Support anonymous and http session in IPA mode

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / IpaLoginModule.java

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java
index 3ed4856196b65dc18c0b3ca3c7a7b880f0a0c39b..6cb6ab11de73eae41f2c6f6d59cbd923717fb506 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java
@@ -11,6 +11,7 @@ import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
+import javax.servlet.http.HttpServletRequest;
 
 import org.argeo.cms.CmsException;
 import org.argeo.naming.LdapAttrs;
@@ -22,11 +23,15 @@ import org.osgi.service.useradmin.UserAdmin;
 public class IpaLoginModule implements LoginModule {
        private BundleContext bc;
        private Subject subject;
+       private Map<String, Object> sharedState = null;
+       private CallbackHandler callbackHandler;
 
        @Override
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
                        Map<String, ?> options) {
                this.subject = subject;
+               this.sharedState = (Map<String, Object>) sharedState;
+               this.callbackHandler = callbackHandler;
                try {
                        bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
                        assert bc != null;
@@ -46,6 +51,8 @@ public class IpaLoginModule implements LoginModule {
                Authorization authorization = null;
                Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
                if (kerberosPrincipals.isEmpty()) {
+                       if(callbackHandler!=null)
+                               throw new LoginException("Cannot be anonymous if callback handler is set");
                        authorization = userAdmin.getAuthorization(null);
                } else {
                        KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
@@ -64,6 +71,10 @@ public class IpaLoginModule implements LoginModule {
                if (authorization == null)
                        return false;
                CmsAuthUtils.addAuthentication(subject, authorization);
+               HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
+               if (request != null) {
+                       CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
+               }
                return true;
        }
 
@@ -91,8 +102,7 @@ public class IpaLoginModule implements LoginModule {
 
        @Override
        public boolean logout() throws LoginException {
-               // TODO Auto-generated method stub
-               return false;
+               return CmsAuthUtils.logoutSession(bc, subject);
        }
 
 }