Index: lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java
===================================================================
diff -u -r20ce199831888b996374f8873220db09b375a74c -rc7dc0249ead6c4ea15d25498aaf97fa8544f4613
--- lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java (.../UniversalLoginModule.java) (revision 20ce199831888b996374f8873220db09b375a74c)
+++ lams_central/src/java/org/lamsfoundation/lams/security/UniversalLoginModule.java (.../UniversalLoginModule.java) (revision c7dc0249ead6c4ea15d25498aaf97fa8544f4613)
@@ -111,6 +111,7 @@
 User user = service.getUserByLogin(username);
 log.debug("===> authenticating user: " + username);
+ // LDAP user provisioning
 if (user == null) {
 // provision a new user by checking ldap server
 if (Configuration.getAsBoolean(ConfigurationKeys.LDAP_PROVISIONING_ENABLED)) {
@@ -136,11 +137,19 @@
 }
 }
+ // disabled users can't login
 if (user.getDisabledFlag()) {
 log.debug("===> user is disabled.");
 return false;
 }
+ // allow sysadmin to login as another user; in this case, the LAMS shared session
+ // will be present, allowing the following check to work
+ if (service.isUserSysAdmin()) {
+ isValid = true;
+ }
+
+ // perform password checking according to user's authentication method
 if (!isValid) {
 String type = user.getAuthenticationMethod().getAuthenticationMethodType().getDescription();
 log.debug("===> authentication type: " + type);
Index: lams_central/src/java/org/lamsfoundation/lams/web/LoginAsAction.java
===================================================================
diff -u -r54f5e17d1a5e8baae23bb9332f83ad8d8e5ac405 -rc7dc0249ead6c4ea15d25498aaf97fa8544f4613
--- lams_central/src/java/org/lamsfoundation/lams/web/LoginAsAction.java (.../LoginAsAction.java) (revision 54f5e17d1a5e8baae23bb9332f83ad8d8e5ac405)
+++ lams_central/src/java/org/lamsfoundation/lams/web/LoginAsAction.java (.../LoginAsAction.java) (revision c7dc0249ead6c4ea15d25498aaf97fa8544f4613)
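Review bot: The added `if (service.isUserSysAdmin()) { isValid = true; }` makes the password check optional for any `username` while the LAMS shared session holds a sysadmin, and nothing in the hunk ties that bypass to the account the sysadmin selected in the LoginAsAction hunk (`@@ -70`): the `login` attribute lives in the new HTTP session and login.jsp removes it before j_security_check runs, so the module has nothing to compare against. As long as that shared session survives — the LoginAsAction hunk now deliberately leaves it alive — any later j_security_check request associated with it would authenticate as whichever user it names; how SessionManager associates requests with a shared session is not visible here, so the real reach of this needs confirming. A single-use target bound to the request would close it: have LoginAsAction record the chosen login in the shared session (attribute name constructed here, and SessionManager would then have to stay imported there), and gate on it with `String target = (String) SessionManager.getSession().getAttribute("loginAsTarget"); if (username.equals(target)) { isValid = true; SessionManager.getSession().removeAttribute("loginAsTarget"); }`, assuming the shared session exposes attributes the way HttpSession does. Since this is the one path that authenticates without a credential, it should also be logged above debug level with both identities rather than only the `===> authenticating user` debug line. The enclosing method and the declaration of `isValid` lie outside the hunk; the file's first hunk only adds a comment.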
@@ -23,17 +23,8 @@
 /* $Id$ */
 package org.lamsfoundation.lams.web;
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-
-import javax.naming.InitialContext;
-import javax.naming.NamingException;
-import javax.security.auth.login.FailedLoginException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.sql.DataSource;
 import org.apache.struts.action.Action;
 import org.apache.struts.action.ActionForm;
@@ -42,7 +33,6 @@
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.MessageService;
 import org.lamsfoundation.lams.util.WebUtil;
-import org.lamsfoundation.lams.web.session.SessionManager;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -54,9 +44,6 @@
 */
 public class LoginAsAction extends Action {
- private static final String JNDI_DATASOURCE = "java:/jdbc/lams-ds";
- private static final String PASSWORD_QUERY = "select password from lams_user where login=?";
-
 public ActionForward execute(ActionMapping mapping,
 ActionForm form,
 HttpServletRequest request,
@@ -70,14 +57,12 @@
 if (service.isUserSysAdmin()) {
 if (login!=null && login.trim().length()>0) {
 if (service.getUserByLogin(login)!=null) {
- // logout
+ // logout, but not the LAMS shared session; needed by UniversalLoginModule
+ // to check for sysadmin role
 request.getSession().invalidate();
- SessionManager.getSession().invalidate();
- // send to index page; session attributes will be cleared there
- String pass = getUserPassword(login);
+ // send to index page; the following attribute will be cleared there
 request.getSession().setAttribute("login", login);
- request.getSession().setAttribute("pass", pass);
 return (new ActionForward("/index.jsp"));
 }
 }
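Review bot: The sysadmin-as-user switch in the `@@ -70` hunk leaves no audit record: the code validates `login` and hands it to index.jsp, but neither the acting sysadmin nor the target account is logged, and once `request.getSession().invalidate()` runs the actor's identity is no longer available from the request. A log line placed before the invalidation, at info or warn level and naming both accounts, is the minimum a security review would ask for on an impersonation path; no logger is visible in this class, so one would have to be added in the style the rest of LAMS uses. The new comment should also state the contract the login module now depends on, e.g. `// the shared session is kept alive on purpose: UniversalLoginModule treats a sysadmin shared session as authorisation to skip the password check`. The `execute` method begins and ends outside the hunk, so whether its throws clause still lists the exceptions the removed `getUserPassword` declared cannot be checked from here; the three import/constant hunks above are cleanup only.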
@@ -90,31 +75,4 @@
 return mapping.findForward("usersearch");
 }
- // Copied from LoginRequestServlet.java
- // using JDBC connection to prevent the caching of passwords by hibernate
- private String getUserPassword(String username) throws FailedLoginException, NamingException,
- SQLException {
- InitialContext ctx = new InitialContext();
-
- DataSource ds = (DataSource) ctx.lookup(JNDI_DATASOURCE);
- Connection conn = null;
- String password = null;
- try {
- conn = ds.getConnection();
- PreparedStatement ps = conn.prepareStatement(PASSWORD_QUERY);
- ps.setString(1, username);
- ResultSet rs = ps.executeQuery();
-
- // check if there is any result
- if (rs.next() == false)
- throw new FailedLoginException("invalid username");
- password = rs.getString(1);
- rs.close();
- } finally {
- if (conn != null && !conn.isClosed())
- conn.close();
- }
- return password;
- }
 }
Index: lams_central/web/login.jsp
===================================================================
diff -u -r20ce199831888b996374f8873220db09b375a74c -rc7dc0249ead6c4ea15d25498aaf97fa8544f4613
--- lams_central/web/login.jsp (.../login.jsp) (revision 20ce199831888b996374f8873220db09b375a74c)
+++ lams_central/web/login.jsp (.../login.jsp) (revision c7dc0249ead6c4ea15d25498aaf97fa8544f4613)
@@ -19,11 +19,9 @@
 // for sysadmin to be able to login as someone else
 String login = (String)session.getAttribute("login");
- String pass = (String)session.getAttribute("pass");
- if (login!=null && pass!=null) {
+ if (login!=null) {
 session.removeAttribute("login");
- session.removeAttribute("pass");
- response.sendRedirect("j_security_check?j_username="+login+"&j_password="+pass);
+ response.sendRedirect("j_security_check?j_username="+login+"&j_password=dummy");
 }
 %>
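Review bot: `login` is concatenated into the redirect URL unencoded in `response.sendRedirect("j_security_check?j_username="+login+"&j_password=dummy")`; a login containing `&`, `=`, `#`, `+`, a space or non-ASCII characters would be truncated or parsed as a different `j_username`, so it should go through `URLEncoder.encode(login, "UTF-8")` (with `java.net.URLEncoder` added to the page's import directive). Replacing the stored password with the constant `dummy` does take the credential out of the query string, access logs and Referer headers, which is a clear improvement, but the value only works because UniversalLoginModule now skips the password check for a sysadmin shared session; that dependency deserves a comment beside the redirect, e.g. `// j_password is ignored here: UniversalLoginModule accepts a sysadmin shared session instead`. The username itself still travels in a GET query string, as it did before this change. The preceding hunk of LoginAsAction.java is a pure deletion of `getUserPassword` and needs no note.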