From 998f2785e9571572c21117da28fbd1d681cc33a4 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Fri, 7 Aug 2015 16:51:07 +0000
Subject: [PATCH] Introduce Single User login
git-svn-id: https://svn.argeo.org/commons/trunk@8308 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---
 .../src/org/argeo/cms/KernelHeader.java | 1 +
 .../internal/auth/AbstractLoginModule.java | 12 ++++---
 .../internal/auth/SingleUserLoginModule.java | 36 +++++++++++++++++++
 .../cms/internal/kernel/NodeSecurity.java | 6 ++++
 .../org/argeo/cms/internal/kernel/jaas.cfg | 6 ++++
 5 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 org.argeo.cms/src/org/argeo/cms/internal/auth/SingleUserLoginModule.java
diff --git a/org.argeo.cms/src/org/argeo/cms/KernelHeader.java b/org.argeo.cms/src/org/argeo/cms/KernelHeader.java
index 94477c3d4..c2dd2cae7 100644
--- a/org.argeo.cms/src/org/argeo/cms/KernelHeader.java
+++ b/org.argeo.cms/src/org/argeo/cms/KernelHeader.java
@@ -6,6 +6,7 @@ public interface KernelHeader {
 final static String LOGIN_CONTEXT_USER = "USER";
 final static String LOGIN_CONTEXT_ANONYMOUS = "ANONYMOUS";
 final static String LOGIN_CONTEXT_SYSTEM = "SYSTEM";
+ final static String LOGIN_CONTEXT_SINGLE_USER = "SINGLE_USER";
 // RESERVED ROLES
 public final static String ROLE_ADMIN = "ROLE_ADMIN";
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/AbstractLoginModule.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/AbstractLoginModule.java
index baf6b6317..89312a3dc 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/auth/AbstractLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/AbstractLoginModule.java
@@ -161,11 +161,13 @@ public abstract class AbstractLoginModule implements LoginModule {
 SecurityContextHolder.getContext().setAuthentication(null);
 if (Display.getCurrent() != null) {
 HttpServletRequest httpRequest = RWT.getRequest();
- HttpSession httpSession = httpRequest.getSession();
- if (httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) != null)
- httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, null);
- // expire session
- httpSession.setMaxInactiveInterval(0);
+ if (httpRequest != null) {
+ HttpSession httpSession = httpRequest.getSession();
+ if (httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) != null)
+ httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, null);
+ // expire session
+ httpSession.setMaxInactiveInterval(0);
+ }
 }
 return true;
 }
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/SingleUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/SingleUserLoginModule.java
new file mode 100644
index 000000000..a00c9220d
--- /dev/null
+++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/SingleUserLoginModule.java
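Review bot: In the logout path of AbstractLoginModule.java, `httpSession.setMaxInactiveInterval(0)` under the `// expire session` comment is not a reliable way to end the session: recent Servlet API versions document a zero or negative interval as "never time out", and older containers differ, so the session may outlive the logout. The new null guard is also followed by `httpRequest.getSession()`, which creates a session when none exists. Prefer `HttpSession httpSession = httpRequest.getSession(false);` with a null check, and `httpSession.invalidate();` in place of the interval call. The enclosing method starts above the hunk, so any earlier session handling is not visible here.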
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.argeo.cms.internal.auth;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+
+import org.argeo.security.OsAuthenticationToken;
+import org.springframework.security.core.Authentication;
+
+/** Login module which caches one subject per thread. */
+public class SingleUserLoginModule extends AbstractLoginModule {
+ @Override
+ protected Authentication processLogin(CallbackHandler callbackHandler)
+ throws LoginException, UnsupportedCallbackException, IOException,
+ InterruptedException {
+ OsAuthenticationToken token = new OsAuthenticationToken();
+ return getAuthenticationManager().authenticate(token);
+ }
+}
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
index e841bfc3d..f279ba5ea 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeSecurity.java
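Review bot: `processLogin` in the new SingleUserLoginModule never uses `callbackHandler` and authenticates a no-argument `OsAuthenticationToken`, so no credential is collected; the outcome appears to depend only on the OS account running the JVM (OsAuthenticationProvider is not visible in this patch). The same applies to the `OsAuthenticationToken` branch added to NodeSecurity.authenticate and to the SINGLE_USER stanza in jaas.cfg later in this patch, where `osAuth` is built without a key while `internalAuth` takes `Activator.getSystemKey()`. That is reasonable for a local single-user deployment, but the SINGLE_USER context should not be selectable from a remote or multi-user entry point, and the code should say so. The class Javadoc `/** Login module which caches one subject per thread. */` does not describe this behaviour; something like `/** Logs in as the OS user running the JVM, without prompting; for single-user deployments only. */` would.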
@@ -10,9 +10,11 @@ import org.argeo.cms.CmsException;
 import org.argeo.cms.internal.useradmin.JcrUserAdmin;
 import org.argeo.cms.internal.useradmin.SimpleJcrSecurityModel;
 import org.argeo.cms.internal.useradmin.jackrabbit.JackrabbitUserAdminService;
+import org.argeo.security.OsAuthenticationToken;
 import org.argeo.security.UserAdminService;
 import org.argeo.security.core.InternalAuthentication;
 import org.argeo.security.core.InternalAuthenticationProvider;
+import org.argeo.security.core.OsAuthenticationProvider;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.ServiceRegistration;
 import org.osgi.service.useradmin.UserAdmin;
@@ -30,6 +32,7 @@ class NodeSecurity implements AuthenticationManager {
 private final BundleContext bundleContext;
+ private final OsAuthenticationProvider osAuth;
 private final InternalAuthenticationProvider internalAuth;
 private final AnonymousAuthenticationProvider anonymousAuth;
 private final JackrabbitUserAdminService userAdminService;
@@ -50,6 +53,7 @@ class NodeSecurity implements AuthenticationManager {
 this.bundleContext = bundleContext;
+ osAuth = new OsAuthenticationProvider();
 internalAuth = new InternalAuthenticationProvider( Activator.getSystemKey());
 anonymousAuth = new AnonymousAuthenticationProvider(
@@ -100,6 +104,8 @@ class NodeSecurity implements AuthenticationManager {
 auth = anonymousAuth.authenticate(authentication);
 else if (authentication instanceof UsernamePasswordAuthenticationToken)
 auth = userAdminService.authenticate(authentication);
+ else if (authentication instanceof OsAuthenticationToken)
+ auth = osAuth.authenticate(authentication);
 if (auth == null)
 throw new CmsException("Could not authenticate " + authentication);
 return auth;
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
index cc1a07499..c8033b1bd 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/jaas.cfg
@@ -16,3 +16,9 @@ SYSTEM {
 KEYRING {
 org.argeo.security.crypto.KeyringLoginModule required;
 };
+
+SINGLE_USER {
+ com.sun.security.auth.module.UnixLoginModule requisite;
+ org.argeo.cms.internal.auth.SingleUserLoginModule requisite;
+ org.springframework.security.authentication.jaas.SecurityContextLoginModule requisite;
+};
--
2.30.2
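Review bot: The SINGLE_USER stanza hard-wires `com.sun.security.auth.module.UnixLoginModule` as its first `requisite` entry, which ties this login context to Unix-like hosts and to a JDK-specific class; on other platforms the login would presumably fail at that first module. If single-user mode is meant to work elsewhere, the OS module needs to be selected per platform. Otherwise a comment above the stanza would make the constraint explicit, for example `// SINGLE_USER: Unix only, identity taken from the JVM's OS user, no credential check`.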