I put the documentation in the FAQ
http://docs.ofbiz.org/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-CAS

Jacques

From: <jler...@apache.org>
Author: jleroux
Date: Thu Jan 22 06:52:24 2009
New Revision: 736660

URL: http://svn.apache.org/viewvc?rev=736660&view=rev
Log:
A patch from Guy Gershoni "Allow use of HttpServletRequest.getRemoteUser() for 3rd party authentication" (https://issues.apache.org/jira/browse/OFBIZ-1906) - OFBIZ-1906
I did not test the CAS case, but reviewed the code and tested in std mode (not 
using CAS) and it's OK

Modified:
   ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
   ofbiz/trunk/framework/security/config/security.properties
   ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java

Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml 
(original)
+++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Thu 
Jan 22 06:52:24 2009
@@ -51,6 +51,7 @@
        <!-- Events to run on every request before security (chains exempt) -->
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" 
invoke="check509CertLogin"/>
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" 
invoke="checkRequestHeaderLogin"/>
+        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" 
invoke="checkServletRequestRemoteUserLogin"/>
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" 
invoke="checkExternalLoginKey"/>
        <event type="java" path="org.ofbiz.webapp.control.ProtectViewWorker" 
invoke="checkProtectedView"/>
    </preprocessor>
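Review bot: The new checkServletRequestRemoteUserLogin event is placed after checkRequestHeaderLogin and before checkExternalLoginKey, and since each of these can establish the session login, that order decides precedence: a configured REMOTE_USER header login wins over the container principal. That is reasonable but not stated anywhere; a comment on the new line such as `<!-- runs after header login, so a header-based login takes precedence over getRemoteUser() -->` would save the next reader from working it out. The event itself is registered for every request; the Java side appears to gate on `security.login.http.servlet.remoteuserlogin.allow`, so the cost when disabled is one property lookup per request.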

Modified: ofbiz/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Thu Jan 22 
06:52:24 2009
@@ -72,6 +72,10 @@
# -- HTTP header based ID (for integrations; uncomment to enable)
#security.login.http.header=REMOTE_USER

+# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment 
to enable)
+# Use for external authentication solutions like CAS which overload the 
getRemoteUser method.
+#security.login.http.servlet.remoteuserlogin.allow=true
+
# -- pattern for the userlogin id in CN section of certificate
security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$

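Review bot: The comment on the new property describes what it is for but not what it trusts: once `security.login.http.servlet.remoteuserlogin.allow=true` is set, any UserLogin whose id equals the name returned by getRemoteUser() is logged in with no password or other credential check, so the only safeguard is that the container or an authentication filter is the sole thing populating that principal. I would extend the comment to say so, e.g. `# WARNING: when enabled, a UserLogin is logged in purely on the principal name reported by the container (no credential check); only enable behind a trusted authentication filter such as a CAS client.` The "(for integration; uncomment to enable)" wording also reads better as "(for integrations; uncomment to enable)", matching the header entry two lines above.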

Modified: 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java 
(original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java 
Thu Jan 22 06:52:24 2009
@@ -608,6 +608,49 @@
        return "success";
    }

+    private static boolean isUserLoggedIn(HttpServletRequest request) {
+        HttpSession session = request.getSession();
+        GenericValue currentUserLogin = (GenericValue) 
session.getAttribute("userLogin");
+        if (currentUserLogin != null) {
+            String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
+            if (hasLoggedOut != null && "N".equals(hasLoggedOut)) {
+                return true;
+            }
+            // User is not logged in so lets clear the attribute
+            session.setAttribute("userLogin", null);
+        }
+        return false;
+    }
+
+    /**
+     * This method will log in a user with only their username (userLoginId).
+     * @param request
+     * @param response
+     * @param userLoginId
+     * @return Returns "success" if user could be logged in or "error" if 
there was a problem.
+     */
+ private static String loginUserWithUserLoginId(HttpServletRequest request, HttpServletResponse response, String userLoginId) {
+        GenericDelegator delegator = (GenericDelegator) 
request.getAttribute("delegator");
+        try {
+            GenericValue userLogin = delegator.findOne("UserLogin", false, 
"userLoginId", userLoginId);
+            if (userLogin != null) {
+                String enabled = userLogin.getString("enabled");
+                if (enabled == null || "Y".equals(enabled)) {
+                    userLogin.set("hasLoggedOut", "N");
+                    userLogin.store();
+
+                    // login the user
+                    Map<String, Object> ulSessionMap = 
LoginServices.getUserLoginSession(userLogin);
+                    return doMainLogin(request, response, userLogin, 
ulSessionMap); // doing the main login
+                }
+            }
+        } catch (GeneralException e) {
+            Debug.logError(e, module);
+        }
+        // Shouldn't be here if all went well
+        return "error";
+    }
+
    // preprocessor method to login a user from a HTTP request header 
(configured in security.properties)
    public static String checkRequestHeaderLogin(HttpServletRequest request, 
HttpServletResponse response) {
        String httpHeader = UtilProperties.getPropertyValue("security.properties", 
"security.login.http.header", null);
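Review bot: isUserLoggedIn changes the null handling that the code it replaces had: the removed check in the second hunk treated only `"Y".equals(hasLoggedOut)` as logged out, whereas the new helper treats only `"N"` as logged in, so a session userLogin with a null hasLoggedOut is now considered logged out and is cleared from the session before the header or remote-user login proceeds. If that is unintended, `if (!"Y".equals(currentUserLogin.getString("hasLoggedOut"))) { return true; }` keeps the old semantics (the explicit null test is redundant either way, since `"N".equals(null)` is false). A predicate named isUserLoggedIn that also does `session.setAttribute("userLogin", null)` is surprising; either document the side effect on the method or move the clearing into the callers. The javadoc of loginUserWithUserLoginId should also say what it does not do: it performs no credential check and must only be called with an identifier established by a trusted source (header, certificate, container principal), and "error" is returned both when the id is unknown and when the account is disabled. checkRequestHeaderLogin starts here but its body continues in the next hunk.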
@@ -616,45 +659,44 @@
        if (UtilValidate.isNotEmpty(httpHeader)) {

            // make sure the user isn't already logged in
-            HttpSession session = request.getSession();
-            GenericValue currentUserLogin = (GenericValue) 
session.getAttribute("userLogin");
-            if (currentUserLogin != null) {
-                String hasLoggedOut = 
currentUserLogin.getString("hasLoggedOut");
-                if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
-                    currentUserLogin = null;
+            if (!LoginWorker.isUserLoggedIn(request)) {
+                // user is not logged in; check the header field
+                String headerValue = request.getHeader(httpHeader);
+                if (UtilValidate.isNotEmpty(headerValue)) {
+                    return LoginWorker.loginUserWithUserLoginId(request, 
response, headerValue);
+                }
+                else {
+                    // empty headerValue is not good
+                    return "error";
                }
            }
+        }

-            // user is not logged in; check the header field
-            if (currentUserLogin == null) {
-                String headerValue = request.getHeader(httpHeader);
-                if (UtilValidate.isNotEmpty(headerValue)) {
-                    GenericDelegator delegator = (GenericDelegator) 
request.getAttribute("delegator");
+        return "success";
+    }

-                    // header field found; log the user in
-                    try {
-                        GenericValue userLogin = delegator.findOne("UserLogin", false, 
"userLoginId", headerValue);
-                        if (userLogin != null) {
-                            String enabled = userLogin.getString("enabled");
-                            if (enabled == null || "Y".equals(enabled)) {
-                                userLogin.set("hasLoggedOut", "N");
-                                userLogin.store();
-
-                                // login the user
-                                Map<String, Object> ulSessionMap = 
LoginServices.getUserLoginSession(userLogin);
-                                return doMainLogin(request, response, 
userLogin, ulSessionMap); // doing the main login
-                            }
-                        }
-                    } catch (GeneralException e) {
-                        Debug.logError(e, module);
-                    }
+    // preprocessor method to login a user from 
HttpServletRequest.getRemoteUser() (configured in security.properties)
+    public static String checkServletRequestRemoteUserLogin(HttpServletRequest 
request, HttpServletResponse response) {
+ Boolean allowRemoteUserLogin = "true".equals(UtilProperties.getPropertyValue("security", "security.login.http.servlet.remoteuserlogin.allow", "false"));
+        // make sure logging users via remote user is allowed in 
security.properties; if not just return
+        if (allowRemoteUserLogin) {
+
+            // make sure the user isn't already logged in
+            if (!LoginWorker.isUserLoggedIn(request)) {
+                // lets grab the remoteUserId
+                String remoteUserId = request.getRemoteUser();
+                if (UtilValidate.isNotEmpty(remoteUserId)) {
+                    return LoginWorker.loginUserWithUserLoginId(request, 
response, remoteUserId);
+                }
+                else {
+                    // empty remoteUserId is not good
+                    return "error";
                }
            }
        }

        return "success";
    }
-
    // preprocessor method to login a user w/ client certificate see 
security.properties to configure the pattern of CN
    public static String check509CertLogin(HttpServletRequest request, 
HttpServletResponse response) {
boolean doCheck = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "security.login.cert.allow", "true"));
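Review bot: checkServletRequestRemoteUserLogin reads the allow flag with resource name `"security"`, while every other lookup in this file, including checkRequestHeaderLogin and check509CertLogin, passes `"security.properties"`; if UtilProperties does not resolve the bare name to the same file, the flag is never read and the feature is silently disabled, so the call should be aligned with its siblings: `boolean allowRemoteUserLogin = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "security.login.http.servlet.remoteuserlogin.allow", "false"));` (this also drops the boxed `Boolean` and matches the case-insensitive comparison used by check509CertLogin). When the flag is on and getRemoteUser() returns null the method returns "error" for that request; this mirrors the existing header behaviour, but for a container where not every URL is protected an anonymous request to a public page will presumably be rejected, which is worth confirming against how the request handler treats a non-success preprocessor result. The indentation of the property-lookup line is also off relative to the rest of the method.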


