svn commit: r736660 - in /ofbiz/trunk/framework: common/webcommon/WEB-INF/common-controller.xml security/config/security.properties webapp/src/org/ofbiz/webapp/control/LoginWorker.java


svn commit: r736660 - in /ofbiz/trunk/framework: common/webcommon/WEB-INF/common-controller.xml security/config/security.properties webapp/src/org/ofbiz/webapp/control/LoginWorker.java

jleroux@apache.org
Author: jleroux
Date: Thu Jan 22 06:52:24 2009
New Revision: 736660

URL: http://svn.apache.org/viewvc?rev=736660&view=rev
Log:
A patch from Guy Gershoni: "Allow use of HttpServletRequest.getRemoteUser() for 3rd party authentication" (https://issues.apache.org/jira/browse/OFBIZ-1906) - OFBIZ-1906
I did not test the CAS case, but I reviewed the code and tested it in standard mode (not using CAS), and it works.

Modified:
    ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
    ofbiz/trunk/framework/security/config/security.properties
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java

Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original)
+++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Thu Jan 22 06:52:24 2009
@@ -51,6 +51,7 @@
         <!-- Events to run on every request before security (chains exempt) -->
         <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="check509CertLogin"/>
         <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/>
+        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkServletRequestRemoteUserLogin"/>
         <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
         <event type="java" path="org.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"/>
     </preprocessor>

Modified: ofbiz/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Thu Jan 22 06:52:24 2009
@@ -72,6 +72,10 @@
 # -- HTTP header based ID (for integrations; uncomment to enable)
 #security.login.http.header=REMOTE_USER
 
+# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
+# Use for external authentication solutions like CAS which overload the getRemoteUser method.
+#security.login.http.servlet.remoteuserlogin.allow=true
+
 # -- pattern for the userlogin id in CN section of certificate
 security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
 

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Thu Jan 22 06:52:24 2009
@@ -608,6 +608,49 @@
         return "success";
     }
 
+    private static boolean isUserLoggedIn(HttpServletRequest request) {
+        HttpSession session = request.getSession();
+        GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
+        if (currentUserLogin != null) {
+            String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
+            if (hasLoggedOut != null && "N".equals(hasLoggedOut)) {
+                return true;
+            }
+            // User is not logged in so lets clear the attribute
+            session.setAttribute("userLogin", null);
+        }
+        return false;
+    }
+
+    /**
+     * This method will log in a user with only their username (userLoginId).
+     * @param request
+     * @param response
+     * @param userLoginId
+     * @return Returns "success" if user could be logged in or "error" if there was a problem.
+     */
+    private static String loginUserWithUserLoginId(HttpServletRequest request, HttpServletResponse response, String userLoginId) {
+        GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
+        try {
+            GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", userLoginId);
+            if (userLogin != null) {
+                String enabled = userLogin.getString("enabled");
+                if (enabled == null || "Y".equals(enabled)) {
+                    userLogin.set("hasLoggedOut", "N");
+                    userLogin.store();
+
+                    // login the user
+                    Map<String, Object> ulSessionMap = LoginServices.getUserLoginSession(userLogin);
+                    return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
+                }
+            }
+        } catch (GeneralException e) {
+            Debug.logError(e, module);
+        }
+        // Shouldn't be here if all went well
+        return "error";
+    }
+    
     // preprocessor method to login a user from a HTTP request header (configured in security.properties)
     public static String checkRequestHeaderLogin(HttpServletRequest request, HttpServletResponse response) {
         String httpHeader = UtilProperties.getPropertyValue("security.properties", "security.login.http.header", null);
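Review bot: `isUserLoggedIn` (L68–L80) treats a null `hasLoggedOut` as logged out and clears the session's `userLogin` attribute, whereas the code it replaces in `checkRequestHeaderLogin` only stood down when `hasLoggedOut` was "Y" and never touched the session; a session whose UserLogin carries no `hasLoggedOut` value is now silently logged out on every request, which looks like an unintended side effect of the refactor, and `if (!"Y".equals(hasLoggedOut)) { return true; }` would restore the previous semantics if they are wanted. The helper's name reads as a pure query, so the session mutation deserves a comment such as `// side effect: a stale userLogin (hasLoggedOut != "N") is removed from the session`. `loginUserWithUserLoginId` establishes a session for a user from the identifier alone, with no credential check, so its Javadoc should state that explicitly and that callers must obtain `userLoginId` only from a trusted source (a configured header or the container's authenticated principal). It also dereferences the `delegator` request attribute without a null check, which is inherited from the code it replaces but worth noting since the helper is now reachable from two preprocessors.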
@@ -616,45 +659,44 @@
         if (UtilValidate.isNotEmpty(httpHeader)) {
 
             // make sure the user isn't already logged in
-            HttpSession session = request.getSession();
-            GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
-            if (currentUserLogin != null) {
-                String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
-                if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
-                    currentUserLogin = null;
+            if (!LoginWorker.isUserLoggedIn(request)) {
+                // user is not logged in; check the header field
+                String headerValue = request.getHeader(httpHeader);
+                if (UtilValidate.isNotEmpty(headerValue)) {
+                    return LoginWorker.loginUserWithUserLoginId(request, response, headerValue);
+                }
+                else {
+                    // empty headerValue is not good
+                    return "error";
                 }
             }
+        }
 
-            // user is not logged in; check the header field
-            if (currentUserLogin == null) {
-                String headerValue = request.getHeader(httpHeader);
-                if (UtilValidate.isNotEmpty(headerValue)) {
-                    GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
+        return "success";
+    }
 
-                    // header field found; log the user in
-                    try {
-                        GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", headerValue);
-                        if (userLogin != null) {
-                            String enabled = userLogin.getString("enabled");
-                            if (enabled == null || "Y".equals(enabled)) {
-                                userLogin.set("hasLoggedOut", "N");
-                                userLogin.store();
-
-                                // login the user
-                                Map<String, Object> ulSessionMap = LoginServices.getUserLoginSession(userLogin);
-                                return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
-                            }
-                        }
-                    } catch (GeneralException e) {
-                        Debug.logError(e, module);
-                    }
+    // preprocessor method to login a user from HttpServletRequest.getRemoteUser() (configured in security.properties)
+    public static String checkServletRequestRemoteUserLogin(HttpServletRequest request, HttpServletResponse response) {
+        Boolean allowRemoteUserLogin = "true".equals(UtilProperties.getPropertyValue("security", "security.login.http.servlet.remoteuserlogin.allow", "false"));
+        // make sure logging users via remote user is allowed in security.properties; if not just return
+        if (allowRemoteUserLogin) {
+
+            // make sure the user isn't already logged in
+            if (!LoginWorker.isUserLoggedIn(request)) {
+                // lets grab the remoteUserId
+                String remoteUserId = request.getRemoteUser();
+                if (UtilValidate.isNotEmpty(remoteUserId)) {
+                    return LoginWorker.loginUserWithUserLoginId(request, response, remoteUserId);
+                }
+                else {
+                    // empty remoteUserId is not good
+                    return "error";
                 }
             }
         }
 
         return "success";
     }
-
     // preprocessor method to login a user w/ client certificate see security.properties to configure the pattern of CN
     public static String check509CertLogin(HttpServletRequest request, HttpServletResponse response) {
         boolean doCheck = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "security.login.cert.allow", "true"));
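Review bot: The new `else { return "error"; }` branches at L130–L132 and L175–L177 turn a missing header or a null `getRemoteUser()` into an error for every request from a not-yet-logged-in user, whereas the removed code (L137–L140) simply fell through to "success" when the header was absent; if a non-success return from a preprocessor event aborts the request — which I believe is how the controller treats it, but confirm — enabling either property would block all anonymous access instead of just skipping the auto-login. Dropping the two `else` blocks so both methods fall through to the trailing `return "success";` keeps the behaviour the header login had before. Separately, `checkServletRequestRemoteUserLogin` reads its flag with resource name `"security"` and a case-sensitive `"true".equals(...)`, while the neighbouring methods at L113 and L187 use `"security.properties"` and `equalsIgnoreCase`; unless `UtilProperties` resolves both names to the same file, the flag would never be found, so `boolean allowRemoteUserLogin = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "security.login.http.servlet.remoteuserlogin.allow", "false"));` would match the rest of the class and also avoid the boxed `Boolean`.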