1 package org.argeo.cms.auth;
2
import java.security.PrivilegedAction;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;

import org.argeo.cms.CmsException;
import org.argeo.naming.LdapAttrs;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.UserAdmin;
22
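/**
 * JAAS login module that turns a Kerberos principal already present in the
 * {@link Subject} into an OSGi {@link UserAdmin} {@link Authorization}.
 * <p>
 * {@link #login()} performs no authentication itself: the Kerberos principal is
 * expected to have been established before {@link #commit()} runs (presumably by
 * an earlier module of the same JAAS configuration — confirm against the
 * deployment's login config). The principal {@code user@REALM} is mapped to the
 * IPA-style user DN {@code uid=user,cn=users,cn=accounts,dc=realm,dc=parts}.
 * A subject without any Kerberos principal is treated as anonymous, but only
 * when no {@link CallbackHandler} was supplied.
 * <p>
 * Not thread-safe: a fresh instance is created per login context, as JAAS does.
 */
public class IpaLoginModule implements LoginModule {
	private BundleContext bc;
	private Subject subject;
	private Map<String, Object> sharedState = null;
	private CallbackHandler callbackHandler;

	/**
	 * Stores the JAAS context and resolves this bundle's {@link BundleContext}.
	 *
	 * @param subject         the subject being authenticated
	 * @param callbackHandler the handler supplied by the caller, may be {@code null}
	 * @param sharedState     state shared between the login modules of the context;
	 *                        read in {@link #commit()} for the HTTP request
	 * @param options         module options, currently unused
	 * @throws CmsException if the bundle context cannot be resolved
	 */
	@SuppressWarnings("unchecked")
	@Override
	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
			Map<String, ?> options) {
		this.subject = subject;
		this.sharedState = (Map<String, Object>) sharedState;
		this.callbackHandler = callbackHandler;
		try {
			bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
		} catch (Exception e) {
			throw new CmsException("Cannot initialize login module", e);
		}
		// fail here rather than with an NPE in commit(); an assert would only
		// check this when the JVM runs with -ea
		if (bc == null)
			throw new CmsException("No bundle context available for " + IpaLoginModule.class.getName());
	}

	/**
	 * Always succeeds; the actual work happens in {@link #commit()}.
	 *
	 * @return {@code true}
	 */
	@Override
	public boolean login() throws LoginException {
		return true;
	}

	/**
	 * Resolves the subject's authorization through the {@link UserAdmin} service,
	 * attaches it to the subject and, when an HTTP request is in the shared state,
	 * registers it with the HTTP session.
	 *
	 * @return {@code false} if no authorization could be obtained, {@code true}
	 *         otherwise
	 * @throws LoginException if the user admin service is unavailable, or if the
	 *                        subject has no Kerberos principal while a callback
	 *                        handler was set
	 */
	@Override
	public boolean commit() throws LoginException {
		ServiceReference<UserAdmin> userAdminRef = bc.getServiceReference(UserAdmin.class);
		if (userAdminRef == null)
			throw new LoginException("No " + UserAdmin.class.getName() + " service available");
		UserAdmin userAdmin = bc.getService(userAdminRef);
		if (userAdmin == null)
			throw new LoginException("User admin service " + userAdminRef + " is no longer available");
		try {
			Authorization authorization = authorize(userAdmin);
			if (authorization == null)
				return false;
			CmsAuthUtils.addAuthentication(subject, authorization);
			HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
			if (request != null) {
				CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
			}
			return true;
		} finally {
			// release the service usage count acquired by getService()
			bc.ungetService(userAdminRef);
		}
	}

	/**
	 * Looks up the authorization for the subject: anonymous when it carries no
	 * Kerberos principal, otherwise the user whose DN is derived from the
	 * (first) Kerberos principal.
	 *
	 * @param userAdmin the user admin service to query
	 * @return the authorization, possibly {@code null} if the user admin returns none
	 * @throws LoginException if the subject is anonymous but a callback handler was set
	 */
	private Authorization authorize(UserAdmin userAdmin) throws LoginException {
		Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
		if (kerberosPrincipals.isEmpty()) {
			// a callback handler signals that the caller expected an actual login,
			// so silently falling back to anonymous would be wrong
			if (callbackHandler != null)
				throw new LoginException("Cannot be anonymous if callback handler is set");
			return userAdmin.getAuthorization(null);
		}
		// NOTE(review): if the subject holds several Kerberos principals, which one
		// is used depends on set iteration order — confirm this cannot happen
		KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
		LdapName dn = kerberosToIpa(kerberosPrincipal);
		AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
		// executed as the subject, presumably so that the user admin can use the
		// subject's Kerberos credentials — confirm against the UserAdmin implementation
		return Subject.doAs(subject,
				(PrivilegedAction<Authorization>) () -> userAdmin.getAuthorization(authenticatingUser));
	}

	/**
	 * Maps a Kerberos principal {@code user@REALM} to the IPA user DN
	 * {@code uid=user,cn=users,cn=accounts,dc=realm,dc=parts}. The realm is
	 * lower-cased and split on dots into {@code dc} components; user and
	 * component values are escaped so that DN-significant characters in the
	 * principal cannot alter the structure of the resulting name.
	 *
	 * @param kerberosPrincipal the principal to map
	 * @return the user DN
	 * @throws CmsException if the principal has no user or realm part, or if the
	 *                      resulting DN is not a valid LDAP name
	 */
	private LdapName kerberosToIpa(KerberosPrincipal kerberosPrincipal) {
		String name = kerberosPrincipal.getName();
		// the realm follows the last '@'; everything before it is the user name
		int at = name.lastIndexOf('@');
		if (at <= 0 || at == name.length() - 1)
			throw new CmsException("Kerberos principal " + kerberosPrincipal + " has no user or realm part");
		String username = name.substring(0, at);
		String realm = name.substring(at + 1);

		StringBuilder sb = new StringBuilder();
		sb.append(LdapAttrs.uid).append('=').append(Rdn.escapeValue(username));
		sb.append(",cn=users,cn=accounts");
		for (String dc : realm.split("\\.")) {
			// Locale.ROOT: DN components must not depend on the JVM's default locale
			sb.append(',').append(LdapAttrs.dc.name()).append('=').append(Rdn.escapeValue(dc.toLowerCase(Locale.ROOT)));
		}
		String dn = sb.toString();
		try {
			return new LdapName(dn);
		} catch (InvalidNameException e) {
			throw new CmsException("Badly formatted name for " + kerberosPrincipal + ": " + dn, e);
		}
	}

	/**
	 * Nothing to roll back: {@link #login()} accumulates no state.
	 *
	 * @return {@code false}, i.e. this module is to be ignored by the login context
	 */
	@Override
	public boolean abort() throws LoginException {
		return false;
	}

	/**
	 * Ends the HTTP session authorization, if any, for the subject.
	 *
	 * @return whatever {@link CmsAuthUtils#logoutSession} reports
	 */
	@Override
	public boolean logout() throws LoginException {
		return CmsAuthUtils.logoutSession(bc, subject);
	}

}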