1 package org.argeo.cms.auth;
2
import java.security.PrivilegedAction;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;

import org.argeo.cms.CmsException;
import org.argeo.naming.LdapAttrs;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.UserAdmin;
22
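/**
 * JAAS {@link LoginModule} that maps a Kerberos principal already carried by
 * the {@link Subject} to an IPA-style LDAP user entry and obtains the matching
 * {@link Authorization} from the OSGi {@link UserAdmin} service.
 *
 * <p>
 * This module checks no credentials of its own: {@link #login()} always
 * succeeds and {@link #commit()} only inspects the {@link KerberosPrincipal}s
 * already present in the subject (presumably placed there by a preceding
 * Kerberos login module in the JAAS configuration — confirm against the
 * deployment's JAAS config). A subject without any Kerberos principal is
 * treated as anonymous, but only when no {@link CallbackHandler} was supplied.
 */
public class IpaLoginModule implements LoginModule {
	private BundleContext bc;
	private Subject subject;
	private Map<String, Object> sharedState = null;
	private CallbackHandler callbackHandler;

	/**
	 * Stores the JAAS collaborators and looks up the bundle context of this
	 * class.
	 *
	 * @throws CmsException if the bundle context cannot be obtained
	 */
	@Override
	// JAAS hands over Map<String, ?>; the field is typed Map<String, Object> and
	// is only read (see commit()), so the unchecked cast cannot corrupt it.
	@SuppressWarnings("unchecked")
	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
			Map<String, ?> options) {
		this.subject = subject;
		this.sharedState = (Map<String, Object>) sharedState;
		this.callbackHandler = callbackHandler;
		try {
			bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
			assert bc != null;
		} catch (Exception e) {
			throw new CmsException("Cannot initialize login module", e);
		}
	}

	/**
	 * Always succeeds: authentication is not performed here but derived in
	 * {@link #commit()} from the Kerberos principals the subject already holds.
	 *
	 * @return {@code true}
	 */
	@Override
	public boolean login() throws LoginException {
		return true;
	}

	/**
	 * Resolves the subject's authorization from the {@link UserAdmin} service and
	 * registers it on the subject (and on the HTTP session when the shared state
	 * carries the servlet request under
	 * {@link CmsAuthUtils#SHARED_STATE_HTTP_REQUEST}).
	 *
	 * @return {@code false} if no authorization could be resolved, {@code true}
	 *         otherwise
	 * @throws LoginException if the {@link UserAdmin} service is unavailable, or
	 *                        if the subject carries no Kerberos principal while a
	 *                        callback handler was supplied (anonymous login is
	 *                        then refused)
	 */
	@Override
	public boolean commit() throws LoginException {
		// The service reference and the service itself may both be absent in OSGi;
		// surface that as a login failure instead of a NullPointerException.
		ServiceReference<UserAdmin> userAdminRef = bc.getServiceReference(UserAdmin.class);
		UserAdmin userAdmin = userAdminRef != null ? bc.getService(userAdminRef) : null;
		if (userAdmin == null)
			throw new LoginException("UserAdmin service is not available");
		try {
			Authorization authorization;
			Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
			if (kerberosPrincipals.isEmpty()) {
				// No Kerberos identity: only an explicitly anonymous login is acceptable.
				if (callbackHandler != null)
					throw new LoginException("Cannot be anonymous if callback handler is set");
				authorization = userAdmin.getAuthorization(null);
			} else {
				// NOTE(review): only the first principal is used; with several Kerberos
				// principals the choice depends on set iteration order — confirm intent.
				KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
				LdapName dn = kerberosToIpa(kerberosPrincipal);
				AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
				// Run the lookup as the subject so that whatever credentials it carries are
				// visible to the UserAdmin backend (presumably required by it — confirm).
				authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
					@Override
					public Authorization run() {
						return userAdmin.getAuthorization(authenticatingUser);
					}
				});
			}
			if (authorization == null)
				return false;
			CmsAuthUtils.addAuthentication(subject, authorization);
			HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
			if (request != null) {
				CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
			}
			return true;
		} finally {
			// Balance getService(): the framework counts service usage per bundle.
			bc.ungetService(userAdminRef);
		}
	}

	/**
	 * Derives the IPA LDAP name of a Kerberos principal: {@code user@REALM.EXAMPLE}
	 * becomes {@code uid=user,cn=users,cn=accounts,dc=realm,dc=example}.
	 *
	 * <p>
	 * Each attribute value is RDN-escaped so that characters with a DN meaning in
	 * the principal name (',', '=', '+', ...) cannot change the structure of the
	 * resulting name.
	 *
	 * @param kerberosPrincipal the authenticated Kerberos principal
	 * @return the corresponding LDAP name
	 * @throws CmsException if the principal has no realm part, or if the built
	 *                      string is not a valid LDAP name
	 */
	private LdapName kerberosToIpa(KerberosPrincipal kerberosPrincipal) {
		String name = kerberosPrincipal.getName();
		// The realm follows the last '@'; an earlier '@' may be an escaped part of
		// the user name, which String.split("@") would misinterpret.
		int at = name.lastIndexOf('@');
		if (at < 0)
			throw new CmsException("No realm in Kerberos principal " + kerberosPrincipal);
		String username = name.substring(0, at);
		String realm = name.substring(at + 1);
		StringBuilder sb = new StringBuilder();
		for (String dc : realm.split("\\.")) {
			// Locale-independent lowercasing: realm components are DNS labels, and the
			// default locale could otherwise alter letters such as 'I'.
			sb.append(',').append(LdapAttrs.dc.name()).append('=').append(Rdn.escapeValue(dc.toLowerCase(Locale.ROOT)));
		}
		String dn = LdapAttrs.uid + "=" + Rdn.escapeValue(username) + ",cn=users,cn=accounts" + sb;
		try {
			return new LdapName(dn);
		} catch (InvalidNameException e) {
			throw new CmsException("Badly formatted name for " + kerberosPrincipal + ": " + dn, e);
		}
	}

	/**
	 * Not implemented: nothing established by {@link #commit()} is rolled back and
	 * {@code false} is returned, which tells JAAS to ignore this module.
	 * NOTE(review): the JAAS contract expects partial state to be cleared here —
	 * confirm whether anything registered through CmsAuthUtils needs undoing.
	 */
	@Override
	public boolean abort() throws LoginException {
		return false;
	}

	/**
	 * Delegates to {@link CmsAuthUtils#logoutSession(BundleContext, Subject)}.
	 *
	 * @return whatever the session logout reports
	 */
	@Override
	public boolean logout() throws LoginException {
		return CmsAuthUtils.logoutSession(bc, subject);
	}

}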