X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.jackrabbit%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FSystemJackrabbitLoginModule.java;h=9977938eccb4029dc6ec683a4e1796a4e0370452;hb=34130a879d419e1def9526d9d31f8aaa55c950d4;hp=466402d4e6117faeb9c734746a23f43cbd998deb;hpb=93a457cf047cebb0170abd0f37a9b4291a2ae3e9;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/SystemJackrabbitLoginModule.java b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/SystemJackrabbitLoginModule.java
index 466402d4e..9977938ec 100644
--- a/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/SystemJackrabbitLoginModule.java
+++ b/org.argeo.security.jackrabbit/src/org/argeo/security/jackrabbit/SystemJackrabbitLoginModule.java
@@ -1,6 +1,5 @@
 package org.argeo.security.jackrabbit;
-import java.security.Principal;
 import java.util.Map;
 import java.util.Set;
@@ -8,9 +7,11 @@ import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
+import javax.security.auth.x500.X500Principal;
-import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.SecurityConstants;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
+import org.argeo.security.SystemAuth;
 public class SystemJackrabbitLoginModule implements LoginModule {
@@ -29,32 +30,51 @@ public class SystemJackrabbitLoginModule implements LoginModule {
 @Override
 public boolean commit() throws LoginException {
- Set principals = subject.getPrincipals();
- if (principals.isEmpty()) {// system
- subject.getPrincipals().add(new AdminPrincipal("admin"));
+ Set initPrincipal = subject
+ .getPrincipals(SystemAuth.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals().add(
+ new AdminPrincipal(SecurityConstants.ADMIN_ID));
 return true;
 }
- boolean isAdmin = false;
- boolean isAnonymous = false;
- // FIXME make it more generic
- for (Principal principal : principals) {
- if (principal.getName().equalsIgnoreCase(
- "cn=admin,ou=system,ou=node"))
- isAdmin = true;
- else if (principal.getName().equalsIgnoreCase(
- "cn=anonymous,ou=system,ou=node"))
- isAnonymous = true;
- }
- if (isAnonymous && isAdmin)
- throw new LoginException("Cannot be admin and anonymous");
+ Set userPrincipal = subject
+ .getPrincipals(X500Principal.class);
+ if (userPrincipal.isEmpty())
+ throw new LoginException("Subject must be pre-authenticated");
+ if (userPrincipal.size() > 1)
+ throw new LoginException("Multiple user principals "
+ + userPrincipal);
- // Add special Jackrabbit roles
- if (isAdmin)
- principals.add(new AdminPrincipal("admin"));
- if (isAnonymous)// anonymous
- principals.add(new AnonymousPrincipal());
 return true;
+
+ // Set principals = subject.getPrincipals();
+ // if (principals.isEmpty()) {// system
+ // throw new LoginException("Subject must be pre-authenticated");
+ // // subject.getPrincipals().add(new AdminPrincipal("admin"));
+ // // return true;
+ // }
+ // boolean isAdmin = false;
+ // boolean isAnonymous = false;
+ // // FIXME make it more generic
+ // for (Principal principal : principals) {
+ // if (principal.getName().equalsIgnoreCase(
+ // "cn=admin,ou=roles,ou=node"))
+ // isAdmin = true;
+ // else if (principal.getName().equalsIgnoreCase(
+ // "cn=anonymous,ou=roles,ou=node"))
+ // isAnonymous = true;
+ // }
+ //
+ // if (isAnonymous && isAdmin)
+ // throw new LoginException("Cannot be admin and anonymous");
+ //
+ // // Add special Jackrabbit roles
+ // if (isAdmin)
+ // principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
+ // if (isAnonymous)// anonymous
+ // principals.add(new AnonymousPrincipal());
+ // return true;
 }
 @Override
@@ -64,9 +84,14 @@ public class SystemJackrabbitLoginModule implements LoginModule {
 @Override
 public boolean logout() throws LoginException {
- subject.getPrincipals().removeAll(
- subject.getPrincipals(AdminPrincipal.class));
+ Set initPrincipal = subject
+ .getPrincipals(SystemAuth.class);
+ if (!initPrincipal.isEmpty()) {
+ subject.getPrincipals(AdminPrincipal.class);
+ return true;
+ }
+ // subject.getPrincipals().removeAll(
+ // subject.getPrincipals(AdminPrincipal.class));
 return true;
 }
-
 }
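Review bot: The trust contract of commit() is left undocumented: the new code hands out `AdminPrincipal(SecurityConstants.ADMIN_ID)` on the mere presence of a `SystemAuth` principal and treats any single `X500Principal` as proof of prior authentication, yet nothing says which earlier module in the JAAS stack is expected to put those principals on the Subject. A Javadoc on commit() should state that this module performs no authentication itself and relies on the login configuration having already populated either a SystemAuth principal or exactly one X500Principal, so that a misordered stack is recognised as a configuration error rather than silently granting admin. The roughly thirty commented-out lines appended after the final `return true;` (carrying stale DNs and a FIXME) are unreachable and belong to history, not to the file; they should be deleted. `Set initPrincipal` and `Set userPrincipal` appear here without a type argument, as does the same variable in logout(); if that is not a rendering artifact of this page, they should be `Set<SystemAuth>` and `Set<X500Principal>` rather than raw types. login() lies outside the hunk, so whether commit() returns false when this module's login was ignored cannot be checked here.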
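Review bot: The new `subject.getPrincipals(AdminPrincipal.class);` inside the `if (!initPrincipal.isEmpty())` branch of logout() only returns a filtered set and discards it, so the AdminPrincipal that commit() added for a SystemAuth subject is never removed and the Subject keeps Jackrabbit admin rights after logout; the removed line is what actually did the cleanup. The branch should read `subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));`, after which its own `return true;` duplicates the one below and can go. The two commented-out lines that follow repeat that same call and should be deleted rather than kept as a comment.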