Single user login does not create principal if Kerberos is available

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / SingleUserLoginModule.java

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java
index 4b36f28abb90f927df087b743f81c09852241319..cfffb6eea74e43a50dde96ff3e87e0288beb82b3 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java
@@ -7,6 +7,7 @@ import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.CredentialException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import javax.security.auth.x500.X500Principal;
@@ -35,8 +36,12 @@ public class SingleUserLoginModule implements LoginModule {
        @Override
        public boolean login() throws LoginException {
                String username = System.getProperty("user.name");
-               if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME))
-                       sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, username);
+               if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)
+                               && !username.equals(sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME)))
+                       throw new CredentialException(
+                                       "OS username already set with " + sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME));
+               if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME))
+                       sharedState.put(CmsAuthUtils.SHARED_STATE_OS_USERNAME, username);
                return true;
        }
 
@@ -49,7 +54,7 @@ public class SingleUserLoginModule implements LoginModule {
                        X500Principal principal = new X500Principal(userDn.toString());
                        authorizationName = principal.getName();
                } else {
-                       Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+                       Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME);
                        if (username == null)
                                throw new LoginException("No username available");
                        String hostname = CmsContextImpl.getCmsContext().getCmsState().getHostname();
@@ -64,8 +69,14 @@ public class SingleUserLoginModule implements LoginModule {
                        locale = request.getLocale();
                if (locale == null)
                        locale = Locale.getDefault();
-               Authorization authorization = new SingleUserAuthorization(authorizationName);
-               CmsAuthUtils.addAuthorization(subject, authorization);
+
+               Authorization authorization = null;
+               if (kerberosPrincipal != null) {
+                       authorization = new SingleUserAuthorization(authorizationName);
+                       CmsAuthUtils.addAuthorization(subject, authorization);
+               } else {
+                       // next step with user admin will properly populate
+               }
 
                // Add standard Java OS login
                OsUserUtils.loginAsSystemUser(subject);
@@ -76,7 +87,8 @@ public class SingleUserLoginModule implements LoginModule {
 //             principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal));
 //             principals.add(new DataAdminPrincipal());
 
-               CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
+               if (authorization != null)
+                       CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
 
                return true;
        }