I put the documentation in FAQ
http://docs.ofbiz.org/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-CAS
Jacques
From: <[hidden email]>
> Author: jleroux
> Date: Thu Jan 22 06:52:24 2009
> New Revision: 736660
>
> URL: http://svn.apache.org/viewvc?rev=736660&view=rev
> Log:
> A patch from Guy Gershoni "Allow use of HttpServletRequest.getRemoteUser() for 3rd party authentication"
> '(https://issues.apache.org/jira/browse/OFBIZ-1906) - OFBIZ-1906
> I did not test the CAS case, but reviewed the code and tested in std mode (not using CAS) and it's OK
>
> Modified:
> ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
> ofbiz/trunk/framework/security/config/security.properties
> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
>
> Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=736660&r1=736659&r2=736660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original)
> +++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Thu Jan 22 06:52:24 2009
> @@ -51,6 +51,7 @@
> <!-- Events to run on every request before security (chains exempt) -->
> <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="check509CertLogin"/>
> <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/>
> + <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkServletRequestRemoteUserLogin"/>
> <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
> <event type="java" path="org.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"/>
> </preprocessor>
>
> Modified: ofbiz/trunk/framework/security/config/security.properties
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=736660&r1=736659&r2=736660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/security/config/security.properties (original)
> +++ ofbiz/trunk/framework/security/config/security.properties Thu Jan 22 06:52:24 2009
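Review bot: The added preprocessor event carries no comment saying that it is inert until `security.login.http.servlet.remoteuserlogin.allow=true` is set in security.properties, nor that its position after `checkRequestHeaderLogin` matters, so a reader of this file cannot tell when it fires. Both login events are guarded by the same isUserLoggedIn() check in LoginWorker, so if header login and remote-user login are both enabled the header-based one, listed first, establishes the session and the container principal is never consulted. I would add `<!-- no-op unless security.login.http.servlet.remoteuserlogin.allow=true; runs after header login, so a header-established session takes precedence -->` above the new line.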
> @@ -72,6 +72,10 @@
> # -- HTTP header based ID (for integrations; uncomment to enable)
> #security.login.http.header=REMOTE_USER
>
> +# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
> # Use for external authentication solutions like CAS which overload the getRemoteUser method.
> +#security.login.http.servlet.remoteuserlogin.allow=true
> +
> # -- pattern for the userlogin id in CN section of certificate
> security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
>
>
> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=736660&r1=736659&r2=736660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Thu Jan 22 06:52:24 2009
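Review bot: The comment on the new key does not warn about what enabling it does: in the LoginWorker hunk of this same commit, checkServletRequestRemoteUserLogin() returns "error" for any request where the user is not already logged in and getRemoteUser() is empty, so once the flag is on every anonymous request that reaches the preprocessor is rejected unless the container or CAS authenticates every URL. It also does not say that the principal name is used verbatim as the OFBiz userLoginId with no password or further check, so whoever issues principals effectively decides which OFBiz accounts can be entered. I would extend the comment with `# WARNING: when enabled, getRemoteUser() is taken as the userLoginId without a password check,` and `# and a request with no container-authenticated user is answered with "error" by the login preprocessor.` Whether that "error" aborts the request is decided by the controller, which is outside this commit.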
> @@ -608,6 +608,49 @@
> return "success";
> }
>
> + private static boolean isUserLoggedIn(HttpServletRequest request) {
> + HttpSession session = request.getSession();
> + GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
> + if (currentUserLogin != null) {
> + String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
> + if (hasLoggedOut != null && "N".equals(hasLoggedOut)) {
> + return true;
> + }
> + // User is not logged in so lets clear the attribute
> + session.setAttribute("userLogin", null);
> + }
> + return false;
> + }
> +
> + /**
> + * This method will log in a user with only their username (userLoginId).
> + * @param request
> + * @param response
> + * @param userLoginId
> + * @return Returns "success" if user could be logged in or "error" if there was a problem.
> + */
> + private static String loginUserWithUserLoginId(HttpServletRequest request, HttpServletResponse response, String userLoginId)
> {
> + GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
> + try {
> + GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", userLoginId);
> + if (userLogin != null) {
> + String enabled = userLogin.getString("enabled");
> + if (enabled == null || "Y".equals(enabled)) {
> + userLogin.set("hasLoggedOut", "N");
> + userLogin.store();
> +
> + // login the user
> + Map<String, Object> ulSessionMap = LoginServices.getUserLoginSession(userLogin);
> + return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
> + }
> + }
> + } catch (GeneralException e) {
> + Debug.logError(e, module);
> + }
> + // Shouldn't be here if all went well
> + return "error";
> + }
> +
> // preprocessor method to login a user from a HTTP request header (configured in security.properties)
> public static String checkRequestHeaderLogin(HttpServletRequest request, HttpServletResponse response) {
> String httpHeader = 
UtilProperties.getPropertyValue("security.properties", "security.login.http.header", null); 
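Review bot: isUserLoggedIn() silently changes the session check it replaces: the removed code in checkRequestHeaderLogin (next hunk) treated a session `userLogin` whose hasLoggedOut was null as still logged in and only an explicit "Y" invalidated it, whereas the new helper returns true only for an explicit "N" and otherwise clears the attribute, so a session whose UserLogin has no hasLoggedOut value is now re-logged-in from the header or container principal on the next request. If that is intended the method needs a Javadoc saying so; if not, keep the old semantics with `if (hasLoggedOut == null || !"Y".equals(hasLoggedOut)) { return true; }`. Either way `session.removeAttribute("userLogin");` is the idiomatic form of the clear rather than `session.setAttribute("userLogin", null)`. loginUserWithUserLoginId() performs no credential check at all, so its Javadoc should state that it must only be called with an identity already established by an external authenticator, and that a missing `enabled` value is treated as enabled, exactly as the inline code it was extracted from did.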
> @@ -616,45 +659,44 @@
> if (UtilValidate.isNotEmpty(httpHeader)) {
>
> // make sure the user isn't already logged in
> - HttpSession session = request.getSession();
> - GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
> - if (currentUserLogin != null) {
> - String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
> - if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
> - currentUserLogin = null;
> + if (!LoginWorker.isUserLoggedIn(request)) {
> + // user is not logged in; check the header field
> + String headerValue = request.getHeader(httpHeader);
> + if (UtilValidate.isNotEmpty(headerValue)) {
> + return LoginWorker.loginUserWithUserLoginId(request, response, headerValue);
> + }
> + else {
> + // empty headerValue is not good
> + return "error";
> }
> }
> + }
>
> - // user is not logged in; check the header field
> - if (currentUserLogin == null) {
> - String headerValue = request.getHeader(httpHeader);
> - if (UtilValidate.isNotEmpty(headerValue)) {
> - GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
> + return "success";
> + }
>
> - // header field found; log the user in
> - try {
> - GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", headerValue);
> - if (userLogin != null) {
> - String enabled = userLogin.getString("enabled");
> - if (enabled == null || "Y".equals(enabled)) {
> - userLogin.set("hasLoggedOut", "N");
> - userLogin.store();
> -
> - // login the user
> - Map<String, Object> ulSessionMap = LoginServices.getUserLoginSession(userLogin);
> - return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
> - }
> - }
> - } catch (GeneralException e) {
> - Debug.logError(e, module);
> - }
> + // preprocessor method to login a user from HttpServletRequest.getRemoteUser() (configured in security.properties)
> + public static String checkServletRequestRemoteUserLogin(HttpServletRequest request, HttpServletResponse 
response) {
> + Boolean allowRemoteUserLogin = "true".equals(UtilProperties.getPropertyValue("security",
> "security.login.http.servlet.remoteuserlogin.allow", "false"));
> + // make sure logging users via remote user is allowed in security.properties; if not just return
> + if (allowRemoteUserLogin) {
> +
> + // make sure the user isn't already logged in
> + if (!LoginWorker.isUserLoggedIn(request)) {
> + // lets grab the remoteUserId
> + String remoteUserId = request.getRemoteUser();
> + if (UtilValidate.isNotEmpty(remoteUserId)) {
> + return LoginWorker.loginUserWithUserLoginId(request, response, remoteUserId);
> + }
> + else {
> + // empty remoteUserId is not good
> + return "error";
> }
> }
> }
>
> return "success";
> }
> -
> // preprocessor method to login a user w/ client certificate see security.properties to configure the pattern of CN
> public static String check509CertLogin(HttpServletRequest request, HttpServletResponse response) {
> boolean doCheck = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties",
> "security.login.cert.allow", "true"));
>
> |
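Review bot: checkServletRequestRemoteUserLogin() only consults getRemoteUser() when isUserLoggedIn() is false, so an OFBiz session established earlier is kept even when the container now reports a different principal, or none at all; the two identities are never compared, which matters for shared browsers and for a CAS logout that does not reach OFBiz, and at minimum a comment such as `// first established identity wins; a changed or cleared container principal does not touch an existing session` should make that trust decision explicit. The flag is read from the resource named `"security"` while the neighbouring checkRequestHeaderLogin and check509CertLogin read `"security.properties"`; UtilProperties may well resolve both to the same file, but nothing in the hunk justifies the difference, so I would write `boolean allowRemoteUserLogin = "true".equals(UtilProperties.getPropertyValue("security.properties", "security.login.http.servlet.remoteuserlogin.allow", "false"));`, which also replaces the boxed `Boolean` with a primitive. Note that with the flag on, a request with no remote user returns "error" before any further processing; whether that aborts the request is decided by controller code outside this hunk. The enclosing class continues past the end of the hunk.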