X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FNodeUserLoginModule.java;h=a4b7498da99a5319ab8646df247acf8d6053bb73;hb=029a84fb1a01e9877736db2693b8a3013b1e72a1;hp=74fe4e421e747e0998b7e2763663ae0ab1be0f03;hpb=9dba7b01008499bdaf15c754190906d3200713fe;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java index 74fe4e421..a4b7498da 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java @@ -3,7 +3,6 @@ package org.argeo.cms.auth; import java.security.Principal; import java.util.Arrays; import java.util.Collections; -import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; @@ -12,6 +11,7 @@ import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.login.FailedLoginException; import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; import javax.security.auth.x500.X500Principal; @@ -23,11 +23,11 @@ import org.argeo.cms.CmsException; import org.argeo.cms.internal.auth.ImpliedByPrincipal; import org.osgi.service.useradmin.Authorization; -public class NodeUserLoginModule implements LoginModule { +public class NodeUserLoginModule implements LoginModule, AuthConstants { private Subject subject; + private Map sharedState = null; - private final static LdapName ROLE_KERNEL_NAME, ROLE_ADMIN_NAME, - ROLE_ANONYMOUS_NAME, ROLE_USER_NAME; + private final static LdapName ROLE_KERNEL_NAME, ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME; private final static List RESERVED_ROLES; private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL; static { @@ -36,13 +36,10 @@ public class NodeUserLoginModule implements LoginModule { ROLE_ADMIN_NAME = new LdapName(AuthConstants.ROLE_ADMIN); ROLE_USER_NAME = new LdapName(AuthConstants.ROLE_USER); ROLE_ANONYMOUS_NAME = new LdapName(AuthConstants.ROLE_ANONYMOUS); - RESERVED_ROLES = Collections.unmodifiableList(Arrays - .asList(new LdapName[] { ROLE_KERNEL_NAME, ROLE_ADMIN_NAME, - ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, - new LdapName(AuthConstants.ROLE_GROUP_ADMIN), - new LdapName(AuthConstants.ROLE_USER_ADMIN) })); - ROLE_ANONYMOUS_PRINCIPAL = new X500Principal( - ROLE_ANONYMOUS_NAME.toString()); + RESERVED_ROLES = Collections.unmodifiableList(Arrays.asList(new LdapName[] { ROLE_KERNEL_NAME, + ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, new LdapName(AuthConstants.ROLE_GROUP_ADMIN), + new LdapName(AuthConstants.ROLE_USER_ADMIN) })); + ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(ROLE_ANONYMOUS_NAME.toString()); } catch (InvalidNameException e) { throw new Error("Cannot initialize login module class", e); } @@ -50,67 +47,71 @@ public class NodeUserLoginModule implements LoginModule { private Authorization authorization; + @SuppressWarnings("unchecked") @Override - public void initialize(Subject subject, CallbackHandler callbackHandler, - Map sharedState, Map options) { + public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, + Map options) { this.subject = subject; + this.sharedState = (Map) sharedState; } @Override public boolean login() throws LoginException { - Iterator auth = subject.getPrivateCredentials( - Authorization.class).iterator(); - if (!auth.hasNext()) - return false; - authorization = auth.next(); + authorization = (Authorization) sharedState.get(SHARED_STATE_AUTHORIZATION); + if (authorization == null) + throw new FailedLoginException("No authorization available"); + // Iterator auth = subject.getPrivateCredentials( + // Authorization.class).iterator(); + // if (!auth.hasNext()) + // throw new FailedLoginException("No authorization available"); + // authorization = auth.next(); return true; } @Override public boolean commit() throws LoginException { - if (authorization != null) { - Set principals = subject.getPrincipals(); - try { - String authName = authorization.getName(); - - // determine user's principal - final LdapName name; - final Principal userPrincipal; - if (authName == null) { - name = ROLE_ANONYMOUS_NAME; - userPrincipal = ROLE_ANONYMOUS_PRINCIPAL; - principals.add(userPrincipal); - principals.add(new AnonymousPrincipal()); - } else { - name = new LdapName(authName); - checkUserName(name); - userPrincipal = new X500Principal(name.toString()); - principals.add(userPrincipal); - principals.add(new ImpliedByPrincipal(ROLE_USER_NAME, - userPrincipal)); - } + if (authorization == null) + throw new LoginException("Authorization should not be null"); + // required for display name: + subject.getPrivateCredentials().add(authorization); - // Add roles provided by authorization - for (String role : authorization.getRoles()) { - LdapName roleName = new LdapName(role); - if (roleName.equals(name)) { - // skip - } else { - checkImpliedPrincipalName(roleName); - principals.add(new ImpliedByPrincipal(roleName - .toString(), userPrincipal)); - if (roleName.equals(ROLE_ADMIN_NAME)) - principals.add(new AdminPrincipal( - SecurityConstants.ADMIN_ID)); - } - } + Set principals = subject.getPrincipals(); + try { + String authName = authorization.getName(); + + // determine user's principal + final LdapName name; + final Principal userPrincipal; + if (authName == null) { + name = ROLE_ANONYMOUS_NAME; + userPrincipal = ROLE_ANONYMOUS_PRINCIPAL; + principals.add(userPrincipal); + principals.add(new AnonymousPrincipal()); + } else { + name = new LdapName(authName); + checkUserName(name); + userPrincipal = new X500Principal(name.toString()); + principals.add(userPrincipal); + principals.add(new ImpliedByPrincipal(ROLE_USER_NAME, userPrincipal)); + } - return true; - } catch (InvalidNameException e) { - throw new CmsException("Cannot commit", e); + // Add roles provided by authorization + for (String role : authorization.getRoles()) { + LdapName roleName = new LdapName(role); + if (roleName.equals(name)) { + // skip + } else { + checkImpliedPrincipalName(roleName); + principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal)); + if (roleName.equals(ROLE_ADMIN_NAME)) + principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID)); + } } - } else - return false; + + return true; + } catch (InvalidNameException e) { + throw new CmsException("Cannot commit", e); + } } @Override @@ -121,18 +122,17 @@ public class NodeUserLoginModule implements LoginModule { @Override public boolean logout() throws LoginException { - // TODO better deal with successive logout if (subject == null) - return true; - // TODO make it less brutal - subject.getPrincipals().removeAll( - subject.getPrincipals(X500Principal.class)); - subject.getPrincipals().removeAll( - subject.getPrincipals(ImpliedByPrincipal.class)); - subject.getPrincipals().removeAll( - subject.getPrincipals(AdminPrincipal.class)); - subject.getPrincipals().removeAll( - subject.getPrincipals(AnonymousPrincipal.class)); + throw new LoginException("Subject should not be null"); + // Clean up principals + // Argeo + subject.getPrincipals().removeAll(subject.getPrincipals(X500Principal.class)); + subject.getPrincipals().removeAll(subject.getPrincipals(ImpliedByPrincipal.class)); + // Jackrabbit + subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class)); + subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class)); + // Clean up private credentials + subject.getPrivateCredentials().clear(); cleanUp(); return true; } @@ -148,8 +148,7 @@ public class NodeUserLoginModule implements LoginModule { } private void checkImpliedPrincipalName(LdapName roleName) { - if (ROLE_USER_NAME.equals(roleName) - || ROLE_ANONYMOUS_NAME.equals(roleName) + if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName) || ROLE_KERNEL_NAME.equals(roleName)) throw new CmsException(roleName + " cannot be listed as role"); }