIN_NAME, userPrincipal));
73 principals.add(new DataAdminPrincipal());
74 }
75 }
76
77 // Add roles provided by authorization
78 for (String role : authorization.getRoles()) {
79 LdapName roleName = new LdapName(role);
80 if (roleName.equals(name)) {
81 // skip
82 } else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) {
83 // skip
84 } else {
85 NodeSecurityUtils.checkImpliedPrincipalName(roleName);
86 principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
87 if (roleName.equals(NodeSecurityUtils.ROLE_ADMIN_NAME))
88 principals.add(new DataAdminPrincipal());
89 }
90 }
91
92 } catch (InvalidNameException e) {
93 throw new IllegalArgumentException("Cannot commit", e);
94 }
95 }
96
97 private static void checkSubjectEmpty(Subject subject) {
98 if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
99 throw new IllegalStateException("Already logged in as anonymous: " + subject);
100 if (!subject.getPrincipals(X500Principal.class).isEmpty())
101 throw new IllegalStateException("Already logged in as user: " + subject);
102 if (!subject.getPrincipals(DataAdminPrincipal.class).isEmpty())
103 throw new IllegalStateException("Already logged in as data admin: " + subject);
104 if (!subject.getPrincipals(ImpliedByPrincipal.class).isEmpty())
105 throw new IllegalStateException("Already authorized: " + subject);
106 }
107
108 static void cleanUp(Subject subject) {
109 // Argeo
110 subject.getPrincipals().removeAll(subject.getPrincipals(X500Principal.class));
111 subject.getPrincipals().removeAll(subject.getPrincipals(ImpliedByPrincipal.class));
112 subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
113 subject.getPrincipals().removeAll(subject.getPrincipals(DataAdminPrincipal.class));
114
115 subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(CmsSessionId.class));
116 subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(Authorization.class));
117 // Jackrabbit
118 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
119 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
120 }
121
122 @SuppressWarnings("unused")
123 synchronized static void registerSessionAuthorization(RemoteAuthRequest request, Subject subject,
124 Authorization authorization, Locale locale) {
125 // synchronized in order to avoid multiple registrations
126 // TODO move it to a service in order to avoid static synchronization
127 if (request != null) {
128 RemoteAuthSession httpSession = request.getSession();
129 assert httpSession != null;
130 String httpSessId = httpSession.getId();
131 boolean anonymous = authorization.getName() == null;
132 String remoteUser = !anonymous ? authorization.getName() : CmsConstants.ROLE_ANONYMOUS;
133 request.setAttribute(HttpContext.REMOTE_USER, remoteUser);
134 request.setAttribute(HttpContext.AUTHORIZATION, authorization);
135
136 CmsSessionImpl cmsSession;
137 CmsSessionImpl currentLocalSession = CmsContextImpl.getCmsContext().getCmsSessionByLocalId(httpSessId);
138 if (currentLocalSession != null) {
139 boolean currentLocalSessionAnonymous = currentLocalSession.getAuthorization().getName() == null;
140 if (!anonymous) {
141 if (currentLocalSessionAnonymous) {
142 currentLocalSession.close();
143 // new CMS session
144 cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
145 CmsContextImpl.getCmsContext().registerCmsSession(cmsSession);
146 } else if (!authorization.getName().equals(currentLocalSession.getAuthorization().getName())) {
147 throw new IllegalStateException("Inconsistent user " + authorization.getName()
148 + " for existing CMS session " + currentLocalSession);
149 } else {
150 // keep current session
151 cmsSession = currentLocalSession;
152 // keyring
153 subject.getPrivateCredentials().addAll(cmsSession.getSecretKeys());
154 }
155 } else {// anonymous
156 if (!currentLocalSessionAnonymous) {
157 currentLocalSession.close();
158 throw new IllegalStateException(
159 "Existing CMS session " + currentLocalSession + " was not logged out properly.");
160 }
161 // keep current session
162 cmsSession = currentLocalSession;
163 }
164 } else {
165 // new CMS session
166 cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
167 CmsContextImpl.getCmsContext().registerCmsSession(cmsSession);
168 }
169
170 if (cmsSession == null)// should be dead code (cf. SuppressWarning of the method)
171 throw new IllegalStateException("CMS session cannot be null");
172
173 CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
174 if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0) {
175 subject.getPrivateCredentials().add(nodeSessionId);
176 } else {
177 UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid();
178 // if (storedSessionId.equals(httpSessionId.getValue()))
179 throw new IllegalStateException(
180 "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
181 }
182 } else {
183 CmsSessionImpl cmsSession = CmsContextImpl.getCmsContext().getCmsSessionByLocalId(SINGLE_USER_LOCAL_ID);
184 if (cmsSession == null) {
185 cmsSession = new CmsSessionImpl(subject, authorization, locale, SINGLE_USER_LOCAL_ID);
186 CmsContextImpl.getCmsContext().registerCmsSession(cmsSession);
187 }
188 CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
189 subject.getPrivateCredentials().add(nodeSessionId);
190 }
191 }
192
193 // public static CmsSessionImpl cmsSessionFromHttpSession(BundleContext bc, String httpSessionId) {
194 // Authorization authorization = null;
195 // Collection<ServiceReference<CmsSession>> sr;
196 // try {
197 // sr = bc.getServiceReferences(CmsSession.class,
198 // "(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessionId + ")");
199 // } catch (InvalidSyntaxException e) {
200 // throw new IllegalArgumentException("Cannot get CMS session for id " + httpSessionId, e);
201 // }
202 // CmsSessionImpl cmsSession;
203 // if (sr.size() == 1) {
204 // cmsSession = (CmsSessionImpl) bc.getService(sr.iterator().next());
205 //// locale = cmsSession.getLocale();
206 // authorization = cmsSession.getAuthorization();
207 // if (authorization.getName() == null)
208 // return null;// anonymous is not sufficient
209 // } else if (sr.size() == 0)
210 // return null;
211 // else
212 // throw new IllegalStateException(sr.size() + ">1 web sessions detected for http session " + httpSessionId);
213 // return cmsSession;
214 // }
215
216 public static <T extends Principal> T getSinglePrincipal(Subject subject, Class<T> clss) {
217 Set<T> principals = subject.getPrincipals(clss);
218 if (principals.isEmpty())
219 return null;
220 if (principals.size() > 1)
221 throw new IllegalStateException("Only one " + clss + " principal expected in " + subject);
222 return principals.iterator().next();
223 }
224
225 private CmsAuthUtils() {
226
227 }
228
229 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi