modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/CoreGUI.gwt.xml | 3 modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java | 130 ++--- modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/SearchGUI.java | 3 modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java | 213 +++++---- modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleEditView.java | 70 ++- modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleLdapGroupSelector.java | 218 ++++++---- modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/components/selector/AbstractSelector.java | 3 modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/AuthorizationGWTService.java | 7 modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java | 23 - modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java | 26 - modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java | 10 modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/ResourceAutodiscoveryView.java | 3 modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/util/rpc/MonitoringRequestCallback.java | 3 modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/AuthorizationGWTServiceImpl.java | 15 modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java | 163 ------- modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java | 33 - 
modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/admin/user/RegisterAction.java | 58 -- modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/authentication/AuthenticateUserAction.java | 44 -- modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java | 100 ++++ modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java | 1 modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/LdapLoginModule.java | 43 - 21 files changed, 533 insertions(+), 636 deletions(-)
New commits: commit f30c1641e3821253a6597f7af3721576a345c05d Author: Simeon Pinder spinder@redhat.com Date: Sun Oct 24 15:34:39 2010 -0400
i) fixes to UserSessionManager and SubjectManagerBean for the login process. ii) fixes to LoginView for refresh/F5 registration problems. iii) start on returning LdapGroup objects where possible.
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/CoreGUI.gwt.xml b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/CoreGUI.gwt.xml index a5f67c1..98ce5ec 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/CoreGUI.gwt.xml +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/CoreGUI.gwt.xml @@ -24,7 +24,8 @@ <!-- ============================ gwt-log ============================= -->
<!-- For development, a default of 'DEBUG' is recommended. --> - <inherits name="com.allen_sauer.gwt.log.gwt-log-DEBUG" /> + <!-- <inherits name="com.allen_sauer.gwt.log.gwt-log-DEBUG" />--> + <inherits name="com.allen_sauer.gwt.log.gwt-log-TRACE" />
<!-- For production, most teams prefer to set the default log level to 'OFF'. -->
 <!--<inherits name="com.allen_sauer.gwt.log.gwt-log-OFF" />-->
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java
index c59ce69..813e9fc 100644
--- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java
+++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java
@@ -100,7 +100,7 @@ public class LoginView extends Canvas {
 private static final String PHONE = "phone";
 private static final String DEPARTMENT = "department";
 private static final String SESSIONID = "ldap.sessionid";
- private static final String PASSWORD = "ldap.password";
+ static final String PASSWORD = "ldap.password";
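Review bot: The module's default gwt-log level is raised from DEBUG to TRACE, and the TRACE calls added elsewhere in this commit include usernames (for example LoginView's `Log.trace("New LDAP user registration details valid for user'" + newSubject.getName() + "'.")`), so every build that does not override this setting will emit them; the comment kept two lines below already recommends OFF for production. If TRACE is needed while this login work is in progress, mark it as temporary, e.g. `<!-- TODO: revert to gwt-log-DEBUG before release -->`, or select the level through a build property instead of the checked-in default.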
public void showLoginDialog(String message) { showLoginDialog(); @@ -190,15 +190,16 @@ public class LoginView extends Canvas { */ public void showRegistrationDialog(String user, final String sessionId, final String password, final AsyncCallback<Subject> callback) { - if (!loginShowing) { - if ((user != null) && (!user.trim().isEmpty())) { + //store registration values as cookies for F5 refresh + if ((user != null) && (!user.trim().isEmpty()) && (Cookies.getCookie(USERNAME) == null)) { Cookies.setCookie(USERNAME, user); + } + if ((password != null) && (!password.trim().isEmpty()) && (Cookies.getCookie(PASSWORD) == null)) { Cookies.setCookie(PASSWORD, password); } - loginShowing = true;
- // forms = new ArrayList<DynamicForm>(); + loginShowing = true;
form = new DynamicForm(); form.setMargin(25); @@ -231,7 +232,6 @@ public class LoginView extends Canvas {
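Review bot: The LDAP password is persisted in a browser cookie by the kept line `Cookies.setCookie(PASSWORD, password);`, and the new guard only skips the write when a cookie already exists; the cookie holds the cleartext password for the browser session, is readable by any script on the origin, and is cleared only on the success path (hunk @@ -455) and in the logged-out branch of `UserSessionManager.checkLoginStatus` (hunk @@ -135) — neither `registerLdapUser`'s `onFailure` (hunk @@ -438) nor its `else` branch (hunk @@ -462) removes it, unless `UserSessionManager.logout()` does so, which this page does not show. If carrying the value across an F5 refresh is required, at least write it with the secure overload, `Cookies.setCookie(PASSWORD, password, null, null, null, true);`, and add `Cookies.removeCookie(PASSWORD);` to both failure paths. A server-side registration token bound to the session would avoid keeping the password in the browser at all. `showRegistrationDialog` continues outside the hunk.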
username.setDisabled(true); username.setWidth(fieldWidth); - //column.addMember(wrapInDynamicForm(6, first, last, username)); } email = new TextItem(EMAIL, "Email"); email.setRequired(true); @@ -383,6 +383,7 @@ public class LoginView extends Canvas { private void resetLogin() { window.destroy(); loginShowing = false; + UserSessionManager.setSessionState(UserSessionManager.State.IS_LOGGED_OUT); new LoginView().showLoginDialog(); }
@@ -392,7 +393,9 @@ public class LoginView extends Canvas { * @param callback */ protected void registerLdapUser(DynamicForm populatedForm, final AsyncCallback<Subject> callback) { + final Subject newSubject = new Subject(); + newSubject.setId(0);//enforce registration element for LDAP processing
//insert some required data checking boolean proceed = true; @@ -438,14 +441,14 @@ public class LoginView extends Canvas { newSubject.setFsystem(false);
if (proceed) { - GWTServiceLookup.getLdapService().processSubjectForLdap(newSubject, password, true, + Log.trace("New LDAP user registration details valid for user'" + newSubject.getName() + "'."); + //proceed with LDAP processing request. + GWTServiceLookup.getSubjectService().processSubjectForLdap(newSubject, password, new AsyncCallback<Subject>() { public void onFailure(Throwable caught) { - Log.debug("Failed to register LDAP subject:" + caught.getMessage()); - //TODO: how/what to display in LoginView when unexpected communication with server occurs? - // LoginView - // .displayFormError("UserSessionManager: Unable to check subject for LDAP authorization " - // + "- check Server status."); + Log.debug("Failed to register LDAP subject '" + newSubject.getName() + "' " + + caught.getMessage()); + //TODO: pass in warning message to Login Dialog. new LoginView().showLoginDialog(); }
@@ -455,6 +458,8 @@ public class LoginView extends Canvas { CoreGUI.getMessageCenter().notify( new Message("Succesfully registered the new ldap Subject.", Message.Severity.Info)); Log.trace("Succesfully registered the new ldap Subject."); + //clean out password from cookie. No further need. + Cookies.removeCookie(PASSWORD); window.destroy(); loginShowing = false; callback.onSuccess(checked); @@ -462,8 +467,11 @@ public class LoginView extends Canvas { });
} else {//log them out then reload LoginView - Log.warn("Failed to locate username required to create LDAP subject."); + Log.warn("Failed to locate required components to create LDAP subject."); UserSessionManager.logout(); + window.destroy(); + loginShowing = false; + //TODO: pass informative message to login. new LoginView().showLoginDialog(); } } diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/SearchGUI.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/SearchGUI.java index 0932e6f..d716136 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/SearchGUI.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/SearchGUI.java @@ -19,6 +19,7 @@ package org.rhq.enterprise.gui.coregui.client;
import com.google.gwt.core.client.EntryPoint;
+import com.google.gwt.user.client.Cookies;
 import com.google.gwt.user.client.rpc.AsyncCallback;
 import com.smartgwt.client.util.SC;
@@ -46,7 +47,7 @@ public class SearchGUI implements EntryPoint {
 return;
 }
- UserSessionManager.checkLoginStatus(null, null, new AsyncCallback<Subject>() {
+ UserSessionManager.checkLoginStatus(Cookies.getCookie("username"), null, new AsyncCallback<Subject>() {
 @Override
 public void onFailure(Throwable caught) {
 SC.say("Unable to determine login status, check server status");
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java
index d505fd1..1b47e02 100644
--- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java
+++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java
@@ -33,6 +33,8 @@ import com.google.gwt.user.client.Timer;
 import com.google.gwt.user.client.rpc.AsyncCallback;
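Review bot: The cookie name `"username"` is a bare literal in this call and is repeated in UserSessionManager (hunks @@ -135, @@ -194 and @@ -207), while LoginView already exposes `PASSWORD` for the sibling cookie; one constant such as `static final String USERNAME_COOKIE = "username";` on UserSessionManager would keep the get/set/remove sites in sync. `Cookies.getCookie("username")` is null on a first visit, so `checkLoginStatus` must tolerate a null user — its handling of that case is not in this hunk, so please confirm. The enclosing `onModuleLoad` body continues outside the hunk.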
import org.rhq.core.domain.auth.Subject; +import org.rhq.core.domain.criteria.SubjectCriteria; +import org.rhq.core.domain.util.PageList; import org.rhq.enterprise.gui.coregui.client.gwt.GWTServiceLookup; import org.rhq.enterprise.gui.coregui.client.util.BrowserUtility; import org.rhq.enterprise.gui.coregui.client.util.preferences.UserPreferences; @@ -60,7 +62,7 @@ public class UserSessionManager { private static Subject sessionSubject; private static UserPreferences userPreferences;
- private enum State { + enum State { IS_LOGGED_IN, // IS_REGISTERING, // IS_LOGGED_OUT; @@ -135,48 +137,128 @@ public class UserSessionManager { Log.info("sessionAccess-reschedulingSessionTimeout: " + expiryMillis); sessionTimer.schedule((int) expiryMillis); } + if (Cookies.getCookie("username") == null) { + Cookies.setCookie("username", user); + }
// set the session subject, so the fetch to load the configuration works - Subject subject = new Subject(); + final Subject subject = new Subject(); subject.setId(subjectId); subject.setSessionId(Integer.valueOf(sessionId)); sessionSubject = subject;
- subject.setName(user); - // figure out if ldap auth is used and whether case insenitive ldap auth requests should be handled. - GWTServiceLookup.getLdapService().processSubjectForLdap(subject, password, false, - new AsyncCallback<Subject>() { - public void onFailure(Throwable caught) { - Log.debug("Failed to load user's subject:" + caught.getMessage()); - //TODO: how/what to display in LoginView when unexpected communication with server occurs? - // LoginView - // .displayFormError("UserSessionManager: Unable to check subject for LDAP authorization " - // + "- check Server status."); - new LoginView().showLoginDialog(); - } - - public void onSuccess(Subject checked) { - Log.trace("Successfully checked subject '" + checked + "' for LDAP processing."); - if (checked.getId() > 0) {//subject is already registered. - sessionState = State.IS_LOGGED_IN; + //populate the username for the subject for isUserWithPrincipal check + subject.setName(Cookies.getCookie("username")); + + if (subject.getId() == 0) {//either i)ldap new user registration ii)ldap case sensitive match + //BZ-586435: insert case insensitivity for usernames with ldap auth + // locate first matching subject and attach. + SubjectCriteria subjectCriteria = new SubjectCriteria(); + subjectCriteria.setCaseSensitive(false); + subjectCriteria.setStrict(true); + subjectCriteria.fetchRoles(false); + subjectCriteria.fetchConfiguration(false); + subjectCriteria.addFilterName(subject.getName()); + + //check for case insensitive matches. + GWTServiceLookup.getSubjectService().findSubjectsByCriteria(subjectCriteria, + new AsyncCallback<PageList<Subject>>() { + + public void onFailure(Throwable caught) {//none found, launch registration + //TODO: log to Login.error + Log + .warn("There was a problem querying subjects by criteria during loginStatus check." 
+ + caught.getMessage()); + } + + //pipe through method to handle case insensitive + public void onSuccess(PageList<Subject> result) { + if (result.size() == 0) {//none found, launch registration + Log.trace("Proceeding with registration for ldap user '" + user + "'."); + sessionState = State.IS_REGISTERING; + //no need to store username away in cookie for F5 refresh as registration ui handles. + new LoginView().showRegistrationDialog(subject.getName(), sessionId, + password, callback); + } else {//launch case sensitive code handling + Log + .trace("Checking login and determined that ldap case insensitive login '" + + subject.getName() + "' should be used instead of '" + user + "'"); + //use the original username to pass session check. + subject.setName(user); + GWTServiceLookup.getSubjectService().processSubjectForLdap(subject, + password, new AsyncCallback<Subject>() { + public void onFailure(Throwable caught) { + Log.debug("Failed to complete ldap processing for subject:" + + caught.getMessage()); + //TODO: pass message to login dialog. + new LoginView().showLoginDialog(); + } + + public void onSuccess(Subject checked) { + Log.trace("Proceeding with registration for ldap user '" + user + + "'."); + sessionState = State.IS_LOGGED_IN; + callback.onSuccess(checked); + } + });//end processSubjectForLdap + } + } + });//end findSubjectsByCriteria + + } else {//else send through regular session check + + SubjectCriteria criteria = new SubjectCriteria(); + criteria.fetchConfiguration(true); + criteria.addFilterId(subjectId); + + GWTServiceLookup.getSubjectService().findSubjectsByCriteria(criteria, + new AsyncCallback<PageList<Subject>>() { + public void onFailure(Throwable caught) { + CoreGUI.getErrorHandler().handleError( + "UserSessionManager: Failed to load user's subject", caught); + Log.info("Failed to load user's subject"); + //TODO: pass message to login ui. 
+ new LoginView().showLoginDialog(); + } + + public void onSuccess(PageList<Subject> result) { + final Subject validSessionSubject = result.get(0); + //include session for subject session processing with LDAP + validSessionSubject.setSessionId(Integer.valueOf(sessionId)); + Log.trace("Completed session check for subject '" + result + "'."); + + //initiate ldap check for ldap authz update(wrt roles) of subject with silent update + GWTServiceLookup.getSubjectService().processSubjectForLdap(validSessionSubject, + "", new AsyncCallback<Subject>() { + public void onFailure(Throwable caught) { + Log.warn("Errors occurred processing subject for LDAP." + + caught.getMessage()); + //TODO: pass informative message to Login UI. + } + + public void onSuccess(Subject result) { + Log.trace("Succesfully updated authorization for ldap subject '" + + validSessionSubject.getName() + "'"); + } + }); + + //update the returned subject with current session id + validSessionSubject.setSessionId(Integer.valueOf(sessionId)); + // reset the session subject to the latest, for wrapping in user preferences - sessionSubject = checked; - //insert ldap check logic + sessionSubject = validSessionSubject; userPreferences = new UserPreferences(sessionSubject); refresh(); - - callback.onSuccess(checked); - - Log.trace("Subject registration required:" + needsRegistration); - } else {//subject requires registration - Log.trace("Proceeding with registration for ldap user '" + user + "'."); - sessionState = State.IS_REGISTERING; - new LoginView().showRegistrationDialog(user, sessionId, password, callback); + sessionState = State.IS_LOGGED_IN; + callback.onSuccess(validSessionSubject); } - } - }); + }); + } } else {//invalid session. Back to login sessionState = State.IS_LOGGED_OUT; + //clean out cookies if actually logged out. + Cookies.removeCookie("username"); + Cookies.removeCookie(LoginView.PASSWORD); new LoginView().showLoginDialog(); } } @@ -194,7 +276,7 @@ public class UserSessionManager { }
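Review bot: In the `findSubjectsByCriteria` callback of the new `subject.getId() == 0` branch, `onFailure` only logs and never calls `callback`, shows the login dialog, or updates `sessionState`, so an RPC error leaves the page stuck; its comment `//none found, launch registration` also describes the other path. Add `new LoginView().showLoginDialog();` (or `callback.onFailure(caught);`) after the warning, as the sibling `onFailure` in the `else` branch does. In that `else` branch, `result.get(0)` runs without checking that the returned page is non-empty. The principal used for the criteria query and the registration dialog comes from a client-writable cookie via `subject.setName(Cookies.getCookie("username"))`; the server side of `processSubjectForLdap` (SubjectManagerBean, not on this page) should bind the registered name to the authenticated session rather than to that value — please confirm. `checkLoginStatus` begins outside the hunk.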
public static void login() {
- login(null, null);
+ login(Cookies.getCookie("username"), null);
 }
/**Same as login, but passes in credentials optionally needed during new LDAP user registration.
@@ -207,9 +289,12 @@ public class UserSessionManager {
 public void onSuccess(Subject result) {
 // will build UI if necessary, then fires history event
 sessionState = State.IS_LOGGED_IN;
- // subject and session has been updated during this login request
- Log.trace("A new subject and session may has been returned. Updating sessionSubject.");
- sessionSubject = result;
+ // subject and session may have been updated during this login request
+ if (sessionSubject.getSessionId() != result.getSessionId()) {//update
+ Log.trace("A new subject and session may has been returned. Updating sessionSubject.");
+ sessionSubject = result;
+ }
+ Cookies.setCookie("username", sessionSubject.getName());
 CoreGUI.get().buildCoreUI();
 }
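Review bot: `if (sessionSubject.getSessionId() != result.getSessionId())` compares with `!=`; elsewhere in this file the id is stored with `setSessionId(Integer.valueOf(sessionId))`, so if `getSessionId()` returns `Integer` this is a reference comparison that is only meaningful inside the small-value cache and otherwise degrades to the unconditional assignment the commit replaced. Compare values instead: `if (result.getSessionId() != null && !result.getSessionId().equals(sessionSubject.getSessionId())) {`. A null `sessionSubject` would also throw here; whether it can still be null when this callback runs depends on `login`'s caller, which is outside the hunk.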
@@ -309,4 +394,8 @@ public class UserSessionManager {
 public static UserPreferences getUserPreferences() {
 return userPreferences;
 }
+
+ public static void setSessionState(State newSessionState) {
+ sessionState = newSessionState;
+ }
 }
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleEditView.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleEditView.java
index 836a355..b40ac2b 100644
--- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleEditView.java
+++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleEditView.java
@@ -21,6 +21,7 @@ package org.rhq.enterprise.gui.coregui.client.admin.roles;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
import com.google.gwt.user.client.History; @@ -29,6 +30,7 @@ import com.smartgwt.client.data.DSCallback; import com.smartgwt.client.data.DSRequest; import com.smartgwt.client.data.DSResponse; import com.smartgwt.client.data.Record; +import com.smartgwt.client.data.RecordList; import com.smartgwt.client.types.Alignment; import com.smartgwt.client.types.DSOperationType; import com.smartgwt.client.types.Overflow; @@ -46,6 +48,7 @@ import org.rhq.core.domain.auth.Subject; import org.rhq.core.domain.authz.Permission; import org.rhq.core.domain.authz.Role; import org.rhq.core.domain.criteria.RoleCriteria; +import org.rhq.core.domain.resource.group.LdapGroup; import org.rhq.core.domain.resource.group.ResourceGroup; import org.rhq.core.domain.util.PageList; import org.rhq.enterprise.gui.coregui.client.BookmarkableView; @@ -170,7 +173,8 @@ public class RoleEditView extends LocatableVLayout implements BookmarkableView { public void save() { final HashSet<Integer> groupSelection = this.groupSelector.getSelection(); final HashSet<Integer> userSelection = this.subjectSelector.getSelection(); - final HashSet<String> ldapGroupSelection = this.ldapGroupSelector.getGroupSelection(); + // final HashSet<String> ldapGroupSelection = this.ldapGroupSelector.getGroupSelection(); + final HashSet<Integer> ldapGroupSelection = this.ldapGroupSelector.getSelection();
// The form.saveData() call triggers either RolesDataSource.executeAdd() to create the new Role, // or executeUpdate() if saving changes to an existing Role. On success we need to perform the @@ -217,7 +221,10 @@ public class RoleEditView extends LocatableVLayout implements BookmarkableView { } });
- List<String> selectedGroupList = new ArrayList<String>(ldapGroupSelection); + // List<String> selectedGroupList = new ArrayList<String>(ldapGroupSelection); + List<String> selectedGroupList = new ArrayList<String>(); + selectedGroupList = loadLdapGroupSelection(ldapGroupSelection); + // List<Integer> selectedGroupList = new ArrayList<Integer>(ldapGroupSelection); if (!selectedGroupList.isEmpty()) { GWTServiceLookup.getLdapService().setLdapGroupsForRole(roleId, selectedGroupList, new AsyncCallback<Void>() { @@ -235,6 +242,24 @@ public class RoleEditView extends LocatableVLayout implements BookmarkableView { }
} + + /** Return list of group names from selection indices. + * + * @param ldapGroupSelection + * @return + */ + private List<String> loadLdapGroupSelection(HashSet<Integer> ldapGroupSelection) { + List<String> groupNames = new ArrayList<String>(); + if (ldapGroupSelection != null) { + RecordList recordList = ldapGroupSelector.getAssignedGrid().getDataAsRecordList(); + for (int index : ldapGroupSelection) { + Record record = recordList.get(index); + String name = record.getAttributeAsString("name"); + groupNames.add(name); + } + } + return groupNames; + } }); }
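Review bot: `loadLdapGroupSelection` treats each selection value as a positional index into `getAssignedGrid().getDataAsRecordList()` (`recordList.get(index)`), but the selector's records carry that number in their `id` attribute (`RoleLdapGroupSelector.buildRecords`), and nothing on this page guarantees the assigned grid's row order matches those ids, so a name may be read from the wrong row; looking the record up by attribute, `recordList.find(RoleLdapGroupSelector.id, index)`, would not depend on order, and `"name"` should likewise be `RoleLdapGroupSelector.name`. In hunk @@ -217 the `new ArrayList<String>()` assigned to `selectedGroupList` is immediately overwritten, so `List<String> selectedGroupList = loadLdapGroupSelection(ldapGroupSelection);` suffices. The commented-out alternatives kept in both hunks should be deleted rather than left under `//`. The enclosing `save()` starts outside the hunk.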
@@ -246,7 +271,9 @@ public class RoleEditView extends LocatableVLayout implements BookmarkableView { .getAttributeAsObject("subjects")); this.ldapGroupSelector = new RoleLdapGroupSelector(this.extendLocatorId("LdapGroups"), record .getAttributeAsInt("id")); - + // this.ldapGroupSelector = new RoleLdapGroupSelector(this.extendLocatorId("LdapGroups"), (Set<LdapGroup>) record + // .getAttributeAsObject("ldapGroupsAvailable"), (Set<LdapGroup>) record + // .getAttributeAsObject("ldapGroupsAssigned")); this.groupSelectorItem.setCanvas(this.groupSelector); this.subjectSelectorItem.setCanvas(this.subjectSelector);
@@ -280,7 +307,6 @@ public class RoleEditView extends LocatableVLayout implements BookmarkableView { }
private void editRole(int roleId, final ViewId current) { - final int id = Integer.valueOf(current.getBreadcrumbs().get(0).getName());
if (id > 0) { @@ -298,12 +324,38 @@ public class RoleEditView extends LocatableVLayout implements BookmarkableView {
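Review bot: The removed `final int id = Integer.valueOf(...)` line is the only declaration of `id` visible here, yet `if (id > 0) {` on the next line still uses it; unless `RoleEditView` has a field named `id`, this no longer compiles, and the method parameter `roleId` looks like the intended value: `if (roleId > 0) {`. If such a field does exist, the condition now silently tests a different value than before the commit. `editRole` continues outside the hunk.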
@Override public void onSuccess(PageList<Role> result) { - Role role = result.get(0); - Record record = new RolesDataSource().copyValues(role); - editRecord(record); + final Role role = result.get(0); + final Record record = new RolesDataSource().copyValues(role); + //if ldap configured + GWTServiceLookup.getLdapService().checkLdapConfiguredStatus(new AsyncCallback<Boolean>() { + public void onSuccess(Boolean result) { + //get available ldap groups + GWTServiceLookup.getLdapService().findAvailableGroups( + new AsyncCallback<Set<Map<String, String>>>() { + public void onFailure(Throwable caught) { + CoreGUI.getErrorHandler().handleError( + "Failed to retrieve available LDAP groups.", caught); + } + + public void onSuccess(Set<Map<String, String>> availableLdapGroups) { + //TODO: get assigned ldap groups + Set<LdapGroup> availableGroups = RoleLdapGroupSelector + .convertToCollection(availableLdapGroups); + //update record with both objects. + record.setAttribute("ldapGroupsAvailable", availableGroups); + editRecord(record); + current.getBreadcrumbs().get(0).setDisplayName("Editing: " + role.getName()); + CoreGUI.refreshBreadCrumbTrail(); + } + }); + }
- current.getBreadcrumbs().get(0).setDisplayName("Editing: " + role.getName()); - CoreGUI.refreshBreadCrumbTrail(); + public void onFailure(Throwable caught) {//ldap not configured, proceed + editRecord(record); + current.getBreadcrumbs().get(0).setDisplayName("Editing: " + role.getName()); + CoreGUI.refreshBreadCrumbTrail(); + } + }); } }); } else { diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleLdapGroupSelector.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleLdapGroupSelector.java index 2443c5b..580da5b 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleLdapGroupSelector.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/admin/roles/RoleLdapGroupSelector.java @@ -42,6 +42,7 @@ import com.smartgwt.client.widgets.grid.events.DataArrivedEvent; import com.smartgwt.client.widgets.grid.events.DataArrivedHandler;
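Review bot: In `editRole`'s new `checkLdapConfiguredStatus` callback the `Boolean result` is never read — `onSuccess(Boolean result)` (which also shadows the outer `PageList<Role> result`) always calls `findAvailableGroups`, so a server answer of `false` is treated like `true`, while `onFailure` is taken to mean "not configured" and the error is dropped. Branch on the returned value, report the failure through the existing error handler, and fold the three copies of the `editRecord`/breadcrumb sequence into one private helper, as sketched below. `editRole` starts outside the hunk.
```java
GWTServiceLookup.getLdapService().checkLdapConfiguredStatus(new AsyncCallback<Boolean>() {
    public void onSuccess(Boolean ldapConfigured) {
        if (!Boolean.TRUE.equals(ldapConfigured)) {
            finishEdit(record, role, current); // LDAP not configured: plain edit
            return;
        }
        GWTServiceLookup.getLdapService().findAvailableGroups(
            new AsyncCallback<Set<Map<String, String>>>() {
                // … unchanged: onFailure …

                public void onSuccess(Set<Map<String, String>> availableLdapGroups) {
                    record.setAttribute("ldapGroupsAvailable",
                        RoleLdapGroupSelector.convertToCollection(availableLdapGroups));
                    finishEdit(record, role, current);
                }
            });
    }

    public void onFailure(Throwable caught) {
        CoreGUI.getErrorHandler().handleError("Failed to determine LDAP configuration status.", caught);
        finishEdit(record, role, current); // still allow editing without LDAP groups
    }
});

// Shows the record in the editor and refreshes the breadcrumb; shared by every path above.
private void finishEdit(Record record, Role role, ViewId current) {
    editRecord(record);
    current.getBreadcrumbs().get(0).setDisplayName("Editing: " + role.getName());
    CoreGUI.refreshBreadCrumbTrail();
}
```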
import org.rhq.core.domain.resource.group.LdapGroup; +import org.rhq.core.domain.util.PageList; import org.rhq.enterprise.gui.coregui.client.CoreGUI; import org.rhq.enterprise.gui.coregui.client.components.selector.AbstractSelector; import org.rhq.enterprise.gui.coregui.client.gwt.GWTServiceLookup; @@ -50,7 +51,8 @@ import org.rhq.enterprise.gui.coregui.client.util.RPCDataSource; /** * @author Simeon Pinder */ -public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, String>>> { +//public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, String>>> { +public class RoleLdapGroupSelector extends AbstractSelector<PageList<LdapGroup>> { public static final String id = "id"; public static final String name = "name"; public static final String description = "description"; @@ -61,6 +63,15 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, private int currentRole = -1; private boolean initialLdapSelectionsLoad = true;
+ // public RoleLdapGroupSelector(String locatorId, Set<LdapGroup> available, Set<LdapGroup> assigned) { + // super(locatorId); + // if (available != null) { + // ListGridRecord[] data = (new LdapGroupsDataSource()).buildRecords(available); + //// setAssigned(data); + //// setA + // } + // } + public RoleLdapGroupSelector(String locatorId, Integer integer) { super(locatorId); if (integer != null) { @@ -74,9 +85,11 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, }
@Override - protected RPCDataSource<HashSet<Map<String, String>>> getDataSource() { + // protected RPCDataSource<HashSet<Map<String, String>>> getDataSource() { + protected RPCDataSource<PageList<LdapGroup>> getDataSource() { if (availableDatasource == null) { availableDatasource = new LdapGroupsDataSource(); + Log.debug("++++++++++ RoleLDapGroupSelector.datasourceInit:" + availableDatasource); //add subsequent listener int currentRoleId = getCurrentRole(); if (currentRoleId > -1) { @@ -89,14 +102,16 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, if (currentRoleId > -1) { if (initialLdapSelectionsLoad) { GWTServiceLookup.getLdapService().findLdapGroupsAssignedToRole(currentRoleId, - new AsyncCallback<Set<Map<String, String>>>() { + // new AsyncCallback<Set<Map<String, String>>>() { + new AsyncCallback<PageList<LdapGroup>>() {
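Review bot: `Log.debug("++++++++++ RoleLDapGroupSelector.datasourceInit:" + availableDatasource)` in `getDataSource()` is a scratch trace (marker characters, misspelled class name, prints an object reference) and should be removed or reduced to `Log.trace("Initialized LdapGroupsDataSource");` — the gwt.xml hunk in this commit raises the default log level to TRACE, so it would appear in every client log. The commented-out constructor and the `//`-ed old signatures added in hunks @@ -50, @@ -61 and here should be deleted rather than kept; version control already holds the previous form. `getDataSource()` continues outside the hunk.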
public void onFailure(Throwable throwable) { CoreGUI.getErrorHandler().handleError( "Failed to load LdapGroups available for role.", throwable); }
- public void onSuccess(Set<Map<String, String>> currentlyAssignedLdapGroups) { + // public void onSuccess(Set<Map<String, String>> currentlyAssignedLdapGroups) { + public void onSuccess(PageList<LdapGroup> currentlyAssignedLdapGroups) { //translate groups into records for grid // response.setData(buildRecords(locatedGroups)); // response.setData(buildAssignedRecords(currentlyAssignedLdapGroups)); @@ -106,9 +121,12 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, RecordList loaded = availableGrid.getDataAsRecordList(); if (loaded != null) { ArrayList<Integer> located = new ArrayList<Integer>(); - for (Map groupMap : currentlyAssignedLdapGroups) { - int index = loaded.findIndex(name, (String) groupMap.get(name)); + // for (Map groupMap : currentlyAssignedLdapGroups) { + for (LdapGroup group : currentlyAssignedLdapGroups) { + // int index = loaded.findIndex(name, (String) groupMap.get(name)); + int index = loaded.findIndex(name, (String) group.getName()); if (index > -1) { + group.setId(index);//overwrite RHQ Resource ID to match ldap fabricated id. located.add(Integer.valueOf(index)); } } @@ -124,6 +142,15 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, select(assignedGrid.getSelection()); updateButtons(); assignedGrid.deselectAllRecords(); + // assignedGrid.deselectAllRecords(); + // assignedGrid.transferSelectedData(availableGrid); + // select(assignedGrid.getSelection()); + // updateButtons(); + Record rec = assignedGrid.getDataAsRecordList().get(0); + // for (String attr : rec.getAttributes()) { + // Log.debug("%%%%%%%%%% attribute:" + attr + ":value:" + // + rec.getAttribute(attr) + ":"); + // } } } } @@ -142,38 +169,39 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, return null; // TODO: Implement this method. }
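Review bot: `group.setId(index);` in hunk @@ -106 overwrites the id of the `LdapGroup` domain object with a grid row index so that it lines up with the fabricated id from `buildRecords`; if that object is later sent back to the server or compared by id, the original value is gone. Keep the mapping on the client — `located` already collects the row indices — and leave the entity untouched, or store the index in a separate record attribute. The cast in `(String) group.getName()` is redundant and can be dropped. The enclosing `onSuccess` starts in hunk @@ -89 and continues into hunk @@ -124.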
- protected void select(ListGridRecord[] records) { - availableGrid.deselectAllRecords(); - for (ListGridRecord record : records) { - record.setEnabled(false); - selection.add(record.getAttributeAsString(name)); - } - assignedGrid.markForRedraw(); - } - - protected void deselect(ListGridRecord[] records) { - HashSet<String> toRemove = new HashSet<String>(); - for (ListGridRecord record : records) { - toRemove.add(record.getAttributeAsString(name)); - } - selection.removeAll(toRemove); - - for (String name : toRemove) { - Record r = availableGrid.getDataAsRecordList().find(name, name); - if (r != null) { - ((ListGridRecord) r).setEnabled(true); - } - } - int cnt = 0; - for (Record lgr : availableGrid.getDataAsRecordList().toArray()) { - if (lgr.getAttributeAsBoolean("enabled")) { - cnt++; - } - } - availableGrid.markForRedraw(); - } - - public class LdapGroupsDataSource extends RPCDataSource<HashSet<Map<String, String>>> { + // protected void select(ListGridRecord[] records) { + // availableGrid.deselectAllRecords(); + // for (ListGridRecord record : records) { + // record.setEnabled(false); + // selection.add(record.getAttributeAsString(name)); + // } + // assignedGrid.markForRedraw(); + // } + // + // protected void deselect(ListGridRecord[] records) { + // HashSet<String> toRemove = new HashSet<String>(); + // for (ListGridRecord record : records) { + // toRemove.add(record.getAttributeAsString(name)); + // } + // selection.removeAll(toRemove); + // + // for (String name : toRemove) { + // Record r = availableGrid.getDataAsRecordList().find(name, name); + // if (r != null) { + // ((ListGridRecord) r).setEnabled(true); + // } + // } + // int cnt = 0; + // for (Record lgr : availableGrid.getDataAsRecordList().toArray()) { + // if (lgr.getAttributeAsBoolean("enabled")) { + // cnt++; + // } + // } + // availableGrid.markForRedraw(); + // } + + // public class LdapGroupsDataSource extends RPCDataSource<HashSet<Map<String, String>>> { + public class 
LdapGroupsDataSource extends RPCDataSource<PageList<LdapGroup>> {
public static final String LDAP_NOT_CONFIGURED_EMPTY_MESSAGE = "(LDAP not configured. 'Administrator'->System Settings to change)"; public static final String EMPTY_MESSAGE = "No items to show"; @@ -187,7 +215,9 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, setFields(nameField, descriptionField); }
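Review bot: `Record rec = assignedGrid.getDataAsRecordList().get(0);` in hunk @@ -124 is a leftover of the commented-out attribute dump beneath it: `rec` is never used, and it is evaluated even when the assigned grid is empty, where `get(0)` has no element to return. Delete the declaration together with the `//`-ed loop and the four commented duplicate calls above it. The same applies to the `select`/`deselect` overrides turned into comments further down this hunk: if the inherited `AbstractSelector` versions are now the intended behaviour, remove the dead copies; if they are still needed, restore them. The enclosing callback starts in hunk @@ -89.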
- public ListGridRecord[] buildRecords(Set<Map<String, String>> locatedGroups) { + // public ListGridRecord[] buildRecords(Set<Map<String, String>> locatedGroups) { + // public ListGridRecord[] buildRecords(PageList<LdapGroup> locatedGroups) { + public ListGridRecord[] buildRecords(Set<LdapGroup> locatedGroups) { ListGridRecord[] records = new ListGridRecord[0]; int indx = 0; if ((locatedGroups != null) && (!locatedGroups.isEmpty())) { @@ -195,18 +225,20 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, records = new ListGridRecord[locatedGroups.size()]; int index = 0; //for each Map returned then iterate over to retrieve the values - Iterator<Map<String, String>> iterator = locatedGroups.iterator(); - while (iterator.hasNext()) { - Map<String, String> group = iterator.next(); + // Iterator<Map<String, String>> iterator = locatedGroups.iterator(); + // while (iterator.hasNext()) { + for (LdapGroup group : locatedGroups) { + // Map<String, String> group = iterator.next(); //iterate over the group data to translate into records ListGridRecord record = new ListGridRecord(); //load identifier record.setAttribute(id, index++); - //load name - record.setAttribute(name, group.get(name)); + //load name + // record.setAttribute(name, group.get(name)); + record.setAttribute(name, group.getName()); //load description - record.setAttribute(description, group.get(description)); - + // record.setAttribute(description, group.get(description)); + record.setAttribute(description, group.getDescription()); records[indx++] = record; }
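Review bot: `buildRecords` now numbers each record from the iteration position of a `Set<LdapGroup>` (`record.setAttribute(id, index++)`), and both `onSuccess(PageList<LdapGroup>)` in this file and `RoleEditView.loadLdapGroupSelection` treat that number as a stable row identity; unless the set has a deterministic order, two calls over the same groups can number them differently. Sort the groups by name before numbering (copy into a `List<LdapGroup>` and sort with a name comparator), or derive the id from the name. The two counters `index` and `indx` advance in lockstep, so one of them can go. `buildRecords` continues outside the hunk.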
@@ -220,12 +252,14 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, }
@Override - public HashSet<Map<String, String>> copyValues(ListGridRecord from) { + // public HashSet<Map<String, String>> copyValues(ListGridRecord from) { + public PageList<LdapGroup> copyValues(ListGridRecord from) { throw new UnsupportedOperationException("Ldap Group data is read only"); }
@Override - public ListGridRecord copyValues(HashSet<Map<String, String>> from) { + // public ListGridRecord copyValues(HashSet<Map<String, String>> from) { + public ListGridRecord copyValues(PageList<LdapGroup> from) { return null; }
@@ -246,9 +280,13 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, }
public void onSuccess(Set<Map<String, String>> locatedGroups) { - Log.debug("Successfully located groups."); + Log.trace("Successfully located groups."); + Log.debug("---------------------------------- Available groups:" + + locatedGroups.size()); //translate groups into records for grid - response.setData(buildRecords(locatedGroups)); + // response.setData(buildRecords(locatedGroups)); + // Set<LdapGroup> collection = new HashSet<LdapGroup>(); + response.setData(buildRecords(convertToCollection(locatedGroups))); //entry count if (null != locatedGroups) { response.setTotalRows(locatedGroups.size()); @@ -258,6 +296,22 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, //pass off for processing processResponse(request.getRequestId(), response); } + + // private PageList<LdapGroup> convertToCollection(Set<Map<String, String>> locatedGroups) { + // private Set<LdapGroup> convertToCollection(Set<Map<String, String>> locatedGroups) { + // Set<LdapGroup> converted = new HashSet<LdapGroup>(); + // if (locatedGroups != null) { + // Iterator<Map<String, String>> iterator = locatedGroups.iterator(); + // while (iterator.hasNext()) { + // Map<String, String> map = iterator.next(); + // LdapGroup group = new LdapGroup(); + // group.setDescription(map.get("description")); + // group.setName(map.get("name")); + // converted.add(group); + // } + // } + // return converted; + // } }); } else { Log.debug("(LDAP not currently enabled. " + EMPTY_MESSAGE); @@ -275,26 +329,43 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, } }
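Review bot: The new `Log.debug("---------------------------------- Available groups:" + locatedGroups.size())` dereferences `locatedGroups` before the `if (null != locatedGroups)` guard a few lines below it, so a null result from the LDAP service now fails with a NullPointerException inside onSuccess instead of producing an empty grid; `convertToCollection` in the -275 hunk explicitly accepts null, so the case is clearly contemplated. Move the size into the guarded block, or write `Log.debug("Available groups: " + (locatedGroups == null ? 0 : locatedGroups.size()));`. Separately, this hunk, the -258 hunk and the -275 hunk (plus the one that starts before this chunk) leave large blocks of commented-out code behind (`// private Set<LdapGroup> convertToCollection(...)`, the old `select`/`deselect`, `getGroupSelection`); delete them rather than carry them forward, since the history is in version control. The enclosing onSuccess continues past this hunk.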
- public HashSet<String> getGroupSelection() { - RecordList records = assignedGrid.getDataAsRecordList(); - //empty out selection and populate with actual contents - selection.clear(); - if (!records.isEmpty()) { - for (Record r : records.toArray()) { - selection.add(r.getAttributeAsString(name)); + public static Set<LdapGroup> convertToCollection(Set<Map<String, String>> locatedGroups) { + Set<LdapGroup> converted = new HashSet<LdapGroup>(); + if (locatedGroups != null) { + Iterator<Map<String, String>> iterator = locatedGroups.iterator(); + int index = 0; + while (iterator.hasNext()) { + Map<String, String> map = iterator.next(); + LdapGroup group = new LdapGroup(); + group.setDescription(map.get("description")); + group.setName(map.get("name")); + group.setId(index++); + converted.add(group); } } - HashSet<String> assignedSelections = new HashSet<String>(); - for (ListGridRecord r : assignedGrid.getSelection()) { - assignedSelections.add(r.getAttributeAsString(name)); - } - HashSet<String> remainingRecords = new HashSet<String>(); - for (Record r : assignedGrid.getDataAsRecordList().toArray()) { - remainingRecords.add(r.getAttributeAsString(name)); - } - return remainingRecords; + return converted; }
+ // public HashSet<String> getGroupSelection() { + // RecordList records = assignedGrid.getDataAsRecordList(); + // //empty out selection and populate with actual contents + // selection.clear(); + // if (!records.isEmpty()) { + // for (Record r : records.toArray()) { + // selection.add(r.getAttributeAsString(name)); + // } + // } + // HashSet<String> assignedSelections = new HashSet<String>(); + // for (ListGridRecord r : assignedGrid.getSelection()) { + // assignedSelections.add(r.getAttributeAsString(name)); + // } + // HashSet<String> remainingRecords = new HashSet<String>(); + // for (Record r : assignedGrid.getDataAsRecordList().toArray()) { + // remainingRecords.add(r.getAttributeAsString(name)); + // } + // return remainingRecords; + // } + public class LdapAssignedGroupsDatasource extends RPCDataSource<Set<String>> { private Integer currentRoleId = Integer.valueOf(-1);
@@ -324,22 +395,26 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, }
GWTServiceLookup.getLdapService().findLdapGroupsAssignedToRole(currentRoleId, - new AsyncCallback<Set<Map<String, String>>>() { + // new AsyncCallback<Set<Map<String, String>>>() { + new AsyncCallback<PageList<LdapGroup>>() {
public void onFailure(Throwable throwable) { CoreGUI.getErrorHandler().handleError("Failed to load LdapGroups available for role.", throwable); }
- public void onSuccess(Set<Map<String, String>> currentlyAssignedLdapGroups) { + // public void onSuccess(Set<Map<String, String>> currentlyAssignedLdapGroups) { + public void onSuccess(PageList<LdapGroup> currentlyAssignedLdapGroups) { //translate groups into records for grid // response.setData(buildRecords(locatedGroups)); // response.setData(buildAssignedRecords(currentlyAssignedLdapGroups)); //instead of setting the data, find which ones are shared and transfer as before RecordList loaded = getAssignedGrid().getDataAsRecordList(); ArrayList<Integer> located = new ArrayList<Integer>(); - for (Map groupMap : currentlyAssignedLdapGroups) { - int index = loaded.findIndex(name, (String) groupMap.get(name)); + // for (Map groupMap : currentlyAssignedLdapGroups) { + for (LdapGroup groupMap : currentlyAssignedLdapGroups) { + // int index = loaded.findIndex(name, (String) groupMap.get(name)); + int index = loaded.findIndex(id, groupMap.getId()); if (index > -1) { located.add(Integer.valueOf(index)); } @@ -375,7 +450,8 @@ public class RoleLdapGroupSelector extends AbstractSelector<HashSet<Map<String, records = new ListGridRecord[currentlyAssignedLdapGroups.size()]; for (LdapGroup group : currentlyAssignedLdapGroups) { ListGridRecord record = new ListGridRecord(); - record.setAttribute(id, group.getName()); + // record.setAttribute(id, group.getName()); + record.setAttribute(id, group.getId()); //load name record.setAttribute(name, group.getName()); //load description diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/components/selector/AbstractSelector.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/components/selector/AbstractSelector.java index 91c622a..02d39f2 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/components/selector/AbstractSelector.java 
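Review bot: `loaded.findIndex(id, groupMap.getId())` appears to compare two different id spaces: `groupMap` comes from the server's `PageList<LdapGroup>` (persisted ids from `ldapManager.findLdapGroupsByRole`), while the `id` attribute on the loaded available-group records is a running iteration index assigned client-side — `record.setAttribute(id, index++)` in `buildRecords` (-195 hunk) and `group.setId(index++)` in `convertToCollection` (-275 hunk), both iterating a HashSet whose order is not guaranteed to agree between the two passes. Unless those indexes are guaranteed to equal the database ids, assigned groups will no longer be located in the available grid; the replaced lookup by `name` used a stable key on both sides. Either restore `int index = loaded.findIndex(name, groupMap.getName());` or carry the real LdapGroup id through the available-groups service so that both grids use it. The -375 hunk in this section makes the same id substitution for the assigned-records builder, and the enclosing onSuccess continues outside the hunk.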
+++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/components/selector/AbstractSelector.java @@ -311,6 +311,9 @@ public abstract class AbstractSelector<T> extends LocatableVLayout { protected void deselect(ListGridRecord[] records) { HashSet<Integer> toRemove = new HashSet<Integer>(); for (ListGridRecord record : records) { + // for (String attr : record.getAttributes()) { + // Log.debug("------- ATTR:" + attr + ":value:" + record.getAttribute(attr) + ":"); + // } toRemove.add(record.getAttributeAsInt("id")); } selection.removeAll(toRemove); diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java index 533fcd9..3045c5d 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java @@ -28,7 +28,8 @@ import java.util.Set;
import com.google.gwt.user.client.rpc.RemoteService;
-import org.rhq.core.domain.auth.Subject; +import org.rhq.core.domain.resource.group.LdapGroup; +import org.rhq.core.domain.util.PageList;
/** * @author Simeon Pinder @@ -59,21 +60,12 @@ public interface LdapGWTService extends RemoteService { */ void setLdapGroupsForRole(int roleId, List<String> groupIds);
- /** - * - * @param currentSubject - * @param user - * @param password - * @return - */ - Subject processSubjectForLdap(Subject currentSubject, String password, boolean ldapRegistration); - /** Finds ldap groups already assigned to this role. * * @param currentRoleId * @return */ - Set<Map<String, String>> findLdapGroupsAssignedToRole(int currentRoleId); + PageList<LdapGroup> findLdapGroupsAssignedToRole(int currentRoleId);
/** Boolean response about whether ldap configured.. * diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java index 4abe475..50aa21f 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java @@ -111,6 +111,6 @@ public interface SubjectGWTService extends RemoteService { * @param criteria details for the search * @return PageList<Subject> matching criteria. */ - Subject processSubjectForLdap(Subject subjectToModify, String password, boolean registerLdap); + Subject processSubjectForLdap(Subject subjectToModify, String password);
} diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/util/rpc/MonitoringRequestCallback.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/util/rpc/MonitoringRequestCallback.java index a1de14c..a479aa0 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/util/rpc/MonitoringRequestCallback.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/util/rpc/MonitoringRequestCallback.java @@ -21,6 +21,7 @@ package org.rhq.enterprise.gui.coregui.client.util.rpc; import com.google.gwt.http.client.Request; import com.google.gwt.http.client.RequestCallback; import com.google.gwt.http.client.Response; +import com.google.gwt.user.client.Cookies; import com.google.gwt.user.client.History; import com.google.gwt.user.client.rpc.AsyncCallback; import com.smartgwt.client.util.SC; @@ -64,7 +65,7 @@ public class MonitoringRequestCallback implements RequestCallback { + response.getStatusText());
// if we have a rich and coordinated client-side loggedIn state, do we need to check upon failure here? - UserSessionManager.checkLoginStatus(null, null, new AsyncCallback<Subject>() { + UserSessionManager.checkLoginStatus(Cookies.getCookie("username"), null, new AsyncCallback<Subject>() { @Override public void onSuccess(Subject result) { History.fireCurrentHistoryState(); diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java index 8cf63d5..330ed24 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java @@ -20,14 +20,12 @@ package org.rhq.enterprise.gui.coregui.server.gwt;
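Review bot: `Cookies.getCookie("username")` passes a browser-writable cookie to `checkLoginStatus` where `null` was passed before; that is acceptable as a hint for which account to re-check, but the server side must still derive the identity from the session rather than from this value, and the call must tolerate the cookie being absent (`getCookie` returns null, which matches the previous argument). A short comment would make the intent explicit, e.g. `// the username cookie is only a hint for the re-check; the session id, not this value, is what the server validates`. I cannot see checkLoginStatus from here to confirm how it uses the argument.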
import java.util.ArrayList; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set;
import com.allen_sauer.gwt.log.client.Log;
-import org.rhq.core.domain.auth.Subject; import org.rhq.core.domain.resource.group.LdapGroup; import org.rhq.core.domain.util.PageControl; import org.rhq.core.domain.util.PageList; @@ -106,38 +104,11 @@ public class LdapGWTServiceImpl extends AbstractGWTServiceImpl implements LdapGW }
@Override - public Set<Map<String, String>> findLdapGroupsAssignedToRole(int roleId) { + public PageList<LdapGroup> findLdapGroupsAssignedToRole(int roleId) { try { PageList<LdapGroup> allAssignedLdapGroups = ldapManager.findLdapGroupsByRole(roleId, PageControl .getUnlimitedInstance()); - Set<Map<String, String>> ldapGroups = new HashSet<Map<String, String>>(); - - for (LdapGroup group : allAssignedLdapGroups) { - HashMap<String, String> map = new HashMap<String, String>(); - map.put("name", group.getName()); - map.put("id", group.getName()); - map.put("description", group.getDescription()); - ldapGroups.add(map); - } - - return SerialUtility.prepare(ldapGroups, "findLdapGroupsAssignedToRole"); - } catch (Exception e) { - throw new RuntimeException(ThrowableUtil.getAllMessages(e)); - } - } - - /** Does a series of LDAP checks and for case insensitive ldap matching accounts will return new Subject with session id. - * i) needs registration(user exists in ldap but not yet in RHQ) - * ii) if LDAP authentication is enabled. All authentication is piped through this method. - * - * - */ - @Override - public Subject processSubjectForLdap(Subject currentSubject, String password, boolean ldapRegistration) { - try { - currentSubject = subjectManager.processSubjectForLdap(currentSubject, password, ldapRegistration); - - return SerialUtility.prepare(currentSubject, "processSubjectForLdap"); + return SerialUtility.prepare(allAssignedLdapGroups, "findLdapGroupsAssignedToRole"); } catch (Exception e) { throw new RuntimeException(ThrowableUtil.getAllMessages(e)); } diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java index 378e269..15d7464 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java 
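Review bot: findLdapGroupsAssignedToRole now hands the `PageList<LdapGroup>` fetched from `ldapManager` straight to the GWT client, whereas the removed map-building loop acted as a DTO that exposed only name/id/description; it is worth a one-line comment stating that `SerialUtility.prepare(...)` is relied on to make the entities safe to serialize, e.g. `// LdapGroup entities are returned as-is; SerialUtility.prepare detaches them for GWT serialization`, or confirm that LdapGroup carries no fields the UI should not see. Also, with that loop gone the `java.util.HashMap`, `Map` and `Set` imports kept by the -20 hunk have no remaining visible use in this file; if nothing else in the class needs them, drop them alongside `HashSet`. The catch block still continues past the hunk.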
+++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java @@ -95,10 +95,10 @@ public class SubjectGWTServiceImpl extends AbstractGWTServiceImpl implements Sub } }
- public Subject processSubjectForLdap(Subject subjectToModify, String password, boolean registerLdap) { + public Subject processSubjectForLdap(Subject subjectToModify, String password) { try { - return SerialUtility.prepare(subjectManager.processSubjectForLdap(getSessionSubject(), password, - registerLdap), "SubjectManager.processSubjectForLdap"); + return SerialUtility.prepare(subjectManager.processSubjectForLdap(subjectToModify, password), + "SubjectManager.processSubjectForLdap"); } catch (Exception e) { throw new RuntimeException(ThrowableUtil.getAllMessages(e)); } diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java index e1ffe82..491f26e 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java 
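Review bot: Replacing `getSessionSubject()` with the client-supplied `subjectToModify` means the server-side LDAP processing now operates on a Subject whose fields the browser populated; in SubjectManagerBean the only binding to the authenticated session is `isValidSessionId(subject.getSessionId(), subject.getName(), subject.getId())`, and for an `id == 0` subject the -387 hunk then persists that object wholesale via `createSubject(superuser, subject)`. Unless isValidSessionId also constrains every attribute createSubject stores, the identity fields should be taken from the session subject and only the registration details (first/last name, email, phone, department) copied from the client object, e.g. `subjectToModify.setSessionId(getSessionSubject().getSessionId());` before the call. At minimum, document on this method that the caller-provided Subject is treated as untrusted input and which of its fields are honoured.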
@@ -291,14 +291,16 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe try { int sessionId = sessionManager.getSessionIdFromUsername(username); subject.setSessionId(sessionId); - //insert processing for LDAP users who have registered before and have jdbc credentials + //insert processing for LDAP users who have registered before and have jdbc credentials, but no principal. log.trace("Processing subject '" + subject.getName() + "' for LDAP functionality."); - subject = processSubjectForLdap(subject, password, false); + subject = processSubjectForLdap(subject, password); return subject; } catch (SessionException se) { // nope, no session; continue on so we can create the session } } else { + System.out.println("+++++++++++ i)Not yet registered ii)case insensitive login from ldap for username:" + + username + ":"); // There is no subject in the database yet. // If LDAP authentication is enabled and we cannot find the subject, // it means we must have authenticated via LDAP, not JDBC (otherwise, @@ -331,12 +333,12 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe * @return same or new Subject returned from LDAP processing. * @throws LoginException */ - public Subject processSubjectForLdap(Subject subject, String subjectPassword, boolean ldapRegistration) - throws LoginException { - + public Subject processSubjectForLdap(Subject subject, String subjectPassword) throws LoginException { if (subject != null) {//null check //if user has principal then bail as LDAP processing not required boolean userHasPrincipal = isUserWithPrincipal(subject.getName()); + log.trace("Processing subject '" + subject.getName() + "' for LDAP check, userHasPrincipal:" + + userHasPrincipal);
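Review bot: The added `System.out.println("+++++++++++ i)Not yet registered ii)case insensitive login from ldap for username:" + username + ":")` writes directly to stdout in a server-side bean, bypassing the `log` used on the adjacent lines and its level filtering, so the login name of every unregistered or case-mismatched login attempt lands unconditionally in the server console. Replace it with `log.trace("Not yet registered or case-insensitive LDAP login for username '" + username + "'");` so it follows the existing logging convention and can be switched off in production.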
//if user has principal then return as non-ldap user if (userHasPrincipal) { @@ -346,26 +348,13 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe Properties config = systemManager.getSystemConfiguration(); boolean ldapConfigured = config.getProperty(RHQConstants.JAASProvider).equals( RHQConstants.LDAPJAASProvider); - if (ldapConfigured) {//i)registration ii)case sensitive matches iii)authorization updates //check that session is valid. RHQ auth has already occurred. if (!isValidSessionId(subject.getSessionId(), subject.getName(), subject.getId())) { throw new LoginException("User session not valid. Login to proceed."); } - if ((subject.getId() == 0) && ldapRegistration) {//insert overlord registration and login - //we've verified that this user has valid session, requires registration and that ldap is configured. - Subject superuser = getOverlord(); - - // create the subject, but don't add a principal since LDAP will handle authentication - log.trace("registering new LDAP-authenticated subject [" + subject.getName() + "]"); - createSubject(superuser, subject); - - // nuke the temporary session and establish a new - // one for this subject.. must be done before pulling the - // new subject in order to do it with his own credentials - logout(subject.getSessionId().intValue()); - subject = login(subject.getName(), subjectPassword); - } else {//already registered + if (subject.getId() == 0) {//i)case insensitive check or ii)ldap new user registration. + //BZ-586435: insert case insensitivity for usernames with ldap auth // locate first matching subject and attach. SubjectCriteria subjectCriteria = new SubjectCriteria(); 
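Review bot: Dropping the `ldapRegistration` parameter makes registration implicit: with `if (subject.getId() == 0)` every LDAP-authenticated subject that holds a valid temporary session and has no case-insensitive match falls into the registration branch of the -387 hunk and is created by the overlord, whereas previously the caller had to request that explicitly. That is a meaningful behaviour change on an authentication path, and the Javadoc visible at the top of this hunk (`@return same or new Subject returned from LDAP processing.`) does not mention it; add a sentence such as `If no existing subject matches the authenticated LDAP user, a new subject is registered via the overlord and logged in.` and `@throws LoginException if the session is not valid or LDAP is not configured`. The method body continues in the -387 and -400 hunks.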
@@ -387,12 +376,25 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe log.info(msg); subject = login(ldapSubject.getName(), subjectPassword); Integer sessionId = subject.getSessionId(); - log.debug("Logged in as [" + ldapSubject.getName() + "] with session id [" + sessionId + log.trace("Logged in as [" + ldapSubject.getName() + "] with session id [" + sessionId + "]"); + } else {//then this is a registration request. insert overlord registration and login + //we've verified that this user has valid session, requires registration and that ldap is configured. + Subject superuser = getOverlord(); + + // create the subject, but don't add a principal since LDAP will handle authentication + log.trace("registering new LDAP-authenticated subject [" + subject.getName() + "]"); + createSubject(superuser, subject); + + // nuke the temporary session and establish a new + // one for this subject.. must be done before pulling the + // new subject in order to do it with his own credentials + logout(subject.getSessionId().intValue()); + subject = login(subject.getName(), subjectPassword); } } {//now carry out authz refresh for this Subject - if (subject.getId() > 0) { + if (subject.getId() > 0) {//only act on persisted subjects //BZ-580127: only do group authz check if one or both of group filter fields is set Properties options = systemManager.getSystemConfiguration(); String groupFilter = (String) options.getProperty(RHQConstants.LDAPGroupFilter, ""); 
@@ -400,10 +402,13 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe if ((groupFilter.trim().length() > 0) || (groupMember.trim().length() > 0)) { List<String> groupNames = new ArrayList<String>(ldapManager .findAvailableGroupsFor(subject.getName())); + log.trace("Updating ldap authorization data for user '" + subject.getName() + "'"); ldapManager.assignRolesToLdapSubject(subject.getId(), groupNames); } } } + } else {//ldap not configured. Somehow authenticated for LDAP without being ldap being configured. Error. Bail + throw new LoginException("You are authenticated for LDAP, but LDAP is not configured."); } } } diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java index 2b00345..9339811 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java @@ -219,6 +219,5 @@ public interface SubjectManagerLocal { */ PageList<Subject> findSubjectsByCriteria(Subject subject, SubjectCriteria criteria);
- Subject processSubjectForLdap(Subject subject, String subjectPassword, boolean ldapRegistration) - throws LoginException; + Subject processSubjectForLdap(Subject subject, String subjectPassword) throws LoginException; } \ No newline at end of file
commit 82d0eb6866f0de15a8ff8e49ea6c39f2a8184b2b Author: Simeon Pinder spinder@redhat.com Date: Fri Oct 22 10:01:03 2010 -0400
Numerous changes: i) register new ldap user validation changes ii) UserSessionMgr cleanup iii) *GWTService cleanup iv) revert to use orig Authorization permissions approach v) tighten up security process in processSubjectForLdap vi) subjectCriteria performance change.
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java index 41935c8..c59ce69 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java @@ -22,7 +22,6 @@ */ package org.rhq.enterprise.gui.coregui.client;
-import java.util.ArrayList; import java.util.EnumSet; import java.util.Map;
@@ -46,6 +45,7 @@ import com.smartgwt.client.widgets.Window; import com.smartgwt.client.widgets.events.ClickEvent; import com.smartgwt.client.widgets.events.ClickHandler; import com.smartgwt.client.widgets.form.DynamicForm; +import com.smartgwt.client.widgets.form.ValuesManager; import com.smartgwt.client.widgets.form.events.SubmitValuesEvent; import com.smartgwt.client.widgets.form.events.SubmitValuesHandler; import com.smartgwt.client.widgets.form.fields.CanvasItem; @@ -82,6 +82,7 @@ public class LoginView extends Canvas { private DynamicForm form;
private SubmitItem loginButton; + private ValuesManager valuesManager = new ValuesManager();
public LoginView() { } @@ -92,7 +93,6 @@ public class LoginView extends Canvas { private TextItem email; private TextItem phone; private TextItem department; - private ArrayList<DynamicForm> forms; private static final String FIRST = "first"; private static final String LAST = "last"; private static final String USERNAME = "ldap.username"; @@ -102,6 +102,11 @@ public class LoginView extends Canvas { private static final String SESSIONID = "ldap.sessionid"; private static final String PASSWORD = "ldap.password";
+ public void showLoginDialog(String message) { + showLoginDialog(); + form.setErrorsPreamble(message); + } + public void showLoginDialog() { if (!loginShowing) { loginShowing = true; @@ -193,7 +198,7 @@ public class LoginView extends Canvas { } loginShowing = true;
- forms = new ArrayList<DynamicForm>(); + // forms = new ArrayList<DynamicForm>();
form = new DynamicForm(); form.setMargin(25); @@ -237,7 +242,13 @@ public class LoginView extends Canvas { department.setWidth(fieldWidth); SpacerItem space = new SpacerItem(); space.setColSpan(1); - column.addMember(wrapInDynamicForm(6, header, first, last, username, email, phone, department)); + DynamicForm inputFields = new DynamicForm(); + inputFields.setNumCols(6); + inputFields.setFields(header, first, last, username, email, phone, department); + inputFields.setValuesManager(valuesManager); + loadValidators(inputFields); + column.addMember(inputFields); + HTMLFlow hr = new HTMLFlow("<br/><hr/><br/><br/>"); hr.setWidth(750); hr.setAlign(Alignment.CENTER); @@ -252,10 +263,11 @@ public class LoginView extends Canvas { //check for session timeout if (UserSessionManager.isLoggedOut()) { resetLogin(); + return; }
//validation - if (validateForms(forms)) { + if (valuesManager.validate()) { Log.trace("Successfully validated all data for user registration."); //populate form form.setValue(FIRST, String.valueOf(first.getValue())); @@ -301,6 +313,8 @@ public class LoginView extends Canvas { }
public void onFailure(Throwable caught) { + form.setFieldErrors(FIRST, + "Note: Optional retrieval of ldap details unsuccessful. Manual entry required.", true); Log.debug("Optional LDAP detail retrieval did not succeed. Registration prepopulation will occur."); } }); @@ -310,6 +324,7 @@ public class LoginView extends Canvas { public void onClick(ClickEvent event) { if (UserSessionManager.isLoggedOut()) { resetLogin(); + return; }
//clear out all validation messages. @@ -318,7 +333,7 @@ public class LoginView extends Canvas { first.setValue(empty); last.setValue(empty); email.setValue("test@test.com"); - validateForms(forms); + valuesManager.validate(); } first.clearValue(); last.clearValue(); @@ -334,6 +349,7 @@ public class LoginView extends Canvas { public void onClick(ClickEvent event) { UserSessionManager.logout(); resetLogin(); + return; } }); row.addMember(logout); @@ -362,21 +378,6 @@ public class LoginView extends Canvas { } }
- /** Iterates through the dynamic forms populated then calls validate(). - * - * @param forms - * @return - */ - private boolean validateForms(ArrayList<DynamicForm> forms) { - boolean allValid = true; - for (DynamicForm form : forms) { - if (!form.validate()) { - allValid = false; - } - } - return allValid; - } - /** Go through steps of invalidating this login and piping them back to CoreGUI Login. */ private void resetLogin() { @@ -467,29 +468,6 @@ public class LoginView extends Canvas { } }
- /**Helper method to wrap N form items one a single line/row represented by a DynamicForm - * - * @param columnCount - * @param header - * @return - */ - private Canvas wrapInDynamicForm(int columnCount, FormItem... header) { - DynamicForm form = new DynamicForm(); - if (header != null) { - if (columnCount < 1) {//default to label and details for each form item - form.setNumCols(header.length * 2); - } else { - form.setNumCols(columnCount); - } - form.setFields(header); - //store away all forms for final validation - forms.add(form); - //load validators for form - loadValidators(form); - } - return form; - } - /**Build and loads the validators for each of the formItems * * @param form diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java index e875f66..d505fd1 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java @@ -33,8 +33,6 @@ import com.google.gwt.user.client.Timer; import com.google.gwt.user.client.rpc.AsyncCallback;
import org.rhq.core.domain.auth.Subject; -import org.rhq.core.domain.criteria.SubjectCriteria; -import org.rhq.core.domain.util.PageList; import org.rhq.enterprise.gui.coregui.client.gwt.GWTServiceLookup; import org.rhq.enterprise.gui.coregui.client.util.BrowserUtility; import org.rhq.enterprise.gui.coregui.client.util.preferences.UserPreferences; @@ -195,56 +193,6 @@ public class UserSessionManager { } }
- /** - * - * @param subjectId - * @param sessionId - * @param user - * @param callback - */ - private static void locateSubjectOrLogin(int subjectId, final String sessionId, final String user, String password, - final AsyncCallback<Subject> callback) { - if (subjectId > 0) {//registration not needed - Log.trace("SubjectCriteria search with subjectId:" + subjectId); - SubjectCriteria criteria = new SubjectCriteria(); - criteria.fetchConfiguration(true); - criteria.addFilterId(subjectId); - - //pipe into next asynchronous call. - GWTServiceLookup.getSubjectService().findSubjectsByCriteria(criteria, - new AsyncCallback<PageList<Subject>>() { - public void onFailure(Throwable caught) { - //TODO: how/what to display in LoginView when unexpected communication with server occurs? - // LoginView - // .displayFormError("UserSessionManager: Unable to check subject for LDAP authorization " - // + "- check Server status."); - Log.debug("Failed to load user's subject"); - //show login dialog - new LoginView().showLoginDialog(); - } - - public void onSuccess(PageList<Subject> result) { - Subject subject = result.get(0); - Log.trace("Found subject [" + subject + "]."); - subject.setSessionId(Integer.valueOf(sessionId)); - - // reset the session subject to the latest, for wrapping in user preferences - sessionSubject = subject; - sessionState = State.IS_LOGGED_IN; - //insert ldap check logic - userPreferences = new UserPreferences(sessionSubject); - refresh(); - - callback.onSuccess(subject); - } - }); - } else { - Log.trace("Proceeding with registration for ldap user '" + user + "'."); - sessionState = State.IS_REGISTERING; - new LoginView().showRegistrationDialog(user, sessionId, password, callback); - } - } - public static void login() { login(null, null); } 
@@ -259,10 +207,9 @@ public class UserSessionManager { public void onSuccess(Subject result) { // will build UI if necessary, then fires history event sessionState = State.IS_LOGGED_IN; - if (result != null) {// subject and session has been updated during this login request - Log.trace("A new subject and session has been returned. Updating sessionSubject."); - sessionSubject = result; - } + // subject and session has been updated during this login request + Log.trace("A new subject and session may has been returned. Updating sessionSubject."); + sessionSubject = result; CoreGUI.get().buildCoreUI(); }
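Review bot: The removed `if (result != null)` guard was the only thing keeping `sessionSubject` from being overwritten with null, yet the new trace message ("may has been returned") still implies the result can be absent, so the hunk contradicts itself. If `login` can complete with a null `Subject`, keep the guard: `if (result != null) { sessionSubject = result; }`; if it cannot, change the message to `"A new subject and session has been returned. Updating sessionSubject."` so comment and code agree. The enclosing `onFailure` and the `login` method itself are outside the hunk.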
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/AuthorizationGWTService.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/AuthorizationGWTService.java index 58bae69..13b5572 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/AuthorizationGWTService.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/AuthorizationGWTService.java @@ -72,11 +72,4 @@ public interface AuthorizationGWTService extends RemoteService { */ Set<Permission> getExplicitGlobalPermissions();
- /** - * Lightweight check of whether current user has manage inventory permissions. - * - * @return Boolean answer to manage inventory permissions status. - */ - Boolean checkUserGlobalPermission(Permission permission); - } diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java index 481ae0b..533fcd9 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java @@ -68,15 +68,6 @@ public interface LdapGWTService extends RemoteService { */ Subject processSubjectForLdap(Subject currentSubject, String password, boolean ldapRegistration);
- /** - * - * @param currentSubject - * @param user - * @param password - * @return - */ - void updateLdapGroupAssignmentsForSubject(Subject subject); - /** Finds ldap groups already assigned to this role. * * @param currentRoleId diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java index edb50a0..4abe475 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java @@ -94,8 +94,23 @@ public interface SubjectGWTService extends RemoteService { */ Subject updateSubject(Subject subjectToModify);
+ /** + * Queries subjects using current logged in user. + * + * @param criteria details for the search + * @return PageList<Subject> matching criteria. + */ PageList<Subject> findSubjectsByCriteria(SubjectCriteria criteria);
- Subject processSubjectForLdap(Subject subjectToModify, String password); + /** + * Checks the subject passed in for LDAP processing, to optionally + * i)perform registration of new RHQ LDAP user + * ii)handles case insentive username matches. + * iii)update ldap user->role ldap assignments + * + * @param criteria details for the search + * @return PageList<Subject> matching criteria. + */ + Subject processSubjectForLdap(Subject subjectToModify, String password, boolean registerLdap);
} diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java index b6b23b6..3645614 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java @@ -23,6 +23,7 @@ import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Map; +import java.util.Set;
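Review bot: The Javadoc added for `processSubjectForLdap` documents `@param criteria details for the search` and `@return PageList<Subject> matching criteria.`, which were copied from `findSubjectsByCriteria` just above and do not match a method taking `(Subject subjectToModify, String password, boolean registerLdap)` and returning a `Subject`. Replace them with `@param subjectToModify`, `@param password`, `@param registerLdap` (whether a new RHQ subject is created for the LDAP-authenticated user) and `@return the processed {@link Subject}`; "insentive" should read "insensitive". Documenting that `subjectToModify` is ignored by the server implementation on this page would also help callers.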
import com.allen_sauer.gwt.log.client.Log; import com.google.gwt.user.client.rpc.AsyncCallback; @@ -128,9 +129,10 @@ public class AutodiscoveryQueueDataSource extends DataSource { }
//determine if has manage inventory perms, if so then chain and proceed with getting discovered resources - authorizationService.checkUserGlobalPermission(MANAGE_INVENTORY, new AsyncCallback<Boolean>() { - public void onSuccess(Boolean hasManageInventoryPermissions) { - if (hasManageInventoryPermissions) { + authorizationService.getExplicitGlobalPermissions(new AsyncCallback<Set<Permission>>() { + public void onSuccess(Set<Permission> globalPermissions) { + Boolean accessGranted = globalPermissions.contains(MANAGE_INVENTORY); + if (accessGranted) { if (dataContainerReference != null) { dataContainerReference.setEmptyMessage(EMPTY_MESSAGE); } diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/ResourceAutodiscoveryView.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/ResourceAutodiscoveryView.java index d269e30..be35794 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/ResourceAutodiscoveryView.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/ResourceAutodiscoveryView.java @@ -123,7 +123,8 @@ public class ResourceAutodiscoveryView extends LocatableVLayout {
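Review bot: `Boolean accessGranted = globalPermissions.contains(MANAGE_INVENTORY);` boxes a primitive only to unbox it in the `if` on the next line; write `boolean accessGranted = globalPermissions.contains(MANAGE_INVENTORY);`. Replacing the single-purpose `checkUserGlobalPermission` call with `getExplicitGlobalPermissions` also transfers the caller's whole global permission set on every fetch of this data source; if fetches are frequent, the result could be kept for the lifetime of the data source rather than re-requested, with authorization still enforced server-side. The callback's `onFailure` and the remainder of the fetch are outside the hunk.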
treeGrid.setHeight100();
- treeGrid.setDataSource(dataSource = new AutodiscoveryQueueDataSource(treeGrid)); + dataSource = new AutodiscoveryQueueDataSource(treeGrid); + treeGrid.setDataSource(dataSource); treeGrid.setAutoFetchData(true); treeGrid.setResizeFieldsInRealTime(true);
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/AuthorizationGWTServiceImpl.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/AuthorizationGWTServiceImpl.java index 7a13a94..56a4857 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/AuthorizationGWTServiceImpl.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/AuthorizationGWTServiceImpl.java @@ -83,19 +83,4 @@ public class AuthorizationGWTServiceImpl extends AbstractGWTServiceImpl implemen } }
- /** Lightweight check of whether user has requested permission. - * - * @return Boolean data point. - */ - public Boolean checkUserGlobalPermission(Permission permission) { - Boolean accessGranted = false; - try { - Set<Permission> globalPermissions = authorizationManager.getExplicitGlobalPermissions(getSessionSubject()); - accessGranted = globalPermissions.contains(permission); - return accessGranted; - } catch (Exception e) { - throw new RuntimeException(ThrowableUtil.getAllMessages(e)); - } - } - } diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java index d6723d6..8cf63d5 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java @@ -105,65 +105,6 @@ public class LdapGWTServiceImpl extends AbstractGWTServiceImpl implements LdapGW } }
- public void updateLdapGroupAssignmentsForSubject(Subject subject) { - try { - //BZ-580127: only do group authz check if one or both of group filter fields is set - // Properties options = systemManager.getSystemConfiguration(); - String groupFilter = LookupUtil.getSystemManager().getSystemConfiguration().getProperty( - RHQConstants.LDAPGroupFilter, ""); - String groupMember = LookupUtil.getSystemManager().getSystemConfiguration().getProperty( - RHQConstants.LDAPGroupMember, ""); - if ((groupFilter.trim().length() > 0) || (groupMember.trim().length() > 0)) { - String provider = LookupUtil.getSystemManager().getSystemConfiguration().getProperty( - RHQConstants.JAASProvider); - if (RHQConstants.LDAPJAASProvider.equals(provider)) { - List<String> groupNames = new ArrayList<String>(ldapManager.findAvailableGroupsFor(subject - .getName())); - ldapManager.assignRolesToLdapSubject(subject.getId(), groupNames); - } - } - // try { //defend against ldap communication runtime difficulties. - // } catch (EJBException ejx) { - // //this is the exception type thrown now that we use SLSB.Local methods - // // mine out other exceptions - // Exception cause = ejx.getCausedByException(); - // if (cause == null) { - // ActionMessages actionMessages = new ActionMessages(); - // actionMessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("errors.cam.general")); - // saveErrors(request, actionMessages); - // } else { - // if (cause instanceof LdapFilterException) { - // ActionMessages actionMessages = new ActionMessages(); - // actionMessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage( - // "admin.role.LdapGroupFilterMessage")); - // saveErrors(request, actionMessages); - // } else if (cause instanceof LdapCommunicationException) { - // ActionMessages actionMessages = new ActionMessages(); - // SystemManagerLocal manager = LookupUtil.getSystemManager(); - // options = manager.getSystemConfiguration(); - // String providerUrl = options.getProperty(RHQConstants.LDAPUrl, 
"(unavailable)"); - // actionMessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage( - // "admin.role.LdapCommunicationMessage", providerUrl)); - // saveErrors(request, actionMessages); - // } - // } - // } catch (LdapFilterException lce) { - // ActionMessages actionMessages = new ActionMessages(); - // actionMessages.add(ActionMessages.GLOBAL_MESSAGE, - // new ActionMessage("admin.role.LdapGroupFilterMessage")); - // saveErrors(request, actionMessages); - // } catch (LdapCommunicationException lce) { - // ActionMessages actionMessages = new ActionMessages(); - // String providerUrl = options.getProperty(RHQConstants.LDAPUrl, "(unavailable)"); - // actionMessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage( - // "admin.role.LdapCommunicationMessage", providerUrl)); - // saveErrors(request, actionMessages); - // } - } catch (Exception e) { - throw new RuntimeException(ThrowableUtil.getAllMessages(e)); - } - } - @Override public Set<Map<String, String>> findLdapGroupsAssignedToRole(int roleId) { try { diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java index 953fc36..378e269 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java @@ -95,10 +95,10 @@ public class SubjectGWTServiceImpl extends AbstractGWTServiceImpl implements Sub } }
- public Subject processSubjectForLdap(Subject subjectToModify, String password) { + public Subject processSubjectForLdap(Subject subjectToModify, String password, boolean registerLdap) { try { - return SerialUtility.prepare(subjectManager.processSubjectForLdap(getSessionSubject(), password), - "SubjectManager.processSubjectForLdap"); + return SerialUtility.prepare(subjectManager.processSubjectForLdap(getSessionSubject(), password, + registerLdap), "SubjectManager.processSubjectForLdap"); } catch (Exception e) { throw new RuntimeException(ThrowableUtil.getAllMessages(e)); } diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java index 8e76409..e1ffe82 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java @@ -64,7 +64,6 @@ import org.rhq.enterprise.server.resource.group.ResourceGroupManagerLocal; import org.rhq.enterprise.server.system.SystemManagerLocal; import org.rhq.enterprise.server.util.CriteriaQueryGenerator; import org.rhq.enterprise.server.util.CriteriaQueryRunner; -import org.rhq.enterprise.server.util.LookupUtil;
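Review bot: `subjectToModify` is accepted by the new signature but never read; the SLSB is invoked with `getSessionSubject()`, so the client-supplied object has no effect. Taking identity from the server-side session rather than from the client is the right trust decision for a GWT entry point, but it should be stated, e.g. `// subjectToModify is intentionally ignored: identity comes from the server-side session, never from the client`, or the parameter dropped from the interface. The same applies to the two-argument version added in the later commit's `SubjectGWTServiceImpl` hunk on this page, and the `LdapGWTServiceImpl.processSubjectForLdap` hunk makes the opposite choice by forwarding the client's `currentSubject` unchanged.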
/** * Provides functionality to access and manipulate subjects and principals, mainly for authentication purposes. @@ -349,11 +348,11 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe RHQConstants.LDAPJAASProvider);
if (ldapConfigured) {//i)registration ii)case sensitive matches iii)authorization updates + //check that session is valid. RHQ auth has already occurred. + if (!isValidSessionId(subject.getSessionId(), subject.getName(), subject.getId())) { + throw new LoginException("User session not valid. Login to proceed."); + } if ((subject.getId() == 0) && ldapRegistration) {//insert overlord registration and login - //check that session is valid - if (!isValidSessionId(subject.getSessionId(), subject.getName(), subject.getId())) { - throw new LoginException("User session not valid. Login to proceed."); - } //we've verified that this user has valid session, requires registration and that ldap is configured. Subject superuser = getOverlord();
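Review bot: Hoisting the `isValidSessionId` check above the `ldapRegistration` branch is the right move, since the case-insensitive match and the authz refresh that follow now also run only for a validated session; a short comment stating that it is deliberately the first statement of the LDAP path would keep a later edit from pushing it back down, e.g. `// must stay first: every LDAP branch below acts on this subject's identity`. It is not visible from the hunk whether the `ldapConfigured == false` path mutates the subject without such a check; if it does, the same validation belongs before the `if`. The enclosing method starts and ends outside the hunk.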
@@ -372,9 +371,10 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe SubjectCriteria subjectCriteria = new SubjectCriteria(); subjectCriteria.setCaseSensitive(false); subjectCriteria.setStrict(true); + subjectCriteria.fetchRoles(false); + subjectCriteria.fetchConfiguration(false); subjectCriteria.addFilterName(subject.getName()); - PageList<Subject> subjectsLocated = LookupUtil.getSubjectManager().findSubjectsByCriteria( - subject, subjectCriteria); + PageList<Subject> subjectsLocated = findSubjectsByCriteria(subject, subjectCriteria); //if subject variants located then take the first one with a principal otherwise do nothing //To defend against the case where they create an account with the same name but not //case as an rhq sysadmin or higher perms, then make them relogin with same creds entered. @@ -390,19 +390,6 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe log.debug("Logged in as [" + ldapSubject.getName() + "] with session id [" + sessionId + "]"); } - // {//now carry out authz refresh for this Subject - // if (subject.getId() > 0) { - // //BZ-580127: only do group authz check if one or both of group filter fields is set - // Properties options = systemManager.getSystemConfiguration(); - // String groupFilter = (String) options.getProperty(RHQConstants.LDAPGroupFilter, ""); - // String groupMember = (String) options.getProperty(RHQConstants.LDAPGroupMember, ""); - // if ((groupFilter.trim().length() > 0) || (groupMember.trim().length() > 0)) { - // List<String> groupNames = new ArrayList<String>(ldapManager - // .findAvailableGroupsFor(subject.getName())); - // ldapManager.assignRolesToLdapSubject(subject.getId(), groupNames); - // } - // } - // } } {//now carry out authz refresh for this Subject if (subject.getId() > 0) {
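Review bot: Replacing `LookupUtil.getSubjectManager().findSubjectsByCriteria(...)` with a bare `findSubjectsByCriteria(subject, subjectCriteria)` turns a call through the EJB local interface into a `this` call inside the bean, so any container interceptors bound to that business method (transaction attributes, authorization interceptors) no longer apply to the case-insensitive lookup. If that is intended because the lookup is an internal step of an already-validated session, say so: `// direct call: runs inside this bean's transaction, bypassing the EJB proxy and its interceptors`. `fetchRoles(false)`/`fetchConfiguration(false)` look reasonable if the located subject is only used to re-login, but the code consuming `subjectsLocated` is outside this hunk.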
commit bfb2345015cf187c7ded32562b1fbbc6e30a58d7 Author: Simeon Pinder spinder@redhat.com Date: Thu Oct 21 17:51:05 2010 -0400
Refactor the Subject SLSB to include more of the LDAP logic.
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java index e5d202e..41935c8 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/LoginView.java @@ -437,37 +437,29 @@ public class LoginView extends Canvas { newSubject.setFsystem(false);
if (proceed) { - GWTServiceLookup.getSubjectService().createSubjectUsingOverlord(newSubject, password, + GWTServiceLookup.getLdapService().processSubjectForLdap(newSubject, password, true, new AsyncCallback<Subject>() { - public void onSuccess(final Subject newLoggedInSubject) { - CoreGUI.getMessageCenter().notify( - new Message("Succesfully created new ldap Subject.", Message.Severity.Info)); - Log.trace("New subject created for ldap user."); - //now do group role assignment for initial login - GWTServiceLookup.getLdapService().updateLdapGroupAssignmentsForSubject(newLoggedInSubject, - new AsyncCallback<Void>() { - public void onFailure(Throwable caught) { - CoreGUI.getErrorHandler().handleError("Failed to assign roles for ldap Subject.", - caught); - Log.debug("Failed to assign roles to ldap subject."); - } - - public void onSuccess(Void result) { - CoreGUI.getMessageCenter().notify( - new Message("Succesfully assigned roles for ldap Subject.", - Message.Severity.Info)); - Log.trace("Role assignment update for ldap subject complete."); - window.destroy(); - loginShowing = false; - callback.onSuccess(newLoggedInSubject); - } - }); + public void onFailure(Throwable caught) { + Log.debug("Failed to register LDAP subject:" + caught.getMessage()); + //TODO: how/what to display in LoginView when unexpected communication with server occurs? + // LoginView + // .displayFormError("UserSessionManager: Unable to check subject for LDAP authorization " + // + "- check Server status."); + new LoginView().showLoginDialog(); }
- public void onFailure(Throwable caught) { - CoreGUI.getErrorHandler().handleError("Failed to create ldap Subject.", caught); + public void onSuccess(Subject checked) { + Log.trace("Successfully registered LDAP subject '" + checked + "'."); + + CoreGUI.getMessageCenter().notify( + new Message("Succesfully registered the new ldap Subject.", Message.Severity.Info)); + Log.trace("Succesfully registered the new ldap Subject."); + window.destroy(); + loginShowing = false; + callback.onSuccess(checked); } }); + } else {//log them out then reload LoginView Log.warn("Failed to locate username required to create LDAP subject."); UserSessionManager.logout(); diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java index 06c8604..e875f66 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/UserSessionManager.java @@ -144,21 +144,12 @@ public class UserSessionManager { subject.setSessionId(Integer.valueOf(sessionId)); sessionSubject = subject;
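Review bot: The new `onFailure` downgrades a failed LDAP registration from `CoreGUI.getErrorHandler().handleError(...)` to a `Log.debug` and then opens a fresh `LoginView` without destroying the registration `window` or resetting `loginShowing`, both of which the success branch does; the user gets no indication that registration failed and may be left with two dialogs. Keep the error-handler call, `CoreGUI.getErrorHandler().handleError("Failed to register LDAP subject.", caught);`, and mirror `window.destroy(); loginShowing = false;` before showing the login dialog. The user-visible `"Succesfully registered the new ldap Subject."` is also misspelled. The enclosing `showRegistrationDialog` starts and ends outside the hunk.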
- //checks to see if this user needs registration. - if (subject.getId() == 0) { - // Subject with a ID of 0 means the subject wasn't in the database but the login succeeded. - // This means the login method detected that LDAP authenticated the user and just gave us a dummy subject. - // Set the needs-registration flag so we can eventually steer the user to the LDAP registration workflow. - // needsRegistration = true; - needsRegistration = true; - } - + subject.setName(user); // figure out if ldap auth is used and whether case insenitive ldap auth requests should be handled. - GWTServiceLookup.getLdapService().checkSubjectForLdapAuth(subject, user, password, + GWTServiceLookup.getLdapService().processSubjectForLdap(subject, password, false, new AsyncCallback<Subject>() { public void onFailure(Throwable caught) { - Log.warn("Unable to check subject for LDAP authorization - check Server status." - + caught.getMessage()); + Log.debug("Failed to load user's subject:" + caught.getMessage()); //TODO: how/what to display in LoginView when unexpected communication with server occurs? // LoginView // .displayFormError("UserSessionManager: Unable to check subject for LDAP authorization " @@ -167,20 +158,23 @@ public class UserSessionManager { }
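Review bot: `subject.setName(user);` unconditionally overwrites the name of the subject the server just returned with the value typed into the login form, whereas the removed code treated only `subject.getId() == 0` as the unregistered case. For an already-registered user this sends a client-edited identity back to the server, which the `isValidSessionId(sessionId, name, id)` check in `SubjectManagerBean.processSubjectForLdap` on this page would then have to reject if the name differs; restrict it to the dummy subject, `if (subject.getId() == 0) { subject.setName(user); }`, with a comment that the dummy subject carries no name. Removing `needsRegistration = true` also leaves the later `Log.trace("Subject registration required:" + needsRegistration)` reporting a field nothing on this path sets any more. The enclosing method starts outside the hunk.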
public void onSuccess(Subject checked) { - //now pull the flags/information back out of this subject - if (checked == null) {//no new subject was returned. - // also handles case where user is JDBC-based - Log.trace("No alternative case insensitive LDAP accounts located."); - locateSubjectOrLogin(subjectId, sessionId, user, password, callback); - } else {//alternative Subject returned meaning we located - Log.trace("Case insensitive matching LDAP account located."); - needsRegistration = false; - //change the subject.sessionId + Log.trace("Successfully checked subject '" + checked + "' for LDAP processing."); + if (checked.getId() > 0) {//subject is already registered. + sessionState = State.IS_LOGGED_IN; + // reset the session subject to the latest, for wrapping in user preferences sessionSubject = checked; - locateSubjectOrLogin(checked.getId(), String.valueOf(checked.getSessionId()), - checked.getName(), password, callback); + //insert ldap check logic + userPreferences = new UserPreferences(sessionSubject); + refresh(); + + callback.onSuccess(checked); + + Log.trace("Subject registration required:" + needsRegistration); + } else {//subject requires registration + Log.trace("Proceeding with registration for ldap user '" + user + "'."); + sessionState = State.IS_REGISTERING; + new LoginView().showRegistrationDialog(user, sessionId, password, callback); } - Log.trace("Subject registration required:" + needsRegistration); } }); } else {//invalid session. Back to login @@ -236,6 +230,7 @@ public class UserSessionManager {
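Review bot: The rewritten `onSuccess` dereferences `checked` immediately in `checked.getId() > 0`, while the code it replaces explicitly handled `checked == null` as "no alternative subject returned"; unless the new `processSubjectForLdap` is guaranteed never to return null (its server side on this page returns whatever `subjectManager.processSubjectForLdap` produces), this callback will throw. Restore the guard, e.g. `if (checked == null) { Log.debug("No subject returned from LDAP processing."); new LoginView().showLoginDialog(); return; }`. `Log.trace("Subject registration required:" + needsRegistration)` is also stale, since nothing on this path assigns `needsRegistration` any more. The enclosing method continues outside the hunk.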
// reset the session subject to the latest, for wrapping in user preferences sessionSubject = subject; + sessionState = State.IS_LOGGED_IN; //insert ldap check logic userPreferences = new UserPreferences(sessionSubject); refresh(); diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java index 7915b80..481ae0b 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/LdapGWTService.java @@ -66,7 +66,7 @@ public interface LdapGWTService extends RemoteService { * @param password * @return */ - Subject checkSubjectForLdapAuth(Subject currentSubject, String user, String password); + Subject processSubjectForLdap(Subject currentSubject, String password, boolean ldapRegistration);
/** * diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java index a277f90..edb50a0 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/gwt/SubjectGWTService.java @@ -58,15 +58,6 @@ public interface SubjectGWTService extends RemoteService { Subject createSubject(Subject subjectToCreate);
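Review bot: The renamed `processSubjectForLdap(Subject currentSubject, String password, boolean ldapRegistration)` keeps the previous Javadoc, which still lists `@param password` and an empty `@return` but says nothing about the new `ldapRegistration` flag (a `@param user` entry, if it exists, is above the hunk and is now stale). Add `@param ldapRegistration true to register a new RHQ subject for an LDAP-authenticated user, false to only check or refresh an existing one` and fill in `@return` with what the server hands back.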
/** - * Create a a new subject. Same as createSubject, but uses overlord privileges to automate Subject creation. Ex. Used during - * LDAP logins. - * - * @param subjectToCreate The subject to be created. - * @return the newly persisted {@link Subject} - */ - Subject createSubjectUsingOverlord(Subject subjectToCreate, String password); - - /** * Deletes the given set of users, including both the {@link Subject} and {@link org.rhq.core.domain.auth.Principal} objects associated with * those users. * @@ -105,4 +96,6 @@ public interface SubjectGWTService extends RemoteService {
PageList<Subject> findSubjectsByCriteria(SubjectCriteria criteria);
+ Subject processSubjectForLdap(Subject subjectToModify, String password); + } diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java index a947c57..b6b23b6 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/client/inventory/resource/discovery/AutodiscoveryQueueDataSource.java @@ -150,7 +150,7 @@ public class AutodiscoveryQueueDataSource extends DataSource { Log.debug("(User does not have required managed inventory permissions. " + EMPTY_MESSAGE); response.setTotalRows(0); if (dataContainerReference != null) { - Log.debug("Setting better empty container message." + NO_MANAGE_INVENTORY_PERMS_EMPTY_MESSAGE); + Log.trace("Setting better empty container message." + NO_MANAGE_INVENTORY_PERMS_EMPTY_MESSAGE); dataContainerReference.setEmptyMessage(NO_MANAGE_INVENTORY_PERMS_EMPTY_MESSAGE); } processResponse(request.getRequestId(), response); diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java index 7b27fb6..d6723d6 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/LdapGWTServiceImpl.java @@ -28,7 +28,6 @@ import java.util.Set; import com.allen_sauer.gwt.log.client.Log;
import org.rhq.core.domain.auth.Subject; -import org.rhq.core.domain.criteria.SubjectCriteria; import org.rhq.core.domain.resource.group.LdapGroup; import org.rhq.core.domain.util.PageControl; import org.rhq.core.domain.util.PageList; @@ -193,81 +192,11 @@ public class LdapGWTServiceImpl extends AbstractGWTServiceImpl implements LdapGW * */ @Override - public Subject checkSubjectForLdapAuth(Subject currentSubject, String user, String password) { + public Subject processSubjectForLdap(Subject currentSubject, String password, boolean ldapRegistration) { try { - Subject newSubject = null; - Log.trace("Subject being checked for ldapAuthentication is :" + currentSubject); + currentSubject = subjectManager.processSubjectForLdap(currentSubject, password, ldapRegistration);
- boolean needsRegistrationOrCaseIncorrectOnAccountName = false; - - //null checks. - if ((currentSubject != null) && (user != null) && (password != null)) { - if (currentSubject.getId() == 0) { - // Subject with a ID of 0 means the subject wasn't in the database but the login succeeded. - // This means the login method detected the LDAP authenticated user and gave us a dummy subject. - // Set the needs-registration flag so we can eventually steer the user to the LDAP registration workflow. - needsRegistrationOrCaseIncorrectOnAccountName = true; - } - - Log.trace("Subject has id of :" + currentSubject.getId() + "and requires Registration:" - + needsRegistrationOrCaseIncorrectOnAccountName); - - // figure out if the user has a principal - String provider = LookupUtil.getSystemManager().getSystemConfiguration().getProperty( - RHQConstants.JAASProvider); - boolean ldapEnabled = ((provider != null) && provider.equals(RHQConstants.LDAPJAASProvider)); - - Log.trace("LDAP Authentication has been enabled :" + ldapEnabled); - boolean hasPrincipal = false; - - if (ldapEnabled) { - // when we allow for LDAP authentication, we may still have users logging in with JDBC. - // The only way we can distinguish these users is by checking to see if they have an - // entry in the principals table. If they do, then we know we use JDBC authentication - // for that user. If they do not, then we must be using LDAP to authenticate that user. - // hasPrincipal = subjectManager.isUserWithPrincipal(currentSubject.getName()); - hasPrincipal = subjectManager.isUserWithPrincipal(user); - Log.trace("Subject '" + user + "' hasPrincipal :" + hasPrincipal); - - if (!hasPrincipal && needsRegistrationOrCaseIncorrectOnAccountName) { - //for the case when they're already registered but entering a case sensitive different name - //BZ-586435: insert case insensitivity for usernames with ldap auth - // locate first matching subject and attach. 
- SubjectCriteria subjectCriteria = new SubjectCriteria(); - subjectCriteria.setCaseSensitive(false); - subjectCriteria.setStrict(true); - subjectCriteria.addFilterName(user); - subjectCriteria.fetchRoles(true); - subjectCriteria.fetchConfiguration(true); - PageList<Subject> subjectsLocated = LookupUtil.getSubjectManager().findSubjectsByCriteria( - LookupUtil.getSubjectManager().getOverlord(), subjectCriteria); - Log.trace("Subjects located with name '" + user + "' and found:" + subjectsLocated.size()); - - //if subject variants located then take the first one with a principal otherwise do nothing - //To defend against the case where they create an account with the same name but not - //case as an rhq sysadmin or higher perms, then make them relogin with same creds entered. - if (!subjectsLocated.isEmpty()) {//then case insensitive username matches found. Try to use instead. - Subject ldapSubject = subjectsLocated.get(0); - String msg = "Located existing ldap account with different case for [" - + ldapSubject.getName() + "]. " - + "Attempting to authenticate with that account instead."; - Log.info(msg); - Log.trace("Attempting to log back in with credentials passed in."); - newSubject = subjectManager.login(user, password); - Log.trace("Logged in as [" + ldapSubject.getName() + "] with session id [" - + newSubject.getSessionId() + "]"); - needsRegistrationOrCaseIncorrectOnAccountName = false; - } - } - - } else { - // with regular JDBC authentication, we are guaranteed to have a principal - hasPrincipal = true; - } - } else { - Log.debug("The Subject and user/password cannot be null to proceed."); - } - return SerialUtility.prepare(newSubject, "checkSubjectForLdapAuth"); + return SerialUtility.prepare(currentSubject, "processSubjectForLdap"); } catch (Exception e) { throw new RuntimeException(ThrowableUtil.getAllMessages(e)); } 
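Review bot: The new body forwards the client-supplied `currentSubject` straight into `subjectManager.processSubjectForLdap`, whereas `SubjectGWTServiceImpl.processSubjectForLdap` on this page substitutes `getSessionSubject()`; the two GWT entry points should agree, and this one is the registration path (`LoginView` calls it with a client-built `newSubject` and `true`). Prefer taking id, name and sessionId from the server-side session and copying only the registration profile fields from `currentSubject`, or document why the bean's `isValidSessionId` check is sufficient on its own. The old null guard on `currentSubject`/`password` is gone as well, so a null now surfaces as a `RuntimeException` from the generic catch rather than a clear message. Reassigning the `currentSubject` parameter is a style point; a separate local such as `Subject processed = ...` reads better.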
diff --git a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java index 8c5e9ea..953fc36 100644 --- a/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java +++ b/modules/enterprise/gui/coregui/src/main/java/org/rhq/enterprise/gui/coregui/server/gwt/SubjectGWTServiceImpl.java @@ -18,8 +18,6 @@ */ package org.rhq.enterprise.gui.coregui.server.gwt;
-import com.allen_sauer.gwt.log.client.Log; - import org.rhq.core.domain.auth.Subject; import org.rhq.core.domain.criteria.SubjectCriteria; import org.rhq.core.domain.util.PageList; @@ -64,28 +62,6 @@ public class SubjectGWTServiceImpl extends AbstractGWTServiceImpl implements Sub } }
- /**Same as create subject, but uses Overlord and returns new/non-temporary session. - * - * @param subjectToCreate - * @param password - * @return - */ - public Subject createSubjectUsingOverlord(Subject subjectToCreate, String password) { - try { - //Officially create the new subject - subjectToCreate = subjectManager.createSubject(subjectManager.getOverlord(), subjectToCreate); - // nuke the temporary session and establish a new - // one for this subject.. must be done before pulling the - // new subject in order to do it with his own credentials - subjectManager.logout(getSessionSubject().getSessionId()); - subjectToCreate = subjectManager.login(subjectToCreate.getName(), password); - Log.trace("Created new user with overlord and logged back in with that user."); - return SerialUtility.prepare(subjectToCreate, "SubjectManager.createSubjectUsingOverlord"); - } catch (Exception e) { - throw new RuntimeException(ThrowableUtil.getAllMessages(e)); - } - } - public void deleteSubjects(int[] subjectIds) { try { subjectManager.deleteSubjects(getSessionSubject(), subjectIds); @@ -119,6 +95,15 @@ public class SubjectGWTServiceImpl extends AbstractGWTServiceImpl implements Sub } }
+ public Subject processSubjectForLdap(Subject subjectToModify, String password) { + try { + return SerialUtility.prepare(subjectManager.processSubjectForLdap(getSessionSubject(), password), + "SubjectManager.processSubjectForLdap"); + } catch (Exception e) { + throw new RuntimeException(ThrowableUtil.getAllMessages(e)); + } + } + public PageList<Subject> findSubjectsByCriteria(SubjectCriteria criteria) { try { return SerialUtility.prepare(subjectManager.findSubjectsByCriteria(getSessionSubject(), criteria), diff --git a/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/admin/user/RegisterAction.java b/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/admin/user/RegisterAction.java index 91980ad..1702827 100644 --- a/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/admin/user/RegisterAction.java +++ b/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/admin/user/RegisterAction.java @@ -18,12 +18,8 @@ */ package org.rhq.enterprise.gui.admin.user;
-import java.util.ArrayList; import java.util.HashMap; -import java.util.List; -import java.util.Properties;
-import javax.ejb.EJBException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; @@ -33,8 +29,6 @@ import org.apache.commons.logging.LogFactory; import org.apache.struts.action.ActionForm; import org.apache.struts.action.ActionForward; import org.apache.struts.action.ActionMapping; -import org.apache.struts.action.ActionMessage; -import org.apache.struts.action.ActionMessages;
import org.rhq.core.domain.auth.Subject; import org.rhq.core.domain.configuration.Configuration; @@ -43,10 +37,7 @@ import org.rhq.enterprise.gui.legacy.WebUser; import org.rhq.enterprise.gui.legacy.action.BaseAction; import org.rhq.enterprise.gui.legacy.util.RequestUtils; import org.rhq.enterprise.gui.legacy.util.SessionUtils; -import org.rhq.enterprise.server.RHQConstants; import org.rhq.enterprise.server.auth.SubjectManagerLocal; -import org.rhq.enterprise.server.exception.LdapCommunicationException; -import org.rhq.enterprise.server.exception.LdapFilterException; import org.rhq.enterprise.server.resource.group.LdapGroupManagerLocal; import org.rhq.enterprise.server.system.SystemManagerLocal; import org.rhq.enterprise.server.util.LookupUtil; @@ -121,55 +112,6 @@ public class RegisterAction extends BaseAction { HashMap parms = new HashMap(1); parms.put(Constants.USER_PARAM, newSubject.getId());
- //BZ-580127: only do group authz check if one or both of group filter fields is set - Properties options = systemManager.getSystemConfiguration(); - String groupFilter = (String) options.getProperty(RHQConstants.LDAPGroupFilter, ""); - String groupMember = (String) options.getProperty(RHQConstants.LDAPGroupMember, ""); - if ((groupFilter.trim().length() > 0) || (groupMember.trim().length() > 0)) { - try { //defend against ldap communication runtime difficulties. - String provider = LookupUtil.getSystemManager().getSystemConfiguration().getProperty( - RHQConstants.JAASProvider); - if (RHQConstants.LDAPJAASProvider.equals(provider)) { - List<String> groupNames = new ArrayList(ldapManager.findAvailableGroupsFor(newSubject.getName())); - ldapManager.assignRolesToLdapSubject(newSubject.getId(), groupNames); - } - } catch (EJBException ejx) { - //this is the exception type thrown now that we use SLSB.Local methods - // mine out other exceptions - Exception cause = ejx.getCausedByException(); - if (cause == null) { - ActionMessages actionMessages = new ActionMessages(); - actionMessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("errors.cam.general")); - saveErrors(request, actionMessages); - } else { - if (cause instanceof LdapFilterException) { - ActionMessages actionMessages = new ActionMessages(); - actionMessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage( - "admin.role.LdapGroupFilterMessage")); - saveErrors(request, actionMessages); - } else if (cause instanceof LdapCommunicationException) { - ActionMessages actionMessages = new ActionMessages(); - SystemManagerLocal manager = LookupUtil.getSystemManager(); - options = manager.getSystemConfiguration(); - String providerUrl = options.getProperty(RHQConstants.LDAPUrl, "(unavailable)"); - actionMessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage( - "admin.role.LdapCommunicationMessage", providerUrl)); - saveErrors(request, actionMessages); - } - } - } catch (LdapFilterException lce) { - 
ActionMessages actionMessages = new ActionMessages(); - actionMessages.add(ActionMessages.GLOBAL_MESSAGE, - new ActionMessage("admin.role.LdapGroupFilterMessage")); - saveErrors(request, actionMessages); - } catch (LdapCommunicationException lce) { - ActionMessages actionMessages = new ActionMessages(); - String providerUrl = options.getProperty(RHQConstants.LDAPUrl, "(unavailable)"); - actionMessages.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage( - "admin.role.LdapCommunicationMessage", providerUrl)); - saveErrors(request, actionMessages); - } - } return returnSuccess(request, mapping, parms, false); } } \ No newline at end of file diff --git a/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/authentication/AuthenticateUserAction.java b/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/authentication/AuthenticateUserAction.java index 432d95c..19d7bd3 100644 --- a/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/authentication/AuthenticateUserAction.java +++ b/modules/enterprise/gui/portal-war/src/main/java/org/rhq/enterprise/gui/authentication/AuthenticateUserAction.java @@ -38,8 +38,6 @@ import org.apache.struts.tiles.actions.TilesAction; import org.rhq.core.domain.auth.Subject; import org.rhq.core.domain.authz.Permission; import org.rhq.core.domain.configuration.Configuration; -import org.rhq.core.domain.criteria.SubjectCriteria; -import org.rhq.core.domain.util.PageList; import org.rhq.enterprise.gui.legacy.AttrConstants; import org.rhq.enterprise.gui.legacy.Constants; import org.rhq.enterprise.gui.legacy.WebUser; @@ -79,6 +77,7 @@ public class AuthenticateUserAction extends TilesAction {
log.debug("Logged in as [" + logonForm.getJ_username() + "] with session id [" + sessionId + "]");
+ boolean hasPrincipal = true; if (subject.getId() == 0) { // Subject with a ID of 0 means the subject wasn't in the database but the login succeeded. // This means the login method detected that LDAP authenticated the user and just gave us a dummy subject. @@ -86,47 +85,6 @@ public class AuthenticateUserAction extends TilesAction { needsRegistration = true; }
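Review bot: `hasPrincipal` is now hard-coded to `true` at the top of this hunk, while the following hunk deletes the `isUserWithPrincipal` lookup that used to compute it for LDAP logins. Any later read of `hasPrincipal` in this action (outside the hunk) will now treat an LDAP-authenticated user with no principals row as a JDBC user; if nothing downstream reads it any more, the variable should be removed rather than kept as a constant. If it is still read, keep the lookup, `boolean hasPrincipal = subjectManager.isUserWithPrincipal(logonForm.getJ_username());`, or add a comment stating why the value is always true after this change. The enclosing method starts and ends outside the hunk.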
- // figure out if the user has a principal - boolean usingLDAP = usingLDAPAuthentication(ctx); - boolean hasPrincipal = false; - - if (usingLDAP) { - // when we allow for LDAP authentication, we may still have users logging in with JDBC. - // The only way we can distinguish these users is by checking to see if they have an - // entry in the principals table. If they do, then we know we use JDBC authentication - // for that user. If they do not, then we must be using LDAP to authenticate that user. - hasPrincipal = subjectManager.isUserWithPrincipal(logonForm.getJ_username()); - - if (!hasPrincipal && needsRegistration) { - //for the case when they're already registered but entering a case sensitive different name - //BZ-586435: insert case insensitivity for usernames with ldap auth - // locate first matching subject and attach. - SubjectCriteria subjectCriteria = new SubjectCriteria(); - subjectCriteria.setCaseSensitive(false); - subjectCriteria.setStrict(true); - subjectCriteria.addFilterName(logonForm.getJ_username()); - PageList<Subject> subjectsLocated = LookupUtil.getSubjectManager().findSubjectsByCriteria( - LookupUtil.getSubjectManager().getOverlord(), subjectCriteria); - //if subject variants located then take the first one with a principal otherwise do nothing - //To defend against the case where they create an account with the same name but not - //case as an rhq sysadmin or higher perms, then make them relogin with same creds entered. - if (!subjectsLocated.isEmpty()) {//then case insensitive username matches found. Try to use instead. - Subject ldapSubject = subjectsLocated.get(0); - String msg = "Located existing ldap account with different case for [" + ldapSubject.getName() - + "]. 
" + "Attempting to authenticate with that account instead."; - log.info(msg); - subject = subjectManager.login(ldapSubject.getName(), logonForm.getJ_password()); - sessionId = subject.getSessionId(); - log.debug("Logged in as [" + ldapSubject.getName() + "] with session id [" + sessionId + "]"); - needsRegistration = false; - } - } - - } else { - // with regular JDBC authentication, we are guaranteed to have a principal - hasPrincipal = true; - } - if (!needsRegistration) { subject = subjectManager.loadUserConfiguration(subject.getId()); subject.setSessionId(sessionId); // put the transient data back into our new subject diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java index 3b125e1..8e76409 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerBean.java @@ -59,10 +59,12 @@ import org.rhq.enterprise.server.authz.PermissionException; import org.rhq.enterprise.server.authz.RequiredPermission; import org.rhq.enterprise.server.core.CustomJaasDeploymentServiceMBean; import org.rhq.enterprise.server.exception.LoginException; +import org.rhq.enterprise.server.resource.group.LdapGroupManagerLocal; import org.rhq.enterprise.server.resource.group.ResourceGroupManagerLocal; import org.rhq.enterprise.server.system.SystemManagerLocal; import org.rhq.enterprise.server.util.CriteriaQueryGenerator; import org.rhq.enterprise.server.util.CriteriaQueryRunner; +import org.rhq.enterprise.server.util.LookupUtil;
/** * Provides functionality to access and manipulate subjects and principals, mainly for authentication purposes. @@ -84,6 +86,10 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe private ResourceGroupManagerLocal resourceGroupManager;
@EJB + @IgnoreDependency + private LdapGroupManagerLocal ldapManager; + + @EJB private SystemManagerLocal systemManager;
@EJB @@ -274,7 +280,7 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe
Subject subject = getSubjectByName(username);
- if (subject != null) { + if (subject != null) {//regular JDBC user if (!subject.getFactive()) { throw new LoginException("User account has been disabled."); } @@ -286,6 +292,9 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe try { int sessionId = sessionManager.getSessionIdFromUsername(username); subject.setSessionId(sessionId); + //insert processing for LDAP users who have registered before and have jdbc credentials + log.trace("Processing subject '" + subject.getName() + "' for LDAP functionality."); + subject = processSubjectForLdap(subject, password, false); return subject; } catch (SessionException se) { // nope, no session; continue on so we can create the session @@ -317,6 +326,103 @@ public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRe return subject; }
+ /**This method is applied to non-null Subject instances that may require LDAP auth/authz processing. + * + * @param subject Authenticated subject. + * @return same or new Subject returned from LDAP processing. + * @throws LoginException + */ + public Subject processSubjectForLdap(Subject subject, String subjectPassword, boolean ldapRegistration) + throws LoginException { + + if (subject != null) {//null check + //if user has principal then bail as LDAP processing not required + boolean userHasPrincipal = isUserWithPrincipal(subject.getName()); + + //if user has principal then return as non-ldap user + if (userHasPrincipal) { + return subject; //bail. No further checking required. + } else {//Start LDAP check. + //retrieve configuration properties and do LDAP check + Properties config = systemManager.getSystemConfiguration(); + boolean ldapConfigured = config.getProperty(RHQConstants.JAASProvider).equals( + RHQConstants.LDAPJAASProvider); + + if (ldapConfigured) {//i)registration ii)case sensitive matches iii)authorization updates + if ((subject.getId() == 0) && ldapRegistration) {//insert overlord registration and login + //check that session is valid + if (!isValidSessionId(subject.getSessionId(), subject.getName(), subject.getId())) { + throw new LoginException("User session not valid. Login to proceed."); + } + //we've verified that this user has valid session, requires registration and that ldap is configured. + Subject superuser = getOverlord(); + + // create the subject, but don't add a principal since LDAP will handle authentication + log.trace("registering new LDAP-authenticated subject [" + subject.getName() + "]"); + createSubject(superuser, subject); + + // nuke the temporary session and establish a new + // one for this subject.. 
must be done before pulling the + // new subject in order to do it with his own credentials + logout(subject.getSessionId().intValue()); + subject = login(subject.getName(), subjectPassword); + } else {//already registered + //BZ-586435: insert case insensitivity for usernames with ldap auth + // locate first matching subject and attach. + SubjectCriteria subjectCriteria = new SubjectCriteria(); + subjectCriteria.setCaseSensitive(false); + subjectCriteria.setStrict(true); + subjectCriteria.addFilterName(subject.getName()); + PageList<Subject> subjectsLocated = LookupUtil.getSubjectManager().findSubjectsByCriteria( + subject, subjectCriteria); + //if subject variants located then take the first one with a principal otherwise do nothing + //To defend against the case where they create an account with the same name but not + //case as an rhq sysadmin or higher perms, then make them relogin with same creds entered. + if ((!subjectsLocated.isEmpty()) + && (!subjectsLocated.get(0).getName().equals(subject.getName()))) {//then case insensitive username matches found. Try to use instead. + Subject ldapSubject = subjectsLocated.get(0); + String msg = "Located existing ldap account with different case for [" + + ldapSubject.getName() + "]. 
" + + "Attempting to authenticate with that account instead."; + log.info(msg); + subject = login(ldapSubject.getName(), subjectPassword); + Integer sessionId = subject.getSessionId(); + log.debug("Logged in as [" + ldapSubject.getName() + "] with session id [" + sessionId + + "]"); + } + // {//now carry out authz refresh for this Subject + // if (subject.getId() > 0) { + // //BZ-580127: only do group authz check if one or both of group filter fields is set + // Properties options = systemManager.getSystemConfiguration(); + // String groupFilter = (String) options.getProperty(RHQConstants.LDAPGroupFilter, ""); + // String groupMember = (String) options.getProperty(RHQConstants.LDAPGroupMember, ""); + // if ((groupFilter.trim().length() > 0) || (groupMember.trim().length() > 0)) { + // List<String> groupNames = new ArrayList<String>(ldapManager + // .findAvailableGroupsFor(subject.getName())); + // ldapManager.assignRolesToLdapSubject(subject.getId(), groupNames); + // } + // } + // } + } + {//now carry out authz refresh for this Subject + if (subject.getId() > 0) { + //BZ-580127: only do group authz check if one or both of group filter fields is set + Properties options = systemManager.getSystemConfiguration(); + String groupFilter = (String) options.getProperty(RHQConstants.LDAPGroupFilter, ""); + String groupMember = (String) options.getProperty(RHQConstants.LDAPGroupMember, ""); + if ((groupFilter.trim().length() > 0) || (groupMember.trim().length() > 0)) { + List<String> groupNames = new ArrayList<String>(ldapManager + .findAvailableGroupsFor(subject.getName())); + ldapManager.assignRolesToLdapSubject(subject.getId(), groupNames); + } + } + } + } + } + } + return subject; + } + /** * @see org.rhq.enterprise.server.auth.SubjectManagerLocal#logout(Subject) */ 
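Review bot: `config.getProperty(RHQConstants.JAASProvider).equals(RHQConstants.LDAPJAASProvider)` in the new `processSubjectForLdap` throws a NullPointerException when the JAAS provider property is unset, and that NPE is not a `LoginException` callers expect; invert it as the removed `RegisterAction` code did, `boolean ldapConfigured = RHQConstants.LDAPJAASProvider.equals(config.getProperty(RHQConstants.JAASProvider));`. The authz refresh at the end only calls `assignRolesToLdapSubject`, whereas the `LdapLoginModule` code this commit deletes first removed the subject from every mapped LDAP group role before re-assigning, so unless `assignRolesToLdapSubject` itself revokes memberships a user dropped from an LDAP group keeps the corresponding RHQ role. `findSubjectsByCriteria(subject, subjectCriteria)` now runs as the authenticated subject rather than the overlord used by the removed `AuthenticateUserAction` code, so the case-insensitive lookup may be permission-filtered for ordinary users; confirm this is intended. The commented-out duplicate of the authz block should be deleted, and the Javadoc should describe the two undocumented parameters, `@param subjectPassword plaintext password used to re-login after registration or case correction` and `@param ldapRegistration when true and the subject id is 0, register the subject via the overlord`.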
diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java index d62096b..2b00345 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/auth/SubjectManagerLocal.java @@ -219,4 +219,6 @@ public interface SubjectManagerLocal { */ PageList<Subject> findSubjectsByCriteria(Subject subject, SubjectCriteria criteria);
+ Subject processSubjectForLdap(Subject subject, String subjectPassword, boolean ldapRegistration) + throws LoginException; } \ No newline at end of file diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/LdapLoginModule.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/LdapLoginModule.java index bb29a47..6136d27 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/LdapLoginModule.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/LdapLoginModule.java @@ -19,11 +19,8 @@ package org.rhq.enterprise.server.core.jaas;
import java.security.acl.Group; -import java.util.ArrayList; import java.util.Iterator; -import java.util.List; import java.util.Properties; -import java.util.Set; import java.util.Map.Entry;
import javax.naming.Context; @@ -39,12 +36,6 @@ import org.apache.commons.logging.LogFactory; import org.jboss.security.SimpleGroup; import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
-import org.rhq.core.domain.auth.Subject; -import org.rhq.core.domain.resource.group.LdapGroup; -import org.rhq.core.domain.util.PageControl; -import org.rhq.core.domain.util.PageList; -import org.rhq.enterprise.server.auth.SubjectManagerLocal; -import org.rhq.enterprise.server.authz.RoleManagerLocal; import org.rhq.enterprise.server.resource.group.LdapGroupManagerLocal; import org.rhq.enterprise.server.util.LookupUtil; import org.rhq.enterprise.server.util.security.UntrustedSSLSocketFactory; @@ -207,40 +198,6 @@ public class LdapLoginModule extends UsernamePasswordLoginModule { //if successful then verified that user and pw are valid ldap credentials ctx.reconnect(null);
- //if group auth enabled and user acct already exists then insert authorization check - String groupFilter = (String) options.get("GroupFilter"); - String groupMember = (String) options.get("GroupMemberFilter"); - SubjectManagerLocal sManager = LookupUtil.getSubjectManager(); - Subject ldapSubject = sManager.getSubjectByName(getUsername()); - if (ldapSubject != null && ((groupFilter != null) && !groupFilter.trim().equals("")) - && ((groupMember != null) && !groupMember.trim().equals(""))) { - //check authorized groups to see if this user is authorized via ldap - //BUT still must always return true as authz is handled by RHQ if roles/groups correct - - //retrieve all ldap groups that this user is authorized for based on ldap group filter and group member settings - Set<String> authorizedLdapGroups = ldapManager.findAvailableGroupsFor(userName); - RoleManagerLocal roleManager = LookupUtil.getRoleManager(); - - //find all currently mapped ldap groups - PageList<LdapGroup> allCurrentLdapGroupsRegistered = ldapManager.findLdapGroups(PageControl - .getUnlimitedInstance()); - - //find all roles for currently mapped ldap groups. - //empty current user from all groups -synch - for (LdapGroup gp : allCurrentLdapGroupsRegistered) { - if (gp.getRole() != null) { - gp.getRole().removeSubject(ldapSubject); - } - } - if (authorizedLdapGroups.isEmpty()) { - return true; //bailing out as now correctly authorized correctly. - } - - //else add this subject back to all AuthoriziedLdapGroups - //lookup all roles that map to the authorizedLdapGroup names - List authorizedList = new ArrayList(authorizedLdapGroups); - ldapManager.assignRolesToLdapSubject(ldapSubject.getId(), authorizedList); - } return true; }
commit 100fcb7bef6bafcc061e308c1a1240c7c2343372 Merge: 98209e5... e19fff4... Author: Simeon Pinder spinder@redhat.com Date: Wed Oct 20 13:11:14 2010 -0400
Merge remote branch 'origin/gwt-ldap' into gwt-ldap2
commit 98209e5176c76ad61bccc00313591f7eff3768aa Merge: b949685... 39280ce... Author: Simeon Pinder spinder@redhat.com Date: Wed Oct 20 12:31:16 2010 -0400
Merge remote branch 'origin/gwt-ldap' into gwt-ldap2
commit b9496858222af18d9d04a2b515390dc258495140 Author: Simeon Pinder spinder@redhat.com Date: Tue Oct 19 16:27:00 2010 -0400
Revert " BZ-644344: fix for ldap accounts named 'admin' case insensitive."
This reverts commit 3989386b8cf1fa4ff96c973b4f93eefe4df0f902 — not needed: the case-insensitive check still returns 'admin', which is still not allowed.
diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java index a821bde..e862db9 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java @@ -87,10 +87,9 @@ public class JDBCPrincipalCheckLoginModule extends UsernamePasswordLoginModule { @Override protected String getUsersPassword() throws LoginException { String username = getUsername(); - if ("admin".equalsIgnoreCase(username)) { + if ("admin".equals(username)) { throw new FailedLoginException("Cannot log in as overlord"); } - String password = getUsernameAndPassword()[1]; // what did the user enter? Connection conn = null; PreparedStatement ps = null;
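Review bot: Reverting to `"admin".equals(username)` makes the overlord guard case-sensitive again, so a username such as `Admin` passes this check and falls through to the JDBC password lookup below. The commit message says a case-insensitive check elsewhere still rejects such names, but that check is not in this diff; a one-line comment here, `// case variants of "admin" are rejected by the case-insensitive subject lookup (BZ-644344)`, would keep the next reader from re-adding `equalsIgnoreCase`. The same lines appear reversed in the original commit's hunk below. The rest of `getUsersPassword` continues outside the hunk.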
commit 3989386b8cf1fa4ff96c973b4f93eefe4df0f902 Author: Simeon Pinder spinder@redhat.com Date: Tue Oct 19 12:26:46 2010 -0400
BZ-644344: fix for ldap accounts named 'admin' case insensitive.
diff --git a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java index e862db9..a821bde 100644 --- a/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java +++ b/modules/enterprise/server/jar/src/main/java/org/rhq/enterprise/server/core/jaas/JDBCPrincipalCheckLoginModule.java @@ -87,9 +87,10 @@ public class JDBCPrincipalCheckLoginModule extends UsernamePasswordLoginModule { @Override protected String getUsersPassword() throws LoginException { String username = getUsername(); - if ("admin".equals(username)) { + if ("admin".equalsIgnoreCase(username)) { throw new FailedLoginException("Cannot log in as overlord"); } + String password = getUsernameAndPassword()[1]; // what did the user enter? Connection conn = null; PreparedStatement ps = null;