X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FCmsAuthUtils.java;h=dde2d73f50efffa23f6267d454e9b9c24f75de76;hb=4ccae1bf1714f7adbb69a4505f424e70f2c39698;hp=d50535eaefcedaa791f06b93342c94634f68b552;hpb=a5459b7f0a4ce0463b950efd5c776368fe169256;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
index d50535eae..dde2d73f5 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
@@ -19,6 +19,7 @@ import org.argeo.cms.CmsException;
 import org.argeo.cms.internal.auth.CmsSessionImpl;
 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 import org.argeo.cms.internal.http.WebCmsSessionImpl;
+import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.node.NodeConstants;
 import org.argeo.node.security.AnonymousPrincipal;
 import org.argeo.node.security.DataAdminPrincipal;
@@ -38,6 +39,7 @@ class CmsAuthUtils {
 final static String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request";
 final static String SHARED_STATE_SPNEGO_TOKEN = "org.argeo.cms.auth.spnegoToken";
 final static String SHARED_STATE_SPNEGO_OUT_TOKEN = "org.argeo.cms.auth.spnegoOutToken";
+ final static String SHARED_STATE_CERTIFICATE_CHAIN = "org.argeo.cms.auth.certificateChain";
 
 static void addAuthorization(Subject subject, Authorization authorization, Locale locale,
 HttpServletRequest request) {
@@ -48,6 +50,10 @@ class CmsAuthUtils {
 // required for display name:
 subject.getPrivateCredentials().add(authorization);
 
+ if (Activator.isSingleUser()) {
+ subject.getPrincipals().add(new DataAdminPrincipal());
+ }
+
 Set principals = subject.getPrincipals();
 try {
 String authName = authorization.getName();
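Review bot: SHARED_STATE_CERTIFICATE_CHAIN, added in the constants hunk at old line 38, comes with no documentation and is not referenced anywhere else in this diff, so a reader cannot tell which login module writes it or what value type is stored under that key. A short Javadoc such as `/** Shared-state key under which a login module publishes the client certificate chain. */` would state the contract; if the consumer lives outside this diff, name it in the comment.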
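Review bot: In the hunk at old line 48, the single-user grant of DataAdminPrincipal runs before the authorization name is inspected, so an authorization with a null name — which the branch in the next hunk appears to map to AnonymousPrincipal — also receives the administrative principal whenever Activator.isSingleUser() is true. If that is not intended, guard the grant with the name, e.g. `if (Activator.isSingleUser() && authorization.getName() != null) {`, or move it after the user principal is resolved. A one-line comment on why single-user mode implies data-admin rights would also help, as this is the only place in the diff that grants an administrative principal. addAuthorization starts before this hunk and continues past it.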
@@ -59,13 +65,13 @@ class CmsAuthUtils {
 name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
 userPrincipal = new AnonymousPrincipal();
 principals.add(userPrincipal);
- // principals.add(new AnonymousPrincipal());
 } else {
 name = new LdapName(authName);
 NodeSecurityUtils.checkUserName(name);
 userPrincipal = new X500Principal(name.toString());
 principals.add(userPrincipal);
- principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal));
+ // principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME,
+ // userPrincipal));
 }
 
 // Add roles provided by authorization
@@ -73,6 +79,8 @@ class CmsAuthUtils {
 LdapName roleName = new LdapName(role);
 if (roleName.equals(name)) {
 // skip
+ } else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) {
+ // skip
 } else {
 NodeSecurityUtils.checkImpliedPrincipalName(roleName);
 principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
@@ -85,7 +93,7 @@ class CmsAuthUtils {
 throw new CmsException("Cannot commit", e);
 }
 
- registerSessionAuthorization(request, subject, authorization, locale);
+ // registerSessionAuthorization(request, subject, authorization, locale);
 }
 
 private static void checkSubjectEmpty(Subject subject) {
@@ -113,7 +121,7 @@ class CmsAuthUtils {
 // subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
 }
 
- private synchronized static void registerSessionAuthorization(HttpServletRequest request, Subject subject,
+ synchronized static void registerSessionAuthorization(HttpServletRequest request, Subject subject,
 Authorization authorization, Locale locale) {
 // synchronized in order to avoid multiple registrations
 // TODO move it to a service in order to avoid static synchronization
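Review bot: In the hunk at old line 59, the implied ROLE_USER principal is commented out rather than deleted, and nothing says why authenticated users no longer receive it; since the same hunk removes the stale `// principals.add(new AnonymousPrincipal());` comment, the remaining commented-out call reads as an oversight. Delete the two comment lines and replace them with a why-comment along the lines of `// ROLE_USER is no longer implied here: <reason, which the diff does not state>`. Any code that checks the subject for ROLE_USER is affected by this change; the method starts before and continues past the hunk.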
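Review bot: In the hunk at old line 73, the new `else if` branch repeats the empty `// skip` body of the branch above it, so the two conditions can be folded into one: `if (roleName.equals(name) || roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) {`. Because the skip is silent, a comment saying why an anonymous role carried by the authorization is not mapped onto this subject would help the next reader. The enclosing loop begins before the hunk.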
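Review bot: In the hunk at old line 85, commenting out the registerSessionAuthorization call means addAuthorization no longer binds the subject to a CMS session, and the hunk at old line 113 widens registerSessionAuthorization to package visibility, which suggests callers are now expected to invoke it themselves; the diff does not document that contract anywhere. Delete the commented-out line and state the new responsibility in the Javadoc of addAuthorization, e.g. `Does not register a CMS session; callers handling an HTTP request must call registerSessionAuthorization afterwards.` Once that call is gone, the `request` and `locale` parameters of addAuthorization appear unused in the visible hunks — worth confirming against the rest of the method, which lies outside the diff.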
@@ -136,6 +144,9 @@ class CmsAuthUtils {
 throw new CmsException("Inconsistent user " + authorization.getName()
 + " for existing CMS session " + cmsSession);
 }
+ // keyring
+ if (cmsSession != null)
+ subject.getPrivateCredentials().addAll(cmsSession.getSecretKeys());
 } else {// anonymous
 if (cmsSession.getAuthorization().getName() != null) {
 cmsSession.close();
@@ -143,19 +154,21 @@ class CmsAuthUtils {
 cmsSession = null;
 }
 }
- }
-
- if (cmsSession == null)
+ } else if (cmsSession == null) {
 cmsSession = new WebCmsSessionImpl(subject, authorization, locale, request);
+ }
 // request.setAttribute(CmsSession.class.getName(), cmsSession);
- CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
- if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0)
- subject.getPrivateCredentials().add(nodeSessionId);
- else {
- UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid();
- // if (storedSessionId.equals(httpSessionId.getValue()))
- throw new CmsException(
- "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
+ if (cmsSession != null) {
+ CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
+ if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0)
+ subject.getPrivateCredentials().add(nodeSessionId);
+ else {
+ UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next()
+ .getUuid();
+ // if (storedSessionId.equals(httpSessionId.getValue()))
+ throw new CmsException(
+ "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
+ }
 }
 } else {
 // TODO desktop, CLI
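Review bot: In the hunk at old line 136, the added keyring lines guard `cmsSession` against null, while the `} else {// anonymous` branch two lines below dereferences `cmsSession.getAuthorization()` with no guard, so either the new check is unnecessary or the anonymous branch leaves the null case unhandled; where cmsSession is assigned is outside the hunk. The bare `// keyring` comment should say what is copied and why, e.g. `// keyring: expose the existing session's secret keys to this subject; the user check above ensures it is the same user`. Since secret keys now land in the subject's private credentials, it is worth confirming that the logout path, which is not in this diff, removes them.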
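Review bot: In the hunk at old line 143, once the anonymous branch has set `cmsSession = null`, the new `} else if (cmsSession == null) {` attached to the enclosing `if` is never reached, so no replacement WebCmsSessionImpl is created (the old code did this through the separate `if` the hunk removes) and the new `if (cmsSession != null)` guard then skips binding — such a subject leaves registerSessionAuthorization without any CmsSessionId. If that is intended, say so with a comment such as `// an anonymous subject replacing a closed user session gets no CMS session`; otherwise the creation has to stay outside the else-if chain. Minor: `size() == 0` reads better as `isEmpty()`, and the carried-over `// if (storedSessionId.equals(httpSessionId.getValue()))` comment refers to a variable this block does not use. The method continues past the hunk.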