1 package org.argeo.cms.auth;
2
import java.security.PrivilegedAction;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.argeo.cms.CmsException;
import org.argeo.naming.LdapAttrs;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.UserAdmin;
21
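/**
 * JAAS {@link LoginModule} which maps the {@link KerberosPrincipal} already
 * present in the {@link Subject} to an IPA user entry and attaches the
 * corresponding {@link Authorization} to the subject.
 *
 * <p>
 * This module performs no authentication of its own: {@link #login()} always
 * succeeds, and the Kerberos principal it relies on is expected to have been
 * put into the subject by an earlier module in the JAAS chain. It must
 * therefore never be the only module of a login configuration.
 */
public class IpaLoginModule implements LoginModule {
	/** Context of this bundle, used to look up the {@link UserAdmin} service. */
	private BundleContext bc;
	/** Subject being authenticated; set in {@link #initialize}. */
	private Subject subject;

	/**
	 * Stores the subject and resolves this bundle's {@link BundleContext}.
	 *
	 * @throws CmsException if the bundle context cannot be resolved (for
	 *                      instance because this class was not loaded by OSGi
	 *                      or the bundle is not active).
	 */
	@Override
	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
			Map<String, ?> options) {
		this.subject = subject;
		try {
			bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
		} catch (Exception e) {
			throw new CmsException("Cannot initialize login module", e);
		}
		// Explicit check rather than 'assert': assertions are disabled unless the
		// JVM runs with -ea, and a null context would only surface later as an NPE
		// in commit().
		if (bc == null)
			throw new CmsException("Cannot initialize login module: no bundle context available");
	}

	/**
	 * Always succeeds; the actual credential verification is delegated to the
	 * preceding (Kerberos) login module of the chain.
	 *
	 * @return {@code true}
	 */
	@Override
	public boolean login() throws LoginException {
		return true;
	}

	/**
	 * Looks up the {@link UserAdmin} service and attaches an
	 * {@link Authorization} to the subject. If the subject carries a
	 * {@link KerberosPrincipal}, that principal is mapped to an IPA DN and the
	 * authorization is retrieved as that user (within {@link Subject#doAs});
	 * otherwise the anonymous authorization ({@code getAuthorization(null)}) is
	 * used.
	 *
	 * @return {@code false} if no authorization could be obtained, {@code true}
	 *         otherwise
	 * @throws LoginException if no {@link UserAdmin} service is available
	 */
	@Override
	public boolean commit() throws LoginException {
		ServiceReference<UserAdmin> userAdminRef = bc.getServiceReference(UserAdmin.class);
		if (userAdminRef == null)
			throw new LoginException("No " + UserAdmin.class.getName() + " service is registered");
		UserAdmin userAdmin = bc.getService(userAdminRef);
		if (userAdmin == null)
			throw new LoginException("The " + UserAdmin.class.getName() + " service is no longer available");
		try {
			Authorization authorization;
			Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
			if (kerberosPrincipals.isEmpty()) {
				// no Kerberos identity: fall back to the anonymous authorization
				authorization = userAdmin.getAuthorization(null);
			} else {
				// only the first Kerberos principal is considered, as in the original
				KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
				LdapName dn = kerberosToIpa(kerberosPrincipal);
				AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
				// run as the subject so that the Kerberos credentials it holds are
				// visible to the user admin implementation
				authorization = Subject.doAs(subject,
						(PrivilegedAction<Authorization>) () -> userAdmin.getAuthorization(authenticatingUser));
			}
			if (authorization == null)
				return false;
			CmsAuthUtils.addAuthentication(subject, authorization);
			return true;
		} finally {
			// release the service usage acquired above (the original never did)
			bc.ungetService(userAdminRef);
		}
	}

	/**
	 * Maps a Kerberos principal {@code user@REALM} to the DN of the matching IPA
	 * user entry: {@code uid=user,cn=users,cn=accounts,dc=...} where the
	 * {@code dc} components are the lower-cased labels of the realm.
	 *
	 * <p>
	 * Both the user name and the realm labels are RDN-escaped, so that a
	 * principal containing LDAP-special characters ({@code ,}, {@code +},
	 * {@code =}, ...) cannot alter the structure of the resulting DN.
	 *
	 * @param kerberosPrincipal the principal to map; its name must contain a
	 *                          realm
	 * @return the DN of the IPA user entry
	 * @throws CmsException if the principal has no realm or the resulting name
	 *                      is not a valid LDAP name
	 */
	private LdapName kerberosToIpa(KerberosPrincipal kerberosPrincipal) {
		String name = kerberosPrincipal.getName();
		// the realm always follows the last '@'; the original split on the first
		// one and would have failed with an ArrayIndexOutOfBoundsException when
		// no realm was present
		int at = name.lastIndexOf('@');
		if (at <= 0 || at == name.length() - 1)
			throw new CmsException("Kerberos principal " + name + " has no realm");
		String username = name.substring(0, at);
		String realm = name.substring(at + 1);

		StringBuilder dn = new StringBuilder();
		dn.append(LdapAttrs.uid).append('=').append(Rdn.escapeValue(username));
		dn.append(",cn=users,cn=accounts");
		for (String dc : realm.split("\\.")) {
			// Locale.ROOT: realm labels are ASCII domain labels, never locale-sensitive
			dn.append(',').append(LdapAttrs.dc.name()).append('=')
					.append(Rdn.escapeValue(dc.toLowerCase(Locale.ROOT)));
		}
		try {
			return new LdapName(dn.toString());
		} catch (InvalidNameException e) {
			throw new CmsException("Badly formatted name for " + kerberosPrincipal + ": " + dn, e);
		}
	}

	/**
	 * Not implemented: nothing is added to the subject before {@link #commit()},
	 * so there is nothing to undo here.
	 *
	 * @return {@code false}, i.e. this module is ignored for the abort phase
	 */
	@Override
	public boolean abort() throws LoginException {
		return false;
	}

	/**
	 * Not implemented. The authentication attached in {@link #commit()} is not
	 * removed here; callers must not rely on this module to clear the subject.
	 *
	 * @return {@code false}, i.e. this module is ignored for the logout phase
	 */
	@Override
	public boolean logout() throws LoginException {
		return false;
	}

}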