1 package org.argeo.cms.auth;
2
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Set;

import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;

import org.argeo.cms.CmsException;
import org.argeo.osgi.useradmin.IpaUtils;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.UserAdmin;
21
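/**
 * JAAS {@link LoginModule} that turns a Kerberos identity already present on the
 * {@link Subject} into a CMS {@link Authorization}.
 * <p>
 * This module does no credential verification of its own: {@link #login()} always
 * succeeds and {@link #commit()} only reads the {@link KerberosPrincipal}s found on
 * the subject. It is therefore expected to be stacked after a module that actually
 * validates the Kerberos credentials; used alone it would grant the authorization of
 * whatever principal happens to be on the subject.
 * </p>
 */
public class IpaLoginModule implements LoginModule {
    private BundleContext bc;
    private Subject subject;
    private Map<String, Object> sharedState = null;
    private CallbackHandler callbackHandler;

    /**
     * Keeps the JAAS state handed over by the {@code LoginContext} and resolves the
     * bundle context used for OSGi service lookups.
     *
     * @throws CmsException if the bundle context cannot be resolved (for instance when
     *                      this class is not loaded by an OSGi bundle)
     */
    @SuppressWarnings("unchecked")
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
            Map<String, ?> options) {
        this.subject = subject;
        // JAAS passes the shared state as Map<String, ?>; it is only read here (see commit()).
        this.sharedState = (Map<String, Object>) sharedState;
        this.callbackHandler = callbackHandler;
        try {
            bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
            assert bc != null;
        } catch (Exception e) {
            throw new CmsException("Cannot initialize login module", e);
        }
    }

    /**
     * Always succeeds: this module performs no authentication step, the credentials are
     * expected to have been verified by a preceding module in the JAAS stack.
     */
    @Override
    public boolean login() throws LoginException {
        return true;
    }

    /**
     * Resolves the {@link Authorization} for the subject's Kerberos principal (or the
     * anonymous authorization when the subject carries none), attaches it to the
     * subject and, when an HTTP request is present in the shared state, registers it
     * on the HTTP session.
     *
     * @return {@code true} if an authorization was attached, {@code false} if the user
     *         admin returned none
     * @throws LoginException if the subject has no Kerberos principal while a callback
     *                        handler is set (anonymous access is refused for
     *                        interactive logins), or if the {@link UserAdmin} service
     *                        is not available
     */
    @Override
    public boolean commit() throws LoginException {
        ServiceReference<UserAdmin> userAdminRef = bc.getServiceReference(UserAdmin.class);
        if (userAdminRef == null)
            throw new LoginException("No " + UserAdmin.class.getName() + " service available");
        UserAdmin userAdmin = bc.getService(userAdminRef);
        if (userAdmin == null)
            throw new LoginException(UserAdmin.class.getName() + " service is no longer registered");
        try {
            Authorization authorization = resolveAuthorization(userAdmin);
            if (authorization == null)
                return false;
            CmsAuthUtils.addAuthentication(subject, authorization);
            HttpServletRequest request = sharedState == null ? null
                    : (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
            if (request != null) {
                CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
            }
            return true;
        } finally {
            // Release the usage count taken by getService(); the Authorization is a
            // plain return value and stays valid after the service is released.
            bc.ungetService(userAdminRef);
        }
    }

    /**
     * Looks up the authorization matching the subject's Kerberos principal.
     *
     * @return the authorization, or the anonymous one if the subject has no Kerberos
     *         principal and no callback handler was set; may be {@code null} if the
     *         user admin returns none
     * @throws LoginException if the subject is anonymous but a callback handler is set
     */
    private Authorization resolveAuthorization(UserAdmin userAdmin) throws LoginException {
        Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
        if (kerberosPrincipals.isEmpty()) {
            // A callback handler means an interactive login: it must not silently
            // degrade to anonymous access.
            if (callbackHandler != null)
                throw new LoginException("Cannot be anonymous if callback handler is set");
            return userAdmin.getAuthorization(null);
        }
        // Only the first Kerberos principal is considered if the subject carries several.
        KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
        LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
        AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
        // NOTE(review): the lookup runs as the subject, presumably so that the user
        // admin can use the subject's Kerberos credentials — confirm against IpaUtils.
        PrivilegedAction<Authorization> lookup = () -> userAdmin.getAuthorization(authenticatingUser);
        return Subject.doAs(subject, lookup);
    }

    /**
     * Called when the overall authentication failed. This module keeps nothing that
     * needs rolling back before {@link #commit()} and does not undo a previous commit;
     * it returns {@code false} so that the {@code LoginContext} ignores it.
     */
    @Override
    public boolean abort() throws LoginException {
        return false;
    }

    /** Terminates the CMS session associated with the subject, if any. */
    @Override
    public boolean logout() throws LoginException {
        return CmsAuthUtils.logoutSession(bc, subject);
    }

}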