Start improving single-user login
authorMathieu Baudier <mbaudier@argeo.org>
Tue, 3 Jan 2023 05:52:16 +0000 (06:52 +0100)
committerMathieu Baudier <mbaudier@argeo.org>
Tue, 3 Jan 2023 05:52:16 +0000 (06:52 +0100)
org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java
org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg

index 289f8dcc65eabf2e101c0af6208bbb2ead05ff90..37992072482e0cf36b1a08ed899de0afcf2f8601 100644 (file)
@@ -45,6 +45,7 @@ class CmsAuthUtils {
        final static String SHARED_STATE_CERTIFICATE_CHAIN = "org.argeo.cms.auth.certificateChain";
        final static String SHARED_STATE_REMOTE_ADDR = "org.argeo.cms.auth.remote.addr";
        final static String SHARED_STATE_REMOTE_PORT = "org.argeo.cms.auth.remote.port";
+       final static String SHARED_STATE_OS_USERNAME = "org.argeo.cms.os.username";
 
        final static String SINGLE_USER_LOCAL_ID = "single-user";
 
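Review bot: The new key `org.argeo.cms.os.username` drops the `org.argeo.cms.auth.` prefix that the three neighbouring shared-state keys use, so the constant sits out of the namespace the rest of this block defines; unless the value is deliberately shared with code outside the auth package, `"org.argeo.cms.auth.os.username"` would keep the keys consistent. A one-line comment on the constant stating who writes and who reads it would also help, since the two sides live in different classes: `// OS user name of the running JVM; written by SingleUserLoginModule from "user.name", read by UserAdminLoginModule as a pre-authenticated identity`. The class continues outside the hunk.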
index 4b36f28abb90f927df087b743f81c09852241319..10e091ead0a4953e2236f2ad4860c5d04ba277c2 100644 (file)
@@ -7,6 +7,7 @@ import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.CredentialException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
 import javax.security.auth.x500.X500Principal;
@@ -35,8 +36,12 @@ public class SingleUserLoginModule implements LoginModule {
        @Override
        public boolean login() throws LoginException {
                String username = System.getProperty("user.name");
-               if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME))
-                       sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, username);
+               if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)
+                               && !username.equals(sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME)))
+                       throw new CredentialException(
+                                       "OS username already set with " + sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME));
+               if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME))
+                       sharedState.put(CmsAuthUtils.SHARED_STATE_OS_USERNAME, username);
                return true;
        }
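Review bot: `username` is dereferenced with `username.equals(...)` before any null check, but `System.getProperty("user.name")` returns null when the property is absent (it can be cleared or overridden with `-Duser.name=` at JVM start), so that case surfaces as a NullPointerException instead of the LoginException callers of a LoginModule expect. Add a guard right after the property read, `if (username == null) throw new LoginException("No OS user name available");`, and the comparison and the put below then stay as they are. Since the identity placed in shared state comes from a JVM property rather than from any verified credential, the method's javadoc should say that it trusts the process's `user.name` and is intended only for local single-user deployments.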
 
@@ -49,7 +54,7 @@ public class SingleUserLoginModule implements LoginModule {
                        X500Principal principal = new X500Principal(userDn.toString());
                        authorizationName = principal.getName();
                } else {
-                       Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
+                       Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME);
                        if (username == null)
                                throw new LoginException("No username available");
                        String hostname = CmsContextImpl.getCmsContext().getCmsState().getHostname();
index 2b5c41ddf8333395ddccf823d14124b5000ddcbf..53161e58c5533103ad136fbd5cd829cca147d5fa 100644 (file)
@@ -103,6 +103,11 @@ public class UserAdminLoginModule implements LoginModule {
                        username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
                        password = null;
                        preauth = true;
+               } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) {
+                       // single user, we assume Kerberos or other mean for commit
+                       username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME);
+                       password = null;
+                       preauth = true;
                } else {
 
                        // ask for username and password
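Review bot: The new branch grants pre-authenticated status (`password = null; preauth = true;`) on the mere presence of the OS-username key, and its comment only assumes Kerberos "or other mean" stands behind it; in the SINGLE_USER stack edited in jaas-ipa.cfg in this same commit the Krb5LoginModule is `optional`, so nothing in the configuration enforces that assumption. Replace the comment with one stating the actual trust boundary, e.g. `// single-user mode: the OS user name put in shared state by SingleUserLoginModule is trusted as-is; no credential is verified here, so this stack must only be reachable by the local user`. The same key-presence test is repeated in the commit() hunk below (`callbackHandler == null && !sharedState.containsKey(...)`); a private helper such as `isSingleUserOsLogin()` used in both places would keep the two conditions from drifting apart. The enclosing method starts and ends outside the hunk.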
@@ -205,7 +210,7 @@ public class UserAdminLoginModule implements LoginModule {
 //             }
                UserAdmin userAdmin = CmsContextImpl.getCmsContext().getUserAdmin();
                Authorization authorization;
-               if (callbackHandler == null) {// anonymous
+               if (callbackHandler == null && !sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) {// anonymous
                        authorization = userAdmin.getAuthorization(null);
                } else if (bindAuthorization != null) {// bind
                        authorization = bindAuthorization;
index 51db582c69c091bdd7aa79036ff21005b0a9c7e8..0ef142f4aed07132db1d29a7145a1df5b5ede851 100644 (file)
@@ -32,7 +32,8 @@ SINGLE_USER {
     com.sun.security.auth.module.Krb5LoginModule optional
      storeKey=true
      useTicketCache=true;
-    org.argeo.cms.auth.SingleUserLoginModule requisite;
+    org.argeo.cms.auth.SingleUserLoginModule required;
+    org.argeo.cms.auth.UserAdminLoginModule optional;
 };
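Review bot: After this change the only non-optional entry in SINGLE_USER is SingleUserLoginModule, which per the SingleUserLoginModule hunk succeeds as soon as `user.name` is readable, so the stack as a whole succeeds even when both Krb5LoginModule and UserAdminLoginModule fail; the switch from `requisite` to `required` only affects whether the remaining optional entries still run after a failure. If that is the intent, say so next to the entry so a later reader does not take `required` to mean a credential is checked, e.g. `// single-user: login succeeds on the OS user name alone; Kerberos and UserAdmin only enrich the Subject`. If it is not, UserAdminLoginModule should carry a stronger flag than `optional`.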
 
 Jackrabbit {