From 0063bc49ce0acd41ceb24edfdc0791273d012732 Mon Sep 17 00:00:00 2001
From: jensp
Date: Wed, 16 Oct 2019 18:27:11 +0000
Subject: [PATCH] JndiLoginModule is working
git-svn-id: https://svn.libreccm.org/ccm/trunk@6268 8810af33-2d31-482b-a856-94f89814c4df
---
 .../kernel/security/JndiLoginModule.java | 58 +++++++++++++------
 .../kernel/security/PasswordLoginModule.java | 4 +-
 .../kernel/security/SecurityConfig.java | 28 +++++++++
 3 files changed, 69 insertions(+), 21 deletions(-)
diff --git a/ccm-core/src/com/arsdigita/kernel/security/JndiLoginModule.java b/ccm-core/src/com/arsdigita/kernel/security/JndiLoginModule.java
index 083e37123..9587726bd 100644
--- a/ccm-core/src/com/arsdigita/kernel/security/JndiLoginModule.java
+++ b/ccm-core/src/com/arsdigita/kernel/security/JndiLoginModule.java
@@ -30,6 +30,7 @@ import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.spi.LoginModule;
+import com.arsdigita.domain.DataObjectNotFoundException;
 import com.arsdigita.kernel.UserAuthentication;
 import java.math.BigDecimal;
@@ -47,8 +48,8 @@ public class JndiLoginModule extends PasswordLoginModule implements LoginModule
 private Map sharedState;
 private Map options;
- private String username;
-
+ private UserAuthentication userAuthentication;
+
 @Override
 @SuppressWarnings({"unchecked", "rawtypes"})
 public void initialize(final Subject subject,
@@ -62,51 +63,70 @@ public class JndiLoginModule extends PasswordLoginModule implements LoginModule
 this.options = options;
 }
+ @Override
+ public boolean login() throws LoginException {
+
+ try {
+ userAuthentication = UserAuthentication
+ .retrieveForSSOlogin(getUsername());
+ } catch (DataObjectNotFoundException ex) {
+ return false;
+ }
+ final boolean result = super.login();
+ return result;
+ }
+
 @Override
 public boolean commit() throws LoginException {
 LOGGER.debug("Commit");
-
- final UserAuthentication auth = UserAuthentication
- .retrieveForSSOlogin(username);
- final BigDecimal userId = auth.getUser().getID();
+
+ if (userAuthentication == null) {
+ return false;
+ }
+
+ final BigDecimal userId = userAuthentication.getUser().getID();
 subject.getPrincipals().add(new PartyPrincipal(userId));
-
+
 return true;
 }
 @Override
 public boolean abort() throws LoginException {
 LOGGER.debug("Aborting");
+ if (userAuthentication == null) {
+ return false;
+ }
 return true;
 }
 @Override
 public boolean logout() throws LoginException {
 LOGGER.debug("Logout");
+ if (userAuthentication == null) {
+ return false;
+ }
 return true;
 }
 @Override
 protected void checkPassword(final String username, final char[] password) throws LoginException {
-
- this.username = username;
+ final SecurityConfig securityConfig = SecurityConfig.getConfig();
+ final String connectionUrl = securityConfig.getLdapConnectionUrl();
+ final String userBase = securityConfig.getLdapUserBase();
+ final String userSearch = securityConfig.getLdapUserSearch();
+
 final Hashtable env = new Hashtable<>();
 env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
- env.put(Context.PROVIDER_URL, options.get("connectionURL"));
+ env.put(Context.PROVIDER_URL, connectionUrl);
 env.put(Context.SECURITY_AUTHENTICATION, "none");
 try {
 final DirContext context = new InitialDirContext(env);
- final String userBase = (String) options.get("userBase");
- final MessageFormat userSearchFormat = new 
MessageFormat(
- (String) options.get("userSearch")
- );
- final String filter = userSearchFormat
- .format(new String[]{username});
+ final String filter = String.format(userSearch, username);
 final SearchControls searchControls = new SearchControls();
 final NamingEnumeration results = context.search( userBase, filter, searchControls
@@ -148,14 +168,14 @@ public class JndiLoginModule extends PasswordLoginModule implements LoginModule
 throw new KernelLoginException(ex);
 }
 }
-
+
 final String userDn = name.toString();
 context.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
 context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
-
+
 try {
 context.getAttributes("", null);
- } catch(AuthenticationException ex) {
+ } catch (AuthenticationException ex) {
 LOGGER.info("LDAP login failed.");
 throw new FailedLoginException(
 "Bad username / password for LDAP"
diff --git a/ccm-core/src/com/arsdigita/kernel/security/PasswordLoginModule.java b/ccm-core/src/com/arsdigita/kernel/security/PasswordLoginModule.java
index fb5c6c161..8ba343251 100755
--- a/ccm-core/src/com/arsdigita/kernel/security/PasswordLoginModule.java
+++ b/ccm-core/src/com/arsdigita/kernel/security/PasswordLoginModule.java
@@ -100,7 +100,7 @@ public abstract class PasswordLoginModule implements LoginModule {
 *
 * @throws LoginException if an error occurs.
 */
- private String getUsername() throws LoginException {
+ protected String getUsername() throws LoginException {
 // get name from shared data
 // TODO: only if *Pass option set
 String username = (String)m_shared.get(NAME_KEY);
@@ -129,7 +129,7 @@ public abstract class PasswordLoginModule implements LoginModule {
 *
 * @throws LoginException if an error occurs.
 */
- private char[] getPassword() throws LoginException {
+ protected char[] getPassword() throws LoginException {
 // get password from shared data
 // TODO: only if *Pass option set
 char[] password = (char[])m_shared.get(PASSWORD_KEY);
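Review bot: `final String filter = String.format(userSearch, username);` still splices the login name into the LDAP search filter unescaped, so a name containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) changes the query that is run under `userBase`; the removed MessageFormat version had the same gap and the commit only swaps the formatting API. Escape the value per RFC 4515 before it is formatted into the configured pattern, as in the helper below. Separately, `login()` catches `DataObjectNotFoundException` and returns false without even a debug log, which makes a mis-mapped mail attribute hard to diagnose, and `logout()` only logs: it neither removes the `PartyPrincipal` that `commit()` added to `subject` nor clears `userAuthentication`, so the Subject keeps the principal after logout. `checkPassword` continues past the end of this hunk (the handling of the `context.search` result is outside it).
```java
// … unchanged: config lookup, env setup, InitialDirContext …
final String filter = String.format(userSearch, escapeFilterValue(username));
// … unchanged: search, DN lookup, bind-as-user check …

/** Escapes the RFC 4515 search-filter metacharacters in an assertion value. */
private static String escapeFilterValue(final String value) {
    final StringBuilder escaped = new StringBuilder(value.length());
    for (final char c : value.toCharArray()) {
        switch (c) {
            case '\\': escaped.append("\\5c"); break;
            case '*':  escaped.append("\\2a"); break;
            case '(':  escaped.append("\\28"); break;
            case ')':  escaped.append("\\29"); break;
            case '\0': escaped.append("\\00"); break;
            default:   escaped.append(c);
        }
    }
    return escaped.toString();
}
```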
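Review bot: Widening `getUsername()` (and `getPassword()` in the next hunk) from private to protected makes them part of the subclass contract, but the Javadoc above each (`@throws LoginException if an error occurs.`) says nothing about where the value comes from or who owns it. The visible lines read `m_shared.get(NAME_KEY)` / `m_shared.get(PASSWORD_KEY)`; if the rest of the method, which is outside the hunk, falls back to the callback handler when shared state is empty, then `JndiLoginModule.login()` calling `getUsername()` before `super.login()` would drive the name callback twice per attempt, which is worth confirming against the caller. For `getPassword()` the Javadoc should also say whether the returned `char[]` is the shared-state array itself (so a subclass that wipes it after use also clears the shared copy) or a copy. A `@return` sentence on each method naming the source of the value (shared state first, then whatever fallback the method uses) would cover it.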
diff --git a/ccm-core/src/com/arsdigita/kernel/security/SecurityConfig.java b/ccm-core/src/com/arsdigita/kernel/security/SecurityConfig.java
index edb0f98d3..494886ffa 100755
--- a/ccm-core/src/com/arsdigita/kernel/security/SecurityConfig.java
+++ b/ccm-core/src/com/arsdigita/kernel/security/SecurityConfig.java
@@ -141,6 +141,18 @@ public class SecurityConfig extends AbstractConfig {
 private final Parameter m_enableQuestion = new BooleanParameter(
 "waf.user_question.enable", Parameter.REQUIRED, Boolean.FALSE);
+ private final Parameter m_ldapConnectionUrl = new StringParameter(
+ "waf.ldap.connectionUrl", Parameter.REQUIRED, "localhost"
+ );
+
+ private final Parameter m_ldapUserBase = new StringParameter(
+ "waf.ldap.userBase", Parameter.REQUIRED, "ou=users,dc=example,dc=org"
+ );
+
+ private final Parameter m_ldapUserSearch = new StringParameter(
+ "waf.ldap.userSearch", Parameter.REQUIRED, "(mail=%s)"
+ );
+
 private final Parameter m_enableSaml = new BooleanParameter(
 "waf.enable_saml", Parameter.REQUIRED, Boolean.FALSE);
 private final Parameter m_oneLoginSaml2Strict = new BooleanParameter(
@@ -222,6 +234,10 @@ public class SecurityConfig extends AbstractConfig {
 register(m_userBanOn);
 register(m_enableQuestion);
+ register(m_ldapConnectionUrl);
+ register(m_ldapUserBase);
+ register(m_ldapUserSearch);
+
 register(m_enableSaml);
 register(m_oneLoginSaml2Debug);
@@ -331,6 +347,18 @@ public class SecurityConfig extends AbstractConfig {
 return ((Boolean) get(m_autoRegistrationOn)).booleanValue();
 }
+ public final String getLdapConnectionUrl() {
+ return (String) get(m_ldapConnectionUrl);
+ }
+
+ public final String getLdapUserBase() {
+ return (String) get(m_ldapUserBase);
+ }
+
+ public final String getLdapUserSearch() {
+ return (String) get(m_ldapUserSearch);
+ }
+
 public final boolean getEnableSaml() {
 return (Boolean) get(m_enableSaml);
 }
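Review bot: The default `"localhost"` for `waf.ldap.connectionUrl` is not a provider URL: `JndiLoginModule` puts this value straight into `Context.PROVIDER_URL`, and the JNDI LDAP provider expects the `ldap://host:port` or `ldaps://host:port` form, so the default will most likely be rejected as soon as the parameter is left unset; `"waf.ldap.connectionUrl", Parameter.REQUIRED, "ldap://localhost:389"` is a working development default. Because the user's password is sent to the server in the simple bind, the Javadoc on `getLdapConnectionUrl()` in the last hunk should state that a TLS (`ldaps://`) URL is expected outside development. `getLdapUserSearch()` should likewise document that the value is a `String.format` pattern whose single `%s` receives the login name, since `(mail=%s)` is otherwise easy to misread as a literal filter.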