X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=4c9d094802026535e7525e543eab1494af113f9c;hb=6254373e6005cf77f218ab5b8c54fdc72bb97ca4;hp=692d214bcccc23ce5fe51303ef9e66336bccc3a4;hpb=08490f85954fc85940d1182c12a825b33491c3ba;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index 692d214bc..4c9d09480 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -1,6 +1,6 @@ package org.argeo.cms.auth; -import static org.argeo.naming.LdapAttrs.cn; +import static org.argeo.util.naming.LdapAttrs.cn; import java.io.IOException; import java.security.PrivilegedAction; @@ -23,19 +23,15 @@ import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.CredentialNotFoundException; import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; -import javax.servlet.http.HttpServletRequest; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.argeo.cms.CmsException; -import org.argeo.cms.internal.kernel.Activator; -import org.argeo.naming.LdapAttrs; -import org.argeo.node.NodeConstants; -import org.argeo.node.security.CryptoKeyring; + +import org.argeo.api.cms.CmsConstants; +import org.argeo.api.cms.CmsLog; +import org.argeo.cms.internal.runtime.CmsContextImpl; +import org.argeo.cms.security.CryptoKeyring; import org.argeo.osgi.useradmin.AuthenticatingUser; -import org.argeo.osgi.useradmin.IpaUtils; -import org.argeo.osgi.useradmin.OsUserUtils; import org.argeo.osgi.useradmin.TokenUtils; +import org.argeo.util.directory.ldap.IpaUtils; +import org.argeo.util.naming.LdapAttrs; import org.osgi.framework.BundleContext; import org.osgi.framework.FrameworkUtil; import org.osgi.framework.ServiceReference; @@ -44,15 +40,19 @@ import org.osgi.service.useradmin.Group; import org.osgi.service.useradmin.User; import org.osgi.service.useradmin.UserAdmin; +/** + * Use the {@link UserAdmin} in the OSGi registry as the basis for + * authentication. + */ public class UserAdminLoginModule implements LoginModule { - private final static Log log = LogFactory.getLog(UserAdminLoginModule.class); + private final static CmsLog log = CmsLog.getLog(UserAdminLoginModule.class); private Subject subject; private CallbackHandler callbackHandler; private Map sharedState = null; - private List indexedUserProperties = Arrays - .asList(new String[] { LdapAttrs.mail.name(), LdapAttrs.uid.name(), LdapAttrs.authPassword.name() }); + private List indexedUserProperties = Arrays.asList(new String[] { LdapAttrs.mail.name(), + LdapAttrs.uid.name(), LdapAttrs.employeeNumber.name(), LdapAttrs.authPassword.name() }); // private state private BundleContext bc; @@ -61,7 +61,7 @@ public class UserAdminLoginModule implements LoginModule { private Authorization bindAuthorization = null; - private boolean singleUser = Activator.isSingleUser(); +// private boolean singleUser = Activator.isSingleUser(); @SuppressWarnings("unchecked") @Override @@ -73,13 +73,13 @@ public class UserAdminLoginModule implements LoginModule { this.callbackHandler = callbackHandler; this.sharedState = (Map) sharedState; } catch (Exception e) { - throw new CmsException("Cannot initialize login module", e); + throw new IllegalStateException("Cannot initialize login module", e); } } @Override public boolean login() throws LoginException { - UserAdmin userAdmin = Activator.getUserAdmin(); + UserAdmin userAdmin = CmsContextImpl.getCmsContext().getUserAdmin(); final String username; final char[] password; Object certificateChain = null; @@ -90,17 +90,13 @@ public class UserAdminLoginModule implements LoginModule { username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); password = (char[]) sharedState.get(CmsAuthUtils.SHARED_STATE_PWD); // // TODO locale? + } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) + && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_SPNEGO_TOKEN)) { + // SPNEGO login has succeeded, that's enough for us at this stage + return true; } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN)) { String certDn = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); -// LdapName ldapName; -// try { -// ldapName = new LdapName(certificateName); -// } catch (InvalidNameException e) { -// e.printStackTrace(); -// return false; -// } -// username = ldapName.getRdn(ldapName.size() - 1).getValue().toString(); username = certDn; certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN); password = null; @@ -110,9 +106,6 @@ public class UserAdminLoginModule implements LoginModule { username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); password = null; preauth = true; - } else if (singleUser) { - username = OsUserUtils.getOsUsername(); - password = null; } else { // ask for username and password @@ -189,8 +182,8 @@ public class UserAdminLoginModule implements LoginModule { // TODO check CRLs/OSCP validity? // NB: authorization in commit() will work only if an LDAP connection password // is provided - } else if (singleUser) { - // TODO verify IP address? +// } else if (singleUser) { +// // TODO verify IP address? } else if (preauth) { // ident } else { @@ -203,15 +196,13 @@ public class UserAdminLoginModule implements LoginModule { @Override public boolean commit() throws LoginException { - if (locale == null) - subject.getPublicCredentials().add(Locale.getDefault()); - else + if (locale != null) subject.getPublicCredentials().add(locale); - if (singleUser) { - OsUserUtils.loginAsSystemUser(subject); - } - UserAdmin userAdmin = Activator.getUserAdmin(); +// if (singleUser) { +// OsUserUtils.loginAsSystemUser(subject); +// } + UserAdmin userAdmin = CmsContextImpl.getCmsContext().getUserAdmin(); Authorization authorization; if (callbackHandler == null) {// anonymous authorization = userAdmin.getAuthorization(null); @@ -224,7 +215,7 @@ public class UserAdminLoginModule implements LoginModule { if (authenticatedUser == null) { if (log.isTraceEnabled()) log.trace("Neither kerberos nor user admin login succeeded. Login failed."); - return false; + throw new CredentialNotFoundException("Bad credentials."); } else { authenticatingUser = authenticatedUser; } @@ -236,6 +227,8 @@ public class UserAdminLoginModule implements LoginModule { throw new LoginException("Kerberos login " + authenticatingUser.getName() + " is inconsistent with user admin login " + authenticatedUser.getName()); } + if (log.isTraceEnabled()) + log.trace("Retrieve authorization for " + authenticatingUser + "... "); authorization = Subject.doAs(subject, new PrivilegedAction() { @Override @@ -251,7 +244,7 @@ public class UserAdminLoginModule implements LoginModule { } // Log and monitor new login - HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); + RemoteAuthRequest request = (RemoteAuthRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); CmsAuthUtils.addAuthorization(subject, authorization); // Unlock keyring (underlying login to the JCR repository) @@ -295,8 +288,6 @@ public class UserAdminLoginModule implements LoginModule { public boolean logout() throws LoginException { if (log.isTraceEnabled()) log.trace("Logging out from CMS... " + subject); - // boolean httpSessionLogoutOk = CmsAuthUtils.logoutSession(bc, - // subject); CmsAuthUtils.cleanUp(subject); return true; } @@ -307,6 +298,7 @@ public class UserAdminLoginModule implements LoginModule { Set collectedUsers = new HashSet<>(); // try dn User user = null; + user = null; // try all indexes for (String attr : indexedUserProperties) { user = userAdmin.getUser(attr, providedUsername); @@ -337,7 +329,7 @@ public class UserAdminLoginModule implements LoginModule { } protected Group searchForToken(UserAdmin userAdmin, String token) { - String dn = cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN; + String dn = cn + "=" + token + "," + CmsConstants.TOKENS_BASEDN; Group tokenGroup = (Group) userAdmin.getRole(dn); return tokenGroup; }