1 package org
.argeo
.cms
.auth
;
3 import java
.security
.Principal
;
4 import java
.util
.Collection
;
7 import javax
.naming
.InvalidNameException
;
8 import javax
.naming
.ldap
.LdapName
;
9 import javax
.security
.auth
.Subject
;
10 import javax
.security
.auth
.x500
.X500Principal
;
11 import javax
.servlet
.http
.HttpServletRequest
;
12 import javax
.servlet
.http
.HttpSession
;
14 import org
.apache
.commons
.logging
.Log
;
15 import org
.apache
.commons
.logging
.LogFactory
;
16 //import org.apache.jackrabbit.core.security.AnonymousPrincipal;
17 //import org.apache.jackrabbit.core.security.SecurityConstants;
18 //import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
19 import org
.argeo
.cms
.CmsException
;
20 import org
.argeo
.cms
.internal
.auth
.ImpliedByPrincipal
;
21 import org
.argeo
.cms
.internal
.kernel
.WebCmsSessionImpl
;
22 import org
.argeo
.node
.security
.AnonymousPrincipal
;
23 import org
.argeo
.node
.security
.DataAdminPrincipal
;
24 import org
.argeo
.node
.security
.NodeSecurityUtils
;
25 import org
.osgi
.framework
.BundleContext
;
26 import org
.osgi
.framework
.InvalidSyntaxException
;
27 import org
.osgi
.framework
.ServiceReference
;
28 import org
.osgi
.service
.http
.HttpContext
;
29 import org
.osgi
.service
.useradmin
.Authorization
;
32 private final static Log log
= LogFactory
.getLog(CmsAuthUtils
.class);
34 /** Shared HTTP request */
35 final static String SHARED_STATE_HTTP_REQUEST
= "org.argeo.cms.auth.http.request";
36 /** From org.osgi.service.http.HttpContext */
37 final static String SHARED_STATE_AUTHORIZATION
= "org.osgi.service.useradmin.authorization";
38 /** From com.sun.security.auth.module.*LoginModule */
39 final static String SHARED_STATE_NAME
= "javax.security.auth.login.name";
40 /** From com.sun.security.auth.module.*LoginModule */
41 final static String SHARED_STATE_PWD
= "javax.security.auth.login.password";
43 final static String SHARED_STATE_SPNEGO_TOKEN
= "org.argeo.cms.auth.spnegoToken";
44 final static String SHARED_STATE_SPNEGO_OUT_TOKEN
= "org.argeo.cms.auth.spnegoOutToken";
46 final static String HEADER_AUTHORIZATION
= "Authorization";
47 final static String HEADER_WWW_AUTHENTICATE
= "WWW-Authenticate";
49 static void addAuthentication(Subject subject
, Authorization authorization
) {
50 assert subject
!= null;
51 checkSubjectEmpty(subject
);
52 assert authorization
!= null;
54 // required for display name:
55 subject
.getPrivateCredentials().add(authorization
);
57 Set
<Principal
> principals
= subject
.getPrincipals();
59 String authName
= authorization
.getName();
61 // determine user's principal
63 final Principal userPrincipal
;
64 if (authName
== null) {
65 name
= NodeSecurityUtils
.ROLE_ANONYMOUS_NAME
;
66 userPrincipal
= new AnonymousPrincipal();
67 principals
.add(userPrincipal
);
68 // principals.add(new AnonymousPrincipal());
70 name
= new LdapName(authName
);
71 NodeSecurityUtils
.checkUserName(name
);
72 userPrincipal
= new X500Principal(name
.toString());
73 principals
.add(userPrincipal
);
74 principals
.add(new ImpliedByPrincipal(NodeSecurityUtils
.ROLE_USER_NAME
, userPrincipal
));
77 // Add roles provided by authorization
78 for (String role
: authorization
.getRoles()) {
79 LdapName roleName
= new LdapName(role
);
80 if (roleName
.equals(name
)) {
83 NodeSecurityUtils
.checkImpliedPrincipalName(roleName
);
84 principals
.add(new ImpliedByPrincipal(roleName
.toString(), userPrincipal
));
85 if (roleName
.equals(NodeSecurityUtils
.ROLE_ADMIN_NAME
))
86 principals
.add(new DataAdminPrincipal());
90 } catch (InvalidNameException e
) {
91 throw new CmsException("Cannot commit", e
);
95 private static void checkSubjectEmpty(Subject subject
) {
96 if (!subject
.getPrincipals(AnonymousPrincipal
.class).isEmpty())
97 throw new IllegalStateException("Already logged in as anonymous: " + subject
);
98 if (!subject
.getPrincipals(X500Principal
.class).isEmpty())
99 throw new IllegalStateException("Already logged in as user: " + subject
);
100 if (!subject
.getPrincipals(DataAdminPrincipal
.class).isEmpty())
101 throw new IllegalStateException("Already logged in as data admin: " + subject
);
102 if (!subject
.getPrincipals(ImpliedByPrincipal
.class).isEmpty())
103 throw new IllegalStateException("Already authorized: " + subject
);
106 static void cleanUp(Subject subject
) {
108 subject
.getPrincipals().removeAll(subject
.getPrincipals(X500Principal
.class));
109 subject
.getPrincipals().removeAll(subject
.getPrincipals(ImpliedByPrincipal
.class));
111 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
112 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
116 // compatible with com.sun.security.auth.module.*LoginModule
117 // public static final String SHARED_STATE_USERNAME =
118 // "javax.security.auth.login.name";
119 // public static final String SHARED_STATE_PASSWORD =
120 // "javax.security.auth.login.password";
122 static void registerSessionAuthorization(BundleContext bc
, HttpServletRequest request
, Subject subject
,
123 Authorization authorization
) {
124 String httpSessId
= request
.getSession().getId();
125 if (authorization
.getName() != null) {
126 request
.setAttribute(HttpContext
.REMOTE_USER
, authorization
.getName());
127 request
.setAttribute(HttpContext
.AUTHORIZATION
, authorization
);
129 HttpSession httpSession
= request
.getSession();
130 if (httpSession
.getAttribute(HttpContext
.AUTHORIZATION
) == null) {
132 Collection
<ServiceReference
<WebCmsSession
>> sr
;
134 sr
= bc
.getServiceReferences(WebCmsSession
.class,
135 "(" + WebCmsSession
.CMS_SESSION_ID
+ "=" + httpSessId
+ ")");
136 } catch (InvalidSyntaxException e
) {
137 throw new CmsException("Cannot get CMS session for id " + httpSessId
, e
);
139 ServiceReference
<WebCmsSession
> cmsSessionRef
;
140 if (sr
.size() == 1) {
141 cmsSessionRef
= sr
.iterator().next();
142 } else if (sr
.size() == 0) {
143 WebCmsSessionImpl cmsSessionImpl
= new WebCmsSessionImpl(httpSessId
, authorization
);
144 cmsSessionRef
= cmsSessionImpl
.getServiceRegistration().getReference();
145 if (log
.isDebugEnabled())
146 log
.debug("Initialized " + cmsSessionImpl
+ " for " + authorization
.getName());
148 throw new CmsException(sr
.size() + " CMS sessions registered for " + httpSessId
);
150 WebCmsSessionImpl cmsSession
= (WebCmsSessionImpl
) bc
.getService(cmsSessionRef
);
151 cmsSession
.addHttpSession(request
);
152 if (log
.isTraceEnabled())
153 log
.trace("Added " + request
.getServletPath() + " to " + cmsSession
+ " (" + request
.getRequestURI()
155 // httpSession.setAttribute(HttpContext.REMOTE_USER,
156 // authorization.getName());
157 // httpSession.setAttribute(HttpContext.AUTHORIZATION,
161 HttpSessionId httpSessionId
= new HttpSessionId(httpSessId
);
162 if (subject
.getPrivateCredentials(HttpSessionId
.class).size() == 0)
163 subject
.getPrivateCredentials().add(httpSessionId
);
165 String storedSessionId
= subject
.getPrivateCredentials(HttpSessionId
.class).iterator().next().getValue();
166 // if (storedSessionId.equals(httpSessionId.getValue()))
167 throw new CmsException(
168 "Subject already logged with session " + storedSessionId
+ " (not " + httpSessionId
+ ")");
172 static boolean logoutSession(BundleContext bc
, Subject subject
) {
173 String httpSessionId
;
174 if (subject
.getPrivateCredentials(HttpSessionId
.class).size() == 1)
175 httpSessionId
= subject
.getPrivateCredentials(HttpSessionId
.class).iterator().next().getValue();
178 Collection
<ServiceReference
<WebCmsSession
>> srs
;
180 srs
= bc
.getServiceReferences(WebCmsSession
.class,
181 "(" + WebCmsSession
.CMS_SESSION_ID
+ "=" + httpSessionId
+ ")");
182 } catch (InvalidSyntaxException e
) {
183 throw new CmsException("Cannot retrieve CMS session #" + httpSessionId
, e
);
186 if (srs
.size() == 0) {
187 if (log
.isTraceEnabled())
188 log
.warn("No CMS web session found for http session " + httpSessionId
);
190 } else if (srs
.size() > 1)
191 throw new CmsException(srs
.size() + " CMS web sessions found for http session " + httpSessionId
);
193 WebCmsSessionImpl cmsSession
= (WebCmsSessionImpl
) bc
.getService(srs
.iterator().next());
194 cmsSession
.cleanUp();
195 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(HttpSessionId
.class));
196 if (log
.isDebugEnabled())
197 log
.debug("Cleaned up " + cmsSession
);
201 private CmsAuthUtils() {