X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FCmsAuthUtils.java;h=461080295ccc4d298228069ae3bbcf1f8e5df32d;hb=a547404b8d6e7943f912a3bb9c2b65caea5b5bfe;hp=63936c89754a1a81b2d2b222c557e43823fc0f3c;hpb=e01be1347b84f99eb1e4a1c0e9829cfe7fbd89f9;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java index 63936c897..461080295 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java @@ -1,32 +1,54 @@ package org.argeo.cms.auth; import java.security.Principal; +import java.util.Collection; import java.util.Set; +import java.util.UUID; import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpSession; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; //import org.apache.jackrabbit.core.security.AnonymousPrincipal; //import org.apache.jackrabbit.core.security.SecurityConstants; //import org.apache.jackrabbit.core.security.principal.AdminPrincipal; import org.argeo.cms.CmsException; +import org.argeo.cms.internal.auth.CmsSessionImpl; import org.argeo.cms.internal.auth.ImpliedByPrincipal; +import org.argeo.cms.internal.http.WebCmsSessionImpl; import org.argeo.node.security.AnonymousPrincipal; import org.argeo.node.security.DataAdminPrincipal; import org.argeo.node.security.NodeSecurityUtils; +import org.osgi.framework.BundleContext; +import org.osgi.framework.InvalidSyntaxException; +import org.osgi.framework.ServiceReference; +import org.osgi.service.http.HttpContext; import org.osgi.service.useradmin.Authorization; class CmsAuthUtils { + private final static Log log = LogFactory.getLog(CmsAuthUtils.class); + + /** Shared HTTP request */ + final static String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request"; /** From org.osgi.service.http.HttpContext */ - static final String SHARED_STATE_AUTHORIZATION = "org.osgi.service.useradmin.authorization"; + final static String SHARED_STATE_AUTHORIZATION = "org.osgi.service.useradmin.authorization"; /** From com.sun.security.auth.module.*LoginModule */ - static final String SHARED_STATE_NAME = "javax.security.auth.login.name"; + final static String SHARED_STATE_NAME = "javax.security.auth.login.name"; /** From com.sun.security.auth.module.*LoginModule */ - static final String SHARED_STATE_PWD = "javax.security.auth.login.password"; + final static String SHARED_STATE_PWD = "javax.security.auth.login.password"; + + final static String SHARED_STATE_SPNEGO_TOKEN = "org.argeo.cms.auth.spnegoToken"; + final static String SHARED_STATE_SPNEGO_OUT_TOKEN = "org.argeo.cms.auth.spnegoOutToken"; + + final static String HEADER_AUTHORIZATION = "Authorization"; + final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate"; - static void addAuthentication(Subject subject, Authorization authorization) { + static void addAuthorization(Subject subject, Authorization authorization, HttpServletRequest request) { assert subject != null; checkSubjectEmpty(subject); assert authorization != null; @@ -70,6 +92,8 @@ class CmsAuthUtils { } catch (InvalidNameException e) { throw new CmsException("Cannot commit", e); } + + registerSessionAuthorization(request, subject, authorization); } private static void checkSubjectEmpty(Subject subject) { @@ -99,7 +123,74 @@ class CmsAuthUtils { // public static final String SHARED_STATE_PASSWORD = // "javax.security.auth.login.password"; + private static void registerSessionAuthorization(HttpServletRequest request, Subject subject, + Authorization authorization) { + if (request != null) { + HttpSession httpSession = request.getSession(); + String httpSessId = httpSession.getId(); + if (authorization.getName() != null) { + request.setAttribute(HttpContext.REMOTE_USER, authorization.getName()); + request.setAttribute(HttpContext.AUTHORIZATION, authorization); + + CmsSession cmsSession = CmsSessionImpl.getByLocalId(httpSessId); + if (cmsSession == null) + cmsSession = new WebCmsSessionImpl(subject, authorization, httpSessId); + request.setAttribute(CmsSession.class.getName(), cmsSession); + CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid()); + if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0) + subject.getPrivateCredentials().add(nodeSessionId); + else { + UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next() + .getUuid(); + // if (storedSessionId.equals(httpSessionId.getValue())) + throw new CmsException( + "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")"); + } + } + } else { + // TODO desktop, CLI + } + } + + static boolean logoutSession(BundleContext bc, Subject subject) { + UUID nodeSessionId; + if (subject.getPrivateCredentials(CmsSessionId.class).size() == 1) + nodeSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid(); + else + return false; + Collection> srs; + try { + srs = bc.getServiceReferences(CmsSession.class, "(" + CmsSession.SESSION_UUID + "=" + nodeSessionId + ")"); + } catch (InvalidSyntaxException e) { + throw new CmsException("Cannot retrieve CMS session #" + nodeSessionId, e); + } + + if (srs.size() == 0) { + if (log.isTraceEnabled()) + log.warn("No CMS web session found for http session " + nodeSessionId); + return false; + } else if (srs.size() > 1) + throw new CmsException(srs.size() + " CMS web sessions found for http session " + nodeSessionId); + + WebCmsSessionImpl cmsSession = (WebCmsSessionImpl) bc.getService(srs.iterator().next()); + cmsSession.cleanUp(); + subject.getPrivateCredentials().removeAll(subject.getPrivateCredentials(CmsSessionId.class)); + if (log.isDebugEnabled()) + log.debug("Cleaned up " + cmsSession); + return true; + } + + public static T getSinglePrincipal(Subject subject, Class clss) { + Set principals = subject.getPrincipals(clss); + if (principals.isEmpty()) + return null; + if (principals.size() > 1) + throw new IllegalStateException("Only one " + clss + " principal expected in " + subject); + return principals.iterator().next(); + } + private CmsAuthUtils() { } + }