1 package org
.argeo
.cms
.auth
;
import java.security.PrivilegedAction;
import java.util.Locale;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.argeo.cms.CmsException;
import org.argeo.naming.LdapAttrs;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.UserAdmin;
22 public class IpaLoginModule
implements LoginModule
{
23 private BundleContext bc
;
24 private Subject subject
;
/**
 * Keeps the subject to authenticate and resolves this bundle's
 * {@link BundleContext}, which {@link #commit()} later uses to look up the
 * {@link UserAdmin} service.
 *
 * <p>Only {@code subject} is retained; {@code callbackHandler},
 * {@code sharedState} and {@code options} are not read by the code shown here.
 * Any failure while obtaining the bundle context is rethrown as a
 * {@link CmsException} with the original exception kept as its cause.
 *
 * @param subject         the subject being authenticated
 * @param callbackHandler not used by the visible code
 * @param sharedState     not used by the visible code
 * @param options         not used by the visible code
 * @throws CmsException if the bundle context cannot be obtained
 */
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
		Map<String, ?> options) {
	this.subject = subject;
	// FrameworkUtil.getBundle() yields null when this class was not loaded by an
	// OSGi bundle class loader; the resulting NPE is what the catch below turns
	// into a CmsException
	bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
	// NOTE(review): the opening of the try block that guards the lookup above is
	// not visible in this excerpt
} catch (Exception e) {
	// broad catch at the login-module boundary; the cause is preserved
	throw new CmsException("Cannot initialize login module", e);
39 public boolean login() throws LoginException
{
/**
 * Resolves the {@link Authorization} matching the Kerberos identity already
 * present on the subject and attaches it through {@code CmsAuthUtils}.
 *
 * <p>Visible steps: the {@link UserAdmin} service is fetched from the bundle
 * context; if the subject carries no {@link KerberosPrincipal}, the
 * authorization is requested for {@code null}; otherwise the first principal is
 * mapped to its IPA user DN via {@link #kerberosToIpa(KerberosPrincipal)} and
 * the lookup is executed as the subject. What happens when the resulting
 * authorization is {@code null}, and the method's return value, are not shown
 * in this excerpt.
 *
 * @return see the {@link LoginModule#commit()} contract (tail of the body not
 *         visible here)
 * @throws LoginException per the {@link LoginModule} contract
 */
public boolean commit() throws LoginException {
	// Service is fetched directly; nothing visible ungets it afterwards, and a
	// null service reference would surface here as an NPE rather than a
	// LoginException
	UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
	Authorization authorization = null;
	Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
	if (kerberosPrincipals.isEmpty()) {
		// No Kerberos identity: null asks UserAdmin for the anonymous
		// authorization (OSGi UserAdmin contract) -- confirm this fallback is
		// intended rather than failing the commit
		authorization = userAdmin.getAuthorization(null);
		// NOTE(review): the else branch separating the two cases is not visible
		// in this excerpt. Only the first principal is used when several are
		// present; iteration order of the principal set decides which one.
		KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
		LdapName dn = kerberosToIpa(kerberosPrincipal);
		AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
		// Run the lookup as the subject so that the directory access performed by
		// UserAdmin (presumably a bind with the subject's Kerberos credentials --
		// not visible here) is done under that identity
		authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
			public Authorization run() {
				Authorization authorization = userAdmin.getAuthorization(authenticatingUser);
				// remainder of run() not visible in this excerpt
	// handling of a null authorization not visible in this excerpt
	if (authorization == null)
	CmsAuthUtils.addAuthentication(subject, authorization);
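/**
 * Maps a Kerberos principal ({@code user@REALM}) to the DN of the matching IPA
 * user entry: {@code uid=<user>,cn=users,cn=accounts} followed by one
 * {@code dc} RDN per dot-separated, lower-cased realm component, so
 * {@code alice@EXAMPLE.COM} yields
 * {@code uid=alice,cn=users,cn=accounts,dc=example,dc=com}.
 *
 * <p>The user part and every realm component come from the authenticated
 * principal, so each is escaped as an RDN value before the DN is assembled;
 * otherwise a value containing DN metacharacters ({@code ,}, {@code =},
 * {@code +}, ...) would change the structure of the entry being looked up
 * instead of being matched literally.
 *
 * @param kerberosPrincipal the authenticated principal, expected to carry a
 *                          realm
 * @return the LDAP name of the corresponding IPA user entry
 * @throws CmsException if the principal has no realm part or the assembled DN
 *                      cannot be parsed
 */
private LdapName kerberosToIpa(KerberosPrincipal kerberosPrincipal) {
	String[] kname = kerberosPrincipal.getName().split("@");
	// guard the realm access explicitly instead of letting it fail with an
	// ArrayIndexOutOfBoundsException
	if (kname.length < 2 || kname[0].isEmpty())
		throw new CmsException("No realm in Kerberos principal " + kerberosPrincipal);
	String username = kname[0];
	String[] dcs = kname[1].split("\\.");

	StringBuilder dn = new StringBuilder();
	// name() is the attribute type, as already used for dc below
	dn.append(LdapAttrs.uid.name()).append('=').append(Rdn.escapeValue(username));
	dn.append(",cn=users,cn=accounts");
	for (String dc : dcs) {
		// fixed locale so the mapping does not depend on the JVM default locale
		dn.append(',').append(LdapAttrs.dc.name()).append('=')
				.append(Rdn.escapeValue(dc.toLowerCase(Locale.ROOT)));
	}
	try {
		return new LdapName(dn.toString());
	} catch (InvalidNameException e) {
		// keep the parse error as cause rather than dropping it
		throw new CmsException("Badly formatted name for " + kerberosPrincipal + ": " + dn, e);
	}
}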
87 public boolean abort() throws LoginException
{
88 // TODO Auto-generated method stub
93 public boolean logout() throws LoginException
{
94 // TODO Auto-generated method stub