import org.argeo.cms.internal.auth.CmsSessionImpl;
import org.argeo.cms.internal.auth.ImpliedByPrincipal;
import org.argeo.cms.internal.http.WebCmsSessionImpl;
-import org.argeo.cms.internal.kernel.Activator;
import org.argeo.osgi.useradmin.AuthenticatingUser;
import org.osgi.framework.BundleContext;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.http.HttpContext;
import org.osgi.service.useradmin.Authorization;
-/** Centrlaises security related registrations. */
+/** Centralises security related registrations. */
class CmsAuthUtils {
// Standard
final static String SHARED_STATE_NAME = AuthenticatingUser.SHARED_STATE_NAME;
// required for display name:
subject.getPrivateCredentials().add(authorization);
- if (Activator.isSingleUser()) {
- subject.getPrincipals().add(new DataAdminPrincipal());
- }
+ boolean singleUser = authorization instanceof SingleUserAuthorization;
Set<Principal> principals = subject.getPrincipals();
try {
userPrincipal = new X500Principal(name.toString());
principals.add(userPrincipal);
- if (Activator.isSingleUser()) {
+ if (singleUser) {
principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_ADMIN_NAME, userPrincipal));
+ principals.add(new DataAdminPrincipal());
}
}
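Review bot: The implied ROLE_ADMIN and the DataAdminPrincipal are now granted whenever the passed-in `authorization` is a `SingleUserAuthorization`, so the decision moved from the node-wide `Activator.isSingleUser()` flag to the runtime type of an object with a public constructor that accepts any name (see the `SingleUserAuthorization(String name)` hunk below). If `addAuthorization` can be reached from any login module other than `SingleUserLoginModule`, that type check alone is a weak gate; narrowing the constructor to package-private (or to a static factory only the single-user module can call) keeps the admin grant tied to the intended code path. A null `authorization` would also throw at `subject.getPrivateCredentials().add(authorization)` before reaching the new check, so an explicit `Objects.requireNonNull(authorization, "authorization")` at the top reads clearer. The enclosing method starts and ends outside the hunk.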
"Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
}
} else {
- // TODO desktop, CLI
+ CmsSessionImpl cmsSession = new CmsSessionImpl(subject, authorization, locale, "desktop");
+ CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
+ subject.getPrivateCredentials().add(nodeSessionId);
}
}
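Review bot: The new non-HTTP branch creates a `CmsSessionImpl` and adds a fresh `CmsSessionId` to the private credentials without the already-logged-in check the HTTP branch enforces just above (the `"Subject already logged with session …"` failure), so a subject that already carries a `CmsSessionId` gets a second session registered if commit runs again. A guard such as `if (!subject.getPrivateCredentials(CmsSessionId.class).isEmpty())` followed by the same failure, or reuse of the existing id, would keep both paths consistent; whether the constructed `CmsSessionImpl` registers itself somewhere and would leak otherwise is not visible in the hunk. The bare `"desktop"` literal would also be easier to find later as a named constant. The enclosing method starts and ends outside the hunk.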
* @see SingleUserLoginModule
*/
public class SingleUserAuthorization implements Authorization {
+ private String name;
+
+ public SingleUserAuthorization(String name) {
+ this.name = name;
+ }
@Override
public String getName() {
- return System.getProperty("user.name");
+ return name;
}
@Override
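Review bot: The new `name` field is assigned only in the constructor and is the identity reported by `getName()`, so it should be `private final String name;` with `this.name = Objects.requireNonNull(name, "name");` in the constructor; as written a null name is accepted and only surfaces as a NullPointerException wherever the authorization name is later compared or logged. The constructor Javadoc should also state that `name` is expected to be the distinguished name produced by the login module, since that is what `SingleUserLoginModule.commit()` now passes. The rest of the class continues past the hunk.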
import java.net.InetAddress;
import java.net.UnknownHostException;
-import java.security.Principal;
import java.util.Locale;
import java.util.Map;
-import java.util.Set;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.argeo.api.NodeConstants;
-import org.argeo.api.security.DataAdminPrincipal;
-import org.argeo.cms.internal.auth.ImpliedByPrincipal;
import org.argeo.naming.LdapAttrs;
import org.argeo.osgi.useradmin.IpaUtils;
+import org.argeo.osgi.useradmin.OsUserUtils;
import org.osgi.service.useradmin.Authorization;
/** Login module for when the system is owned by a single user. */
@Override
public boolean commit() throws LoginException {
- X500Principal principal;
+ String authorizationName;
KerberosPrincipal kerberosPrincipal = CmsAuthUtils.getSinglePrincipal(subject, KerberosPrincipal.class);
if (kerberosPrincipal != null) {
LdapName userDn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
- principal = new X500Principal(userDn.toString());
+ X500Principal principal = new X500Principal(userDn.toString());
+ authorizationName = principal.getName();
} else {
Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
if (username == null)
hostname = "localhost";
}
String baseDn = ("." + hostname).replaceAll("\\.", ",dc=");
- principal = new X500Principal(LdapAttrs.uid + "=" + username + baseDn);
+ X500Principal principal = new X500Principal(LdapAttrs.uid + "=" + username + baseDn);
+ authorizationName = principal.getName();
}
- Set<Principal> principals = subject.getPrincipals();
- principals.add(principal);
- principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal));
- principals.add(new DataAdminPrincipal());
HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
Locale locale = Locale.getDefault();
locale = request.getLocale();
if (locale == null)
locale = Locale.getDefault();
- Authorization authorization = new SingleUserAuthorization();
+ Authorization authorization = new SingleUserAuthorization(authorizationName);
CmsAuthUtils.addAuthorization(subject, authorization);
+
+ // Add standard Java OS login
+ OsUserUtils.loginAsSystemUser(subject);
+
+ // additional principals (must be after Authorization registration)
+// Set<Principal> principals = subject.getPrincipals();
+// principals.add(principal);
+// principals.add(new ImpliedByPrincipal(NodeConstants.ROLE_ADMIN, principal));
+// principals.add(new DataAdminPrincipal());
+
CmsAuthUtils.registerSessionAuthorization(request, subject, authorization, locale);
return true;
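Review bot: The four commented-out `principals.add(...)` lines and the "additional principals" heading above them should be deleted rather than kept: the ROLE_ADMIN/DataAdminPrincipal registration now happens inside `CmsAuthUtils.addAuthorization`, which this method already calls, and the removed `Set`/`Principal`/`ImpliedByPrincipal`/`DataAdminPrincipal` imports confirm nothing here references them any more; a one-line `// ROLE_ADMIN and DataAdminPrincipal are added by CmsAuthUtils.addAuthorization for a SingleUserAuthorization` keeps the pointer without dead code. Separately, the unchanged `locale = request.getLocale();` still dereferences `request` unconditionally, so the non-HTTP session path this commit adds to `registerSessionAuthorization` appears unreachable from this module unless `request` is guaranteed non-null here; if a desktop/CLI login is the intent, guard that line with `if (request != null)`. `commit()` continues past the end of the hunk.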
import org.argeo.naming.LdapAttrs;
import org.argeo.osgi.useradmin.AuthenticatingUser;
import org.argeo.osgi.useradmin.IpaUtils;
-import org.argeo.osgi.useradmin.OsUserUtils;
import org.argeo.osgi.useradmin.TokenUtils;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
private Authorization bindAuthorization = null;
- private boolean singleUser = Activator.isSingleUser();
+// private boolean singleUser = Activator.isSingleUser();
@SuppressWarnings("unchecked")
@Override
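Review bot: The `singleUser` field is kept as a comment instead of being removed, and the same pattern repeats in the later hunks of this file (the commented-out `else if (singleUser)` branches in the credential and verification chains and the commented-out `loginAsSystemUser` block in commit); the removed `OsUserUtils` import above already shows this code is dead, and version control holds the history. Deleting all four commented-out spans and, if a pointer is wanted, replacing the field line with `// single-user mode is handled by SingleUserLoginModule` keeps the intent without dead code. The enclosing class starts and ends outside the hunk.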
username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
password = null;
preauth = true;
- } else if (singleUser) {
- username = OsUserUtils.getOsUsername();
- password = null;
- // TODO retrieve from http session
- locale = Locale.getDefault();
+// } else if (singleUser) {
+// username = OsUserUtils.getOsUsername();
+// password = null;
+// // TODO retrieve from http session
+// locale = Locale.getDefault();
} else {
// ask for username and password
// TODO check CRLs/OSCP validity?
// NB: authorization in commit() will work only if an LDAP connection password
// is provided
- } else if (singleUser) {
- // TODO verify IP address?
+// } else if (singleUser) {
+// // TODO verify IP address?
} else if (preauth) {
// ident
} else {
if (locale != null)
subject.getPublicCredentials().add(locale);
- if (singleUser) {
- OsUserUtils.loginAsSystemUser(subject);
- }
+// if (singleUser) {
+// OsUserUtils.loginAsSystemUser(subject);
+// }
UserAdmin userAdmin = Activator.getUserAdmin();
Authorization authorization;
if (callbackHandler == null) {// anonymous
return getNodeUserAdmin().getAcceptorCredentials();
}
+ @Deprecated
public static boolean isSingleUser() {
return getNodeUserAdmin().isSingleUser();
}
}
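Review bot: `isSingleUser()` gains `@Deprecated` with no Javadoc `@deprecated` tag, so callers get a warning and no guidance on what to use instead; since the rest of this commit derives single-user mode from the authorization type, a `/** @deprecated Single-user mode is now expressed by the Authorization being a {@code SingleUserAuthorization}; see CmsAuthUtils.addAuthorization. */` above the annotation closes that gap. The method still delegates to `getNodeUserAdmin().isSingleUser()`, so the underlying flag itself is not removed by this change.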
/** Add a user or group to a group. */
- protected void addToGroup(String roledDn, String groupDn) {
- if (roledDn.contentEquals(groupDn)) {
+ protected void addToGroup(String groupToAddDn, String groupDn) {
+ if (groupToAddDn.contentEquals(groupDn)) {
if (log.isTraceEnabled())
log.trace("Ignore adding group " + groupDn + " to itself");
return;
}
if (getUserAdmin() == null) {
- log.warn("No user admin service available, cannot add group " + roledDn + " to " + groupDn);
+ log.warn("No user admin service available, cannot add group " + groupToAddDn + " to " + groupDn);
return;
}
- Group managerGroup = (Group) getUserAdmin().getRole(roledDn);
+ Group groupToAdd = (Group) getUserAdmin().getRole(groupToAddDn);
+ if (groupToAdd == null)
+ throw new IllegalArgumentException("Group " + groupToAddDn + " not found");
Group group = (Group) getUserAdmin().getRole(groupDn);
if (group == null)
throw new IllegalArgumentException("Group " + groupDn + " not found");
try {
getUserTransaction().begin();
- if (group.addMember(managerGroup))
- log.info("Added " + roledDn + " to " + group);
+ if (group.addMember(groupToAdd))
+ log.info("Added " + groupToAddDn + " to " + group);
getUserTransaction().commit();
} catch (Exception e) {
try {
} catch (Exception e1) {
// silent
}
- throw new IllegalStateException("Cannot add " + managerGroup + " to " + group);
+ throw new IllegalStateException("Cannot add " + groupToAddDn + " to " + groupDn);
}
}
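Review bot: The rewritten `throw new IllegalStateException("Cannot add " + groupToAddDn + " to " + groupDn);` still drops the caught exception, so the reason the group update failed (an LDAP error, a transaction problem) is lost; pass it as the cause: `throw new IllegalStateException("Cannot add " + groupToAddDn + " to " + groupDn, e);`. The inner `catch (Exception e1) { // silent }` around the rollback also swallows everything; logging it at debug level would help diagnose stuck transactions. The body of that inner try is cut from the hunk, so I can't see what it attempts.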