From da55282938aaebf9fa148454dbc8add9c558501f Mon Sep 17 00:00:00 2001 
From: Mathieu Baudier Date: Sun, 27 Mar 2011 13:39:41 +0000 Subject: [PATCH] Improve RCP security git-svn-id: https://svn.argeo.org/commons/trunk@4383 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc --- .../ui/jcr/browser/HomeContentProvider.java | 14 ++ .../ui/jcr/views/UserCentricJcrBrowser.java | 158 ++++++++++++++++++ gis/runtime/org.argeo.gis.geotools/pom.xml | 4 - .../META-INF/MANIFEST.MF | 4 + .../META-INF/spring/jcrsecuritydao-osgi.xml | 23 ++- .../META-INF/spring/jcrsecuritydao.xml | 5 +- .../META-INF/spring/services.xml | 38 +++++ .../security.properties | 1 + .../META-INF/jaas_default.txt | 5 + .../META-INF/spring/application-osgi.xml | 16 ++ .../META-INF/spring/application.xml | 10 ++ .../org.argeo.security.ui.rcp/plugin.xml | 2 +- .../ui/rcp/AbstractSecureApplication.java | 1 + .../META-INF/spring/osgi.xml | 3 +- .../core/OsAuthenticationProvider.java | 34 +++- .../jcr/OsJcrAuthenticationProvider.java | 64 ++++--- .../jcr/SecureThreadBoundSession.java | 16 +- .../jackrabbit/ArgeoSecurityManager.java | 9 +- .../META-INF/spring/osgi.xml | 2 +- .../argeo/jackrabbit/JackrabbitContainer.java | 1 - .../src/main/java/org/argeo/jcr/JcrUtils.java | 18 ++ .../jcr/ThreadBoundJcrSessionFactory.java | 2 +- .../argeo/jcr/spring/ThreadBoundSession.java | 17 ++ 23 files changed, 385 insertions(+), 62 deletions(-) create mode 100644 eclipse/runtime/org.argeo.eclipse.ui.jcr/src/main/java/org/argeo/eclipse/ui/jcr/browser/HomeContentProvider.java create mode 100644 eclipse/runtime/org.argeo.eclipse.ui.jcr/src/main/java/org/argeo/eclipse/ui/jcr/views/UserCentricJcrBrowser.java create mode 100644 security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/services.xml create mode 100644 security/modules/org.argeo.security.dao.jackrabbit/security.properties create mode 100644 security/plugins/org.argeo.security.ui.rcp/META-INF/spring/application-osgi.xml create mode 100644 security/plugins/org.argeo.security.ui.rcp/META-INF/spring/application.xml create mode 100644 
server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/spring/ThreadBoundSession.java
diff --git a/eclipse/runtime/org.argeo.eclipse.ui.jcr/src/main/java/org/argeo/eclipse/ui/jcr/browser/HomeContentProvider.java b/eclipse/runtime/org.argeo.eclipse.ui.jcr/src/main/java/org/argeo/eclipse/ui/jcr/browser/HomeContentProvider.java
new file mode 100644
index 000000000..b3577a2bf
--- /dev/null
+++ b/eclipse/runtime/org.argeo.eclipse.ui.jcr/src/main/java/org/argeo/eclipse/ui/jcr/browser/HomeContentProvider.java
@@ -0,0 +1,14 @@
+package org.argeo.eclipse.ui.jcr.browser;
+
+import javax.jcr.Session;
+
+import org.argeo.eclipse.ui.jcr.SimpleNodeContentProvider;
+import org.argeo.jcr.JcrUtils;
+
+public class HomeContentProvider extends SimpleNodeContentProvider {
+
+ public HomeContentProvider(Session session) {
+ super(session, new String[] { JcrUtils.getUserHomePath(session) });
+ }
+
+}
diff --git a/eclipse/runtime/org.argeo.eclipse.ui.jcr/src/main/java/org/argeo/eclipse/ui/jcr/views/UserCentricJcrBrowser.java b/eclipse/runtime/org.argeo.eclipse.ui.jcr/src/main/java/org/argeo/eclipse/ui/jcr/views/UserCentricJcrBrowser.java
new file mode 100644
index 000000000..c121f599c
--- /dev/null
+++ b/eclipse/runtime/org.argeo.eclipse.ui.jcr/src/main/java/org/argeo/eclipse/ui/jcr/views/UserCentricJcrBrowser.java
@@ -0,0 +1,158 @@
+package org.argeo.eclipse.ui.jcr.views;
+
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+
+import org.argeo.ArgeoException;
+import org.argeo.eclipse.ui.jcr.SimpleNodeContentProvider;
+import org.argeo.eclipse.ui.jcr.browser.HomeContentProvider;
+import org.argeo.eclipse.ui.jcr.browser.NodeLabelProvider;
+import org.argeo.eclipse.ui.jcr.browser.RepositoryNode;
+import org.argeo.eclipse.ui.jcr.browser.WorkspaceNode;
+import org.argeo.eclipse.ui.jcr.utils.JcrFileProvider;
+import org.argeo.eclipse.ui.jcr.utils.NodeViewerComparer;
+import org.argeo.eclipse.ui.specific.FileHandler;
+import org.eclipse.jface.action.MenuManager;
+import org.eclipse.jface.viewers.DoubleClickEvent;
+import org.eclipse.jface.viewers.IDoubleClickListener;
+import org.eclipse.jface.viewers.IStructuredSelection;
+import org.eclipse.jface.viewers.StructuredSelection;
+import org.eclipse.jface.viewers.TreeViewer;
+import org.eclipse.swt.SWT;
+import org.eclipse.swt.layout.FillLayout;
+import org.eclipse.swt.layout.GridData;
+import org.eclipse.swt.layout.GridLayout;
+import org.eclipse.swt.widgets.Composite;
+import org.eclipse.swt.widgets.Menu;
+import org.eclipse.ui.part.ViewPart;
+
+/** JCR browser organized around a user home node. */
+public class UserCentricJcrBrowser extends ViewPart {
+ // private final static Log log = LogFactory.getLog(UserBrowser.class);
+
+ private TreeViewer nodesViewer;
+
+ private Session session;
+
+ @Override
+ public void createPartControl(Composite parent) {
+
+ // Instantiate the generic object that fits for
+ // both RCP & RAP, must be final to be accessed in the double click
+ // listener.
+ // Not that in RAP, it registers a service handler that provide the
+ // access to the files.
+
+ final JcrFileProvider jfp = new JcrFileProvider();
+ final FileHandler fh = new FileHandler(jfp);
+
+ parent.setLayout(new FillLayout());
+
+ Composite top = new Composite(parent, SWT.NONE);
+ GridLayout gl = new GridLayout(1, false);
+ top.setLayout(gl);
+
+ // nodes viewer
+ nodesViewer = new TreeViewer(top, SWT.MULTI | SWT.H_SCROLL
+ | SWT.V_SCROLL);
+ nodesViewer.getTree().setLayoutData(
+ new GridData(SWT.FILL, SWT.FILL, true, true));
+
+ SimpleNodeContentProvider contentProvider = new HomeContentProvider(
+ session);
+ nodesViewer.setContentProvider(contentProvider);
+ nodesViewer.setLabelProvider(new NodeLabelProvider());
+
+ nodesViewer.addDoubleClickListener(new IDoubleClickListener() {
+ public void doubleClick(DoubleClickEvent event) {
+ if (event.getSelection() == null
+ || event.getSelection().isEmpty())
+ return;
+ Object obj = ((IStructuredSelection) event.getSelection())
+ .getFirstElement();
+ if (obj instanceof RepositoryNode) {
+ RepositoryNode rpNode = (RepositoryNode) obj;
+ rpNode.login();
+ // For the file provider to be able to browse the various
+ // repository.
+ // TODO : enhanced that.
+ jfp.setRepositoryNode(rpNode);
+ nodesViewer.refresh(obj);
+
+ } else if (obj instanceof WorkspaceNode) {
+ ((WorkspaceNode) obj).login();
+ nodesViewer.refresh(obj);
+ } else if (obj instanceof Node) {
+ Node node = (Node) obj;
+
+ // double clic on a file node triggers its opening
+ try {
+ if (node.isNodeType("nt:file")) {
+ String name = node.getName();
+ String id = node.getIdentifier();
+ fh.openFile(name, id);
+ }
+ } catch (RepositoryException re) {
+ throw new ArgeoException(
+ "Repository error while getting Node file info",
+ re);
+ }
+ }
+ }
+ });
+
+ // context menu
+ MenuManager menuManager = new MenuManager();
+ Menu menu = menuManager.createContextMenu(nodesViewer.getTree());
+ nodesViewer.getTree().setMenu(menu);
+ getSite().registerContextMenu(menuManager, nodesViewer);
+ getSite().setSelectionProvider(nodesViewer);
+
+ nodesViewer.setInput(session);
+
+ nodesViewer.setComparer(new NodeViewerComparer());
+
+ }
+
+ @Override
+ public void setFocus() {
+ nodesViewer.getTree().setFocus();
+ }
+
+ /**
+ * To be overidden to adapt size of form and result frames.
+ *
+ * @return
+ */
+ protected int[] getWeights() {
+ return new int[] { 70, 30 };
+ }
+
+ /*
+ * NOTIFICATION
+ */
+ public void refresh(Object obj) {
+ nodesViewer.refresh(obj);
+ }
+
+ public void nodeAdded(Node parentNode, Node newNode) {
+ nodesViewer.refresh(parentNode);
+ nodesViewer.expandToLevel(newNode, 0);
+ }
+
+ public void nodeRemoved(Node parentNode) {
+
+ IStructuredSelection newSel = new StructuredSelection(parentNode);
+ nodesViewer.setSelection(newSel, true);
+ // Force refresh
+ IStructuredSelection tmpSel = (IStructuredSelection) nodesViewer
+ .getSelection();
+ nodesViewer.refresh(tmpSel.getFirstElement());
+ }
+
+ public void setSession(Session session) {
+ this.session = session;
+ }
+
+}
diff --git a/gis/runtime/org.argeo.gis.geotools/pom.xml b/gis/runtime/org.argeo.gis.geotools/pom.xml
index 992ddfa66..2278658fa 100644
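Review bot: In UserCentricJcrBrowser.java, `createPartControl` passes the `session` field straight to `new HomeContentProvider(session)` and `nodesViewer.setInput(session)`, but the field is only assigned by `setSession`, so a view built before injection fails with a NullPointerException inside `JcrUtils.getUserHomePath`. A guard at the top of the method, `if (session == null) throw new ArgeoException("No JCR session set on " + getClass().getName());`, would make the wiring error explicit. The `RepositoryNode` and `WorkspaceNode` branches of the double-click listener look unreachable when the tree is rooted at the user home (inferred; the content provider's children are not visible here), and if so they should be removed so this view carries no login paths it does not need. The empty `@return` tag on `getWeights` and the commented-out logger line should be dropped as well.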
--- a/gis/runtime/org.argeo.gis.geotools/pom.xml +++ b/gis/runtime/org.argeo.gis.geotools/pom.xml @@ -74,10 +74,6 @@ org.argeo.dep.osgi org.argeo.dep.osgi.jts - - org.argeo.dep.osgi - org.argeo.dep.osgi.geoapi - org.jdom com.springsource.org.jdom diff --git a/security/modules/org.argeo.security.dao.jackrabbit/META-INF/MANIFEST.MF b/security/modules/org.argeo.security.dao.jackrabbit/META-INF/MANIFEST.MF index e5b22fb3a..47cec3bab 100644 --- a/security/modules/org.argeo.security.dao.jackrabbit/META-INF/MANIFEST.MF +++ b/security/modules/org.argeo.security.dao.jackrabbit/META-INF/MANIFEST.MF @@ -2,7 +2,11 @@ Bundle-SymbolicName: org.argeo.security.dao.jackrabbit Bundle-Version: 0.3.2.SNAPSHOT Import-Package: javax.jcr;version="[2.0.0,3.0.0)", org.argeo.security, + org.argeo.security.core, org.argeo.security.jackrabbit.providers, org.argeo.security.jcr, + org.springframework.beans.factory.config;specification-version="2.5.6.SEC01", + org.springframework.security;specification-version="2.0.6.RELEASE", + org.springframework.security.adapters;specification-version="2.0.6.RELEASE", org.springframework.security.providers;specification-version="2.0.6.RELEASE" Bundle-Name: Security DAO Jackrabbit diff --git a/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/jcrsecuritydao-osgi.xml b/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/jcrsecuritydao-osgi.xml index 4b15210c0..21d316f16 100644 --- a/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/jcrsecuritydao-osgi.xml +++ b/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/jcrsecuritydao-osgi.xml @@ -14,14 +14,23 @@ cardinality="0..1"> - - - + + + + + + + - - - + + + + \ No newline at end of file diff --git a/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/jcrsecuritydao.xml b/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/jcrsecuritydao.xml index ab4104f82..bbe3a165e 100644 
--- a/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/jcrsecuritydao.xml +++ b/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/jcrsecuritydao.xml @@ -6,7 +6,6 @@ - - - + + \ No newline at end of file diff --git a/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/services.xml b/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/services.xml new file mode 100644 index 000000000..c2348433c --- /dev/null +++ b/security/modules/org.argeo.security.dao.jackrabbit/META-INF/spring/services.xml @@ -0,0 +1,38 @@ + + + + + + + osgibundle:security.properties + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/security/modules/org.argeo.security.dao.jackrabbit/security.properties b/security/modules/org.argeo.security.dao.jackrabbit/security.properties new file mode 100644 index 000000000..ae7aa8725 --- /dev/null +++ b/security/modules/org.argeo.security.dao.jackrabbit/security.properties @@ -0,0 +1 @@ +argeo.security.systemKey=argeo diff --git a/security/plugins/org.argeo.security.ui.rcp/META-INF/jaas_default.txt b/security/plugins/org.argeo.security.ui.rcp/META-INF/jaas_default.txt index 5e0e4d3b2..96747d3ea 100644 --- a/security/plugins/org.argeo.security.ui.rcp/META-INF/jaas_default.txt +++ b/security/plugins/org.argeo.security.ui.rcp/META-INF/jaas_default.txt @@ -1,3 +1,8 @@ +OS_SPRING { + org.eclipse.equinox.security.auth.module.ExtensionLoginModule required + extensionId="org.argeo.security.equinox.osSpringLoginModule"; +}; + NIX { org.eclipse.equinox.security.auth.module.ExtensionLoginModule requisite extensionId="org.argeo.security.equinox.unixLoginModule"; diff --git a/security/plugins/org.argeo.security.ui.rcp/META-INF/spring/application-osgi.xml b/security/plugins/org.argeo.security.ui.rcp/META-INF/spring/application-osgi.xml new file mode 100644 index 000000000..d50070b2a --- /dev/null 
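Review bot: The new security.properties commits `argeo.security.systemKey=argeo`, a fixed and guessable value that every installation shares unless someone overrides it. How the key is consumed is not visible here (the services.xml hunk that loads `osgibundle:security.properties` has lost its markup), but if it authenticates the system execution context it should not have a default in source control. Leave the property without a usable value, fail at startup when it is missing, and head the file with a comment such as `# argeo.security.systemKey must be set per installation; no default is shipped`.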
+++ b/security/plugins/org.argeo.security.ui.rcp/META-INF/spring/application-osgi.xml @@ -0,0 +1,16 @@ + + + + + + + + \ No newline at end of file diff --git a/security/plugins/org.argeo.security.ui.rcp/META-INF/spring/application.xml b/security/plugins/org.argeo.security.ui.rcp/META-INF/spring/application.xml new file mode 100644 index 000000000..dbf3680f5 --- /dev/null +++ b/security/plugins/org.argeo.security.ui.rcp/META-INF/spring/application.xml @@ -0,0 +1,10 @@ + + + + + + + \ No newline at end of file diff --git a/security/plugins/org.argeo.security.ui.rcp/plugin.xml b/security/plugins/org.argeo.security.ui.rcp/plugin.xml index 39b8c848c..6a79da510 100644 --- a/security/plugins/org.argeo.security.ui.rcp/plugin.xml +++ b/security/plugins/org.argeo.security.ui.rcp/plugin.xml @@ -27,7 +27,7 @@ thread="main" visible="true"> + class="org.argeo.eclipse.spring.SpringExtensionFactory"> diff --git a/security/plugins/org.argeo.security.ui.rcp/src/main/java/org/argeo/security/ui/rcp/AbstractSecureApplication.java b/security/plugins/org.argeo.security.ui.rcp/src/main/java/org/argeo/security/ui/rcp/AbstractSecureApplication.java index 3da1bc7b4..26795f274 100644 --- a/security/plugins/org.argeo.security.ui.rcp/src/main/java/org/argeo/security/ui/rcp/AbstractSecureApplication.java +++ b/security/plugins/org.argeo.security.ui.rcp/src/main/java/org/argeo/security/ui/rcp/AbstractSecureApplication.java @@ -46,6 +46,7 @@ public abstract class AbstractSecureApplication implements IApplication { final Display display = PlatformUI.createDisplay(); + // login Subject subject = null; try { loginContext.login(); diff --git a/security/plugins/org.argeo.security.ui/META-INF/spring/osgi.xml b/security/plugins/org.argeo.security.ui/META-INF/spring/osgi.xml index a0d30b506..9e357a36d 100644 --- a/security/plugins/org.argeo.security.ui/META-INF/spring/osgi.xml +++ b/security/plugins/org.argeo.security.ui/META-INF/spring/osgi.xml 
@@ -9,5 +9,6 @@ osgi:default-timeout="30000"> + interface="org.springframework.security.userdetails.UserDetailsManager" + cardinality="0..1" /> \ No newline at end of file diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/OsAuthenticationProvider.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/OsAuthenticationProvider.java index e9c83839f..fa70489fc 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/OsAuthenticationProvider.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/OsAuthenticationProvider.java @@ -1,14 +1,18 @@ package org.argeo.security.core; +import java.security.AccessController; import java.util.ArrayList; import java.util.List; +import javax.security.auth.Subject; + import org.argeo.security.OsAuthenticationToken; import org.springframework.security.Authentication; import org.springframework.security.AuthenticationException; import org.springframework.security.GrantedAuthority; import org.springframework.security.GrantedAuthorityImpl; import org.springframework.security.providers.AuthenticationProvider; +import org.springframework.security.providers.UsernamePasswordAuthenticationToken; /** Validates an OS authentication. */ public class OsAuthenticationProvider implements AuthenticationProvider { 
@@ -20,16 +24,30 @@ public class OsAuthenticationProvider implements AuthenticationProvider { public Authentication authenticate(Authentication authentication) throws AuthenticationException { + final OsAuthenticationToken oat; + // if (authentication instanceof UsernamePasswordAuthenticationToken) { + // Subject subject = Subject.getSubject(AccessController.getContext()); + // if (subject == null) + // return null; + // oat = new OsAuthenticationToken(); + // } else if (authentication instanceof OsAuthenticationToken) { - List auths = new ArrayList(); - auths.add(new GrantedAuthorityImpl(osUserRole)); - auths.add(new GrantedAuthorityImpl(userRole)); - if (isAdmin) - auths.add(new GrantedAuthorityImpl(adminRole)); - return new OsAuthenticationToken( - auths.toArray(new GrantedAuthority[auths.size()])); + oat = (OsAuthenticationToken) authentication; + } else { + return null; } - return null; + + // not OS authenticated +// if (oat.getUser() == null) +// return null; + + List auths = new ArrayList(); + auths.add(new GrantedAuthorityImpl(osUserRole)); + auths.add(new GrantedAuthorityImpl(userRole)); + if (isAdmin) + auths.add(new GrantedAuthorityImpl(adminRole)); + return new OsAuthenticationToken( + auths.toArray(new GrantedAuthority[auths.size()])); } @SuppressWarnings("rawtypes") diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java index 192d2fdb2..dc47fa383 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/OsJcrAuthenticationProvider.java 
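Review bot: With the `oat.getUser() == null` check commented out, `authenticate` grants `osUserRole`, `userRole` and (when `isAdmin`) `adminRole` to any `OsAuthenticationToken` it is handed, and `oat` is assigned but never read. Either restore the check as `if (oat.getUser() == null) return null;`, or, if a token cannot exist without an OS login, delete the variable and state that invariant in a comment; that `getUser()` exists on the token is inferred from the commented line only. The commented-out `UsernamePasswordAuthenticationToken` branch and the three imports added for it in the previous hunk (`AccessController`, `Subject`, `UsernamePasswordAuthenticationToken`) should be removed rather than committed.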
@@ -4,41 +4,44 @@ import java.util.Map; import java.util.concurrent.Executor; import javax.jcr.Node; +import javax.jcr.Repository; import javax.jcr.RepositoryException; -import javax.jcr.RepositoryFactory; import javax.jcr.Session; import org.argeo.ArgeoException; import org.argeo.jcr.JcrUtils; import org.argeo.security.OsAuthenticationToken; +import org.argeo.security.SystemExecutionService; import org.argeo.security.core.OsAuthenticationProvider; import org.springframework.security.Authentication; import org.springframework.security.AuthenticationException; import org.springframework.security.userdetails.UserDetails; public class OsJcrAuthenticationProvider extends OsAuthenticationProvider { - private RepositoryFactory repositoryFactory; private Executor systemExecutor; private String homeBasePath = "/home"; - private String repositoryAlias = "node"; + private Repository repository; private String workspace = null; + private Long timeout = 5 * 60 * 1000l; + public Authentication authenticate(Authentication authentication) throws AuthenticationException { final OsAuthenticationToken authen = (OsAuthenticationToken) super .authenticate(authentication); + final Repository repository = getRepositoryBlocking(); systemExecutor.execute(new Runnable() { public void run() { try { - Session session = JcrUtils.getRepositoryByAlias( - repositoryFactory, repositoryAlias) - .login(workspace); - Node userHome = JcrUtils.getUserHome(session, - authen.getName()); + Session session = repository.login(workspace); + // WARNING: at this stage we assume that teh java properties + // will have the same value + String userName = System.getProperty("user.name"); + Node userHome = JcrUtils.getUserHome(session, userName); if (userHome == null) - JcrUtils.createUserHome(session, homeBasePath, - authen.getName()); - authen.setDetails(getUserDetails(userHome, authen)); + userHome = JcrUtils.createUserHome(session, + homeBasePath, userName); + //authen.setDetails(getUserDetails(userHome, 
authen)); } catch (RepositoryException e) { throw new ArgeoException( "Unexpected exception when synchronizing OS and JCR security ", @@ -67,26 +70,47 @@ public class OsJcrAuthenticationProvider extends OsAuthenticationProvider { return true; } - public void register(RepositoryFactory repositoryFactory, + protected Repository getRepositoryBlocking() { + long begin = System.currentTimeMillis(); + while (repository == null) { + synchronized (this) { + try { + wait(500); + } catch (InterruptedException e) { + // silent + } + } + if (System.currentTimeMillis() - begin > timeout) + throw new ArgeoException("No repository registered after " + + timeout + " ms"); + } + return repository; + } + + public synchronized void register(Repository repository, Map parameters) { - this.repositoryFactory = repositoryFactory; + this.repository = repository; + notifyAll(); } - public void unregister(RepositoryFactory repositoryFactory, + public synchronized void unregister(Repository repository, Map parameters) { - this.repositoryFactory = null; + this.repository = null; + notifyAll(); } - public void setSystemExecutor(Executor systemExecutor) { + public void register(SystemExecutionService systemExecutor, + Map parameters) { this.systemExecutor = systemExecutor; } - public void setHomeBasePath(String homeBasePath) { - this.homeBasePath = homeBasePath; + public void unregister(SystemExecutionService systemExecutor, + Map parameters) { + this.systemExecutor = null; } - public void setRepositoryAlias(String repositoryAlias) { - this.repositoryAlias = repositoryAlias; + public void setHomeBasePath(String homeBasePath) { + this.homeBasePath = homeBasePath; } public void setWorkspace(String workspace) { diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java index db2cfccbc..dce6e5496 100644 
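Review bot: In the first OsJcrAuthenticationProvider hunk the home node is now created for `System.getProperty("user.name")` instead of the authenticated token's name, and the task is submitted even when `super.authenticate` returned null for an unsupported token type. `user.name` is an ordinary JVM property that can be set at launch, so it is not evidence of who logged in; the in-code WARNING records the assumption but nothing enforces it. Return early with `if (authen == null) return null;` before `getRepositoryBlocking()`, and check the property against the identity carried by the token or the JAAS Subject before creating anything under `homeBasePath`. The `Session` from `repository.login(workspace)` is not logged out in the visible lines; the method continues outside the hunk, so confirm a `finally` calls `session.logout()`.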
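Review bot: `getRepositoryBlocking` tests and returns the `repository` field outside the monitor, so an `unregister` between the loop test and `return repository` hands null to the caller, and it swallows `InterruptedException`, so a waiting login thread cannot be cancelled before the five-minute `timeout` expires. Running the whole wait loop under the lock that `register` and `unregister` already take, and restoring the interrupt flag before failing, fixes both. The `register(SystemExecutionService, …)` pair writes `systemExecutor` without synchronization and `authenticate` dereferences it unchecked, which deserves the same treatment.
```java
protected synchronized Repository getRepositoryBlocking() {
	final long deadline = System.currentTimeMillis() + timeout;
	while (repository == null) {
		long remaining = deadline - System.currentTimeMillis();
		if (remaining <= 0)
			throw new ArgeoException("No repository registered after "
					+ timeout + " ms");
		try {
			// wait() releases the monitor, so register() can still run
			wait(Math.min(500, remaining));
		} catch (InterruptedException e) {
			Thread.currentThread().interrupt();
			throw new ArgeoException(
					"Interrupted while waiting for repository", e);
		}
	}
	return repository;
}
```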
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java @@ -4,10 +4,7 @@ import javax.jcr.Session; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.jcr.ThreadBoundJcrSessionFactory; -import org.springframework.beans.factory.DisposableBean; -import org.springframework.beans.factory.FactoryBean; -import org.springframework.beans.factory.InitializingBean; +import org.argeo.jcr.spring.ThreadBoundSession; import org.springframework.security.Authentication; import org.springframework.security.context.SecurityContextHolder; import org.springframework.security.userdetails.UserDetails; @@ -16,19 +13,10 @@ import org.springframework.security.userdetails.UserDetails; * Thread bounded JCR session factory which checks authentication and is * autoconfigured in Spring. */ -public class SecureThreadBoundSession extends ThreadBoundJcrSessionFactory - implements FactoryBean, InitializingBean, DisposableBean { +public class SecureThreadBoundSession extends ThreadBoundSession { private final static Log log = LogFactory .getLog(SecureThreadBoundSession.class); - public void afterPropertiesSet() throws Exception { - init(); - } - - public void destroy() throws Exception { - dispose(); - } - @Override protected Session preCall(Session session) { Authentication authentication = SecurityContextHolder.getContext() diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java index 1838dd05e..bf33b8a28 100644 --- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java 
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java @@ -32,6 +32,8 @@ import org.springframework.security.GrantedAuthority; /** Intermediary class in order to have a consistent naming in config files. */ public class ArgeoSecurityManager extends DefaultSecurityManager { + public final static String HOME_BASE_PATH = "/home"; + private Log log = LogFactory.getLog(ArgeoSecurityManager.class); @Override @@ -61,7 +63,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { .toString(), authen, null); log.info(userId + " added as " + user); } - + setHomeNodeAuthorizations(user); // process groups @@ -99,6 +101,11 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { try { userId = user.getID(); Node userHome = JcrUtils.getUserHome(getSystemSession(), userId); + // autocreate home node? +// if (userHome == null) +// userHome = JcrUtils.createUserHome(getSystemSession(), +// HOME_BASE_PATH, userId); + if (userHome != null) { String path = userHome.getPath(); AccessControlPolicy policy = null; diff --git a/server/plugins/org.argeo.jcr.ui.explorer/META-INF/spring/osgi.xml b/server/plugins/org.argeo.jcr.ui.explorer/META-INF/spring/osgi.xml index 0e87da8c0..0d0e37ec0 100644 --- a/server/plugins/org.argeo.jcr.ui.explorer/META-INF/spring/osgi.xml +++ b/server/plugins/org.argeo.jcr.ui.explorer/META-INF/spring/osgi.xml @@ -8,7 +8,7 @@ http://www.springframework.org/schema/beans/spring-beans-2.5.xsd" osgi:default-timeout="30000"> - + diff --git a/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/jackrabbit/JackrabbitContainer.java b/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/jackrabbit/JackrabbitContainer.java index eb090514f..6f50f7358 100644 --- a/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/jackrabbit/JackrabbitContainer.java 
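Review bot: The third ArgeoSecurityManager hunk commits the home-node auto-creation as commented-out code, and the new public constant `HOME_BASE_PATH` is referenced only from that comment. As written, a user without a home node still skips the `if (userHome != null)` block, so no access-control policy is set on a home for them (what follows the block is outside the hunk). Either enable the creation or drop the constant and replace the block with a one-line comment saying where the home node is expected to be created, for example `// home node is created at login, see OsJcrAuthenticationProvider` if that is the intent. The constant also duplicates the `"/home"` default of `homeBasePath` in OsJcrAuthenticationProvider, so the two can drift apart.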
+++ b/server/runtime/org.argeo.server.jackrabbit/src/main/java/org/argeo/jackrabbit/JackrabbitContainer.java @@ -295,7 +295,6 @@ public class JackrabbitContainer implements InitializingBean, DisposableBean, try { NamespaceHelper namespaceHelper = new NamespaceHelper(session); namespaceHelper.registerNamespaces(namespaces); - } catch (Exception e) { throw new ArgeoException("Cannot process new session", e); } diff --git a/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/JcrUtils.java b/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/JcrUtils.java index bc7862f5f..6edb854cb 100644 --- a/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/JcrUtils.java +++ b/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/JcrUtils.java @@ -650,6 +650,24 @@ public class JcrUtils implements ArgeoJcrConstants { return getUserHome(session, userID); } + /** + * Returns user home has path, embedding exceptions. Contrary to + * {@link #getUserHome(Session)}, it never returns null but throws and + * exception if not found. + */ + public static String getUserHomePath(Session session) { + String userID = session.getUserID(); + try { + Node userHome = getUserHome(session, userID); + if (userHome != null) + return userHome.getPath(); + else + throw new ArgeoException("No home registered for " + userID); + } catch (RepositoryException e) { + throw new ArgeoException("Cannot find user home path", e); + } + } + /** Get the profile of the user attached to this session. */ public static Node getUserProfile(Session session) { String userID = session.getUserID(); diff --git a/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/ThreadBoundJcrSessionFactory.java b/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/ThreadBoundJcrSessionFactory.java index d548b6edd..88c9cf8fe 100644 --- a/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/ThreadBoundJcrSessionFactory.java 
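Review bot: The Javadoc added on `JcrUtils.getUserHomePath` has two slips that blur the contract: "Returns user home has path" and "throws and exception". Suggested wording: `Returns the path of the user home node, wrapping repository errors.` followed by `Unlike {@link #getUserHome(Session)} it never returns null: an ArgeoException is thrown when no home node exists.` `session.getUserID()` is used without a null check, and the JCR API allows it to return null, so the not-found message can read "No home registered for null"; whether that can occur for the sessions passed here is not visible in this diff.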
+++ b/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/ThreadBoundJcrSessionFactory.java @@ -37,7 +37,7 @@ import org.apache.commons.logging.LogFactory; import org.argeo.ArgeoException; /** Proxy JCR sessions and attach them to calling threads. */ -public class ThreadBoundJcrSessionFactory { +public abstract class ThreadBoundJcrSessionFactory { private final static Log log = LogFactory .getLog(ThreadBoundJcrSessionFactory.class); diff --git a/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/spring/ThreadBoundSession.java b/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/spring/ThreadBoundSession.java new file mode 100644 index 000000000..74966eaf9 --- /dev/null +++ b/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/spring/ThreadBoundSession.java @@ -0,0 +1,17 @@ +package org.argeo.jcr.spring; + +import org.argeo.jcr.ThreadBoundJcrSessionFactory; +import org.springframework.beans.factory.DisposableBean; +import org.springframework.beans.factory.FactoryBean; +import org.springframework.beans.factory.InitializingBean; + +public class ThreadBoundSession extends ThreadBoundJcrSessionFactory implements FactoryBean, InitializingBean, DisposableBean{ + public void afterPropertiesSet() throws Exception { + init(); + } + + public void destroy() throws Exception { + dispose(); + } + +} -- 2.30.2
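Review bot: `ThreadBoundSession` is a new public class with no Javadoc, and it implements the raw `FactoryBean` type without declaring any of its methods, so it relies on `ThreadBoundJcrSessionFactory` already providing `getObject`, `getObjectType` and `isSingleton` (not visible in this diff). A class comment such as `/** Spring-managed {@link ThreadBoundJcrSessionFactory}: initialised after property injection and disposed with the context. */` would record why the split exists. Making `ThreadBoundJcrSessionFactory` abstract in the preceding hunk breaks any bean definition or caller that instantiated it directly; the XML hunks in this patch have lost their markup, so confirm they now name `org.argeo.jcr.spring.ThreadBoundSession`.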