X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fhttp%2FCmsAuthenticator.java;h=307f928a5c9658f52bca202cf8d24f0655c0e403;hb=921b6cf95420aafa6b9cebe107c927e8062ed865;hp=04312eca3d8abcb573c446f6be45eb434191a244;hpb=1d7058b30bd990cda7d4efc1c029501f05a07113;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/http/CmsAuthenticator.java b/org.argeo.cms/src/org/argeo/cms/internal/http/CmsAuthenticator.java
index 04312eca3..307f928a5 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/http/CmsAuthenticator.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/http/CmsAuthenticator.java
@@ -5,20 +5,22 @@ import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import org.argeo.api.cms.CmsAuth;
-import org.argeo.api.cms.CmsLog;
 import org.argeo.cms.auth.CurrentUser;
 import org.argeo.cms.auth.RemoteAuthCallbackHandler;
-import org.argeo.cms.auth.SpnegoLoginModule;
+import org.argeo.cms.auth.RemoteAuthRequest;
+import org.argeo.cms.auth.RemoteAuthResponse;
+import org.argeo.cms.auth.RemoteAuthUtils;
+import org.argeo.util.CurrentSubject;
 import com.sun.net.httpserver.Authenticator;
 import com.sun.net.httpserver.HttpExchange;
 import com.sun.net.httpserver.HttpPrincipal;
 public class CmsAuthenticator extends Authenticator {
- final static String HEADER_AUTHORIZATION = "Authorization";
- final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
+// final static String HEADER_AUTHORIZATION = "Authorization";
+// final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
- private final static CmsLog log = CmsLog.getLog(CmsAuthenticator.class);
+// private final static CmsLog log = CmsLog.getLog(CmsAuthenticator.class);
 // TODO make it configurable
 private final String httpAuthRealm = "Argeo";
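Review bot: The `HEADER_AUTHORIZATION`, `HEADER_WWW_AUTHENTICATE` and `log` declarations are commented out rather than deleted, although their only users, `askForWwwAuth` and `processUnauthorized`, are removed in the last hunk of this diff; commented-out code is dead weight that version control already preserves, so the three `//` lines should simply go. The same applies to the commented-out `Subject.doAs(...)` block that is left in place below the new `CurrentSubject.callAs` call in the third hunk. If a logger is still wanted in this class, keep `log` as a live field rather than as a comment.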
@@ -28,22 +30,21 @@ public class CmsAuthenticator extends Authenticator {
 public Result authenticate(HttpExchange exch) {
 // if (log.isTraceEnabled())
 // HttpUtils.logRequestHeaders(log, request);
- RemoteAuthHttpExchange remoteAuthHttpExchange = new RemoteAuthHttpExchange(exch);
+ RemoteAuthHttpExchange remoteAuthExchange = new RemoteAuthHttpExchange(exch);
 ClassLoader currentThreadContextClassLoader = Thread.currentThread().getContextClassLoader();
 Thread.currentThread().setContextClassLoader(CmsAuthenticator.class.getClassLoader());
 LoginContext lc;
 try {
- lc = CmsAuth.USER
- .newLoginContext(new RemoteAuthCallbackHandler(remoteAuthHttpExchange, remoteAuthHttpExchange));
+ lc = CmsAuth.USER.newLoginContext(new RemoteAuthCallbackHandler(remoteAuthExchange, remoteAuthExchange));
 lc.login();
 } catch (LoginException e) {
 // FIXME better analyse failure so as not to try endlessly
- if (authIsRequired(exch)) {
- return askForWwwAuth(exch);
+ if (authIsRequired(remoteAuthExchange,remoteAuthExchange)) {
+ int statusCode = RemoteAuthUtils.askForWwwAuth(remoteAuthExchange, httpAuthRealm, forceBasic);
+ return new Authenticator.Retry(statusCode);
+ } else {
- lc = processUnauthorized(exch);
-// if (log.isTraceEnabled())
-// HttpUtils.logResponseHeaders(log, response);
+ lc = RemoteAuthUtils.anonymousLogin(remoteAuthExchange, remoteAuthExchange);
 }
 if (lc == null)
 return new Authenticator.Failure(403);
@@ -53,6 +54,10 @@ public class CmsAuthenticator extends Authenticator {
 Subject subject = lc.getSubject();
+ CurrentSubject.callAs(subject, () -> {
+ RemoteAuthUtils.configureRequestSecurity(remoteAuthExchange);
+ return null;
+ });
 // Subject.doAs(subject, new PrivilegedAction() {
 //
 // @Override
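Review bot: The two early returns in the catch block, the new `return new Authenticator.Retry(statusCode);` and the existing `return new Authenticator.Failure(403);`, leave the thread's context class loader set to `CmsAuthenticator.class.getClassLoader()` unless `currentThreadContextClassLoader` is restored in a `finally`; the rest of `authenticate` lies outside this hunk so I cannot see where the restore happens, but the removed `processUnauthorized` guarded its own switch with `finally`, and this method needs the same, e.g. `try { ... } finally { Thread.currentThread().setContextClassLoader(currentThreadContextClassLoader); }` around everything after the `setContextClassLoader` call. The caught `LoginException e` is also discarded now: with `log` commented out and the debug message of `processUnauthorized` gone, a rejected Authorization header or a failed anonymous fallback leaves no server-side trace, so a debug-level log of `e` (never of the credentials themselves) before choosing between the challenge and `RemoteAuthUtils.anonymousLogin` would keep failed logins observable. Minor: `authIsRequired(remoteAuthExchange,remoteAuthExchange)` is missing the space after the comma.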
@@ -68,47 +73,9 @@ public class CmsAuthenticator extends Authenticator {
 return new Authenticator.Success(httpPrincipal);
 }
- protected boolean authIsRequired(HttpExchange httpExchange) {
+ protected boolean authIsRequired(RemoteAuthRequest remoteAuthRequest,
+ RemoteAuthResponse remoteAuthResponse) {
 return true;
 }
- protected LoginContext processUnauthorized(HttpExchange httpExchange) {
-
- RemoteAuthHttpExchange remoteAuthExchange = new RemoteAuthHttpExchange(httpExchange);
- // anonymous
- ClassLoader currentContextClassLoader = Thread.currentThread().getContextClassLoader();
- try {
- Thread.currentThread().setContextClassLoader(CmsAuthenticator.class.getClassLoader());
- LoginContext lc = CmsAuth.ANONYMOUS
- .newLoginContext(new RemoteAuthCallbackHandler(remoteAuthExchange, remoteAuthExchange));
- lc.login();
- return lc;
- } catch (LoginException e1) {
- if (log.isDebugEnabled())
- log.error("Cannot log in as anonymous", e1);
- return null;
- } finally {
- Thread.currentThread().setContextClassLoader(currentContextClassLoader);
- }
- }
-
- protected Authenticator.Retry askForWwwAuth(HttpExchange httpExchange) {
- // response.setHeader(HttpUtils.HEADER_WWW_AUTHENTICATE, "basic
- // realm=\"" + httpAuthRealm + "\"");
- if (SpnegoLoginModule.hasAcceptorCredentials() && !forceBasic)// SPNEGO
- httpExchange.getResponseHeaders().set(HEADER_WWW_AUTHENTICATE, "Negotiate");
- else
- httpExchange.getResponseHeaders().set(HEADER_WWW_AUTHENTICATE, "Basic realm=\"" + httpAuthRealm + "\"");
-
- // response.setDateHeader("Date", System.currentTimeMillis());
- // response.setDateHeader("Expires", System.currentTimeMillis() + (24 *
- // 60 * 60 * 1000));
- // response.setHeader("Accept-Ranges", "bytes");
- // response.setHeader("Connection", "Keep-Alive");
- // response.setHeader("Keep-Alive", "timeout=5, max=97");
- // response.setContentType("text/html; charset=UTF-8");
-
- return new Authenticator.Retry(401);
- }
-
 }
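Review bot: The new `authIsRequired(RemoteAuthRequest remoteAuthRequest, RemoteAuthResponse remoteAuthResponse)` ignores both parameters and still returns `true` unconditionally, and it carries no Javadoc telling a subclass what this hook decides. Suggest `/** Whether a failed login must be answered with a WWW-Authenticate challenge; when false, an anonymous login is attempted instead. The default always challenges. */` above it. Any subclass that still overrides the removed `authIsRequired(HttpExchange)` without `@Override` will keep compiling but silently stop being consulted, so the signature change deserves a mention for extenders. The `SpnegoLoginModule.hasAcceptorCredentials() && !forceBasic` choice between `Negotiate` and `Basic` that lived in the removed `askForWwwAuth` is now delegated to `RemoteAuthUtils.askForWwwAuth`, which is outside this diff; I am assuming it preserves the same Negotiate-over-Basic preference and the realm handling.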