X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FCmsAuthUtils.java;h=54824e140763b07787ab8b8fef83153ad98243f2;hb=eb4324be6ac9cdff15828a21ee7d3f6ca2f19fb9;hp=1efb93afdd36b9ad1432f4976d4351c48dfa2277;hpb=ddc70245fe7413b7341205914c91015600726b4a;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java index 1efb93afd..54824e140 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java @@ -1,12 +1,20 @@ package org.argeo.cms.auth; +import static org.argeo.api.cms.CmsConstants.ROLE_ADMIN; +import static org.argeo.api.cms.CmsConstants.ROLE_ANONYMOUS; +import static org.argeo.api.cms.CmsConstants.ROLE_USER; +import static org.argeo.api.cms.CmsConstants.ROLE_USER_ADMIN; + import java.security.Principal; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; import java.util.Locale; import java.util.Set; import java.util.UUID; -import javax.naming.InvalidNameException; -import javax.naming.ldap.LdapName; +//import javax.naming.InvalidNameException; +//import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; @@ -18,7 +26,6 @@ import org.argeo.cms.internal.auth.CmsSessionImpl; import org.argeo.cms.internal.auth.ImpliedByPrincipal; import org.argeo.cms.internal.http.WebCmsSessionImpl; import org.argeo.cms.internal.runtime.CmsContextImpl; -import org.argeo.cms.security.NodeSecurityUtils; import org.argeo.osgi.useradmin.AuthenticatingUser; import org.osgi.service.http.HttpContext; import org.osgi.service.useradmin.Authorization; @@ -41,6 +48,9 @@ class CmsAuthUtils { final static String SINGLE_USER_LOCAL_ID = "single-user"; + private final static List RESERVED_ROLES = Collections + .unmodifiableList(Arrays.asList(new String[] { ROLE_ADMIN, ROLE_ANONYMOUS, ROLE_USER, ROLE_USER_ADMIN })); + static void addAuthorization(Subject subject, Authorization authorization) { assert subject != null; checkSubjectEmpty(subject); @@ -52,46 +62,46 @@ class CmsAuthUtils { boolean singleUser = authorization instanceof SingleUserAuthorization; Set principals = subject.getPrincipals(); - try { - String authName = authorization.getName(); - - // determine user's principal - final LdapName name; - final Principal userPrincipal; - if (authName == null) { - name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME; - userPrincipal = new AnonymousPrincipal(); - principals.add(userPrincipal); - } else { - name = new LdapName(authName); - NodeSecurityUtils.checkUserName(name); - userPrincipal = new X500Principal(name.toString()); - principals.add(userPrincipal); - - if (singleUser) { - principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_ADMIN_NAME, userPrincipal)); - principals.add(new DataAdminPrincipal()); - } +// try { + String authName = authorization.getName(); + + // determine user's principal +// final LdapName name; + final Principal userPrincipal; + if (authName == null) { +// name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME; + userPrincipal = new AnonymousPrincipal(); + principals.add(userPrincipal); + } else { +// name = new LdapName(authName); + checkUserName(authName); + userPrincipal = new X500Principal(authName.toString()); + principals.add(userPrincipal); + + if (singleUser) { + principals.add(new ImpliedByPrincipal(CmsConstants.ROLE_ADMIN, userPrincipal)); + principals.add(new DataAdminPrincipal()); } + } - // Add roles provided by authorization - for (String role : authorization.getRoles()) { - LdapName roleName = new LdapName(role); - if (roleName.equals(name)) { - // skip - } else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) { - // skip - } else { - NodeSecurityUtils.checkImpliedPrincipalName(roleName); - principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal)); - if (roleName.equals(NodeSecurityUtils.ROLE_ADMIN_NAME)) - principals.add(new DataAdminPrincipal()); - } + // Add roles provided by authorization + for (String role : authorization.getRoles()) { +// LdapName roleName = new LdapName(role); + if (role.equals(authName)) { + // skip + } else if (role.equals(CmsConstants.ROLE_ANONYMOUS)) { + // skip + } else { +// NodeSecurityUtils.checkImpliedPrincipalName(role); + principals.add(new ImpliedByPrincipal(role, userPrincipal)); + if (role.equals(CmsConstants.ROLE_ADMIN)) + principals.add(new DataAdminPrincipal()); } - - } catch (InvalidNameException e) { - throw new IllegalArgumentException("Cannot commit", e); } + +// } catch (InvalidNameException e) { +// throw new IllegalArgumentException("Cannot commit", e); +// } } private static void checkSubjectEmpty(Subject subject) { @@ -225,6 +235,11 @@ class CmsAuthUtils { return principals.iterator().next(); } + private static void checkUserName(String name) throws IllegalArgumentException { + if (RESERVED_ROLES.contains(name)) + throw new IllegalArgumentException(name + " is a reserved name"); + } + private CmsAuthUtils() { }