1 package org
.argeo
.cms
.auth
;
3 import java
.security
.Principal
;
4 import java
.util
.Locale
;
8 import javax
.naming
.InvalidNameException
;
9 import javax
.naming
.ldap
.LdapName
;
10 import javax
.security
.auth
.Subject
;
11 import javax
.security
.auth
.x500
.X500Principal
;
13 import org
.argeo
.api
.cms
.AnonymousPrincipal
;
14 import org
.argeo
.api
.cms
.CmsConstants
;
15 import org
.argeo
.api
.cms
.CmsSessionId
;
16 import org
.argeo
.api
.cms
.DataAdminPrincipal
;
17 import org
.argeo
.cms
.internal
.auth
.CmsSessionImpl
;
18 import org
.argeo
.cms
.internal
.auth
.ImpliedByPrincipal
;
19 import org
.argeo
.cms
.internal
.http
.WebCmsSessionImpl
;
20 import org
.argeo
.cms
.internal
.runtime
.CmsContextImpl
;
21 import org
.argeo
.cms
.security
.NodeSecurityUtils
;
22 import org
.argeo
.osgi
.useradmin
.AuthenticatingUser
;
23 import org
.osgi
.service
.http
.HttpContext
;
24 import org
.osgi
.service
.useradmin
.Authorization
;
26 /** Centralises security related registrations. */
29 final static String SHARED_STATE_NAME
= AuthenticatingUser
.SHARED_STATE_NAME
;
30 final static String SHARED_STATE_PWD
= AuthenticatingUser
.SHARED_STATE_PWD
;
31 final static String HEADER_AUTHORIZATION
= "Authorization";
32 final static String HEADER_WWW_AUTHENTICATE
= "WWW-Authenticate";
35 final static String SHARED_STATE_HTTP_REQUEST
= "org.argeo.cms.auth.http.request";
36 final static String SHARED_STATE_SPNEGO_TOKEN
= "org.argeo.cms.auth.spnegoToken";
37 final static String SHARED_STATE_SPNEGO_OUT_TOKEN
= "org.argeo.cms.auth.spnegoOutToken";
38 final static String SHARED_STATE_CERTIFICATE_CHAIN
= "org.argeo.cms.auth.certificateChain";
39 final static String SHARED_STATE_REMOTE_ADDR
= "org.argeo.cms.auth.remote.addr";
40 final static String SHARED_STATE_REMOTE_PORT
= "org.argeo.cms.auth.remote.port";
42 final static String SINGLE_USER_LOCAL_ID
= "single-user";
44 static void addAuthorization(Subject subject
, Authorization authorization
) {
45 assert subject
!= null;
46 checkSubjectEmpty(subject
);
47 assert authorization
!= null;
49 // required for display name:
50 subject
.getPrivateCredentials().add(authorization
);
52 boolean singleUser
= authorization
instanceof SingleUserAuthorization
;
54 Set
<Principal
> principals
= subject
.getPrincipals();
56 String authName
= authorization
.getName();
58 // determine user's principal
60 final Principal userPrincipal
;
61 if (authName
== null) {
62 name
= NodeSecurityUtils
.ROLE_ANONYMOUS_NAME
;
63 userPrincipal
= new AnonymousPrincipal();
64 principals
.add(userPrincipal
);
66 name
= new LdapName(authName
);
67 NodeSecurityUtils
.checkUserName(name
);
68 userPrincipal
= new X500Principal(name
.toString());
69 principals
.add(userPrincipal
);
72 principals
.add(new ImpliedByPrincipal(NodeSecurityUtils
.ROLE_ADMIN_NAME
, userPrincipal
));
73 principals
.add(new DataAdminPrincipal());
77 // Add roles provided by authorization
78 for (String role
: authorization
.getRoles()) {
79 LdapName roleName
= new LdapName(role
);
80 if (roleName
.equals(name
)) {
82 } else if (roleName
.equals(NodeSecurityUtils
.ROLE_ANONYMOUS_NAME
)) {
85 NodeSecurityUtils
.checkImpliedPrincipalName(roleName
);
86 principals
.add(new ImpliedByPrincipal(roleName
.toString(), userPrincipal
));
87 if (roleName
.equals(NodeSecurityUtils
.ROLE_ADMIN_NAME
))
88 principals
.add(new DataAdminPrincipal());
92 } catch (InvalidNameException e
) {
93 throw new IllegalArgumentException("Cannot commit", e
);
97 private static void checkSubjectEmpty(Subject subject
) {
98 if (!subject
.getPrincipals(AnonymousPrincipal
.class).isEmpty())
99 throw new IllegalStateException("Already logged in as anonymous: " + subject
);
100 if (!subject
.getPrincipals(X500Principal
.class).isEmpty())
101 throw new IllegalStateException("Already logged in as user: " + subject
);
102 if (!subject
.getPrincipals(DataAdminPrincipal
.class).isEmpty())
103 throw new IllegalStateException("Already logged in as data admin: " + subject
);
104 if (!subject
.getPrincipals(ImpliedByPrincipal
.class).isEmpty())
105 throw new IllegalStateException("Already authorized: " + subject
);
108 static void cleanUp(Subject subject
) {
110 subject
.getPrincipals().removeAll(subject
.getPrincipals(X500Principal
.class));
111 subject
.getPrincipals().removeAll(subject
.getPrincipals(ImpliedByPrincipal
.class));
112 subject
.getPrincipals().removeAll(subject
.getPrincipals(AnonymousPrincipal
.class));
113 subject
.getPrincipals().removeAll(subject
.getPrincipals(DataAdminPrincipal
.class));
115 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(CmsSessionId
.class));
116 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(Authorization
.class));
118 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
119 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
122 @SuppressWarnings("unused")
123 synchronized static void registerSessionAuthorization(RemoteAuthRequest request
, Subject subject
,
124 Authorization authorization
, Locale locale
) {
125 // synchronized in order to avoid multiple registrations
126 // TODO move it to a service in order to avoid static synchronization
127 if (request
!= null) {
128 RemoteAuthSession httpSession
= request
.getSession();
129 assert httpSession
!= null;
130 String httpSessId
= httpSession
.getId();
131 boolean anonymous
= authorization
.getName() == null;
132 String remoteUser
= !anonymous ? authorization
.getName() : CmsConstants
.ROLE_ANONYMOUS
;
133 request
.setAttribute(HttpContext
.REMOTE_USER
, remoteUser
);
134 request
.setAttribute(HttpContext
.AUTHORIZATION
, authorization
);
136 CmsSessionImpl cmsSession
;
137 CmsSessionImpl currentLocalSession
= CmsContextImpl
.getCmsContext().getCmsSessionByLocalId(httpSessId
);
138 if (currentLocalSession
!= null) {
139 boolean currentLocalSessionAnonymous
= currentLocalSession
.getAuthorization().getName() == null;
141 if (currentLocalSessionAnonymous
) {
142 currentLocalSession
.close();
144 cmsSession
= new WebCmsSessionImpl(subject
, authorization
, locale
, request
);
145 CmsContextImpl
.getCmsContext().registerCmsSession(cmsSession
);
146 } else if (!authorization
.getName().equals(currentLocalSession
.getAuthorization().getName())) {
147 throw new IllegalStateException("Inconsistent user " + authorization
.getName()
148 + " for existing CMS session " + currentLocalSession
);
150 // keep current session
151 cmsSession
= currentLocalSession
;
153 subject
.getPrivateCredentials().addAll(cmsSession
.getSecretKeys());
156 if (!currentLocalSessionAnonymous
) {
157 currentLocalSession
.close();
158 throw new IllegalStateException(
159 "Existing CMS session " + currentLocalSession
+ " was not logged out properly.");
161 // keep current session
162 cmsSession
= currentLocalSession
;
166 cmsSession
= new WebCmsSessionImpl(subject
, authorization
, locale
, request
);
167 CmsContextImpl
.getCmsContext().registerCmsSession(cmsSession
);
170 if (cmsSession
== null)// should be dead code (cf. SuppressWarning of the method)
171 throw new IllegalStateException("CMS session cannot be null");
173 CmsSessionId nodeSessionId
= new CmsSessionId(cmsSession
.getUuid());
174 if (subject
.getPrivateCredentials(CmsSessionId
.class).size() == 0) {
175 subject
.getPrivateCredentials().add(nodeSessionId
);
177 UUID storedSessionId
= subject
.getPrivateCredentials(CmsSessionId
.class).iterator().next().getUuid();
178 // if (storedSessionId.equals(httpSessionId.getValue()))
179 throw new IllegalStateException(
180 "Subject already logged with session " + storedSessionId
+ " (not " + nodeSessionId
+ ")");
183 CmsSessionImpl cmsSession
= CmsContextImpl
.getCmsContext().getCmsSessionByLocalId(SINGLE_USER_LOCAL_ID
);
184 if (cmsSession
== null) {
185 cmsSession
= new CmsSessionImpl(subject
, authorization
, locale
, SINGLE_USER_LOCAL_ID
);
186 CmsContextImpl
.getCmsContext().registerCmsSession(cmsSession
);
188 CmsSessionId nodeSessionId
= new CmsSessionId(cmsSession
.getUuid());
189 subject
.getPrivateCredentials().add(nodeSessionId
);
193 // public static CmsSessionImpl cmsSessionFromHttpSession(BundleContext bc, String httpSessionId) {
194 // Authorization authorization = null;
195 // Collection<ServiceReference<CmsSession>> sr;
197 // sr = bc.getServiceReferences(CmsSession.class,
198 // "(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessionId + ")");
199 // } catch (InvalidSyntaxException e) {
200 // throw new IllegalArgumentException("Cannot get CMS session for id " + httpSessionId, e);
202 // CmsSessionImpl cmsSession;
203 // if (sr.size() == 1) {
204 // cmsSession = (CmsSessionImpl) bc.getService(sr.iterator().next());
205 //// locale = cmsSession.getLocale();
206 // authorization = cmsSession.getAuthorization();
207 // if (authorization.getName() == null)
208 // return null;// anonymous is not sufficient
209 // } else if (sr.size() == 0)
212 // throw new IllegalStateException(sr.size() + ">1 web sessions detected for http session " + httpSessionId);
213 // return cmsSession;
216 public static <T
extends Principal
> T
getSinglePrincipal(Subject subject
, Class
<T
> clss
) {
217 Set
<T
> principals
= subject
.getPrincipals(clss
);
218 if (principals
.isEmpty())
220 if (principals
.size() > 1)
221 throw new IllegalStateException("Only one " + clss
+ " principal expected in " + subject
);
222 return principals
.iterator().next();
225 private CmsAuthUtils() {