+++ /dev/null
-package org.argeo.cms.auth;
-
-import java.security.PrivilegedAction;
-import java.util.Map;
-import java.util.Set;
-
-import javax.naming.ldap.LdapName;
-import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.LoginException;
-import javax.security.auth.spi.LoginModule;
-import javax.servlet.http.HttpServletRequest;
-
-import org.argeo.cms.CmsException;
-import org.argeo.osgi.useradmin.IpaUtils;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.FrameworkUtil;
-import org.osgi.service.useradmin.Authorization;
-import org.osgi.service.useradmin.UserAdmin;
-
-public class IpaLoginModule implements LoginModule {
- private BundleContext bc;
- private Subject subject;
- private Map<String, Object> sharedState = null;
- private CallbackHandler callbackHandler;
-
- @SuppressWarnings("unchecked")
- @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
- Map<String, ?> options) {
- this.subject = subject;
- this.sharedState = (Map<String, Object>) sharedState;
- this.callbackHandler = callbackHandler;
- try {
- bc = FrameworkUtil.getBundle(IpaLoginModule.class).getBundleContext();
- assert bc != null;
- } catch (Exception e) {
- throw new CmsException("Cannot initialize login module", e);
- }
- }
-
- @Override
- public boolean login() throws LoginException {
- return true;
- }
-
- @Override
- public boolean commit() throws LoginException {
- UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
- Authorization authorization = null;
- Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
- if (kerberosPrincipals.isEmpty()) {
- if(callbackHandler!=null)
- throw new LoginException("Cannot be anonymous if callback handler is set");
- authorization = userAdmin.getAuthorization(null);
- } else {
- KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
- LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
- AuthenticatingUser authenticatingUser = new AuthenticatingUser(dn);
- authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
-
- @Override
- public Authorization run() {
- Authorization authorization = userAdmin.getAuthorization(authenticatingUser);
- return authorization;
- }
-
- });
- }
- if (authorization == null)
- return false;
- CmsAuthUtils.addAuthentication(subject, authorization);
- HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
- if (request != null) {
- CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
- }
- return true;
- }
-
-
- @Override
- public boolean abort() throws LoginException {
- // TODO Auto-generated method stub
- return false;
- }
-
- @Override
- public boolean logout() throws LoginException {
- return CmsAuthUtils.logoutSession(bc, subject);
- }
-
-}
+++ /dev/null
-package org.argeo.cms.auth;
-
-import java.util.Map;
-
-import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.LoginException;
-import javax.security.auth.spi.LoginModule;
-
-import org.osgi.service.useradmin.Authorization;
-
-public class NodeUserLoginModule implements LoginModule {
- private Subject subject;
- private Map<String, Object> sharedState = null;
-
-// private final static LdapName ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME;
-// private final static List<LdapName> RESERVED_ROLES;
-// private final static X500Principal ROLE_ANONYMOUS_PRINCIPAL;
-// static {
-// try {
-// // ROLE_KERNEL_NAME = new LdapName(AuthConstants.ROLE_KERNEL);
-// ROLE_ADMIN_NAME = new LdapName(NodeConstants.ROLE_ADMIN);
-// ROLE_USER_NAME = new LdapName(NodeConstants.ROLE_USER);
-// ROLE_ANONYMOUS_NAME = new LdapName(NodeConstants.ROLE_ANONYMOUS);
-// RESERVED_ROLES = Collections.unmodifiableList(Arrays.asList(new LdapName[] { ROLE_ADMIN_NAME,
-// ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, new LdapName(AuthConstants.ROLE_GROUP_ADMIN),
-// new LdapName(NodeConstants.ROLE_USER_ADMIN) }));
-// ROLE_ANONYMOUS_PRINCIPAL = new X500Principal(ROLE_ANONYMOUS_NAME.toString());
-// } catch (InvalidNameException e) {
-// throw new Error("Cannot initialize login module class", e);
-// }
-// }
-
- // private Authorization authorization;
-
- @SuppressWarnings("unchecked")
- @Override
- public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
- Map<String, ?> options) {
- this.subject = subject;
- this.sharedState = (Map<String, Object>) sharedState;
- }
-
- @Override
- public boolean login() throws LoginException {
- // if (authorization == null)
- // throw new FailedLoginException("No authorization available");
- // Iterator<Authorization> auth = subject.getPrivateCredentials(
- // Authorization.class).iterator();
- // if (!auth.hasNext())
- // throw new FailedLoginException("No authorization available");
- // authorization = auth.next();
- return true;
- }
-
- @Override
- public boolean commit() throws LoginException {
- Authorization authorization = (Authorization) sharedState.get(CmsAuthUtils.SHARED_STATE_AUTHORIZATION);
- if (authorization == null)
- throw new LoginException("Authorization should not be null");
- CmsAuthUtils.addAuthentication(subject, authorization);
- return true;
- // // required for display name:
- // subject.getPrivateCredentials().add(authorization);
- //
- // Set<Principal> principals = subject.getPrincipals();
- // try {
- // String authName = authorization.getName();
- //
- // // determine user's principal
- // final LdapName name;
- // final Principal userPrincipal;
- // if (authName == null) {
- // name = ROLE_ANONYMOUS_NAME;
- // userPrincipal = ROLE_ANONYMOUS_PRINCIPAL;
- // principals.add(userPrincipal);
- // principals.add(new AnonymousPrincipal());
- // } else {
- // name = new LdapName(authName);
- // checkUserName(name);
- // userPrincipal = new X500Principal(name.toString());
- // principals.add(userPrincipal);
- // principals.add(new ImpliedByPrincipal(ROLE_USER_NAME,
- // userPrincipal));
- // }
- //
- // // Add roles provided by authorization
- // for (String role : authorization.getRoles()) {
- // LdapName roleName = new LdapName(role);
- // if (roleName.equals(name)) {
- // // skip
- // } else {
- // checkImpliedPrincipalName(roleName);
- // principals.add(new ImpliedByPrincipal(roleName.toString(),
- // userPrincipal));
- // if (roleName.equals(ROLE_ADMIN_NAME))
- // principals.add(new AdminPrincipal(SecurityConstants.ADMIN_ID));
- // }
- // }
- //
- // return true;
- // } catch (InvalidNameException e) {
- // throw new CmsException("Cannot commit", e);
- // }
- }
-
- @Override
- public boolean abort() throws LoginException {
- cleanUp();
- return true;
- }
-
- @Override
- public boolean logout() throws LoginException {
- if (subject == null)
- throw new LoginException("Subject should not be null");
- // Clean up principals
- CmsAuthUtils.cleanUp(subject);
- // Clean up private credentials
- subject.getPrivateCredentials().clear();
- cleanUp();
- return true;
- }
-
- private void cleanUp() {
- subject = null;
- // authorization = null;
- }
-
-// private void checkUserName(LdapName name) {
-// if (RESERVED_ROLES.contains(name))
-// throw new CmsException(name + " is a reserved name");
-// }
-//
-// private void checkImpliedPrincipalName(LdapName roleName) {
-// if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
-// throw new CmsException(roleName + " cannot be listed as role");
-// }
-}