Merged V3.2 to HEAD

17475: ETHREEOH-3295: Fix to AuthorityMigrationPatch
      - Forces transaction retry if worker thread reaches child authority before a parent authority
      - Tested on Kev's 3.1.1 repository with ~20,000 bulk loaded users and ~2,000 Share sites
      - Now completes in 5 minutes as opposed to 45
   17461: ETHREEOH-3268: Added MutableAuthenticationService.isAuthenticationCreationAllowed () to allow conditional display of external user invitation UI
   17450: ETHREEOH-2762: Correction to previous fix. Do not generate new name when working copy copied back on check in.
   17440: ETHREEOH-3295: Fixed logging in FixNameCrcValuesPatch
   17439: ETHREEOH-2762: Improved behaviour when a working copy is copied
      - Working copy aspect already removed the working copy aspect on copy
      - Now derives a new name from the node checked out from and a UUID, preserving the extension
   17438: ETHREEOH-2690: Fix sequencing of jgroups system property setting
      - declared dependency between internalEHCacheManager and jgroupsPropertySetter
   17436: ETHREEOH-3295: Further performance improvements to AuthorityMigrationPatch
      - authority created at same time as all its parent associations to save lots of reindexing, as per LDAP sync
      - multi-threaded BatchProcessor (as used by LDAP sync, FixNameCrcValuesPatch) used to process work in 2 threads in batches of 20, report progress every 100 entries and handle transaction retries
      - BatchProcessor now promoted to its own package
   17394: Fix for license issue in local enterprise builds.
      - Replace Community with Enterprise in version.properties during enterprise war building
   17365: ETHREEOH-3229: Visited and fixed all SearchService result set leaks
   17362: ETHREEOH-3254: Eliminate needless ping to LDAP server in LDAPAuthenticationComponentImpl.implementationAllowsGuestLogin()
   17348: ETHREEOH-3003: Fix NPE in Hyperic when LicenseDescriptor has null fields
   17316: Merged V3.1 to V3.2
      17315: ETHREEOH-3092: PersonService won't let you create duplicate persons anymore.
      17314: ETHREEOH-3158: Fix RepoServerMgmt to work with external authentication methods
         - AuthenticationService.getCurrentTicket / getNewTicket now call pre authentication check before issuing a new ticket, thus still allowing ticket enforcement when external authentication is in use.
      17312: ETHREEOH-3219: Enable resolution of JMX server password file path on JBoss 5
      17299: Merged V3.2 to V3.1 (Record only)
         17297: ETHREEOH-1593: Changed name of username cookie and fixed login.jsp to decode it properly
         17248: ETHREEOH-1593: alfUser cookie value should be base 64 encoded to allow for non-ASCII characters
   17297: ETHREEOH-1593: Changed name of username cookie and fixed login.jsp to decode it properly
      - thanks Kev!
   17292: ETHREEOH-1842: Ticket association with HttpSession IDs tracked so that we don't invalidate a ticket in use by multiple sessions prematurely
      - AuthenticationService validate, getCurrentTicket, etc. methods now take optional sessionId arguments
   17269: Fix failing unit test
      - reinstate original behaviour of AbstractChainingAuthenticationService.getAuthenticationEnabled()
   17268: Fix InvitationService
      - Runs as system to do privileged AuthenticationService actions


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18105 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/security/authentication/TicketComponent.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007 Alfresco Software Limited.
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -18,7 +18,7 @@
  * As a special exception to the terms and conditions of version 2.0 of 
  * the GPL, you may redistribute this Program in connection with Free/Libre 
  * and Open Source Software ("FLOSS") applications as described in Alfresco's 
- * FLOSS exception.  You should have recieved a copy of the text describing 
+ * FLOSS exception.  You should have received a copy of the text describing 
  * the FLOSS exception, and it is also available here: 
  * http://www.alfresco.com/legal/licensing"
  */
@@ -36,54 +36,68 @@ import java.util.Set;
 public interface TicketComponent
 {
     /**
-     * Register a new ticket
+     * Register a new ticket. If a session ID is given, an association with that session ID will be recorded for the
+     * returned ticket.
      * 
      * @param userName
+     * @param sessionId
+     *            the app server session ID (e.g. HttpSession ID) or <code>null</code> if not applicable.
      * @return - the ticket
      * @throws AuthenticationException
      */
-    public String getNewTicket(String userName) throws AuthenticationException;
+    public String getNewTicket(String userName, String sessionId) throws AuthenticationException;
 
     /**
-     * Get the current ticket
+     * Gets the current ticket. If a session ID is given, an association with that session ID will be recorded for the
+     * returned ticket.
      * 
      * @param userName
+     * @param sessionId
+     *            the app server session ID (e.g. HttpSession ID) or <code>null</code> if not applicable.
+     * @param autoCreate
+     *            should we create one automatically if there isn't one?
      * @return - the ticket
-     */
-    
-    public String getCurrentTicket(String userName);
+     */    
+    public String getCurrentTicket(String userName, String sessionId, boolean autoCreate);
     
     /**
-     * Check that a certificate is valid and can be used in place of a login.
-     * 
-     * Tickets may be rejected because:
+     * Check that a certificate is valid and can be used in place of a login. Optionally records an association between
+     * the ticket and a given app server session Id. This is so that we don't expire tickets prematurely referenced by
+     * more than one application server session. Tickets may be rejected because:
      * <ol>
-     * <li> The certificate does not exists
-     * <li> The status of the user has changed 
+     * <li>The certificate does not exists
+     * <li>The status of the user has changed
      * <ol>
-     * <li> The user is locked
-     * <li> The account has expired
-     * <li> The credentials have expired
-     * <li> The account is disabled
+     * <li>The user is locked
+     * <li>The account has expired
+     * <li>The credentials have expired
+     * <li>The account is disabled
      * </ol>
-     * <li> The ticket may have expired
+     * <li>The ticket may have expired
      * <ol>
-     * <li> The ticked my be invalid by timed expiry
-     * <li> An attemp to reuse a once only ticket
+     * <li>The ticked my be invalid by timed expiry
+     * <li>An attemp to reuse a once only ticket
      * </ol>
      * </ol>
      * 
      * @param ticket
+     * @param sessionId
+     *            the app server session ID (e.g. HttpSession ID) or <code>null</code> if not applicable.
      * @return - the user name
      * @throws AuthenticationException
      */
-    public String validateTicket(String ticket) throws AuthenticationException;
+    public String validateTicket(String ticket, String sessionId) throws AuthenticationException;
     
     /**
-     * Invalidate the tickets by id
+     * Invalidates a ticket, or disassociates it from an app server session. Once it has been disassociated from all
+     * sessions, the ticket will be invalidated globally.
+     * 
      * @param ticket
+     * @param sessionId
+     *            the app server session ID (e.g. HttpSession ID) or <code>null</code> if the ticket should be
+     *            invalidated globally.
      */
-    public void invalidateTicketById(String ticket);
+    public void invalidateTicketById(String ticket, String sessionId);
     
     /**
      * Invalidate all user tickets