fix(ZNTA-1067): fix kerberos authentication

This change solves a problem where Kerberos authentication doesn't get triggered due to the new Url rewriter changing the expected response code and thus stopping the whole process. The old klogin.xhtml page is replaced with a servlet which performs the same tasks without the need to go through the Url rewriter.
zanata · May 5, 2016 · 0acb853 · 0acb853
1 parent a39a548
commit 0acb853
Show file tree

Hide file tree

Showing 7 changed files with 108 additions and 65 deletions.
diff --git a/zanata-war/src/main/java/org/zanata/action/LoginAction.java b/zanata-war/src/main/java/org/zanata/action/LoginAction.java
@@ -42,6 +42,7 @@
 import org.zanata.security.openid.GoogleOpenIdProvider;
 import org.zanata.security.openid.OpenIdProviderType;
 import org.zanata.security.openid.YahooOpenIdProvider;
+import org.zanata.util.FacesNavigationUtil;
 
 /**
  * This action takes care of logging a user into the system. It contains logic
@@ -133,14 +134,9 @@ public String login() {
     }
 
     private String continueToPreviousUrl() {
-        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
-        try {
-            ec.redirect(userRedirect.getUrl());
-            return "continue";
-        } catch (IOException e) {
-            log.warn("error redirecting user to previous url: {}", userRedirect.getUrl(), e);
-            return "dashboard";
-        }
+        FacesNavigationUtil.redirect(FacesContext.getCurrentInstance(),
+                userRedirect.getUrl());
+        return "continue";
     }
 
     /**

diff --git a/zanata-war/src/main/java/org/zanata/security/SpNegoIdentity.java b/zanata-war/src/main/java/org/zanata/security/SpNegoIdentity.java
@@ -20,16 +20,17 @@
  */
 package org.zanata.security;
 
+import org.apache.deltaspike.core.api.literal.DeltaSpikeLiteral;
 import org.jboss.security.SecurityContextAssociation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.zanata.events.AlreadyLoggedInEvent;
 import org.zanata.util.ServiceLocator;
 
 import javax.enterprise.event.Event;
-import javax.faces.context.FacesContext;
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
 import java.io.Serializable;
 
 @Named("spNegoIdentity")
@@ -53,12 +54,10 @@ public void authenticate() {
             return;
         }
 
-        // String username =
-        // FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();
-        // Workaround for SECURITY-719, remove once it's fixed
+        HttpServletRequest servletRequest = ServiceLocator.instance()
+                .getInstance(HttpServletRequest.class, new DeltaSpikeLiteral());
         String username =
-                FacesContext.getCurrentInstance().getExternalContext()
-                        .getUserPrincipal().getName();
+                servletRequest.getUserPrincipal().getName();
         // Remove the domain name, if there is one
         if (username.indexOf('@') > 0) {
             username = username.substring(0, username.indexOf('@'));

diff --git a/zanata-war/src/main/java/org/zanata/servlet/KLoginServlet.java b/zanata-war/src/main/java/org/zanata/servlet/KLoginServlet.java
@@ -0,0 +1,98 @@
+/*
+ * Copyright 2016, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.servlet;
+
+import org.zanata.security.AuthenticationManager;
+import org.zanata.security.UserRedirectBean;
+
+import javax.inject.Inject;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * Servlet which serves as a landing place to perform kerberos ticket
+ * based authentication.
+ * @author Carlos Munoz <a href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ */
+@WebServlet(
+        urlPatterns = {"/account/klogin"}
+)
+public class KLoginServlet extends HttpServlet {
+
+    @Inject
+    private UserRedirectBean userRedirect;
+
+    @Inject
+    private AuthenticationManager authenticationManager;
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
+            throws ServletException, IOException {
+        // Set the continue parameter
+        String continueUrl = req.getParameter("continue");
+        if(continueUrl != null)
+            userRedirect.setEncodedUrl(continueUrl);
+        // perform the authentication
+        authenticationManager.kerberosLogin();
+        performRedirection(resp, continueUrl);
+    }
+
+    /**
+     * Performs the redirection based on the results from the authentication
+     * process.
+     * This is logic that would normally be in faces-config.xml, but as this is
+     * a servlet, it cannot take advantage of that.
+     */
+    private void performRedirection(HttpServletResponse resp,
+            String continueUrl) throws IOException {
+        String authRedirectResult =
+                authenticationManager.getAuthenticationRedirect();
+        switch (authRedirectResult) {
+            case "login":
+                resp.sendRedirect("/account/login");
+                break;
+
+            case "edit":
+                resp.sendRedirect("/profile/create_user");
+                break;
+
+            case "inactive":
+                resp.sendRedirect("/account/inactive_account");
+                break;
+
+            case "dashboard":
+                resp.sendRedirect("/dashboard");
+                break;
+
+            case "home":
+                resp.sendRedirect("/");
+                break;
+
+            case "redirect":
+                resp.sendRedirect(continueUrl);
+                break;
+        }
+    }
+}
diff --git a/zanata-war/src/main/java/org/zanata/servlet/UrlRewriteConfig.java b/zanata-war/src/main/java/org/zanata/servlet/UrlRewriteConfig.java
@@ -52,7 +52,6 @@ public Configuration getConfiguration(final ServletContext context) {
                 .addRule(Join.path("/account/password_reset/{key}").to("/account/password_reset.xhtml"))
                 .addRule(Join.path("/account/password_reset_request").to("/account/password_reset_request.xhtml"))
                 .addRule(Join.path("/account/inactive").to("/account/inactive_account.xhtml"))
-                .addRule(Join.path("/account/klogin").to("/account/klogin.xhtml"))
                 .addRule(Join.path("/account/sign_in").to("/account/login.xhtml"))
                 .addRule(Join.path("/account/register").to("/account/register.xhtml"))
                 .addRule(Join.path("/account/sign_out").to("/account/logout.xhtml"))

diff --git a/zanata-war/src/main/webapp/WEB-INF/faces-config.xml b/zanata-war/src/main/webapp/WEB-INF/faces-config.xml
@@ -118,36 +118,6 @@
     </navigation-case>
   </navigation-rule>
 
-  <!-- Landing page for Kerberos ticket-based Authentication -->
-  <navigation-rule>
-    <from-view-id>/account/klogin.xhtml</from-view-id>
-    <navigation-case>
-      <if>#{authenticationManager.authenticationRedirect eq 'login'}</if>
-      <to-view-id>/account/login.xhtml</to-view-id>
-      <redirect />
-    </navigation-case>
-    <navigation-case>
-      <if>#{authenticationManager.authenticationRedirect eq 'edit'}</if>
-      <to-view-id>/profile/create_user.xhtml</to-view-id>
-      <redirect />
-    </navigation-case>
-    <navigation-case>
-      <if>#{authenticationManager.authenticationRedirect eq 'inactive'}</if>
-      <to-view-id>/account/inactive_account.xhtml</to-view-id>
-      <redirect />
-    </navigation-case>
-    <navigation-case>
-      <if>#{authenticationManager.authenticationRedirect eq 'dashboard'}</if>
-      <to-view-id>/dashboard/home.xhtml</to-view-id>
-      <redirect />
-    </navigation-case>
-    <navigation-case>
-      <if>#{authenticationManager.authenticationRedirect eq 'home'}</if>
-      <to-view-id>/home.xhtml</to-view-id>
-      <redirect />
-    </navigation-case>
-  </navigation-rule>
-
   <!-- Landing page for Internal, JAAS and Kerberos form-based
        authentication -->
   <navigation-rule>

diff --git a/zanata-war/src/main/webapp/WEB-INF/template/banner.xhtml b/zanata-war/src/main/webapp/WEB-INF/template/banner.xhtml
@@ -182,7 +182,7 @@
       </h:form>
 
       <h:outputLink id="ksignin_link"
-        value="#{request.contextPath}/account/klogin.xhtml?continue=#{urlUtil.getEncodedLocalUrl(request)}"
+        value="#{request.contextPath}/account/klogin?continue=#{urlUtil.getEncodedLocalUrl(request)}"
         propagation="none" styleClass="l--push-left-half button--primary"
         rendered="#{applicationConfiguration.kerberosAuth}">
         #{msgs['jsf.Login']}

diff --git a/zanata-war/src/main/webapp/account/klogin.xhtml b/zanata-war/src/main/webapp/account/klogin.xhtml