Author: jleroux
Date: Thu Jan 22 06:52:24 2009
New Revision: 736660
URL: http://svn.apache.org/viewvc?rev=736660&view=rev
Log:
A patch from Guy Gershoni "Allow use of HttpServletRequest.getRemoteUser() for 3rd party authentication"
(https://issues.apache.org/jira/browse/OFBIZ-1906) - OFBIZ-1906
I did not test the CAS case, but reviewed the code and tested in std mode (not
using CAS) and it's OK
Modified:
ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
ofbiz/trunk/framework/security/config/security.properties
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
(original)
+++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Thu
Jan 22 06:52:24 2009
@@ -51,6 +51,7 @@
<!-- Events to run on every request before security (chains exempt) -->
<event type="java" path="org.ofbiz.webapp.control.LoginWorker"
invoke="check509CertLogin"/>
<event type="java" path="org.ofbiz.webapp.control.LoginWorker"
invoke="checkRequestHeaderLogin"/>
+ <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
invoke="checkServletRequestRemoteUserLogin"/>
<event type="java" path="org.ofbiz.webapp.control.LoginWorker"
invoke="checkExternalLoginKey"/>
<event type="java" path="org.ofbiz.webapp.control.ProtectViewWorker"
invoke="checkProtectedView"/>
</preprocessor>
Modified: ofbiz/trunk/framework/security/config/security.properties
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Thu Jan 22
06:52:24 2009
@@ -72,6 +72,10 @@
# -- HTTP header based ID (for integrations; uncomment to enable)
#security.login.http.header=REMOTE_USER
+# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment
to enable)
+# Use for external authentication solutions like CAS which overload the
getRemoteUser method.
+#security.login.http.servlet.remoteuserlogin.allow=true
+
# -- pattern for the userlogin id in CN section of certificate
security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
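Review bot: The new comment does not say what getRemoteUser() must return, yet the code that consumes it (LoginWorker.loginUserWithUserLoginId in this same commit) looks the value up directly as UserLogin.userLoginId and only logs the user in when that record exists and is enabled; a line such as `# The value returned by getRemoteUser() must be an existing, enabled UserLogin.userLoginId` would save integrators a round trip. It is also worth stating that, once this flag is set, a request that is not already logged in and for which the container reports no remote user is rejected by the preprocessor, so the container or CAS filter has to authenticate every request that reaches this controller.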
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=736660&r1=736659&r2=736660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
(original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
Thu Jan 22 06:52:24 2009
@@ -608,6 +608,49 @@
return "success";
}
+ private static boolean isUserLoggedIn(HttpServletRequest request) {
+ HttpSession session = request.getSession();
+ GenericValue currentUserLogin = (GenericValue)
session.getAttribute("userLogin");
+ if (currentUserLogin != null) {
+ String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
+ if (hasLoggedOut != null && "N".equals(hasLoggedOut)) {
+ return true;
+ }
+ // User is not logged in so lets clear the attribute
+ session.setAttribute("userLogin", null);
+ }
+ return false;
+ }
+
+ /**
+ * This method will log in a user with only their username (userLoginId).
+ * @param request
+ * @param response
+ * @param userLoginId
+ * @return Returns "success" if user could be logged in or "error" if
there was a problem.
+ */
+ private static String loginUserWithUserLoginId(HttpServletRequest request, HttpServletResponse response, String userLoginId)
{
+ GenericDelegator delegator = (GenericDelegator)
request.getAttribute("delegator");
+ try {
+ GenericValue userLogin = delegator.findOne("UserLogin", false,
"userLoginId", userLoginId);
+ if (userLogin != null) {
+ String enabled = userLogin.getString("enabled");
+ if (enabled == null || "Y".equals(enabled)) {
+ userLogin.set("hasLoggedOut", "N");
+ userLogin.store();
+
+ // login the user
+ Map<String, Object> ulSessionMap =
LoginServices.getUserLoginSession(userLogin);
+ return doMainLogin(request, response, userLogin,
ulSessionMap); // doing the main login
+ }
+ }
+ } catch (GeneralException e) {
+ Debug.logError(e, module);
+ }
+ // Shouldn't be here if all went well
+ return "error";
+ }
+
// preprocessor method to login a user from a HTTP request header
(configured in security.properties)
public static String checkRequestHeaderLogin(HttpServletRequest request,
HttpServletResponse response) {
String httpHeader = UtilProperties.getPropertyValue("security.properties",
"security.login.http.header", null);
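Review bot: isUserLoggedIn inverts the old test — the removed code in the next hunk treated a session userLogin as logged in unless hasLoggedOut was "Y", whereas the new `if (hasLoggedOut != null && "N".equals(hasLoggedOut))` treats a null hasLoggedOut as logged out and then clears the attribute with `session.setAttribute("userLogin", null)`. If hasLoggedOut can be null for a normally established session, an authenticated user is silently logged out on the next request through this preprocessor; `if (!"Y".equals(hasLoggedOut)) { return true; }` keeps the previous semantics. The session mutation is a surprising side effect for an is-style predicate and deserves a comment such as `// NOTE: also clears a stale userLogin attribute from the session`. In loginUserWithUserLoginId an unknown or disabled userLoginId falls through to "error" without any log line, so a rejected external login leaves no trace; a Debug.logWarning naming the rejected userLoginId and the source (header or remote user) would make such attempts visible to operators.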
@@ -616,45 +659,44 @@
if (UtilValidate.isNotEmpty(httpHeader)) {
// make sure the user isn't already logged in
- HttpSession session = request.getSession();
- GenericValue currentUserLogin = (GenericValue)
session.getAttribute("userLogin");
- if (currentUserLogin != null) {
- String hasLoggedOut =
currentUserLogin.getString("hasLoggedOut");
- if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
- currentUserLogin = null;
+ if (!LoginWorker.isUserLoggedIn(request)) {
+ // user is not logged in; check the header field
+ String headerValue = request.getHeader(httpHeader);
+ if (UtilValidate.isNotEmpty(headerValue)) {
+ return LoginWorker.loginUserWithUserLoginId(request,
response, headerValue);
+ }
+ else {
+ // empty headerValue is not good
+ return "error";
}
}
+ }
- // user is not logged in; check the header field
- if (currentUserLogin == null) {
- String headerValue = request.getHeader(httpHeader);
- if (UtilValidate.isNotEmpty(headerValue)) {
- GenericDelegator delegator = (GenericDelegator)
request.getAttribute("delegator");
+ return "success";
+ }
- // header field found; log the user in
- try {
- GenericValue userLogin = delegator.findOne("UserLogin", false,
"userLoginId", headerValue);
- if (userLogin != null) {
- String enabled = userLogin.getString("enabled");
- if (enabled == null || "Y".equals(enabled)) {
- userLogin.set("hasLoggedOut", "N");
- userLogin.store();
-
- // login the user
- Map<String, Object> ulSessionMap =
LoginServices.getUserLoginSession(userLogin);
- return doMainLogin(request, response,
userLogin, ulSessionMap); // doing the main login
- }
- }
- } catch (GeneralException e) {
- Debug.logError(e, module);
- }
+ // preprocessor method to login a user from
HttpServletRequest.getRemoteUser() (configured in security.properties)
+ public static String checkServletRequestRemoteUserLogin(HttpServletRequest
request, HttpServletResponse response) {
+ Boolean allowRemoteUserLogin = "true".equals(UtilProperties.getPropertyValue("security",
"security.login.http.servlet.remoteuserlogin.allow", "false"));
+ // make sure logging users via remote user is allowed in
security.properties; if not just return
+ if (allowRemoteUserLogin) {
+
+ // make sure the user isn't already logged in
+ if (!LoginWorker.isUserLoggedIn(request)) {
+ // lets grab the remoteUserId
+ String remoteUserId = request.getRemoteUser();
+ if (UtilValidate.isNotEmpty(remoteUserId)) {
+ return LoginWorker.loginUserWithUserLoginId(request,
response, remoteUserId);
+ }
+ else {
+ // empty remoteUserId is not good
+ return "error";
}
}
}
return "success";
}
-
// preprocessor method to login a user w/ client certificate see
security.properties to configure the pattern of CN
public static String check509CertLogin(HttpServletRequest request,
HttpServletResponse response) {
boolean doCheck = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties",
"security.login.cert.allow", "true"));
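Review bot: checkServletRequestRemoteUserLogin reads its flag from resource "security" (`UtilProperties.getPropertyValue("security", ...)`) while the header and certificate checks on either side of it use "security.properties"; unless UtilProperties normalises the resource name, the property is never found and the feature stays disabled, so the call should use `"security.properties"` either way, and `boolean allowRemoteUserLogin = "true".equalsIgnoreCase(...)` would match check509CertLogin instead of boxing into `Boolean`. Once the flag is on, a request that is not logged in and for which `request.getRemoteUser()` returns null yields "error", which rejects every request the container has not authenticated; if that is the intended contract, the comment above the method should say that the container or CAS filter must authenticate all requests reaching this controller. The `}` / `else {` split across two lines in both preprocessors also departs from the `} else {` form used elsewhere in the file.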