Merged V3.2 to HEAD

17475: ETHREEOH-3295: Fix to AuthorityMigrationPatch
      - Forces transaction retry if worker thread reaches child authority before a parent authority
      - Tested on Kev's 3.1.1 repository with ~20,000 bulk loaded users and ~2,000 Share sites
      - Now completes in 5 minutes as opposed to 45
   17461: ETHREEOH-3268: Added MutableAuthenticationService.isAuthenticationCreationAllowed () to allow conditional display of external user invitation UI
   17450: ETHREEOH-2762: Correction to previous fix. Do not generate new name when working copy copied back on check in.
   17440: ETHREEOH-3295: Fixed logging in FixNameCrcValuesPatch
   17439: ETHREEOH-2762: Improved behaviour when a working copy is copied
      - Working copy aspect already removed the working copy aspect on copy
      - Now derives a new name from the node checked out from and a UUID, preserving the extension
   17438: ETHREEOH-2690: Fix sequencing of jgroups system property setting
      - declared dependency between internalEHCacheManager and jgroupsPropertySetter
   17436: ETHREEOH-3295: Further performance improvements to AuthorityMigrationPatch
      - authority created at same time as all its parent associations to save lots of reindexing, as per LDAP sync
      - multi-threaded BatchProcessor (as used by LDAP sync, FixNameCrcValuesPatch) used to process work in 2 threads in batches of 20, report progress every 100 entries and handle transaction retries
      - BatchProcessor now promoted to its own package
   17394: Fix for license issue in local enterprise builds.
      - Replace Community with Enterprise in version.properties during enterprise war building
   17365: ETHREEOH-3229: Visited and fixed all SearchService result set leaks
   17362: ETHREEOH-3254: Eliminate needless ping to LDAP server in LDAPAuthenticationComponentImpl.implementationAllowsGuestLogin()
   17348: ETHREEOH-3003: Fix NPE in Hyperic when LicenseDescriptor has null fields
   17316: Merged V3.1 to V3.2
      17315: ETHREEOH-3092: PersonService won't let you create duplicate persons anymore.
      17314: ETHREEOH-3158: Fix RepoServerMgmt to work with external authentication methods
         - AuthenticationService.getCurrentTicket / getNewTicket now call pre authentication check before issuing a new ticket, thus still allowing ticket enforcement when external authentication is in use.
      17312: ETHREEOH-3219: Enable resolution of JMX server password file path on JBoss 5
      17299: Merged V3.2 to V3.1 (Record only)
         17297: ETHREEOH-1593: Changed name of username cookie and fixed login.jsp to decode it properly
         17248: ETHREEOH-1593: alfUser cookie value should be base 64 encoded to allow for non-ASCII characters
   17297: ETHREEOH-1593: Changed name of username cookie and fixed login.jsp to decode it properly
      - thanks Kev!
   17292: ETHREEOH-1842: Ticket association with HttpSession IDs tracked so that we don't invalidate a ticket in use by multiple sessions prematurely
      - AuthenticationService validate, getCurrentTicket, etc. methods now take optional sessionId arguments
   17269: Fix failing unit test
      - reinstate original behaviour of AbstractChainingAuthenticationService.getAuthenticationEnabled()
   17268: Fix InvitationService
      - Runs as system to do privileged AuthenticationService actions


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18105 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java

@@ -86,7 +86,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
         }
         ticketComponent.clearCurrentTicket();
         
-        ticketComponent.getCurrentTicket(userName); // to ensure new ticket is created (even if client does not explicitly call getCurrentTicket)
+        ticketComponent.getCurrentTicket(userName, null, true); // to ensure new ticket is created (even if client does not explicitly call getCurrentTicket)
     }
     
     public String getCurrentUserName() throws AuthenticationException
@@ -104,9 +104,9 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
     	return ticketComponent.getUsersWithTickets(nonExpiredOnly);
     }
 
-    public void invalidateTicket(String ticket) throws AuthenticationException
+    public void invalidateTicket(String ticket, String sessionId) throws AuthenticationException
     {
-        ticketComponent.invalidateTicketById(ticket);
+        ticketComponent.invalidateTicketById(ticket, sessionId);
     }
     
     public int countTickets(boolean nonExpiredOnly)
@@ -120,7 +120,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
     }
     
 
-    public void validate(String ticket) throws AuthenticationException
+    public void validate(String ticket, String sessionId) throws AuthenticationException
     {
         String currentUser = null;
         try
@@ -128,7 +128,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
 
             // clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'authenticate' above
             clearCurrentSecurityContext();
-            currentUser = ticketComponent.validateTicket(ticket);
+            currentUser = ticketComponent.validateTicket(ticket, sessionId);
             authenticationComponent.setCurrentUser(currentUser, UserNameValidationMode.CHECK);
         }
         catch (AuthenticationException ae)
@@ -138,14 +138,43 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
         }
     }
 
-    public String getCurrentTicket()
+    public String getCurrentTicket(String sessionId) throws AuthenticationException
     {
-        return ticketComponent.getCurrentTicket(getCurrentUserName());
+        String userName = getCurrentUserName();
+        // So that preAuthenticationCheck can constrain the creation of new tickets, we first ask for the current ticket
+        // without auto-creation
+        String ticket = ticketComponent.getCurrentTicket(userName, sessionId, false);
+        if (ticket == null)
+        {
+            try
+            {
+                preAuthenticationCheck(userName);
+            }
+            catch (AuthenticationException e)
+            {
+                clearCurrentSecurityContext();
+                throw e;
+            }
+            // If we get through the authentication check then it's safe to issue a new ticket (e.g. for
+            // SSO/external-based login)
+            return ticketComponent.getCurrentTicket(userName, sessionId, true);
+        }
+        return ticket;
     }
 
-    public String getNewTicket()
+    public String getNewTicket(String sessionId)
     {
-        return ticketComponent.getNewTicket(getCurrentUserName());
+        String userName = getCurrentUserName();
+        try
+        {
+            preAuthenticationCheck(userName);
+        }
+        catch (AuthenticationException e)
+        {
+            clearCurrentSecurityContext();
+            throw e;
+        }
+        return ticketComponent.getNewTicket(userName, sessionId);
     }
     
     public void clearCurrentSecurityContext()
@@ -165,7 +194,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
         authenticationComponent.setGuestUserAsCurrentUser();
         String guestUser = authenticationComponent.getCurrentUserName();
         ticketComponent.clearCurrentTicket();
-        ticketComponent.getCurrentTicket(guestUser); // to ensure new ticket is created (even if client does not explicitly call getCurrentTicket)
+        ticketComponent.getCurrentTicket(guestUser, null, true); // to ensure new ticket is created (even if client does not explicitly call getCurrentTicket)
     }
     
     public boolean guestUserAuthenticationAllowed()