From: Mathieu Baudier Date: Tue, 3 Jan 2023 05:52:16 +0000 (+0100) Subject: Start improving single-user login X-Git-Tag: v2.1.111~1^2~3 X-Git-Url: https://git.argeo.org/?p=lgpl%2Fargeo-commons.git;a=commitdiff_plain;h=e75cf778a87f1b2ef7cfc57339ccbf9657282e92 Start improving single-user login --- diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java index 289f8dcc6..379920724 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java @@ -45,6 +45,7 @@ class CmsAuthUtils { final static String SHARED_STATE_CERTIFICATE_CHAIN = "org.argeo.cms.auth.certificateChain"; final static String SHARED_STATE_REMOTE_ADDR = "org.argeo.cms.auth.remote.addr"; final static String SHARED_STATE_REMOTE_PORT = "org.argeo.cms.auth.remote.port"; + final static String SHARED_STATE_OS_USERNAME = "org.argeo.cms.os.username"; final static String SINGLE_USER_LOCAL_ID = "single-user"; diff --git a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java index 4b36f28ab..10e091ead 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/SingleUserLoginModule.java @@ -7,6 +7,7 @@ import javax.naming.ldap.LdapName; import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.kerberos.KerberosPrincipal; +import javax.security.auth.login.CredentialException; import javax.security.auth.login.LoginException; import javax.security.auth.spi.LoginModule; import javax.security.auth.x500.X500Principal; @@ -35,8 +36,12 @@ public class SingleUserLoginModule implements LoginModule { @Override public boolean login() throws LoginException { String username = System.getProperty("user.name"); - if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)) - sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, username); + if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME) + && !username.equals(sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME))) + throw new CredentialException( + "OS username already set with " + sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME)); + if (!sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) + sharedState.put(CmsAuthUtils.SHARED_STATE_OS_USERNAME, username); return true; } @@ -49,7 +54,7 @@ public class SingleUserLoginModule implements LoginModule { X500Principal principal = new X500Principal(userDn.toString()); authorizationName = principal.getName(); } else { - Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); + Object username = sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME); if (username == null) throw new LoginException("No username available"); String hostname = CmsContextImpl.getCmsContext().getCmsState().getHostname(); diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java index 2b5c41ddf..53161e58c 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java @@ -103,6 +103,11 @@ public class UserAdminLoginModule implements LoginModule { username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_NAME); password = null; preauth = true; + } else if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) { + // single user, we assume Kerberos or other mean for commit + username = (String) sharedState.get(CmsAuthUtils.SHARED_STATE_OS_USERNAME); + password = null; + preauth = true; } else { // ask for username and password @@ -205,7 +210,7 @@ public class UserAdminLoginModule implements LoginModule { // } UserAdmin userAdmin = CmsContextImpl.getCmsContext().getUserAdmin(); Authorization authorization; - if (callbackHandler == null) {// anonymous + if (callbackHandler == null && !sharedState.containsKey(CmsAuthUtils.SHARED_STATE_OS_USERNAME)) {// anonymous authorization = userAdmin.getAuthorization(null); } else if (bindAuthorization != null) {// bind authorization = bindAuthorization; diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg b/org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg index 51db582c6..0ef142f4a 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg +++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/jaas-ipa.cfg @@ -32,7 +32,8 @@ SINGLE_USER { com.sun.security.auth.module.Krb5LoginModule optional storeKey=true useTicketCache=true; - org.argeo.cms.auth.SingleUserLoginModule requisite; + org.argeo.cms.auth.SingleUserLoginModule required; + org.argeo.cms.auth.UserAdminLoginModule optional; }; Jackrabbit {