X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FCmsAuthUtils.java;h=aa313ee0a954e6b2b1fa088f9c1881d9e093de72;hb=ef73bd445ed1fc2a24dd0afc4d022c48b0501e8e;hp=6fa7bd2a1c343d03e3b73ed14018175c8c43ad77;hpb=d66d81530f1da58e2e2c5d25e0a5dc30ad32b848;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
index 6fa7bd2a1..aa313ee0a 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
@@ -19,29 +19,27 @@ import org.argeo.cms.CmsException; import org.argeo.cms.internal.auth.CmsSessionImpl; import org.argeo.cms.internal.auth.ImpliedByPrincipal; import org.argeo.cms.internal.http.WebCmsSessionImpl; +import org.argeo.cms.internal.kernel.Activator; import org.argeo.node.NodeConstants; import org.argeo.node.security.AnonymousPrincipal; import org.argeo.node.security.DataAdminPrincipal; import org.argeo.node.security.NodeSecurityUtils; +import org.argeo.osgi.useradmin.AuthenticatingUser; import org.osgi.service.http.HttpContext; import org.osgi.service.useradmin.Authorization; class CmsAuthUtils { - /** Shared HTTP request */ - final static String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request"; - /** From org.osgi.service.http.HttpContext */ - // final static String SHARED_STATE_AUTHORIZATION = - // "org.osgi.service.useradmin.authorization"; - /** From com.sun.security.auth.module.*LoginModule */ - final static String SHARED_STATE_NAME = "javax.security.auth.login.name"; - /** From com.sun.security.auth.module.*LoginModule */ - final static String SHARED_STATE_PWD = "javax.security.auth.login.password"; + // Standard + final static String SHARED_STATE_NAME = AuthenticatingUser.SHARED_STATE_NAME; + final static String SHARED_STATE_PWD = AuthenticatingUser.SHARED_STATE_PWD; + final static String HEADER_AUTHORIZATION = "Authorization"; + final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate"; + // Argeo specific + final static String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request"; final static String SHARED_STATE_SPNEGO_TOKEN = "org.argeo.cms.auth.spnegoToken"; final static String SHARED_STATE_SPNEGO_OUT_TOKEN = "org.argeo.cms.auth.spnegoOutToken"; - - final static String HEADER_AUTHORIZATION = "Authorization"; - final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate"; + final static String SHARED_STATE_CERTIFICATE_CHAIN = "org.argeo.cms.auth.certificateChain"; static void addAuthorization(Subject subject, 
Authorization authorization, Locale locale, HttpServletRequest request) { @@ -52,6 +50,10 @@ class CmsAuthUtils { // required for display name: subject.getPrivateCredentials().add(authorization); + if (Activator.isSingleUser()) { + subject.getPrincipals().add(new DataAdminPrincipal()); + } + Set principals = subject.getPrincipals(); try { String authName = authorization.getName(); @@ -63,13 +65,13 @@ class CmsAuthUtils { name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME; userPrincipal = new AnonymousPrincipal(); principals.add(userPrincipal); - // principals.add(new AnonymousPrincipal()); } else { name = new LdapName(authName); NodeSecurityUtils.checkUserName(name); userPrincipal = new X500Principal(name.toString()); principals.add(userPrincipal); - principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal)); + // principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, + // userPrincipal)); } // Add roles provided by authorization @@ -77,6 +79,8 @@ class CmsAuthUtils { LdapName roleName = new LdapName(role); if (roleName.equals(name)) { // skip + } else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) { + // skip } else { NodeSecurityUtils.checkImpliedPrincipalName(roleName); principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal)); @@ -89,7 +93,7 @@ class CmsAuthUtils { throw new CmsException("Cannot commit", e); } - registerSessionAuthorization(request, subject, authorization, locale); + // registerSessionAuthorization(request, subject, authorization, locale); } private static void checkSubjectEmpty(Subject subject) { 
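Review bot: The new `// Standard` comment loses what the removed Javadoc stated, namely that SHARED_STATE_NAME and SHARED_STATE_PWD are the shared-state keys used by the JDK com.sun.security.auth.module login modules, and the hunk does not show whether AuthenticatingUser.SHARED_STATE_NAME and AuthenticatingUser.SHARED_STATE_PWD carry the same string values as the literals they replace. Any other login module that still reads the literal keys would stop seeing the name and password if the values differ, so that contract should stay visible, e.g. `// Standard: keys shared with com.sun.security.auth.module.*LoginModule, now defined by AuthenticatingUser`. The constant values themselves should be confirmed against AuthenticatingUser before merging.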
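Review bot: The single-user branch adds a DataAdminPrincipal before the authorization name is examined, so when Activator.isSingleUser() is true an anonymous authorization (the ROLE_ANONYMOUS_NAME path a few lines below) would carry data-admin rights as well. Whether single-user mode can ever produce an anonymous authorization is not visible in this hunk; if it cannot, say so in a comment, otherwise guard the grant, e.g. `if (Activator.isSingleUser() && authorization.getName() != null) {`. addAuthorization's body continues outside the hunk.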
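Review bot: Commenting out the `new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal)` line silently changes what every named subject is granted, and the commented-out code leaves no reason for the change. Any check elsewhere that relies on the user role being implied for a named principal would now fail unless the roles loop below always supplies it, which cannot be confirmed from the hunk. Delete the dead lines and record the intent instead, e.g. `// ROLE_USER is no longer implied here; it must be granted through the authorization roles` (adjust to the actual reason).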
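Review bot: With `registerSessionAuthorization(request, subject, authorization, locale);` commented out, addAuthorization no longer binds the subject to a CMS session, yet nothing in the method says that callers are now expected to call registerSessionAuthorization (made package-visible in the hunk at old line 117) themselves. A commented-out call does not express that contract; replace it with a comment such as `// Session registration is now the caller's responsibility, see registerSessionAuthorization` and mention it in the method's Javadoc, which starts outside this hunk.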
@@ -117,10 +121,13 @@ class CmsAuthUtils { // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class)); } - private static void registerSessionAuthorization(HttpServletRequest request, Subject subject, + synchronized static void registerSessionAuthorization(HttpServletRequest request, Subject subject, Authorization authorization, Locale locale) { + // synchronized in order to avoid multiple registrations + // TODO move it to a service in order to avoid static synchronization if (request != null) { HttpSession httpSession = request.getSession(false); + assert httpSession != null; String httpSessId = httpSession.getId(); String remoteUser = authorization.getName() != null ? authorization.getName() : NodeConstants.ROLE_ANONYMOUS; @@ -131,24 +138,24 @@ class CmsAuthUtils { if (cmsSession != null) { if (authorization.getName() != null) { if (cmsSession.getAuthorization().getName() == null) { - // FIXME make it more generic cmsSession.close(); cmsSession = null; } else if (!authorization.getName().equals(cmsSession.getAuthorization().getName())) { throw new CmsException("Inconsistent user " + authorization.getName() + " for existing CMS session " + cmsSession); } + // keyring + subject.getPrivateCredentials().addAll(cmsSession.getSecretKeys()); } else {// anonymous if (cmsSession.getAuthorization().getName() != null) { - // FIXME make it more generic cmsSession.close(); + // TODO rather throw an exception ? log a warning ? cmsSession = null; } } - } - - if (cmsSession == null) + } else if (cmsSession == null) { cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request); + } // request.setAttribute(CmsSession.class.getName(), cmsSession); CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid()); if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0) 
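Review bot: `assert httpSession != null;` only fires when the JVM runs with -ea; in a normal deployment `request.getSession(false)` returning null (no session established yet) still reaches `httpSession.getId()` on the next line and fails with a bare NullPointerException. Replace the assertion with a real check, e.g. `if (httpSession == null) throw new CmsException("No HTTP session for request " + request.getRequestURI());`, or handle the no-session case explicitly; CmsException is already the exception type used in this method. The body of registerSessionAuthorization continues outside the hunk.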
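Review bot: Turning the second `if (cmsSession == null)` into `} else if (cmsSession == null) {` means that when the first branch closes a stale session and sets `cmsSession = null` (both the anonymous-session-then-named-user case and the named-session-then-anonymous case), no new WebCmsSessionImpl is created and `cmsSession.getUuid()` a few lines later dereferences null. The new keyring line `subject.getPrivateCredentials().addAll(cmsSession.getSecretKeys());` has the same problem, since it runs after the branch that may have nulled cmsSession, and it would also import the secret keys of a session that was just closed. Move the keyring line into an `else` of the name comparison so keys are only taken from a session confirmed to belong to this user, and make the creation check independent again.
```java
            } else {
                // keyring: reuse secret keys only from a session confirmed to belong to this user
                subject.getPrivateCredentials().addAll(cmsSession.getSecretKeys());
            }
        } else {// anonymous
            // … unchanged: close a named session found for an anonymous authorization …
        }
    }
    // not an else-if: the branch above may have closed and nulled the stale session
    if (cmsSession == null) {
        cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
    }
```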
@@ -159,7 +166,9 @@ class CmsAuthUtils { throw new CmsException( "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")"); } - } else { + } else + + { // TODO desktop, CLI } }
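Review bot: The new `} else` followed by a blank line and a lone `{` splits the else brace across three lines, which reads like a leftover from an editor reformat rather than intent; write it as `} else {` on one line, keeping the `// TODO desktop, CLI` comment inside. The enclosing method starts outside the hunk.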