Posted to commits@ofbiz.apache.org by ja...@apache.org on 2008/05/13 22:59:03 UTC

svn commit: r656008 - in /ofbiz/trunk/framework: common/webcommon/WEB-INF/common-controller.xml security/config/security.properties webapp/src/org/ofbiz/webapp/control/LoginWorker.java

Author: jaz
Date: Tue May 13 13:59:03 2008
New Revision: 656008

URL: http://svn.apache.org/viewvc?rev=656008&view=rev
Log:
added support for third party policy servers: when the configured request header carries a userLoginId, ofbiz assumes the user has already been authenticated by the policy server and logs the user in.

This is DISABLED by default (see security.properties). Be sure your policy server is running in front of ofbiz to avoid security issues (header spoofing).

Jira: OFBIZ-1781

Modified:
    ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
    ofbiz/trunk/framework/security/config/security.properties
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java

Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=656008&r1=656007&r2=656008&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original)
+++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Tue May 13 13:59:03 2008
@@ -42,6 +42,7 @@
     <preprocessor>
         <!-- Events to run on every request before security (chains exempt) -->
         <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="check509CertLogin"/>
+        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/>
         <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
     </preprocessor>
     <postprocessor>

Modified: ofbiz/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=656008&r1=656007&r2=656008&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Tue May 13 13:59:03 2008
@@ -63,6 +63,9 @@
 # -- should we allow x509 certificate login
 security.login.cert.allow=true
 
+# -- HTTP header based ID (for integrations; uncomment to enable)
+#security.login.http.header=REMOTE_USER
+
 # -- pattern for the userlogin id in CN section of certificate
 security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
 
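Review bot: The new `security.login.http.header` comment says only "for integrations; uncomment to enable" and does not state what enabling it means: any request carrying that header is logged in as the named user without a password, so it is safe only when a front-end policy server both authenticates the user and strips or overwrites the header on every client request. I would expand the comment to something like `# -- HTTP header carrying an already-authenticated userLoginId (policy-server integrations). WARNING: anyone who can set this header is logged in as that user; only enable behind a policy server that strips it from client requests.` Keeping the warning in the file that enables the feature matters more than in the commit log, since that is what an administrator reads when uncommenting the line.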

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=656008&r1=656007&r2=656008&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Tue May 13 13:59:03 2008
@@ -603,6 +603,53 @@
         return "success";
     }
 
+    // preprocessor method to login a user from a HTTP request header (configured in security.properties)
+    public static String checkRequestHeaderLogin(HttpServletRequest request, HttpServletResponse response) {
+        String httpHeader = UtilProperties.getPropertyValue("security.properties", "security.login.http.header", null);
+
+        // make sure the header field is set in security.properties; if not, then this is disabled and just return
+        if (UtilValidate.isNotEmpty(httpHeader)) {
+
+            // make sure the user isn't already logged in
+            HttpSession session = request.getSession();
+            GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
+            if (currentUserLogin != null) {
+                String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
+                if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
+                    currentUserLogin = null;
+                }
+            }
+
+            // user is not logged in; check the header field
+            if (currentUserLogin == null) {
+                String headerValue = request.getHeader(httpHeader);
+                if (UtilValidate.isNotEmpty(headerValue)) {
+                    GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
+
+                    // header field found; log the user in
+                    try {
+                        GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", headerValue);
+                        if (userLogin != null) {
+                            String enabled = userLogin.getString("enabled");
+                            if (enabled == null || "Y".equals(enabled)) {
+                                userLogin.set("hasLoggedOut", "N");
+                                userLogin.store();
+
+                                // login the user
+                                Map ulSessionMap = LoginServices.getUserLoginSession(userLogin);
+                                return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
+                            }
+                        }
+                    } catch (GeneralException e) {
+                        Debug.logError(e, module);
+                    }
+                }
+            }
+        }
+
+        return "success";
+    }
+
     // preprocessor method to login a user w/ client certificate see security.properties to configure the pattern of CN
     public static String check509CertLogin(HttpServletRequest request, HttpServletResponse response) {
         boolean doCheck = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "security.login.cert.allow", "true"));
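Review bot: In checkRequestHeaderLogin the header is only consulted when the session has no live userLogin (the `currentUserLogin == null` branch), so a request whose configured header now carries a different userLoginId leaves the session bound to the previous user; since the policy server is the identity authority here, the asserted id should be compared with `currentUserLogin.getString("userLoginId")` and the session re-bound on mismatch, as sketched below (whether doMainLogin replaces the old session state is not visible in this hunk — if it does not, the session should be invalidated before re-login). A second consequence of the hasLoggedOut handling is that a local logout is undone by the very next request that still carries the header, because hasLoggedOut is reset to N and doMainLogin runs again; that is presumably the intended SSO behaviour, but it deserves a comment such as `// NOTE: while the policy server keeps asserting this header, a local logout is undone on the next request`. Nothing in the method verifies that the request actually passed through the policy server; the commit log states that requirement, so a one-line reminder at the top of the method, `// trusts the header as-is: the front-end policy server MUST strip this header from client-supplied requests`, keeps it next to the code.
```java
            // … unchanged: session lookup and hasLoggedOut handling …
            String headerValue = request.getHeader(httpHeader);
            if (currentUserLogin != null && UtilValidate.isNotEmpty(headerValue)
                    && !headerValue.equals(currentUserLogin.getString("userLoginId"))) {
                // the policy server now asserts a different identity than the one bound to this session;
                // drop the stale binding so the login below re-binds to the asserted user
                currentUserLogin = null;
            }

            if (currentUserLogin == null) {
                if (UtilValidate.isNotEmpty(headerValue)) {
                    // … unchanged: UserLogin lookup, enabled check, doMainLogin …
```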