} else {
// keep current session
cmsSession = currentLocalSession;
- // keyring
- subject.getPrivateCredentials().addAll(cmsSession.getSecretKeys());
+ // credentials
+ // TODO control it more??
+ subject.getPrivateCredentials().addAll(cmsSession.getSubject().getPrivateCredentials());
+ subject.getPublicCredentials().addAll(cmsSession.getSubject().getPublicCredentials());
}
} else {// anonymous
if (!currentLocalSessionAnonymous) {
subject.getPrivateCredentials().add(nodeSessionId);
} else {
UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid();
- // if (storedSessionId.equals(httpSessionId.getValue()))
- throw new IllegalStateException(
- "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
+ if (!storedSessionId.equals(nodeSessionId.getUuid()))
+ throw new IllegalStateException(
+ "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
}
} else {
CmsSessionImpl cmsSession = CmsContextImpl.getCmsContext().getCmsSessionByLocalId(SINGLE_USER_LOCAL_ID);
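Review bot: The new copy at L8–L9 moves every private credential of the stored session's subject into the login subject, where the removed line only carried the result of `getSecretKeys()`, and the `TODO control it more??` above it shows this widening is not yet deliberate. What those credentials are is not visible in this hunk, but a JAAS private-credential set typically holds things such as passwords or Kerberos tickets that a freshly built subject should not inherit wholesale; restricting the copy to the credential classes the old keyring path returned, e.g. `subject.getPrivateCredentials().addAll(cmsSession.getSubject().getPrivateCredentials(SecretKey.class));` with the actual key type substituted, keeps the previous exposure. On a smaller note, `iterator().next()` at L15 would surface an empty `CmsSessionId` set as a bare `NoSuchElementException` rather than the descriptive `IllegalStateException` the branch is built around. The enclosing method starts before and ends after this hunk.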
import org.argeo.api.cms.CmsLog;
import org.argeo.cms.internal.auth.CmsSessionImpl;
import org.argeo.cms.internal.runtime.CmsContextImpl;
-import org.argeo.cms.internal.runtime.KernelUtils;
import org.osgi.service.http.HttpContext;
import org.osgi.service.useradmin.Authorization;
public boolean login() throws LoginException {
if (callbackHandler == null)
return false;
- RemoteAuthCallback httpCallback = new RemoteAuthCallback();
+ RemoteAuthCallback remoteAuthCallback = new RemoteAuthCallback();
try {
- callbackHandler.handle(new Callback[] { httpCallback });
+ callbackHandler.handle(new Callback[] { remoteAuthCallback });
} catch (IOException e) {
throw new LoginException("Cannot handle http callback: " + e.getMessage());
} catch (UnsupportedCallbackException e) {
return false;
}
- request = httpCallback.getRequest();
+ request = remoteAuthCallback.getRequest();
if (request == null) {
- RemoteAuthSession httpSession = httpCallback.getHttpSession();
+ RemoteAuthSession httpSession = remoteAuthCallback.getHttpSession();
if (httpSession == null)
return false;
// TODO factorize with below
}
DirectoryUserAdmin userReferentialOfThisUser = findUserAdmin(user.getName());
Authorization rawAuthorization = userReferentialOfThisUser.getAuthorization(user);
+ User retrievedUser = (User) userReferentialOfThisUser.getRole(user.getName());
String usernameToUse;
String displayNameToUse;
if (user instanceof Group) {
}
// gather roles from other referentials
+ List<String> allRoles = new ArrayList<>(Arrays.asList(rawAuthorization.getRoles()));
+ for (LdapName otherBaseDn : businessRoles.keySet()) {
+ if (otherBaseDn.equals(userReferentialOfThisUser.getBaseDn()))
+ continue;
+ DirectoryUserAdmin otherUserAdmin = businessRoles.get(otherBaseDn);
+ Authorization auth = otherUserAdmin.getAuthorization(retrievedUser);
+ allRoles.addAll(Arrays.asList(auth.getRoles()));
+
+ }
+
+ // integrate system roles
final DirectoryUserAdmin userAdminToUse;// possibly scoped when authenticating
if (user instanceof DirectoryUser) {
userAdminToUse = userReferentialOfThisUser;
}
addAbstractSystemRoles(rawAuthorization, sysRoles);
Authorization authorization = new AggregatingAuthorization(usernameToUse, displayNameToUse, sysRoles,
- rawAuthorization.getRoles());
+ allRoles.toArray(new String[allRoles.size()]));
return authorization;
} finally {
if (userAdminToUse != null && userAdminToUse.isScoped()) {
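Review bot: `retrievedUser` at L55 is the result of a `getRole` lookup and may be null, yet it is passed unchecked to `otherUserAdmin.getAuthorization(retrievedUser)` at L66; in the `DirectoryUserAdmin` change of this same commit a null user takes the anonymous branch, so a lookup miss would silently merge each other referential's anonymous roles into `allRoles` instead of failing. A guard before the loop makes the failure explicit, e.g. `if (retrievedUser == null) throw new IllegalStateException("No user " + user.getName() + " in " + userReferentialOfThisUser.getBaseDn());`, or alternatively pass `user` itself when the lookup misses if that is the intended semantics. The loop at L62–L69 also keys on `businessRoles.keySet()` and re-reads with `get`, and can add the same role name several times across referentials; iterating `entrySet()` and collecting into a `LinkedHashSet<String>` avoids both. The enclosing method begins before L53 and its `finally` continues past L82.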
import static org.argeo.util.naming.LdapObjs.top;
import java.net.URI;
-import java.nio.channels.UnsupportedAddressTypeException;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Dictionary;
+import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosTicket;
+import org.argeo.util.CurrentSubject;
import org.argeo.util.directory.DirectoryConf;
import org.argeo.util.directory.DirectoryDigestUtils;
import org.argeo.util.directory.HierarchyUnit;
protected List<Role> getAllRoles(DirectoryUser user) {
List<Role> allRoles = new ArrayList<Role>();
if (user != null) {
- collectRoles(user, allRoles);
+ collectRoles((LdapEntry) user, allRoles);
allRoles.add(user);
} else
collectAnonymousRoles(allRoles);
return allRoles;
}
- private void collectRoles(DirectoryUser user, List<Role> allRoles) {
+ private void collectRoles(LdapEntry user, List<Role> allRoles) {
List<LdapEntry> allEntries = new ArrayList<>();
- LdapEntry entry = (LdapEntry) user;
+ LdapEntry entry = user;
collectGroups(entry, allEntries);
for (LdapEntry e : allEntries) {
if (e instanceof Role)
@Override
public Authorization getAuthorization(User user) {
- if (user == null || user instanceof DirectoryUser) {
- return new LdifAuthorization(user, getAllRoles((DirectoryUser) user));
+ if (user == null) {// anonymous
+ return new LdifAuthorization(user, getAllRoles(null));
+ }
+ LdapName userName = toLdapName(user.getName());
+ if (isExternal(userName) && user instanceof LdapEntry) {
+ List<Role> allRoles = new ArrayList<Role>();
+ collectRoles((LdapEntry) user, allRoles);
+ return new LdifAuthorization(user, allRoles);
} else {
- // bind
- DirectoryUserAdmin scopedUserAdmin = (DirectoryUserAdmin) scope(user);
- try {
- DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
- if (directoryUser == null)
- throw new IllegalStateException("No scoped user found for " + user);
- LdifAuthorization authorization = new LdifAuthorization(directoryUser,
- scopedUserAdmin.getAllRoles(directoryUser));
- return authorization;
- } finally {
- scopedUserAdmin.destroy();
+
+ Subject currentSubject = CurrentSubject.current();
+ if (currentSubject != null //
+ && !currentSubject.getPrivateCredentials(Authorization.class).isEmpty() //
+ && !currentSubject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
+ // TODO not only Kerberos but also bind scope with kept password ?
+ Authorization auth = currentSubject.getPrivateCredentials(Authorization.class).iterator().next();
+ // bind with authenticating user
+ DirectoryUserAdmin scopedUserAdmin = Subject.doAs(currentSubject,
+ (PrivilegedAction<DirectoryUserAdmin>) () -> (DirectoryUserAdmin) scope(
+ new AuthenticatingUser(auth.getName(), new Hashtable<>())));
+ return getAuthorizationFromScoped(scopedUserAdmin, user);
+ }
+
+ if (user instanceof DirectoryUser) {
+ return new LdifAuthorization(user, getAllRoles((DirectoryUser) user));
+ } else {
+ // bind with authenticating user
+ DirectoryUserAdmin scopedUserAdmin = (DirectoryUserAdmin) scope(user);
+ return getAuthorizationFromScoped(scopedUserAdmin, user);
}
}
}
+ private Authorization getAuthorizationFromScoped(DirectoryUserAdmin scopedUserAdmin, User user) {
+ try {
+ DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
+ if (directoryUser == null)
+ throw new IllegalStateException("No scoped user found for " + user);
+ LdifAuthorization authorization = new LdifAuthorization(directoryUser,
+ scopedUserAdmin.getAllRoles(directoryUser));
+ return authorization;
+ } finally {
+ scopedUserAdmin.destroy();
+ }
+ }
+
@Override
public Role createRole(String name, int type) {
checkEdit();
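Review bot: The Kerberos path at L146–L148 only checks that some `KerberosTicket` is present in the current subject, not that it is still usable, so an expired ticket left in the subject will make `scope(...)` at L152 fail instead of falling through to the direct `DirectoryUser` or bind branches below; `&& currentSubject.getPrivateCredentials(KerberosTicket.class).stream().anyMatch(KerberosTicket::isCurrent)` would express the actual precondition. Note also that only `scope(...)` runs inside `Subject.doAs` at L152–L154, while `getRole`/`getAllRoles` in `getAuthorizationFromScoped` execute outside it; if the scoped directory binds lazily or re-binds on query (not visible here), the whole `getAuthorizationFromScoped(scopedUserAdmin, user)` call should move inside the privileged action. The `TODO` at L149 about a "kept password" deserves a comment making clear that a cleartext password retained in the subject is itself a credential exposure, since this method is the place where it would be consumed. Finally, a `DirectoryUser` argument now reaches the Kerberos-scoped bind before the direct `getAllRoles` shortcut at L158, which the removed code did not do; if that reordering is intended, a one-line comment saying why would help the next reader.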