From: Mathieu Baudier
Date: Mon, 27 Feb 2017 08:01:32 +0000 (+0100)
Subject: Fix anonymous login
X-Git-Tag: argeo-commons-2.1.62~2
X-Git-Url: https://git.argeo.org/?a=commitdiff_plain;h=e6ec864540db3fe0d39d99be294c7e402c2a4ce9;p=lgpl%2Fargeo-commons.git

Fix anonymous login
---
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
index fb7a6123a..461080295 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
@@ -48,7 +48,7 @@ class CmsAuthUtils {
 final static String HEADER_AUTHORIZATION = "Authorization";
 final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
 
- static void addAuthentication(Subject subject, Authorization authorization) {
+ static void addAuthorization(Subject subject, Authorization authorization, HttpServletRequest request) {
 assert subject != null;
 checkSubjectEmpty(subject);
 assert authorization != null;
@@ -92,6 +92,8 @@ class CmsAuthUtils {
 } catch (InvalidNameException e) {
 throw new CmsException("Cannot commit", e);
 }
+
+ registerSessionAuthorization(request, subject, authorization);
 }
 
 private static void checkSubjectEmpty(Subject subject) {
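Review bot: The new `request` parameter of addAuthorization is undocumented, and nothing in this method says whether null is allowed; the only null handling is in the callee registerSessionAuthorization (`if (request != null)`) later in this patch, which also has a bare `// TODO desktop, CLI` for that case. Since UserAdminLoginModule now passes whatever `sharedState` holds, callers need the contract stated on the signature: `/** @param request the current HTTP request, or {@code null} when the login is not bound to a servlet request (desktop, CLI) */`. Note also that the remaining guards are `assert` statements, which are no-ops unless the JVM runs with `-ea`; if a null subject or authorization must never reach the commit, `Objects.requireNonNull` would enforce it in production too. The method body continues past this hunk.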
@@ -121,69 +123,33 @@ class CmsAuthUtils { // public static final String SHARED_STATE_PASSWORD = // "javax.security.auth.login.password"; - static void registerSessionAuthorization(BundleContext bc, HttpServletRequest request, Subject subject, + private static void registerSessionAuthorization(HttpServletRequest request, Subject subject, Authorization authorization) { - HttpSession httpSession = request.getSession(); - String httpSessId = httpSession.getId(); - if (authorization.getName() != null) { - request.setAttribute(HttpContext.REMOTE_USER, authorization.getName()); - request.setAttribute(HttpContext.AUTHORIZATION, authorization); - - CmsSession cmsSession = CmsSessionImpl.getByLocalId(httpSessId); - if (cmsSession == null) - cmsSession = new WebCmsSessionImpl(subject, authorization, httpSessId); - request.setAttribute(CmsSession.class.getName(), cmsSession); - // else - // throw new CmsException("Already a CMS session registered for - // "+httpSessId); - - // if (httpSession.getAttribute(HttpContext.AUTHORIZATION) == null) - // { - - // Collection> sr; - // try { - // sr = bc.getServiceReferences(CmsSession.class, - // "(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessId + ")"); - // } catch (InvalidSyntaxException e) { - // throw new CmsException("Cannot get CMS session for id " + - // httpSessId, e); - // } - // ServiceReference cmsSessionRef; - // if (sr.size() == 1) { - // cmsSessionRef = sr.iterator().next(); - // } else if (sr.size() == 0) { - // WebCmsSessionImpl cmsSessionImpl = new WebCmsSessionImpl(subject, - // authorization, httpSessId); - // cmsSessionRef = - // cmsSessionImpl.getServiceRegistration().getReference(); - // if (log.isDebugEnabled()) - // log.debug("Initialized " + cmsSessionImpl + " for " + - // authorization.getName()); - // } else - // throw new CmsException(sr.size() + " CMS sessions registered for - // " + httpSessId); - // - // cmsSession = (CmsSession) bc.getService(cmsSessionRef); - // cmsSession.addHttpSession(request); - 
// if (log.isTraceEnabled()) - // log.trace("Added " + request.getServletPath() + " to " + - // cmsSession + " (" + request.getRequestURI() - // + ")"); - // httpSession.setAttribute(HttpContext.REMOTE_USER, - // authorization.getName()); - // httpSession.setAttribute(HttpContext.AUTHORIZATION, - // authorization); - CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid()); - if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0) - subject.getPrivateCredentials().add(nodeSessionId); - else { - UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid(); - // if (storedSessionId.equals(httpSessionId.getValue())) - throw new CmsException( - "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")"); + if (request != null) { + HttpSession httpSession = request.getSession(); + String httpSessId = httpSession.getId(); + if (authorization.getName() != null) { + request.setAttribute(HttpContext.REMOTE_USER, authorization.getName()); + request.setAttribute(HttpContext.AUTHORIZATION, authorization); + + CmsSession cmsSession = CmsSessionImpl.getByLocalId(httpSessId); + if (cmsSession == null) + cmsSession = new WebCmsSessionImpl(subject, authorization, httpSessId); + request.setAttribute(CmsSession.class.getName(), cmsSession); + CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid()); + if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0) + subject.getPrivateCredentials().add(nodeSessionId); + else { + UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next() + .getUuid(); + // if (storedSessionId.equals(httpSessionId.getValue())) + throw new CmsException( + "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")"); + } } + } else { + // TODO desktop, CLI } - // } } static boolean logoutSession(BundleContext bc, Subject subject) { 
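Review bot: In the rewritten registerSessionAuthorization the authenticated CmsSession is keyed by `httpSession.getId()` taken from the pre-authentication session, and the session id is never rotated after the login succeeds, which is the classic session-fixation shape; if the container API level allows it, rotate before binding, e.g. `request.changeSessionId();` (Servlet 3.1) or invalidate and re-create the session, ahead of `String httpSessId = httpSession.getId();`. Separately, `CmsSessionImpl.getByLocalId(httpSessId)` returns any existing CmsSession for that id and it is attached to the request as-is; the only consistency check is on the fresh `subject`'s private credentials, so an existing CmsSession created for a different authorization in the same HTTP session would be handed to this login unchanged — presumably an accessor on WebCmsSessionImpl exposes its authorization and the reuse should be conditioned on it matching `authorization.getName()`. Finally, `request.getSession()` is called before the `authorization.getName() != null` check, so every anonymous login still forces creation of an HTTP session; moving the `getSession()` call inside that branch, or using `request.getSession(false)` for the lookup, avoids allocating sessions for anonymous traffic. The `// TODO desktop, CLI` branch silently registers nothing; a comment saying that non-HTTP logins get no CmsSession yet would save the next reader a search.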
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
index 19f6ee0c6..9e05ac95a 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
@@ -102,8 +102,8 @@ public class HttpSessionLoginModule implements LoginModule {
 @Override
 public boolean commit() throws LoginException {
 if(authorization!=null){
- CmsAuthUtils.addAuthentication(subject, authorization);
- CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
+ CmsAuthUtils.addAuthorization(subject, authorization,request);
+// CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
 }
 
 // TODO create CmsSession in another module
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index b368b1de5..0f7f0bdee 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
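Review bot: The added `+// CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);` in HttpSessionLoginModule.commit() is commented-out dead code; the registration now happens inside addAuthorization (first hunk of this patch), and the old overload it references no longer exists, so the line should be deleted rather than committed as a comment. While touching the line, `CmsAuthUtils.addAuthorization(subject, authorization,request);` is missing the space after the comma that the rest of the file uses. The method body continues past this hunk (`// TODO create CmsSession in another module`).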
@@ -157,43 +157,48 @@ public class UserAdminLoginModule implements LoginModule { // return true; // } UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class)); - Authorization authorization = null; - User authenticatingUser; - Set kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class); - if (kerberosPrincipals.isEmpty()) { - if (callbackHandler == null) { - authorization = userAdmin.getAuthorization(null); - } - if (authenticatedUser == null) { - return false; + Authorization authorization; + if (callbackHandler == null) {// anonymous + authorization = userAdmin.getAuthorization(null); + } else { + User authenticatingUser; + Set kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class); + if (kerberosPrincipals.isEmpty()) { + if (authenticatedUser == null) { + if(log.isTraceEnabled()) + log.trace("Neither kerberos nor user admin login succeeded. Login failed."); + return false; + } else { + authenticatingUser = authenticatedUser; + } } else { - authenticatingUser = authenticatedUser; + KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next(); + LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName()); + authenticatingUser = new AuthenticatingUser(dn); + if (authenticatedUser != null && !authenticatingUser.getName().equals(authenticatedUser.getName())) + throw new LoginException("Kerberos login " + authenticatingUser.getName() + + " is inconsistent with user admin login " + authenticatedUser.getName()); } - } else { - KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next(); - LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName()); - authenticatingUser = new AuthenticatingUser(dn); - } - if (authorization == null) - authorization = Subject.doAs(subject, new PrivilegedAction() { + authorization = Subject.doAs(subject, new PrivilegedAction() { - @Override - public Authorization run() { - Authorization authorization = userAdmin.getAuthorization(authenticatingUser); - return 
authorization; - } + @Override + public Authorization run() { + Authorization authorization = userAdmin.getAuthorization(authenticatingUser); + return authorization; + } - }); - if (authorization == null) - return false; + }); + if (authorization == null) + throw new LoginException("User admin found no authorization for authenticated user "+authenticatingUser.getName()); + } // Log and monitor new login - CmsAuthUtils.addAuthentication(subject, authorization); + CmsAuthUtils.addAuthorization(subject, authorization, (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST)); +// HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); +// if (request != null) { +// CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization); +// } if (log.isDebugEnabled()) log.debug("Logged in to CMS: " + subject); - HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST); - if (request != null) { - CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization); - } return true; }
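Review bot: In the new commit() of UserAdminLoginModule, `if (callbackHandler == null) {// anonymous` is evaluated before the `KerberosPrincipal` lookup, so a subject that already carries a KerberosPrincipal but was invoked without a callback handler is now granted `userAdmin.getAuthorization(null)` (anonymous) instead of being mapped through `IpaUtils.kerberosToDn` as the removed code did; whether that combination occurs in practice is not visible here, but if it can, the anonymous test should be `if (callbackHandler == null && subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {// anonymous`. Using the absence of a callback handler as the anonymous signal deserves a comment in any case, since a misconfigured login context would then silently log in as anonymous rather than fail. The four commented-out lines after `CmsAuthUtils.addAuthorization(...)` (`// HttpServletRequest request = ...` through `// }`) are dead code and should be dropped. commit() begins before this hunk.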