Support SSL client authentication

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / HttpSessionLoginModule.java

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
index 9e05ac95aec0212b320dccb3424a573b06de83cc..d2f0fe738d751957b684925d67dfaf895403f829 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
@@ -14,6 +14,7 @@ import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.logging.Log;
@@ -68,7 +69,14 @@ public class HttpSessionLoginModule implements LoginModule {
                        return false;
                authorization = (Authorization) request.getAttribute(HttpContext.AUTHORIZATION);
                if (authorization == null) {// search by session ID
-                       String httpSessionId = request.getSession().getId();
+                       HttpSession httpSession = request.getSession(false);
+                       if (httpSession == null) {
+                               // TODO make sure this is always safe
+                               if (log.isTraceEnabled())
+                                       log.trace("Create http session");
+                               httpSession = request.getSession(true);
+                       }
+                       String httpSessionId = httpSession.getId();
                        // authorization = (Authorization)
                        // request.getSession().getAttribute(HttpContext.AUTHORIZATION);
                        // if (authorization == null) {
@@ -82,6 +90,8 @@ public class HttpSessionLoginModule implements LoginModule {
                        if (sr.size() == 1) {
                                CmsSession cmsSession = bc.getService(sr.iterator().next());
                                authorization = cmsSession.getAuthorization();
+                               if (authorization.getName() == null)
+                                       authorization = null;// anonymous is not sufficient
                                if (log.isTraceEnabled())
                                        log.trace("Retrieved authorization from " + cmsSession);
                        } else if (sr.size() == 0)
@@ -93,35 +103,15 @@ public class HttpSessionLoginModule implements LoginModule {
                sharedState.put(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST, request);
                extractHttpAuth(request);
                extractClientCertificate(request);
-               if (authorization == null)
+               if (authorization == null) {
                        return false;
-               sharedState.put(CmsAuthUtils.SHARED_STATE_AUTHORIZATION, authorization);
-               return true;
+               } else {
+                       return true;
+               }
        }
 
        @Override
        public boolean commit() throws LoginException {
-               if(authorization!=null){
-                       CmsAuthUtils.addAuthorization(subject, authorization,request);
-//                     CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
-               }
-               
-               // TODO create CmsSession in another module
-//             Authorization authorizationToRegister;
-//             if (authorization == null) {
-//                     authorizationToRegister = (Authorization) sharedState.get(CmsAuthUtils.SHARED_STATE_AUTHORIZATION);
-//             }
-//             else { // this login module did the authorization
-//                     CmsAuthUtils.addAuthentication(subject, authorization);
-//                     authorizationToRegister = authorization;
-//             }
-//             if (authorizationToRegister == null) {
-//                     return false;
-//             }
-//             if (request == null)
-//                     return false;
-//             CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorizationToRegister);
-
                byte[] outToken = (byte[]) sharedState.get(CmsAuthUtils.SHARED_STATE_SPNEGO_OUT_TOKEN);
                if (outToken != null) {
                        response.setHeader(CmsAuthUtils.HEADER_WWW_AUTHENTICATE,
@@ -129,7 +119,7 @@ public class HttpSessionLoginModule implements LoginModule {
                }
 
                if (authorization != null) {
-                       // CmsAuthUtils.addAuthentication(subject, authorization);
+                       CmsAuthUtils.addAuthorization(subject, authorization, request.getLocale(), request);
                        cleanUp();
                        return true;
                } else {
@@ -151,7 +141,8 @@ public class HttpSessionLoginModule implements LoginModule {
 
        @Override
        public boolean logout() throws LoginException {
-               return CmsAuthUtils.logoutSession(bc, subject);
+               cleanUp();
+               return true;
        }
 
        private void extractHttpAuth(final HttpServletRequest httpRequest) {
@@ -184,14 +175,23 @@ public class HttpSessionLoginModule implements LoginModule {
                                }
                        }
                }
+
+               // auth token
+               // String mail = request.getParameter(LdapAttrs.mail.name());
+               // String authPassword = request.getParameter(LdapAttrs.authPassword.name());
+               // if (authPassword != null) {
+               // sharedState.put(CmsAuthUtils.SHARED_STATE_PWD, authPassword);
+               // if (mail != null)
+               // sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, mail);
+               // }
        }
 
-       private X509Certificate[] extractClientCertificate(HttpServletRequest req) {
+       private void extractClientCertificate(HttpServletRequest req) {
                X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
                if (null != certs && certs.length > 0) {
-                       return certs;
+                       sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certs[0].getSubjectX500Principal().getName());
+                       sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, certs);
                }
-               return null;
        }
 
 }