X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FSingleUserLoginModule.java;h=10e091ead0a4953e2236f2ad4860c5d04ba277c2;hb=e75cf778a87f1b2ef7cfc57339ccbf9657282e92;hp=23bbf2345abb90b82654051d3673f39f66d42d12;hpb=fd8f2c91e47d38445ba9702b40559939162f666d;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java index 23bbf2345..10e091ead 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java @@ -1,44 +1,88 @@ package org.argeo.cms.auth; -import java.security.Principal; +import java.util.Locale; import java.util.Map; -import java.util.Set; +import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.kerberos.KerberosPrincipal; +import javax.security.auth.login.CredentialException; import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; import javax.security.auth.x500.X500Principal; -import org.apache.jackrabbit.core.security.SecurityConstants; -import org.apache.jackrabbit.core.security.principal.AdminPrincipal; -import org.argeo.cms.internal.auth.ImpliedByPrincipal; -import org.argeo.node.NodeConstants; +import org.argeo.api.acr.ldap.LdapAttr; +import org.argeo.cms.directory.ldap.IpaUtils; +import org.argeo.cms.internal.runtime.CmsContextImpl; +import org.argeo.cms.osgi.useradmin.OsUserUtils; +import org.osgi.service.useradmin.Authorization; + +/** Login module for when the system is owned by a single user. */ +public class SingleUserLoginModule implements LoginModule { +// private final static CmsLog log = CmsLog.getLog(SingleUserLoginModule.class); -public class SingleUserLoginModule implements LoginModule, AuthConstants { private Subject subject; + private Map sharedState = null; + @SuppressWarnings("unchecked") @Override - public void initialize(Subject subject, CallbackHandler callbackHandler, - Map sharedState, Map options) { + public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, + Map options) { this.subject = subject; + this.sharedState = (Map) sharedState; } @Override public boolean login() throws LoginException { + String username = System.getProperty("user.name"); + if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME) + && !username.equals(sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME))) + throw new CredentialException( + "OS username already set with " + sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME)); + if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) + sharedState.put(CmsAuthUtils.SHARED_STATE_OS_USERNAME, username); return true; } @Override public boolean commit() throws LoginException { - String username = System.getProperty("user.name"); - X500Principal principal = new X500Principal("uid=" + username - + ",dc=localhost,dc=localdomain"); - Set principals = subject.getPrincipals(); - principals.add(principal); - principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal)); - // Jackrabbit - principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID)); + String authorizationName; + KerberosPrincipal kerberosPrincipal = CmsAuthUtils.getSinglePrincipal(subject, KerberosPrincipal.class); + if (kerberosPrincipal != null) { + LdapName userDn = IpaUtils.kerberosToDn(kerberosPrincipal.getName()); + X500Principal principal = new X500Principal(userDn.toString()); + authorizationName = principal.getName(); + } else { + Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME); + if (username == null) + throw new LoginException("No username available"); + String hostname = CmsContextImpl.getCmsContext().getCmsState().getHostname(); + String baseDn = ("." + hostname).replaceAll("\\.", ",dc="); + X500Principal principal = new X500Principal(LdapAttr.uid + "=" + username + baseDn); + authorizationName = principal.getName(); + } + + RemoteAuthRequest request = (RemoteAuthRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); + Locale locale = Locale.getDefault(); + if (request != null) + locale = request.getLocale(); + if (locale == null) + locale = Locale.getDefault(); + Authorization authorization = new SingleUserAuthorization(authorizationName); + CmsAuthUtils.addAuthorization(subject, authorization); + + // Add standard Java OS login + OsUserUtils.loginAsSystemUser(subject); + + // additional principals (must be after Authorization registration) +// Set principals = subject.getPrincipals(); +// principals.add(principal); +// principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal)); +// principals.add(new DataAdminPrincipal()); + + CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale); + return true; } @@ -49,7 +93,7 @@ public class SingleUserLoginModule implements LoginModule, AuthConstants { @Override public boolean logout() throws LoginException { - // TODO Auto-generated method stub + CmsAuthUtils.cleanUp(subject); return true; }