X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FSpnegoLoginModule.java;h=e5f367d23f1e77cdba3ed26fe806006e8b06a00e;hb=HEAD;hp=2dbad96d28d592bcb007d7e186ea6223c054f62c;hpb=f4da6777015da3fc392138f0c01cea2f2add9ed3;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/SpnegoLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/SpnegoLoginModule.java
index 2dbad96d2..e5f367d23 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/SpnegoLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/SpnegoLoginModule.java
@@ -1,6 +1,5 @@
 package org.argeo.cms.auth;
 
-import java.lang.reflect.Method;
 import java.util.Map;
 
 import javax.security.auth.Subject;
@@ -11,11 +10,12 @@ import javax.security.auth.spi.LoginModule;
 import org.argeo.api.cms.CmsLog;
 import org.argeo.cms.internal.runtime.CmsContextImpl;
 import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
 
+import com.sun.security.jgss.GSSUtil;
+
 /** SPNEGO login */
 public class SpnegoLoginModule implements LoginModule {
 	private final static CmsLog log = CmsLog.getLog(SpnegoLoginModule.class);
@@ -36,25 +36,33 @@ public class SpnegoLoginModule implements LoginModule {
 	@Override
 	public boolean login() throws LoginException {
 		byte[] spnegoToken = (byte[]) sharedState.get(CmsAuthUtils.SHARED_STATE_SPNEGO_TOKEN);
-		if (spnegoToken == null)
+		if (spnegoToken == null) {
+			if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)) {
+				// workaround: set shared state name to empty
+				// in order to avoid Krb5LoginModule printing to System.out
+				// TODO ask upstream to only log in debug mode
+				sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, "");
+			}
 			return false;
+		}
 		gssContext = checkToken(spnegoToken);
 		if (gssContext == null)
 			return false;
-		else
+		else {
+			if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)) {
+				try {
+					if (gssContext.getCredDelegState()) {
+						// commit will succeeed only if we have credential delegation
+						GSSName name = gssContext.getSrcName();
+						String username = name.toString();
+						sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, username);
+					}
+				} catch (GSSException e) {
+					throw new IllegalStateException("Cannot retrieve SPNEGO name", e);
+				}
+			}
 			return true;
-		// try {
-		// String clientName = gssContext.getSrcName().toString();
-		// String role = clientName.substring(clientName.indexOf('@') + 1);
-		//
-		// log.debug("SpnegoUserRealm: established a security context");
-		// log.debug("Client Principal is: " + gssContext.getSrcName());
-		// log.debug("Server Principal is: " + gssContext.getTargName());
-		// log.debug("Client Default Role: " + role);
-		// } catch (GSSException e) {
-		// // TODO Auto-generated catch block
-		// e.printStackTrace();
-		// }
+		}
 	}
 
 	@Override
@@ -63,14 +71,12 @@ public class SpnegoLoginModule implements LoginModule {
 			return false;
 
 		try {
-			Class<?> gssUtilsClass = Class.forName("com.sun.security.jgss.GSSUtil");
-			Method createSubjectMethod = gssUtilsClass.getMethod("createSubject", GSSName.class, GSSCredential.class);
 			Subject gssSubject;
 			if (gssContext.getCredDelegState())
-				gssSubject = (Subject) createSubjectMethod.invoke(null, gssContext.getSrcName(),
-						gssContext.getDelegCred());
+				gssSubject = (Subject) GSSUtil.createSubject(gssContext.getSrcName(), gssContext.getDelegCred());
 			else
-				gssSubject = (Subject) createSubjectMethod.invoke(null, gssContext.getSrcName(), null);
+				gssSubject = (Subject) GSSUtil.createSubject(gssContext.getSrcName(), null);
+			// without credential delegation we won't have access to the Kerberos key
 			subject.getPrincipals().addAll(gssSubject.getPrincipals());
 			subject.getPrivateCredentials().addAll(gssSubject.getPrivateCredentials());
 			return true;
@@ -111,8 +117,7 @@ public class SpnegoLoginModule implements LoginModule {
 	private GSSContext checkToken(byte[] authToken) {
 		GSSManager manager = GSSManager.getInstance();
 		try {
-			GSSContext gContext = manager.createContext(CmsContextImpl.getAcceptorCredentials());
-
+			GSSContext gContext = manager.createContext(CmsContextImpl.getCmsContext().getAcceptorCredentials());
 			if (gContext == null) {
 				log.debug("SpnegoUserRealm: failed to establish GSSContext");
 			} else {
@@ -132,8 +137,4 @@ public class SpnegoLoginModule implements LoginModule {
 
 	}
 
-	@Deprecated
-	public static boolean hasAcceptorCredentials() {
-		return CmsContextImpl.getAcceptorCredentials() != null;
-	}
 }