1 package org
.argeo
.cms
.auth
;
3 import java
.security
.Principal
;
4 import java
.util
.Locale
;
8 import javax
.naming
.InvalidNameException
;
9 import javax
.naming
.ldap
.LdapName
;
10 import javax
.security
.auth
.Subject
;
11 import javax
.security
.auth
.x500
.X500Principal
;
12 import javax
.servlet
.http
.HttpServletRequest
;
13 import javax
.servlet
.http
.HttpSession
;
15 //import org.apache.jackrabbit.core.security.AnonymousPrincipal;
16 //import org.apache.jackrabbit.core.security.SecurityConstants;
17 //import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
18 import org
.argeo
.cms
.CmsException
;
19 import org
.argeo
.cms
.internal
.auth
.CmsSessionImpl
;
20 import org
.argeo
.cms
.internal
.auth
.ImpliedByPrincipal
;
21 import org
.argeo
.cms
.internal
.http
.WebCmsSessionImpl
;
22 import org
.argeo
.node
.NodeConstants
;
23 import org
.argeo
.node
.security
.AnonymousPrincipal
;
24 import org
.argeo
.node
.security
.DataAdminPrincipal
;
25 import org
.argeo
.node
.security
.NodeSecurityUtils
;
26 import org
.osgi
.service
.http
.HttpContext
;
27 import org
.osgi
.service
.useradmin
.Authorization
;
30 /** Shared HTTP request */
31 final static String SHARED_STATE_HTTP_REQUEST
= "org.argeo.cms.auth.http.request";
32 /** From org.osgi.service.http.HttpContext */
33 // final static String SHARED_STATE_AUTHORIZATION =
34 // "org.osgi.service.useradmin.authorization";
35 /** From com.sun.security.auth.module.*LoginModule */
36 final static String SHARED_STATE_NAME
= "javax.security.auth.login.name";
37 /** From com.sun.security.auth.module.*LoginModule */
38 final static String SHARED_STATE_PWD
= "javax.security.auth.login.password";
40 final static String SHARED_STATE_SPNEGO_TOKEN
= "org.argeo.cms.auth.spnegoToken";
41 final static String SHARED_STATE_SPNEGO_OUT_TOKEN
= "org.argeo.cms.auth.spnegoOutToken";
43 final static String HEADER_AUTHORIZATION
= "Authorization";
44 final static String HEADER_WWW_AUTHENTICATE
= "WWW-Authenticate";
46 static void addAuthorization(Subject subject
, Authorization authorization
, Locale locale
,
47 HttpServletRequest request
) {
48 assert subject
!= null;
49 checkSubjectEmpty(subject
);
50 assert authorization
!= null;
52 // required for display name:
53 subject
.getPrivateCredentials().add(authorization
);
55 Set
<Principal
> principals
= subject
.getPrincipals();
57 String authName
= authorization
.getName();
59 // determine user's principal
61 final Principal userPrincipal
;
62 if (authName
== null) {
63 name
= NodeSecurityUtils
.ROLE_ANONYMOUS_NAME
;
64 userPrincipal
= new AnonymousPrincipal();
65 principals
.add(userPrincipal
);
66 // principals.add(new AnonymousPrincipal());
68 name
= new LdapName(authName
);
69 NodeSecurityUtils
.checkUserName(name
);
70 userPrincipal
= new X500Principal(name
.toString());
71 principals
.add(userPrincipal
);
72 principals
.add(new ImpliedByPrincipal(NodeSecurityUtils
.ROLE_USER_NAME
, userPrincipal
));
75 // Add roles provided by authorization
76 for (String role
: authorization
.getRoles()) {
77 LdapName roleName
= new LdapName(role
);
78 if (roleName
.equals(name
)) {
81 NodeSecurityUtils
.checkImpliedPrincipalName(roleName
);
82 principals
.add(new ImpliedByPrincipal(roleName
.toString(), userPrincipal
));
83 if (roleName
.equals(NodeSecurityUtils
.ROLE_ADMIN_NAME
))
84 principals
.add(new DataAdminPrincipal());
88 } catch (InvalidNameException e
) {
89 throw new CmsException("Cannot commit", e
);
92 registerSessionAuthorization(request
, subject
, authorization
, locale
);
95 private static void checkSubjectEmpty(Subject subject
) {
96 if (!subject
.getPrincipals(AnonymousPrincipal
.class).isEmpty())
97 throw new IllegalStateException("Already logged in as anonymous: " + subject
);
98 if (!subject
.getPrincipals(X500Principal
.class).isEmpty())
99 throw new IllegalStateException("Already logged in as user: " + subject
);
100 if (!subject
.getPrincipals(DataAdminPrincipal
.class).isEmpty())
101 throw new IllegalStateException("Already logged in as data admin: " + subject
);
102 if (!subject
.getPrincipals(ImpliedByPrincipal
.class).isEmpty())
103 throw new IllegalStateException("Already authorized: " + subject
);
106 static void cleanUp(Subject subject
) {
108 subject
.getPrincipals().removeAll(subject
.getPrincipals(X500Principal
.class));
109 subject
.getPrincipals().removeAll(subject
.getPrincipals(ImpliedByPrincipal
.class));
110 subject
.getPrincipals().removeAll(subject
.getPrincipals(AnonymousPrincipal
.class));
111 subject
.getPrincipals().removeAll(subject
.getPrincipals(DataAdminPrincipal
.class));
113 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(CmsSessionId
.class));
114 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(Authorization
.class));
116 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
117 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
120 private synchronized static void registerSessionAuthorization(HttpServletRequest request
, Subject subject
,
121 Authorization authorization
, Locale locale
) {
122 // synchronized in order to avoid multiple registrations
123 // TODO move it to a service in order to avoid static synchronization
124 if (request
!= null) {
125 HttpSession httpSession
= request
.getSession(false);
126 assert httpSession
!= null;
127 String httpSessId
= httpSession
.getId();
128 String remoteUser
= authorization
.getName() != null ? authorization
.getName()
129 : NodeConstants
.ROLE_ANONYMOUS
;
130 request
.setAttribute(HttpContext
.REMOTE_USER
, remoteUser
);
131 request
.setAttribute(HttpContext
.AUTHORIZATION
, authorization
);
133 CmsSessionImpl cmsSession
= CmsSessionImpl
.getByLocalId(httpSessId
);
134 if (cmsSession
!= null) {
135 if (authorization
.getName() != null) {
136 if (cmsSession
.getAuthorization().getName() == null) {
139 } else if (!authorization
.getName().equals(cmsSession
.getAuthorization().getName())) {
140 throw new CmsException("Inconsistent user " + authorization
.getName()
141 + " for existing CMS session " + cmsSession
);
144 if (cmsSession
.getAuthorization().getName() != null) {
146 // TODO rather throw an exception ? log a warning ?
152 if (cmsSession
== null)
153 cmsSession
= new WebCmsSessionImpl(subject
, authorization
, locale
, request
);
154 // request.setAttribute(CmsSession.class.getName(), cmsSession);
155 CmsSessionId nodeSessionId
= new CmsSessionId(cmsSession
.getUuid());
156 if (subject
.getPrivateCredentials(CmsSessionId
.class).size() == 0)
157 subject
.getPrivateCredentials().add(nodeSessionId
);
159 UUID storedSessionId
= subject
.getPrivateCredentials(CmsSessionId
.class).iterator().next().getUuid();
160 // if (storedSessionId.equals(httpSessionId.getValue()))
161 throw new CmsException(
162 "Subject already logged with session " + storedSessionId
+ " (not " + nodeSessionId
+ ")");
169 public static <T
extends Principal
> T
getSinglePrincipal(Subject subject
, Class
<T
> clss
) {
170 Set
<T
> principals
= subject
.getPrincipals(clss
);
171 if (principals
.isEmpty())
173 if (principals
.size() > 1)
174 throw new IllegalStateException("Only one " + clss
+ " principal expected in " + subject
);
175 return principals
.iterator().next();
178 private CmsAuthUtils() {