diff --git a/src/main/java/org/codelibs/fess/app/web/base/FessSearchAction.java b/src/main/java/org/codelibs/fess/app/web/base/FessSearchAction.java
index b931b6929..31fb0330f 100644
--- a/src/main/java/org/codelibs/fess/app/web/base/FessSearchAction.java
+++ b/src/main/java/org/codelibs/fess/app/web/base/FessSearchAction.java
@@ -29,7 +29,7 @@ import org.apache.commons.lang3.StringEscapeUtils;
 import org.codelibs.core.lang.StringUtil;
 import org.codelibs.core.net.URLUtil;
 import org.codelibs.fess.Constants;
-import org.codelibs.fess.app.web.login.LoginAction;
+import org.codelibs.fess.app.web.sso.SsoAction;
 import org.codelibs.fess.es.client.FessEsClient;
 import org.codelibs.fess.helper.LabelTypeHelper;
 import org.codelibs.fess.helper.OpenSearchHelper;
@@ -206,7 +206,7 @@ public abstract class FessSearchAction extends FessBaseAction {
     }
 
     protected HtmlResponse redirectToLogin() {
-        return redirect(LoginAction.class);
+        return redirect(SsoAction.class);
     }
 
     protected HtmlResponse redirectToRoot() {
diff --git a/src/main/java/org/codelibs/fess/app/web/sso/SsoAction.java b/src/main/java/org/codelibs/fess/app/web/sso/SsoAction.java
index 505415dee..8f1a60cde 100644
--- a/src/main/java/org/codelibs/fess/app/web/sso/SsoAction.java
+++ b/src/main/java/org/codelibs/fess/app/web/sso/SsoAction.java
@@ -15,6 +15,8 @@
  */
 package org.codelibs.fess.app.web.sso;
 
+import javax.servlet.http.HttpServletResponse;
+
 import org.codelibs.fess.app.web.base.FessLoginAction;
 import org.codelibs.fess.app.web.base.login.EmptyLoginCredential;
 import org.codelibs.fess.app.web.base.login.LoginCredential;
@@ -24,6 +26,7 @@ import org.codelibs.fess.util.ComponentUtil;
 import org.lastaflute.web.Execute;
 import org.lastaflute.web.login.exception.LoginFailureException;
 import org.lastaflute.web.response.ActionResponse;
+import org.lastaflute.web.servlet.filter.RequestLoggingFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
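Review bot: `redirectToLogin()` now sends every unauthenticated search request to `SsoAction` instead of the login form, so whether a deployment without SSO still reaches the form depends on `SsoAction` redirecting to `LoginAction` when no credential is produced (the `return redirect(LoginAction.class)` branch visible in the SsoAction hunk below), while an `EmptyLoginCredential` there now ends in a 401. That fallback is the contract this method relies on and it is not stated anywhere in the hunk; a comment such as `// SsoAction redirects to LoginAction when no SSO credential is available` plus a test of the SSO-disabled path would pin it down. The enclosing class continues outside the hunk.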
@@ -48,7 +51,8 @@ public class SsoAction extends FessLoginAction {
             saveError(messages -> messages.addErrorsSsoLoginError(GLOBAL));
             return redirect(LoginAction.class);
         } else if (loginCredential instanceof EmptyLoginCredential) {
-            return null;
+            throw new RequestLoggingFilter.RequestClientErrorException("Your request is not authorized.", "401 Unauthorized",
+                    HttpServletResponse.SC_UNAUTHORIZED);
         }
         try {
             return fessLoginAssist.loginRedirect(loginCredential, op -> {}, () -> {
@@ -59,7 +63,9 @@ public class SsoAction extends FessLoginAction {
                 if (logger.isDebugEnabled()) {
                     logger.debug("SSO login failure.", lfe);
                 }
-                saveError(messages -> messages.addErrorsSsoLoginError(GLOBAL));
+                if (fessConfig.isSsoEnabled()) {
+                    saveError(messages -> messages.addErrorsSsoLoginError(GLOBAL));
+                }
                 return redirect(LoginAction.class);
             }
         }
diff --git a/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java b/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java
index ce5344c3a..53f0c29bb 100644
--- a/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java
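Review bot: The 401 thrown for `EmptyLoginCredential` replaces a `return null`, and nothing in the hunk shows whether the SSO filter has already written a `WWW-Authenticate: Negotiate` challenge to the response; if it has, throwing here asks the framework to render a second error response on an already committed stream, and if it has not, a bare 401 without the challenge header ends the negotiation instead of letting the browser retry with a ticket. Confirm which case applies and record it on the branch, e.g. `// EmptyLoginCredential: the SSO filter has issued the Negotiate challenge; finish with 401 and render no view`. The status text `"401 Unauthorized"` duplicates `HttpServletResponse.SC_UNAUTHORIZED`; a shared constant would keep the two from disagreeing if more branches are added. The enclosing method starts outside the hunk.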
@@ -106,9 +106,14 @@ public class RoleQueryHelper {
         final FessConfig fessConfig = ComponentUtil.getFessConfig();
         final RequestManager requestManager = ComponentUtil.getRequestManager();
 
-        requestManager.findUserBean(FessUserBean.class)
-                .ifPresent(fessUserBean -> stream(fessUserBean.getPermissions()).of(stream -> stream.forEach(roleList::add)))
-                .orElse(() -> roleList.addAll(fessConfig.getSearchGuestPermissionList()));
+        try {
+            requestManager.findUserBean(FessUserBean.class)
+                    .ifPresent(fessUserBean -> stream(fessUserBean.getPermissions()).of(stream -> stream.forEach(roleList::add)))
+                    .orElse(() -> roleList.addAll(fessConfig.getSearchGuestPermissionList()));
+        } catch (RuntimeException e) {
+            requestManager.findLoginManager(FessUserBean.class).ifPresent(manager -> manager.logout());
+            throw e;
+        }
 
         if (defaultRoleList != null) {
             roleList.addAll(defaultRoleList);
diff --git a/src/main/java/org/codelibs/fess/ldap/LdapManager.java b/src/main/java/org/codelibs/fess/ldap/LdapManager.java
index ebe1f80cf..72c450f9a 100644
--- a/src/main/java/org/codelibs/fess/ldap/LdapManager.java
+++ b/src/main/java/org/codelibs/fess/ldap/LdapManager.java
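Review bot: In the new catch block `manager.logout()` runs before `throw e;`, so if the logout itself fails its exception replaces the original one and the reason the permission lookup failed is lost. Dropping the session when the user bean cannot be read is a sound fail-closed choice, but the rethrow should survive a secondary failure; wrapping the logout and attaching any failure with `addSuppressed` keeps both, and a comment should say why the logout is there since `catch (RuntimeException e)` reads as a catch-all. The enclosing method starts and ends outside the hunk.
```java
        } catch (RuntimeException e) {
            // Fail closed: a user bean that cannot be read must not leave a live session behind.
            try {
                requestManager.findLoginManager(FessUserBean.class).ifPresent(manager -> manager.logout());
            } catch (RuntimeException logoutFailure) {
                e.addSuppressed(logoutFailure);
            }
            throw e;
        }
```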
@@ -74,21 +74,29 @@ public class LdapManager {
 
     protected Hashtable createAdminEnv() {
         final FessConfig fessConfig = ComponentUtil.getFessConfig();
-        return createEnvironment(fessConfig.getLdapAdminInitialContextFactory(), fessConfig.getLdapAdminSecurityAuthentication(),
-                fessConfig.getLdapAdminProviderUrl(), fessConfig.getLdapAdminSecurityPrincipal(),
+        return createEnvironment(//
+                fessConfig.getLdapAdminInitialContextFactory(), //
+                fessConfig.getLdapAdminSecurityAuthentication(), fessConfig.getLdapAdminProviderUrl(), //
+                fessConfig.getLdapAdminSecurityPrincipal(), //
                 fessConfig.getLdapAdminSecurityCredentials());
     }
 
     protected Hashtable createSearchEnv(final String username, final String password) {
         final FessConfig fessConfig = ComponentUtil.getFessConfig();
-        return createEnvironment(fessConfig.getLdapInitialContextFactory(), fessConfig.getLdapSecurityAuthentication(),
-                fessConfig.getLdapProviderUrl(), fessConfig.getLdapSecurityPrincipal(username), password);
+        return createEnvironment(//
+                fessConfig.getLdapInitialContextFactory(), //
+                fessConfig.getLdapSecurityAuthentication(), //
+                fessConfig.getLdapProviderUrl(), //
+                fessConfig.getLdapSecurityPrincipal(username), password);
     }
 
     protected Hashtable createSearchEnv() {
         final FessConfig fessConfig = ComponentUtil.getFessConfig();
-        return createEnvironment(fessConfig.getLdapInitialContextFactory(), fessConfig.getLdapSecurityAuthentication(),
-                fessConfig.getLdapProviderUrl(), fessConfig.getLdapAdminSecurityPrincipal(), fessConfig.getLdapAdminSecurityCredentials());
+        return createEnvironment(//
+                fessConfig.getLdapAdminInitialContextFactory(), //
+                fessConfig.getLdapAdminSecurityAuthentication(), fessConfig.getLdapAdminProviderUrl(), //
+                fessConfig.getLdapAdminSecurityPrincipal(), //
+                fessConfig.getLdapAdminSecurityCredentials());
     }
 
     public OptionalEntity login(final String username, final String password) {
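Review bot: After this change the no-argument `createSearchEnv()` builds exactly the same environment as `createAdminEnv()` — the same five admin getters in the same order — so the two bodies will drift apart the next time one is edited; `return createAdminEnv();` keeps a single source of truth, or the method needs a Javadoc line stating that searches without a user context deliberately bind with the admin credentials. The trailing `//` markers on the new lines exist only to pin the formatter's line breaks; a short comment above the first call saying so would spare readers from looking for missing text.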
@@ -141,19 +149,18 @@ public class LdapManager {
             // LDAP: cn=%s
             // AD: (&(objectClass=user)(sAMAccountName=%s))
             final String filter = String.format(accountFilter, ldapUser.getName());
-            search(bindDn, filter, new String[] { fessConfig.getLdapMemberofAttribute() },
-                    () -> createSearchEnv(ldapUser.getName(), ldapUser.getPassword()), result -> {
-                        processSearchRoles(result, (entryDn, name) -> {
-                            final boolean isRole = entryDn.toLowerCase(Locale.ROOT).indexOf("ou=role") != -1;
-                            if (isRole) {
-                                if (fessConfig.isLdapRoleSearchRoleEnabled()) {
-                                    roleList.add(systemHelper.getSearchRoleByRole(name));
-                                }
-                            } else if (fessConfig.isLdapRoleSearchGroupEnabled()) {
-                                roleList.add(systemHelper.getSearchRoleByGroup(name));
-                            }
-                        });
-                    });
+            search(bindDn, filter, new String[] { fessConfig.getLdapMemberofAttribute() }, () -> ldapUser.getEnvironment(), result -> {
+                processSearchRoles(result, (entryDn, name) -> {
+                    final boolean isRole = entryDn.toLowerCase(Locale.ROOT).indexOf("ou=role") != -1;
+                    if (isRole) {
+                        if (fessConfig.isLdapRoleSearchRoleEnabled()) {
+                            roleList.add(systemHelper.getSearchRoleByRole(name));
+                        }
+                    } else if (fessConfig.isLdapRoleSearchGroupEnabled()) {
+                        roleList.add(systemHelper.getSearchRoleByGroup(name));
+                    }
+                });
+            });
             return roleList.toArray(new String[roleList.size()]);
         }
 
diff --git a/src/main/java/org/codelibs/fess/ldap/LdapUser.java b/src/main/java/org/codelibs/fess/ldap/LdapUser.java
index 4c4ca77b5..440ed337b 100644
--- a/src/main/java/org/codelibs/fess/ldap/LdapUser.java
+++ b/src/main/java/org/codelibs/fess/ldap/LdapUser.java
@@ -84,7 +84,4 @@ public class LdapUser implements FessUser {
         return env;
     }
 
-    public String getPassword() {
-        return getEnvironment().get(Context.SECURITY_CREDENTIALS);
-    }
 }
diff --git a/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java b/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java
index 5cc36cf45..a0721b4ee 100644
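Review bot: The rebound search lambda `() -> ldapUser.getEnvironment()` hands the search whatever environment is stored on the `LdapUser`; the `getPassword()` deleted in the LdapUser hunk read `Context.SECURITY_CREDENTIALS` out of that same map, so the stored environment presumably still carries the user's bind password for as long as the `LdapUser` object lives, and removing the accessor hides that rather than changing it. A comment at the call site would make the dependency explicit, e.g. `// binds as the user: the stored environment carries the SECURITY_CREDENTIALS captured for this user`, and the `LdapUser` class should state the same. Stylistically the lambda can be the method reference `ldapUser::getEnvironment`, and `indexOf("ou=role") != -1` reads more directly as `contains("ou=role")`. The enclosing method starts outside the hunk.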
--- a/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java
+++ b/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java
@@ -15,6 +15,7 @@
  */
 package org.codelibs.fess.sso.spnego;
 
+import java.io.File;
 import java.util.Enumeration;
 
 import javax.annotation.PostConstruct;
@@ -22,7 +23,7 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletResponse;
 
-import org.codelibs.core.lang.StringUtil;
+import org.codelibs.core.io.ResourceUtil;
 import org.codelibs.fess.app.web.base.login.EmptyLoginCredential;
 import org.codelibs.fess.app.web.base.login.LoginCredential;
 import org.codelibs.fess.app.web.base.login.SsoLoginCredential;
@@ -100,11 +101,8 @@ public class SpnegoAuthenticator implements SsoAuthenticator {
                 logger.debug("principal=" + principal);
             }
 
-            final String username = LaRequestUtil.getOptionalRequest().map(r -> r.getRemoteUser()).orElseGet(() -> null);
-            if (StringUtil.isBlank(username)) {
-                return null;
-            }
-            return new SsoLoginCredential(username);
+            final String[] username = principal.getName().split("@", 2);
+            return new SsoLoginCredential(username[0]);
         }).orElseGet(() -> null);
     }
 
@@ -128,9 +126,9 @@ public class SpnegoAuthenticator implements SsoAuthenticator {
             if (SpnegoHttpFilter.Constants.LOGGER_LEVEL.equals(name)) {
                 return fessConfig.getSpnegoLoggerLevel();
             } else if (SpnegoHttpFilter.Constants.LOGIN_CONF.equals(name)) {
-                return fessConfig.getSpnegoLoginConf();
+                return getResourcePath(fessConfig.getSpnegoLoginConf());
             } else if (SpnegoHttpFilter.Constants.KRB5_CONF.equals(name)) {
-                return fessConfig.getSpnegoKrb5Conf();
+                return getResourcePath(fessConfig.getSpnegoKrb5Conf());
             } else if (SpnegoHttpFilter.Constants.CLIENT_MODULE.equals(name)) {
                 return fessConfig.getSpnegoLoginClientModule();
             } else if (SpnegoHttpFilter.Constants.SERVER_MODULE.equals(name)) {
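Review bot: `principal.getName().split("@", 2)[0]` drops the blank check the removed lines had: a principal whose name is empty or starts with `@` yields `""`, and an `SsoLoginCredential("")` is returned where the old code returned null. Cutting the realm also means `alice@REALM1` and `alice@REALM2` map to the same local user `alice`; if more than one realm can authenticate against this endpoint that is an account-collision path, so either keep the full principal name or compare the realm part against the one the deployment expects before discarding it. A minimal guard is `final String name = principal.getName().split("@", 2)[0]; if (name.isEmpty()) { return null; } return new SsoLoginCredential(name);`. The lambda and the enclosing method both start outside the hunk.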
@@ -153,6 +151,14 @@ public class SpnegoAuthenticator implements SsoAuthenticator {
         return null;
     }
 
+    protected String getResourcePath(final String path) {
+        final File file = ResourceUtil.getResourceAsFileNoException(path);
+        if (file != null) {
+            return file.getAbsolutePath();
+        }
+        return null;
+    }
+
     @Override
     public Enumeration getInitParameterNames() {
         throw new UnsupportedOperationException();
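Review bot: `getResourcePath` returns null when `ResourceUtil.getResourceAsFileNoException` cannot resolve the configured value, and its two callers in the `getInitParameter` hunk above (`LOGIN_CONF` and `KRB5_CONF`) pass that null straight to the SPNEGO filter; before this change the configured string reached the filter unchanged, so a JAAS or krb5 configuration given as a plain filesystem path would now silently disappear if that helper only resolves classpath resources. Returning the original value in the fallback, `return path;`, keeps the previous behavior for such paths, and a debug log when the lookup falls through would make the misconfiguration visible instead of surfacing as a failed Kerberos setup. Add a Javadoc line stating that the method maps a classpath resource name to an absolute file path and what it returns when the resource is absent.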