1 package org
.argeo
.cms
.auth
;
import java.security.PrivilegedAction;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;

import org.argeo.cms.CmsException;
import org.argeo.naming.LdapAttrs;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.UserAdmin;
23 public class IpaLoginModule
implements LoginModule
{
/** Bundle context of the bundle that loaded this class; set in initialize(), used by commit() and logout() to reach the UserAdmin service and the session helpers. */
private BundleContext bc;
/** JAAS subject under authentication; commit() reads KerberosPrincipals from it and adds the resulting authorization to it. */
private Subject subject;
/** JAAS shared state; commit() reads CmsAuthUtils.SHARED_STATE_HTTP_REQUEST from it (stored as Map&lt;String, Object&gt; via an unchecked cast in initialize()). */
private Map<String, Object> sharedState = null;
/** Callback handler supplied by JAAS; when it is non-null, commit() refuses to fall back to an anonymous authorization. */
private CallbackHandler callbackHandler;
/**
 * Stores the JAAS arguments and resolves the {@link BundleContext} of the bundle that loaded
 * this class. The {@code options} map is not used by the visible code.
 *
 * @param subject         the subject being authenticated
 * @param callbackHandler the JAAS callback handler (may be null; see commit())
 * @param sharedState     JAAS shared state, kept as a writable map (unchecked cast)
 * @param options         login-configuration options; unused here
 * @throws CmsException if the bundle context cannot be obtained (any exception from the
 *                      framework lookup is wrapped, including a missing bundle)
 */
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
		Map<String, ?> options) {
	this.subject = subject;
	// Unchecked: JAAS declares the shared state as Map<String, ?>.
	this.sharedState = (Map<String, Object>) sharedState;
	this.callbackHandler = callbackHandler;
	// [listing gap: the opening of the try block guarding the lookup below is not visible here]
	bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
} catch (Exception e) {
	// Broad catch: FrameworkUtil.getBundle may return null outside OSGi, which surfaces here as an NPE.
	throw new CmsException("Cannot initialize login module", e);
/**
 * First JAAS phase. The method body is not visible in this listing, so what it verifies and
 * returns cannot be stated here; note that the Kerberos principal commit() relies on is read
 * from the subject, not established by any visible code of this class.
 */
public boolean login() throws LoginException {
/**
 * Resolves an OSGi {@link Authorization} for the subject and attaches it to the subject (and,
 * when the shared state carries an {@link HttpServletRequest}, to the HTTP session).
 * <p>
 * Two paths are visible: without a {@link KerberosPrincipal} in the subject an anonymous
 * authorization is requested ({@code getAuthorization(null)}, OSGi's convention for the
 * anonymous user) — but only when no callback handler was supplied, so an interactive login
 * that produced no principal fails instead of being downgraded to anonymous. With a principal,
 * it is mapped to the IPA user DN and the authorization is looked up for that user inside
 * {@code Subject.doAs}.
 *
 * @return not visible in this listing (the method's final statements were dropped by the
 *         extraction)
 * @throws LoginException if a callback handler is set but no Kerberos principal is present
 */
public boolean commit() throws LoginException {
	// NOTE(review): bc.getService(...) returns null when no UserAdmin is registered; nothing
	// visible guards against that before userAdmin.getAuthorization(...) — confirm availability.
	UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
	Authorization authorization = null;
	Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
	if (kerberosPrincipals.isEmpty()) {
		// A callback handler means credentials were expected: no principal is then a failure,
		// not an anonymous session.
		if (callbackHandler != null)
			throw new LoginException("Cannot be anonymous if callback handler is set");
		authorization = userAdmin.getAuthorization(null);
	// [listing gap: the branch separator between the anonymous and the Kerberos path is not visible here]
	// NOTE(review): only the first principal is used; with several the choice depends on set
	// iteration order — confirm a subject never carries more than one KerberosPrincipal.
	KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
	LdapName dn = kerberosToIpa(kerberosPrincipal);
	AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
	// The lookup runs as the subject, presumably so the UserAdmin sees the caller's identity.
	authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
		// [listing gap]
		public Authorization run() {
			Authorization authorization = userAdmin.getAuthorization(authenticatingUser);
			// [listing gap: the rest of run(), the end of doAs and of the branch are not visible here]
	if (authorization == null)
		// [listing gap: the statement taken when no authorization was obtained is not visible here]
	CmsAuthUtils.addAuthentication(subject, authorization);
	HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
	if (request != null) {
		// NOTE(review): presumably binds the authorization to the servlet session — see CmsAuthUtils.
		CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
	// [listing gap: the end of the method is not visible here]
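/**
 * Maps a Kerberos principal ({@code user@REALM}) to the DN of the matching IPA user account:
 * {@code uid=<user>,cn=users,cn=accounts,dc=<realm part>,...}.
 * <p>
 * Each realm component is lower-cased locale-independently, and both the user name and the
 * realm components are RDN-escaped so that characters such as {@code ','} or {@code '='} in a
 * principal name cannot introduce extra RDNs into the DN.
 *
 * @param kerberosPrincipal the authenticated principal
 * @return the IPA user DN
 * @throws CmsException if the principal has no realm part or the resulting DN is not a
 *                      valid LDAP name
 */
private LdapName kerberosToIpa(KerberosPrincipal kerberosPrincipal) {
	String[] kname = kerberosPrincipal.getName().split("@");
	// Without a realm, kname[1] would fail with an ArrayIndexOutOfBoundsException; fail explicitly.
	if (kname.length < 2) {
		throw new CmsException("Badly formatted Kerberos principal " + kerberosPrincipal);
	}
	String username = kname[0];
	String[] dcs = kname[1].split("\\.");
	StringBuilder sb = new StringBuilder();
	for (String dc : dcs) {
		// Locale.ROOT: avoid locale-specific case mapping (e.g. dotless i) in DN components.
		sb.append(',').append(LdapAttrs.dc.name()).append('=').append(Rdn.escapeValue(dc.toLowerCase(Locale.ROOT)));
	}
	String dn = LdapAttrs.uid + "=" + Rdn.escapeValue(username) + ",cn=users,cn=accounts" + sb;
	try {
		return new LdapName(dn);
	} catch (InvalidNameException e) {
		// Keep the cause so the offending component is diagnosable.
		throw new CmsException("Badly formatted name for " + kerberosPrincipal + ": " + dn, e);
	}
}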
/**
 * Called by JAAS when the overall login fails after login() succeeded. Only a generated stub
 * is visible here (its return statement was dropped by the extraction); nothing visible clears
 * the fields set in initialize() or any state added in commit().
 */
public boolean abort() throws LoginException {
	// TODO Auto-generated method stub
/**
 * Ends the session associated with this subject by delegating to
 * {@code CmsAuthUtils.logoutSession}.
 *
 * @return the result reported by {@code CmsAuthUtils.logoutSession}
 * @throws LoginException declared by {@link LoginModule#logout()}; not thrown by this code
 */
@Override
public boolean logout() throws LoginException {
	final boolean sessionCleared = CmsAuthUtils.logoutSession(bc, subject);
	return sessionCleared;
}