From 76a7e65ffa515c0dbd7a5587b29ffc9bba449542 Mon Sep 17 00:00:00 2001 From: Mathieu Baudier Date: Mon, 9 Jan 2017 11:17:30 +0100 Subject: [PATCH] Support anonymous and http session in IPA mode --- .../argeo/cms/ui/AbstractCmsEntryPoint.java | 7 +- .../src/org/argeo/cms/auth/CmsAuthUtils.java | 94 +++++++++++++++++++ .../cms/auth/HttpSessionLoginModule.java | 78 +-------------- .../org/argeo/cms/auth/IpaLoginModule.java | 14 ++- .../cms/internal/kernel/CmsDeployment.java | 10 ++ .../argeo/cms/internal/kernel/jaas-ipa.cfg | 3 +- 6 files changed, 123 insertions(+), 83 deletions(-) diff --git a/org.argeo.cms.ui/src/org/argeo/cms/ui/AbstractCmsEntryPoint.java b/org.argeo.cms.ui/src/org/argeo/cms/ui/AbstractCmsEntryPoint.java index 9f7811aa4..f310f31e2 100644 --- a/org.argeo.cms.ui/src/org/argeo/cms/ui/AbstractCmsEntryPoint.java +++ b/org.argeo.cms.ui/src/org/argeo/cms/ui/AbstractCmsEntryPoint.java @@ -12,7 +12,6 @@ import javax.jcr.RepositoryException; import javax.jcr.Session; import javax.jcr.nodetype.NodeType; import javax.security.auth.Subject; -import javax.security.auth.login.CredentialNotFoundException; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import javax.servlet.http.HttpServletRequest; @@ -75,15 +74,13 @@ public abstract class AbstractCmsEntryPoint extends AbstractEntryPoint implement loginContext = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(UiContext.getHttpRequest())); loginContext.login(); - } catch (CredentialNotFoundException e) { + } catch (LoginException e) { try { loginContext = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER); loginContext.login(); } catch (LoginException e1) { throw new CmsException("Cannot log in as anonymous", e1); } - } catch (LoginException e) { - throw new CmsException("Cannot initialize subject", e); } authChange(loginContext); @@ -179,7 +176,7 @@ public abstract class AbstractCmsEntryPoint extends AbstractEntryPoint implement anonymousLc.login(); authChange(anonymousLc); } catch (LoginException e) { - throw new CmsException("Cannot logout", e); + log.error("Cannot logout", e); } } diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java index 63936c897..760544b81 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java @@ -1,24 +1,38 @@ package org.argeo.cms.auth; import java.security.Principal; +import java.util.Collection; import java.util.Set; import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpSession; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; //import org.apache.jackrabbit.core.security.AnonymousPrincipal; //import org.apache.jackrabbit.core.security.SecurityConstants; //import org.apache.jackrabbit.core.security.principal.AdminPrincipal; import org.argeo.cms.CmsException; import org.argeo.cms.internal.auth.ImpliedByPrincipal; +import org.argeo.cms.internal.kernel.WebCmsSessionImpl; import org.argeo.node.security.AnonymousPrincipal; import org.argeo.node.security.DataAdminPrincipal; import org.argeo.node.security.NodeSecurityUtils; +import org.osgi.framework.BundleContext; +import org.osgi.framework.InvalidSyntaxException; +import org.osgi.framework.ServiceReference; +import org.osgi.service.http.HttpContext; import org.osgi.service.useradmin.Authorization; class CmsAuthUtils { + private final static Log log = LogFactory.getLog(CmsAuthUtils.class); + + /** Shared HTTP request */ + static final String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request"; /** From org.osgi.service.http.HttpContext */ static final String SHARED_STATE_AUTHORIZATION = "org.osgi.service.useradmin.authorization"; /** From com.sun.security.auth.module.*LoginModule */ @@ -99,7 +113,87 @@ class CmsAuthUtils { // public static final String SHARED_STATE_PASSWORD = // "javax.security.auth.login.password"; + static void registerSessionAuthorization(BundleContext bc, HttpServletRequest request, Subject subject, + Authorization authorization) { + String httpSessId = request.getSession().getId(); + if (authorization.getName() != null) { + request.setAttribute(HttpContext.REMOTE_USER, authorization.getName()); + request.setAttribute(HttpContext.AUTHORIZATION, authorization); + + HttpSession httpSession = request.getSession(); + if (httpSession.getAttribute(HttpContext.AUTHORIZATION) == null) { + + Collection> sr; + try { + sr = bc.getServiceReferences(WebCmsSession.class, + "(" + WebCmsSession.CMS_SESSION_ID + "=" + httpSessId + ")"); + } catch (InvalidSyntaxException e) { + throw new CmsException("Cannot get CMS session for id " + httpSessId, e); + } + ServiceReference cmsSessionRef; + if (sr.size() == 1) { + cmsSessionRef = sr.iterator().next(); + } else if (sr.size() == 0) { + WebCmsSessionImpl cmsSessionImpl = new WebCmsSessionImpl(httpSessId, authorization); + cmsSessionRef = cmsSessionImpl.getServiceRegistration().getReference(); + if (log.isDebugEnabled()) + log.debug("Initialized " + cmsSessionImpl + " for " + authorization.getName()); + } else + throw new CmsException(sr.size() + " CMS sessions registered for " + httpSessId); + + WebCmsSessionImpl cmsSession = (WebCmsSessionImpl) bc.getService(cmsSessionRef); + cmsSession.addHttpSession(request); + if (log.isTraceEnabled()) + log.trace("Added " + request.getServletPath() + " to " + cmsSession + " (" + request.getRequestURI() + + ")"); + // httpSession.setAttribute(HttpContext.REMOTE_USER, + // authorization.getName()); + // httpSession.setAttribute(HttpContext.AUTHORIZATION, + // authorization); + } + } + HttpSessionId httpSessionId = new HttpSessionId(httpSessId); + if (subject.getPrivateCredentials(HttpSessionId.class).size() == 0) + subject.getPrivateCredentials().add(httpSessionId); + else { + String storedSessionId = subject.getPrivateCredentials(HttpSessionId.class).iterator().next().getValue(); + // if (storedSessionId.equals(httpSessionId.getValue())) + throw new CmsException( + "Subject already logged with session " + storedSessionId + " (not " + httpSessionId + ")"); + } + } + + static boolean logoutSession(BundleContext bc, Subject subject) { + String httpSessionId; + if (subject.getPrivateCredentials(HttpSessionId.class).size() == 1) + httpSessionId = subject.getPrivateCredentials(HttpSessionId.class).iterator().next().getValue(); + else + return false; + Collection> srs; + try { + srs = bc.getServiceReferences(WebCmsSession.class, + "(" + WebCmsSession.CMS_SESSION_ID + "=" + httpSessionId + ")"); + } catch (InvalidSyntaxException e) { + throw new CmsException("Cannot retrieve CMS session #" + httpSessionId, e); + } + + if (srs.size() == 0) { + if (log.isTraceEnabled()) + log.warn("No CMS web session found for http session " + httpSessionId); + return false; + } else if (srs.size() > 1) + throw new CmsException(srs.size() + " CMS web sessions found for http session " + httpSessionId); + + WebCmsSessionImpl cmsSession = (WebCmsSessionImpl) bc.getService(srs.iterator().next()); + cmsSession.cleanUp(); + subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(HttpSessionId.class)); + if (log.isDebugEnabled()) + log.debug("Cleaned up " + cmsSession); + return true; + } + private CmsAuthUtils() { } + } diff --git a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java index da0fe2d46..eac68036d 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java @@ -11,7 +11,6 @@ import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpSession; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -87,6 +86,7 @@ public class HttpSessionLoginModule implements LoginModule { throw new CmsException(sr.size() + ">1 web sessions detected for http session " + httpSessionId); } + sharedState.put(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST, request); if (authorization == null) return false; sharedState.put(CmsAuthUtils.SHARED_STATE_AUTHORIZATION, authorization); @@ -143,15 +143,7 @@ public class HttpSessionLoginModule implements LoginModule { } if (request == null) return false; - HttpSessionId httpSessionId = registerAuthorization(request, authorizationToRegister); - if (subject.getPrivateCredentials(HttpSessionId.class).size() == 0) - subject.getPrivateCredentials().add(httpSessionId); - else { - String storedSessionId = subject.getPrivateCredentials(HttpSessionId.class).iterator().next().getValue(); - // if (storedSessionId.equals(httpSessionId.getValue())) - throw new LoginException( - "Subject already logged with session " + storedSessionId + " (not " + httpSessionId + ")"); - } + CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorizationToRegister); if (authorization != null) { // CmsAuthUtils.addAuthentication(subject, authorization); @@ -163,47 +155,6 @@ public class HttpSessionLoginModule implements LoginModule { } } - private HttpSessionId registerAuthorization(HttpServletRequest request, Authorization authorization) { - String httpSessionId = request.getSession().getId(); - if (authorization.getName() != null) { - request.setAttribute(HttpContext.REMOTE_USER, authorization.getName()); - request.setAttribute(HttpContext.AUTHORIZATION, authorization); - - HttpSession httpSession = request.getSession(); - if (httpSession.getAttribute(HttpContext.AUTHORIZATION) == null) { - - Collection> sr; - try { - sr = bc.getServiceReferences(WebCmsSession.class, - "(" + WebCmsSession.CMS_SESSION_ID + "=" + httpSessionId + ")"); - } catch (InvalidSyntaxException e) { - throw new CmsException("Cannot get CMS session for id " + httpSessionId, e); - } - ServiceReference cmsSessionRef; - if (sr.size() == 1) { - cmsSessionRef = sr.iterator().next(); - } else if (sr.size() == 0) { - WebCmsSessionImpl cmsSessionImpl = new WebCmsSessionImpl(httpSessionId, authorization); - cmsSessionRef = cmsSessionImpl.getServiceRegistration().getReference(); - if (log.isDebugEnabled()) - log.debug("Initialized " + cmsSessionImpl + " for " + authorization.getName()); - } else - throw new CmsException(sr.size() + " CMS sessions registered for " + httpSessionId); - - WebCmsSessionImpl cmsSession = (WebCmsSessionImpl) bc.getService(cmsSessionRef); - cmsSession.addHttpSession(request); - if (log.isTraceEnabled()) - log.trace("Added " + request.getServletPath() + " to " + cmsSession + " (" + request.getRequestURI() - + ")"); - // httpSession.setAttribute(HttpContext.REMOTE_USER, - // authorization.getName()); - // httpSession.setAttribute(HttpContext.AUTHORIZATION, - // authorization); - } - } - return new HttpSessionId(httpSessionId); - } - @Override public boolean abort() throws LoginException { cleanUp(); @@ -217,30 +168,7 @@ public class HttpSessionLoginModule implements LoginModule { @Override public boolean logout() throws LoginException { - String httpSessionId; - if (subject.getPrivateCredentials(HttpSessionId.class).size() == 1) - httpSessionId = subject.getPrivateCredentials(HttpSessionId.class).iterator().next().getValue(); - else - return false; - Collection> srs; - try { - srs = bc.getServiceReferences(WebCmsSession.class, - "(" + WebCmsSession.CMS_SESSION_ID + "=" + httpSessionId + ")"); - } catch (InvalidSyntaxException e) { - throw new CmsException("Cannot retrieve CMS session #" + httpSessionId, e); - } - - if (srs.size() == 0) - throw new CmsException("No CMS web session found for http session " + httpSessionId); - else if (srs.size() > 1) - throw new CmsException(srs.size() + " CMS web sessions found for http session " + httpSessionId); - - WebCmsSessionImpl cmsSession = (WebCmsSessionImpl) bc.getService(srs.iterator().next()); - cmsSession.cleanUp(); - subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(HttpSessionId.class)); - if (log.isDebugEnabled()) - log.debug("Cleaned up " + cmsSession); - return true; + return CmsAuthUtils.logoutSession(bc, subject); } } diff --git a/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java index 3ed485619..6cb6ab11d 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java @@ -11,6 +11,7 @@ import javax.security.auth.callback.CallbackHandler; import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; +import javax.servlet.http.HttpServletRequest; import org.argeo.cms.CmsException; import org.argeo.naming.LdapAttrs; @@ -22,11 +23,15 @@ import org.osgi.service.useradmin.UserAdmin; public class IpaLoginModule implements LoginModule { private BundleContext bc; private Subject subject; + private Map sharedState = null; + private CallbackHandler callbackHandler; @Override public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { this.subject = subject; + this.sharedState = (Map) sharedState; + this.callbackHandler = callbackHandler; try { bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext(); assert bc != null; @@ -46,6 +51,8 @@ public class IpaLoginModule implements LoginModule { Authorization authorization = null; Set kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class); if (kerberosPrincipals.isEmpty()) { + if(callbackHandler!=null) + throw new LoginException("Cannot be anonymous if callback handler is set"); authorization = userAdmin.getAuthorization(null); } else { KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next(); @@ -64,6 +71,10 @@ public class IpaLoginModule implements LoginModule { if (authorization == null) return false; CmsAuthUtils.addAuthentication(subject, authorization); + HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); + if (request != null) { + CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization); + } return true; } @@ -91,8 +102,7 @@ public class IpaLoginModule implements LoginModule { @Override public boolean logout() throws LoginException { - // TODO Auto-generated method stub - return false; + return CmsAuthUtils.logoutSession(bc, subject); } } diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java index e30249f3c..1d1734d36 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/CmsDeployment.java @@ -36,6 +36,7 @@ import org.osgi.framework.ServiceReference; import org.osgi.framework.wiring.BundleCapability; import org.osgi.framework.wiring.BundleWire; import org.osgi.framework.wiring.BundleWiring; +import org.osgi.service.cm.Configuration; import org.osgi.service.cm.ConfigurationAdmin; import org.osgi.service.cm.ManagedService; import org.osgi.service.http.HttpService; @@ -88,6 +89,15 @@ public class CmsDeployment implements NodeDeployment { ConfigurationAdmin configurationAdmin = bc.getService(reference); deployConfig = new DeployConfig(configurationAdmin, cleanState); httpExpected = deployConfig.getProps(KernelConstants.JETTY_FACTORY_PID, "default") != null; + try { + Configuration[] configs= configurationAdmin.listConfigurations("(service.factoryPid="+NodeConstants.NODE_REPOS_FACTORY_PID+")"); + for(Configuration config:configs){ + Object cn = config.getProperties().get(NodeConstants.CN); + log.debug("Standalone repo cn: "+cn); + } + } catch (Exception e) { + throw new CmsException("Cannot initialize config", e); + } return super.addingService(reference); } }.open(); diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-ipa.cfg b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-ipa.cfg index 33c556f57..690bfc198 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-ipa.cfg +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas-ipa.cfg @@ -1,5 +1,6 @@ USER { - com.sun.security.auth.module.Krb5LoginModule required clearPass=true; + org.argeo.cms.auth.HttpSessionLoginModule sufficient; + com.sun.security.auth.module.Krb5LoginModule optional clearPass=true; org.argeo.cms.auth.IpaLoginModule requisite; }; -- 2.30.2