X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=1d91a21ca4802e861671bc9ec0afd3c75ee89b36;hb=a5459b7f0a4ce0463b950efd5c776368fe169256;hp=269f509ed45d665ab4bb1b3dbcccefad21712d42;hpb=6ecc30c54a64fb658aa7949349b05d655ff386a8;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index 269f509ed..1d91a21ca 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -27,6 +27,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.cms.CmsException; import org.argeo.naming.LdapAttrs; +import org.argeo.osgi.useradmin.AuthenticatingUser; import org.argeo.osgi.useradmin.IpaUtils; import org.osgi.framework.BundleContext; import org.osgi.framework.FrameworkUtil; @@ -41,14 +42,16 @@ public class UserAdminLoginModule implements LoginModule { private CallbackHandler callbackHandler; private Map sharedState = null; - private List indexedUserProperties = Arrays.asList( - new String[] { LdapAttrs.DN, LdapAttrs.mail.name(), LdapAttrs.uid.name(), LdapAttrs.authPassword.name() }); + private List indexedUserProperties = Arrays + .asList(new String[] { LdapAttrs.mail.name(), LdapAttrs.uid.name(), LdapAttrs.authPassword.name() }); // private state private BundleContext bc; private User authenticatedUser = null; private Locale locale; + private Authorization bindAuthorization = null; + @SuppressWarnings("unchecked") @Override public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, @@ -105,14 +108,27 @@ public class UserAdminLoginModule implements LoginModule { throw new CredentialNotFoundException("No credentials provided"); } - // User user = userAdmin.getUser(null, username); User user = searchForUser(userAdmin, username); if (user == null) return true;// expect Kerberos - // throw new FailedLoginException("Invalid credentials"); - if (!user.hasCredential(null, password)) + + // try bind first + try { + AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password); + bindAuthorization = userAdmin.getAuthorization(authenticatingUser); + // TODO check tokens as well + if (bindAuthorization != null) + return true; + } catch (Exception e) { + // silent + if(log.isTraceEnabled()) + log.trace("Bind failed", e); + } + + // works only if a connection password is provided + if (!user.hasCredential(null, password)) { return false; - // throw new FailedLoginException("Invalid credentials"); + } authenticatedUser = user; return true; } @@ -123,7 +139,9 @@ public class UserAdminLoginModule implements LoginModule { Authorization authorization; if (callbackHandler == null) {// anonymous authorization = userAdmin.getAuthorization(null); - } else { + } else if (bindAuthorization != null) {// bind + authorization = bindAuthorization; + } else {// Kerberos User authenticatingUser; Set kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class); if (kerberosPrincipals.isEmpty()) { @@ -184,23 +202,26 @@ public class UserAdminLoginModule implements LoginModule { Set collectedUsers = new HashSet<>(); // try dn User user = null; - try { - user = (User) userAdmin.getRole(providedUsername); - if (user != null) - collectedUsers.add(user); - } catch (Exception e) { - // silent - } // try all indexes for (String attr : indexedUserProperties) { user = userAdmin.getUser(attr, providedUsername); if (user != null) collectedUsers.add(user); } - if (collectedUsers.size() == 1) - return collectedUsers.iterator().next(); - else if (collectedUsers.size() > 1) + if (collectedUsers.size() == 1) { + user = collectedUsers.iterator().next(); + return user; + } else if (collectedUsers.size() > 1) { log.warn(collectedUsers.size() + " users for provided username" + providedUsername); + } + // try DN as a last resort + try { + user = (User) userAdmin.getRole(providedUsername); + if (user != null) + return user; + } catch (Exception e) { + // silent + } return null; } catch (Exception e) { if (log.isTraceEnabled())