1 package org
.argeo
.cms
.auth
;
3 import static org
.argeo
.api
.cms
.CmsConstants
.ROLE_ADMIN
;
4 import static org
.argeo
.api
.cms
.CmsConstants
.ROLE_ANONYMOUS
;
5 import static org
.argeo
.api
.cms
.CmsConstants
.ROLE_USER
;
6 import static org
.argeo
.api
.cms
.CmsConstants
.ROLE_USER_ADMIN
;
8 import java
.security
.Principal
;
9 import java
.util
.Arrays
;
10 import java
.util
.Collections
;
11 import java
.util
.List
;
12 import java
.util
.Locale
;
14 import java
.util
.UUID
;
16 //import javax.naming.InvalidNameException;
17 //import javax.naming.ldap.LdapName;
18 import javax
.security
.auth
.Subject
;
19 import javax
.security
.auth
.x500
.X500Principal
;
21 import org
.argeo
.api
.cms
.AnonymousPrincipal
;
22 import org
.argeo
.api
.cms
.CmsConstants
;
23 import org
.argeo
.api
.cms
.CmsSession
;
24 import org
.argeo
.api
.cms
.CmsSessionId
;
25 import org
.argeo
.api
.cms
.DataAdminPrincipal
;
26 import org
.argeo
.api
.cms
.auth
.ImpliedByPrincipal
;
27 import org
.argeo
.cms
.internal
.auth
.CmsSessionImpl
;
28 import org
.argeo
.cms
.internal
.auth
.RemoteCmsSessionImpl
;
29 import org
.argeo
.cms
.internal
.runtime
.CmsContextImpl
;
30 import org
.argeo
.cms
.osgi
.useradmin
.AuthenticatingUser
;
31 import org
.osgi
.service
.useradmin
.Authorization
;
33 /** Centralises security related registrations. */
36 final static String SHARED_STATE_NAME
= AuthenticatingUser
.SHARED_STATE_NAME
;
37 final static String SHARED_STATE_PWD
= AuthenticatingUser
.SHARED_STATE_PWD
;
38 // final static String HEADER_AUTHORIZATION = "Authorization";
39 // final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
42 final static String SHARED_STATE_HTTP_REQUEST
= "org.argeo.cms.auth.http.request";
43 final static String SHARED_STATE_SPNEGO_TOKEN
= "org.argeo.cms.auth.spnegoToken";
44 final static String SHARED_STATE_SPNEGO_OUT_TOKEN
= "org.argeo.cms.auth.spnegoOutToken";
45 final static String SHARED_STATE_CERTIFICATE_CHAIN
= "org.argeo.cms.auth.certificateChain";
46 final static String SHARED_STATE_REMOTE_ADDR
= "org.argeo.cms.auth.remote.addr";
47 final static String SHARED_STATE_REMOTE_PORT
= "org.argeo.cms.auth.remote.port";
48 final static String SHARED_STATE_OS_USERNAME
= "org.argeo.cms.os.username";
50 final static String SINGLE_USER_LOCAL_ID
= "single-user";
52 private final static List
<String
> RESERVED_ROLES
= Collections
53 .unmodifiableList(Arrays
.asList(new String
[] { ROLE_ADMIN
, ROLE_ANONYMOUS
, ROLE_USER
, ROLE_USER_ADMIN
}));
55 static void addAuthorization(Subject subject
, Authorization authorization
) {
56 assert subject
!= null;
57 checkSubjectEmpty(subject
);
58 assert authorization
!= null;
60 // required for display name:
61 subject
.getPrivateCredentials().add(authorization
);
63 boolean singleUser
= authorization
instanceof SingleUserAuthorization
;
65 Set
<Principal
> principals
= subject
.getPrincipals();
67 String authName
= authorization
.getName();
69 // determine user's principal
70 // final LdapName name;
71 final Principal userPrincipal
;
72 if (authName
== null) {
73 // name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
74 userPrincipal
= new AnonymousPrincipal();
75 principals
.add(userPrincipal
);
77 // name = new LdapName(authName);
78 checkUserName(authName
);
79 userPrincipal
= new X500Principal(authName
.toString());
80 principals
.add(userPrincipal
);
83 principals
.add(new ImpliedByPrincipal(CmsConstants
.ROLE_ADMIN
, userPrincipal
));
84 principals
.add(new DataAdminPrincipal());
88 // Add roles provided by authorization
89 for (String role
: authorization
.getRoles()) {
90 // LdapName roleName = new LdapName(role);
91 if (role
.equals(authName
)) {
93 } else if (role
.equals(CmsConstants
.ROLE_ANONYMOUS
)) {
96 // NodeSecurityUtils.checkImpliedPrincipalName(role);
97 principals
.add(new ImpliedByPrincipal(role
, userPrincipal
));
98 if (role
.equals(CmsConstants
.ROLE_ADMIN
))
99 principals
.add(new DataAdminPrincipal());
103 // } catch (InvalidNameException e) {
104 // throw new IllegalArgumentException("Cannot commit", e);
108 private static void checkSubjectEmpty(Subject subject
) {
109 if (!subject
.getPrincipals(AnonymousPrincipal
.class).isEmpty())
110 throw new IllegalStateException("Already logged in as anonymous: " + subject
);
111 if (!subject
.getPrincipals(X500Principal
.class).isEmpty())
112 throw new IllegalStateException("Already logged in as user: " + subject
);
113 if (!subject
.getPrincipals(DataAdminPrincipal
.class).isEmpty())
114 throw new IllegalStateException("Already logged in as data admin: " + subject
);
115 if (!subject
.getPrincipals(ImpliedByPrincipal
.class).isEmpty())
116 throw new IllegalStateException("Already authorized: " + subject
);
119 static void cleanUp(Subject subject
) {
121 subject
.getPrincipals().removeAll(subject
.getPrincipals(X500Principal
.class));
122 subject
.getPrincipals().removeAll(subject
.getPrincipals(ImpliedByPrincipal
.class));
123 subject
.getPrincipals().removeAll(subject
.getPrincipals(AnonymousPrincipal
.class));
124 subject
.getPrincipals().removeAll(subject
.getPrincipals(DataAdminPrincipal
.class));
126 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(CmsSessionId
.class));
127 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(Authorization
.class));
129 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
130 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
133 @SuppressWarnings("unused")
134 synchronized static void registerSessionAuthorization(RemoteAuthRequest request
, Subject subject
,
135 Authorization authorization
, Locale locale
) {
136 // synchronized in order to avoid multiple registrations
137 // TODO move it to a service in order to avoid static synchronization
138 if (request
!= null) {
139 RemoteAuthSession httpSession
= request
.getSession();
140 String httpSessId
= httpSession
!= null ? httpSession
.getId() : null;
141 boolean anonymous
= authorization
.getName() == null;
142 String remoteUser
= !anonymous ? authorization
.getName() : CmsConstants
.ROLE_ANONYMOUS
;
143 request
.setAttribute(RemoteAuthRequest
.REMOTE_USER
, remoteUser
);
144 request
.setAttribute(RemoteAuthRequest
.AUTHORIZATION
, authorization
);
146 CmsSessionImpl cmsSession
;
147 CmsSessionImpl currentLocalSession
= CmsContextImpl
.getCmsContext().getCmsSessionByLocalId(httpSessId
);
148 if (currentLocalSession
!= null) {
149 boolean currentLocalSessionAnonymous
= currentLocalSession
.isAnonymous();
151 if (currentLocalSessionAnonymous
) {
152 currentLocalSession
.close();
154 UUID cmsSessionUuid
= CmsContextImpl
.getCmsContext().getUuidFactory().timeUUID();
155 cmsSession
= new RemoteCmsSessionImpl(cmsSessionUuid
, subject
, authorization
, locale
, request
);
156 CmsContextImpl
.getCmsContext().registerCmsSession(cmsSession
);
157 } else if (!authorization
.getName().equals(currentLocalSession
.getAuthorization().getName())) {
158 throw new IllegalStateException("Inconsistent user " + authorization
.getName()
159 + " for existing CMS session " + currentLocalSession
);
161 // keep current session
162 cmsSession
= currentLocalSession
;
164 // TODO control it more??
165 subject
.getPrivateCredentials().addAll(cmsSession
.getSubject().getPrivateCredentials());
166 subject
.getPublicCredentials().addAll(cmsSession
.getSubject().getPublicCredentials());
169 if (!currentLocalSessionAnonymous
) {
170 currentLocalSession
.close();
171 throw new IllegalStateException(
172 "Existing CMS session " + currentLocalSession
+ " was not logged out properly.");
174 // keep current session
175 cmsSession
= currentLocalSession
;
179 UUID cmsSessionUuid
= CmsContextImpl
.getCmsContext().getUuidFactory().timeUUID();
180 cmsSession
= new RemoteCmsSessionImpl(cmsSessionUuid
, subject
, authorization
, locale
, request
);
181 CmsContextImpl
.getCmsContext().registerCmsSession(cmsSession
);
184 if (cmsSession
== null)// should be dead code (cf. SuppressWarning of the method)
185 throw new IllegalStateException("CMS session cannot be null");
187 CmsSessionId nodeSessionId
= new CmsSessionId(cmsSession
.getUuid());
188 if (subject
.getPrivateCredentials(CmsSessionId
.class).size() == 0) {
189 subject
.getPrivateCredentials().add(nodeSessionId
);
191 UUID storedSessionId
= subject
.getPrivateCredentials(CmsSessionId
.class).iterator().next().getUuid();
192 if (!storedSessionId
.equals(nodeSessionId
.getUuid()))
193 throw new IllegalStateException(
194 "Subject already logged with session " + storedSessionId
+ " (not " + nodeSessionId
+ ")");
196 request
.setAttribute(CmsSession
.class.getName(), cmsSession
);
198 CmsSessionImpl cmsSession
= CmsContextImpl
.getCmsContext().getCmsSessionByLocalId(SINGLE_USER_LOCAL_ID
);
199 if (cmsSession
== null) {
200 UUID cmsSessionUuid
= CmsContextImpl
.getCmsContext().getUuidFactory().timeUUID();
201 cmsSession
= new CmsSessionImpl(cmsSessionUuid
, subject
, authorization
, locale
, SINGLE_USER_LOCAL_ID
);
202 CmsContextImpl
.getCmsContext().registerCmsSession(cmsSession
);
204 CmsSessionId nodeSessionId
= new CmsSessionId(cmsSession
.getUuid());
205 subject
.getPrivateCredentials().add(nodeSessionId
);
209 // public static CmsSessionImpl cmsSessionFromHttpSession(BundleContext bc, String httpSessionId) {
210 // Authorization authorization = null;
211 // Collection<ServiceReference<CmsSession>> sr;
213 // sr = bc.getServiceReferences(CmsSession.class,
214 // "(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessionId + ")");
215 // } catch (InvalidSyntaxException e) {
216 // throw new IllegalArgumentException("Cannot get CMS session for id " + httpSessionId, e);
218 // CmsSessionImpl cmsSession;
219 // if (sr.size() == 1) {
220 // cmsSession = (CmsSessionImpl) bc.getService(sr.iterator().next());
221 //// locale = cmsSession.getLocale();
222 // authorization = cmsSession.getAuthorization();
223 // if (authorization.getName() == null)
224 // return null;// anonymous is not sufficient
225 // } else if (sr.size() == 0)
228 // throw new IllegalStateException(sr.size() + ">1 web sessions detected for http session " + httpSessionId);
229 // return cmsSession;
232 public static <T
extends Principal
> T
getSinglePrincipal(Subject subject
, Class
<T
> clss
) {
233 Set
<T
> principals
= subject
.getPrincipals(clss
);
234 if (principals
.isEmpty())
236 if (principals
.size() > 1)
237 throw new IllegalStateException("Only one " + clss
+ " principal expected in " + subject
);
238 return principals
.iterator().next();
241 private static void checkUserName(String name
) throws IllegalArgumentException
{
242 if (RESERVED_ROLES
.contains(name
))
243 throw new IllegalArgumentException(name
+ " is a reserved name");
246 private CmsAuthUtils() {