Posted to user@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2009/01/22 16:23:44 UTC
Re: svn commit: r736660 - in /ofbiz/trunk/framework: common/webcommon/WEB-INF/common-controller.xml security/config/security.properties webapp/src/org/ofbiz/webapp/control/LoginWorker.java
I put the documentation in the FAQ:
http://docs.ofbiz.org/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-CAS
Jacques
From: <jl...@apache.org>
> Author: jleroux
> Date: Thu Jan 22 06:52:24 2009
> New Revision: 736660
>
> URL: http://svn.apache.org/viewvc?rev=736660&view=rev
> Log:
> A patch from Guy Gershoni "Allow use of HttpServletRequest.getRemoteUser() for 3rd party authentication"
> '(https://issues.apache.org/jira/browse/OFBIZ-1906) - OFBIZ-1906
> I did not test the CAS case, but reviewed the code and tested in std mode (not using CAS) and it's OK
>
> Modified:
> ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
> ofbiz/trunk/framework/security/config/security.properties
> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
>
> Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=736660&r1=736659&r2=736660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original)
> +++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Thu Jan 22 06:52:24 2009
> @@ -51,6 +51,7 @@
> <!-- Events to run on every request before security (chains exempt) -->
> <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="check509CertLogin"/>
> <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/>
> + <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkServletRequestRemoteUserLogin"/>
> <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
> <event type="java" path="org.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"/>
> </preprocessor>
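Review bot: The new event is placed after checkRequestHeaderLogin, so when both `security.login.http.header` and `security.login.http.servlet.remoteuserlogin.allow` are enabled the header-derived identity is established first and, as far as the LoginWorker hunk below shows, the getRemoteUser() check then finds the session already populated and does nothing. That precedence is not recorded anywhere; a short comment on the new line would help operators reason about which identity source wins, e.g. `<!-- runs after header login; if both are enabled the header identity takes precedence -->`.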
>
> Modified: ofbiz/trunk/framework/security/config/security.properties
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=736660&r1=736659&r2=736660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/security/config/security.properties (original)
> +++ ofbiz/trunk/framework/security/config/security.properties Thu Jan 22 06:52:24 2009
> @@ -72,6 +72,10 @@
> # -- HTTP header based ID (for integrations; uncomment to enable)
> #security.login.http.header=REMOTE_USER
>
> +# -- HttpServletRequest.getRemoteUser() based ID (for integration; uncomment to enable)
> +# Use for external authentication solutions like CAS which overload the getRemoteUser method.
> +#security.login.http.servlet.remoteuserlogin.allow=true
> +
> # -- pattern for the userlogin id in CN section of certificate
> security.login.cert.pattern=^(\\w*\\s?\\w*)\\W*.*$
>
>
> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=736660&r1=736659&r2=736660&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original)
> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Thu Jan 22 06:52:24 2009
> @@ -608,6 +608,49 @@
> return "success";
> }
>
> + private static boolean isUserLoggedIn(HttpServletRequest request) {
> + HttpSession session = request.getSession();
> + GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
> + if (currentUserLogin != null) {
> + String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
> + if (hasLoggedOut != null && "N".equals(hasLoggedOut)) {
> + return true;
> + }
> + // User is not logged in so lets clear the attribute
> + session.setAttribute("userLogin", null);
> + }
> + return false;
> + }
> +
> + /**
> + * This method will log in a user with only their username (userLoginId).
> + * @param request
> + * @param response
> + * @param userLoginId
> + * @return Returns "success" if user could be logged in or "error" if there was a problem.
> + */
> + private static String loginUserWithUserLoginId(HttpServletRequest request, HttpServletResponse response, String userLoginId)
> {
> + GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
> + try {
> + GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", userLoginId);
> + if (userLogin != null) {
> + String enabled = userLogin.getString("enabled");
> + if (enabled == null || "Y".equals(enabled)) {
> + userLogin.set("hasLoggedOut", "N");
> + userLogin.store();
> +
> + // login the user
> + Map<String, Object> ulSessionMap = LoginServices.getUserLoginSession(userLogin);
> + return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
> + }
> + }
> + } catch (GeneralException e) {
> + Debug.logError(e, module);
> + }
> + // Shouldn't be here if all went well
> + return "error";
> + }
> +
> // preprocessor method to login a user from a HTTP request header (configured in security.properties)
> public static String checkRequestHeaderLogin(HttpServletRequest request, HttpServletResponse response) {
> String httpHeader = UtilProperties.getPropertyValue("security.properties", "security.login.http.header", null);
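Review bot: isUserLoggedIn inverts the test the original code used: the removed lines treated any session userLogin whose hasLoggedOut was not "Y" (including null) as logged in, whereas the helper now returns true only when it is exactly "N" and otherwise nulls the session attribute, so a session whose userLogin record has a null hasLoggedOut is silently logged out on the next request that passes through this preprocessor. Keeping the old semantics would be `if (!"Y".equals(currentUserLogin.getString("hasLoggedOut"))) { return true; }`, and the clear is better written as `session.removeAttribute("userLogin");` than `setAttribute(..., null)`. The Javadoc on loginUserWithUserLoginId should also state that it performs no credential check at all and logs in whatever userLoginId it is handed, so callers must only pass identifiers that come from an already-authenticated source (container or trusted proxy); that contract is the whole security boundary of this feature. Both helpers are complete within the hunk; the enclosing LoginWorker class continues outside it.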
> @@ -616,45 +659,44 @@
> if (UtilValidate.isNotEmpty(httpHeader)) {
>
> // make sure the user isn't already logged in
> - HttpSession session = request.getSession();
> - GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
> - if (currentUserLogin != null) {
> - String hasLoggedOut = currentUserLogin.getString("hasLoggedOut");
> - if (hasLoggedOut != null && "Y".equals(hasLoggedOut)) {
> - currentUserLogin = null;
> + if (!LoginWorker.isUserLoggedIn(request)) {
> + // user is not logged in; check the header field
> + String headerValue = request.getHeader(httpHeader);
> + if (UtilValidate.isNotEmpty(headerValue)) {
> + return LoginWorker.loginUserWithUserLoginId(request, response, headerValue);
> + }
> + else {
> + // empty headerValue is not good
> + return "error";
> }
> }
> + }
>
> - // user is not logged in; check the header field
> - if (currentUserLogin == null) {
> - String headerValue = request.getHeader(httpHeader);
> - if (UtilValidate.isNotEmpty(headerValue)) {
> - GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
> + return "success";
> + }
>
> - // header field found; log the user in
> - try {
> - GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", headerValue);
> - if (userLogin != null) {
> - String enabled = userLogin.getString("enabled");
> - if (enabled == null || "Y".equals(enabled)) {
> - userLogin.set("hasLoggedOut", "N");
> - userLogin.store();
> -
> - // login the user
> - Map<String, Object> ulSessionMap = LoginServices.getUserLoginSession(userLogin);
> - return doMainLogin(request, response, userLogin, ulSessionMap); // doing the main login
> - }
> - }
> - } catch (GeneralException e) {
> - Debug.logError(e, module);
> - }
> + // preprocessor method to login a user from HttpServletRequest.getRemoteUser() (configured in security.properties)
> + public static String checkServletRequestRemoteUserLogin(HttpServletRequest request, HttpServletResponse response) {
> + Boolean allowRemoteUserLogin = "true".equals(UtilProperties.getPropertyValue("security",
> "security.login.http.servlet.remoteuserlogin.allow", "false"));
> + // make sure logging users via remote user is allowed in security.properties; if not just return
> + if (allowRemoteUserLogin) {
> +
> + // make sure the user isn't already logged in
> + if (!LoginWorker.isUserLoggedIn(request)) {
> + // lets grab the remoteUserId
> + String remoteUserId = request.getRemoteUser();
> + if (UtilValidate.isNotEmpty(remoteUserId)) {
> + return LoginWorker.loginUserWithUserLoginId(request, response, remoteUserId);
> + }
> + else {
> + // empty remoteUserId is not good
> + return "error";
> }
> }
> }
>
> return "success";
> }
> -
> // preprocessor method to login a user w/ client certificate see security.properties to configure the pattern of CN
> public static String check509CertLogin(HttpServletRequest request, HttpServletResponse response) {
> boolean doCheck = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties",
> "security.login.cert.allow", "true"));
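Review bot: checkServletRequestRemoteUserLogin reads its flag from the resource `"security"` while the sibling preprocessors on both sides of it (checkRequestHeaderLogin above, check509CertLogin below) use `"security.properties"`; if UtilProperties does not normalize the suffix, the lookup returns the "false" default and the feature can never be enabled despite the new property. The comparison is also case-sensitive `"true".equals(...)` where check509CertLogin uses `equalsIgnoreCase`, and the result is boxed into a `Boolean` for no reason. Aligning the line with its neighbours gives `boolean allowRemoteUserLogin = "true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "security.login.http.servlet.remoteuserlogin.allow", "false"));`. Note that, like the header check it mirrors, this event returns "error" for every request with an empty getRemoteUser() once enabled, so it must only be switched on behind a container that actually authenticates all requests; the property comment in security.properties could say so. The hunk ends inside check509CertLogin, whose body continues outside it.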
>
>