Fix anonymous login
authorMathieu Baudier <mbaudier@argeo.org>
Mon, 27 Feb 2017 08:01:32 +0000 (09:01 +0100)
committerMathieu Baudier <mbaudier@argeo.org>
Mon, 27 Feb 2017 08:01:32 +0000 (09:01 +0100)
org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java

index fb7a6123acba9bc94677c8caab12f37ae78ab9a1..461080295ccc4d298228069ae3bbcf1f8e5df32d 100644 (file)
@@ -48,7 +48,7 @@ class CmsAuthUtils {
        final static String HEADER_AUTHORIZATION = "Authorization";
        final static String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
 
-       static void addAuthentication(Subject subject, Authorization authorization) {
+       static void addAuthorization(Subject subject, Authorization authorization, HttpServletRequest request) {
                assert subject != null;
                checkSubjectEmpty(subject);
                assert authorization != null;
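Review bot: The new `request` parameter of `addAuthorization` is nullable (the `registerSessionAuthorization` it now delegates to checks `request != null` for the non-HTTP case), but nothing at the signature says so, and `assert subject != null` / `assert authorization != null` on the next lines suggest non-null is the rule. Add a Javadoc line `@param request the HTTP request being authenticated, or {@code null} for non-HTTP (desktop, CLI) logins` so callers know which argument may be omitted. The body of `addAuthorization` continues outside the hunk.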
@@ -92,6 +92,8 @@ class CmsAuthUtils {
                } catch (InvalidNameException e) {
                        throw new CmsException("Cannot commit", e);
                }
+
+               registerSessionAuthorization(request, subject, authorization);
        }
 
        private static void checkSubjectEmpty(Subject subject) {
@@ -121,69 +123,33 @@ class CmsAuthUtils {
        // public static final String SHARED_STATE_PASSWORD =
        // "javax.security.auth.login.password";
 
-       static void registerSessionAuthorization(BundleContext bc, HttpServletRequest request, Subject subject,
+       private static void registerSessionAuthorization(HttpServletRequest request, Subject subject,
                        Authorization authorization) {
-               HttpSession httpSession = request.getSession();
-               String httpSessId = httpSession.getId();
-               if (authorization.getName() != null) {
-                       request.setAttribute(HttpContext.REMOTE_USER, authorization.getName());
-                       request.setAttribute(HttpContext.AUTHORIZATION, authorization);
-
-                       CmsSession cmsSession = CmsSessionImpl.getByLocalId(httpSessId);
-                       if (cmsSession == null)
-                               cmsSession = new WebCmsSessionImpl(subject, authorization, httpSessId);
-                       request.setAttribute(CmsSession.class.getName(), cmsSession);
-                       // else
-                       // throw new CmsException("Already a CMS session registered for
-                       // "+httpSessId);
-
-                       // if (httpSession.getAttribute(HttpContext.AUTHORIZATION) == null)
-                       // {
-
-                       // Collection<ServiceReference<CmsSession>> sr;
-                       // try {
-                       // sr = bc.getServiceReferences(CmsSession.class,
-                       // "(" + CmsSession.SESSION_LOCAL_ID + "=" + httpSessId + ")");
-                       // } catch (InvalidSyntaxException e) {
-                       // throw new CmsException("Cannot get CMS session for id " +
-                       // httpSessId, e);
-                       // }
-                       // ServiceReference<CmsSession> cmsSessionRef;
-                       // if (sr.size() == 1) {
-                       // cmsSessionRef = sr.iterator().next();
-                       // } else if (sr.size() == 0) {
-                       // WebCmsSessionImpl cmsSessionImpl = new WebCmsSessionImpl(subject,
-                       // authorization, httpSessId);
-                       // cmsSessionRef =
-                       // cmsSessionImpl.getServiceRegistration().getReference();
-                       // if (log.isDebugEnabled())
-                       // log.debug("Initialized " + cmsSessionImpl + " for " +
-                       // authorization.getName());
-                       // } else
-                       // throw new CmsException(sr.size() + " CMS sessions registered for
-                       // " + httpSessId);
-                       //
-                       // cmsSession = (CmsSession) bc.getService(cmsSessionRef);
-                       // cmsSession.addHttpSession(request);
-                       // if (log.isTraceEnabled())
-                       // log.trace("Added " + request.getServletPath() + " to " +
-                       // cmsSession + " (" + request.getRequestURI()
-                       // + ")");
-                       // httpSession.setAttribute(HttpContext.REMOTE_USER,
-                       // authorization.getName());
-                       // httpSession.setAttribute(HttpContext.AUTHORIZATION,
-                       // authorization);
-                       CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
-                       if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0)
-                               subject.getPrivateCredentials().add(nodeSessionId);
-                       else {
-                               UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next().getUuid();
-                               // if (storedSessionId.equals(httpSessionId.getValue()))
-                               throw new CmsException(
-                                               "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
+               if (request != null) {
+                       HttpSession httpSession = request.getSession();
+                       String httpSessId = httpSession.getId();
+                       if (authorization.getName() != null) {
+                               request.setAttribute(HttpContext.REMOTE_USER, authorization.getName());
+                               request.setAttribute(HttpContext.AUTHORIZATION, authorization);
+
+                               CmsSession cmsSession = CmsSessionImpl.getByLocalId(httpSessId);
+                               if (cmsSession == null)
+                                       cmsSession = new WebCmsSessionImpl(subject, authorization, httpSessId);
+                               request.setAttribute(CmsSession.class.getName(), cmsSession);
+                               CmsSessionId nodeSessionId = new CmsSessionId(cmsSession.getUuid());
+                               if (subject.getPrivateCredentials(CmsSessionId.class).size() == 0)
+                                       subject.getPrivateCredentials().add(nodeSessionId);
+                               else {
+                                       UUID storedSessionId = subject.getPrivateCredentials(CmsSessionId.class).iterator().next()
+                                                       .getUuid();
+                                       // if (storedSessionId.equals(httpSessionId.getValue()))
+                                       throw new CmsException(
+                                                       "Subject already logged with session " + storedSessionId + " (not " + nodeSessionId + ")");
+                               }
                        }
+               } else {
+                       // TODO desktop, CLI
                }
-               // }
        }
 
        static boolean logoutSession(BundleContext bc, Subject subject) {
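Review bot: `request.getSession()` at the top of the `if (request != null)` block runs before the `authorization.getName() != null` check, so every anonymous request reaching this path creates a container session (and a session cookie) that nothing is ever stored in; move the two lines `HttpSession httpSession = request.getSession(); String httpSessId = httpSession.getId();` inside the named-authorization branch, or use `request.getSession(false)` and return when it is absent. Separately, the CmsSession for an authenticated user is keyed by the pre-login HTTP session id (`CmsSessionImpl.getByLocalId(httpSessId)` / `new WebCmsSessionImpl(subject, authorization, httpSessId)`) and that id is never rotated at login, so protection against session fixation rests entirely on the container; if the servlet API in use offers `request.changeSessionId()`, calling it before the id is read here closes that gap locally. The empty `else { // TODO desktop, CLI }` branch would read better as an early guard `if (request == null) return; // desktop, CLI: no HTTP session to bind` at the top of the method.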
index 19f6ee0c6f792748c9c8310623778f1d5aabc4f4..9e05ac95aec0212b320dccb3424a573b06de83cc 100644 (file)
@@ -102,8 +102,8 @@ public class HttpSessionLoginModule implements LoginModule {
        @Override
        public boolean commit() throws LoginException {
                if(authorization!=null){
-                       CmsAuthUtils.addAuthentication(subject, authorization);
-                       CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
+                       CmsAuthUtils.addAuthorization(subject, authorization,request);
+//                     CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
                }
                
                // TODO create CmsSession in another module
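Review bot: The commented-out line `// CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);` kept under the new `addAuthorization` call is dead code now that registration happens inside `addAuthorization` (and `registerSessionAuthorization` became private in the same commit); delete it rather than leaving it as a comment, and likewise the four commented lines after the `addAuthorization` call in `UserAdminLoginModule.commit`. The live call is also missing a space after the comma: `CmsAuthUtils.addAuthorization(subject, authorization, request);`. `commit()` continues outside the hunk.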
index b368b1de5345da3aad3118d217d5a0c3fb9ba3a0..0f7f0bdeed37c6e489f67cd9a67bd4cd965d99aa 100644 (file)
@@ -157,43 +157,48 @@ public class UserAdminLoginModule implements LoginModule {
                // return true;
                // }
                UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
-               Authorization authorization = null;
-               User authenticatingUser;
-               Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
-               if (kerberosPrincipals.isEmpty()) {
-                       if (callbackHandler == null) {
-                               authorization = userAdmin.getAuthorization(null);
-                       }
-                       if (authenticatedUser == null) {
-                               return false;
+               Authorization authorization;
+               if (callbackHandler == null) {// anonymous
+                       authorization = userAdmin.getAuthorization(null);
+               } else {
+                       User authenticatingUser;
+                       Set<KerberosPrincipal> kerberosPrincipals = subject.getPrincipals(KerberosPrincipal.class);
+                       if (kerberosPrincipals.isEmpty()) {
+                               if (authenticatedUser == null) {
+                                       if(log.isTraceEnabled())
+                                               log.trace("Neither kerberos nor user admin login succeeded. Login failed.");
+                                       return false;
+                               } else {
+                                       authenticatingUser = authenticatedUser;
+                               }
                        } else {
-                               authenticatingUser = authenticatedUser;
+                               KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
+                               LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
+                               authenticatingUser = new AuthenticatingUser(dn);
+                               if (authenticatedUser != null && !authenticatingUser.getName().equals(authenticatedUser.getName()))
+                                       throw new LoginException("Kerberos login " + authenticatingUser.getName()
+                                                       + " is inconsistent with user admin login " + authenticatedUser.getName());
                        }
-               } else {
-                       KerberosPrincipal kerberosPrincipal = kerberosPrincipals.iterator().next();
-                       LdapName dn = IpaUtils.kerberosToDn(kerberosPrincipal.getName());
-                       authenticatingUser = new AuthenticatingUser(dn);
-               }
-               if (authorization == null)
-                       authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
+                               authorization = Subject.doAs(subject, new PrivilegedAction<Authorization>() {
 
-                               @Override
-                               public Authorization run() {
-                                       Authorization authorization = userAdmin.getAuthorization(authenticatingUser);
-                                       return authorization;
-                               }
+                                       @Override
+                                       public Authorization run() {
+                                               Authorization authorization = userAdmin.getAuthorization(authenticatingUser);
+                                               return authorization;
+                                       }
 
-                       });
-               if (authorization == null)
-                       return false;
+                               });
+                       if (authorization == null)
+                               throw new LoginException("User admin found no authorization for authenticated user "+authenticatingUser.getName());
+               }
                // Log and monitor new login
-               CmsAuthUtils.addAuthentication(subject, authorization);
+               CmsAuthUtils.addAuthorization(subject, authorization, (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST));
+//             HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
+//             if (request != null) {
+//                     CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
+//             }
                if (log.isDebugEnabled())
                        log.debug("Logged in to CMS: " + subject);
-               HttpServletRequest request = (HttpServletRequest) sharedState.get(CmsAuthUtils.SHARED_STATE_HTTP_REQUEST);
-               if (request != null) {
-                       CmsAuthUtils.registerSessionAuthorization(bc, request, subject, authorization);
-               }
                return true;
        }
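Review bot: The `if (authorization == null) throw new LoginException(...)` guard at the end of the else branch covers only the credential/Kerberos path; the anonymous branch assigns `userAdmin.getAuthorization(null)` and hands it straight to `CmsAuthUtils.addAuthorization`, whose `assert authorization != null` is a no-op unless the JVM runs with `-ea`, so a null anonymous authorization would surface later as a NullPointerException instead of a LoginException (whether `getAuthorization(null)` can return null is not visible here). Moving the guard after the if/else, e.g. `if (authorization == null) throw new LoginException("User admin found no authorization (anonymous=" + (callbackHandler == null) + ")");`, covers both branches. Note also that `callbackHandler == null` is now tested before the Kerberos principals, so a subject that already carries a `KerberosPrincipal` but is committed without a callback handler is resolved as anonymous instead of through `IpaUtils.kerberosToDn` as before; if that is intended, extend the `// anonymous` comment to say that a null callback handler marks an anonymous login regardless of other principals in the subject. `commit()` begins outside the hunk.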