Improve CMS session.

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / UserAdminLoginModule.java

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index c77a5929f868dd3d4a45788a51a40a59b938caed..7e95c951a3f8eb67f80f1970feda3712b5fcdbfb 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -43,13 +43,11 @@ public class UserAdminLoginModule implements LoginModule {
        private CallbackHandler callbackHandler;
        private Map<String, Object> sharedState = null;
 
-       // private boolean isAnonymous = false;
        private List<String> indexedUserProperties = Arrays
                        .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(), LdapAttrs.cn.name() });
 
        // private state
        private BundleContext bc;
-       // private Authorization authorization;
        private User authenticatedUser = null;
 
        @SuppressWarnings("unchecked")
@@ -59,13 +57,8 @@ public class UserAdminLoginModule implements LoginModule {
                this.subject = subject;
                try {
                        bc = FrameworkUtil.getBundle(UserAdminLoginModule.class).getBundleContext();
-                       assert bc != null;
-                       // this.subject = subject;
                        this.callbackHandler = callbackHandler;
                        this.sharedState = (Map<String, Object>) sharedState;
-                       // if (options.containsKey("anonymous"))
-                       // isAnonymous =
-                       // Boolean.parseBoolean(options.get("anonymous").toString());
                } catch (Exception e) {
                        throw new CmsException("Cannot initialize login module", e);
                }
@@ -73,16 +66,18 @@ public class UserAdminLoginModule implements LoginModule {
 
        @Override
        public boolean login() throws LoginException {
-               Authorization sharedAuth = (Authorization) sharedState.get(CmsAuthUtils.SHARED_STATE_AUTHORIZATION);
-               if (sharedAuth != null) {
-                       if (callbackHandler == null && sharedAuth.getName() != null)
-                               throw new LoginException("Shared authorization should be anonymous");
-                       return false;
-               }
+               // Authorization sharedAuth = (Authorization)
+               // sharedState.get(CmsAuthUtils.SHARED_STATE_AUTHORIZATION);
+               // if (sharedAuth != null) {
+               // if (callbackHandler == null && sharedAuth.getName() != null)
+               // throw new LoginException("Shared authorization should be anonymous");
+               // return false;
+               // }
                UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
                if (callbackHandler == null) {// anonymous
-//                     authorization = userAdmin.getAuthorization(null);
-//                     sharedState.put(CmsAuthUtils.SHARED_STATE_AUTHORIZATION, authorization);
+                       // authorization = userAdmin.getAuthorization(null);
+                       // sharedState.put(CmsAuthUtils.SHARED_STATE_AUTHORIZATION,
+                       // authorization);
                        return true;
                }
 
@@ -90,6 +85,7 @@ public class UserAdminLoginModule implements LoginModule {
                final char[] password;
                if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
+                       // NB: required by Basic http auth
                        username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
                        password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD);
                        // // TODO locale?
@@ -125,7 +121,6 @@ public class UserAdminLoginModule implements LoginModule {
                                password = passwordCallback.getPassword();
                        else
                                throw new CredentialNotFoundException("No credentials provided");
-                       // FIXME move Argeo specific convention from user admin to here
                }
 
                // User user = userAdmin.getUser(null, username);
@@ -136,49 +131,34 @@ public class UserAdminLoginModule implements LoginModule {
                if (!user.hasCredential(null, password))
                        throw new FailedLoginException("Invalid credentials");
                authenticatedUser = user;
-               // return false;
-
-               // Log and monitor new login
-               // if (log.isDebugEnabled())
-               // log.debug("Logged in to CMS with username [" + username +
-               // "]");
-
-               // authorization = userAdmin.getAuthorization(user);
-               // assert authorization != null;
-               //
-               // sharedState.put(CmsAuthUtils.SHARED_STATE_AUTHORIZATION,
-               // authorization);
                return true;
        }
 
        @Override
        public boolean commit() throws LoginException {
-               // if (authorization == null) {
-               // return false;
-               // // throw new LoginException("Authorization should not be null");
-               // } else {
-               // CmsAuthUtils.addAuthentication(subject, authorization);
-               // return true;
-               // }
                UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
-               Authorization authorization = null;
-               User authenticatingUser;
-               Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
-               if (kerberosPrincipals.isEmpty()) {
-                       if (callbackHandler == null) {
-                               authorization = userAdmin.getAuthorization(null);
-                       }
-                       if (authenticatedUser == null) {
-                               return false;
+               Authorization authorization;
+               if (callbackHandler == null) {// anonymous
+                       authorization = userAdmin.getAuthorization(null);
+               } else {
+                       User authenticatingUser;
+                       Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
+                       if (kerberosPrincipals.isEmpty()) {
+                               if (authenticatedUser == null) {
+                                       if (log.isTraceEnabled())
+                                               log.trace("Neither kerberos nor user admin login succeeded. Login failed.");
+                                       return false;
+                               } else {
+                                       authenticatingUser = authenticatedUser;
+                               }
                        } else {
-                               authenticatingUser = authenticatedUser;
+                               KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
+                               LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
+                               authenticatingUser = new AuthenticatingUser(dn);
+                               if (authenticatedUser != null && !authenticatingUser.getName().equals(authenticatedUser.getName()))
+                                       throw new LoginException("Kerberos login " + authenticatingUser.getName()
+                                                       + " is inconsistent with user admin login " + authenticatedUser.getName());
                        }
-               } else {
-                       KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
-                       LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
-                       authenticatingUser = new AuthenticatingUser(dn);
-               }
-               if (authorization == null)
                        authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
 
                                @Override
@@ -188,24 +168,29 @@ public class UserAdminLoginModule implements LoginModule {
                                }
 
                        });
-               if (authorization == null)
-                       return false;
-               CmsAuthUtils.addAuthentication(subject, authorization);
-               HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
-               if (request != null) {
-                       CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
+                       if (authorization == null)
+                               throw new LoginException(
+                                               "User admin found no authorization for authenticated user " + authenticatingUser.getName());
                }
+               // Log and monitor new login
+               CmsAuthUtils.addAuthorization(subject, authorization,
+                               (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST));
+               if (log.isDebugEnabled())
+                       log.debug("Logged in to CMS: " + subject);
                return true;
        }
 
        @Override
        public boolean abort() throws LoginException {
-//             authorization = null;
                return true;
        }
 
        @Override
        public boolean logout() throws LoginException {
+               if (log.isTraceEnabled())
+                       log.trace("Logging out from CMS... " + subject);
+               // boolean httpSessionLogoutOk = CmsAuthUtils.logoutSession(bc,
+               // subject);
                CmsAuthUtils.cleanUp(subject);
                return true;
        }