]> git.argeo.org Git - lgpl/argeo-commons.git/blob - org.argeo.security.ui.rap/src/org/argeo/security/ui/rap/SecureEntryPoint.java
projects / lgpl / argeo-commons.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Remove the 'Logout' entry point from plugin.xml after corresponding class deletion
[lgpl/argeo-commons.git] / org.argeo.security.ui.rap / src / org / argeo / security / ui / rap / SecureEntryPoint.java
1 /*
2 * Copyright (C) 2007-2012 Argeo GmbH
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.argeo.security.ui.rap;
17
18 import java.security.PrivilegedAction;
19
20 import javax.security.auth.Subject;
21 import javax.security.auth.login.LoginException;
22 import javax.security.auth.spi.LoginModule;
23 import javax.servlet.http.HttpServletRequest;
24 import javax.servlet.http.HttpSession;
25
26 import org.apache.commons.logging.Log;
27 import org.apache.commons.logging.LogFactory;
28 import org.argeo.ArgeoException;
29 import org.argeo.eclipse.ui.workbench.ErrorFeedback;
30 import org.argeo.security.ui.dialogs.DefaultLoginDialog;
31 import org.argeo.util.LocaleUtils;
32 import org.eclipse.jface.dialogs.MessageDialog;
33 import org.eclipse.rap.rwt.RWT;
34 import org.eclipse.rap.rwt.application.EntryPoint;
35 import org.eclipse.swt.widgets.Display;
36 import org.eclipse.ui.PlatformUI;
37 import org.osgi.framework.BundleContext;
38 import org.springframework.security.authentication.BadCredentialsException;
39 import org.springframework.security.core.Authentication;
40 import org.springframework.security.core.context.SecurityContext;
41 import org.springframework.security.core.context.SecurityContextHolder;
42
43 /**
44 * RAP entry point with login capabilities. Once the user has been
45 * authenticated, the workbench is run as a privileged action by the related
46 * subject.
47 */
48 public class SecureEntryPoint implements EntryPoint {
49 private final static Log log = LogFactory.getLog(SecureEntryPoint.class);
50
51 /**
52 * From org.springframework.security.context.
53 * HttpSessionContextIntegrationFilter
54 */
55 protected static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
56
57 /**
58 * How many seconds to wait before invalidating the session if the user has
59 * not yet logged in.
60 */
61 private Integer loginTimeout = 1 * 60;
62 // TODO make it configurable
63 /** Default session timeout is 8 hours (European working day length) */
64 private Integer sessionTimeout = 8 * 60 * 60;
65
66 /** Override to provide an application specific workbench advisor */
67 protected RapWorkbenchAdvisor createRapWorkbenchAdvisor(String username) {
68 return new RapWorkbenchAdvisor(username);
69 }
70
71 @Override
72 public final int createUI() {
73 // Short login timeout so that the modal dialog login doesn't hang
74 // around too long
75 RWT.getRequest().getSession().setMaxInactiveInterval(loginTimeout);
76
77 // Try to load security context thanks to the session processing filter
78 HttpServletRequest httpRequest = RWT.getRequest();
79 HttpSession httpSession = httpRequest.getSession();
80 Object contextFromSessionObject = httpSession
81 .getAttribute(SPRING_SECURITY_CONTEXT_KEY);
82 if (contextFromSessionObject != null)
83 SecurityContextHolder
84 .setContext((SecurityContext) contextFromSessionObject);
85
86 // if (log.isDebugEnabled())
87 // log.debug("THREAD=" + Thread.currentThread().getId()
88 // + ", sessionStore=" + RWT.getSessionStore().getId()
89 // + ", remote user=" + httpRequest.getRemoteUser());
90
91 // create display
92 final Display display = PlatformUI.createDisplay();
93 Subject subject = new Subject();
94
95 // log in
96 BundleContext bc = SecureRapActivator.getActivator().getBundleContext();
97 final LoginModule loginModule = bc.getService(bc
98 .getServiceReference(LoginModule.class));
99 loginModule.initialize(subject,
100 new DefaultLoginDialog(display.getActiveShell()), null, null);
101 tryLogin: while (subject.getPrincipals(Authentication.class).size() == 0) {
102 try {
103 if (!loginModule.login()) {
104 throw new ArgeoException("Login failed");
105 }
106
107 if (subject.getPrincipals(Authentication.class).size() == 0)
108 throw new ArgeoException("Login succeeded but no auth");// fatal
109
110 // add security context to session
111 if (httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) == null)
112 httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY,
113 SecurityContextHolder.getContext());
114 // add thread locale to RWT session
115 log.info("Locale " + LocaleUtils.threadLocale.get());
116 RWT.setLocale(LocaleUtils.threadLocale.get());
117
118 // Once the user is logged in, longer session timeout
119 RWT.getRequest().getSession()
120 .setMaxInactiveInterval(sessionTimeout);
121
122 if (log.isDebugEnabled())
123 log.debug("Authenticated " + subject);
124 } catch (LoginException e) {
125 BadCredentialsException bce = wasCausedByBadCredentials(e);
126 if (bce != null) {
127 MessageDialog.openInformation(display.getActiveShell(),
128 "Bad Credentials", bce.getMessage());
129 // retry login
130 continue tryLogin;
131 }
132 return processLoginDeath(display, e);
133 }
134 }
135
136 final String username = subject.getPrincipals(Authentication.class)
137 .iterator().next().getName();
138 // Logout callback when the display is disposed
139 display.disposeExec(new Runnable() {
140 public void run() {
141 log.debug("Display disposed");
142 // logout(loginContext, username);
143 try {
144 loginModule.logout();
145 } catch (LoginException e) {
146 log.error("Error when logging out", e);
147 }
148 }
149 });
150
151 //
152 // RUN THE WORKBENCH
153 //
154 Integer returnCode = null;
155 try {
156 returnCode = Subject.doAs(subject, new PrivilegedAction<Integer>() {
157 public Integer run() {
158 RapWorkbenchAdvisor workbenchAdvisor = createRapWorkbenchAdvisor(username);
159 int result = PlatformUI.createAndRunWorkbench(display,
160 workbenchAdvisor);
161 return new Integer(result);
162 }
163 });
164 // Explicit exit from workbench
165 logout(loginModule, username);
166 } finally {
167 display.dispose();
168 }
169 return returnCode;
170 }
171
172 private Integer processLoginDeath(Display display, LoginException e) {
173 // check thread death
174 ThreadDeath td = wasCausedByThreadDeath(e);
175 if (td != null) {
176 display.dispose();
177 throw td;
178 }
179 if (!display.isDisposed()) {
180 ErrorFeedback.show("Unexpected exception during authentication", e);
181 // this was not just bad credentials or death thread
182 RWT.getRequest().getSession().setMaxInactiveInterval(1);
183 display.dispose();
184 return -1;
185 } else {
186 throw new ArgeoException(
187 "Unexpected exception during authentication", e);
188 }
189
190 }
191
192 /** Recursively look for {@link BadCredentialsException} in the root causes. */
193 private BadCredentialsException wasCausedByBadCredentials(Throwable t) {
194 if (t instanceof BadCredentialsException)
195 return (BadCredentialsException) t;
196
197 if (t.getCause() != null)
198 return wasCausedByBadCredentials(t.getCause());
199 else
200 return null;
201 }
202
203 /**
204 * If there is a {@link ThreadDeath} in the root causes, rethrow it
205 * (important for RAP cleaning mechanism)
206 */
207 protected ThreadDeath wasCausedByThreadDeath(Throwable t) {
208 if (t instanceof ThreadDeath)
209 return (ThreadDeath) t;
210
211 if (t.getCause() != null)
212 return wasCausedByThreadDeath(t.getCause());
213 else
214 return null;
215 }
216
217 private void logout(LoginModule loginModule, String username) {
218 try {
219 loginModule.logout();
220 SecurityContextHolder.clearContext();
221
222 HttpServletRequest httpRequest = RWT.getRequest();
223 HttpSession httpSession = httpRequest.getSession();
224 httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, null);
225 RWT.getRequest().getSession().setMaxInactiveInterval(1);
226 log.info("Logged out " + (username != null ? username : "")
227 + " (THREAD=" + Thread.currentThread().getId() + ")");
228 } catch (LoginException e) {
229 log.error("Erorr when logging out", e);
230 }
231 }
232 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi