]> git.argeo.org Git - lgpl/argeo-commons.git/blob - auth/CmsAuthUtils.java
projects / lgpl / argeo-commons.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Prepare next development cycle
[lgpl/argeo-commons.git] / auth / CmsAuthUtils.java
1 package org.argeo.cms.auth;
2
3 import java.security.Principal;
4 import java.util.Collection;
5 import java.util.Set;
6
7 import javax.naming.InvalidNameException;
8 import javax.naming.ldap.LdapName;
9 import javax.security.auth.Subject;
10 import javax.security.auth.x500.X500Principal;
11 import javax.servlet.http.HttpServletRequest;
12 import javax.servlet.http.HttpSession;
13
14 import org.apache.commons.logging.Log;
15 import org.apache.commons.logging.LogFactory;
16 //import org.apache.jackrabbit.core.security.AnonymousPrincipal;
17 //import org.apache.jackrabbit.core.security.SecurityConstants;
18 //import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
19 import org.argeo.cms.CmsException;
20 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
21 import org.argeo.cms.internal.kernel.WebCmsSessionImpl;
22 import org.argeo.node.security.AnonymousPrincipal;
23 import org.argeo.node.security.DataAdminPrincipal;
24 import org.argeo.node.security.NodeSecurityUtils;
25 import org.osgi.framework.BundleContext;
26 import org.osgi.framework.InvalidSyntaxException;
27 import org.osgi.framework.ServiceReference;
28 import org.osgi.service.http.HttpContext;
29 import org.osgi.service.useradmin.Authorization;
30
31 class CmsAuthUtils {
32 private final static Log log = LogFactory.getLog(CmsAuthUtils.class);
33
34 /** Shared HTTP request */
35 final static String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request";
36 /** From org.osgi.service.http.HttpContext */
37 final static String SHARED_STATE_AUTHORIZATION = "org.osgi.service.useradmin.authorization";
38 /** From com.sun.security.auth.module.*LoginModule */
39 final static String SHARED_STATE_NAME = "javax.security.auth.login.name";
40 /** From com.sun.security.auth.module.*LoginModule */
41 final static String SHARED_STATE_PWD = "javax.security.auth.login.password";
42
43 final static String SHARED_STATE_SPNEGO_TOKEN = "org.argeo.cms.auth.spnegoToken";
44 final static String SHARED_STATE_SPNEGO_OUT_TOKEN = "org.argeo.cms.auth.spnegoOutToken";
45
46 final static String HEADER_AUTHORIZATION = "Authorization";
47 final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
48
49 static void addAuthentication(Subject subject, Authorization authorization) {
50 assert subject != null;
51 checkSubjectEmpty(subject);
52 assert authorization != null;
53
54 // required for display name:
55 subject.getPrivateCredentials().add(authorization);
56
57 Set<Principal> principals = subject.getPrincipals();
58 try {
59 String authName = authorization.getName();
60
61 // determine user's principal
62 final LdapName name;
63 final Principal userPrincipal;
64 if (authName == null) {
65 name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
66 userPrincipal = new AnonymousPrincipal();
67 principals.add(userPrincipal);
68 // principals.add(new AnonymousPrincipal());
69 } else {
70 name = new LdapName(authName);
71 NodeSecurityUtils.checkUserName(name);
72 userPrincipal = new X500Principal(name.toString());
73 principals.add(userPrincipal);
74 principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal));
75 }
76
77 // Add roles provided by authorization
78 for (String role : authorization.getRoles()) {
79 LdapName roleName = new LdapName(role);
80 if (roleName.equals(name)) {
81 // skip
82 } else {
83 NodeSecurityUtils.checkImpliedPrincipalName(roleName);
84 principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
85 if (roleName.equals(NodeSecurityUtils.ROLE_ADMIN_NAME))
86 principals.add(new DataAdminPrincipal());
87 }
88 }
89
90 } catch (InvalidNameException e) {
91 throw new CmsException("Cannot commit", e);
92 }
93 }
94
95 private static void checkSubjectEmpty(Subject subject) {
96 if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
97 throw new IllegalStateException("Already logged in as anonymous: " + subject);
98 if (!subject.getPrincipals(X500Principal.class).isEmpty())
99 throw new IllegalStateException("Already logged in as user: " + subject);
100 if (!subject.getPrincipals(DataAdminPrincipal.class).isEmpty())
101 throw new IllegalStateException("Already logged in as data admin: " + subject);
102 if (!subject.getPrincipals(ImpliedByPrincipal.class).isEmpty())
103 throw new IllegalStateException("Already authorized: " + subject);
104 }
105
106 static void cleanUp(Subject subject) {
107 // Argeo
108 subject.getPrincipals().removeAll(subject.getPrincipals(X500Principal.class));
109 subject.getPrincipals().removeAll(subject.getPrincipals(ImpliedByPrincipal.class));
110 // Jackrabbit
111 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
112 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
113 }
114
115 // SHARED STATE KEYS
116 // compatible with com.sun.security.auth.module.*LoginModule
117 // public static final String SHARED_STATE_USERNAME =
118 // "javax.security.auth.login.name";
119 // public static final String SHARED_STATE_PASSWORD =
120 // "javax.security.auth.login.password";
121
122 static void registerSessionAuthorization(BundleContext bc, HttpServletRequest request, Subject subject,
123 Authorization authorization) {
124 String httpSessId = request.getSession().getId();
125 if (authorization.getName() != null) {
126 request.setAttribute(HttpContext.REMOTE_USER, authorization.getName());
127 request.setAttribute(HttpContext.AUTHORIZATION, authorization);
128
129 HttpSession httpSession = request.getSession();
130 if (httpSession.getAttribute(HttpContext.AUTHORIZATION) == null) {
131
132 Collection<ServiceReference<WebCmsSession>> sr;
133 try {
134 sr = bc.getServiceReferences(WebCmsSession.class,
135 "(" + WebCmsSession.CMS_SESSION_ID + "=" + httpSessId + ")");
136 } catch (InvalidSyntaxException e) {
137 throw new CmsException("Cannot get CMS session for id " + httpSessId, e);
138 }
139 ServiceReference<WebCmsSession> cmsSessionRef;
140 if (sr.size() == 1) {
141 cmsSessionRef = sr.iterator().next();
142 } else if (sr.size() == 0) {
143 WebCmsSessionImpl cmsSessionImpl = new WebCmsSessionImpl(httpSessId, authorization);
144 cmsSessionRef = cmsSessionImpl.getServiceRegistration().getReference();
145 if (log.isDebugEnabled())
146 log.debug("Initialized " + cmsSessionImpl + " for " + authorization.getName());
147 } else
148 throw new CmsException(sr.size() + " CMS sessions registered for " + httpSessId);
149
150 WebCmsSessionImpl cmsSession = (WebCmsSessionImpl) bc.getService(cmsSessionRef);
151 cmsSession.addHttpSession(request);
152 if (log.isTraceEnabled())
153 log.trace("Added " + request.getServletPath() + " to " + cmsSession + " (" + request.getRequestURI()
154 + ")");
155 // httpSession.setAttribute(HttpContext.REMOTE_USER,
156 // authorization.getName());
157 // httpSession.setAttribute(HttpContext.AUTHORIZATION,
158 // authorization);
159 }
160 }
161 HttpSessionId httpSessionId = new HttpSessionId(httpSessId);
162 if (subject.getPrivateCredentials(HttpSessionId.class).size() == 0)
163 subject.getPrivateCredentials().add(httpSessionId);
164 else {
165 String storedSessionId = subject.getPrivateCredentials(HttpSessionId.class).iterator().next().getValue();
166 // if (storedSessionId.equals(httpSessionId.getValue()))
167 throw new CmsException(
168 "Subject already logged with session " + storedSessionId + " (not " + httpSessionId + ")");
169 }
170 }
171
172 static boolean logoutSession(BundleContext bc, Subject subject) {
173 String httpSessionId;
174 if (subject.getPrivateCredentials(HttpSessionId.class).size() == 1)
175 httpSessionId = subject.getPrivateCredentials(HttpSessionId.class).iterator().next().getValue();
176 else
177 return false;
178 Collection<ServiceReference<WebCmsSession>> srs;
179 try {
180 srs = bc.getServiceReferences(WebCmsSession.class,
181 "(" + WebCmsSession.CMS_SESSION_ID + "=" + httpSessionId + ")");
182 } catch (InvalidSyntaxException e) {
183 throw new CmsException("Cannot retrieve CMS session #" + httpSessionId, e);
184 }
185
186 if (srs.size() == 0) {
187 if (log.isTraceEnabled())
188 log.warn("No CMS web session found for http session " + httpSessionId);
189 return false;
190 } else if (srs.size() > 1)
191 throw new CmsException(srs.size() + " CMS web sessions found for http session " + httpSessionId);
192
193 WebCmsSessionImpl cmsSession = (WebCmsSessionImpl) bc.getService(srs.iterator().next());
194 cmsSession.cleanUp();
195 subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(HttpSessionId.class));
196 if (log.isDebugEnabled())
197 log.debug("Cleaned up " + cmsSession);
198 return true;
199 }
200
201 private CmsAuthUtils() {
202
203 }
204
205 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi