From: Mathieu Baudier
Date: Thu, 1 Feb 2018 20:24:46 +0000 (+0100)
Subject: OS user as single user
X-Git-Tag: argeo-commons-2.1.71~33
X-Git-Url: https://git.argeo.org/?p=lgpl%2Fargeo-commons.git;a=commitdiff_plain;h=54e74b900b1c0f7b1de0def771de35e50a8d4071

OS user as single user
---
diff --git a/demo/argeo_node_local.properties b/demo/argeo_node_local.properties
new file mode 100644
index 000000000..827375433
--- /dev/null
+++ b/demo/argeo_node_local.properties
@@ -0,0 +1,38 @@
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.http.jetty,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.4.apps=\
+org.eclipse.gemini.blueprint.extender
+
+argeo.osgi.start.4.workbench=\
+org.eclipse.equinox.http.registry,\
+
+java.security.manager=
+java.security.policy=file:../../all.policy
+
+argeo.node.repo.type=h2
+
+argeo.node.useradmin.uris=os:///
+
+# HTTP
+org.osgi.service.http.port=7070
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.rap.workbenchAutostart=false
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
index 4762eb96c..dadcc4dbc 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
@@ -19,6 +19,7 @@ import org.argeo.cms.CmsException;
 import org.argeo.cms.internal.auth.CmsSessionImpl;
 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 import org.argeo.cms.internal.http.WebCmsSessionImpl;
+import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.node.NodeConstants;
 import org.argeo.node.security.AnonymousPrincipal;
 import org.argeo.node.security.DataAdminPrincipal;
@@ -49,6 +50,10 @@ class CmsAuthUtils {
 // required for display name:
 subject.getPrivateCredentials().add(authorization);
 
+ if (Activator.isSingleUser()) {
+ subject.getPrincipals().add(new DataAdminPrincipal());
+ }
+
 Set principals = subject.getPrincipals();
 try {
 String authName = authorization.getName();
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index e99387639..e39918e40 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -27,9 +27,11 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.cms.CmsException;
+import org.argeo.cms.internal.kernel.Activator;
 import org.argeo.naming.LdapAttrs;
 import org.argeo.osgi.useradmin.AuthenticatingUser;
 import org.argeo.osgi.useradmin.IpaUtils;
+import org.argeo.osgi.useradmin.OsUserUtils;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.FrameworkUtil;
 import org.osgi.service.useradmin.Authorization;
@@ -53,6 +55,8 @@ public class UserAdminLoginModule implements LoginModule {
 private Authorization bindAuthorization = null;
 
+ private boolean singleUser = Activator.isSingleUser();
+
 @SuppressWarnings("unchecked")
 @Override
 public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, 
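Review bot: The new block in CmsAuthUtils grants a DataAdminPrincipal to every subject that reaches this point whenever Activator.isSingleUser() is true, keyed on the node-wide flag rather than on the authorization actually being the OS user, so any other login path that also passes through here would be promoted to data admin as well (the enclosing method starts and ends outside the hunk, so which paths those are is not visible). A narrower guard would tie the grant to the identity, along the lines of `if (Activator.isSingleUser() && OsUserUtils.getOsUsername().equals(authorization.getName())) {` (needs an import, and assumes the OS directory's authorization name is the uid, which I cannot confirm from here). A one-line comment above the block stating why the OS user is a data admin would help the next reader.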
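Review bot: `private boolean singleUser = Activator.isSingleUser();` is a field initializer, so the OSGi service lookup behind it runs whenever JAAS instantiates the login module, before initialize() has a chance to run; if the UserAdmin service is not registered at that moment (Activator.getNodeUserAdmin in this commit does not check for a null ServiceReference) the module fails to construct with an unchecked exception rather than a LoginException with context. Resolving the flag in initialize() instead, `singleUser = Activator.isSingleUser();` as the first statement there, keeps the failure inside the JAAS lifecycle where it can be reported. The initialize() method continues outside the hunk.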
@@ -85,7 +89,11 @@ public class UserAdminLoginModule implements LoginModule {
 username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME);
 certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
 password = null;
+ } else if (singleUser) {
+ username = OsUserUtils.getOsUsername();
+ password = null;
 } else {
+ // ask for username and password
 NameCallback nameCallback = new NameCallback("User");
 PasswordCallback passwordCallback = new PasswordCallback("Password", false);
@@ -141,8 +149,11 @@ public class UserAdminLoginModule implements LoginModule {
 }
 } else if (certificateChain != null) {
 // TODO check CRLs/OSCP validity?
- // NB: authorization in commit() will work only if an LDAP connection password is provided
- }else {
+ // NB: authorization in commit() will work only if an LDAP connection password
+ // is provided
+ } else if (singleUser) {
+ // TODO verify IP address?
+ } else {
 throw new CredentialNotFoundException("No credentials provided");
 }
 
@@ -152,6 +163,9 @@ public class UserAdminLoginModule implements LoginModule {
 @Override
 public boolean commit() throws LoginException {
+ if (singleUser) {
+ OsUserUtils.loginAsSystemUser(subject);
+ }
 UserAdmin userAdmin = bc.getService(bc.getServiceReference(UserAdmin.class));
 Authorization authorization;
 if (callbackHandler == null) {// anonymous
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
index e7dcfc1a2..25746a481 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java
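Review bot: In login(), the new `else if (singleUser)` branch asserts the OS user's name with no credential, and the matching branch in the credential check further down (`// TODO verify IP address?`) accepts unconditionally, so in single-user mode every caller that reaches this module without shared-state credentials is logged in as the OS user; the branch also comes before the name/password callbacks, so no credential is ever requested. Nothing visible ties this to a local caller: the demo configuration in this commit sets `org.osgi.service.http.port=7070` next to `argeo.node.useradmin.uris=os:///`, so unless the HTTP listener is bound to the loopback interface, remote clients would get the same treatment. Until the TODO is resolved I would refuse the branch when the caller is not local (HttpServletRequest is already imported in this file, so the remote address is available where the request is known) and state the assumption in a comment above the branch: `// single-user mode: trusts the JVM's user.name without a credential; only acceptable when the node is reachable locally`. The login() method starts and ends outside these hunks.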
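Review bot: In commit(), `OsUserUtils.loginAsSystemUser(subject)` discards the LoginContext it returns, so the OS login module can never be logged out when this module is, and loginAsSystemUser (added in this commit) throws RuntimeException from a method declared to throw LoginException, which is what callers of JAAS expect to catch. Keeping the context in a field and translating the failure would be `try { osLoginContext = OsUserUtils.loginAsSystemUser(subject); } catch (RuntimeException e) { LoginException le = new LoginException("Cannot login as OS user: " + e.getMessage()); le.initCause(e); throw le; }`, with the field then used in logout(), which is outside the hunk.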
@@ -161,9 +161,18 @@ public class Activator implements BundleActivator {
 }
 
 public static GSSCredential getAcceptorCredentials() {
+ return getNodeUserAdmin().getAcceptorCredentials();
+ }
+
+ public static boolean isSingleUser() {
+ return getNodeUserAdmin().isSingleUser();
+ }
+
+ private static NodeUserAdmin getNodeUserAdmin() {
 ServiceReference sr = instance.bc.getServiceReference(UserAdmin.class);
 NodeUserAdmin userAdmin = (NodeUserAdmin) instance.bc.getService(sr);
- return userAdmin.getAcceptorCredentials();
+ return userAdmin;
+ }
 // static CmsSecurity getCmsSecurity() {
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java
index 9d7b9bed1..6175e4d03 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/FirstInit.java
@@ -148,7 +148,7 @@ class FirstInit {
 u = new URI(uri);
 } else
 throw new CmsException("Cannot interpret " + uri + " as an uri");
- } else if (u.getScheme().equals("file")) {
+ } else if (u.getScheme().equals(UserAdminConf.SCHEME_FILE)) {
 u = new File(u).getCanonicalFile().toURI();
 }
 } catch (Exception e) {
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
index 8410b3958..436d30058 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
@@ -44,6 +44,7 @@ import org.argeo.osgi.useradmin.AbstractUserDirectory;
 import org.argeo.osgi.useradmin.AggregatingUserAdmin;
 import org.argeo.osgi.useradmin.LdapUserAdmin;
 import org.argeo.osgi.useradmin.LdifUserAdmin;
+import org.argeo.osgi.useradmin.OsUserDirectory;
 import org.argeo.osgi.useradmin.UserAdminConf;
 import org.argeo.osgi.useradmin.UserDirectory;
 import org.ietf.jgss.GSSCredential;
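Review bot: getNodeUserAdmin() does not handle `getServiceReference` returning null (no UserAdmin registered yet, or during shutdown): `instance.bc.getService(sr)` then fails with an unchecked exception, and because isSingleUser() is now called from the login modules in this commit, the failure surfaces inside JAAS instead of at startup. The reference taken with getService is also never released with ungetService; the previous code did not either, but the helper is now reached from two call sites. Suggest `if (sr == null) throw new IllegalStateException("UserAdmin service not available");` before the cast, plus a javadoc on isSingleUser() saying it reports whether an os: user directory has been configured (per NodeUserAdmin in this commit).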
@@ -84,6 +85,8 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 private Path nodeKeyTab = KernelUtils.getOsgiInstancePath(KernelConstants.NODE_KEY_TAB_PATH);
 private GSSCredential acceptorCredentials;
 
+ private boolean singleUser = false;
+
 public NodeUserAdmin(String systemRolesBaseDn) {
 super(systemRolesBaseDn);
 tmTracker = new ServiceTracker<>(bc, TransactionManager.class, null);
@@ -105,8 +108,17 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 }
 
 // Create
- AbstractUserDirectory userDirectory = u.getScheme().equals("ldap") ? new LdapUserAdmin(properties)
- : new LdifUserAdmin(u, properties);
+ AbstractUserDirectory userDirectory;
+ if (UserAdminConf.SCHEME_LDAP.equals(u.getScheme())) {
+ userDirectory = new LdapUserAdmin(properties);
+ } else if (UserAdminConf.SCHEME_FILE.equals(u.getScheme())) {
+ userDirectory = new LdifUserAdmin(u, properties);
+ } else if (UserAdminConf.SCHEME_OS.equals(u.getScheme())) {
+ userDirectory = new OsUserDirectory(u, properties);
+ singleUser = true;
+ } else {
+ throw new CmsException("Unsupported scheme " + u.getScheme());
+ }
 Object realm = userDirectory.getProperties().get(UserAdminConf.realm.name());
 addUserDirectory(userDirectory);
@@ -272,6 +284,10 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 return acceptorCredentials;
 }
 
+ public boolean isSingleUser() {
+ return singleUser;
+ }
+
 public final static Oid KERBEROS_OID;
 static {
 try {
diff --git a/org.argeo.enterprise/ext/test/org/argeo/osgi/useradmin/UserAdminConfTest.java b/org.argeo.enterprise/ext/test/org/argeo/osgi/useradmin/UserAdminConfTest.java
new file mode 100644
index 000000000..d69cae4c0
--- /dev/null
+++ b/org.argeo.enterprise/ext/test/org/argeo/osgi/useradmin/UserAdminConfTest.java
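Review bot: `singleUser = true` is set when an os: directory is created but never reset, and it is set even if ldap: or file: directories are configured in the same node; since Activator.isSingleUser() now drives both credential-less login and the DataAdminPrincipal grant elsewhere in this commit, a mixed configuration silently puts the whole node into single-user mode. I would either refuse to mix, e.g. `if (singleUser && !UserAdminConf.SCHEME_OS.equals(u.getScheme())) throw new CmsException("An os: user directory cannot be combined with " + u.getScheme());` at the top of the creation block, or derive the flag from the set of registered directories and clear it in deleted() (outside the hunk). The field is read from other threads through the static accessor, so `private volatile boolean singleUser = false;` is warranted, and isSingleUser() deserves a javadoc stating what it means.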
@@ -0,0 +1,53 @@
+package org.argeo.osgi.useradmin;
+
+import static org.argeo.osgi.useradmin.UserAdminConf.propertiesAsUri;
+import static org.argeo.osgi.useradmin.UserAdminConf.uriAsProperties;
+
+import java.net.URI;
+import java.util.Dictionary;
+
+import junit.framework.TestCase;
+
+public class UserAdminConfTest extends TestCase {
+ public void testUriFormat() throws Exception {
+ // LDAP
+ URI uriIn = new URI("ldap://" + "uid=admin,ou=system:secret@localhost:10389" + "/dc=example,dc=com"
+ + "?readOnly=false&userObjectClass=person");
+ Dictionary props = uriAsProperties(uriIn.toString());
+ System.out.println(props);
+ assertEquals("dc=example,dc=com", props.get(UserAdminConf.baseDn.name()));
+ assertEquals("false", props.get(UserAdminConf.readOnly.name()));
+ assertEquals("person", props.get(UserAdminConf.userObjectClass.name()));
+ URI uriOut = propertiesAsUri(props);
+ System.out.println(uriOut);
+ assertEquals("/dc=example,dc=com?userObjectClass=person&readOnly=false", uriOut.toString());
+
+ // File
+ uriIn = new URI("file://some/dir/dc=example,dc=com.ldif");
+ props = uriAsProperties(uriIn.toString());
+ System.out.println(props);
+ assertEquals("dc=example,dc=com", props.get(UserAdminConf.baseDn.name()));
+
+ // Base configuration
+ uriIn = new URI("/dc=example,dc=com.ldif?readOnly=true&userBase=ou=CoWorkers,ou=People&groupBase=ou=Roles");
+ props = uriAsProperties(uriIn.toString());
+ System.out.println(props);
+ assertEquals("dc=example,dc=com", props.get(UserAdminConf.baseDn.name()));
+ assertEquals("true", props.get(UserAdminConf.readOnly.name()));
+ assertEquals("ou=CoWorkers,ou=People", props.get(UserAdminConf.userBase.name()));
+ assertEquals("ou=Roles", props.get(UserAdminConf.groupBase.name()));
+ uriOut = propertiesAsUri(props);
+ System.out.println(uriOut);
+ assertEquals("/dc=example,dc=com?userBase=ou=CoWorkers,ou=People&groupBase=ou=Roles&readOnly=true", uriOut.toString());
+
+ // OS
+ uriIn = new URI("os:///dc=example,dc=com");
+ props 
= uriAsProperties(uriIn.toString());
+ System.out.println(props);
+ assertEquals("dc=example,dc=com", props.get(UserAdminConf.baseDn.name()));
+ assertEquals("true", props.get(UserAdminConf.readOnly.name()));
+ uriOut = propertiesAsUri(props);
+ System.out.println(uriOut);
+ assertEquals("/dc=example,dc=com?readOnly=true", uriOut.toString());
+ }
+}
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
index 6d33edb35..56f2f5c17 100644
--- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
@@ -419,15 +419,17 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
 return true;
 if (uri.getScheme() == null)
 return false;// assume relative file to be writable
- if (uri.getScheme().equals("file")) {
+ if (uri.getScheme().equals(UserAdminConf.SCHEME_FILE)) {
 File file = new File(uri);
 if (file.exists())
 return !file.canWrite();
 else
 return !file.getParentFile().canWrite();
- } else if (uri.getScheme().equals("ldap")) {
+ } else if (uri.getScheme().equals(UserAdminConf.SCHEME_LDAP)) {
 if (uri.getAuthority() != null)// assume writable if authenticated
 return false;
+ } else if (uri.getScheme().equals(UserAdminConf.SCHEME_OS)) {
+ return true;
 }
 return true;// read only by default
 }
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserDirectory.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserDirectory.java
new file mode 100644
index 000000000..3953a70d0
--- /dev/null
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserDirectory.java
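Review bot: The assertions on `uriOut.toString()` (the `userObjectClass=person&readOnly=false` and `userBase=...&groupBase=...&readOnly=true` orderings) depend on the iteration order of the Hashtable that uriAsProperties builds, which is unspecified, so this test can start failing with a different JDK or key hashing even though the behaviour that matters is unchanged. Asserting per parameter instead, e.g. `assertTrue(uriOut.getQuery().contains("readOnly=false"));` alongside the baseDn path check, pins the contract without the ordering. The System.out.println calls carried over from the main() this test replaces can go.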
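Review bot: In AbstractUserDirectory the new `else if (... SCHEME_OS ...) { return true; }` branch is redundant with the `return true;// read only by default` immediately after it, so it reads as a behaviour change while it is not one. If the branch is kept to document intent, say so in place: `// an OS user directory is always read-only`, otherwise drop it; either way the enclosing method starts outside the hunk.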
@@ -0,0 +1,66 @@
+package org.argeo.osgi.useradmin;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Dictionary;
+import java.util.List;
+
+import javax.naming.NameNotFoundException;
+import javax.naming.NamingException;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.BasicAttributes;
+import javax.naming.ldap.LdapName;
+
+import org.argeo.naming.LdapAttrs;
+import org.osgi.framework.Filter;
+import org.osgi.service.useradmin.User;
+
+public class OsUserDirectory extends AbstractUserDirectory {
+ private final String osUsername = System.getProperty("user.name");
+ private final LdapName osUserDn;
+ private final LdifUser osUser;
+
+ public OsUserDirectory(URI uriArg, Dictionary props) {
+ super(uriArg, props);
+ try {
+ osUserDn = new LdapName(LdapAttrs.uid.name() + "=" + osUsername + "," + getUserBase() + "," + getBaseDn());
+ Attributes attributes = new BasicAttributes();
+ attributes.put(LdapAttrs.uid.name(), osUsername);
+ osUser = new LdifUser(this, osUserDn, attributes);
+ } catch (NamingException e) {
+ throw new UserDirectoryException("Cannot create system user", e);
+ }
+ }
+
+ @Override
+ protected List getDirectGroups(LdapName dn) {
+ return new ArrayList<>();
+ }
+
+ @Override
+ protected Boolean daoHasRole(LdapName dn) {
+ return osUserDn.equals(dn);
+ }
+
+ @Override
+ protected DirectoryUser daoGetRole(LdapName key) throws NameNotFoundException {
+ if (osUserDn.equals(key))
+ return osUser;
+ else
+ throw new NameNotFoundException("Not an OS role");
+ }
+
+ @Override
+ protected List doGetRoles(Filter f) {
+ List res = new ArrayList<>();
+ if (f.match(osUser.getProperties()))
+ res.add(osUser);
+ return res;
+ }
+
+ @Override
+ protected AbstractUserDirectory scope(User user) {
+ throw new UnsupportedOperationException();
+ }
+
+}
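Review bot: The single user is derived from `System.getProperty("user.name")`, a plain JVM property that can be set on the command line, not an identity verified by the operating system; the OS-level check only happens later in OsUserUtils.loginAsSystemUser (same commit), and nothing here checks that the two agree. A class javadoc should make that explicit, e.g. "User directory exposing only the user running the JVM, as reported by the user.name system property; OS-level verification is left to the JAAS OS login modules." If the property is unset, `osUsername` is null and the constructor builds a `uid=null,...` DN, so `Objects.requireNonNull(osUsername, "user.name system property")` in the constructor would fail fast, and `scope()` throws UnsupportedOperationException without a message saying that an OS directory cannot be scoped.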
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserUtils.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserUtils.java
new file mode 100644
index 000000000..8a36cb082
--- /dev/null
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/OsUserUtils.java
@@ -0,0 +1,53 @@
+package org.argeo.osgi.useradmin;
+
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.security.NoSuchAlgorithmException;
+import java.security.URIParameter;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+public class OsUserUtils {
+ private static String LOGIN_CONTEXT_USER_NIX = "USER_NIX";
+ private static String LOGIN_CONTEXT_USER_WINDOWS = "USER_WINDOWS";
+
+ public static String getOsUsername() {
+ return System.getProperty("user.name");
+ }
+
+ public static LoginContext loginAsSystemUser(Subject subject) {
+ try {
+ URL jaasConfigurationUrl = OsUserUtils.class.getClassLoader()
+ .getResource("org/argeo/osgi/useradmin/jaas-os.cfg");
+ URIParameter uriParameter = new URIParameter(jaasConfigurationUrl.toURI());
+ Configuration jaasConfiguration = Configuration.getInstance("JavaLoginConfig", uriParameter);
+ LoginContext lc = new LoginContext(isWindows() ? LOGIN_CONTEXT_USER_WINDOWS : LOGIN_CONTEXT_USER_NIX,
+ subject, null, jaasConfiguration);
+ lc.login();
+ return lc;
+ } catch (URISyntaxException | NoSuchAlgorithmException | LoginException e) {
+ throw new RuntimeException("Cannot loging as system user", e);
+ }
+ }
+
+ public static void main(String args[]) {
+ Subject subject = new Subject();
+ LoginContext loginContext = loginAsSystemUser(subject);
+ System.out.println(subject);
+ try {
+ loginContext.logout();
+ } catch (LoginException e) {
+ // silent
+ }
+ }
+
+ private static boolean isWindows() {
+ return System.getProperty("os.name").startsWith("Windows");
+ }
+
+ private OsUserUtils() {
+ }
+}
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/UserAdminConf.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/UserAdminConf.java
index 19426b6c5..b3ead140c 100644
--- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/UserAdminConf.java 
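Review bot: `LOGIN_CONTEXT_USER_WINDOWS = "USER_WINDOWS"` does not match the jaas-os.cfg added in this commit, which declares the entry `USER_NT`, so on Windows the LoginContext constructor finds no configured modules and loginAsSystemUser throws; one side has to change, e.g. `private static final String LOGIN_CONTEXT_USER_WINDOWS = "USER_NT";` (both name constants should be `static final` anyway). `getResource(...)` returns null when the cfg is not on the class path, which then surfaces as a bare NullPointerException at `jaasConfigurationUrl.toURI()` rather than a message naming the missing resource, and the exception message has a typo (`"Cannot loging as system user"`). The main() method is a manual harness left in production code and belongs in the test tree; a javadoc on loginAsSystemUser stating that the returned LoginContext must be kept for logout() would help callers such as UserAdminLoginModule.commit() in this commit.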
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/UserAdminConf.java
@@ -4,6 +4,7 @@ import java.io.IOException;
 import java.net.InetAddress;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.UnknownHostException;
 import java.util.Dictionary;
 import java.util.Enumeration;
 import java.util.Hashtable;
@@ -48,6 +49,11 @@ public enum UserAdminConf {
 public final static String FACTORY_PID = "org.argeo.osgi.useradmin.config";
 private final static Log log = LogFactory.getLog(UserAdminConf.class);
 
+ public final static String SCHEME_LDAP = "ldap";
+ public final static String SCHEME_FILE = "file";
+ public final static String SCHEME_OS = "os";
+ public final static String SCHEME_IPA = "ipa";
+
 /** The default value. */
 private Object def;
@@ -124,28 +130,33 @@ public enum UserAdminConf {
 Hashtable res = new Hashtable();
 URI u = new URI(uriStr);
 String scheme = u.getScheme();
- if (scheme != null && scheme.equals("ipa")) {
+ if (scheme != null && scheme.equals(SCHEME_IPA)) {
 u = convertIpaConfig(u);
 scheme = u.getScheme();
 }
 String path = u.getPath();
 // base DN
 String bDn = path.substring(path.lastIndexOf('/') + 1, path.length());
+ if (bDn.equals("") && SCHEME_OS.equals(scheme)) {
+ bDn = getBaseDnFromHostname();
+ }
+
 if (bDn.endsWith(".ldif"))
 bDn = bDn.substring(0, bDn.length() - ".ldif".length());
 String principal = null;
 String credentials = null;
 if (scheme != null)
- if (scheme.equals("ldap") || scheme.equals("ldaps")) {
+ if (scheme.equals(SCHEME_LDAP) || scheme.equals("ldaps")) {
 // TODO additional checks
 if (u.getUserInfo() != null) {
 String[] userInfo = u.getUserInfo().split(":");
 principal = userInfo.length > 0 ? userInfo[0] : null;
 credentials = userInfo.length > 1 ? userInfo[1] : null;
 }
- } else if (scheme.equals("file")) {
- } else if (scheme.equals("ipa")) {
+ } else if (scheme.equals(SCHEME_FILE)) {
+ } else if (scheme.equals(SCHEME_IPA)) {
+ } else if (scheme.equals(SCHEME_OS)) {
 } else
 throw new UserDirectoryException("Unsupported scheme " + scheme);
 Map> query = NamingUtils.queryToMap(u);
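Review bot: `scheme.equals("ldaps")` is the one scheme left as a literal after this hunk moved "ldap", "file", "ipa" and "os" to the SCHEME_* constants; a `SCHEME_LDAPS` constant next to the others would complete the change. The empty-base-DN fallback applies only to the os scheme, so `file:` or `ldap:` URIs whose last path segment is empty still produce an empty baseDn without a diagnostic — if that is intended, a comment on the new `if` saying that only os: derives its base DN from the hostname would make it clear; otherwise an explicit `UserDirectoryException` there is cheap. The enclosing uriAsProperties method starts and ends outside the hunk.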
@@ -159,14 +170,20 @@ public enum UserAdminConf {
 }
 }
 res.put(baseDn.name(), bDn);
+ if (SCHEME_OS.equals(scheme))
+ res.put(readOnly.name(), "true");
 if (principal != null)
 res.put(Context.SECURITY_PRINCIPAL, principal);
 if (credentials != null)
 res.put(Context.SECURITY_CREDENTIALS, credentials);
 if (scheme != null) {// relative URIs are dealt with externally
- URI bareUri = new URI(scheme, null, u.getHost(), u.getPort(),
- scheme.equals("file") ? u.getPath() : null, null, null);
- res.put(uri.name(), bareUri.toString());
+ if (SCHEME_OS.equals(scheme)) {
+ res.put(uri.name(), SCHEME_OS + ":///");
+ } else {
+ URI bareUri = new URI(scheme, null, u.getHost(), u.getPort(),
+ scheme.equals(SCHEME_FILE) ? u.getPath() : null, null, null);
+ res.put(uri.name(), bareUri.toString());
+ }
 }
 return res;
 } catch (Exception e) {
@@ -196,7 +213,7 @@ public enum UserAdminConf {
 }
 }
 URI convertedUri = new URI(
- "ldap://" + ldapHostsStr + "/" + IpaUtils.domainToUserDirectoryConfigPath(kerberosRealm));
+ SCHEME_LDAP + "://" + ldapHostsStr + "/" + IpaUtils.domainToUserDirectoryConfigPath(kerberosRealm));
 if (log.isDebugEnabled())
 log.debug("Converted " + uri + " to " + convertedUri);
 return convertedUri;
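Review bot: `res.put(readOnly.name(), "true")` for the os scheme runs after the query parameters have already been copied into res, so a `readOnly=false` given in the URI is overridden without any diagnostic. Forcing read-only is the right outcome (the AbstractUserDirectory change in this commit says the same), but the silent override should be recorded in place, e.g. `// an OS user directory is always read-only, whatever the query says`, or logged at warn level when the query asked otherwise so a misconfiguration is visible.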
@@ -219,38 +236,22 @@ public enum UserAdminConf {
 }
 
- // private static Map> splitQuery(String query) throws
- // UnsupportedEncodingException {
- // final Map> query_pairs = new LinkedHashMap>();
- // if (query == null)
- // return query_pairs;
- // final String[] pairs = query.split("&");
- // for (String pair : pairs) {
- // final int idx = pair.indexOf("=");
- // final String key = idx > 0 ? URLDecoder.decode(pair.substring(0, idx),
- // "UTF-8") : pair;
- // if (!query_pairs.containsKey(key)) {
- // query_pairs.put(key, new LinkedList());
- // }
- // final String value = idx > 0 && pair.length() > idx + 1
- // ? URLDecoder.decode(pair.substring(idx + 1), "UTF-8") : null;
- // query_pairs.get(key).add(value);
- // }
- // return query_pairs;
- // }
-
- public static void main(String[] args) {
- Dictionary props = uriAsProperties("ldap://" + "uid=admin,ou=system:secret@localhost:10389"
- + "/dc=example,dc=com" + "?readOnly=false&userObjectClass=person");
- System.out.println(props);
- System.out.println(propertiesAsUri(props));
-
- System.out.println(uriAsProperties("file://some/dir/dc=example,dc=com.ldif"));
-
- props = uriAsProperties(
- "/dc=example,dc=com.ldif?readOnly=true" + "&userBase=ou=CoWorkers,ou=People&groupBase=ou=Roles");
- System.out.println(props);
- System.out.println(propertiesAsUri(props));
+ private static String getBaseDnFromHostname() {
+ String hostname;
+ try {
+ hostname = InetAddress.getLocalHost().getHostName();
+ } catch (UnknownHostException e) {
+ log.warn("Using localhost as hostname", e);
+ hostname = "localhost.localdomain";
+ }
+ int dotIdx = hostname.indexOf('.');
+ if (dotIdx >= 0) {
+ String domain = hostname.substring(dotIdx + 1, hostname.length());
+ String bDn = ("." + domain).replaceAll("\\.", ",dc=");
+ bDn = bDn.substring(1, bDn.length());
+ return bDn;
+ } else {
+ return "dc=" + hostname;
+ }
 }
 }
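Review bot: getBaseDnFromHostname() turns every dot of the domain part into a `,dc=` separator, so a hostname with an empty label (a trailing dot such as `host.`, or `a..b`) yields an empty `dc=` component and an invalid DN, and the base DN of the single-user directory therefore depends on whatever the resolver or hosts file returns for the local host; that dependency should be stated in a javadoc on the method. The regex `replaceAll("\\.", ...)` and `substring(dotIdx + 1, hostname.length())` can also be plain `replace` / `substring(dotIdx + 1)`. Building the DN label by label, skipping empty labels and falling back to the host label when no domain label survives, avoids the malformed output:
```java
private static String getBaseDnFromHostname() {
    String hostname;
    // … unchanged: InetAddress lookup with "localhost.localdomain" fallback …
    int dotIdx = hostname.indexOf('.');
    if (dotIdx < 0) {
        return "dc=" + hostname;
    }
    StringBuilder bDn = new StringBuilder();
    for (String label : hostname.substring(dotIdx + 1).split("\\.")) {
        if (label.isEmpty()) {
            continue; // e.g. a trailing dot; would otherwise produce an empty "dc="
        }
        if (bDn.length() > 0) {
            bDn.append(',');
        }
        bDn.append("dc=").append(label);
    }
    // no usable domain label (e.g. "host."): fall back to the host label itself
    return bDn.length() > 0 ? bDn.toString() : "dc=" + hostname.substring(0, dotIdx);
}
```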
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/jaas-os.cfg b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/jaas-os.cfg
new file mode 100644
index 000000000..da04505a7
--- /dev/null
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/jaas-os.cfg
@@ -0,0 +1,8 @@
+USER_NIX {
+ com.sun.security.auth.module.UnixLoginModule requisite;
+};
+
+USER_NT {
+ com.sun.security.auth.module.NTLoginModule requisite;
+};
+
diff --git a/org.argeo.node.api/src/org/argeo/node/security/DataAdminPrincipal.java b/org.argeo.node.api/src/org/argeo/node/security/DataAdminPrincipal.java
index 280d537ae..53d2cedc6 100644
--- a/org.argeo.node.api/src/org/argeo/node/security/DataAdminPrincipal.java
+++ b/org.argeo.node.api/src/org/argeo/node/security/DataAdminPrincipal.java
@@ -20,7 +20,7 @@ public final class DataAdminPrincipal implements Principal {
 
 @Override
 public boolean equals(Object obj) {
- return this == obj;
+ return obj instanceof DataAdminPrincipal;
 }
 
 @Override
diff --git a/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java b/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
index 97618d5ec..fd01cc6c6 100644
--- a/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
+++ b/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
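Review bot: Changing equals() to `obj instanceof DataAdminPrincipal` makes every instance equal, so hashCode() — whose `@Override` is the last line of the hunk while its body lies outside it — must now return the same value for all instances, otherwise the hash-based principal set that `subject.getPrincipals().add(new DataAdminPrincipal())` (CmsAuthUtils, this commit) relies on can hold duplicates or miss lookups; please confirm it no longer derives from identity. A comment above equals(), `// all data admin principals are interchangeable`, would record the intent of the change.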
@@ -10,11 +10,13 @@ import javax.naming.ldap.LdapName;
 import org.argeo.node.NodeConstants;
 
 public class NodeSecurityUtils {
- public final static LdapName ROLE_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME, ROLE_USER_ADMIN_NAME;
+ public final static LdapName ROLE_ADMIN_NAME, ROLE_DATA_ADMIN_NAME, ROLE_ANONYMOUS_NAME, ROLE_USER_NAME,
+ ROLE_USER_ADMIN_NAME;
 public final static List RESERVED_ROLES;
 static {
 try {
 ROLE_ADMIN_NAME = new LdapName(NodeConstants.ROLE_ADMIN);
+ ROLE_DATA_ADMIN_NAME = new LdapName(NodeConstants.ROLE_DATA_ADMIN);
 ROLE_USER_NAME = new LdapName(NodeConstants.ROLE_USER);
 ROLE_USER_ADMIN_NAME = new LdapName(NodeConstants.ROLE_USER_ADMIN);
 ROLE_ANONYMOUS_NAME = new LdapName(NodeConstants.ROLE_ANONYMOUS);
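Review bot: ROLE_DATA_ADMIN_NAME is declared and initialised, but the hunk ends before RESERVED_ROLES is populated (the static block continues outside it), so it is worth checking that the new name is added to that list like the others presumably are; if RESERVED_ROLES is what keeps directory users from defining a role under one of these DNs, leaving the data-admin DN out of it would be an oversight. A javadoc on the new constant, such as `/** DN of the data administration role; see DataAdminPrincipal. */`, would also help, hedged since NodeConstants.ROLE_DATA_ADMIN is not visible here.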