X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FHttpSessionLoginModule.java;h=8cc3941bc191b9b883306706f0d95f0ee8361fad;hb=7064547ae5d85225546f1b8f15d6b5c82f30fe22;hp=48220a86876b7db2b3092ad9395757cc648514c5;hpb=715f6820660b91d532e3bd75a53786267066e1a7;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
index 48220a868..8cc3941bc 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
@@ -3,7 +3,6 @@ package org.argeo.cms.auth;
 import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
-import java.util.Collection;
 import java.util.Locale;
 import java.util.Map;
 import java.util.StringTokenizer;
@@ -14,20 +13,17 @@ import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.auth.CmsSessionImpl;
+import org.argeo.cms.internal.kernel.Activator;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
-import org.osgi.framework.InvalidSyntaxException;
-import org.osgi.framework.ServiceReference;
 import org.osgi.service.http.HttpContext;
 import org.osgi.service.useradmin.Authorization;
 
+/** Use the HTTP session as the basis for authentication. */
 public class HttpSessionLoginModule implements LoginModule {
 	private final static Log log = LogFactory.getLog(HttpSessionLoginModule.class);
 
@@ -35,8 +31,8 @@ public class HttpSessionLoginModule implements LoginModule {
 	private CallbackHandler callbackHandler = null;
 	private Map<String, Object> sharedState = null;
 
-	private HttpServletRequest request = null;
-	private HttpServletResponse response = null;
+	private HttpRequest request = null;
+	private HttpResponse response = null;
 
 	private BundleContext bc;
 
@@ -67,48 +63,54 @@ public class HttpSessionLoginModule implements LoginModule {
 			return false;
 		}
 		request = httpCallback.getRequest();
-		if (request == null)
-			return false;
-		authorization = (Authorization) request.getAttribute(HttpContext.AUTHORIZATION);
-		if (authorization == null) {// search by session ID
-			HttpSession httpSession = request.getSession(false);
-			if (httpSession == null) {
-				// TODO make sure this is always safe
-				if (log.isTraceEnabled())
-					log.trace("Create http session");
-				httpSession = request.getSession(true);
-			}
+		if (request == null) {
+			HttpSession httpSession = httpCallback.getHttpSession();
+			if (httpSession == null)
+				return false;
+			// TODO factorize with below
 			String httpSessionId = httpSession.getId();
-			// authorization = (Authorization)
-			// request.getSession().getAttribute(HttpContext.AUTHORIZATION);
-			// if (authorization == null) {
-			Collection<ServiceReference<CmsSession>> sr;
-			try {
-				sr = bc.getServiceReferences(CmsSession.class,
-						"(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessionId + ")");
-			} catch (InvalidSyntaxException e) {
-				throw new CmsException("Cannot get CMS session for id " + httpSessionId, e);
-			}
-			if (sr.size() == 1) {
-				CmsSession cmsSession = bc.getService(sr.iterator().next());
-				locale = cmsSession.getLocale();
+//			if (log.isTraceEnabled())
+//				log.trace("HTTP login: " + request.getPathInfo() + " #" + httpSessionId);
+			CmsSessionImpl cmsSession = CmsAuthUtils.cmsSessionFromHttpSession(bc, httpSessionId);
+			if (cmsSession != null) {
 				authorization = cmsSession.getAuthorization();
-				if (authorization.getName() == null)
-					authorization = null;// anonymous is not sufficient
+				locale = cmsSession.getLocale();
 				if (log.isTraceEnabled())
 					log.trace("Retrieved authorization from " + cmsSession);
-			} else if (sr.size() == 0)
-				authorization = null;
-			else
-				throw new CmsException(sr.size() + ">1 web sessions detected for http session " + httpSessionId);
-
+			}
+		} else {
+			authorization = (Authorization) request.getAttribute(HttpContext.AUTHORIZATION);
+			if (authorization == null) {// search by session ID
+				HttpSession httpSession = request.getSession();
+				if (httpSession == null) {
+					// TODO make sure this is always safe
+					if (log.isTraceEnabled())
+						log.trace("Create http session");
+					httpSession = request.createSession();
+				}
+				String httpSessionId = httpSession.getId();
+//				if (log.isTraceEnabled())
+//					log.trace("HTTP login: " + request.getPathInfo() + " #" + httpSessionId);
+				CmsSessionImpl cmsSession = CmsAuthUtils.cmsSessionFromHttpSession(bc, httpSessionId);
+				if (cmsSession != null) {
+					authorization = cmsSession.getAuthorization();
+					locale = cmsSession.getLocale();
+					if (log.isTraceEnabled())
+						log.trace("Retrieved authorization from " + cmsSession);
+				}
+			}
+			sharedState.put(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST, request);
+			extractHttpAuth(request);
+			extractClientCertificate(request);
 		}
-		sharedState.put(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST, request);
-		extractHttpAuth(request);
-		extractClientCertificate(request);
 		if (authorization == null) {
+			if (log.isTraceEnabled())
+				log.trace("HTTP login: " + false);
 			return false;
 		} else {
+			if (log.isTraceEnabled())
+				log.trace("HTTP login: " + true);
+			request.setAttribute(HttpContext.AUTHORIZATION, authorization);
 			return true;
 		}
 	}
@@ -123,10 +125,11 @@ public class HttpSessionLoginModule implements LoginModule {
 
 		if (authorization != null) {
 			// Locale locale = request.getLocale();
-			if (locale == null)
+			if (locale == null && request != null)
 				locale = request.getLocale();
-			subject.getPublicCredentials().add(locale);
-			CmsAuthUtils.addAuthorization(subject, authorization, locale, request);
+			if (locale != null)
+				subject.getPublicCredentials().add(locale);
+			CmsAuthUtils.addAuthorization(subject, authorization);
 			CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
 			cleanUp();
 			return true;
@@ -153,8 +156,12 @@ public class HttpSessionLoginModule implements LoginModule {
 		return true;
 	}
 
-	private void extractHttpAuth(final HttpServletRequest httpRequest) {
+	private void extractHttpAuth(final HttpRequest httpRequest) {
 		String authHeader = httpRequest.getHeader(CmsAuthUtils.HEADER_AUTHORIZATION);
+		extractHttpAuth(authHeader);
+	}
+
+	private void extractHttpAuth(String authHeader) {
 		if (authHeader != null) {
 			StringTokenizer st = new StringTokenizer(authHeader);
 			if (st.hasMoreTokens()) {
@@ -172,10 +179,10 @@ public class HttpSessionLoginModule implements LoginModule {
 							sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, login);
 							sharedState.put(CmsAuthUtils.SHARED_STATE_PWD, password);
 						} else {
-							throw new CmsException("Invalid authentication token");
+							throw new IllegalStateException("Invalid authentication token");
 						}
 					} catch (Exception e) {
-						throw new CmsException("Couldn't retrieve authentication", e);
+						throw new IllegalStateException("Couldn't retrieve authentication", e);
 					}
 				} else if (basic.equalsIgnoreCase("Negotiate")) {
 					String spnegoToken = st.nextToken();
@@ -196,18 +203,25 @@ public class HttpSessionLoginModule implements LoginModule {
 		// }
 	}
 
-	private void extractClientCertificate(HttpServletRequest req) {
+	private void extractClientCertificate(HttpRequest req) {
 		X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
-		if (null != certs && certs.length > 0) {
-			sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certs[0].getSubjectX500Principal().getName());
+		if (null != certs && certs.length > 0) {// Servlet container verified the client certificate
+			String certDn = certs[0].getSubjectX500Principal().getName();
+			sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certDn);
 			sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, certs);
-		} else {
-			// When client has been verified by reverse proxy
-			String certDn = req.getHeader("SSL_CLIENT_S_DN");
-			if (certDn != null) {
+			if (log.isDebugEnabled())
+				log.debug("Client certificate " + certDn + " verified by servlet container");
+		} // Reverse proxy verified the client certificate
+		String clientDnHttpHeader = Activator.getHttpProxySslHeader();
+		if (clientDnHttpHeader != null) {
+			String certDn = req.getHeader(clientDnHttpHeader);
+			// TODO retrieve more cf. https://httpd.apache.org/docs/current/mod/mod_ssl.html
+			// String issuerDn = req.getHeader("SSL_CLIENT_I_DN");
+			if (certDn != null && !certDn.trim().equals("(null)")) {
 				sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certDn);
-				String issuerDn = req.getHeader("SSL_CLIENT_I_DN");
-				sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, issuerDn);
+				sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, "");
+				if (log.isDebugEnabled())
+					log.debug("Client certificate " + certDn + " verified by reverse proxy");
 			}
 		}
 	}