diff --git a/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java b/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java
index c101f170e1..14957b29d4 100644
--- a/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java
+++ b/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java
@@ -27,6 +27,7 @@ package org.alfresco.repo.web.scripts.servlet;
import javax.servlet.http.HttpSession;
+import org.alfresco.error.ExceptionStackUtil;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
@@ -43,6 +44,8 @@ import org.springframework.extensions.webscripts.Description.RequiredAuthenticat
import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse;
+import net.sf.acegisecurity.DisabledException;
+
/**
* Authenticator to provide Remote User based Header authentication dropping back to Basic Auth otherwise.
* Statelessly authenticating via a secure header now does not require a Session so can be used with
@@ -99,9 +102,25 @@ public class RemoteUserAuthenticatorFactory extends BasicHttpAuthenticatorFactor
final String userId = getRemoteUser();
if (userId != null)
{
- authenticationComponent.setCurrentUser(userId);
- listener.userAuthenticated(new TicketCredentials(authenticationService.getCurrentTicket()));
- authenticated = true;
+ try
+ {
+ authenticationComponent.setCurrentUser(userId);
+ listener.userAuthenticated(new TicketCredentials(authenticationService.getCurrentTicket()));
+ authenticated = true;
+ }
+ catch (AuthenticationException authErr)
+ {
+ // don't propagate if the user is disabled
+ Throwable disabledCause = ExceptionStackUtil.getCause(authErr, DisabledException.class);
+ if(disabledCause != null)
+ {
+ listener.authenticationFailed(new WebCredentials() {});
+ }
+ else
+ {
+ throw authErr;
+ }
+ }
}
else
{
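Review bot: The disabled-user branch swallows the exception but does not reset the security context that `authenticationComponent.setCurrentUser(userId)` may have partially established before it threw, so the request can continue with a half-set context; add `authenticationComponent.clearCurrentSecurityContext();` before the `listener.authenticationFailed(...)` call, and note that `authenticated` is declared outside the hunk, so its value in this path relies on an initialisation not visible here. The empty `new WebCredentials() {}` also hands the listener no user identity, which makes a failed attempt for a disabled account hard to attribute in audit; a comment such as `// no reusable credentials: the header identity is deliberately not re-exposed to the listener` would make the choice explicit, or pass a credentials object carrying the remote user name if one exists in this package. Minor style: `if(disabledCause != null)` should be `if (disabledCause != null)` to match the surrounding code. The enclosing method starts and ends outside this hunk.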
diff --git a/source/test-java/org/alfresco/RemoteApi01TestSuite.java b/source/test-java/org/alfresco/RemoteApi01TestSuite.java
index d9b95d15e4..7611dcd8a7 100644
--- a/source/test-java/org/alfresco/RemoteApi01TestSuite.java
+++ b/source/test-java/org/alfresco/RemoteApi01TestSuite.java
@@ -25,8 +25,8 @@
*/
package org.alfresco;
-import junit.framework.JUnit4TestAdapter;
-import junit.framework.Test;
+import junit.framework.JUnit4TestAdapter;
+import junit.framework.Test;
import junit.framework.TestSuite;
/**
@@ -60,7 +60,8 @@ public class RemoteApi01TestSuite extends TestSuite
{
suite.addTestSuite(org.alfresco.repo.management.subsystems.test.SubsystemsTest.class);
suite.addTestSuite(org.alfresco.repo.remoteticket.RemoteAlfrescoTicketServiceTest.class);
- suite.addTest(new JUnit4TestAdapter(org.alfresco.rest.api.tests.TestCustomModelExport.class));
+ suite.addTest(new JUnit4TestAdapter(org.alfresco.rest.api.tests.TestCustomModelExport.class));
+ suite.addTest(new JUnit4TestAdapter(org.alfresco.repo.web.scripts.servlet.RemoteAuthenticatorFactoryTest.class));
}
static void tests2(TestSuite suite) //
diff --git a/source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java b/source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java
new file mode 100644
index 0000000000..dc0126d73e
--- /dev/null
+++ b/source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java
@@ -0,0 +1,220 @@
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+package org.alfresco.repo.web.scripts.servlet;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.alfresco.model.ContentModel;
+import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
+import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
+import org.alfresco.repo.security.authentication.MutableAuthenticationDao;
+import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
+import org.alfresco.service.cmr.security.PersonService;
+import org.alfresco.service.namespace.QName;
+import org.alfresco.service.transaction.TransactionService;
+import org.alfresco.util.ApplicationContextHelper;
+import org.alfresco.util.GUID;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.context.ApplicationContext;
+import org.springframework.extensions.webscripts.Authenticator;
+import org.springframework.extensions.webscripts.Description.RequiredAuthentication;
+import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
+import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse;
+
+/**
+ *
+ * @author sglover
+ *
+ */
+public class RemoteAuthenticatorFactoryTest
+{
+ private static final String[] contextLocations = new String[] {
+ "classpath:alfresco/application-context.xml",
+ "classpath:alfresco/web-scripts-application-context.xml",
+ "classpath:alfresco/web-scripts-application-context-test.xml"
+ };
+
+ private static RemoteUserAuthenticatorFactory remoteUserAuthenticatorFactory;
+ private static PersonService personService;
+ private static TransactionService transactionService;
+ private static MutableAuthenticationDao authenticationDAO;
+
+ @BeforeClass
+ public static void beforeClass() throws Exception
+ {
+ ApplicationContext ctx = ApplicationContextHelper.getApplicationContext(contextLocations);
+ DefaultChildApplicationContextManager childApplicationContextManager = (DefaultChildApplicationContextManager) ctx.getBean("Authentication");
+ remoteUserAuthenticatorFactory = (RemoteUserAuthenticatorFactory) ctx.getBean("webscripts.authenticator.remoteuser");
+ personService = (PersonService)ctx.getBean("PersonService");
+ transactionService = (TransactionService)ctx.getBean("TransactionService");
+ authenticationDAO = (MutableAuthenticationDao)ctx.getBean("authenticationDao");
+
+ childApplicationContextManager.stop();
+ childApplicationContextManager.setProperty("chain", "external1:external");
+ ChildApplicationContextFactory childApplicationContextFactory = childApplicationContextManager.getChildApplicationContextFactory("external1");
+ childApplicationContextFactory.stop();
+ childApplicationContextFactory.setProperty("external.authentication.proxyUserName", "");
+ }
+
+ private String createPerson(boolean enabled)
+ {
+ Map properties = new HashMap<>();
+ String username = "user" + GUID.generate();
+ properties.put(ContentModel.PROP_USERNAME, username);
+ properties.put(ContentModel.PROP_FIRSTNAME, username);
+ properties.put(ContentModel.PROP_LASTNAME, username);
+ if(!enabled)
+ {
+ properties.put(ContentModel.PROP_ENABLED, enabled);
+ }
+ personService.createPerson(properties);
+
+ authenticationDAO.createUser(username, "password".toCharArray());
+ authenticationDAO.setEnabled(username, enabled);
+
+ return username;
+ }
+
+ @Test
+ public void testDisabledUser() throws Exception
+ {
+ final String username = transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback()
+ {
+ @Override
+ public String execute() throws Throwable
+ {
+ return AuthenticationUtil.runAs(new RunAsWork()
+ {
+ @Override
+ public String doWork() throws Exception
+ {
+ return createPerson(false);
+ }
+ }, AuthenticationUtil.SYSTEM_USER_NAME);
+ }
+ }, false, true);
+
+ transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback()
+ {
+ @Override
+ public Void execute() throws Throwable
+ {
+ return AuthenticationUtil.runAs(new RunAsWork()
+ {
+ @Override
+ public Void doWork() throws Exception
+ {
+ // Mock a request with a username in the header
+ HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class);
+ when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username);
+ when(mockHttpRequest.getScheme()).thenReturn("http");
+ WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class);
+ when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest);
+
+ HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class);
+ WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class);
+ when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse);
+
+ Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse);
+ assertFalse(authenticator.authenticate(RequiredAuthentication.user, false));
+
+ return null;
+ }
+ }, AuthenticationUtil.SYSTEM_USER_NAME);
+ }
+ }, false, true);
+ }
+
+ @Test
+ public void testEnabledUser() throws Exception
+ {
+ final String username = transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback()
+ {
+ @Override
+ public String execute() throws Throwable
+ {
+ return AuthenticationUtil.runAs(new RunAsWork()
+ {
+ @Override
+ public String doWork() throws Exception
+ {
+ return createPerson(true);
+ }
+ }, AuthenticationUtil.SYSTEM_USER_NAME);
+ }
+ }, false, true);
+
+ // Mock a request with a username in the header
+ HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class);
+ when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username);
+ when(mockHttpRequest.getScheme()).thenReturn("http");
+ WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class);
+ when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest);
+
+ HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class);
+ WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class);
+ when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse);
+
+ Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse);
+ assertTrue(authenticator.authenticate(RequiredAuthentication.user, false));
+ }
+
+ @Test
+ public void testLogInWithNonExistingPerson()
+ {
+ // Random non existing person
+ final String username = GUID.generate();
+
+ // Mock a request with a username in the header
+ HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class);
+ when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username);
+ when(mockHttpRequest.getScheme()).thenReturn("http");
+ WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class);
+ when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest);
+
+ HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class);
+ WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class);
+ when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse);
+
+ Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse);
+ assertTrue("The non existing user should be authenticated.", authenticator.authenticate(RequiredAuthentication.user, false));
+ assertTrue("The user should be auto created.", personService.personExists(username));
+ }
+}
+
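Review bot: `beforeClass` stops the Authentication subsystem, switches its chain to `external1:external` and blanks `external.authentication.proxyUserName`, but the class has no `@AfterClass` that restores the previous chain, so every test that runs after this one in `RemoteApi01TestSuite` inherits a remote-user-only authentication chain; capture the original property values in `beforeClass` and reapply them in an `@AfterClass` method. `createPerson` and the transaction callbacks use raw types (`Map properties`, `new RetryingTransactionCallback()`, `new RunAsWork()`); `Map<QName, Serializable>` and `RetryingTransactionCallback<String>` / `RunAsWork<String>` are what the imports on the unused `QName` and `Serializable` lines already point at. The mock request/response setup is copied three times; a helper such as the one below keeps the three tests to their assertions. In `testDisabledUser` it is also worth asserting that nothing remains in the security context after the failed attempt, e.g. `assertNull(AuthenticationUtil.getFullyAuthenticatedUser());`, since that is the property the production change is meant to preserve.
```java
    /** Builds a web-script request whose X-Alfresco-Remote-User header carries the given user name. */
    private static WebScriptServletRequest mockRequestFor(String username)
    {
        HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class);
        when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username);
        when(mockHttpRequest.getScheme()).thenReturn("http");
        WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class);
        when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest);
        return mockRequest;
    }

    /** Builds a web-script response backed by a mocked servlet response. */
    private static WebScriptServletResponse mockResponse()
    {
        HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class);
        WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class);
        when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse);
        return mockResponse;
    }
    // … unchanged: beforeClass, createPerson (with Map<QName, Serializable>), the three tests calling the helpers …
```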