From 0a7fef92aaf375d0cf5ae44d3a39ae6689e0d8d5 Mon Sep 17 00:00:00 2001 From: Jan Vonka Date: Thu, 3 Jan 2008 15:06:07 +0000 Subject: [PATCH] MT fixes to provide initial support for tenant-specific guests - explicit guest access is required, such as "guest@tenant1" (note: implicit/anonymous guest access can only login to the default domain) - also fixes issue with "Show All" users, when logged in as a tenant admin git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@7748 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../authentication-services-context.xml | 3 ++ .../AbstractAuthenticationComponent.java | 42 +++++++++++++++---- .../authority/AuthorityServiceImpl.java | 2 +- .../impl/PermissionServiceImpl.java | 12 +++++- .../repo/tenant/MultiTAdminServiceImpl.java | 6 +-- .../repo/tenant/MultiTServiceImpl.java | 38 +++++++++-------- .../repo/tenant/SingleTServiceImpl.java | 9 +++- .../alfresco/repo/tenant/TenantService.java | 4 ++ 8 files changed, 84 insertions(+), 32 deletions(-) diff --git a/config/alfresco/authentication-services-context.xml b/config/alfresco/authentication-services-context.xml index 1265f434de..452776e67d 100644 --- a/config/alfresco/authentication-services-context.xml +++ b/config/alfresco/authentication-services-context.xml @@ -157,6 +157,9 @@ true + + + diff --git a/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java b/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java index b7e31a3803..7fa9e46fb6 100644 --- a/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java +++ b/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java 
@@ -32,6 +32,7 @@ import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken; import net.sf.acegisecurity.providers.dao.User; import org.alfresco.error.AlfrescoRuntimeException; +import org.alfresco.repo.tenant.TenantService; import org.alfresco.service.cmr.security.PermissionService; /** @@ -46,6 +47,8 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC * The abstract class keeps track of support for guest login */ private Boolean allowGuestLogin = null; + + private TenantService tenantService; public AbstractAuthenticationComponent() { @@ -61,13 +64,18 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC { this.allowGuestLogin = allowGuestLogin; } + + public void setTenantService(TenantService tenantService) + { + this.tenantService = tenantService; + } public void authenticate(String userName, char[] password) throws AuthenticationException { // Support guest login from the login screen - if ((userName != null) && (userName.equalsIgnoreCase(PermissionService.GUEST_AUTHORITY))) + if (isGuestUserName(userName)) { - setGuestUserAsCurrentUser(); + setGuestUserAsCurrentUser(tenantService.getUserDomain(userName)); } else { @@ -111,10 +119,10 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC gas[0] = new GrantedAuthorityImpl("ROLE_SYSTEM"); ud = new User(AuthenticationUtil.SYSTEM_USER_NAME, "", true, true, true, true, gas); } - else if (userName.equalsIgnoreCase(PermissionService.GUEST_AUTHORITY)) + else if (isGuestUserName(userName)) { GrantedAuthority[] gas = new GrantedAuthority[0]; - ud = new User(PermissionService.GUEST_AUTHORITY.toLowerCase(), "", true, true, true, true, gas); + ud = new User(getGuestUserName(tenantService.getUserDomain(userName)), "", true, true, true, true, gas); } else { 
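Review bot: `authenticate` now dereferences `tenantService` on every call (through `isGuestUserName`, and again in the `@@ -111` hunk when the guest `User` is built), but the field is only filled by the new setter and nothing checks that it was set. Any bean definition for a subclass of this component that is not updated along with authentication-services-context.xml would, as far as these lines show, fail every login with a NullPointerException rather than a clear configuration error. A guard at the top of `isGuestUserName` would make the failure explicit: `if (tenantService == null) { throw new AlfrescoRuntimeException("tenantService has not been set"); }`. The body of `authenticate` continues past the end of this hunk.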
@@ -203,22 +211,37 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC /** * Get the name of the Guest User + * note: for MT, will get guest for default domain only */ public String getGuestUserName() { return PermissionService.GUEST_AUTHORITY.toLowerCase(); } + private String getGuestUserName(String tenantDomain) + { + return tenantService.getDomainUser(getGuestUserName(), tenantDomain); + } + + /** + * Set the guest user as the current user. + * note: for MT, will set to default domain only + */ + public Authentication setGuestUserAsCurrentUser() throws AuthenticationException + { + return setGuestUserAsCurrentUser(TenantService.DEFAULT_DOMAIN); + } + /** * Set the guest user as the current user. */ - public Authentication setGuestUserAsCurrentUser() throws AuthenticationException + private Authentication setGuestUserAsCurrentUser(String tenantDomain) throws AuthenticationException { if (allowGuestLogin == null) { if (implementationAllowsGuestLogin()) { - return setCurrentUser(PermissionService.GUEST_AUTHORITY); + return setCurrentUser(getGuestUserName(tenantDomain)); } else { @@ -229,7 +252,7 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC { if (allowGuestLogin.booleanValue()) { - return setCurrentUser(PermissionService.GUEST_AUTHORITY); + return setCurrentUser(getGuestUserName(tenantDomain)); } else { @@ -238,6 +261,11 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC } } + + private boolean isGuestUserName(String userName) + { + return ((userName != null) && tenantService.getBaseNameUser(userName).equalsIgnoreCase(PermissionService.GUEST_AUTHORITY)); + } protected abstract boolean implementationAllowsGuestLogin(); diff --git a/source/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java b/source/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java index 002e77983e..7a41ce41fb 100644 
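Review bot: The new private `setGuestUserAsCurrentUser(String tenantDomain)` decides whether guest login is allowed from `allowGuestLogin` and `implementationAllowsGuestLogin()` alone, so the tenant domain only affects which user name is set, not whether the login is permitted. Once guest access is on for the component, every domain that `getUserDomain` accepts gets a `guest@<domain>` session with no password check, and a tenant has no way to opt out in the lines shown. If that is intended, it deserves a sentence in the Javadoc, which currently repeats the public overload's summary and does not mention `tenantDomain`; if not, a per-tenant check belongs before both `setCurrentUser(getGuestUserName(tenantDomain))` calls (the second is in the `@@ -229` hunk).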
--- a/source/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java +++ b/source/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java @@ -154,7 +154,7 @@ public class AuthorityServiceImpl implements AuthorityService { authorities.addAll(adminSet); } - if(AuthorityType.getAuthorityType(currentUserName) != AuthorityType.GUEST) + if (AuthorityType.getAuthorityType(tenantService.getBaseNameUser(currentUserName)) != AuthorityType.GUEST) { authorities.addAll(allSet); } diff --git a/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java b/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java index 2034d2c51f..eb453f31e5 100644 --- a/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java +++ b/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java @@ -433,7 +433,15 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing } // TODO: Refactor and use the authentication service for this. User user = (User) auth.getPrincipal(); - auths.add(user.getUsername()); + + String username = user.getUsername(); + auths.add(username); + + if (tenantService.getBaseNameUser(username).equalsIgnoreCase(PermissionService.GUEST_AUTHORITY)) + { + auths.add(PermissionService.GUEST_AUTHORITY); + } + for (GrantedAuthority authority : auth.getAuthorities()) { auths.add(authority.getAuthority()); @@ -444,7 +452,7 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing { for (DynamicAuthority da : dynamicAuthorities) { - if (da.hasAuthority(nodeRef, user.getUsername())) + if (da.hasAuthority(nodeRef, username)) { auths.add(da.getAuthority()); } diff --git a/source/java/org/alfresco/repo/tenant/MultiTAdminServiceImpl.java b/source/java/org/alfresco/repo/tenant/MultiTAdminServiceImpl.java index 6a5322f38e..552cd0d5e0 100755 --- a/source/java/org/alfresco/repo/tenant/MultiTAdminServiceImpl.java 
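Review bot: This is now the third place that decides whether a user is a guest, and each does it differently: here `AuthorityType.getAuthorityType(...)` on the base name, while `PermissionServiceImpl` (`@@ -433`) and `AbstractAuthenticationComponent.isGuestUserName` compare the base name to `PermissionService.GUEST_AUTHORITY` with `equalsIgnoreCase`. Whether `AuthorityType.getAuthorityType` matches case-insensitively is not visible in this diff; if it does not, a name the other two treat as guest would still receive `allSet` here. A single shared predicate, for example on `TenantService`, used by all three call sites would keep the authorisation decisions in step. The enclosing method starts and ends outside the hunk.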
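Review bot: The `if` added in `PermissionServiceImpl` (`@@ -433`) gives the unqualified `PermissionService.GUEST_AUTHORITY` to any principal whose base name matches it, and the hunk carries no comment saying why, which matters to anyone auditing how authority sets are built. A one-line comment above the `if` would do, e.g. `// a tenant guest (e.g. guest@tenant1) also carries the plain guest authority`, with the reason filled in by someone who knows whether this is for ACL entries granted to guest. The comparison also calls `equalsIgnoreCase` on the return value of `getBaseNameUser`; writing it as `PermissionService.GUEST_AUTHORITY.equalsIgnoreCase(tenantService.getBaseNameUser(username))` keeps it safe if that method can return null. The enclosing method begins and ends outside the hunk.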
+++ b/source/java/org/alfresco/repo/tenant/MultiTAdminServiceImpl.java @@ -601,9 +601,6 @@ public class MultiTAdminServiceImpl extends AbstractLifecycleBean implements Ten props.put("alfresco_user_store.adminusername", getTenantAdminUser(tenantDomain)); props.put("alfresco_user_store.adminpassword", passwordEncoder.encodePassword(new String(tenantAdminRawPassword), salt)); - // override guest username property - props.put("alfresco_user_store.guestusername", getTenantGuestUser(tenantDomain)); - userImporterBootstrap.bootstrap(); logger.debug("Bootstrapped store: " + tenantService.getBaseName(bootstrapStoreRef)); @@ -669,6 +666,9 @@ public class MultiTAdminServiceImpl extends AbstractLifecycleBean implements Ten // override admin username property Properties props = spacesImporterBootstrap.getConfiguration(); props.put("alfresco_user_store.adminusername", getTenantAdminUser(tenantDomain)); + + // override guest username property + props.put("alfresco_user_store.guestusername", getTenantGuestUser(tenantDomain)); spacesImporterBootstrap.bootstrap(); diff --git a/source/java/org/alfresco/repo/tenant/MultiTServiceImpl.java b/source/java/org/alfresco/repo/tenant/MultiTServiceImpl.java index 1e6ec81516..6af72d993e 100755 --- a/source/java/org/alfresco/repo/tenant/MultiTServiceImpl.java +++ b/source/java/org/alfresco/repo/tenant/MultiTServiceImpl.java @@ -183,7 +183,7 @@ public class MultiTServiceImpl implements TenantService String tenantDomain = getCurrentUserDomain(); - if (! tenantDomain.equals("")) + if (! tenantDomain.equals(DEFAULT_DOMAIN)) { int idx1 = name.indexOf(SEPARATOR); if (idx1 != 0) 
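Review bot: In the `@@ -666` hunk the guest-username override is written into the `Properties` object returned by `spacesImporterBootstrap.getConfiguration()` and is never put back in the lines shown, the same pattern as the admin override just above it. Because the `put` only has an effect if that object is the importer's live configuration, the tenant-specific guest name presumably stays in place after `bootstrap()` returns, so a later import through the same bean, or two tenants being bootstrapped at once, could pick up another tenant's guest name. Restoring the previous value in a `finally` around `bootstrap()` limits the override to this tenant. The admin property would need the same treatment, and whether code after `bootstrap()` in this method still reads the property is outside the hunk.

```java
// … unchanged: props lookup and admin username override …
Object previousGuest = props.get("alfresco_user_store.guestusername");
props.put("alfresco_user_store.guestusername", getTenantGuestUser(tenantDomain));
try
{
    spacesImporterBootstrap.bootstrap();
}
finally
{
    // put back what the shared importer configuration held before this tenant
    if (previousGuest != null)
    {
        props.put("alfresco_user_store.guestusername", previousGuest);
    }
    else
    {
        props.remove("alfresco_user_store.guestusername");
    }
}
```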
@@ -246,12 +246,12 @@ public class MultiTServiceImpl implements TenantService int idx2 = name.indexOf(SEPARATOR, 1); String nameDomain = name.substring(1, idx2); - if ((! tenantDomain.equals("")) && (! tenantDomain.equals(nameDomain))) + if ((! tenantDomain.equals(DEFAULT_DOMAIN)) && (! tenantDomain.equals(nameDomain))) { throw new AlfrescoRuntimeException("domain mismatch: expected = " + tenantDomain + ", actual = " + nameDomain); } - if ((! tenantDomain.equals("")) || (forceForNonTenant)) + if ((! tenantDomain.equals(DEFAULT_DOMAIN)) || (forceForNonTenant)) { // remove tenant domain name = name.substring(idx2+1); @@ -282,7 +282,7 @@ public class MultiTServiceImpl implements TenantService String tenantDomain = getCurrentUserDomain(); - if (! tenantDomain.equals("")) + if (! tenantDomain.equals(DEFAULT_DOMAIN)) { int idx2 = username.lastIndexOf(SEPARATOR); if ((idx2 > 0) && (idx2 < (username.length()-1))) @@ -317,7 +317,7 @@ public class MultiTServiceImpl implements TenantService String tenantDomain = getCurrentUserDomain(); - if (((nameDomain == null) && (! tenantDomain.equals(""))) || + if (((nameDomain == null) && (! tenantDomain.equals(DEFAULT_DOMAIN))) || ((nameDomain != null) && (! nameDomain.equals(tenantDomain)))) { throw new AlfrescoRuntimeException("domain mismatch: expected = " + tenantDomain + ", actual = " + nameDomain); 
@@ -432,17 +432,15 @@ public class MultiTServiceImpl implements TenantService return false; } - public String getCurrentUserDomain() + public String getUserDomain(String username) { - String user = AuthenticationUtil.getCurrentUserName(); - - // can be null (e.g. for System user / during app ctx init) - if (user != null) + // can be null (e.g. for System user / during app ctx init) + if (username != null) { - int idx = user.lastIndexOf(SEPARATOR); - if ((idx > 0) && (idx < (user.length()-1))) + int idx = username.lastIndexOf(SEPARATOR); + if ((idx > 0) && (idx < (username.length()-1))) { - String tenantDomain = user.substring(idx+1); + String tenantDomain = username.substring(idx+1); checkTenantEnabled(tenantDomain); @@ -450,7 +448,13 @@ public class MultiTServiceImpl implements TenantService } } - return ""; // default domain - non-tenant user + return DEFAULT_DOMAIN; // default domain - non-tenant user + } + + public String getCurrentUserDomain() + { + String user = AuthenticationUtil.getCurrentUserName(); + return getUserDomain(user); } public String getDomain(String name) @@ -460,7 +464,7 @@ public class MultiTServiceImpl implements TenantService String tenantDomain = getCurrentUserDomain(); - String nameDomain = ""; + String nameDomain = DEFAULT_DOMAIN; int idx1 = name.indexOf(SEPARATOR); if (idx1 == 0) @@ -468,7 +472,7 @@ public class MultiTServiceImpl implements TenantService int idx2 = name.indexOf(SEPARATOR, 1); nameDomain = name.substring(1, idx2); - if ((! tenantDomain.equals("")) && (! tenantDomain.equals(nameDomain))) + if ((! tenantDomain.equals(DEFAULT_DOMAIN)) && (! tenantDomain.equals(nameDomain))) { throw new AlfrescoRuntimeException("domain mismatch: expected = " + tenantDomain + ", actual = " + nameDomain); } 
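Review bot: `getUserDomain` is now public and, via `AbstractAuthenticationComponent.authenticate`, receives the raw login name before any credential check, yet it still calls `checkTenantEnabled(tenantDomain)` and lets whatever that throws escape. What `checkTenantEnabled` throws is not visible here, but if it is not an `AuthenticationException` then a login as `guest@<domain>` fails differently for an unknown or disabled tenant than for a valid one, which tells an unauthenticated caller which tenants exist. The domain is also taken verbatim from `username.substring(idx+1)`, so unless it is normalised elsewhere `guest@Tenant1` and `guest@tenant1` yield different principal names. I would translate the failure into the generic `AuthenticationException` inside `authenticate` and normalise the domain's case in one place.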
@@ -483,7 +487,7 @@ public class MultiTServiceImpl implements TenantService ParameterCheck.mandatory("baseUsername", baseUsername); ParameterCheck.mandatory("tenantDomain", tenantDomain); - if (! tenantDomain.equals("")) + if (! tenantDomain.equals(DEFAULT_DOMAIN)) { if (baseUsername.contains(SEPARATOR)) { diff --git a/source/java/org/alfresco/repo/tenant/SingleTServiceImpl.java b/source/java/org/alfresco/repo/tenant/SingleTServiceImpl.java index d90ac8e823..3f1ff2db46 100644 --- a/source/java/org/alfresco/repo/tenant/SingleTServiceImpl.java +++ b/source/java/org/alfresco/repo/tenant/SingleTServiceImpl.java @@ -128,14 +128,19 @@ public class SingleTServiceImpl implements TenantService return false; } + public String getUserDomain(String username) + { + return DEFAULT_DOMAIN; + } + public String getCurrentUserDomain() { - return ""; + return DEFAULT_DOMAIN; } public String getDomain(String name) { - return ""; + return DEFAULT_DOMAIN; } public String getDomainUser(String baseUsername, String tenantDomain) diff --git a/source/java/org/alfresco/repo/tenant/TenantService.java b/source/java/org/alfresco/repo/tenant/TenantService.java index f9f3d71a97..aaf32ca747 100644 --- a/source/java/org/alfresco/repo/tenant/TenantService.java +++ b/source/java/org/alfresco/repo/tenant/TenantService.java @@ -42,6 +42,8 @@ public interface TenantService { public static final String SEPARATOR = "@"; + public static final String DEFAULT_DOMAIN = ""; + public static final String ADMIN_BASENAME = "admin"; public NodeRef getName(NodeRef nodeRef); @@ -80,6 +82,8 @@ public interface TenantService public boolean isTenantName(String name); + public String getUserDomain(String username); + public String getCurrentUserDomain(); public String getDomain(String name);
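Review bot: `getUserDomain(String username)` and `DEFAULT_DOMAIN` are added to the `TenantService` interface without Javadoc, although the two implementations in this patch already behave differently: `MultiTServiceImpl` parses the text after the last `SEPARATOR` and runs `checkTenantEnabled`, while `SingleTServiceImpl` returns `DEFAULT_DOMAIN` for every input. Callers such as `authenticate` pass an unvalidated login name, so the contract should say that null is accepted, that a name without a domain maps to `DEFAULT_DOMAIN`, and that the multi-tenant implementation may throw for a tenant that is not enabled. A short comment on `DEFAULT_DOMAIN` stating that the empty string denotes the non-tenant domain would also help.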