X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=092a06b7778e8bd6ecbcff7b53293ce3494a36b2;hb=52a45835da8cd816ac2e2b22ee9b84101fe8fb06;hp=cdb0f4ca27edfff0ad89340753d357ab097c09d7;hpb=b6e64316eb5472b68f4673cbda3f1e375defe8fe;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index cdb0f4ca2..092a06b77 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -27,14 +27,12 @@ import javax.servlet.http.HttpServletRequest; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.cms.CmsException; +import org.argeo.api.NodeConstants; +import org.argeo.api.security.CryptoKeyring; import org.argeo.cms.internal.kernel.Activator; import org.argeo.naming.LdapAttrs; -import org.argeo.node.NodeConstants; -import org.argeo.node.security.CryptoKeyring; import org.argeo.osgi.useradmin.AuthenticatingUser; import org.argeo.osgi.useradmin.IpaUtils; -import org.argeo.osgi.useradmin.OsUserUtils; import org.argeo.osgi.useradmin.TokenUtils; import org.osgi.framework.BundleContext; import org.osgi.framework.FrameworkUtil; @@ -44,6 +42,10 @@ import org.osgi.service.useradmin.Group; import org.osgi.service.useradmin.User; import org.osgi.service.useradmin.UserAdmin; +/** + * Use the {@link UserAdmin} in the OSGi registry as the basis for + * authentication. + */ public class UserAdminLoginModule implements LoginModule { private final static Log log = LogFactory.getLog(UserAdminLoginModule.class); @@ -61,7 +63,7 @@ public class UserAdminLoginModule implements LoginModule { private Authorization bindAuthorization = null; - private boolean singleUser = Activator.isSingleUser(); +// private boolean singleUser = Activator.isSingleUser(); @SuppressWarnings("unchecked") @Override @@ -73,7 +75,7 @@ public class UserAdminLoginModule implements LoginModule { this.callbackHandler = callbackHandler; this.sharedState = (Map) sharedState; } catch (Exception e) { - throw new CmsException("Cannot initialize login module", e); + throw new IllegalStateException("Cannot initialize login module", e); } } @@ -83,6 +85,7 @@ public class UserAdminLoginModule implements LoginModule { final String username; final char[] password; Object certificateChain = null; + boolean preauth = false; if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) { // NB: required by Basic http auth @@ -103,9 +106,17 @@ public class UserAdminLoginModule implements LoginModule { username = certDn; certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN); password = null; - } else if (singleUser) { - username = OsUserUtils.getOsUsername(); + } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) + && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_ADDR) + && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_REMOTE_PORT)) {// ident + username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); password = null; + preauth = true; +// } else if (singleUser) { +// username = OsUserUtils.getOsUsername(); +// password = null; +// // TODO retrieve from http session +// locale = Locale.getDefault(); } else { // ask for username and password @@ -182,8 +193,10 @@ public class UserAdminLoginModule implements LoginModule { // TODO check CRLs/OSCP validity? // NB: authorization in commit() will work only if an LDAP connection password // is provided - } else if (singleUser) { - // TODO verify IP address? +// } else if (singleUser) { +// // TODO verify IP address? + } else if (preauth) { + // ident } else { throw new CredentialNotFoundException("No credentials provided"); } @@ -194,14 +207,12 @@ public class UserAdminLoginModule implements LoginModule { @Override public boolean commit() throws LoginException { - if (locale == null) - subject.getPublicCredentials().add(Locale.getDefault()); - else + if (locale != null) subject.getPublicCredentials().add(locale); - if (singleUser) { - OsUserUtils.loginAsSystemUser(subject); - } +// if (singleUser) { +// OsUserUtils.loginAsSystemUser(subject); +// } UserAdmin userAdmin = Activator.getUserAdmin(); Authorization authorization; if (callbackHandler == null) {// anonymous @@ -215,7 +226,7 @@ public class UserAdminLoginModule implements LoginModule { if (authenticatedUser == null) { if (log.isTraceEnabled()) log.trace("Neither kerberos nor user admin login succeeded. Login failed."); - return false; + throw new CredentialNotFoundException("Bad credentials."); } else { authenticatingUser = authenticatedUser; } @@ -286,8 +297,6 @@ public class UserAdminLoginModule implements LoginModule { public boolean logout() throws LoginException { if (log.isTraceEnabled()) log.trace("Logging out from CMS... " + subject); - // boolean httpSessionLogoutOk = CmsAuthUtils.logoutSession(bc, - // subject); CmsAuthUtils.cleanUp(subject); return true; } @@ -298,6 +307,7 @@ public class UserAdminLoginModule implements LoginModule { Set collectedUsers = new HashSet<>(); // try dn User user = null; + user = null; // try all indexes for (String attr : indexedUserProperties) { user = userAdmin.getUser(attr, providedUsername); @@ -345,7 +355,9 @@ public class UserAdminLoginModule implements LoginModule { // return null; // } // } - Authorization auth = userAdmin.getAuthorization(tokenGroup); + String userDn = TokenUtils.userDn(tokenGroup); + User user = (User) userAdmin.getRole(userDn); + Authorization auth = userAdmin.getAuthorization(user); return auth; } }