Make client certificate authorization more robust

[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / UserAdminLoginModule.java

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index 83accceb4d6f1047a6a4eb9ba11b120a2f40db13..ad9eb24c52ac912c32f9568ca956f19869123405 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -5,7 +5,6 @@ import static org.argeo.naming.LdapAttrs.description;
 
 import java.io.IOException;
 import java.security.PrivilegedAction;
-import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -14,7 +13,6 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 
-import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
@@ -86,7 +84,7 @@ public class UserAdminLoginModule implements LoginModule {
                UserAdmin userAdmin = Activator.getUserAdmin();
                final String username;
                final char[] password;
-               X509Certificate[] certificateChain = null;
+               Object certificateChain = null;
                if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
                        // NB: required by Basic http auth
@@ -95,16 +93,17 @@ public class UserAdminLoginModule implements LoginModule {
                        // // TODO locale?
                } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) {
-                       String certificateName = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
-                       LdapName ldapName;
-                       try {
-                               ldapName = new LdapName(certificateName);
-                       } catch (InvalidNameException e) {
-                               e.printStackTrace();
-                               return false;
-                       }
-                       username = ldapName.getRdn(ldapName.size()-1).getValue().toString();
-                       certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+                       String certDn = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+//                     LdapName ldapName;
+//                     try {
+//                             ldapName = new LdapName(certificateName);
+//                     } catch (InvalidNameException e) {
+//                             e.printStackTrace();
+//                             return false;
+//                     }
+//                     username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
+                       username = certDn;
+                       certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
                        password = null;
                } else if (singleUser) {
                        username = OsUserUtils.getOsUsername();