} else {
if (log.isTraceEnabled())
log.trace("HTTP login: " + true);
+ request.setAttribute(HttpContext.AUTHORIZATION, authorization);
return true;
}
}
--- /dev/null
+package org.argeo.cms.auth;
+
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.function.Supplier;
+
+import javax.security.auth.Subject;
+import javax.servlet.http.HttpServletRequest;
+
+import org.osgi.service.http.HttpContext;
+
+/** Authentications utilities when using servlets. */
+public class ServletAuthUtils {
+ public final static <T> T doAs(Supplier<T> supplier, HttpServletRequest req) {
+ return Subject.doAs(
+ Subject.getSubject((AccessControlContext) req.getAttribute(AccessControlContext.class.getName())),
+ new PrivilegedAction<T>() {
+
+ @Override
+ public T run() {
+ return supplier.get();
+ }
+
+ });
+ }
+
+ public final static void configureRequestSecurity(HttpServletRequest req) {
+ if (req.getAttribute(AccessControlContext.class.getName()) != null)
+ throw new IllegalStateException("Request already authenticated.");
+ AccessControlContext acc = AccessController.getContext();
+ req.setAttribute(HttpContext.REMOTE_USER, CurrentUser.getUsername());
+ req.setAttribute(AccessControlContext.class.getName(), acc);
+ }
+
+ public final static void clearRequestSecurity(HttpServletRequest req) {
+ if (req.getAttribute(AccessControlContext.class.getName()) == null)
+ throw new IllegalStateException("Cannot clear non-authenticated request.");
+ req.setAttribute(HttpContext.REMOTE_USER, null);
+ req.setAttribute(AccessControlContext.class.getName(), null);
+ }
+}
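Review bot: `doAs` (L23–L34) does not fail closed when the request carries no security context: a missing attribute makes `Subject.getSubject(null)` throw a bare `NullPointerException`, and an `AccessControlContext` with no `Subject` bound yields `Subject.doAs(null, …)`, which silently runs the supplier with no subject at all. Both cases should be rejected with an explicit `IllegalStateException`, mirroring the guards that `configureRequestSecurity` and `clearRequestSecurity` already have. The class comment should also say that the stored context is readable by anything that can call `getAttribute` on the request (filters, included/forwarded servlets), which is presumably intended but is the trust boundary of this design. As a caveat rather than a blocker, `AccessController`/`AccessControlContext` and `Subject.doAs`/`Subject.getSubject` are deprecated for removal on recent JDKs (17/18+), so a migration path towards `Subject.callAs`/`Subject.current` will be needed eventually.
```java
public final static <T> T doAs(Supplier<T> supplier, HttpServletRequest req) {
	AccessControlContext acc = (AccessControlContext) req.getAttribute(AccessControlContext.class.getName());
	if (acc == null)
		throw new IllegalStateException("Request is not authenticated.");
	Subject subject = Subject.getSubject(acc);
	if (subject == null)
		throw new IllegalStateException("No subject bound to the request security context.");
	// fail closed: never run the action without a subject
	return Subject.doAs(subject, (PrivilegedAction<T>) supplier::get);
}
// … unchanged: configureRequestSecurity, clearRequestSecurity …
```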
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;
-/** Use the {@link UserAdmin} in the OSGi registry as the basis for authentication.*/
+/**
+ * Use the {@link UserAdmin} in the OSGi registry as the basis for
+ * authentication.
+ */
public class UserAdminLoginModule implements LoginModule {
private final static Log log = LogFactory.getLog(UserAdminLoginModule.class);
if (authenticatedUser == null) {
if (log.isTraceEnabled())
log.trace("Neither kerberos nor user admin login succeeded. Login failed.");
- return false;
+ throw new CredentialNotFoundException("Bad credentials.");
} else {
authenticatingUser = authenticatedUser;
}
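Review bot: Throwing from `login()` (L64) changes this module's JAAS contract: a `LoginException` marks the module as failed instead of ignored, which is exactly what the accompanying switch to `requisite` in the login configuration depends on, so the two changes must ship together. The import for `CredentialNotFoundException` is not visible in this hunk; it needs to be `javax.security.auth.login.CredentialNotFoundException` (a `LoginException` subtype) for `LoginContext` to report an authentication failure rather than an unchecked error. The constant `"Bad credentials."` message is the right choice since it does not let a caller distinguish an unknown user from a wrong password; keep the more specific wording confined to the trace log as done here. The enclosing method starts before this hunk.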
import java.io.IOException;
import java.security.AccessControlContext;
-import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.argeo.cms.auth.HttpRequestCallbackHandler;
+import org.argeo.cms.auth.ServletAuthUtils;
import org.osgi.service.http.context.ServletContextHelper;
/** Manages security access to servlets. */
@Override
public Void run() {
- request.setAttribute(REMOTE_USER, AccessController.getContext());
+ // TODO also set login context in order to log out ?
+ ServletAuthUtils.configureRequestSecurity(request);
return null;
}
return true;
}
+ @Override
+ public void finishSecurity(HttpServletRequest request, HttpServletResponse response) {
+ ServletAuthUtils.clearRequestSecurity(request);
+ }
+
protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) {
try {
response.sendRedirect(loginPage);
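Review bot: `configureRequestSecurity` (L82) throws `IllegalStateException` when the request already carries a security context, and because it runs inside `PrivilegedAction.run()` that exception propagates out of `Subject.doAs` unchanged, so the presumably enclosing `handleSecurity` would fail with a 500 instead of returning false. If the same request can reach this code twice (forward/include, or several whiteboard contexts), guard it with `if (request.getAttribute(AccessControlContext.class.getName()) == null) ServletAuthUtils.configureRequestSecurity(request);`, or document that a second call is a programming error. The `// TODO also set login context in order to log out ?` comment should be made concrete: `finishSecurity` (L88–L90) only clears the request attributes and never logs the `LoginContext` out, so the subject's lifetime is that of the session/login context, not of the request. The enclosing method starts before this hunk.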
USER {
org.argeo.cms.auth.HttpSessionLoginModule sufficient;
org.argeo.cms.auth.IdentLoginModule optional;
- org.argeo.cms.auth.UserAdminLoginModule sufficient;
+ org.argeo.cms.auth.UserAdminLoginModule requisite;
};
ANONYMOUS {
org.argeo.cms.auth.HttpSessionLoginModule sufficient;
- org.argeo.cms.auth.AnonymousLoginModule sufficient;
+ org.argeo.cms.auth.AnonymousLoginModule requisite;
};
DATA_ADMIN {
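Review bot: The change from `sufficient` to `requisite` (L99, L104) only produces a hard failure because `UserAdminLoginModule.login()` now throws instead of returning false; that coupling is invisible here and should be recorded in the configuration, e.g. `// requisite: bad credentials abort the whole login (module throws instead of returning false)` above L99. With `requisite`, a failure stops evaluation immediately and no later module runs, but the `sufficient` `HttpSessionLoginModule` ahead of it still short-circuits on an existing session without consulting the user admin at all — confirm that precedence is intended for both the USER and ANONYMOUS entries.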
import java.io.IOException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.Map;
+import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.LogFactory;
import org.argeo.api.NodeConstants;
import org.argeo.cms.auth.HttpRequestCallbackHandler;
+import org.argeo.cms.auth.ServletAuthUtils;
import org.argeo.cms.internal.http.HttpUtils;
import org.osgi.framework.Bundle;
import org.osgi.framework.FrameworkUtil;
if (lc == null)
return false;
}
+
+ Subject subject = lc.getSubject();
+ //log.debug("SERVLET CONTEXT: "+subject);
+ Subject.doAs(subject, new PrivilegedAction<Void>() {
+
+ @Override
+ public Void run() {
+ // TODO also set login context in order to log out ?
+ ServletAuthUtils.configureRequestSecurity(request);
+ return null;
+ }
+
+ });
return true;
}
+ @Override
+ public void finishSecurity(HttpServletRequest request, HttpServletResponse response) {
+ ServletAuthUtils.clearRequestSecurity(request);
+ }
+
protected LoginContext processUnauthorized(HttpServletRequest request, HttpServletResponse response) {
// anonymous
try {
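Review bot: `lc.getSubject()` (L126) returns null when no login has succeeded on that `LoginContext`, and `Subject.doAs(null, …)` then stores an `AccessControlContext` with no subject in the request while still returning true, which is a fail-open path; add `if (subject == null) return false;` before the `doAs`. The commented-out `//log.debug("SERVLET CONTEXT: "+subject);` (L127) should be deleted rather than left for later: `Subject.toString()` can include private credentials when no security manager restricts it, so a `Subject` must never be logged. The `// TODO also set login context in order to log out ?` duplicates the same open question in the other context helper; `finishSecurity` (L141–L143) only clears the request attributes and does not log the `LoginContext` out. The enclosing method starts before this hunk.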