From: Mathieu Baudier
Date: Mon, 27 Feb 2017 08:01:14 +0000 (+0100)
Subject: Fix anonymous login
X-Git-Tag: argeo-commons-2.1.62~3
X-Git-Url: https://git.argeo.org/?a=commitdiff_plain;h=e5e5e2187618e7ab67414ca8268467dc231eafe8;p=lgpl%2Fargeo-commons.git
Fix anonymous login
Remove old login modules
---
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java
deleted file mode 100644
index 0cbdc7d5b..000000000
--- a/org.argeo.cms/src/org/argeo/cms/auth/IpaLoginModule.java
+++ /dev/null
@@ -1,93 +0,0 @@
-package org.argeo.cms.auth;
-
-import java.security.PrivilegedAction;
-import java.util.Map;
-import java.util.Set;
-
-import javax.naming.ldap.LdapName;
-import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.LoginException;
-import javax.security.auth.spi.LoginModule;
-import javax.servlet.http.HttpServletRequest;
-
-import org.argeo.cms.CmsException;
-import org.argeo.osgi.useradmin.IpaUtils;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.FrameworkUtil;
-import org.osgi.service.useradmin.Authorization;
-import org.osgi.service.useradmin.UserAdmin;
-
-public class IpaLoginModule implements LoginModule {
- private BundleContext bc;
- private Subject subject;
- private Map sharedState = null;
- private CallbackHandler callbackHandler;
-
- @SuppressWarnings("unchecked")
- @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState,
- Map options) {
- this.subject = subject;
- this.sharedState = (Map) sharedState;
- this.callbackHandler = callbackHandler;
- try {
- bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
- assert bc != null;
- } catch (Exception e) {
- throw new CmsException("Cannot initialize login module", e);
- }
- }
-
- @Override
- public boolean login() throws LoginException {
- return true;
- }
-
- @Override
- public boolean commit() throws LoginException {
- UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
- Authorization authorization = null;
- Set kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
- if (kerberosPrincipals.isEmpty()) {
- if(callbackHandler!=null)
- throw new LoginException("Cannot be anonymous if callback handler is set");
- authorization = userAdmin.getAuthorization(null);
- } else {
- KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
- LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
- AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
- authorization = Subject.doAs(subject, new PrivilegedAction() {
-
- @Override
- public Authorization run() {
- Authorization authorization = userAdmin.getAuthorization(authenticatingUser);
- return authorization;
- }
-
- });
- }
- if (authorization == null)
- return false;
- CmsAuthUtils.addAuthentication(subject, authorization);
- HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
- if (request != null) {
- CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
- }
- return true;
- }
-
-
- @Override
- public boolean abort() throws LoginException {
- // TODO Auto-generated method stub
- return false;
- }
-
- @Override
- public boolean logout() throws LoginException {
- return CmsAuthUtils.logoutSession(bc, subject);
- }
-
-}
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java
deleted file mode 100644
index 03dacef93..000000000
--- a/org.argeo.cms/src/org/argeo/cms/auth/NodeUserLoginModule.java
+++ /dev/null
@@ -1,139 +0,0 @@
-package org.argeo.cms.auth;
-
-import java.util.Map;
-
-import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.LoginException;
-import javax.security.auth.spi.LoginModule;
-
-import org.osgi.service.useradmin.Authorization;
-
-public class NodeUserLoginModule implements LoginModule {
- private Subject subject;
- private Map sharedState = null;
-
-// private final static LdapName ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
-// private final static List RESERVED_ROLES;
-// private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
-// static {
-// try {
-// // ROLE_KERNEL_NAME = new LdapName(AuthConstants.ROLE_KERNEL);
-// ROLE_ADMIN_NAME = new LdapName(NodeConstants.ROLE_ADMIN);
-// ROLE_USER_NAME = new LdapName(NodeConstants.ROLE_USER);
-// ROLE_ANONYMOUS_NAME = new LdapName(NodeConstants.ROLE_ANONYMOUS);
-// RESERVED_ROLES = Collections.unmodifiableList(Arrays.asList(new LdapName[] { ROLE_ADMIN_NAME,
-// ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, new LdapName(AuthConstants.ROLE_GROUP_ADMIN),
-// new LdapName(NodeConstants.ROLE_USER_ADMIN) }));
-// ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(ROLE_ANONYMOUS_NAME.toString());
-// } catch (InvalidNameException e) {
-// throw new Error("Cannot initialize login module class", e);
-// }
-// }
-
- // private Authorization authorization;
-
- @SuppressWarnings("unchecked")
- @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState,
- Map options) {
- this.subject = subject;
- this.sharedState = (Map) sharedState;
- }
-
- @Override
- public boolean login() throws LoginException {
- // if (authorization == null)
- // throw new FailedLoginException("No authorization available");
- // Iterator auth = subject.getPrivateCredentials(
- // Authorization.class).iterator();
- // if (!auth.hasNext())
- // throw new FailedLoginException("No authorization available");
- // authorization = auth.next();
- return true;
- }
-
- @Override
- public boolean commit() throws LoginException {
- Authorization authorization = (Authorization) sharedState.get(CmsAuthUtils.SHARED_STATE_AUTHORIZATION);
- if (authorization == null)
- throw new LoginException("Authorization should not be null");
- CmsAuthUtils.addAuthentication(subject, authorization);
- return true;
- // // required for display name:
- // subject.getPrivateCredentials().add(authorization);
- //
- // Set principals = subject.getPrincipals();
- // try {
- // String authName = authorization.getName();
- //
- // // determine user's principal
- // final LdapName name;
- // final Principal userPrincipal;
- // if (authName == null) {
- // name = ROLE_ANONYMOUS_NAME;
- // userPrincipal = ROLE_ANONYMOUS_PRINCIPAL;
- // principals.add(userPrincipal);
- // principals.add(new AnonymousPrincipal());
- // } else {
- // name = new LdapName(authName);
- // checkUserName(name);
- // userPrincipal = new X500Principal(name.toString());
- // principals.add(userPrincipal);
- // principals.add(new ImpliedByPrincipal(ROLE_USER_NAME,
- // userPrincipal));
- // }
- //
- // // Add roles provided by authorization
- // for (String role : authorization.getRoles()) {
- // LdapName roleName = new LdapName(role);
- // if (roleName.equals(name)) {
- // // skip
- // } else {
- // checkImpliedPrincipalName(roleName);
- // principals.add(new ImpliedByPrincipal(roleName.toString(),
- // userPrincipal));
- // if (roleName.equals(ROLE_ADMIN_NAME))
- // principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
- // }
- // }
- //
- // return true;
- // } catch (InvalidNameException e) {
- // throw new CmsException("Cannot commit", e);
- // }
- }
-
- @Override
- public boolean abort() throws LoginException {
- cleanUp();
- return true;
- }
-
- @Override
- public boolean logout() throws LoginException {
- if (subject == null)
- throw new LoginException("Subject should not be null");
- // Clean up principals
- CmsAuthUtils.cleanUp(subject);
- // Clean up private credentials
- subject.getPrivateCredentials().clear();
- cleanUp();
- return true;
- }
-
- private void cleanUp() {
- subject = null;
- // authorization = null;
- }
-
-// private void checkUserName(LdapName name) {
-// if (RESERVED_ROLES.contains(name))
-// throw new CmsException(name + " is a reserved name");
-// }
-//
-// private void checkImpliedPrincipalName(LdapName roleName) {
-// if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
-// throw new CmsException(roleName + " cannot be listed as role");
-// }
-}