import java.util.Map;
import java.util.Set;
-import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
+import javax.servlet.http.HttpServletRequest;
import org.argeo.cms.CmsException;
-import org.argeo.naming.LdapAttrs;
+import org.argeo.osgi.useradmin.IpaUtils;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.service.useradmin.Authorization;
public class IpaLoginModule implements LoginModule {
private BundleContext bc;
private Subject subject;
+ private Map<String, Object> sharedState = null;
+ private CallbackHandler callbackHandler;
+ @SuppressWarnings("unchecked")
@Override
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
Map<String, ?> options) {
this.subject = subject;
+ this.sharedState = (Map<String, Object>) sharedState;
+ this.callbackHandler = callbackHandler;
try {
bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
assert bc != null;
Authorization authorization = null;
Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
if (kerberosPrincipals.isEmpty()) {
+ if(callbackHandler!=null)
+ throw new LoginException("Cannot be anonymous if callback handler is set");
authorization = userAdmin.getAuthorization(null);
} else {
KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
- LdapName dn = kerberosToIpa(kerberosPrincipal);
+ LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
if (authorization == null)
return false;
CmsAuthUtils.addAuthentication(subject, authorization);
+ HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
+ if (request != null) {
+ CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
+ }
return true;
}
- private LdapName kerberosToIpa(KerberosPrincipal kerberosPrincipal) {
- String[] kname = kerberosPrincipal.getName().split("@");
- String username = kname[0];
- String[] dcs = kname[1].split("\\.");
- StringBuilder sb = new StringBuilder();
- for (String dc : dcs) {
- sb.append(',').append(LdapAttrs.dc.name()).append('=').append(dc.toLowerCase());
- }
- String dn = LdapAttrs.uid + "=" + username + ",cn=users,cn=accounts" + sb;
- try {
- return new LdapName(dn);
- } catch (InvalidNameException e) {
- throw new CmsException("Badly formatted name for " + kerberosPrincipal + ": " + dn);
- }
- }
@Override
public boolean abort() throws LoginException {
@Override
public boolean logout() throws LoginException {
- // TODO Auto-generated method stub
- return false;
+ return CmsAuthUtils.logoutSession(bc, subject);
}
}