X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FNodeUserLoginModule.java;h=a4b7498da99a5319ab8646df247acf8d6053bb73;hb=029a84fb1a01e9877736db2693b8a3013b1e72a1;hp=a2f5863cb434008cf06f8ba02b27e5d79525d2f8;hpb=86db10fcb2299ebf71d5599a80dc54444b26f893;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java
index a2f5863cb..a4b7498da 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java
@@ -3,7 +3,6 @@ package org.argeo.cms.auth;
 import java.security.Principal;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -12,6 +11,7 @@ import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import javax.security.auth.x500.X500Principal;
@@ -23,11 +23,11 @@ import org.argeo.cms.CmsException;
 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 import org.osgi.service.useradmin.Authorization;
 
-public class NodeUserLoginModule implements LoginModule {
+public class NodeUserLoginModule implements LoginModule, AuthConstants {
 	private Subject subject;
+	private Map<String, Object> sharedState = null;
 
-	private final static LdapName ROLE_KERNEL_NAME, ROLE_ADMIN_NAME,
-			ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
+	private final static LdapName ROLE_KERNEL_NAME, ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
 	private final static List<LdapName> RESERVED_ROLES;
 	private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
 	static {
@@ -36,13 +36,10 @@ public class NodeUserLoginModule implements LoginModule {
 			ROLE_ADMIN_NAME = new LdapName(AuthConstants.ROLE_ADMIN);
 			ROLE_USER_NAME = new LdapName(AuthConstants.ROLE_USER);
 			ROLE_ANONYMOUS_NAME = new LdapName(AuthConstants.ROLE_ANONYMOUS);
-			RESERVED_ROLES = Collections.unmodifiableList(Arrays
-					.asList(new LdapName[] { ROLE_KERNEL_NAME, ROLE_ADMIN_NAME,
-							ROLE_ANONYMOUS_NAME, ROLE_USER_NAME,
-							new LdapName(AuthConstants.ROLE_GROUP_ADMIN),
-							new LdapName(AuthConstants.ROLE_USER_ADMIN) }));
-			ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(
-					ROLE_ANONYMOUS_NAME.toString());
+			RESERVED_ROLES = Collections.unmodifiableList(Arrays.asList(new LdapName[] { ROLE_KERNEL_NAME,
+					ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, new LdapName(AuthConstants.ROLE_GROUP_ADMIN),
+					new LdapName(AuthConstants.ROLE_USER_ADMIN) }));
+			ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(ROLE_ANONYMOUS_NAME.toString());
 		} catch (InvalidNameException e) {
 			throw new Error("Cannot initialize login module class", e);
 		}
@@ -50,19 +47,24 @@ public class NodeUserLoginModule implements LoginModule {
 
 	private Authorization authorization;
 
+	@SuppressWarnings("unchecked")
 	@Override
-	public void initialize(Subject subject, CallbackHandler callbackHandler,
-			Map<String, ?> sharedState, Map<String, ?> options) {
+	public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
+			Map<String, ?> options) {
 		this.subject = subject;
+		this.sharedState = (Map<String, Object>) sharedState;
 	}
 
 	@Override
 	public boolean login() throws LoginException {
-		Iterator<Authorization> auth = subject.getPrivateCredentials(
-				Authorization.class).iterator();
-		if (!auth.hasNext())
-			return false;
-		authorization = auth.next();
+		authorization = (Authorization) sharedState.get(SHARED_STATE_AUTHORIZATION);
+		if (authorization == null)
+			throw new FailedLoginException("No authorization available");
+		// Iterator<Authorization> auth = subject.getPrivateCredentials(
+		// Authorization.class).iterator();
+		// if (!auth.hasNext())
+		// throw new FailedLoginException("No authorization available");
+		// authorization = auth.next();
 		return true;
 	}
 
@@ -70,6 +72,9 @@ public class NodeUserLoginModule implements LoginModule {
 	public boolean commit() throws LoginException {
 		if (authorization == null)
 			throw new LoginException("Authorization should not be null");
+		// required for display name:
+		subject.getPrivateCredentials().add(authorization);
+
 		Set<Principal> principals = subject.getPrincipals();
 		try {
 			String authName = authorization.getName();
@@ -87,8 +92,7 @@ public class NodeUserLoginModule implements LoginModule {
 				checkUserName(name);
 				userPrincipal = new X500Principal(name.toString());
 				principals.add(userPrincipal);
-				principals.add(new ImpliedByPrincipal(ROLE_USER_NAME,
-						userPrincipal));
+				principals.add(new ImpliedByPrincipal(ROLE_USER_NAME, userPrincipal));
 			}
 
 			// Add roles provided by authorization
@@ -98,11 +102,9 @@ public class NodeUserLoginModule implements LoginModule {
 					// skip
 				} else {
 					checkImpliedPrincipalName(roleName);
-					principals.add(new ImpliedByPrincipal(roleName.toString(),
-							userPrincipal));
+					principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
 					if (roleName.equals(ROLE_ADMIN_NAME))
-						principals.add(new AdminPrincipal(
-								SecurityConstants.ADMIN_ID));
+						principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
 				}
 			}
 
@@ -122,16 +124,15 @@ public class NodeUserLoginModule implements LoginModule {
 	public boolean logout() throws LoginException {
 		if (subject == null)
 			throw new LoginException("Subject should not be null");
+		// Clean up principals
 		// Argeo
-		subject.getPrincipals().removeAll(
-				subject.getPrincipals(X500Principal.class));
-		subject.getPrincipals().removeAll(
-				subject.getPrincipals(ImpliedByPrincipal.class));
+		subject.getPrincipals().removeAll(subject.getPrincipals(X500Principal.class));
+		subject.getPrincipals().removeAll(subject.getPrincipals(ImpliedByPrincipal.class));
 		// Jackrabbit
-		subject.getPrincipals().removeAll(
-				subject.getPrincipals(AdminPrincipal.class));
-		subject.getPrincipals().removeAll(
-				subject.getPrincipals(AnonymousPrincipal.class));
+		subject.getPrincipals().removeAll(subject.getPrincipals(AdminPrincipal.class));
+		subject.getPrincipals().removeAll(subject.getPrincipals(AnonymousPrincipal.class));
+		// Clean up private credentials
+		subject.getPrivateCredentials().clear();
 		cleanUp();
 		return true;
 	}
@@ -147,8 +148,7 @@ public class NodeUserLoginModule implements LoginModule {
 	}
 
 	private void checkImpliedPrincipalName(LdapName roleName) {
-		if (ROLE_USER_NAME.equals(roleName)
-				|| ROLE_ANONYMOUS_NAME.equals(roleName)
+		if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName)
 				|| ROLE_KERNEL_NAME.equals(roleName))
 			throw new CmsException(roleName + " cannot be listed as role");
 	}