Author: jaz
Date: Tue May 13 13:59:03 2008
New Revision: 656008
URL: http://svn.apache.org/viewvc?rev=656008&view=rev
Log:
added support for third party policy servicers; setting the userLoginId in a request header, ofbiz will assume the user has already been authenticated and log the user in. This is DISABLED by default (see security.properties) be sure your policy server is running in front of ofbiz to avoid security issues (spoofing).
Jira: OFBIZ-1781
Modified:
ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
ofbiz/trunk/framework/security/config/security.properties
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=656008&r1=656007&r2=656008&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original)
+++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Tue May 13 13:59:03 2008
@@ -42,6 +42,7 @@
 <preprocessor>
 <!-- Events to run on every request before security (chains exempt) -->
 <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="check509CertLogin"/>
+ <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/>
 <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
 </preprocessor>
 <postprocessor>
Modified: ofbiz/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=656008&r1=656007&r2=656008&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Tue May 13 13:59:03 2008
@@ -63,6 +63,9 @@
 # -- should we allow x509 certificate login
 security.login.cert.allow=true
+# -- HTTP header based ID (for integrations; uncomment to enable)
+#security.login.http.header=REMOTE_USER
+
 # -- pattern for the userlogin id in CN section of certificate
 security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=656008&r1=656007&r2=656008&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Tue May 13 13:59:03 2008
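Review bot: The new `security.login.http.header` comment does not state who is expected to set the header, and the example value `REMOTE_USER` reads like the CGI/servlet environment variable rather than an HTTP request header a proxy would inject; since LoginWorker.checkRequestHeaderLogin reads it via `request.getHeader()` and logs the user in with no further check, any client that can reach OFBiz directly can send that header itself. The comment should spell out the trust assumption, e.g. `# -- HTTP header based ID (for integrations; uncomment to enable). The named header MUST be set only by a trusted policy/proxy server in front of OFBiz, which must also strip any copy of it arriving from the client; never enable this when OFBiz is reachable directly.` Naming a header that a real proxy emits (rather than `REMOTE_USER`) in the example would also make the intended deployment clearer.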
@@ -603,6 +603,53 @@
 return "success";
 }
+ // preprocessor method to login a user from a HTTP request header (configured in security.properties)
+ public static String checkRequestHeaderLogin(HttpServletRequest request, HttpServletResponse response) {
+ String httpHeader = UtilProperties.getPropertyValue("security.properties", "security.login.http.header", null);
+
+ // make sure the header field is set in security.properties; if not, then this is disabled and just return
+ if (UtilValidate.isNotEmpty(httpHeader)) {
+
+ // make sure the user isn't already logged in
+ HttpSession session = request.getSession();
+ GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
+ if (currentUserLogin != null) {
+ String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
+ if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
+ currentUserLogin = null;
+ }
+ }
+
+ // user is not logged in; check the header field
+ if (currentUserLogin == null) {
+ String headerValue = request.getHeader(httpHeader);
+ if (UtilValidate.isNotEmpty(headerValue)) {
+ GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
+
+ // header field found; log the user in
+ try {
+ GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", headerValue);
+ if (userLogin != null) {
+ String enabled = userLogin.getString("enabled");
+ if (enabled == null || "Y".equals(enabled)) {
+ userLogin.set("hasLoggedOut", "N");
+ userLogin.store();
+
+ // login the user
+ Map ulSessionMap = LoginServices.getUserLoginSession(userLogin);
+ return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
+ }
+ }
+ } catch (GeneralException e) {
+ Debug.logError(e, module);
+ }
+ }
+ }
+ }
+
+ return "success";
+ }
+
 // preprocessor method to login a user w/ client certificate see security.properties to configure the pattern of CN
 public static String check509CertLogin(HttpServletRequest request, HttpServletResponse
response) { boolean doCheck = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "security.login.cert.allow", "true")); |
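Review bot: checkRequestHeaderLogin trusts the header value as an already-authenticated userLoginId with no check that the request actually arrived through the policy server — the commit log acknowledges the spoofing risk, but the code has no guard, so once the property is set the login is exactly as strong as the deployment's ability to block direct access and strip client-supplied copies of the header. At minimum the success path before `return doMainLogin(request, response, userLogin, ulSessionMap);` should leave an audit trail, e.g. `Debug.logInfo("Header-based login of " + headerValue + " from " + request.getRemoteAddr(), module);`, and the two silent outcomes (no UserLogin for the header value, or `enabled` not Y) deserve a `Debug.logWarning`, since an upstream asserting an identity that cannot be logged in is itself worth noticing. Note also that the method only acts when the session holds no userLogin (or one with hasLoggedOut=Y), so a request whose header names a different user than the session's current userLogin keeps the session user rather than re-authenticating; that should be either documented on the method or handled by comparing the ids. A remote-address allow-list for the proxy would be the usual hardening but needs a new property, so it is a follow-up. check509CertLogin's body continues outside the hunk.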