X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=0f7f0bdeed37c6e489f67cd9a67bd4cd965d99aa;hb=ebd927da42511bb5959000c50a39974c6cfa5f49;hp=b368b1de5345da3aad3118d217d5a0c3fb9ba3a0;hpb=2fc5ac92dd1de5d93328766fc86b37086b518b98;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index b368b1de5..0f7f0bdee 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -157,43 +157,48 @@ public class UserAdminLoginModule implements LoginModule { // return true; // } UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class)); - Authorization authorization = null; - User authenticatingUser; - Set kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class); - if (kerberosPrincipals.isEmpty()) { - if (callbackHandler == null) { - authorization = userAdmin.getAuthorization(null); - } - if (authenticatedUser == null) { - return false; + Authorization authorization; + if (callbackHandler == null) {// anonymous + authorization = userAdmin.getAuthorization(null); + } else { + User authenticatingUser; + Set kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class); + if (kerberosPrincipals.isEmpty()) { + if (authenticatedUser == null) { + if(log.isTraceEnabled()) + log.trace("Neither kerberos nor user admin login succeeded. Login failed."); + return false; + } else { + authenticatingUser = authenticatedUser; + } } else { - authenticatingUser = authenticatedUser; + KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next(); + LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName()); + authenticatingUser = new AuthenticatingUser(dn); + if (authenticatedUser != null && !authenticatingUser.getName().equals(authenticatedUser.getName())) + throw new LoginException("Kerberos login " + authenticatingUser.getName() + + " is inconsistent with user admin login " + authenticatedUser.getName()); } - } else { - KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next(); - LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName()); - authenticatingUser = new AuthenticatingUser(dn); - } - if (authorization == null) - authorization = Subject.doAs(subject, new PrivilegedAction() { + authorization = Subject.doAs(subject, new PrivilegedAction() { - @Override - public Authorization run() { - Authorization authorization = userAdmin.getAuthorization(authenticatingUser); - return 
authorization; - } + @Override + public Authorization run() { + Authorization authorization = userAdmin.getAuthorization(authenticatingUser); + return authorization; + } - }); - if (authorization == null) - return false; + }); + if (authorization == null) + throw new LoginException("User admin found no authorization for authenticated user "+authenticatingUser.getName()); + } // Log and monitor new login - CmsAuthUtils.addAuthentication(subject, authorization); + CmsAuthUtils.addAuthorization(subject, authorization, (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST)); +// HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); +// if (request != null) { +// CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization); +// } if (log.isDebugEnabled()) log.debug("Logged in to CMS: " + subject); - HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); - if (request != null) { - CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization); - } return true; }
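Review bot: The anonymous branch (`callbackHandler == null`) no longer guards against a null `Authorization`: the removed `if (authorization == null) return false;` covered both paths, while the new `throw new LoginException(...)` sits inside the `else`, so a `userAdmin.getAuthorization(null)` that returns null would now reach `CmsAuthUtils.addAuthorization(subject, null, ...)`. Whether that can happen depends on the UserAdmin implementation (the OSGi contract is that the anonymous authorization is non-null), but the old code did not rely on that, so I would keep the guard in the anonymous branch: `if (authorization == null) throw new LoginException("User admin returned no anonymous authorization");`. Separately, `kerberosPrincipals.iterator().next()` compares only one arbitrarily chosen principal against `authenticatedUser` when the subject carries several; rejecting `kerberosPrincipals.size() > 1` with a LoginException would make the consistency check complete. The enclosing method starts before this hunk, so how `authenticatedUser` and `callbackHandler` are populated is not visible here.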