X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Fauth%2FUserAdminLoginModule.java;h=738b507e79495a5898f29098f5a0f2c4169bf8a9;hb=f4da6777015da3fc392138f0c01cea2f2add9ed3;hp=f7d426e26c31036baf4a678e74438c536e4b1b59;hpb=5b3108fe285bca50565b58b63fa4feddc96c0765;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index f7d426e26..738b507e7 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -1,6 +1,6 @@
 package org.argeo.cms.auth;
 
-import static org.argeo.naming.LdapAttrs.cn;
+import static org.argeo.util.naming.LdapAttrs.cn;
 
 import java.io.IOException;
 import java.security.PrivilegedAction;
@@ -23,19 +23,16 @@ import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.CredentialNotFoundException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.argeo.api.NodeConstants;
-import org.argeo.api.security.CryptoKeyring;
-import org.argeo.cms.CmsException;
-import org.argeo.cms.internal.kernel.Activator;
-import org.argeo.naming.LdapAttrs;
+
+import org.argeo.api.cms.CmsConstants;
+import org.argeo.api.cms.CmsLog;
+import org.argeo.cms.internal.osgi.NodeUserAdmin;
+import org.argeo.cms.internal.runtime.CmsContextImpl;
+import org.argeo.cms.security.CryptoKeyring;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
-import org.argeo.osgi.useradmin.OsUserUtils;
 import org.argeo.osgi.useradmin.TokenUtils;
+import org.argeo.util.naming.LdapAttrs;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.framework.ServiceReference;
@@ -44,8 +41,12 @@ import org.osgi.service.useradmin.Group;
 import org.osgi.service.useradmin.User;
 import org.osgi.service.useradmin.UserAdmin;
 
+/**
+ * Use the {@link UserAdmin} in the OSGi registry as the basis for
+ * authentication.
+ */
 public class UserAdminLoginModule implements LoginModule {
-	private final static Log log = LogFactory.getLog(UserAdminLoginModule.class);
+	private final static CmsLog log = CmsLog.getLog(UserAdminLoginModule.class);
 
 	private Subject subject;
 	private CallbackHandler callbackHandler;
@@ -61,7 +62,7 @@ public class UserAdminLoginModule implements LoginModule {
 
 	private Authorization bindAuthorization = null;
 
-	private boolean singleUser = Activator.isSingleUser();
+//	private boolean singleUser = Activator.isSingleUser();
 
 	@SuppressWarnings("unchecked")
 	@Override
@@ -73,13 +74,13 @@ public class UserAdminLoginModule implements LoginModule {
 			this.callbackHandler = callbackHandler;
 			this.sharedState = (Map<String, Object>) sharedState;
 		} catch (Exception e) {
-			throw new CmsException("Cannot initialize login module", e);
+			throw new IllegalStateException("Cannot initialize login module", e);
 		}
 	}
 
 	@Override
 	public boolean login() throws LoginException {
-		UserAdmin userAdmin = Activator.getUserAdmin();
+		UserAdmin userAdmin = CmsContextImpl.getUserAdmin();
 		final String username;
 		final char[] password;
 		Object certificateChain = null;
@@ -110,9 +111,11 @@ public class UserAdminLoginModule implements LoginModule {
 			username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
 			password = null;
 			preauth = true;
-		} else if (singleUser) {
-			username = OsUserUtils.getOsUsername();
-			password = null;
+//		} else if (singleUser) {
+//			username = OsUserUtils.getOsUsername();
+//			password = null;
+//			// TODO retrieve from http session
+//			locale = Locale.getDefault();
 		} else {
 
 			// ask for username and password
@@ -189,8 +192,8 @@ public class UserAdminLoginModule implements LoginModule {
 			// TODO check CRLs/OSCP validity?
 			// NB: authorization in commit() will work only if an LDAP connection password
 			// is provided
-		} else if (singleUser) {
-			// TODO verify IP address?
+//		} else if (singleUser) {
+//			// TODO verify IP address?
 		} else if (preauth) {
 			// ident
 		} else {
@@ -203,15 +206,13 @@ public class UserAdminLoginModule implements LoginModule {
 
 	@Override
 	public boolean commit() throws LoginException {
-		if (locale == null)
-			subject.getPublicCredentials().add(Locale.getDefault());
-		else
+		if (locale != null)
 			subject.getPublicCredentials().add(locale);
 
-		if (singleUser) {
-			OsUserUtils.loginAsSystemUser(subject);
-		}
-		UserAdmin userAdmin = Activator.getUserAdmin();
+//		if (singleUser) {
+//			OsUserUtils.loginAsSystemUser(subject);
+//		}
+		UserAdmin userAdmin = CmsContextImpl.getUserAdmin();
 		Authorization authorization;
 		if (callbackHandler == null) {// anonymous
 			authorization = userAdmin.getAuthorization(null);
@@ -224,7 +225,7 @@ public class UserAdminLoginModule implements LoginModule {
 				if (authenticatedUser == null) {
 					if (log.isTraceEnabled())
 						log.trace("Neither kerberos nor user admin login succeeded. Login failed.");
-					return false;
+					throw new CredentialNotFoundException("Bad credentials.");
 				} else {
 					authenticatingUser = authenticatedUser;
 				}
@@ -251,7 +252,7 @@ public class UserAdminLoginModule implements LoginModule {
 		}
 
 		// Log and monitor new login
-		HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
+		RemoteAuthRequest request = (RemoteAuthRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
 		CmsAuthUtils.addAuthorization(subject, authorization);
 
 		// Unlock keyring (underlying login to the JCR repository)
@@ -295,8 +296,6 @@ public class UserAdminLoginModule implements LoginModule {
 	public boolean logout() throws LoginException {
 		if (log.isTraceEnabled())
 			log.trace("Logging out from CMS... " + subject);
-		// boolean httpSessionLogoutOk = CmsAuthUtils.logoutSession(bc,
-		// subject);
 		CmsAuthUtils.cleanUp(subject);
 		return true;
 	}
@@ -307,6 +306,7 @@ public class UserAdminLoginModule implements LoginModule {
 			Set<User> collectedUsers = new HashSet<>();
 			// try dn
 			User user = null;
+			user = null;
 			// try all indexes
 			for (String attr : indexedUserProperties) {
 				user = userAdmin.getUser(attr, providedUsername);
@@ -337,7 +337,7 @@ public class UserAdminLoginModule implements LoginModule {
 	}
 
 	protected Group searchForToken(UserAdmin userAdmin, String token) {
-		String dn = cn + "=" + token + "," + NodeConstants.TOKENS_BASEDN;
+		String dn = cn + "=" + token + "," + CmsConstants.TOKENS_BASEDN;
 		Group tokenGroup = (Group) userAdmin.getRole(dn);
 		return tokenGroup;
 	}