Introduce weak authentication

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / HttpSessionLoginModule.java

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
index 9cf32974f536f62f50dc46b65f285cfde94a29eb..d3103627c294259f8d4218e3534f2a8d98ce89c1 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
@@ -14,11 +14,13 @@ import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.naming.LdapAttrs;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.framework.InvalidSyntaxException;
@@ -68,7 +70,14 @@ public class HttpSessionLoginModule implements LoginModule {
                        return false;
                authorization = (Authorization) request.getAttribute(HttpContext.AUTHORIZATION);
                if (authorization == null) {// search by session ID
-                       String httpSessionId = request.getSession(false).getId();
+                       HttpSession httpSession = request.getSession(false);
+                       if (httpSession == null) {
+                               // TODO make sure this is always safe
+                               if (log.isTraceEnabled())
+                                       log.trace("Create http session");
+                               httpSession = request.getSession(true);
+                       }
+                       String httpSessionId = httpSession.getId();
                        // authorization = (Authorization)
                        // request.getSession().getAttribute(HttpContext.AUTHORIZATION);
                        // if (authorization == null) {
@@ -111,7 +120,7 @@ public class HttpSessionLoginModule implements LoginModule {
                }
 
                if (authorization != null) {
-                       CmsAuthUtils.addAuthorization(subject, authorization, request);
+                       CmsAuthUtils.addAuthorization(subject, authorization, request.getLocale(), request);
                        cleanUp();
                        return true;
                } else {
@@ -167,6 +176,15 @@ public class HttpSessionLoginModule implements LoginModule {
                                }
                        }
                }
+
+               // auth token
+//             String mail = request.getParameter(LdapAttrs.mail.name());
+//             String authPassword = request.getParameter(LdapAttrs.authPassword.name());
+//             if (authPassword != null) {
+//                     sharedState.put(CmsAuthUtils.SHARED_STATE_PWD, authPassword);
+//                     if (mail != null)
+//                             sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, mail);
+//             }
        }
 
        private X509Certificate[] extractClientCertificate(HttpServletRequest req) {