Improve client certificate auth
index 81ca5baf3778727783b1f73f6dd045b6a0d893f2..48220a86876b7db2b3092ad9395757cc648514c5 100644 (file)
@@ -41,6 +41,7 @@ public class HttpSessionLoginModule implements LoginModule {
        private BundleContext bc;
 
        private Authorization authorization;
+       private Locale locale;
 
        @SuppressWarnings("unchecked")
        @Override
@@ -90,6 +91,7 @@ public class HttpSessionLoginModule implements LoginModule {
                        }
                        if (sr.size() == 1) {
                                CmsSession cmsSession = bc.getService(sr.iterator().next());
+                               locale = cmsSession.getLocale();
                                authorization = cmsSession.getAuthorization();
                                if (authorization.getName() == null)
                                        authorization = null;// anonymous is not sufficient
@@ -120,8 +122,11 @@ public class HttpSessionLoginModule implements LoginModule {
                }
 
                if (authorization != null) {
-                       Locale locale = request.getLocale();
-                       CmsAuthUtils.addAuthorization(subject, authorization,locale , request);
+                       // Locale locale = request.getLocale();
+                       if (locale == null)
+                               locale = request.getLocale();
+                       subject.getPublicCredentials().add(locale);
+                       CmsAuthUtils.addAuthorization(subject, authorization, locale, request);
                        CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
                        cleanUp();
                        return true;
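Review bot: The commented-out `// Locale locale = request.getLocale();` at the top of the added lines is dead code; the fallback on the two lines below it already expresses the intent, so drop the comment or replace it with one that says why the field takes precedence, e.g. `// prefer the locale captured from an existing CmsSession; fall back to the request's`. Because `locale` is now an instance field set during login and read here, confirm that `cleanUp()` (called just below, body outside the hunk) also resets it the way it presumably resets `authorization`, otherwise a stale value could survive a failed attempt on the same module instance. The enclosing method starts outside the hunk.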
@@ -196,6 +201,14 @@ public class HttpSessionLoginModule implements LoginModule {
                if (null != certs && certs.length > 0) {
                        sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certs[0].getSubjectX500Principal().getName());
                        sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, certs);
+               } else {
+                       // When client has been verified by reverse proxy
+                       String certDn = req.getHeader("SSL_CLIENT_S_DN");
+                       if (certDn != null) {
+                               sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certDn);
+                               String issuerDn = req.getHeader("SSL_CLIENT_I_DN");
+                               sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, issuerDn);
+                       }
                }
        }
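Review bot: The new else branch trusts `SSL_CLIENT_S_DN` straight from the incoming request headers, so any client that can reach the servlet container without going through the TLS-terminating reverse proxy — or through a proxy that does not strip or overwrite that header — can supply an arbitrary DN that then lands in SHARED_STATE_NAME as if it came from a verified client certificate. Gate this branch on explicit deployment configuration that declares a trusted proxy, and for mod_ssl-style proxies also require the verification-result header (`SSL_CLIENT_VERIFY`) to report success before the DN is accepted; a comment such as `// Only honour these headers when the container is reachable solely through the reverse proxy that sets them` should accompany the check. Separately, SHARED_STATE_CERTIFICATE_CHAIN receives a String (the issuer DN) here but an `X509Certificate[]` in the branch above, so any consumer that casts the shared-state value to the certificate array will fail on this path; use a distinct shared-state key for the issuer DN or leave the chain entry unset in the header case. The enclosing method starts outside the hunk.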