X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=53161e58c5533103ad136fbd5cd829cca147d5fa;hb=e75cf778a87f1b2ef7cfc57339ccbf9657282e92;hp=0ae84ff8ac7f294b4b891ac5d77c7281eb10e162;hpb=da78fca0c8b99cabab454d704136e0313342292c;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index 0ae84ff8a..53161e58c 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -1,8 +1,9 @@ package org.argeo.cms.auth; -import static org.argeo.util.naming.LdapAttrs.cn; +import static org.argeo.api.acr.ldap.LdapAttr.cn; import java.io.IOException; +import java.security.Principal; import java.security.PrivilegedAction; import java.util.Arrays; import java.util.HashSet; @@ -24,13 +25,13 @@ import javax.security.auth.login.CredentialNotFoundException; import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; +import org.argeo.api.acr.ldap.LdapAttr; import org.argeo.api.cms.CmsConstants; import org.argeo.api.cms.CmsLog; +import org.argeo.cms.directory.ldap.IpaUtils; import org.argeo.cms.internal.runtime.CmsContextImpl; -import org.argeo.osgi.useradmin.AuthenticatingUser; -import org.argeo.osgi.useradmin.TokenUtils; -import org.argeo.util.directory.ldap.IpaUtils; -import org.argeo.util.naming.LdapAttrs; +import org.argeo.cms.osgi.useradmin.AuthenticatingUser; +import org.argeo.cms.osgi.useradmin.TokenUtils; import org.osgi.service.useradmin.Authorization; import org.osgi.service.useradmin.Group; import org.osgi.service.useradmin.User; @@ -47,8 +48,8 @@ public class UserAdminLoginModule implements LoginModule { private CallbackHandler callbackHandler; private Map sharedState = null; - private List indexedUserProperties = Arrays.asList(new String[] { LdapAttrs.mail.name(), - LdapAttrs.uid.name(), LdapAttrs.employeeNumber.name(), LdapAttrs.authPassword.name() }); + private List indexedUserProperties = Arrays.asList(new String[] { LdapAttr.mail.name(), LdapAttr.uid.name(), + LdapAttr.employeeNumber.name(), LdapAttr.authPassword.name() }); // private state // private BundleContext bc; @@ -102,6 +103,11 @@ public class UserAdminLoginModule implements LoginModule { username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); password = null; preauth = true; + } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) { + // single user, we assume Kerberos or other mean for commit + username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME); + password = null; + preauth = true; } else { // ask for username and password @@ -155,20 +161,24 @@ public class UserAdminLoginModule implements LoginModule { return true;// expect Kerberos if (password != null) { + // TODO disabling bind for the time being, + // as it requires authorisations to be set at LDAP level + boolean tryBind = false; // try bind first - try { - AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password); - bindAuthorization = userAdmin.getAuthorization(authenticatingUser); - // TODO check tokens as well - if (bindAuthorization != null) { - authenticatedUser = user; - return true; + if (tryBind) + try { + AuthenticatingUser authenticatingUser = new AuthenticatingUser(user.getName(), password); + bindAuthorization = userAdmin.getAuthorization(authenticatingUser); + // TODO check tokens as well + if (bindAuthorization != null) { + authenticatedUser = user; + return true; + } + } catch (Exception e) { + // silent + if (log.isTraceEnabled()) + log.trace("Bind failed", e); } - } catch (Exception e) { - // silent - if (log.isTraceEnabled()) - log.trace("Bind failed", e); - } // works only if a connection password is provided if (!user.hasCredential(null, password)) { @@ -200,7 +210,7 @@ public class UserAdminLoginModule implements LoginModule { // } UserAdmin userAdmin = CmsContextImpl.getCmsContext().getUserAdmin(); Authorization authorization; - if (callbackHandler == null) {// anonymous + if (callbackHandler == null && !sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) {// anonymous authorization = userAdmin.getAuthorization(null); } else if (bindAuthorization != null) {// bind authorization = bindAuthorization; @@ -270,8 +280,21 @@ public class UserAdminLoginModule implements LoginModule { // Register CmsSession with initial subject CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale); - if (log.isDebugEnabled()) - log.debug("Logged in to CMS: " + subject); + if (log.isDebugEnabled()) { + StringBuilder msg = new StringBuilder(); + msg.append("Logged in to CMS: " + authorization.getName() + "(" + authorization + ")\n"); + for (Principal principal : subject.getPrincipals()) { + msg.append(" Principal: " + principal.getName()).append(" (") + .append(principal.getClass().getSimpleName()).append(")\n"); + } + for (Object credential : subject.getPublicCredentials()) { + msg.append(" Public Credential: " + credential).append(" (") + .append(credential.getClass().getSimpleName()).append(")\n"); + } + log.debug(msg); + } +// if (log.isTraceEnabled()) +// log.trace(" Subject: " + subject); return true; }