X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FCmsAuthUtils.java;h=9e00ed458ac0011480f034589e3297b8e89eb7c5;hb=4e548693acc16f97b74eaaa95d6841054a172b85;hp=1efb93afdd36b9ad1432f4976d4351c48dfa2277;hpb=da9d144b6b241e1526a3bd255dff905a7969a5bc;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java index 1efb93afd..9e00ed458 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java @@ -1,12 +1,20 @@ package org.argeo.cms.auth; +import static org.argeo.api.cms.CmsConstants.ROLE_ADMIN; +import static org.argeo.api.cms.CmsConstants.ROLE_ANONYMOUS; +import static org.argeo.api.cms.CmsConstants.ROLE_USER; +import static org.argeo.api.cms.CmsConstants.ROLE_USER_ADMIN; + import java.security.Principal; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; import java.util.Locale; import java.util.Set; import java.util.UUID; -import javax.naming.InvalidNameException; -import javax.naming.ldap.LdapName; +//import javax.naming.InvalidNameException; +//import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; @@ -18,9 +26,7 @@ import org.argeo.cms.internal.auth.CmsSessionImpl; import org.argeo.cms.internal.auth.ImpliedByPrincipal; import org.argeo.cms.internal.http.WebCmsSessionImpl; import org.argeo.cms.internal.runtime.CmsContextImpl; -import org.argeo.cms.security.NodeSecurityUtils; import org.argeo.osgi.useradmin.AuthenticatingUser; -import org.osgi.service.http.HttpContext; import org.osgi.service.useradmin.Authorization; /** Centralises security related registrations. */ @@ -41,6 +47,9 @@ class CmsAuthUtils { final static String SINGLE_USER_LOCAL_ID = "single-user"; + private final static List RESERVED_ROLES = Collections + .unmodifiableList(Arrays.asList(new String[] { ROLE_ADMIN, ROLE_ANONYMOUS, ROLE_USER, ROLE_USER_ADMIN })); + static void addAuthorization(Subject subject, Authorization authorization) { assert subject != null; checkSubjectEmpty(subject); @@ -52,46 +61,46 @@ class CmsAuthUtils { boolean singleUser = authorization instanceof SingleUserAuthorization; Set principals = subject.getPrincipals(); - try { - String authName = authorization.getName(); - - // determine user's principal - final LdapName name; - final Principal userPrincipal; - if (authName == null) { - name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME; - userPrincipal = new AnonymousPrincipal(); - principals.add(userPrincipal); - } else { - name = new LdapName(authName); - NodeSecurityUtils.checkUserName(name); - userPrincipal = new X500Principal(name.toString()); - principals.add(userPrincipal); - - if (singleUser) { - principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_ADMIN_NAME, userPrincipal)); - principals.add(new DataAdminPrincipal()); - } +// try { + String authName = authorization.getName(); + + // determine user's principal +// final LdapName name; + final Principal userPrincipal; + if (authName == null) { +// name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME; + userPrincipal = new AnonymousPrincipal(); + principals.add(userPrincipal); + } else { +// name = new LdapName(authName); + checkUserName(authName); + userPrincipal = new X500Principal(authName.toString()); + principals.add(userPrincipal); + + if (singleUser) { + principals.add(new ImpliedByPrincipal(CmsConstants.ROLE_ADMIN, userPrincipal)); + principals.add(new DataAdminPrincipal()); } + } - // Add roles provided by authorization - for (String role : authorization.getRoles()) { - LdapName roleName = new LdapName(role); - if (roleName.equals(name)) { - // skip - } else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) { - // skip - } else { - NodeSecurityUtils.checkImpliedPrincipalName(roleName); - principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal)); - if (roleName.equals(NodeSecurityUtils.ROLE_ADMIN_NAME)) - principals.add(new DataAdminPrincipal()); - } + // Add roles provided by authorization + for (String role : authorization.getRoles()) { +// LdapName roleName = new LdapName(role); + if (role.equals(authName)) { + // skip + } else if (role.equals(CmsConstants.ROLE_ANONYMOUS)) { + // skip + } else { +// NodeSecurityUtils.checkImpliedPrincipalName(role); + principals.add(new ImpliedByPrincipal(role, userPrincipal)); + if (role.equals(CmsConstants.ROLE_ADMIN)) + principals.add(new DataAdminPrincipal()); } - - } catch (InvalidNameException e) { - throw new IllegalArgumentException("Cannot commit", e); } + +// } catch (InvalidNameException e) { +// throw new IllegalArgumentException("Cannot commit", e); +// } } private static void checkSubjectEmpty(Subject subject) { @@ -130,8 +139,8 @@ class CmsAuthUtils { String httpSessId = httpSession.getId(); boolean anonymous = authorization.getName() == null; String remoteUser = !anonymous ? authorization.getName() : CmsConstants.ROLE_ANONYMOUS; - request.setAttribute(HttpContext.REMOTE_USER, remoteUser); - request.setAttribute(HttpContext.AUTHORIZATION, authorization); + request.setAttribute(RemoteAuthRequest.REMOTE_USER, remoteUser); + request.setAttribute(RemoteAuthRequest.AUTHORIZATION, authorization); CmsSessionImpl cmsSession; CmsSessionImpl currentLocalSession = CmsContextImpl.getCmsContext().getCmsSessionByLocalId(httpSessId); @@ -150,8 +159,10 @@ class CmsAuthUtils { } else { // keep current session cmsSession = currentLocalSession; - // keyring - subject.getPrivateCredentials().addAll(cmsSession.getSecretKeys()); + // credentials + // TODO control it more?? + subject.getPrivateCredentials().addAll(cmsSession.getSubject().getPrivateCredentials()); + subject.getPublicCredentials().addAll(cmsSession.getSubject().getPublicCredentials()); } } else {// anonymous if (!currentLocalSessionAnonymous) { @@ -177,9 +188,9 @@ class CmsAuthUtils { subject.getPrivateCredentials().add(nodeSessionId); } else { UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid(); - // if (storedSessionId.equals(httpSessionId.getValue())) - throw new IllegalStateException( - "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")"); + if (!storedSessionId.equals(nodeSessionId.getUuid())) + throw new IllegalStateException( + "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")"); } } else { CmsSessionImpl cmsSession = CmsContextImpl.getCmsContext().getCmsSessionByLocalId(SINGLE_USER_LOCAL_ID); @@ -225,6 +236,11 @@ class CmsAuthUtils { return principals.iterator().next(); } + private static void checkUserName(String name) throws IllegalArgumentException { + if (RESERVED_ROLES.contains(name)) + throw new IllegalArgumentException(name + " is a reserved name"); + } + private CmsAuthUtils() { }