From e3db628e4f6a05a13637d010617fe740be98a445 Mon Sep 17 00:00:00 2001 From: Adam Cooper Date: Thu, 3 Mar 2016 10:27:28 +0000 Subject: [PATCH] Removal of a large amount of code from the login method so that we can just pass straight up to the super implementation. This means that the bob swift CLI access works and does not through 401 errors. Also ensure that the full name of the user is not replaced if it's already been set. --- .../shibboleth/RemoteUserAuthenticator.java | 190 ++---------------- 1 file changed, 15 insertions(+), 175 deletions(-) diff --git a/src/main/java/shibauth/confluence/authentication/shibboleth/RemoteUserAuthenticator.java b/src/main/java/shibauth/confluence/authentication/shibboleth/RemoteUserAuthenticator.java index da743cd..bd62429 100644 --- a/src/main/java/shibauth/confluence/authentication/shibboleth/RemoteUserAuthenticator.java +++ b/src/main/java/shibauth/confluence/authentication/shibboleth/RemoteUserAuthenticator.java @@ -337,6 +337,14 @@ private void updateUser(User user, String fullName, String emailAddress) { userBuilder.emailAddress(crowdUser.getEmailAddress()); userBuilder.name(crowdUser.getName()); + if ((fullName == null) && (crowdUser.getDisplayName() == null || (crowdUser.getDisplayName().length() == 0))) { + if (log.isDebugEnabled()) { + log.debug("User full name was null or empty. Defaulting full name to user id."); + } + + fullName = user.getName(); + } + if ((fullName != null) && !fullName.equals(crowdUser.getDisplayName())) { if (log.isDebugEnabled()) { log.debug("Updating user fullName to '" + fullName + "'"); @@ -505,14 +513,6 @@ private String getFullName(HttpServletRequest request, String userid) { } } - if ((fullName == null) || (fullName.length() == 0)) { - if (log.isDebugEnabled()) { - log.debug("User full name was null or empty. Defaulting full name to user id."); - } - - fullName = userid; - } - return fullName; } @@ -627,179 +627,19 @@ private void readyToReturnFromLogin(HttpServletRequest request) { /** * @see com.atlassian.confluence.user.ConfluenceAuthenticator#login( - *javax.servlet.http.HttpServletRequest, - * javax.servlet.http.HttpServletResponse, - * java.lang.String username, - * java.lang.String password, - * boolean cookie) + * javax.servlet.http.HttpServletRequest, + * javax.servlet.http.HttpServletResponse, java.lang.String username, + * java.lang.String password, boolean cookie) *

- * Check if user has been authenticated by Shib. Username, password, and cookie are totally ignored. + * Log the attempt and pass through to ConfluenceAuthenticator */ public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean cookie) throws AuthenticatorException { - - String remoteIP = request.getRemoteAddr(); - String remoteHost = request.getRemoteHost(); - - // avoid circular calls - if (isSecondTimeThroughLoginWithoutReturning(request)) { - loginFailed(request, username, remoteHost, remoteIP, "LocalUserLoginWithNoCredentials"); - - if (log.isDebugEnabled()) { - log.debug("Authenticator is returning false from second call to public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean cookie)"); - } - - readyToReturnFromLogin(request); - return false; - } - - guardFromInfiniteLoginRecursion(request); - - if (RedirectUtils.isBasicAuthentication(request, getAuthType())) { - final Principal basicAuthUser = getUserFromBasicAuthentication(request, response); - if (basicAuthUser != null) { - if (log.isDebugEnabled()) { - log.debug(String.format("Login for user %s succeeded via Basic Auth", basicAuthUser.getName())); - } - readyToReturnFromLogin(request); - return true; - } - } - - // Converting reliance on getUser(request,response) to use login(...) instead. The logic flow is: - // 1) Seraph Login filter, which is based on username/password kicks in (declared at web.xml) - // 2) It bails out altogether and identified user as invalid (without calling any of login(request,response) - // declared here. - // 3) Seraph Security filter kicks in (declared at web.xml) - // 4) It calls getUser(request,response) and assign roles to known user. - // Hence, getUser(request,response) will only be called from Seraph SecurityFilter. This authenticator can use - // ShibLoginFilter to make sure login is performed in some versions of Confluence, but it works without it, so - // that is off by default. - - if (log.isDebugEnabled()) { - log.debug("login(...) called. requestURL=" + request.getRequestURL() + ", username=" + username + ", remoteIP=" + remoteIP + ", remoteHost=" + remoteHost); - } - - // Since they aren't logged in, get the user name from the configured header (e.g. REMOTE_USER). - String userid = createSafeUserid(getLoggedInUser(request)); - - // Does the user have a "Remember Me" cookie set? - final Principal cookieUser = getUserFromCookie(request, response); - if (cookieUser != null) { - log.debug(String.format("Login for user %s succeeded via Remember Me cookie", cookieUser.getName())); - readyToReturnFromLogin(request); - return true; - } - - if ((userid == null) || (userid.length() <= 0)) { - if (log.isDebugEnabled()) { - log.debug("Remote user was null or empty."); - } - - // Calling super.login to try local login if username and password are set. Local login won't work if - // ShibLoginFilter is used - if (config.isLocalLoginSupported() && username != null && password != null) { - if (log.isDebugEnabled()) { - log.debug("Trying local login for user " + username); - } - - boolean localLoginSuccess = super.login(request, response, username, password, cookie); - if (localLoginSuccess) { - User user = getCrowdUser(username, request, remoteHost, remoteIP); - loginSuccessful(request, response, username, user, remoteHost, remoteIP); - } else { - loginFailed(request, username, remoteHost, remoteIP, "LocalUserLoginFailed"); - } - - if (log.isDebugEnabled()) { - log.debug("Authenticator is returning " + localLoginSuccess + " from call to public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean cookie)"); - } - - return localLoginSuccess; - } else { - if (config.isLocalLoginSupported() && log.isDebugEnabled()) { - log.debug("Cannot perform local login because username or password was not provided."); - } - - loginFailed(request, username, remoteHost, remoteIP, "LocalUserLoginWithNoCredentials"); - - if (log.isDebugEnabled()) { - log.debug("Authenticator is returning false from call to public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean cookie)"); - } - - readyToReturnFromLogin(request); - return false; - } - } - - // Now that we know we will be trying to log the user in, - // let's see if we should reload the config file first - checkReloadConfig(); - - // Convert username to all lowercase because of issues with case, at least in earlier versions of Confluence. - if (config.isUsernameConvertCase()) { - userid = convertUsername(userid); - } - - User crowdUser = getCrowdUser(userid, request, remoteHost, remoteIP); - - // Pull name and address from headers - String fullName = getFullName(request, userid); - String emailAddress = getEmailAddress(request); - - // Try to get the user's account based on the user name - Principal user = getUser(userid); - boolean newUser = false; - - // User didn't exist or was problem getting it. we'll try to create it if we can, otherwise will try to get it - // again. - if (user == null) { - if (config.isCreateUsers()) { - createUser(userid, fullName, emailAddress); - newUser = true; - } else { - if (log.isDebugEnabled()) { - log.debug("Configuration does NOT allow creation of new user accounts, authentication will fail for " + - username); - } - - loginFailed(request, username, remoteHost, remoteIP, "CreateUserDisabled"); - - if (log.isDebugEnabled()) { - log.debug("Authenticator is returning false from call to public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean cookie)"); - } - readyToReturnFromLogin(request); - return false; - } - - user = getUser(userid); - if (user != null) { - // update the first time even if update not set, because we need to set full name and email - updateUser(crowdUser, fullName, emailAddress); - } else { - // this could be a warning rather than debug, but in certain environments it might happen more often. - if (log.isDebugEnabled()) { - log.debug("Got null user after creating user " + username + " so could not update it to set its fullname or email."); - } - } - } else { - if (config.isUpdateInfo()) { - updateUser(crowdUser, fullName, emailAddress); - } - } - - if (config.isUpdateRoles() || newUser) { - updateGroupMemberships(request, crowdUser); - } - - // kick off login related methods - loginSuccessful(request, response, userid, crowdUser, remoteHost, remoteIP); - if (log.isDebugEnabled()) { - log.debug("Authenticator is returning true from call to public boolean login(HttpServletRequest request, HttpServletResponse response, String username, String password, boolean cookie)"); + String remoteIP = request.getHeader("X-Forwarded-For"); + log.debug("login(...) called. requestURL=" + request.getRequestURL() + ", username=" + username + ", remoteIP=" + remoteIP); } - readyToReturnFromLogin(request); - return true; + return super.login(request, response, username, password, cookie); } private void loginSuccessful(HttpServletRequest request,