X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FNodeUserLoginModule.java;h=03dacef931fa55044b94d15f86f46f90bb766abe;hb=a847fccbcfed504b2526c137a46d1e0238c28cf5;hp=74fe4e421e747e0998b7e2763663ae0ab1be0f03;hpb=9dba7b01008499bdaf15c754190906d3200713fe;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java
index 74fe4e421..03dacef93 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java
@@ -1,116 +1,107 @@
 package org.argeo.cms.auth;
 
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
 import java.util.Map;
-import java.util.Set;
 
-import javax.naming.InvalidNameException;
-import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
-import javax.security.auth.x500.X500Principal;
 
-import org.apache.jackrabbit.core.security.AnonymousPrincipal;
-import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
-import org.argeo.cms.CmsException;
-import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 import org.osgi.service.useradmin.Authorization;
 
 public class NodeUserLoginModule implements LoginModule {
 	private Subject subject;
-
-	private final static LdapName ROLE_KERNEL_NAME, ROLE_ADMIN_NAME,
-			ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
-	private final static List<LdapName> RESERVED_ROLES;
-	private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
-	static {
-		try {
-			ROLE_KERNEL_NAME = new LdapName(AuthConstants.ROLE_KERNEL);
-			ROLE_ADMIN_NAME = new LdapName(AuthConstants.ROLE_ADMIN);
-			ROLE_USER_NAME = new LdapName(AuthConstants.ROLE_USER);
-			ROLE_ANONYMOUS_NAME = new LdapName(AuthConstants.ROLE_ANONYMOUS);
-			RESERVED_ROLES = Collections.unmodifiableList(Arrays
-					.asList(new LdapName[] { ROLE_KERNEL_NAME, ROLE_ADMIN_NAME,
-							ROLE_ANONYMOUS_NAME, ROLE_USER_NAME,
-							new LdapName(AuthConstants.ROLE_GROUP_ADMIN),
-							new LdapName(AuthConstants.ROLE_USER_ADMIN) }));
-			ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(
-					ROLE_ANONYMOUS_NAME.toString());
-		} catch (InvalidNameException e) {
-			throw new Error("Cannot initialize login module class", e);
-		}
-	}
-
-	private Authorization authorization;
-
+	private Map<String, Object> sharedState = null;
+
+//	private final static LdapName ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
+//	private final static List<LdapName> RESERVED_ROLES;
+//	private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
+//	static {
+//		try {
+//			// ROLE_KERNEL_NAME = new LdapName(AuthConstants.ROLE_KERNEL);
+//			ROLE_ADMIN_NAME = new LdapName(NodeConstants.ROLE_ADMIN);
+//			ROLE_USER_NAME = new LdapName(NodeConstants.ROLE_USER);
+//			ROLE_ANONYMOUS_NAME = new LdapName(NodeConstants.ROLE_ANONYMOUS);
+//			RESERVED_ROLES = Collections.unmodifiableList(Arrays.asList(new LdapName[] { ROLE_ADMIN_NAME,
+//					ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, new LdapName(AuthConstants.ROLE_GROUP_ADMIN),
+//					new LdapName(NodeConstants.ROLE_USER_ADMIN) }));
+//			ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(ROLE_ANONYMOUS_NAME.toString());
+//		} catch (InvalidNameException e) {
+//			throw new Error("Cannot initialize login module class", e);
+//		}
+//	}
+
+	// private Authorization authorization;
+
+	@SuppressWarnings("unchecked")
 	@Override
-	public void initialize(Subject subject, CallbackHandler callbackHandler,
-			Map<String, ?> sharedState, Map<String, ?> options) {
+	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
+			Map<String, ?> options) {
 		this.subject = subject;
+		this.sharedState = (Map<String, Object>) sharedState;
 	}
 
 	@Override
 	public boolean login() throws LoginException {
-		Iterator<Authorization> auth = subject.getPrivateCredentials(
-				Authorization.class).iterator();
-		if (!auth.hasNext())
-			return false;
-		authorization = auth.next();
+		// if (authorization == null)
+		// throw new FailedLoginException("No authorization available");
+		// Iterator<Authorization> auth = subject.getPrivateCredentials(
+		// Authorization.class).iterator();
+		// if (!auth.hasNext())
+		// throw new FailedLoginException("No authorization available");
+		// authorization = auth.next();
 		return true;
 	}
 
 	@Override
 	public boolean commit() throws LoginException {
-		if (authorization != null) {
-			Set<Principal> principals = subject.getPrincipals();
-			try {
-				String authName = authorization.getName();
-
-				// determine user's principal
-				final LdapName name;
-				final Principal userPrincipal;
-				if (authName == null) {
-					name = ROLE_ANONYMOUS_NAME;
-					userPrincipal = ROLE_ANONYMOUS_PRINCIPAL;
-					principals.add(userPrincipal);
-					principals.add(new AnonymousPrincipal());
-				} else {
-					name = new LdapName(authName);
-					checkUserName(name);
-					userPrincipal = new X500Principal(name.toString());
-					principals.add(userPrincipal);
-					principals.add(new ImpliedByPrincipal(ROLE_USER_NAME,
-							userPrincipal));
-				}
-
-				// Add roles provided by authorization
-				for (String role : authorization.getRoles()) {
-					LdapName roleName = new LdapName(role);
-					if (roleName.equals(name)) {
-						// skip
-					} else {
-						checkImpliedPrincipalName(roleName);
-						principals.add(new ImpliedByPrincipal(roleName
-								.toString(), userPrincipal));
-						if (roleName.equals(ROLE_ADMIN_NAME))
-							principals.add(new AdminPrincipal(
-									SecurityConstants.ADMIN_ID));
-					}
-				}
-
-				return true;
-			} catch (InvalidNameException e) {
-				throw new CmsException("Cannot commit", e);
-			}
-		} else
-			return false;
+		Authorization authorization = (Authorization) sharedState.get(CmsAuthUtils.SHARED_STATE_AUTHORIZATION);
+		if (authorization == null)
+			throw new LoginException("Authorization should not be null");
+		CmsAuthUtils.addAuthentication(subject, authorization);
+		return true;
+		// // required for display name:
+		// subject.getPrivateCredentials().add(authorization);
+		//
+		// Set<Principal> principals = subject.getPrincipals();
+		// try {
+		// String authName = authorization.getName();
+		//
+		// // determine user's principal
+		// final LdapName name;
+		// final Principal userPrincipal;
+		// if (authName == null) {
+		// name = ROLE_ANONYMOUS_NAME;
+		// userPrincipal = ROLE_ANONYMOUS_PRINCIPAL;
+		// principals.add(userPrincipal);
+		// principals.add(new AnonymousPrincipal());
+		// } else {
+		// name = new LdapName(authName);
+		// checkUserName(name);
+		// userPrincipal = new X500Principal(name.toString());
+		// principals.add(userPrincipal);
+		// principals.add(new ImpliedByPrincipal(ROLE_USER_NAME,
+		// userPrincipal));
+		// }
+		//
+		// // Add roles provided by authorization
+		// for (String role : authorization.getRoles()) {
+		// LdapName roleName = new LdapName(role);
+		// if (roleName.equals(name)) {
+		// // skip
+		// } else {
+		// checkImpliedPrincipalName(roleName);
+		// principals.add(new ImpliedByPrincipal(roleName.toString(),
+		// userPrincipal));
+		// if (roleName.equals(ROLE_ADMIN_NAME))
+		// principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
+		// }
+		// }
+		//
+		// return true;
+		// } catch (InvalidNameException e) {
+		// throw new CmsException("Cannot commit", e);
+		// }
 	}
 
 	@Override
@@ -121,36 +112,28 @@ public class NodeUserLoginModule implements LoginModule {
 
 	@Override
 	public boolean logout() throws LoginException {
-		// TODO better deal with successive logout
 		if (subject == null)
-			return true;
-		// TODO make it less brutal
-		subject.getPrincipals().removeAll(
-				subject.getPrincipals(X500Principal.class));
-		subject.getPrincipals().removeAll(
-				subject.getPrincipals(ImpliedByPrincipal.class));
-		subject.getPrincipals().removeAll(
-				subject.getPrincipals(AdminPrincipal.class));
-		subject.getPrincipals().removeAll(
-				subject.getPrincipals(AnonymousPrincipal.class));
+			throw new LoginException("Subject should not be null");
+		// Clean up principals
+		CmsAuthUtils.cleanUp(subject);
+		// Clean up private credentials
+		subject.getPrivateCredentials().clear();
 		cleanUp();
 		return true;
 	}
 
 	private void cleanUp() {
 		subject = null;
-		authorization = null;
+		// authorization = null;
 	}
 
-	private void checkUserName(LdapName name) {
-		if (RESERVED_ROLES.contains(name))
-			throw new CmsException(name + " is a reserved name");
-	}
-
-	private void checkImpliedPrincipalName(LdapName roleName) {
-		if (ROLE_USER_NAME.equals(roleName)
-				|| ROLE_ANONYMOUS_NAME.equals(roleName)
-				|| ROLE_KERNEL_NAME.equals(roleName))
-			throw new CmsException(roleName + " cannot be listed as role");
-	}
+//	private void checkUserName(LdapName name) {
+//		if (RESERVED_ROLES.contains(name))
+//			throw new CmsException(name + " is a reserved name");
+//	}
+//
+//	private void checkImpliedPrincipalName(LdapName roleName) {
+//		if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
+//			throw new CmsException(roleName + " cannot be listed as role");
+//	}
 }