X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fplugins%2Forg.argeo.security.ui.rap%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fui%2Frap%2FSecureEntryPoint.java;h=8e377e09998ccdc1ec0f4f468e6d622dc201f01c;hb=118878eb12c8e142da7648cae3880754b34798b2;hp=f30f0059bd825516bdc77cff250d9bb6d5ed14f1;hpb=5266ec50ddbf3247a5033d98a1dbceec6673a5b8;p=lgpl%2Fargeo-commons.git diff --git a/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java b/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java index f30f0059b..8e377e099 100644 --- a/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java +++ b/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java @@ -7,61 +7,170 @@ import javax.security.auth.login.LoginException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.eclipse.ui.dialogs.Error; +import org.argeo.ArgeoException; +import org.eclipse.equinox.security.auth.ILoginContext; +import org.eclipse.jface.dialogs.MessageDialog; +import org.eclipse.rwt.RWT; import org.eclipse.rwt.lifecycle.IEntryPoint; -import org.eclipse.rwt.service.SessionStoreEvent; -import org.eclipse.rwt.service.SessionStoreListener; import org.eclipse.swt.widgets.Display; import org.eclipse.ui.PlatformUI; import org.eclipse.ui.application.IWorkbenchWindowConfigurer; import org.eclipse.ui.application.WorkbenchAdvisor; import org.eclipse.ui.application.WorkbenchWindowAdvisor; +import org.springframework.security.BadCredentialsException; -public class SecureEntryPoint implements IEntryPoint, SessionStoreListener { - private Log log = LogFactory.getLog(SecureEntryPoint.class); +/** + * RAP entry point with login capabilities. On the user has been authenticated, + * the workbench is run as a privileged action by the related subject. + */ +public class SecureEntryPoint implements IEntryPoint { + private final static Log log = LogFactory.getLog(SecureEntryPoint.class); + + /** + * How many seconds to wait before invalidating the session if the user has + * not yet logged in. + */ + private Integer loginTimeout = 1 * 60; + private Integer sessionTimeout = 15 * 60; @Override public int createUI() { - // log.debug("THREAD=" + Thread.currentThread().getId() - // + ", RWT.getSessionStore().getId()=" - // + RWT.getSessionStore().getId()); + // Short login timeout so that the modal dialog login doesn't hang + // around too long + RWT.getRequest().getSession().setMaxInactiveInterval(loginTimeout); + + if (log.isDebugEnabled()) + log.debug("THREAD=" + Thread.currentThread().getId() + + ", sessionStore=" + RWT.getSessionStore().getId()); Integer returnCode = null; + + // create display Display display = PlatformUI.createDisplay(); - try { - Subject subject = null; - Boolean retry = true; - while (retry) { - try { - // force login in order to give Spring Security a chance to - // load - SecureRapActivator.getLoginContext().login(); - subject = SecureRapActivator.getLoginContext().getSubject(); - retry = false; - } catch (LoginException e) { - Error.show("Cannot login", e); - retry = true; - } catch (Exception e) { - Error.show("Unexpected exception while trying to login", e); - retry = false; + + // log in + final ILoginContext loginContext = SecureRapActivator + .createLoginContext(); + Subject subject = null; + tryLogin: while (subject == null && !display.isDisposed()) { + try { + loginContext.login(); + subject = loginContext.getSubject(); + } catch (LoginException e) { + BadCredentialsException bce = wasCausedByBadCredentials(e); + if (bce != null) { + MessageDialog.openInformation(display.getActiveShell(), + "Bad Credentials", bce.getMessage()); + // retry login + continue tryLogin; + } + + // check thread death + ThreadDeath td = wasCausedByThreadDeath(e); + if (td != null) { + display.dispose(); + throw td; + } + + // if (e.getCause() != null) { + // Throwable firstCause = e.getCause(); + // // log.error("Cause", firstCause); + // if (firstCause instanceof LoginException + // && firstCause.getCause() != null) { + // Throwable secondCause = firstCause.getCause(); + // if (secondCause instanceof BadCredentialsException) { + // MessageDialog.openInformation( + // display.getActiveShell(), + // "Bad Credentials", + // "Your credentials are incorrect"); + // // retry login + // continue tryLogin; + // } else if (secondCause instanceof ThreadDeath) { + // // rethrow thread death caused by dialog UI timeout + // throw (ThreadDeath) secondCause; + // } + // + // } else if (firstCause instanceof ThreadDeath) { + // throw (ThreadDeath) firstCause; + // } + // } + + if (!display.isDisposed()) { + org.argeo.eclipse.ui.Error.show( + "Unexpected exception during authentication", e); + // this was not just bad credentials or death thread + RWT.getRequest().getSession().setMaxInactiveInterval(1); + display.dispose(); + return -1; + } else { + throw new ArgeoException( + "Unexpected exception during authentication", e); } } + } + + // identify after successful login + if (log.isDebugEnabled()) + log.debug("Authenticated " + subject); + final String username = subject.getPrincipals().iterator().next() + .getName(); + + // Once the user is logged in, she can have a longer session timeout + RWT.getRequest().getSession().setMaxInactiveInterval(sessionTimeout); - if (subject != null) { - returnCode = (Integer) Subject.doAs(subject, - getRunAction(display)); - SecureRapActivator.getLoginContext().logout(); - return processReturnCode(returnCode); - } else { - return -1; + // Logout callback when the display is disposed + display.disposeExec(new Runnable() { + public void run() { + log.debug("Display disposed"); + logout(loginContext, username); } - } catch (Exception e) { - log.error("Unexpected error",e); - return -1; - } -// finally { -// display.dispose(); -// } + }); + + // + // RUN THE WORKBENCH + // + try { + returnCode = (Integer) Subject.doAs(subject, getRunAction(display)); + logout(loginContext, username); + } finally { + display.dispose(); + } + return processReturnCode(returnCode); + } + + /** Recursively look for {@link BadCredentialsException} in the root causes. */ + private BadCredentialsException wasCausedByBadCredentials(Throwable t) { + if (t instanceof BadCredentialsException) + return (BadCredentialsException) t; + + if (t.getCause() != null) + return wasCausedByBadCredentials(t.getCause()); + else + return null; + } + + /** + * If there is a {@link ThreadDeath} in the root causes, rethrow it + * (important for RAP cleaning mechanism) + */ + protected ThreadDeath wasCausedByThreadDeath(Throwable t) { + if (t instanceof ThreadDeath) + return (ThreadDeath) t; + + if (t.getCause() != null) + return wasCausedByThreadDeath(t.getCause()); + else + return null; + } + + protected void logout(ILoginContext secureContext, String username) { + try { + secureContext.logout(); + log.info("Logged out " + (username != null ? username : "") + + " (THREAD=" + Thread.currentThread().getId() + ")"); + } catch (LoginException e) { + log.error("Erorr when logging out", e); + } } @SuppressWarnings("rawtypes") @@ -74,15 +183,18 @@ public class SecureEntryPoint implements IEntryPoint, SessionStoreListener { }; } + /** To be overridden */ protected Integer createAndRunWorkbench(Display display) { return PlatformUI.createAndRunWorkbench(display, createWorkbenchAdvisor()); } + /** To be overridden */ protected Integer processReturnCode(Integer returnCode) { return returnCode; } + /** To be overridden */ protected WorkbenchAdvisor createWorkbenchAdvisor() { return new SecureWorkbenchAdvisor() { public WorkbenchWindowAdvisor createWorkbenchWindowAdvisor( @@ -92,14 +204,4 @@ public class SecureEntryPoint implements IEntryPoint, SessionStoreListener { }; } - - @Override - public void beforeDestroy(SessionStoreEvent event) { - if (log.isDebugEnabled()) - log.debug("RWT session " + event.getSessionStore().getId() - + " about to be destroyed. THREAD=" - + Thread.currentThread().getId()); - - } - }