# DON'T CHANGE BELOW
org.eclipse.rap.workbenchAutostart=false
-org.eclipse.equinox.http.jetty.autostart=false
\ No newline at end of file
+org.eclipse.equinox.http.jetty.autostart=false
+javax.security.auth.useSubjectCredsOnly=false
--- /dev/null
+/krb5.keytab
// Initial login
try {
loginContext = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER,
- new HttpRequestCallbackHandler(UiContext.getHttpRequest()));
+ new HttpRequestCallbackHandler(UiContext.getHttpRequest(), UiContext.getHttpResponse()));
loginContext.login();
} catch (LoginException e) {
try {
((NameCallback) callback).setName(usernameT.getText());
else if (callback instanceof PasswordCallback && passwordT != null)
((PasswordCallback) callback).setPassword(passwordT.getTextChars());
- else if (callback instanceof HttpRequestCallback)
+ else if (callback instanceof HttpRequestCallback){
((HttpRequestCallback) callback).setRequest(UiContext.getHttpRequest());
+ ((HttpRequestCallback) callback).setResponse(UiContext.getHttpResponse());
+ }
else if (callback instanceof LanguageCallback && localeChoice != null)
((LanguageCallback) callback).setLocale(localeChoice.getSelectedLocale());
}
private final static Log log = LogFactory.getLog(CmsAuthUtils.class);
/** Shared HTTP request */
- static final String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request";
+ final static String SHARED_STATE_HTTP_REQUEST = "org.argeo.cms.auth.http.request";
/** From org.osgi.service.http.HttpContext */
- static final String SHARED_STATE_AUTHORIZATION = "org.osgi.service.useradmin.authorization";
+ final static String SHARED_STATE_AUTHORIZATION = "org.osgi.service.useradmin.authorization";
/** From com.sun.security.auth.module.*LoginModule */
- static final String SHARED_STATE_NAME = "javax.security.auth.login.name";
+ final static String SHARED_STATE_NAME = "javax.security.auth.login.name";
/** From com.sun.security.auth.module.*LoginModule */
- static final String SHARED_STATE_PWD = "javax.security.auth.login.password";
+ final static String SHARED_STATE_PWD = "javax.security.auth.login.password";
- static final String SHARED_STATE_SPNEGO_TOKEN = "org.argeo.cms.auth.spnegoToken";
- static final String SHARED_STATE_SPNEGO_OUT_TOKEN = "org.argeo.cms.auth.spnegoOutToken";
+ final static String SHARED_STATE_SPNEGO_TOKEN = "org.argeo.cms.auth.spnegoToken";
+ final static String SHARED_STATE_SPNEGO_OUT_TOKEN = "org.argeo.cms.auth.spnegoOutToken";
- static final String HEADER_AUTHORIZATION = "Authorization";
+ final static String HEADER_AUTHORIZATION = "Authorization";
+ final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
static void addAuthentication(Subject subject, Authorization authorization) {
assert subject != null;
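Review bot: The constants at L31–L47 are rewritten as `final static` instead of the original `static final`; the JLS-recommended (and Checkstyle ModifierOrder) order is `static final`, and the rest of the class (`private final static Log` at L28 aside) follows the general Java convention, so this churn is a step in the wrong direction, e.g. `static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";`. The new `HEADER_WWW_AUTHENTICATE` is also the only constant in the group without a doc comment; a one-liner in the style of its neighbours would do: `/** Response header carrying the authentication challenge (Basic realm or Negotiate token) */`. The class continues outside the hunk.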
import javax.security.auth.callback.Callback;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
public class HttpRequestCallback implements Callback {
private HttpServletRequest request;
+ private HttpServletResponse response;
public HttpServletRequest getRequest() {
return request;
public void setRequest(HttpServletRequest request) {
this.request = request;
}
+
+ public HttpServletResponse getResponse() {
+ return response;
+ }
+
+ public void setResponse(HttpServletResponse response) {
+ this.response = response;
+ }
+
}
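Review bot: The new `response` field and its accessors (L55, L62–L68) carry no Javadoc, and since the field has no initializer it is null unless a handler calls `setResponse`, which callers of `getResponse()` need to know. A short comment on the getter would cover it: `/** The response associated with the request being authenticated; null when the handler did not supply one. */`. Given that the class name still says "request" only, it may also be worth stating in the class Javadoc (outside this hunk) that the callback now transports both request and response.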
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
/**
* Callback handler populating {@link HttpRequestCallback}s with the provided
*/
public class HttpRequestCallbackHandler implements CallbackHandler {
final private HttpServletRequest request;
+ final private HttpServletResponse response;
- public HttpRequestCallbackHandler(HttpServletRequest request) {
+ public HttpRequestCallbackHandler(HttpServletRequest request, HttpServletResponse response) {
this.request = request;
+ this.response = response;
}
@Override
- public void handle(Callback[] callbacks) throws IOException,
- UnsupportedCallbackException {
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (Callback callback : callbacks)
- if (callback instanceof HttpRequestCallback)
+ if (callback instanceof HttpRequestCallback) {
((HttpRequestCallback) callback).setRequest(request);
+ ((HttpRequestCallback) callback).setResponse(response);
+ }
}
}
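Review bot: The class Javadoc at L75–L77 still describes the handler as populating callbacks "with the provided" request only, although the new constructor (L82) and `handle` (L93–L94) now also propagate the response; update it to `Callback handler populating {@link HttpRequestCallback}s with the provided request and response.` The `for` at L90 wraps a braced `if` without braces of its own, which is the kind of mixed bracing the tips flag; `for (Callback callback : callbacks) {` ... `}` keeps it consistent with the braces the commit just added at L92/L95.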
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
private Map<String, Object> sharedState = null;
private HttpServletRequest request = null;
+ private HttpServletResponse response = null;
private BundleContext bc;
return true;
}
- // private Authorization checkHttp() {
- // Authorization authorization = null;
- // if (request != null) {
- // authorization = (Authorization)
- // request.getAttribute(HttpContext.AUTHORIZATION);
- // if (authorization == null) {
- // String httpSessionId = request.getSession().getId();
- // authorization = (Authorization)
- // request.getSession().getAttribute(HttpContext.AUTHORIZATION);
- // if (authorization == null) {
- // Collection<ServiceReference<WebCmsSession>> sr;
- // try {
- // sr = bc.getServiceReferences(WebCmsSession.class,
- // "(" + WebCmsSession.CMS_SESSION_ID + "=" + httpSessionId + ")");
- // } catch (InvalidSyntaxException e) {
- // throw new CmsException("Cannot get CMS session for id " + httpSessionId,
- // e);
- // }
- // if (sr.size() == 1) {
- // WebCmsSession cmsSession = bc.getService(sr.iterator().next());
- // authorization = cmsSession.getAuthorization();
- // if (log.isTraceEnabled())
- // log.trace("Retrieved authorization from " + cmsSession);
- // } else if (sr.size() == 0)
- // return null;
- // else
- // throw new CmsException(
- // sr.size() + ">1 web sessions detected for http session " +
- // httpSessionId);
- // }
- // }
- // }
- // return authorization;
- // }
-
@Override
public boolean commit() throws LoginException {
// TODO create CmsSession in another module
return false;
CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorizationToRegister);
+ byte[] outToken = (byte[]) sharedState.get(CmsAuthUtils.SHARED_STATE_SPNEGO_OUT_TOKEN);
+ if (outToken != null) {
+ response.setHeader(CmsAuthUtils.HEADER_WWW_AUTHENTICATE,
+ "Negotiate " + java.util.Base64.getEncoder().encodeToString(outToken));
+ }
+
if (authorization != null) {
// CmsAuthUtils.addAuthentication(subject, authorization);
cleanUp();
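Review bot: `response.setHeader(...)` at L152 can throw a NullPointerException: the `response` field added at L106 (apparently the same class) defaults to null and is presumably only populated when the caller's handler answers an `HttpRequestCallback` with a response, so a non-HTTP login that still leaves `SHARED_STATE_SPNEGO_OUT_TOKEN` in the shared state would fail in `commit()`. Guard it with `if (outToken != null && response != null) {`, and consider a trace log when the token is dropped. L153 also uses the fully qualified `java.util.Base64` while `org.apache.commons.codec.binary.Base64` is imported at L102; pick one encoder for the file. A why-comment such as `// return the server-side SPNEGO token so the client can finish the Negotiate exchange — confirm` would help the next reader, since nothing in the hunk says what the out-token is for. The enclosing `commit()` starts outside the hunk.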
return NodeConstants.PATH_FILES + "/" + alias;
}
- private Subject subjectFromRequest(HttpServletRequest request) {
+ private Subject subjectFromRequest(HttpServletRequest request, HttpServletResponse response) {
Authorization authorization = (Authorization) request.getAttribute(HttpContext.AUTHORIZATION);
if (authorization == null)
throw new CmsException("Not authenticated");
try {
LoginContext lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER,
- new HttpRequestCallbackHandler(request));
+ new HttpRequestCallbackHandler(request, response));
lc.login();
return lc.getSubject();
} catch (LoginException e) {
private void askForWwwAuth(HttpServletRequest request, HttpServletResponse response) {
response.setStatus(401);
- response.setHeader(HEADER_WWW_AUTHENTICATE, "basic realm=\"" +
- httpAuthRealm + "\"");
-
+ response.setHeader(HEADER_WWW_AUTHENTICATE, "basic realm=\"" + httpAuthRealm + "\"");
+
// SPNEGO
-// response.setHeader(HEADER_WWW_AUTHENTICATE, "Negotiate");
-// response.setDateHeader("Date", System.currentTimeMillis());
-// response.setDateHeader("Expires", System.currentTimeMillis() + (24 * 60 * 60 * 1000));
-// response.setHeader("Accept-Ranges", "bytes");
-// response.setHeader("Connection", "Keep-Alive");
-// response.setHeader("Keep-Alive", "timeout=5, max=97");
-// response.setContentType("text/html; charset=UTF-8");
-
+ // response.setHeader(HEADER_WWW_AUTHENTICATE, "Negotiate");
+ // response.setDateHeader("Date", System.currentTimeMillis());
+ // response.setDateHeader("Expires", System.currentTimeMillis() + (24 *
+ // 60 * 60 * 1000));
+ // response.setHeader("Accept-Ranges", "bytes");
+ // response.setHeader("Connection", "Keep-Alive");
+ // response.setHeader("Keep-Alive", "timeout=5, max=97");
+ // response.setContentType("text/html; charset=UTF-8");
+
}
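Review bot: The SPNEGO block at L189–L196 is still commented-out code, only re-indented by this commit; either delete it or enable it deliberately, since dead code in the challenge path tends to be resurrected without review. If `Negotiate` is meant to be offered alongside Basic, note that `setHeader` at L178 replaces any existing `WWW-Authenticate` value, so the two challenges would have to be emitted with `response.addHeader(HEADER_WWW_AUTHENTICATE, "Negotiate");` — and the same replacement semantics presumably apply to the `Negotiate <token>` header the login module now writes in `commit()`, depending on call order, which is not visible here.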
private CallbackHandler extractHttpAuth(final HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
((NameCallback) cb).setName(login);
else if (cb instanceof PasswordCallback)
((PasswordCallback) cb).setPassword(password);
- else if (cb instanceof HttpRequestCallback)
+ else if (cb instanceof HttpRequestCallback) {
((HttpRequestCallback) cb).setRequest(httpRequest);
+ ((HttpRequestCallback) cb).setResponse(httpResponse);
+ }
}
}
};
while (!gContext.isEstablished()) {
byte[] outToken = gContext.acceptSecContext(authToken, 0, authToken.length);
String outTokenStr = Base64.encodeBase64String(outToken);
- httpResponse.setHeader("WWW-Authenticate","Negotiate "+ outTokenStr);
+ httpResponse.setHeader("WWW-Authenticate", "Negotiate " + outTokenStr);
}
if (gContext.isEstablished()) {
String clientName = gContext.getSrcName().toString();
log.debug("Client Principal is: " + gContext.getSrcName());
log.debug("Server Principal is: " + gContext.getTargName());
log.debug("Client Default Role: " + role);
-
+
// TODO log in
}
}
} catch (GSSException gsse) {
- log.warn(gsse,gsse);
+ log.warn(gsse, gsse);
}
}
KernelUtils.logRequestHeaders(log, request);
LoginContext lc;
try {
- lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request));
+ lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER,
+ new HttpRequestCallbackHandler(request, response));
lc.login();
// return true;
} catch (LoginException e) {
- CallbackHandler token = extractHttpAuth(request,response);
+ CallbackHandler token = extractHttpAuth(request, response);
if (token != null) {
try {
lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, token);
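Review bot: The same login-then-fallback sequence — `new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request, response))`, `login()`, then `extractHttpAuth(request, response)` on failure — now appears three times (this hunk and the ones ending at L259 and L272, possibly in different classes), and each copy had to be touched to thread the response through. A shared helper, e.g. `static LoginContext loginFromHttp(HttpServletRequest request, HttpServletResponse response)`, would keep the three call sites from drifting; the third copy already catches `CredentialNotFoundException` instead of `LoginException` (L267), which may or may not be intentional. The enclosing methods start outside the hunks.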
KernelUtils.logRequestHeaders(log, request);
LoginContext lc;
try {
- lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request));
+ lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER,
+ new HttpRequestCallbackHandler(request, response));
lc.login();
// return true;
} catch (LoginException e) {
- CallbackHandler token = extractHttpAuth(request,response);
+ CallbackHandler token = extractHttpAuth(request, response);
if (token != null) {
try {
lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, token);
KernelUtils.logRequestHeaders(log, request);
LoginContext lc;
try {
- lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, new HttpRequestCallbackHandler(request));
+ lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER,
+ new HttpRequestCallbackHandler(request, response));
lc.login();
} catch (CredentialNotFoundException e) {
- CallbackHandler token = extractHttpAuth(request,response);
+ CallbackHandler token = extractHttpAuth(request, response);
if (token != null) {
try {
lc = new LoginContext(NodeConstants.LOGIN_CONTEXT_USER, token);
protected void service(final HttpServletRequest request, final HttpServletResponse response)
throws ServletException, IOException {
try {
- Subject subject = subjectFromRequest(request);
+ Subject subject = subjectFromRequest(request, response);
Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
com.sun.security.auth.module.Krb5LoginModule optional
keyTab="${osgi.instance.area}node/krb5.keytab"
useKeyTab=true
- storeKey=true;
+ storeKey=true
+ debug=true;
org.argeo.cms.auth.DataAdminLoginModule requisite;
};
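Review bot: `debug=true` at L286 switches on Krb5LoginModule's built-in debug output unconditionally in what looks like the deployed login configuration (keytab at `${osgi.instance.area}node/krb5.keytab`); that output goes to standard output and includes the principal, keytab path and ticket details, and in some JDK versions key material. Keep it `debug=false` in the checked-in configuration, or make it switchable (for example via a system property read by whatever builds this entry) so it is only enabled while troubleshooting.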
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import org.eclipse.rap.rwt.RWT;
import org.eclipse.swt.widgets.Display;
return RWT.getRequest();
}
+ public static HttpServletResponse getHttpResponse() {
+ return RWT.getResponse();
+ }
+
public static Locale getLocale() {
if (Display.getCurrent() != null)
return RWT.getUISession().getLocale();
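Review bot: The new `getHttpResponse()` at L296–L298 has no Javadoc; a one-liner mirroring the sibling `getHttpRequest()` would do: `/** The HTTP response of the current RWT request, as returned by {@link RWT#getResponse()}. */`. Whether it requires the RWT UI thread, as the `Display.getCurrent()` check in `getLocale()` suggests for other accessors, is not visible here — worth confirming and documenting.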
public static void setData(String key, Object value) {
Display display = getDisplay();
if (display == null)
- throw new SingleSourcingException(
- "Not display available in RAP context");
+ throw new SingleSourcingException("Not display available in RAP context");
display.setData(key, value);
}