1 package org
.argeo
.cms
.auth
;
3 import java
.security
.Principal
;
4 import java
.util
.Collection
;
5 import java
.util
.Locale
;
9 import javax
.naming
.InvalidNameException
;
10 import javax
.naming
.ldap
.LdapName
;
11 import javax
.security
.auth
.Subject
;
12 import javax
.security
.auth
.x500
.X500Principal
;
13 import javax
.servlet
.http
.HttpServletRequest
;
14 import javax
.servlet
.http
.HttpSession
;
16 import org
.argeo
.api
.NodeConstants
;
17 import org
.argeo
.api
.cms
.CmsSession
;
18 import org
.argeo
.api
.cms
.CmsSessionId
;
19 import org
.argeo
.api
.security
.AnonymousPrincipal
;
20 import org
.argeo
.api
.security
.DataAdminPrincipal
;
21 import org
.argeo
.api
.security
.NodeSecurityUtils
;
22 import org
.argeo
.cms
.internal
.auth
.CmsSessionImpl
;
23 import org
.argeo
.cms
.internal
.auth
.ImpliedByPrincipal
;
24 import org
.argeo
.cms
.internal
.http
.WebCmsSessionImpl
;
25 import org
.argeo
.osgi
.useradmin
.AuthenticatingUser
;
26 import org
.osgi
.framework
.BundleContext
;
27 import org
.osgi
.framework
.InvalidSyntaxException
;
28 import org
.osgi
.framework
.ServiceReference
;
29 import org
.osgi
.service
.http
.HttpContext
;
30 import org
.osgi
.service
.useradmin
.Authorization
;
32 /** Centralises security related registrations. */
35 final static String SHARED_STATE_NAME
= AuthenticatingUser
.SHARED_STATE_NAME
;
36 final static String SHARED_STATE_PWD
= AuthenticatingUser
.SHARED_STATE_PWD
;
37 final static String HEADER_AUTHORIZATION
= "Authorization";
38 final static String HEADER_WWW_AUTHENTICATE
= "WWW-Authenticate";
41 final static String SHARED_STATE_HTTP_REQUEST
= "org.argeo.cms.auth.http.request";
42 final static String SHARED_STATE_SPNEGO_TOKEN
= "org.argeo.cms.auth.spnegoToken";
43 final static String SHARED_STATE_SPNEGO_OUT_TOKEN
= "org.argeo.cms.auth.spnegoOutToken";
44 final static String SHARED_STATE_CERTIFICATE_CHAIN
= "org.argeo.cms.auth.certificateChain";
45 final static String SHARED_STATE_REMOTE_ADDR
= "org.argeo.cms.auth.remote.addr";
46 final static String SHARED_STATE_REMOTE_PORT
= "org.argeo.cms.auth.remote.port";
48 static void addAuthorization(Subject subject
, Authorization authorization
) {
49 assert subject
!= null;
50 checkSubjectEmpty(subject
);
51 assert authorization
!= null;
53 // required for display name:
54 subject
.getPrivateCredentials().add(authorization
);
56 boolean singleUser
= authorization
instanceof SingleUserAuthorization
;
58 Set
<Principal
> principals
= subject
.getPrincipals();
60 String authName
= authorization
.getName();
62 // determine user's principal
64 final Principal userPrincipal
;
65 if (authName
== null) {
66 name
= NodeSecurityUtils
.ROLE_ANONYMOUS_NAME
;
67 userPrincipal
= new AnonymousPrincipal();
68 principals
.add(userPrincipal
);
70 name
= new LdapName(authName
);
71 NodeSecurityUtils
.checkUserName(name
);
72 userPrincipal
= new X500Principal(name
.toString());
73 principals
.add(userPrincipal
);
76 principals
.add(new ImpliedByPrincipal(NodeSecurityUtils
.ROLE_ADMIN_NAME
, userPrincipal
));
77 principals
.add(new DataAdminPrincipal());
81 // Add roles provided by authorization
82 for (String role
: authorization
.getRoles()) {
83 LdapName roleName
= new LdapName(role
);
84 if (roleName
.equals(name
)) {
86 } else if (roleName
.equals(NodeSecurityUtils
.ROLE_ANONYMOUS_NAME
)) {
89 NodeSecurityUtils
.checkImpliedPrincipalName(roleName
);
90 principals
.add(new ImpliedByPrincipal(roleName
.toString(), userPrincipal
));
91 if (roleName
.equals(NodeSecurityUtils
.ROLE_ADMIN_NAME
))
92 principals
.add(new DataAdminPrincipal());
96 } catch (InvalidNameException e
) {
97 throw new IllegalArgumentException("Cannot commit", e
);
101 private static void checkSubjectEmpty(Subject subject
) {
102 if (!subject
.getPrincipals(AnonymousPrincipal
.class).isEmpty())
103 throw new IllegalStateException("Already logged in as anonymous: " + subject
);
104 if (!subject
.getPrincipals(X500Principal
.class).isEmpty())
105 throw new IllegalStateException("Already logged in as user: " + subject
);
106 if (!subject
.getPrincipals(DataAdminPrincipal
.class).isEmpty())
107 throw new IllegalStateException("Already logged in as data admin: " + subject
);
108 if (!subject
.getPrincipals(ImpliedByPrincipal
.class).isEmpty())
109 throw new IllegalStateException("Already authorized: " + subject
);
112 static void cleanUp(Subject subject
) {
114 subject
.getPrincipals().removeAll(subject
.getPrincipals(X500Principal
.class));
115 subject
.getPrincipals().removeAll(subject
.getPrincipals(ImpliedByPrincipal
.class));
116 subject
.getPrincipals().removeAll(subject
.getPrincipals(AnonymousPrincipal
.class));
117 subject
.getPrincipals().removeAll(subject
.getPrincipals(DataAdminPrincipal
.class));
119 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(CmsSessionId
.class));
120 subject
.getPrivateCredentials().removeAll(subject
.getPrivateCredentials(Authorization
.class));
122 // subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
123 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
126 @SuppressWarnings("unused")
127 synchronized static void registerSessionAuthorization(HttpServletRequest request
, Subject subject
,
128 Authorization authorization
, Locale locale
) {
129 // synchronized in order to avoid multiple registrations
130 // TODO move it to a service in order to avoid static synchronization
131 if (request
!= null) {
132 HttpSession httpSession
= request
.getSession(false);
133 assert httpSession
!= null;
134 String httpSessId
= httpSession
.getId();
135 boolean anonymous
= authorization
.getName() == null;
136 String remoteUser
= !anonymous ? authorization
.getName() : NodeConstants
.ROLE_ANONYMOUS
;
137 request
.setAttribute(HttpContext
.REMOTE_USER
, remoteUser
);
138 request
.setAttribute(HttpContext
.AUTHORIZATION
, authorization
);
140 CmsSessionImpl cmsSession
;
141 CmsSessionImpl currentLocalSession
= CmsSessionImpl
.getByLocalId(httpSessId
);
142 if (currentLocalSession
!= null) {
143 boolean currentLocalSessionAnonymous
= currentLocalSession
.getAuthorization().getName() == null;
145 if (currentLocalSessionAnonymous
) {
146 currentLocalSession
.close();
148 cmsSession
= new WebCmsSessionImpl(subject
, authorization
, locale
, request
);
149 } else if (!authorization
.getName().equals(currentLocalSession
.getAuthorization().getName())) {
150 throw new IllegalStateException("Inconsistent user " + authorization
.getName()
151 + " for existing CMS session " + currentLocalSession
);
153 // keep current session
154 cmsSession
= currentLocalSession
;
156 subject
.getPrivateCredentials().addAll(cmsSession
.getSecretKeys());
159 if (!currentLocalSessionAnonymous
) {
160 currentLocalSession
.close();
161 throw new IllegalStateException(
162 "Existing CMS session " + currentLocalSession
+ " was not logged out properly.");
164 // keep current session
165 cmsSession
= currentLocalSession
;
169 cmsSession
= new WebCmsSessionImpl(subject
, authorization
, locale
, request
);
172 if (cmsSession
== null)// should be dead code (cf. SuppressWarning of the method)
173 throw new IllegalStateException("CMS session cannot be null");
175 CmsSessionId nodeSessionId
= new CmsSessionId(cmsSession
.getUuid());
176 if (subject
.getPrivateCredentials(CmsSessionId
.class).size() == 0) {
177 subject
.getPrivateCredentials().add(nodeSessionId
);
179 UUID storedSessionId
= subject
.getPrivateCredentials(CmsSessionId
.class).iterator().next().getUuid();
180 // if (storedSessionId.equals(httpSessionId.getValue()))
181 throw new IllegalStateException(
182 "Subject already logged with session " + storedSessionId
+ " (not " + nodeSessionId
+ ")");
185 CmsSessionImpl cmsSession
= new CmsSessionImpl(subject
, authorization
, locale
, "desktop");
186 CmsSessionId nodeSessionId
= new CmsSessionId(cmsSession
.getUuid());
187 subject
.getPrivateCredentials().add(nodeSessionId
);
191 public static CmsSessionImpl
cmsSessionFromHttpSession(BundleContext bc
, String httpSessionId
) {
192 Authorization authorization
= null;
193 Collection
<ServiceReference
<CmsSession
>> sr
;
195 sr
= bc
.getServiceReferences(CmsSession
.class,
196 "(" + CmsSession
.SESSION_LOCAL_ID
+ "=" + httpSessionId
+ ")");
197 } catch (InvalidSyntaxException e
) {
198 throw new IllegalArgumentException("Cannot get CMS session for id " + httpSessionId
, e
);
200 CmsSessionImpl cmsSession
;
201 if (sr
.size() == 1) {
202 cmsSession
= (CmsSessionImpl
) bc
.getService(sr
.iterator().next());
203 // locale = cmsSession.getLocale();
204 authorization
= cmsSession
.getAuthorization();
205 if (authorization
.getName() == null)
206 return null;// anonymous is not sufficient
207 } else if (sr
.size() == 0)
210 throw new IllegalStateException(sr
.size() + ">1 web sessions detected for http session " + httpSessionId
);
214 public static <T
extends Principal
> T
getSinglePrincipal(Subject subject
, Class
<T
> clss
) {
215 Set
<T
> principals
= subject
.getPrincipals(clss
);
216 if (principals
.isEmpty())
218 if (principals
.size() > 1)
219 throw new IllegalStateException("Only one " + clss
+ " principal expected in " + subject
);
220 return principals
.iterator().next();
223 private CmsAuthUtils() {