projects / lgpl / argeo-commons.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Rename remote auth interfaces
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / UserAdminLoginModule.java
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index 6a3ac97dfa76dfac6bd955edee1ef256790cdef2..188e860581a7335dbda19bae5888bb2bea13b6c0 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -23,18 +23,15 @@ import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.CredentialNotFoundException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
-import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.argeo.cms.CmsException;
+import org.argeo.api.NodeConstants;
+import org.argeo.api.security.CryptoKeyring;
 import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
-import org.argeo.node.NodeConstants;
-import org.argeo.node.security.CryptoKeyring;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
-import org.argeo.osgi.useradmin.OsUserUtils;
 import org.argeo.osgi.useradmin.TokenUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
@@ -44,6 +41,10 @@ import org.osgi.service.useradmin.Group;
 import org.osgi.service.useradmin.User;
 import org.osgi.service.useradmin.UserAdmin;
 
+/**
+ * Use the {@link UserAdmin} in the OSGi registry as the basis for
+ * authentication.
+ */
 public class UserAdminLoginModule implements LoginModule {
        private final static Log log = LogFactory.getLog(UserAdminLoginModule.class);
 
@@ -61,7 +62,7 @@ public class UserAdminLoginModule implements LoginModule {
 
        private Authorization bindAuthorization = null;
 
-       private boolean singleUser = Activator.isSingleUser();
+//     private boolean singleUser = Activator.isSingleUser();
 
        @SuppressWarnings("unchecked")
        @Override
@@ -73,7 +74,7 @@ public class UserAdminLoginModule implements LoginModule {
                        this.callbackHandler = callbackHandler;
                        this.sharedState = (Map<String, Object>) sharedState;
                } catch (Exception e) {
-                       throw new CmsException("Cannot initialize login module", e);
+                       throw new IllegalStateException("Cannot initialize login module", e);
                }
        }
 
@@ -110,9 +111,11 @@ public class UserAdminLoginModule implements LoginModule {
                        username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
                        password = null;
                        preauth = true;
-               } else if (singleUser) {
-                       username = OsUserUtils.getOsUsername();
-                       password = null;
+//             } else if (singleUser) {
+//                     username = OsUserUtils.getOsUsername();
+//                     password = null;
+//                     // TODO retrieve from http session
+//                     locale = Locale.getDefault();
                } else {
 
                        // ask for username and password
@@ -189,8 +192,8 @@ public class UserAdminLoginModule implements LoginModule {
                        // TODO check CRLs/OSCP validity?
                        // NB: authorization in commit() will work only if an LDAP connection password
                        // is provided
-               } else if (singleUser) {
-                       // TODO verify IP address?
+//             } else if (singleUser) {
+//                     // TODO verify IP address?
                } else if (preauth) {
                        // ident
                } else {
@@ -203,14 +206,12 @@ public class UserAdminLoginModule implements LoginModule {
 
        @Override
        public boolean commit() throws LoginException {
-               if (locale == null)
-                       subject.getPublicCredentials().add(Locale.getDefault());
-               else
+               if (locale != null)
                        subject.getPublicCredentials().add(locale);
 
-               if (singleUser) {
-                       OsUserUtils.loginAsSystemUser(subject);
-               }
+//             if (singleUser) {
+//                     OsUserUtils.loginAsSystemUser(subject);
+//             }
                UserAdmin userAdmin = Activator.getUserAdmin();
                Authorization authorization;
                if (callbackHandler == null) {// anonymous
@@ -224,7 +225,7 @@ public class UserAdminLoginModule implements LoginModule {
                                if (authenticatedUser == null) {
                                        if (log.isTraceEnabled())
                                                log.trace("Neither kerberos nor user admin login succeeded. Login failed.");
-                                       return false;
+                                       throw new CredentialNotFoundException("Bad credentials.");
                                } else {
                                        authenticatingUser = authenticatedUser;
                                }
@@ -251,7 +252,7 @@ public class UserAdminLoginModule implements LoginModule {
                }
 
                // Log and monitor new login
-               HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
+               RemoteAuthRequest request = (RemoteAuthRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
                CmsAuthUtils.addAuthorization(subject, authorization);
 
                // Unlock keyring (underlying login to the JCR repository)
@@ -295,8 +296,6 @@ public class UserAdminLoginModule implements LoginModule {
        public boolean logout() throws LoginException {
                if (log.isTraceEnabled())
                        log.trace("Logging out from CMS... " + subject);
-               // boolean httpSessionLogoutOk = CmsAuthUtils.logoutSession(bc,
-               // subject);
                CmsAuthUtils.cleanUp(subject);
                return true;
        }
@@ -307,6 +306,7 @@ public class UserAdminLoginModule implements LoginModule {
                        Set<User> collectedUsers = new HashSet<>();
                        // try dn
                        User user = null;
+                       user = null;
                        // try all indexes
                        for (String attr : indexedUserProperties) {
                                user = userAdmin.getUser(attr, providedUsername);
@@ -354,7 +354,9 @@ public class UserAdminLoginModule implements LoginModule {
 //                             return null;
 //                     }
 //             }
-               Authorization auth = userAdmin.getAuthorization(tokenGroup);
+               String userDn = TokenUtils.userDn(tokenGroup);
+               User user = (User) userAdmin.getRole(userDn);
+               Authorization auth = userAdmin.getAuthorization(user);
                return auth;
        }
 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi