1 package org
.argeo
.cms
.auth
;
import java.security.PrivilegedAction;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;

import org.argeo.cms.CmsException;
import org.argeo.naming.LdapAttrs;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.UserAdmin;
23 public class IpaLoginModule
implements LoginModule
{
// Bundle context of this class' bundle, obtained in initialize(); used to look up
// the UserAdmin service and handed to CmsAuthUtils for session registration/logout.
private BundleContext bc;
// The subject being authenticated; its KerberosPrincipals drive commit().
private Subject subject;
// Shared state of the login stack, cast to a writable map in initialize();
// commit() reads the HTTP request from it under CmsAuthUtils.SHARED_STATE_HTTP_REQUEST.
private Map<String, Object> sharedState = null;
// Callback handler supplied by the caller; commit() refuses an anonymous
// authorization when it is non-null.
private CallbackHandler callbackHandler;
/**
 * Stores the JAAS state handed over by the login context and looks up the
 * bundle context of this class' bundle.
 *
 * @param subject         the subject being authenticated; examined later by
 *                        {@link #commit()}
 * @param callbackHandler the handler supplied by the caller (may be null; its
 *                        presence is checked in {@link #commit()})
 * @param sharedState     state shared with the other modules of the stack; the
 *                        HTTP request is read from it in {@link #commit()}
 * @param options         module options (not used by this module)
 * @throws CmsException if the bundle context cannot be obtained
 */
@SuppressWarnings("unchecked")
@Override
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
        Map<String, ?> options) {
    this.callbackHandler = callbackHandler;
    this.subject = subject;
    // the field is declared as a writable map, hence the unchecked cast;
    // only reads of the map are visible in this module
    Map<String, Object> writableSharedState = (Map<String, Object>) sharedState;
    this.sharedState = writableSharedState;
    try {
        bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
    } catch (Exception e) {
        // any failure here (including a null bundle) is fatal for the module
        throw new CmsException("Cannot initialize login module", e);
    }
}
/**
 * Authentication phase of the module.
 *
 * NOTE(review): the method body, including its return statement, is absent from
 * the extracted source. The visible {@link #commit()} examines the Kerberos
 * principals already present in the subject, so presumably login() performs no
 * authentication of its own -- confirm against the original file.
 */
public boolean login() throws LoginException {
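/**
 * Commit phase: resolves an OSGi {@link Authorization} for the subject, attaches
 * it to the subject via {@code CmsAuthUtils.addAuthentication} and, when an HTTP
 * request is present in the shared state, registers it for that request.
 *
 * <p>Two cases are distinguished by the {@link KerberosPrincipal}s already present
 * in the subject:
 * <ul>
 * <li>none: the anonymous authorization ({@code userAdmin.getAuthorization(null)}),
 *     but only if no callback handler was supplied;</li>
 * <li>one (or more): the principal name is mapped to the IPA user DN and the
 *     authorization is looked up while running as the subject.</li>
 * </ul>
 *
 * <p>The UserAdmin service is acquired and released within this call, so the
 * bundle does not keep an extra usage count on it.
 *
 * @return {@code true} when an authorization was attached, {@code false} when the
 *         user admin returned none for this subject
 * @throws LoginException if the UserAdmin service is unavailable, or if an
 *         anonymous commit is attempted while a callback handler is set
 */
@Override
public boolean commit() throws LoginException {
    ServiceReference<UserAdmin> userAdminRef = bc.getServiceReference(UserAdmin.class);
    // getService(null) would end in a NullPointerException; fail the login explicitly
    if (userAdminRef == null)
        throw new LoginException("UserAdmin service is not available");
    UserAdmin userAdmin = bc.getService(userAdminRef);
    if (userAdmin == null)
        throw new LoginException("UserAdmin service is not available");
    try {
        Authorization authorization = resolveAuthorization(userAdmin);
        if (authorization == null) {
            // NOTE(review): the statement on this branch is absent from the extracted
            // source; per the LoginModule contract, false means this module is ignored
            return false;
        }
        CmsAuthUtils.addAuthentication(subject, authorization);
        HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
        if (request != null) {
            CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
        }
        return true;
    } finally {
        // release the usage count taken by getService above
        bc.ungetService(userAdminRef);
    }
}

/**
 * Resolves the authorization for the current subject: anonymous when no Kerberos
 * principal is present, otherwise by the IPA DN derived from the principal.
 *
 * @param userAdmin the user admin service to query
 * @return the authorization, or {@code null} if the user admin returned none
 * @throws LoginException if no Kerberos principal is present but a callback
 *         handler was supplied
 */
private Authorization resolveAuthorization(final UserAdmin userAdmin) throws LoginException {
    Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
    if (kerberosPrincipals.isEmpty()) {
        // a callback handler means credentials were expected: do not fall back to anonymous
        if (callbackHandler != null)
            throw new LoginException("Cannot be anonymous if callback handler is set");
        return userAdmin.getAuthorization(null);
    }
    // NOTE(review): with several Kerberos principals the first one of an unordered
    // Set wins; confirm that the stack never adds more than one
    KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
    LdapName dn = kerberosToIpa(kerberosPrincipal);
    final AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
    // the lookup runs as the subject -- presumably so the user admin sees the
    // subject's own credentials; verify against UserAdmin implementation
    return Subject.doAs(subject, new PrivilegedAction<Authorization>() {
        @Override
        public Authorization run() {
            return userAdmin.getAuthorization(authenticatingUser);
        }
    });
}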
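/**
 * Maps a Kerberos principal ({@code user@REALM}) to the DN of the corresponding
 * IPA user entry: {@code uid=<user>,cn=users,cn=accounts,dc=<realm component>,...}.
 *
 * <p>The user name and every realm component are RDN-escaped before being
 * concatenated, so a principal name containing DN metacharacters (',', '=', '+',
 * ...) cannot add or alter RDNs of the resulting DN. Realm components are
 * lower-cased with {@link Locale#ROOT} so the result does not depend on the
 * default locale. The realm is taken after the last '@' of the name.
 *
 * @param kerberosPrincipal the authenticated Kerberos principal
 * @return the IPA user DN
 * @throws CmsException if the principal name has no realm part, or if the built
 *         DN does not parse (with the parse error as cause)
 */
private LdapName kerberosToIpa(KerberosPrincipal kerberosPrincipal) {
    String name = kerberosPrincipal.getName();
    int at = name.lastIndexOf('@');
    if (at < 0)
        throw new CmsException("No realm in Kerberos principal " + kerberosPrincipal);
    String username = name.substring(0, at);
    String[] dcs = name.substring(at + 1).split("\\.");
    StringBuilder sb = new StringBuilder();
    for (String dc : dcs) {
        sb.append(',').append(LdapAttrs.dc.name()).append('=')
                .append(Rdn.escapeValue(dc.toLowerCase(Locale.ROOT)));
    }
    String dn = LdapAttrs.uid + "=" + Rdn.escapeValue(username) + ",cn=users,cn=accounts" + sb;
    try {
        return new LdapName(dn);
    } catch (InvalidNameException e) {
        // keep the cause so the offending component can be diagnosed
        throw new CmsException("Badly formatted name for " + kerberosPrincipal + ": " + dn, e);
    }
}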
/**
 * Abort phase (the overall login failed elsewhere in the stack). This is a
 * generated stub: no state set by {@link #commit()} is undone here.
 *
 * NOTE(review): the return statement is absent from the extracted source;
 * confirm against the original file.
 */
public boolean abort() throws LoginException {
    // TODO Auto-generated method stub
/**
 * Logout phase: delegates to
 * {@link CmsAuthUtils#logoutSession(BundleContext, Subject)} with this module's
 * bundle context and subject, and reports its result.
 *
 * @return what the session logout reports
 * @throws LoginException declared by the interface; not thrown by this body itself
 */
@Override
public boolean logout() throws LoginException {
    boolean sessionLoggedOut = CmsAuthUtils.logoutSession(bc, subject);
    return sessionLoggedOut;
}