inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-24 17:32:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged V2.2 to HEAD

Browse Source 
7260: Basic JMX sys admin - to manage session/tickets and server modes such as read-only and single-user


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@8242 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Derek Hulley
2008-02-11 11:07:46 +00:00
parent 1041c6ceb0
commit 17b806c6c0
12 changed files with 603 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

216
source/java/org/alfresco/repo/admin/RepoServerMgmt.java Normal file
View File

@@ -0,0 +1,216 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.repo.admin;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.alfresco.repo.security.authentication.AuthenticationServiceImpl;
import org.alfresco.repo.transaction.TransactionServiceImpl;
import org.alfresco.service.license.LicenseService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAware
{
private static final Log log = LogFactory.getLog(RepoServerMgmt.class);
private ApplicationContext ctx; // to get license component, if installed
private TransactionServiceImpl transactionService;
private AuthenticationServiceImpl authenticationService;
public void setTransactionService(TransactionServiceImpl transactionService)
{
this.transactionService = transactionService;
}
public void setAuthenticationService(AuthenticationServiceImpl authenticationService)
{
this.authenticationService = authenticationService;
}
public void setApplicationContext(ApplicationContext ctx)
{
this.ctx = ctx;
}
/*
* (non-Javadoc)
* @see org.alfresco.repo.admin.RepoServerMgmtMBean#setReadOnly(boolean)
*/
public void setReadOnly(boolean readOnly)
{
if (readOnly && isReadOnly())
{
log.info("Alfresco Repository is already READONLY");
return;
}
if (!readOnly && !isReadOnly())
{
log.info("Alfresco Repository is already WRITABLE");
return;
}
if (!readOnly)
{
LicenseService licenseService = null;
try
{
licenseService = (LicenseService)ctx.getBean("org.alfresco.license.LicenseComponent");
// verify license, but only if license component is installed
licenseService.verifyLicense();
}
catch (NoSuchBeanDefinitionException e)
{
// ignore
}
}
transactionService.setAllowWrite(!readOnly);
if (readOnly)
{
log.info("Alfresco Repository set to READONLY");
}
else
{
log.info("Alfresco Repository set to WRITABLE");
}
}
/*
* (non-Javadoc)
* @see org.alfresco.mbeans.RepoServerMgmtMBean#isReadOnly(java.lang.Boolean)
*/
public boolean isReadOnly()
{
return transactionService.isReadOnly();
}
// Note: implementing counts as managed attributes (without params) means that
// certain JMX consoles can create graphs
/*
* (non-Javadoc)
* @see org.alfresco.mbeans.RepoServerMgmtMBean#getTicketCountNonExpired()
*/
public int getTicketCountNonExpired()
{
return authenticationService.countTickets(true);
}
/*
* (non-Javadoc)
* @see org.alfresco.mbeans.RepoServerMgmtMBean#getTicketCountAll()
*/
public int getTicketCountAll()
{
return authenticationService.countTickets(false);
}
/*
* (non-Javadoc)
* @see org.alfresco.mbeans.RepoServerMgmtMBean#getUserCountNonExpired()
*/
public int getUserCountNonExpired()
{
return authenticationService.getUsersWithTickets(true).size();
}
/*
* (non-Javadoc)
* @see org.alfresco.mbeans.RepoServerMgmtMBean#getUserCountAll()
*/
public int getUserCountAll()
{
return authenticationService.getUsersWithTickets(false).size();
}
// Note: implement operations without boolean/Boolean parameter, due to problem with some JMX consoles (e.g. MC4J 1.9 Beta)
/*
* (non-Javadoc)
* @see org.alfresco.repo.admin.RepoServerMgmtMBean#listUserNamesNonExpired()
*/
public String[] listUserNamesNonExpired()
{
Set<String> userSet = authenticationService.getUsersWithTickets(true);
return userSet.toArray(new String[0]);
}
/*
* (non-Javadoc)
* @see org.alfresco.repo.admin.RepoServerMgmtMBean#listUserNamesAll()
*/
public String[] listUserNamesAll()
{
Set<String> userSet = authenticationService.getUsersWithTickets(false);
return userSet.toArray(new String[0]);
}
/*
* (non-Javadoc)
* @see org.alfresco.mbeans.RepoServerMgmtMBean#invalidateTicketsExpired()
*/
public int invalidateTicketsExpired()
{
return authenticationService.invalidateTickets(true);
}
/*
* (non-Javadoc)
* @see org.alfresco.mbeans.RepoServerMgmtMBean#invalidateTicketsAll()
*/
public int invalidateTicketsAll()
{
return authenticationService.invalidateTickets(false);
}
/*
* (non-Javadoc)
* @see org.alfresco.mbeans.RepoServerMgmtMBean#allowSingleUserOnly(java.lang.String)
*/
public void allowSingleUserOnly(String allowedUsername)
{
List<String> allowedUsers = null;
if (allowedUsername != null)
{
allowedUsers = new ArrayList<String>(0);
allowedUsers.add(allowedUsername);
invalidateTicketsAll();
}
authenticationService.setAllowedUsers(allowedUsers);
}
}

139
source/java/org/alfresco/repo/admin/RepoServerMgmtMBean.java Normal file
View File

@@ -0,0 +1,139 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.repo.admin;
public interface RepoServerMgmtMBean
{
/**
* Set whether Repository allows writes or not
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @param readOnly true is READONLY, false is WRITEABLE
*/
public void setReadOnly(boolean readOnly);
/**
* Does the Repository allows writes or not ?
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return boolean true is READONLY, false is WRITEABLE
*/
public boolean isReadOnly();
/**
* Get count of non-expired tickets
*
* This may be higher than the user count, since a user can have more than one ticket/session
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return int number of non-expired tickets
*/
public int getTicketCountNonExpired();
/**
* Get count of all tickets
*
* This may be higher than the user count, since a user can have more than one ticket/session
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return int number of tickets (non-expired and expired)
*/
public int getTicketCountAll();
/**
* Get count of non-expired users
*
* This may be lower than the ticket count, since a user can have more than one ticket/session
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return int number of non-expired users
*/
public int getUserCountNonExpired();
/**
* Get count of all users
*
* This may be lower than the ticket count, since a user can have more than one ticket/session
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return int number of users (non-expired and expired)
*/
public int getUserCountAll();
/**
* Get set of unique non-expired usernames
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return String[] array of non-expired usernames
*/
public String[] listUserNamesNonExpired();
/**
* Get set of all unique usernames
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return String[] array of all usernames (non-expired and expired)
*/
public String[] listUserNamesAll();
/**
* Invalidate expired tickets
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return int count of expired invalidated tickets
*/
public int invalidateTicketsExpired();
/**
* Invalidate all tickets
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @return int count of all invalidated tickets (non-expired and expired)
*/
public int invalidateTicketsAll();
/**
* Set whether Repository allows single user mode or not
*
* If single user mode is set then all tickets will be invalidated first before allowing the
* named user to login (with one or more sessions)
*
* Note: This operation can be clustered (ie. all servers in the cluster will be affected)
*
* @param String allowed username (eg. 'admin') or null to unset (ie. allow all users)
*/
public void allowSingleUserOnly(String allowedUsername);
}

48
source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
View File

@@ -25,8 +25,10 @@
package org.alfresco.repo.security.authentication;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.service.cmr.security.AuthenticationService;
public class AuthenticationServiceImpl implements AuthenticationService
@@ -45,10 +47,20 @@ public class AuthenticationServiceImpl implements AuthenticationService
private boolean allowsUserPasswordChange = true;
// SysAdmin cache - used to cluster certain JMX operations
private SimpleCache<String, Object> sysAdminCache;
private final static String KEY_SYSADMIN_ALLOWED_USERS = "sysAdminCache.authAllowedUsers";
public AuthenticationServiceImpl()
{
super();
}
public void setSysAdminCache(SimpleCache<String, Object> sysAdminCache)
{
this.sysAdminCache = sysAdminCache;
}
public void setAuthenticationDao(MutableAuthenticationDao authenticationDao)
{
@@ -105,13 +117,20 @@ public class AuthenticationServiceImpl implements AuthenticationService
authenticationDao.setEnabled(userName, enabled);
}
@SuppressWarnings("unchecked")
public void authenticate(String userName, char[] password) throws AuthenticationException
{
try
{
// clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'validate' below
clearCurrentSecurityContext();
authenticationComponent.authenticate(userName, password);
// clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'validate' below
clearCurrentSecurityContext();
List<String> allowedUsers = (List<String>)sysAdminCache.get(KEY_SYSADMIN_ALLOWED_USERS);
if ((allowedUsers != null) && (! allowedUsers.contains(userName)))
{
throw new AuthenticationException("Username not allowed: " + userName);
}
authenticationComponent.authenticate(userName, password);
}
catch(AuthenticationException ae)
{
@@ -119,6 +138,8 @@ public class AuthenticationServiceImpl implements AuthenticationService
throw ae;
}
ticketComponent.clearCurrentTicket();
ticketComponent.getCurrentTicket(userName); // to ensure new ticket is created (even if client does not explicitly call getCurrentTicket)
}
public boolean authenticationExists(String userName)
@@ -135,11 +156,32 @@ public class AuthenticationServiceImpl implements AuthenticationService
{
ticketComponent.invalidateTicketByUser(userName);
}
public Set<String> getUsersWithTickets(boolean nonExpiredOnly)
{
return ticketComponent.getUsersWithTickets(nonExpiredOnly);
}
public void setAllowedUsers(List<String> allowedUsers)
{
sysAdminCache.put(KEY_SYSADMIN_ALLOWED_USERS, allowedUsers);
}
public void invalidateTicket(String ticket) throws AuthenticationException
{
ticketComponent.invalidateTicketById(ticket);
}
public int countTickets(boolean nonExpiredOnly)
{
return ticketComponent.countTickets(nonExpiredOnly);
}
public int invalidateTickets(boolean expiredOnly)
{
return ticketComponent.invalidateTickets(expiredOnly);
}
public void validate(String ticket) throws AuthenticationException
{

70
source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java
View File

@@ -144,6 +144,76 @@ public class InMemoryTicketComponentImpl implements TicketComponent
String key = ticketString.substring(GRANTED_AUTHORITY_TICKET_PREFIX.length());
ticketsCache.remove(key);
}
/*
* (non-Javadoc)
* @see org.alfresco.repo.security.authentication.TicketComponent#getUsersWithTickets(boolean)
*/
public Set<String> getUsersWithTickets(boolean nonExpiredOnly)
{
Set<String> users = new HashSet<String>();
for (String key : ticketsCache.getKeys())
{
Ticket ticket = ticketsCache.get(key);
if ((nonExpiredOnly == false) || (! ticket.hasExpired()))
{
users.add(ticket.getUserName());
}
}
return users;
}
/*
* (non-Javadoc)
* @see org.alfresco.repo.security.authentication.TicketComponent#countTickets(boolean)
*/
public int countTickets(boolean nonExpiredOnly)
{
if (nonExpiredOnly)
{
int count = 0;
for (String key : ticketsCache.getKeys())
{
Ticket ticket = ticketsCache.get(key);
if (! ticket.hasExpired())
{
count++;
}
}
return count;
}
else
{
return ticketsCache.getKeys().size();
}
}
/*
* (non-Javadoc)
* @see org.alfresco.repo.security.authentication.TicketComponent#invalidateTickets(boolean)
*/
public int invalidateTickets(boolean expiredOnly)
{
int count = 0;
if (! expiredOnly)
{
count = ticketsCache.getKeys().size();
ticketsCache.clear();
}
else
{
for (String key : ticketsCache.getKeys())
{
Ticket ticket = ticketsCache.get(key);
if (ticket.hasExpired())
{
count++;
ticketsCache.remove(key);
}
}
}
return count;
}
public void invalidateTicketByUser(String userName)
{

30
source/java/org/alfresco/repo/security/authentication/TicketComponent.java
View File

@@ -24,6 +24,8 @@
*/
package org.alfresco.repo.security.authentication;
import java.util.Set;
/**
* Manage authentication tickets
@@ -89,6 +91,34 @@ public interface TicketComponent
* @param userName
*/
public void invalidateTicketByUser(String userName);
/**
* Count tickets
*
* This may be higher than the user count, since a user can have more than one ticket/session
*
* @param nonExpiredOnly true for non expired tickets, false for all (including expired) tickets
* @return int number of tickets
*/
public int countTickets(boolean nonExpiredOnly);
/**
* Get set of users with tickets
*
* This may be lower than the ticket count, since a user can have more than one ticket/session
*
* @param nonExpiredOnly true for non expired tickets, false for all (including expired) tickets
* @return Set<String> set of users with (one or more) tickets
*/
public Set<String> getUsersWithTickets(boolean nonExpiredOnly);
/**
* Invalidate tickets
*
* @param expiredOnly true for EXPIRED tickets, false for ALL (including non-expired) tickets
* @return int count of invalidated tickets
*/
public int invalidateTickets(boolean expiredOnly);
/**
* Get the authority for the given ticket

27
source/java/org/alfresco/repo/transaction/TransactionServiceImpl.java
View File

@@ -26,6 +26,7 @@ package org.alfresco.repo.transaction;
import javax.transaction.UserTransaction;
import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.util.transaction.SpringAwareUserTransaction;
import org.springframework.transaction.PlatformTransactionManager;
@@ -39,9 +40,13 @@ import org.springframework.transaction.TransactionDefinition;
public class TransactionServiceImpl implements TransactionService
{
private PlatformTransactionManager transactionManager;
private boolean readOnly = false;
private int maxRetries = 20;
// SysAdmin cache - used to cluster certain JMX operations
private SimpleCache<String, Object> sysAdminCache;
private final static String KEY_SYSADMIN_ALLOW_WRITE = "sysAdminCache.txAllowWrite";
/**
* Set the transaction manager to use
*
@@ -51,6 +56,11 @@ public class TransactionServiceImpl implements TransactionService
{
this.transactionManager = transactionManager;
}
public void setSysAdminCache(SimpleCache<String, Object> sysAdminCache)
{
this.sysAdminCache = sysAdminCache;
}
/**
* Set the read-only mode for all generated transactions.
@@ -59,12 +69,13 @@ public class TransactionServiceImpl implements TransactionService
*/
public void setAllowWrite(boolean allowWrite)
{
this.readOnly = !allowWrite;
sysAdminCache.put(KEY_SYSADMIN_ALLOW_WRITE, allowWrite);
}
public boolean isReadOnly()
{
return readOnly;
Boolean allowWrite = (Boolean)sysAdminCache.get(KEY_SYSADMIN_ALLOW_WRITE);
return (allowWrite == null ? false : ! allowWrite);
}
/**
@@ -85,7 +96,7 @@ public class TransactionServiceImpl implements TransactionService
{
SpringAwareUserTransaction txn = new SpringAwareUserTransaction(
transactionManager,
this.readOnly,
isReadOnly(),
TransactionDefinition.ISOLATION_DEFAULT,
TransactionDefinition.PROPAGATION_REQUIRED,
TransactionDefinition.TIMEOUT_DEFAULT);
@@ -99,7 +110,7 @@ public class TransactionServiceImpl implements TransactionService
{
SpringAwareUserTransaction txn = new SpringAwareUserTransaction(
transactionManager,
(readOnly | this.readOnly),
(readOnly | isReadOnly()),
TransactionDefinition.ISOLATION_DEFAULT,
TransactionDefinition.PROPAGATION_REQUIRED,
TransactionDefinition.TIMEOUT_DEFAULT);
@@ -113,7 +124,7 @@ public class TransactionServiceImpl implements TransactionService
{
SpringAwareUserTransaction txn = new SpringAwareUserTransaction(
transactionManager,
this.readOnly,
isReadOnly(),
TransactionDefinition.ISOLATION_DEFAULT,
TransactionDefinition.PROPAGATION_REQUIRES_NEW,
TransactionDefinition.TIMEOUT_DEFAULT);
@@ -127,7 +138,7 @@ public class TransactionServiceImpl implements TransactionService
{
SpringAwareUserTransaction txn = new SpringAwareUserTransaction(
transactionManager,
(readOnly | this.readOnly),
(readOnly | isReadOnly()),
TransactionDefinition.ISOLATION_DEFAULT,
TransactionDefinition.PROPAGATION_REQUIRES_NEW,
TransactionDefinition.TIMEOUT_DEFAULT);
@@ -142,7 +153,7 @@ public class TransactionServiceImpl implements TransactionService
RetryingTransactionHelper helper = new RetryingTransactionHelper();
helper.setMaxRetries(maxRetries);
helper.setTransactionService(this);
helper.setReadOnly(readOnly);
helper.setReadOnly(isReadOnly());
return helper;
}
}

14
source/java/org/alfresco/repo/transaction/TransactionServiceImplTest.java
View File

@@ -29,7 +29,10 @@ import javax.transaction.Status;
import javax.transaction.UserTransaction;
import junit.framework.TestCase;
import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import org.alfresco.repo.cache.EhCacheAdapter;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.cmr.repository.NodeService;
@@ -57,8 +60,17 @@ public class TransactionServiceImplTest extends TestCase
transactionManager = (PlatformTransactionManager) ctx.getBean("transactionManager");
transactionService = new TransactionServiceImpl();
transactionService.setTransactionManager(transactionManager);
transactionService.setAllowWrite(true);
CacheManager cacheManager = new CacheManager();
Cache sysAdminEhCache = new Cache("sysAdminCache", 10, false, true, 0L, 0L);
cacheManager.addCache(sysAdminEhCache);
EhCacheAdapter<String, Object> sysAdminCache = new EhCacheAdapter<String, Object>();
sysAdminCache.setCache(sysAdminEhCache);
transactionService.setSysAdminCache(sysAdminCache);
transactionService.setAllowWrite(true);
nodeService = (NodeService) ctx.getBean("dbNodeService");
}