1 package org
.argeo
.cms
.auth
;
3 import java
.security
.Principal
;
4 import java
.util
.Collection
;
8 import javax
.naming
.InvalidNameException
;
9 import javax
.naming
.ldap
.LdapName
;
10 import javax
.security
.auth
.Subject
;
11 import javax
.security
.auth
.x500
.X500Principal
;
12 import javax
.servlet
.http
.HttpServletRequest
;
13 import javax
.servlet
.http
.HttpSession
;
15 import org
.apache
.commons
.logging
.Log
;
16 import org
.apache
.commons
.logging
.LogFactory
;
17 //import org.apache.jackrabbit.core.security.AnonymousPrincipal;
18 //import org.apache.jackrabbit.core.security.SecurityConstants;
19 //import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
20 import org
.argeo
.cms
.CmsException
;
21 import org
.argeo
.cms
.internal
.auth
.CmsSessionImpl
;
22 import org
.argeo
.cms
.internal
.auth
.ImpliedByPrincipal
;
23 import org
.argeo
.cms
.internal
.http
.WebCmsSessionImpl
;
24 import org
.argeo
.node
.security
.AnonymousPrincipal
;
25 import org
.argeo
.node
.security
.DataAdminPrincipal
;
26 import org
.argeo
.node
.security
.NodeSecurityUtils
;
27 import org
.osgi
.framework
.BundleContext
;
28 import org
.osgi
.framework
.InvalidSyntaxException
;
29 import org
.osgi
.framework
.ServiceReference
;
30 import org
.osgi
.service
.http
.HttpContext
;
31 import org
.osgi
.service
.useradmin
.Authorization
;
34 private final static Log log
= LogFactory
.getLog(CmsAuthUtils
.class);
36 /** Shared HTTP request */
37 final static String SHARED_STATE_HTTP_REQUEST
= "org.argeo.cms.auth.http.request";
38 /** From org.osgi.service.http.HttpContext */
39 final static String SHARED_STATE_AUTHORIZATION
= "org.osgi.service.useradmin.authorization";
40 /** From com.sun.security.auth.module.*LoginModule */
41 final static String SHARED_STATE_NAME
= "javax.security.auth.login.name";
42 /** From com.sun.security.auth.module.*LoginModule */
43 final static String SHARED_STATE_PWD
= "javax.security.auth.login.password";
45 final static String SHARED_STATE_SPNEGO_TOKEN
= "org.argeo.cms.auth.spnegoToken";
46 final static String SHARED_STATE_SPNEGO_OUT_TOKEN
= "org.argeo.cms.auth.spnegoOutToken";
48 final static String HEADER_AUTHORIZATION
= "Authorization";
49 final static String HEADER_WWW_AUTHENTICATE
= "WWW-Authenticate";
51 static void addAuthentication(Subject subject
, Authorization authorization
) {
52 assert subject
!= null;
53 checkSubjectEmpty(subject
);
54 assert authorization
!= null;
56 // required for display name:
57 subject
.getPrivateCredentials().add(authorization
);
59 Set
<Principal
> principals
= subject
.getPrincipals();
61 String authName
= authorization
.getName();
63 // determine user's principal
65 final Principal userPrincipal
;
66 if (authName
== null) {
67 name
= NodeSecurityUtils
.ROLE_ANONYMOUS_NAME
;
68 userPrincipal
= new AnonymousPrincipal();
69 principals
.add(userPrincipal
);
70 // principals.add(new AnonymousPrincipal());
72 name
= new LdapName(authName
);
73 NodeSecurityUtils
.checkUserName(name
);
74 userPrincipal
= new X500Principal(name
.toString());
75 principals
.add(userPrincipal
);
76 principals
.add(new ImpliedByPrincipal(NodeSecurityUtils
.ROLE_USER_NAME
, userPrincipal
));
79 // Add roles provided by authorization
80 for (String role
: authorization
.getRoles()) {
81 LdapName roleName
= new LdapName(role
);
82 if (roleName
.equals(name
)) {
85 NodeSecurityUtils
.checkImpliedPrincipalName(roleName
);
86 principals
.add(new ImpliedByPrincipal(roleName
.toString(), userPrincipal
));
87 if (roleName
.equals(NodeSecurityUtils
.ROLE_ADMIN_NAME
))
88 principals
.add(new DataAdminPrincipal());
92 } catch (InvalidNameException e
) {
93 throw new CmsException("Cannot commit", e
);
97 private static void checkSubjectEmpty(Subject subject
) {
98 if (!subject
.getPrincipals(AnonymousPrincipal
.class).isEmpty())
99 throw new IllegalStateException("Already logged in as anonymous: " + subject
);
100 if (!subject
.getPrincipals(X500Principal
.class).isEmpty())
101 throw new IllegalStateException("Already logged in as user: " + subject
);
102 if (!subject
.getPrincipals(DataAdminPrincipal
.class).isEmpty())
103 throw new IllegalStateException("Already logged in as data admin: " + subject
);
104 if (!subject
.getPrincipals(ImpliedByPrincipal
.class).isEmpty())
105 throw new IllegalStateException("Already authorized: " + subject
);
108 static void cleanUp(Subject subject
) {
110 subject
.getPrincipals().removeAll(subject
.getPrincipals(X500Principal
.class));
111 subject
.getPrincipals().removeAll(subject
.getPrincipals(ImpliedByPrincipal
.class));
113 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
114 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
118 // compatible with com.sun.security.auth.module.*LoginModule
119 // public static final String SHARED_STATE_USERNAME =
120 // "javax.security.auth.login.name";
121 // public static final String SHARED_STATE_PASSWORD =
122 // "javax.security.auth.login.password";
124 static void registerSessionAuthorization(BundleContext bc
, HttpServletRequest request
, Subject subject
,
125 Authorization authorization
) {
126 HttpSession httpSession
= request
.getSession();
127 String httpSessId
= httpSession
.getId();
128 if (authorization
.getName() != null) {
129 request
.setAttribute(HttpContext
.REMOTE_USER
, authorization
.getName());
130 request
.setAttribute(HttpContext
.AUTHORIZATION
, authorization
);
132 CmsSession cmsSession
= CmsSessionImpl
.getByLocalId(httpSessId
);
133 if (cmsSession
== null)
134 cmsSession
= new WebCmsSessionImpl(subject
, authorization
, httpSessId
);
135 request
.setAttribute(CmsSession
.class.getName(), cmsSession
);
137 // throw new CmsException("Already a CMS session registered for
140 // if (httpSession.getAttribute(HttpContext.AUTHORIZATION) == null)
143 // Collection<ServiceReference<CmsSession>> sr;
145 // sr = bc.getServiceReferences(CmsSession.class,
146 // "(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessId + ")");
147 // } catch (InvalidSyntaxException e) {
148 // throw new CmsException("Cannot get CMS session for id " +
151 // ServiceReference<CmsSession> cmsSessionRef;
152 // if (sr.size() == 1) {
153 // cmsSessionRef = sr.iterator().next();
154 // } else if (sr.size() == 0) {
155 // WebCmsSessionImpl cmsSessionImpl = new WebCmsSessionImpl(subject,
156 // authorization, httpSessId);
158 // cmsSessionImpl.getServiceRegistration().getReference();
159 // if (log.isDebugEnabled())
160 // log.debug("Initialized " + cmsSessionImpl + " for " +
161 // authorization.getName());
163 // throw new CmsException(sr.size() + " CMS sessions registered for
166 // cmsSession = (CmsSession) bc.getService(cmsSessionRef);
167 // cmsSession.addHttpSession(request);
168 // if (log.isTraceEnabled())
169 // log.trace("Added " + request.getServletPath() + " to " +
170 // cmsSession + " (" + request.getRequestURI()
172 // httpSession.setAttribute(HttpContext.REMOTE_USER,
173 // authorization.getName());
174 // httpSession.setAttribute(HttpContext.AUTHORIZATION,
176 CmsSessionId nodeSessionId
= new CmsSessionId(cmsSession
.getUuid());
177 if (subject
.getPrivateCredentials(CmsSessionId
.class).size() == 0)
178 subject
.getPrivateCredentials().add(nodeSessionId
);
180 UUID storedSessionId
= subject
.getPrivateCredentials(CmsSessionId
.class).iterator().next().getUuid();
181 // if (storedSessionId.equals(httpSessionId.getValue()))
182 throw new CmsException(
183 "Subject already logged with session " + storedSessionId
+ " (not " + nodeSessionId
+ ")");
189 static boolean logoutSession(BundleContext bc
, Subject subject
) {
191 if (subject
.getPrivateCredentials(CmsSessionId
.class).size() == 1)
192 nodeSessionId
= subject
.getPrivateCredentials(CmsSessionId
.class).iterator().next().getUuid();
195 Collection
<ServiceReference
<CmsSession
>> srs
;
197 srs
= bc
.getServiceReferences(CmsSession
.class, "(" + CmsSession
.SESSION_UUID
+ "=" + nodeSessionId
+ ")");
198 } catch (InvalidSyntaxException e
) {
199 throw new CmsException("Cannot retrieve CMS session #" + nodeSessionId
, e
);
202 if (srs
.size() == 0) {
203 if (log
.isTraceEnabled())
204 log
.warn("No CMS web session found for http session " + nodeSessionId
);
206 } else if (srs
.size() > 1)
207 throw new CmsException(srs
.size() + " CMS web sessions found for http session " + nodeSessionId
);
209 WebCmsSessionImpl cmsSession
= (WebCmsSessionImpl
) bc
.getService(srs
.iterator().next());
210 cmsSession
.cleanUp();
211 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(CmsSessionId
.class));
212 if (log
.isDebugEnabled())
213 log
.debug("Cleaned up " + cmsSession
);
217 public static <T
extends Principal
> T
getSinglePrincipal(Subject subject
, Class
<T
> clss
) {
218 Set
<T
> principals
= subject
.getPrincipals(clss
);
219 if (principals
.isEmpty())
221 if (principals
.size() > 1)
222 throw new IllegalStateException("Only one " + clss
+ " principal expected in " + subject
);
223 return principals
.iterator().next();
226 private CmsAuthUtils() {