
fix #571 modify ldap handling

Shinsuke Sugaya 9 years ago
parent
commit
ab1e2d0adb

+ 2 - 2
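--- a/src/main/java/org/codelibs/fess/app/web/base/FessSearchAction.java
+++ b/src/main/java/org/codelibs/fess/app/web/base/FessSearchAction.java
@@ -29,7 +29,7 @@ import org.apache.commons.lang3.StringEscapeUtils;
 import org.codelibs.core.lang.StringUtil;
 import org.codelibs.core.net.URLUtil;
 import org.codelibs.fess.Constants;
-import org.codelibs.fess.app.web.login.LoginAction;
+import org.codelibs.fess.app.web.sso.SsoAction;
 import org.codelibs.fess.es.client.FessEsClient;
 import org.codelibs.fess.helper.LabelTypeHelper;
 import org.codelibs.fess.helper.OpenSearchHelper;
@@ -206,7 +206,7 @@ public abstract class FessSearchAction extends FessBaseAction {
     }
 
     protected HtmlResponse redirectToLogin() {
-        return redirect(LoginAction.class);
+        return redirect(SsoAction.class);
     }
 
     protected HtmlResponse redirectToRoot() {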
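Review bot: `redirectToLogin()` now sends every unauthenticated search request to `SsoAction` whether or not SSO is configured, and the same commit makes `SsoAction` answer an `EmptyLoginCredential` with a 401 instead of `return null`, so a deployment without SSO may no longer reach the login form from this path. How `SsoAction` obtains its credential is outside the visible hunks, so this is an inference to confirm rather than a certain defect. If the behaviour is intended, a one-line comment on `redirectToLogin()` stating what a non-SSO deployment should expect (fallback to the form login, or a 401) would document the contract for the next reader.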

+ 8 - 2
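--- a/src/main/java/org/codelibs/fess/app/web/sso/SsoAction.java
+++ b/src/main/java/org/codelibs/fess/app/web/sso/SsoAction.java
@@ -15,6 +15,8 @@
  */
 package org.codelibs.fess.app.web.sso;
 
+import javax.servlet.http.HttpServletResponse;
+
 import org.codelibs.fess.app.web.base.FessLoginAction;
 import org.codelibs.fess.app.web.base.login.EmptyLoginCredential;
 import org.codelibs.fess.app.web.base.login.LoginCredential;
@@ -24,6 +26,7 @@ import org.codelibs.fess.util.ComponentUtil;
 import org.lastaflute.web.Execute;
 import org.lastaflute.web.login.exception.LoginFailureException;
 import org.lastaflute.web.response.ActionResponse;
+import org.lastaflute.web.servlet.filter.RequestLoggingFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -48,7 +51,8 @@ public class SsoAction extends FessLoginAction {
             saveError(messages -> messages.addErrorsSsoLoginError(GLOBAL));
             return redirect(LoginAction.class);
         } else if (loginCredential instanceof EmptyLoginCredential) {
-            return null;
+            throw new RequestLoggingFilter.RequestClientErrorException("Your request is not authorized.", "401 Unauthorized",
+                    HttpServletResponse.SC_UNAUTHORIZED);
         }
         try {
             return fessLoginAssist.loginRedirect(loginCredential, op -> {}, () -> {
@@ -59,7 +63,9 @@ public class SsoAction extends FessLoginAction {
             if (logger.isDebugEnabled()) {
                 logger.debug("SSO login failure.", lfe);
             }
-            saveError(messages -> messages.addErrorsSsoLoginError(GLOBAL));
+            if (fessConfig.isSsoEnabled()) {
+                saveError(messages -> messages.addErrorsSsoLoginError(GLOBAL));
+            }
             return redirect(LoginAction.class);
         }
     }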
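Review bot: In the last hunk, when `fessConfig.isSsoEnabled()` is false a `LoginFailureException` now leaves no trace beyond a debug-level entry — the user gets a plain redirect and the operator sees nothing at default log levels, although a failed SSO authentication is exactly the event an incident responder wants recorded. Consider `logger.warn("SSO login failure: {}", lfe.getMessage());` outside the `isDebugEnabled()` guard, keeping the full stack trace at debug. The enclosing `catch` and the method it belongs to start above this hunk. In the third hunk, the new 401 for `EmptyLoginCredential` is worth checking against the SPNEGO filter's own challenge handling: a bare 401 carrying no `WWW-Authenticate` header will not prompt a browser to negotiate, if that is what the authenticator relies on.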

+ 8 - 3
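--- a/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/RoleQueryHelper.java
@@ -106,9 +106,14 @@ public class RoleQueryHelper {
 
         final FessConfig fessConfig = ComponentUtil.getFessConfig();
         final RequestManager requestManager = ComponentUtil.getRequestManager();
-        requestManager.findUserBean(FessUserBean.class)
-                .ifPresent(fessUserBean -> stream(fessUserBean.getPermissions()).of(stream -> stream.forEach(roleList::add)))
-                .orElse(() -> roleList.addAll(fessConfig.getSearchGuestPermissionList()));
+        try {
+            requestManager.findUserBean(FessUserBean.class)
+                    .ifPresent(fessUserBean -> stream(fessUserBean.getPermissions()).of(stream -> stream.forEach(roleList::add)))
+                    .orElse(() -> roleList.addAll(fessConfig.getSearchGuestPermissionList()));
+        } catch (RuntimeException e) {
+            requestManager.findLoginManager(FessUserBean.class).ifPresent(manager -> manager.logout());
+            throw e;
+        }
 
         if (defaultRoleList != null) {
             roleList.addAll(defaultRoleList);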
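Review bot: The new `catch (RuntimeException e)` logs the user out and rethrows, but if `manager.logout()` itself throws, that secondary exception replaces `e` and the original reason for the forced logout is lost; a catch this broad also means any unrelated runtime error while reading permissions (a null `getPermissions()`, for instance) silently terminates the session with no record of why. Consider isolating the logout call and attaching its failure as a suppressed exception, and, if this class has a logger, recording the forced logout at warn level since it is a security-relevant event. The enclosing method starts above this hunk.
```java
        // … unchanged: findUserBean(...) permission lookup …
        } catch (RuntimeException e) {
            try {
                requestManager.findLoginManager(FessUserBean.class).ifPresent(manager -> manager.logout());
            } catch (RuntimeException logoutFailure) {
                e.addSuppressed(logoutFailure); // keep the original failure as the primary cause
            }
            throw e;
        }
```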

+ 26 - 19
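--- a/src/main/java/org/codelibs/fess/ldap/LdapManager.java
+++ b/src/main/java/org/codelibs/fess/ldap/LdapManager.java
@@ -74,21 +74,29 @@ public class LdapManager {
 
     protected Hashtable<String, String> createAdminEnv() {
         final FessConfig fessConfig = ComponentUtil.getFessConfig();
-        return createEnvironment(fessConfig.getLdapAdminInitialContextFactory(), fessConfig.getLdapAdminSecurityAuthentication(),
-                fessConfig.getLdapAdminProviderUrl(), fessConfig.getLdapAdminSecurityPrincipal(),
+        return createEnvironment(//
+                fessConfig.getLdapAdminInitialContextFactory(), //
+                fessConfig.getLdapAdminSecurityAuthentication(), fessConfig.getLdapAdminProviderUrl(), //
+                fessConfig.getLdapAdminSecurityPrincipal(), //
                 fessConfig.getLdapAdminSecurityCredentials());
     }
 
     protected Hashtable<String, String> createSearchEnv(final String username, final String password) {
         final FessConfig fessConfig = ComponentUtil.getFessConfig();
-        return createEnvironment(fessConfig.getLdapInitialContextFactory(), fessConfig.getLdapSecurityAuthentication(),
-                fessConfig.getLdapProviderUrl(), fessConfig.getLdapSecurityPrincipal(username), password);
+        return createEnvironment(//
+                fessConfig.getLdapInitialContextFactory(), //
+                fessConfig.getLdapSecurityAuthentication(), //
+                fessConfig.getLdapProviderUrl(), //
+                fessConfig.getLdapSecurityPrincipal(username), password);
     }
 
     protected Hashtable<String, String> createSearchEnv() {
         final FessConfig fessConfig = ComponentUtil.getFessConfig();
-        return createEnvironment(fessConfig.getLdapInitialContextFactory(), fessConfig.getLdapSecurityAuthentication(),
-                fessConfig.getLdapProviderUrl(), fessConfig.getLdapAdminSecurityPrincipal(), fessConfig.getLdapAdminSecurityCredentials());
+        return createEnvironment(//
+                fessConfig.getLdapAdminInitialContextFactory(), //
+                fessConfig.getLdapAdminSecurityAuthentication(), fessConfig.getLdapAdminProviderUrl(), //
+                fessConfig.getLdapAdminSecurityPrincipal(), //
+                fessConfig.getLdapAdminSecurityCredentials());
     }
 
     public OptionalEntity<FessUser> login(final String username, final String password) {
@@ -141,19 +149,18 @@ public class LdapManager {
         // LDAP: cn=%s
         // AD: (&(objectClass=user)(sAMAccountName=%s))
         final String filter = String.format(accountFilter, ldapUser.getName());
-        search(bindDn, filter, new String[] { fessConfig.getLdapMemberofAttribute() },
-                () -> createSearchEnv(ldapUser.getName(), ldapUser.getPassword()), result -> {
-                    processSearchRoles(result, (entryDn, name) -> {
-                        final boolean isRole = entryDn.toLowerCase(Locale.ROOT).indexOf("ou=role") != -1;
-                        if (isRole) {
-                            if (fessConfig.isLdapRoleSearchRoleEnabled()) {
-                                roleList.add(systemHelper.getSearchRoleByRole(name));
-                            }
-                        } else if (fessConfig.isLdapRoleSearchGroupEnabled()) {
-                            roleList.add(systemHelper.getSearchRoleByGroup(name));
-                        }
-                    });
-                });
+        search(bindDn, filter, new String[] { fessConfig.getLdapMemberofAttribute() }, () -> ldapUser.getEnvironment(), result -> {
+            processSearchRoles(result, (entryDn, name) -> {
+                final boolean isRole = entryDn.toLowerCase(Locale.ROOT).indexOf("ou=role") != -1;
+                if (isRole) {
+                    if (fessConfig.isLdapRoleSearchRoleEnabled()) {
+                        roleList.add(systemHelper.getSearchRoleByRole(name));
+                    }
+                } else if (fessConfig.isLdapRoleSearchGroupEnabled()) {
+                    roleList.add(systemHelper.getSearchRoleByGroup(name));
+                }
+            });
+        });
 
         return roleList.toArray(new String[roleList.size()]);
     }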
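Review bot: The rewritten `search(...)` call in the second hunk still passes `filter`, which the context line above builds with `String.format(accountFilter, ldapUser.getName())` and no escaping, so a name containing LDAP filter metacharacters (`*`, `(`, `)`, `\`, NUL) changes the meaning of the query; if `ldapUser.getName()` can originate from user input (it appears to come from the login flow, but that is outside these hunks), escape the value per RFC 4515 before formatting it, for example through a small escaping helper in this class. Separately, in the first hunk the no-argument `createSearchEnv()` now reads exactly the same admin settings as `createAdminEnv()`, so it could simply `return createAdminEnv();` — or, if the two are meant to diverge later, a comment saying why a search context binds with the admin account would help the next reader. The method containing the second hunk starts above it.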
     }

+ 0 - 3
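--- a/src/main/java/org/codelibs/fess/ldap/LdapUser.java
+++ b/src/main/java/org/codelibs/fess/ldap/LdapUser.java
@@ -84,7 +84,4 @@ public class LdapUser implements FessUser {
         return env;
     }
 
-    public String getPassword() {
-        return getEnvironment().get(Context.SECURITY_CREDENTIALS);
-    }
 }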

+ 14 - 8
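--- a/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java
+++ b/src/main/java/org/codelibs/fess/sso/spnego/SpnegoAuthenticator.java
@@ -15,6 +15,7 @@
  */
 package org.codelibs.fess.sso.spnego;
 
+import java.io.File;
 import java.util.Enumeration;
 
 import javax.annotation.PostConstruct;
@@ -22,7 +23,7 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletResponse;
 
-import org.codelibs.core.lang.StringUtil;
+import org.codelibs.core.io.ResourceUtil;
 import org.codelibs.fess.app.web.base.login.EmptyLoginCredential;
 import org.codelibs.fess.app.web.base.login.LoginCredential;
 import org.codelibs.fess.app.web.base.login.SsoLoginCredential;
@@ -100,11 +101,8 @@ public class SpnegoAuthenticator implements SsoAuthenticator {
                     logger.debug("principal=" + principal);
                 }
 
-                final String username = LaRequestUtil.getOptionalRequest().map(r -> r.getRemoteUser()).orElseGet(() -> null);
-                if (StringUtil.isBlank(username)) {
-                    return null;
-                }
-                return new SsoLoginCredential(username);
+                final String[] username = principal.getName().split("@", 2);
+                return new SsoLoginCredential(username[0]);
             }).orElseGet(() -> null);
 
     }
@@ -128,9 +126,9 @@ public class SpnegoAuthenticator implements SsoAuthenticator {
             if (SpnegoHttpFilter.Constants.LOGGER_LEVEL.equals(name)) {
                 return fessConfig.getSpnegoLoggerLevel();
             } else if (SpnegoHttpFilter.Constants.LOGIN_CONF.equals(name)) {
-                return fessConfig.getSpnegoLoginConf();
+                return getResourcePath(fessConfig.getSpnegoLoginConf());
             } else if (SpnegoHttpFilter.Constants.KRB5_CONF.equals(name)) {
-                return fessConfig.getSpnegoKrb5Conf();
+                return getResourcePath(fessConfig.getSpnegoKrb5Conf());
             } else if (SpnegoHttpFilter.Constants.CLIENT_MODULE.equals(name)) {
                 return fessConfig.getSpnegoLoginClientModule();
             } else if (SpnegoHttpFilter.Constants.SERVER_MODULE.equals(name)) {
@@ -153,6 +151,14 @@ public class SpnegoAuthenticator implements SsoAuthenticator {
             return null;
         }
 
+        protected String getResourcePath(final String path) {
+            final File file = ResourceUtil.getResourceAsFileNoException(path);
+            if (file != null) {
+                return file.getAbsolutePath();
+            }
+            return null;
+        }
+
         @Override
         public Enumeration<String> getInitParameterNames() {
             throw new UnsupportedOperationException();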
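Review bot: The blank check that the removed lines performed is gone: in the third hunk `principal.getName().split("@", 2)` yields an empty `username[0]` for a principal name that is empty or starts with `@`, and that empty string is now wrapped in an `SsoLoginCredential` instead of falling through to `null`; a guard such as `if (username[0].isEmpty()) { return null; }` restores the previous behaviour (`StringUtil` is no longer imported, hence the plain `isEmpty()`). Stripping everything after `@` also discards the Kerberos realm, so in a cross-realm trust setup principals from different realms with the same short name collapse into one local account; consider comparing `username[1]`, when present, with the realm the deployment expects, or keeping the full principal name, before trusting the short form. The surrounding lambda and its method start above the hunk. In the last hunk `getResourcePath` returns `null` without any log entry when the configured login or krb5 configuration resource cannot be found, which makes a misconfigured SPNEGO setup hard to diagnose; a `logger.warn("{} not found as a resource", path);` before the `return null;` would surface it.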