From 8fd1416f1a9ba2e6bd9da56ec560f57ad421ac83 Mon Sep 17 00:00:00 2001 From: Mathieu Baudier Date: Wed, 4 Nov 2020 08:36:50 +0100 Subject: [PATCH] Improve servlet integration. --- .../integration/CmsPrivateServletContext.java | 2 +- .../argeo/cms/servlet/CmsServletContext.java | 1 - .../{auth => servlet}/ServletAuthUtils.java | 33 ++++++++++++------- 3 files changed, 23 insertions(+), 13 deletions(-) rename org.argeo.cms/src/org/argeo/cms/{auth => servlet}/ServletAuthUtils.java (63%) diff --git a/org.argeo.cms/src/org/argeo/cms/integration/CmsPrivateServletContext.java b/org.argeo.cms/src/org/argeo/cms/integration/CmsPrivateServletContext.java index a97f4133f..862d7ee08 100644 --- a/org.argeo.cms/src/org/argeo/cms/integration/CmsPrivateServletContext.java +++ b/org.argeo.cms/src/org/argeo/cms/integration/CmsPrivateServletContext.java @@ -14,7 +14,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.argeo.cms.auth.HttpRequestCallbackHandler; -import org.argeo.cms.auth.ServletAuthUtils; +import org.argeo.cms.servlet.ServletAuthUtils; import org.osgi.service.http.context.ServletContextHelper; /** Manages security access to servlets. */ diff --git a/org.argeo.cms/src/org/argeo/cms/servlet/CmsServletContext.java b/org.argeo.cms/src/org/argeo/cms/servlet/CmsServletContext.java index 0d94ff3f1..9ff8f855f 100644 --- a/org.argeo.cms/src/org/argeo/cms/servlet/CmsServletContext.java +++ b/org.argeo.cms/src/org/argeo/cms/servlet/CmsServletContext.java @@ -15,7 +15,6 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.api.NodeConstants; import org.argeo.cms.auth.HttpRequestCallbackHandler; -import org.argeo.cms.auth.ServletAuthUtils; import org.argeo.cms.internal.http.HttpUtils; import org.osgi.framework.Bundle; import org.osgi.framework.FrameworkUtil; diff --git a/org.argeo.cms/src/org/argeo/cms/auth/ServletAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/servlet/ServletAuthUtils.java similarity index 63% rename from org.argeo.cms/src/org/argeo/cms/auth/ServletAuthUtils.java rename to org.argeo.cms/src/org/argeo/cms/servlet/ServletAuthUtils.java index 9cb7fdcbe..13dfbe638 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/ServletAuthUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/servlet/ServletAuthUtils.java @@ -1,4 +1,4 @@ -package org.argeo.cms.auth; +package org.argeo.cms.servlet; import java.security.AccessControlContext; import java.security.AccessController; @@ -8,21 +8,32 @@ import java.util.function.Supplier; import javax.security.auth.Subject; import javax.servlet.http.HttpServletRequest; +import org.argeo.cms.auth.CurrentUser; import org.osgi.service.http.HttpContext; /** Authentications utilities when using servlets. */ public class ServletAuthUtils { + /** + * Execute this supplier, using the CMS class loader as context classloader. + * Useful to log in to JCR. + */ public final static T doAs(Supplier supplier, HttpServletRequest req) { - return Subject.doAs( - Subject.getSubject((AccessControlContext) req.getAttribute(AccessControlContext.class.getName())), - new PrivilegedAction() { - - @Override - public T run() { - return supplier.get(); - } - - }); + ClassLoader currentContextCl = Thread.currentThread().getContextClassLoader(); + Thread.currentThread().setContextClassLoader(ServletAuthUtils.class.getClassLoader()); + try { + return Subject.doAs( + Subject.getSubject((AccessControlContext) req.getAttribute(AccessControlContext.class.getName())), + new PrivilegedAction() { + + @Override + public T run() { + return supplier.get(); + } + + }); + } finally { + Thread.currentThread().setContextClassLoader(currentContextCl); + } } public final static void configureRequestSecurity(HttpServletRequest req) { -- 2.30.2