X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=e39918e4002d40d18584ad91819a2a86545c92e5;hb=35507e18257f2e9f59842ba5120fcd3f19c4cf4d;hp=1d91a21ca4802e861671bc9ec0afd3c75ee89b36;hpb=a5459b7f0a4ce0463b950efd5c776368fe169256;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index 1d91a21ca..e39918e40 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -2,6 +2,7 @@ package org.argeo.cms.auth;
 
 import java.io.IOException;
 import java.security.PrivilegedAction;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
@@ -26,9 +27,11 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
+import org.argeo.osgi.useradmin.OsUserUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.service.useradmin.Authorization;
@@ -52,6 +55,8 @@ public class UserAdminLoginModule implements LoginModule {
 
 	private Authorization bindAuthorization = null;
 
+	private boolean singleUser = Activator.isSingleUser();
+
 	@SuppressWarnings("unchecked")
 	@Override
 	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
@@ -71,13 +76,24 @@ public class UserAdminLoginModule implements LoginModule {
 		UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
 		final String username;
 		final char[] password;
+		X509Certificate[] certificateChain = null;
 		if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
 				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
 			// NB: required by Basic http auth
 			username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
 			password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
 			// // TODO locale?
+		} else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
+				&& sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
+			// NB: required by Basic http auth
+			username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+			certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+			password = null;
+		} else if (singleUser) {
+			username = OsUserUtils.getOsUsername();
+			password = null;
 		} else {
+
 			// ask for username and password
 			NameCallback nameCallback = new NameCallback("User");
 			PasswordCallback passwordCallback = new PasswordCallback("Password", false);
@@ -95,7 +111,7 @@ public class UserAdminLoginModule implements LoginModule {
 			if (locale == null)
 				locale = Locale.getDefault();
 			// FIXME add it to Subject
-			// UiContext.setLocale(locale);
+			// Locale.setDefault(locale);
 
 			username = nameCallback.getName();
 			if (username == null || username.trim().equals("")) {
@@ -107,34 +123,49 @@ public class UserAdminLoginModule implements LoginModule {
 			else
 				throw new CredentialNotFoundException("No credentials provided");
 		}
-
 		User user = searchForUser(userAdmin, username);
 		if (user == null)
 			return true;// expect Kerberos
-		
-		// try bind first
-		try {
-			AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password);
-			bindAuthorization = userAdmin.getAuthorization(authenticatingUser);
-			// TODO check tokens as well
-			if (bindAuthorization != null)
-				return true;
-		} catch (Exception e) {
-			// silent
-			if(log.isTraceEnabled())
-				log.trace("Bind failed", e);
-		}
-		
-		// works only if a connection password is provided
-		if (!user.hasCredential(null, password)) {
-			return false;
+
+		if (password != null) {
+			// try bind first
+			try {
+				AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password);
+				bindAuthorization = userAdmin.getAuthorization(authenticatingUser);
+				// TODO check tokens as well
+				if (bindAuthorization != null) {
+					authenticatedUser = user;
+					return true;
+				}
+			} catch (Exception e) {
+				// silent
+				if (log.isTraceEnabled())
+					log.trace("Bind failed", e);
+			}
+
+			// works only if a connection password is provided
+			if (!user.hasCredential(null, password)) {
+				return false;
+			}
+		} else if (certificateChain != null) {
+			// TODO check CRLs/OSCP validity?
+			// NB: authorization in commit() will work only if an LDAP connection password
+			// is provided
+		} else if (singleUser) {
+			// TODO verify IP address?
+		} else {
+			throw new CredentialNotFoundException("No credentials provided");
 		}
+
 		authenticatedUser = user;
 		return true;
 	}
 
 	@Override
 	public boolean commit() throws LoginException {
+		if (singleUser) {
+			OsUserUtils.loginAsSystemUser(subject);
+		}
 		UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
 		Authorization authorization;
 		if (callbackHandler == null) {// anonymous