package org.argeo.cms.auth;
+import static org.argeo.api.cms.CmsConstants.ROLE_ADMIN;
+import static org.argeo.api.cms.CmsConstants.ROLE_ANONYMOUS;
+import static org.argeo.api.cms.CmsConstants.ROLE_USER;
+import static org.argeo.api.cms.CmsConstants.ROLE_USER_ADMIN;
+
import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
-import javax.naming.InvalidNameException;
-import javax.naming.ldap.LdapName;
+//import javax.naming.InvalidNameException;
+//import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.argeo.cms.internal.auth.ImpliedByPrincipal;
import org.argeo.cms.internal.http.WebCmsSessionImpl;
import org.argeo.cms.internal.runtime.CmsContextImpl;
-import org.argeo.cms.security.NodeSecurityUtils;
import org.argeo.osgi.useradmin.AuthenticatingUser;
import org.osgi.service.http.HttpContext;
import org.osgi.service.useradmin.Authorization;
final static String SINGLE_USER_LOCAL_ID = "single-user";
+ private final static List<String> RESERVED_ROLES = Collections
+ .unmodifiableList(Arrays.asList(new String[] { ROLE_ADMIN, ROLE_ANONYMOUS, ROLE_USER, ROLE_USER_ADMIN }));
+
static void addAuthorization(Subject subject, Authorization authorization) {
assert subject != null;
checkSubjectEmpty(subject);
boolean singleUser = authorization instanceof SingleUserAuthorization;
Set<Principal> principals = subject.getPrincipals();
- try {
- String authName = authorization.getName();
-
- // determine user's principal
- final LdapName name;
- final Principal userPrincipal;
- if (authName == null) {
- name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
- userPrincipal = new AnonymousPrincipal();
- principals.add(userPrincipal);
- } else {
- name = new LdapName(authName);
- NodeSecurityUtils.checkUserName(name);
- userPrincipal = new X500Principal(name.toString());
- principals.add(userPrincipal);
-
- if (singleUser) {
- principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_ADMIN_NAME, userPrincipal));
- principals.add(new DataAdminPrincipal());
- }
+// try {
+ String authName = authorization.getName();
+
+ // determine user's principal
+// final LdapName name;
+ final Principal userPrincipal;
+ if (authName == null) {
+// name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
+ userPrincipal = new AnonymousPrincipal();
+ principals.add(userPrincipal);
+ } else {
+// name = new LdapName(authName);
+ checkUserName(authName);
+ userPrincipal = new X500Principal(authName.toString());
+ principals.add(userPrincipal);
+
+ if (singleUser) {
+ principals.add(new ImpliedByPrincipal(CmsConstants.ROLE_ADMIN, userPrincipal));
+ principals.add(new DataAdminPrincipal());
}
+ }
- // Add roles provided by authorization
- for (String role : authorization.getRoles()) {
- LdapName roleName = new LdapName(role);
- if (roleName.equals(name)) {
- // skip
- } else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) {
- // skip
- } else {
- NodeSecurityUtils.checkImpliedPrincipalName(roleName);
- principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
- if (roleName.equals(NodeSecurityUtils.ROLE_ADMIN_NAME))
- principals.add(new DataAdminPrincipal());
- }
+ // Add roles provided by authorization
+ for (String role : authorization.getRoles()) {
+// LdapName roleName = new LdapName(role);
+ if (role.equals(authName)) {
+ // skip
+ } else if (role.equals(CmsConstants.ROLE_ANONYMOUS)) {
+ // skip
+ } else {
+// NodeSecurityUtils.checkImpliedPrincipalName(role);
+ principals.add(new ImpliedByPrincipal(role, userPrincipal));
+ if (role.equals(CmsConstants.ROLE_ADMIN))
+ principals.add(new DataAdminPrincipal());
}
-
- } catch (InvalidNameException e) {
- throw new IllegalArgumentException("Cannot commit", e);
}
+
+// } catch (InvalidNameException e) {
+// throw new IllegalArgumentException("Cannot commit", e);
+// }
}
private static void checkSubjectEmpty(Subject subject) {
if (currentLocalSessionAnonymous) {
currentLocalSession.close();
// new CMS session
- cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
+ UUID cmsSessionUuid = CmsContextImpl.getCmsContext().getUuidFactory().timeUUID();
+ cmsSession = new WebCmsSessionImpl(cmsSessionUuid, subject, authorization, locale, request);
CmsContextImpl.getCmsContext().registerCmsSession(cmsSession);
} else if (!authorization.getName().equals(currentLocalSession.getAuthorization().getName())) {
throw new IllegalStateException("Inconsistent user " + authorization.getName()
}
} else {
// new CMS session
- cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
+ UUID cmsSessionUuid = CmsContextImpl.getCmsContext().getUuidFactory().timeUUID();
+ cmsSession = new WebCmsSessionImpl(cmsSessionUuid, subject, authorization, locale, request);
CmsContextImpl.getCmsContext().registerCmsSession(cmsSession);
}
} else {
CmsSessionImpl cmsSession = CmsContextImpl.getCmsContext().getCmsSessionByLocalId(SINGLE_USER_LOCAL_ID);
if (cmsSession == null) {
- cmsSession = new CmsSessionImpl(subject, authorization, locale, SINGLE_USER_LOCAL_ID);
+ UUID cmsSessionUuid = CmsContextImpl.getCmsContext().getUuidFactory().timeUUID();
+ cmsSession = new CmsSessionImpl(cmsSessionUuid, subject, authorization, locale, SINGLE_USER_LOCAL_ID);
CmsContextImpl.getCmsContext().registerCmsSession(cmsSession);
}
CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
return principals.iterator().next();
}
+ private static void checkUserName(String name) throws IllegalArgumentException {
+ if (RESERVED_ROLES.contains(name))
+ throw new IllegalArgumentException(name + " is a reserved name");
+ }
+
private CmsAuthUtils() {
}
projects / lgpl / argeo-commons.git / blobdiff