X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;ds=sidebyside;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FIpaLoginModule.java;h=0cbdc7d5b64a18c274271b5ec4a2987699b2fa06;hb=02a6354c17ddb160513580e9e3c7826d9475b177;hp=3ed4856196b65dc18c0b3ca3c7a7b880f0a0c39b;hpb=a2ad417ed1d0219ac29d70ae985939764c13ce38;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java
index 3ed485619..0cbdc7d5b 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java
@@ -4,16 +4,16 @@ import java.security.PrivilegedAction;
 import java.util.Map;
 import java.util.Set;
 
-import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
+import javax.servlet.http.HttpServletRequest;
 
 import org.argeo.cms.CmsException;
-import org.argeo.naming.LdapAttrs;
+import org.argeo.osgi.useradmin.IpaUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.service.useradmin.Authorization;
@@ -22,11 +22,16 @@ import org.osgi.service.useradmin.UserAdmin;
 public class IpaLoginModule implements LoginModule {
 	private BundleContext bc;
 	private Subject subject;
+	private Map sharedState = null;
+	private CallbackHandler callbackHandler;
 
+	@SuppressWarnings("unchecked")
 	@Override
 	public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
 		this.subject = subject;
+		this.sharedState = (Map) sharedState;
+		this.callbackHandler = callbackHandler;
 		try {
 			bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
 			assert bc != null;
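Review bot: The two new fields in the initialize() hunk, `sharedState` and `callbackHandler`, are stored without any indication of what the rest of the module later uses them for, and `= null` on `sharedState` is redundant for a reference field. A short comment on each would make the contract visible where the state is captured, e.g. `// JAAS shared state; login() reads the HTTP request from it under CmsAuthUtils.SHARED_STATE_HTTP_REQUEST` and `// non-null handler means the caller expects credential-based login, never anonymous (checked in login())`. The generic type arguments on the Map fields and casts are not visible in this rendering, so the `@SuppressWarnings("unchecked")` cannot be judged from here. initialize() continues past the end of the hunk.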
@@ -46,10 +51,12 @@ public class IpaLoginModule implements LoginModule {
 		Authorization authorization = null;
 		Set kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
 		if (kerberosPrincipals.isEmpty()) {
+			if(callbackHandler!=null)
+				throw new LoginException("Cannot be anonymous if callback handler is set");
 			authorization = userAdmin.getAuthorization(null);
 		} else {
 			KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
-			LdapName dn = kerberosToIpa(kerberosPrincipal);
+			LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
 			AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
 			authorization = Subject.doAs(subject, new PrivilegedAction() {
@@ -64,24 +71,13 @@ public class IpaLoginModule implements LoginModule {
 		if (authorization == null)
 			return false;
 		CmsAuthUtils.addAuthentication(subject, authorization);
+		HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
+		if (request != null) {
+			CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
+		}
 		return true;
 	}
 
-	private LdapName kerberosToIpa(KerberosPrincipal kerberosPrincipal) {
-		String[] kname = kerberosPrincipal.getName().split("@");
-		String username = kname[0];
-		String[] dcs = kname[1].split("\\.");
-		StringBuilder sb = new StringBuilder();
-		for (String dc : dcs) {
-			sb.append(',').append(LdapAttrs.dc.name()).append('=').append(dc.toLowerCase());
-		}
-		String dn = LdapAttrs.uid + "=" + username + ",cn=users,cn=accounts" + sb;
-		try {
-			return new LdapName(dn);
-		} catch (InvalidNameException e) {
-			throw new CmsException("Badly formatted name for " + kerberosPrincipal + ": " + dn);
-		}
-	}
 
 	@Override
 	public boolean abort() throws LoginException {
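Review bot: The new anonymous-login guard `if(callbackHandler!=null) throw new LoginException("Cannot be anonymous if callback handler is set");` is the right place to refuse a silent downgrade, but it is unbraced, unspaced and carries no explanation of why a handler implies non-anonymous; a one-line comment such as `// a CallbackHandler means the caller expects credential-based login; never fall back to anonymous` would spare the next reader a trip to the callers. It also changes behaviour for any configuration that supplies a handler but leaves no KerberosPrincipal in the subject: that path now fails with LoginException where it previously received an anonymous authorization, which is worth a line in the commit message. Writing it as `if (callbackHandler != null) {` with braces would match the surrounding style of login(), whose start and end lie outside this hunk.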
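Review bot: `(HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST)` in the second hunk is an unchecked cast on a value that another login module in the stack may have placed into shared state; if that key ever holds anything else, login() dies with a ClassCastException instead of a LoginException or a clean false. An instanceof test folds the null check and the type check into one branch: `Object req = sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);` / `if (req instanceof HttpServletRequest) {` / `CmsAuthUtils.registerSessionAuthorization(bc, (HttpServletRequest) req, subject, authorization);`. Separately, binding the HTTP session to the authorization happens inside login() rather than commit(), so the session is marked authorized before the rest of the login stack has succeeded; unless abort(), whose body lies outside the hunk, unregisters it, a later module failing would leave the session authorized. The existing addAuthentication call on the line above follows the same pattern, so this may be deliberate, but a comment stating that abort() is expected to undo it would make the invariant explicit.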
@@ -91,8 +87,7 @@ public class IpaLoginModule implements LoginModule {
 
 	@Override
 	public boolean logout() throws LoginException {
-		// TODO Auto-generated method stub
-		return false;
+		return CmsAuthUtils.logoutSession(bc, subject);
 	}
 
 }
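Review bot: logout() now returns whatever `CmsAuthUtils.logoutSession(bc, subject)` returns, but LoginModule.logout's boolean means "this module should be ignored", not "logout succeeded"; if logoutSession reports a failed teardown with false, LoginContext silently ignores the module instead of surfacing a LoginException, and the principals and authorization this module added in login() stay on the subject. Whether logoutSession can return false or clears the subject is outside the hunk, so at minimum document the mapping with `// logoutSession's result is used as the JAAS "ignore this module" flag, not as a success flag`, or convert a false result into a LoginException if it does signal failure.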