]> git.argeo.org Git - lgpl/argeo-commons.git/blob - org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
projects / lgpl / argeo-commons.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix automated Kerberos config
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / CmsAuthUtils.java
1 package org.argeo.cms.auth;
2
3 import java.security.Principal;
4 import java.util.Collection;
5 import java.util.Set;
6 import java.util.UUID;
7
8 import javax.naming.InvalidNameException;
9 import javax.naming.ldap.LdapName;
10 import javax.security.auth.Subject;
11 import javax.security.auth.x500.X500Principal;
12 import javax.servlet.http.HttpServletRequest;
13 import javax.servlet.http.HttpSession;
14
15 import org.apache.commons.logging.Log;
16 import org.apache.commons.logging.LogFactory;
17 //import org.apache.jackrabbit.core.security.AnonymousPrincipal;
18 //import org.apache.jackrabbit.core.security.SecurityConstants;
19 //import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
20 import org.argeo.cms.CmsException;
21 import org.argeo.cms.internal.auth.CmsSessionImpl;
22 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
23 import org.argeo.cms.internal.http.WebCmsSessionImpl;
24 import org.argeo.node.security.AnonymousPrincipal;
25 import org.argeo.node.security.DataAdminPrincipal;
26 import org.argeo.node.security.NodeSecurityUtils;
27 import org.osgi.framework.BundleContext;
28 import org.osgi.framework.InvalidSyntaxException;
29 import org.osgi.framework.ServiceReference;
30 import org.osgi.service.http.HttpContext;
31 import org.osgi.service.useradmin.Authorization;
32
33 class CmsAuthUtils {
34 private final static Log log = LogFactory.getLog(CmsAuthUtils.class);
35
36 /** Shared HTTP request */
37 final static String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request";
38 /** From org.osgi.service.http.HttpContext */
39 final static String SHARED_STATE_AUTHORIZATION = "org.osgi.service.useradmin.authorization";
40 /** From com.sun.security.auth.module.*LoginModule */
41 final static String SHARED_STATE_NAME = "javax.security.auth.login.name";
42 /** From com.sun.security.auth.module.*LoginModule */
43 final static String SHARED_STATE_PWD = "javax.security.auth.login.password";
44
45 final static String SHARED_STATE_SPNEGO_TOKEN = "org.argeo.cms.auth.spnegoToken";
46 final static String SHARED_STATE_SPNEGO_OUT_TOKEN = "org.argeo.cms.auth.spnegoOutToken";
47
48 final static String HEADER_AUTHORIZATION = "Authorization";
49 final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
50
51 static void addAuthentication(Subject subject, Authorization authorization) {
52 assert subject != null;
53 checkSubjectEmpty(subject);
54 assert authorization != null;
55
56 // required for display name:
57 subject.getPrivateCredentials().add(authorization);
58
59 Set<Principal> principals = subject.getPrincipals();
60 try {
61 String authName = authorization.getName();
62
63 // determine user's principal
64 final LdapName name;
65 final Principal userPrincipal;
66 if (authName == null) {
67 name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
68 userPrincipal = new AnonymousPrincipal();
69 principals.add(userPrincipal);
70 // principals.add(new AnonymousPrincipal());
71 } else {
72 name = new LdapName(authName);
73 NodeSecurityUtils.checkUserName(name);
74 userPrincipal = new X500Principal(name.toString());
75 principals.add(userPrincipal);
76 principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal));
77 }
78
79 // Add roles provided by authorization
80 for (String role : authorization.getRoles()) {
81 LdapName roleName = new LdapName(role);
82 if (roleName.equals(name)) {
83 // skip
84 } else {
85 NodeSecurityUtils.checkImpliedPrincipalName(roleName);
86 principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
87 if (roleName.equals(NodeSecurityUtils.ROLE_ADMIN_NAME))
88 principals.add(new DataAdminPrincipal());
89 }
90 }
91
92 } catch (InvalidNameException e) {
93 throw new CmsException("Cannot commit", e);
94 }
95 }
96
97 private static void checkSubjectEmpty(Subject subject) {
98 if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
99 throw new IllegalStateException("Already logged in as anonymous: " + subject);
100 if (!subject.getPrincipals(X500Principal.class).isEmpty())
101 throw new IllegalStateException("Already logged in as user: " + subject);
102 if (!subject.getPrincipals(DataAdminPrincipal.class).isEmpty())
103 throw new IllegalStateException("Already logged in as data admin: " + subject);
104 if (!subject.getPrincipals(ImpliedByPrincipal.class).isEmpty())
105 throw new IllegalStateException("Already authorized: " + subject);
106 }
107
108 static void cleanUp(Subject subject) {
109 // Argeo
110 subject.getPrincipals().removeAll(subject.getPrincipals(X500Principal.class));
111 subject.getPrincipals().removeAll(subject.getPrincipals(ImpliedByPrincipal.class));
112 // Jackrabbit
113 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
114 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
115 }
116
117 // SHARED STATE KEYS
118 // compatible with com.sun.security.auth.module.*LoginModule
119 // public static final String SHARED_STATE_USERNAME =
120 // "javax.security.auth.login.name";
121 // public static final String SHARED_STATE_PASSWORD =
122 // "javax.security.auth.login.password";
123
124 static void registerSessionAuthorization(BundleContext bc, HttpServletRequest request, Subject subject,
125 Authorization authorization) {
126 HttpSession httpSession = request.getSession();
127 String httpSessId = httpSession.getId();
128 if (authorization.getName() != null) {
129 request.setAttribute(HttpContext.REMOTE_USER, authorization.getName());
130 request.setAttribute(HttpContext.AUTHORIZATION, authorization);
131
132 CmsSession cmsSession = CmsSessionImpl.getByLocalId(httpSessId);
133 if (cmsSession == null)
134 cmsSession = new WebCmsSessionImpl(subject, authorization, httpSessId);
135 request.setAttribute(CmsSession.class.getName(), cmsSession);
136 // else
137 // throw new CmsException("Already a CMS session registered for
138 // "+httpSessId);
139
140 // if (httpSession.getAttribute(HttpContext.AUTHORIZATION) == null)
141 // {
142
143 // Collection<ServiceReference<CmsSession>> sr;
144 // try {
145 // sr = bc.getServiceReferences(CmsSession.class,
146 // "(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessId + ")");
147 // } catch (InvalidSyntaxException e) {
148 // throw new CmsException("Cannot get CMS session for id " +
149 // httpSessId, e);
150 // }
151 // ServiceReference<CmsSession> cmsSessionRef;
152 // if (sr.size() == 1) {
153 // cmsSessionRef = sr.iterator().next();
154 // } else if (sr.size() == 0) {
155 // WebCmsSessionImpl cmsSessionImpl = new WebCmsSessionImpl(subject,
156 // authorization, httpSessId);
157 // cmsSessionRef =
158 // cmsSessionImpl.getServiceRegistration().getReference();
159 // if (log.isDebugEnabled())
160 // log.debug("Initialized " + cmsSessionImpl + " for " +
161 // authorization.getName());
162 // } else
163 // throw new CmsException(sr.size() + " CMS sessions registered for
164 // " + httpSessId);
165 //
166 // cmsSession = (CmsSession) bc.getService(cmsSessionRef);
167 // cmsSession.addHttpSession(request);
168 // if (log.isTraceEnabled())
169 // log.trace("Added " + request.getServletPath() + " to " +
170 // cmsSession + " (" + request.getRequestURI()
171 // + ")");
172 // httpSession.setAttribute(HttpContext.REMOTE_USER,
173 // authorization.getName());
174 // httpSession.setAttribute(HttpContext.AUTHORIZATION,
175 // authorization);
176 CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
177 if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0)
178 subject.getPrivateCredentials().add(nodeSessionId);
179 else {
180 UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid();
181 // if (storedSessionId.equals(httpSessionId.getValue()))
182 throw new CmsException(
183 "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
184 }
185 }
186 // }
187 }
188
189 static boolean logoutSession(BundleContext bc, Subject subject) {
190 UUID nodeSessionId;
191 if (subject.getPrivateCredentials(CmsSessionId.class).size() == 1)
192 nodeSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid();
193 else
194 return false;
195 Collection<ServiceReference<CmsSession>> srs;
196 try {
197 srs = bc.getServiceReferences(CmsSession.class, "(" + CmsSession.SESSION_UUID + "=" + nodeSessionId + ")");
198 } catch (InvalidSyntaxException e) {
199 throw new CmsException("Cannot retrieve CMS session #" + nodeSessionId, e);
200 }
201
202 if (srs.size() == 0) {
203 if (log.isTraceEnabled())
204 log.warn("No CMS web session found for http session " + nodeSessionId);
205 return false;
206 } else if (srs.size() > 1)
207 throw new CmsException(srs.size() + " CMS web sessions found for http session " + nodeSessionId);
208
209 WebCmsSessionImpl cmsSession = (WebCmsSessionImpl) bc.getService(srs.iterator().next());
210 cmsSession.cleanUp();
211 subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(CmsSessionId.class));
212 if (log.isDebugEnabled())
213 log.debug("Cleaned up " + cmsSession);
214 return true;
215 }
216
217 public static <T extends Principal> T getSinglePrincipal(Subject subject, Class<T> clss) {
218 Set<T> principals = subject.getPrincipals(clss);
219 if (principals.isEmpty())
220 return null;
221 if (principals.size() > 1)
222 throw new IllegalStateException("Only one " + clss + " principal expected in " + subject);
223 return principals.iterator().next();
224 }
225
226 private CmsAuthUtils() {
227
228 }
229
230 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi