Introduce weak authentication
index 4d59c5263a76afe974b600244c8ad6b848c98243..65ccbd6aba15c7c2cfa71fcb7f39d7107eb5d7a0 100644 (file)
@@ -1,6 +1,7 @@
 package org.argeo.cms.auth;
 
 import java.security.Principal;
+import java.util.Locale;
 import java.util.Set;
 import java.util.UUID;
 
@@ -42,7 +43,8 @@ class CmsAuthUtils {
        final static String HEADER_AUTHORIZATION = "Authorization";
        final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
 
-       static void addAuthorization(Subject subject, Authorization authorization, HttpServletRequest request) {
+       static void addAuthorization(Subject subject, Authorization authorization, Locale locale,
+                       HttpServletRequest request) {
                assert subject != null;
                checkSubjectEmpty(subject);
                assert authorization != null;
@@ -87,7 +89,7 @@ class CmsAuthUtils {
                        throw new CmsException("Cannot commit", e);
                }
 
-               registerSessionAuthorization(request, subject, authorization);
+               registerSessionAuthorization(request, subject, authorization, locale);
        }
 
        private static void checkSubjectEmpty(Subject subject) {
@@ -115,22 +117,24 @@ class CmsAuthUtils {
                // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
        }
 
-       private static void registerSessionAuthorization(HttpServletRequest request, Subject subject,
-                       Authorization authorization) {
+       private synchronized static void registerSessionAuthorization(HttpServletRequest request, Subject subject,
+                       Authorization authorization, Locale locale) {
+               // synchronized in order to avoid multiple registrations
+               // TODO move it to a service in order to avoid static synchronization
                if (request != null) {
-                       HttpSession httpSession = request.getSession();
+                       HttpSession httpSession = request.getSession(false);
+                       assert httpSession != null;
                        String httpSessId = httpSession.getId();
                        String remoteUser = authorization.getName() != null ? authorization.getName()
                                        : NodeConstants.ROLE_ANONYMOUS;
                        request.setAttribute(HttpContext.REMOTE_USER, remoteUser);
                        request.setAttribute(HttpContext.AUTHORIZATION, authorization);
 
-                       CmsSession cmsSession = CmsSessionImpl.getByLocalId(httpSessId);
+                       CmsSessionImpl cmsSession = CmsSessionImpl.getByLocalId(httpSessId);
                        if (cmsSession != null) {
                                if (authorization.getName() != null) {
                                        if (cmsSession.getAuthorization().getName() == null) {
-                                               // FIXME make it more generic
-                                               ((WebCmsSessionImpl) cmsSession).cleanUp();
+                                               cmsSession.close();
                                                cmsSession = null;
                                        } else if (!authorization.getName().equals(cmsSession.getAuthorization().getName())) {
                                                throw new CmsException("Inconsistent user " + authorization.getName()
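Review bot: `request.getSession(false)` on the changed line can return null when the request carries no session, and the `assert httpSession != null` added right after it only runs with `-ea`, so in production the very next line `httpSession.getId()` fails with a NullPointerException instead of a meaningful error. Replace the assert with an explicit check, e.g. `if (httpSession == null) throw new CmsException("No HTTP session available to register the authorization");` — CmsException is already the failure type used in this hunk. The new `synchronized static` modifier serializes every authorization registration in the JVM, as the TODO acknowledges; a comment stating what the lock actually guards (presumably two concurrent requests on the same HTTP session each creating a WebCmsSessionImpl) would let a maintainer scope it correctly when it is moved to a service. registerSessionAuthorization continues past the end of the hunk.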
@@ -138,15 +142,15 @@ class CmsAuthUtils {
                                        }
                                } else {// anonymous
                                        if (cmsSession.getAuthorization().getName() != null) {
-                                               // FIXME make it more generic
-                                               ((WebCmsSessionImpl) cmsSession).cleanUp();
+                                               cmsSession.close();
+                                               // TODO rather throw an exception ? log a warning ?
                                                cmsSession = null;
                                        }
                                }
                        }
 
                        if (cmsSession == null)
-                               cmsSession = new WebCmsSessionImpl(subject, authorization, httpSessId);
+                               cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
                        // request.setAttribute(CmsSession.class.getName(), cmsSession);
                        CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
                        if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0)
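Review bot: In the anonymous branch, an existing authenticated `cmsSession` is closed and set to null without any trace when an anonymous authorization arrives on the same HTTP session id, and the new TODO leaves the question open; this is the point where an authenticated CMS session disappears, so it should at least be visible in the logs. Suggest a comment before `cmsSession.close();` such as `// an authenticated CMS session is replaced by an anonymous one on the same HTTP session; log it so the transition can be traced` followed by a warning with the HTTP session id and the previous authorization name (no credentials), using whatever logger this class has. The `new WebCmsSessionImpl(subject, authorization, locale, request)` line now hands the whole request to the session where the old code passed only `httpSessId`; if WebCmsSessionImpl keeps a reference to the request beyond the request lifecycle that is a leak — presumably it only reads the session from it, which is worth confirming. The enclosing method continues outside the hunk.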