package org.argeo.cms.auth;
-import static org.argeo.util.naming.LdapAttrs.cn;
+import static org.argeo.api.acr.ldap.LdapAttr.cn;
import java.io.IOException;
+import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashSet;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
+import org.argeo.api.acr.ldap.LdapAttr;
import org.argeo.api.cms.CmsConstants;
import org.argeo.api.cms.CmsLog;
+import org.argeo.cms.directory.ldap.IpaUtils;
import org.argeo.cms.internal.runtime.CmsContextImpl;
-import org.argeo.osgi.useradmin.AuthenticatingUser;
-import org.argeo.osgi.useradmin.TokenUtils;
-import org.argeo.util.directory.ldap.IpaUtils;
-import org.argeo.util.naming.LdapAttrs;
+import org.argeo.cms.osgi.useradmin.AuthenticatingUser;
+import org.argeo.cms.osgi.useradmin.TokenUtils;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.Group;
import org.osgi.service.useradmin.User;
private CallbackHandler callbackHandler;
private Map<String, Object> sharedState = null;
- private List<String> indexedUserProperties = Arrays.asList(new String[] { LdapAttrs.mail.name(),
- LdapAttrs.uid.name(), LdapAttrs.employeeNumber.name(), LdapAttrs.authPassword.name() });
+ private List<String> indexedUserProperties = Arrays.asList(new String[] { LdapAttr.mail.name(), LdapAttr.uid.name(),
+ LdapAttr.employeeNumber.name(), LdapAttr.authPassword.name() });
// private state
// private BundleContext bc;
username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
password = null;
preauth = true;
+ } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) {
+ // single user, we assume Kerberos or other mean for commit
+ username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME);
+ password = null;
+ preauth = true;
} else {
// ask for username and password
return true;// expect Kerberos
if (password != null) {
+ // TODO disabling bind for the time being,
+ // as it requires authorisations to be set at LDAP level
+ boolean tryBind = false;
// try bind first
- try {
- AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password);
- bindAuthorization = userAdmin.getAuthorization(authenticatingUser);
- // TODO check tokens as well
- if (bindAuthorization != null) {
- authenticatedUser = user;
- return true;
+ if (tryBind)
+ try {
+ AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password);
+ bindAuthorization = userAdmin.getAuthorization(authenticatingUser);
+ // TODO check tokens as well
+ if (bindAuthorization != null) {
+ authenticatedUser = user;
+ return true;
+ }
+ } catch (Exception e) {
+ // silent
+ if (log.isTraceEnabled())
+ log.trace("Bind failed", e);
}
- } catch (Exception e) {
- // silent
- if (log.isTraceEnabled())
- log.trace("Bind failed", e);
- }
// works only if a connection password is provided
if (!user.hasCredential(null, password)) {
// }
UserAdmin userAdmin = CmsContextImpl.getCmsContext().getUserAdmin();
Authorization authorization;
- if (callbackHandler == null) {// anonymous
+ if (callbackHandler == null && !sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) {// anonymous
authorization = userAdmin.getAuthorization(null);
} else if (bindAuthorization != null) {// bind
authorization = bindAuthorization;
// Register CmsSession with initial subject
CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
- if (log.isDebugEnabled())
- log.debug("Logged in to CMS: " + subject);
+ if (log.isDebugEnabled()) {
+ StringBuilder msg = new StringBuilder();
+ msg.append("Logged in to CMS: '" + authorization + "' (" + authorization.getName() + ")\n");
+ if (log.isTraceEnabled()) {
+ for (Principal principal : subject.getPrincipals()) {
+ msg.append(" Principal: " + principal.getName()).append(" (")
+ .append(principal.getClass().getSimpleName()).append(")\n");
+ }
+ for (Object credential : subject.getPublicCredentials()) {
+ msg.append(" Public Credential: " + credential).append(" (")
+ .append(credential.getClass().getSimpleName()).append(")\n");
+ }
+ }
+ log.debug(msg);
+ }
+// if (log.isTraceEnabled())
+// log.trace(" Subject: " + subject);
return true;
}