Merged V2.2 to HEAD

7260: Basic JMX sys admin - to manage session/tickets and server modes such as read-only and single-user git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@8242 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-10-08 14:51:49 +00:00 · 2008-02-11 11:07:46 +00:00
parent 1041c6ceb0
commit 17b806c6c0
12 changed files with 603 additions and 14 deletions
--- a/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
@@ -25,8 +25,10 @@
 package org.alfresco.repo.security.authentication;

 import java.util.Collections;
+import java.util.List;
 import java.util.Set;

+import org.alfresco.repo.cache.SimpleCache;
 import org.alfresco.service.cmr.security.AuthenticationService;

 public class AuthenticationServiceImpl implements AuthenticationService
@@ -45,10 +47,20 @@ public class AuthenticationServiceImpl implements AuthenticationService
    
    private boolean allowsUserPasswordChange = true;
    
+    // SysAdmin cache - used to cluster certain JMX operations
+    private SimpleCache<String, Object> sysAdminCache;
+    private final static String KEY_SYSADMIN_ALLOWED_USERS = "sysAdminCache.authAllowedUsers";
+
+    
    public AuthenticationServiceImpl()
    {
        super();
    }
+    
+    public void setSysAdminCache(SimpleCache<String, Object> sysAdminCache)
+    {
+        this.sysAdminCache = sysAdminCache;
+    }

    public void setAuthenticationDao(MutableAuthenticationDao authenticationDao)
    {
@@ -105,13 +117,20 @@ public class AuthenticationServiceImpl implements AuthenticationService
        authenticationDao.setEnabled(userName, enabled);
    }

+    @SuppressWarnings("unchecked")
    public void authenticate(String userName, char[] password) throws AuthenticationException
    {
        try
        {
-           // clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'validate' below
-           clearCurrentSecurityContext();
-           authenticationComponent.authenticate(userName, password);
+            // clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'validate' below
+            clearCurrentSecurityContext();
+        	List<String> allowedUsers = (List<String>)sysAdminCache.get(KEY_SYSADMIN_ALLOWED_USERS);
+           
+        	if ((allowedUsers != null) && (! allowedUsers.contains(userName)))
+			{
+				throw new AuthenticationException("Username not allowed: " + userName);
+			}
+		    authenticationComponent.authenticate(userName, password);
        }
        catch(AuthenticationException ae)
        {
@@ -119,6 +138,8 @@ public class AuthenticationServiceImpl implements AuthenticationService
            throw ae;
        }
        ticketComponent.clearCurrentTicket();
+        
+        ticketComponent.getCurrentTicket(userName); // to ensure new ticket is created (even if client does not explicitly call getCurrentTicket)
    }
    
    public boolean authenticationExists(String userName)
@@ -135,11 +156,32 @@ public class AuthenticationServiceImpl implements AuthenticationService
    {
        ticketComponent.invalidateTicketByUser(userName);
    }
+    
+    public Set<String> getUsersWithTickets(boolean nonExpiredOnly)
+    {
+    	return ticketComponent.getUsersWithTickets(nonExpiredOnly);
+    }
+    
+    public void setAllowedUsers(List<String> allowedUsers)
+    {
+    	sysAdminCache.put(KEY_SYSADMIN_ALLOWED_USERS, allowedUsers);
+    }

    public void invalidateTicket(String ticket) throws AuthenticationException
    {
        ticketComponent.invalidateTicketById(ticket);
    }
+    
+    public int countTickets(boolean nonExpiredOnly)
+    {
+    	return ticketComponent.countTickets(nonExpiredOnly);
+    }
+    
+    public int invalidateTickets(boolean expiredOnly)
+    {
+    	return ticketComponent.invalidateTickets(expiredOnly);
+    }
+    

    public void validate(String ticket) throws AuthenticationException
    {
--- a/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java
@@ -144,6 +144,76 @@ public class InMemoryTicketComponentImpl implements TicketComponent
        String key = ticketString.substring(GRANTED_AUTHORITY_TICKET_PREFIX.length());
        ticketsCache.remove(key);
    }
+    
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.repo.security.authentication.TicketComponent#getUsersWithTickets(boolean)
+     */
+    public Set<String> getUsersWithTickets(boolean nonExpiredOnly) 
+    {
+    	Set<String> users = new HashSet<String>();
+    	for (String key : ticketsCache.getKeys())
+        {
+    		Ticket ticket = ticketsCache.get(key);
+    		if ((nonExpiredOnly == false) || (! ticket.hasExpired()))
+    		{
+    			users.add(ticket.getUserName());
+    		}
+        }
+    	return users;
+    }
+    
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.repo.security.authentication.TicketComponent#countTickets(boolean)
+     */
+    public int countTickets(boolean nonExpiredOnly)
+    {
+    	if (nonExpiredOnly)
+    	{
+    		int count = 0;
+    		for (String key : ticketsCache.getKeys())
+            {
+    			Ticket ticket = ticketsCache.get(key);
+    			if (! ticket.hasExpired())
+    			{
+    				count++;
+    			}
+            }
+    		return count;
+    	}
+    	else
+    	{
+    		return ticketsCache.getKeys().size();
+    	}
+    }
+    
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.repo.security.authentication.TicketComponent#invalidateTickets(boolean)
+     */
+    public int invalidateTickets(boolean expiredOnly)
+    {
+    	int count = 0;
+    	if (! expiredOnly)
+    	{
+    		count = ticketsCache.getKeys().size();
+    		ticketsCache.clear();
+    	}
+    	else
+    	{
+	    	for (String key : ticketsCache.getKeys())
+	        {
+	    		Ticket ticket = ticketsCache.get(key);
+	    		if (ticket.hasExpired())
+	    		{
+	    			count++;
+	    			ticketsCache.remove(key);
+	    		}
+	        }
+    	}
+    	return count;
+    }

    public void invalidateTicketByUser(String userName)
    {
--- a/source/java/org/alfresco/repo/security/authentication/TicketComponent.java
+++ b/source/java/org/alfresco/repo/security/authentication/TicketComponent.java
@@ -24,6 +24,8 @@
 */
 package org.alfresco.repo.security.authentication;

+import java.util.Set;
+

 /**
 * Manage authentication tickets
@@ -89,6 +91,34 @@ public interface TicketComponent
     * @param userName
     */
    public void invalidateTicketByUser(String userName);
+      
+	/**
+	 * Count tickets
+	 * 
+	 * This may be higher than the user count, since a user can have more than one ticket/session
+	 *
+	 * @param nonExpiredOnly  true for non expired tickets, false for all (including expired) tickets
+	 * @return int number of tickets
+	 */
+    public int countTickets(boolean nonExpiredOnly);
+    
+	/**
+	 * Get set of users with tickets
+	 * 
+	 * This may be lower than the ticket count, since a user can have more than one ticket/session
+	 *
+	 * @param nonExpiredOnly  true for non expired tickets, false for all (including expired) tickets
+	 * @return Set<String>   set of users with (one or more) tickets
+	 */
+    public Set<String> getUsersWithTickets(boolean nonExpiredOnly);
+
+	/**
+	 * Invalidate tickets
+	 * 
+	 * @param expiredOnly  true for EXPIRED tickets, false for ALL (including non-expired) tickets
+	 * @return int  count of invalidated tickets
+	 */
+    public int invalidateTickets(boolean expiredOnly);
    
    /**
     * Get the authority for the given ticket