Merged V3.2 to HEAD
18088: ETHREEOH-3787: Addition of liferay-display.xml to define category for demo portlet 18053: Build fix: Re-enable log ins to Alfresco web app when not running in a portlet container - Removed direct dependencies between FacesHelper and portlet API 18037: Merged DEV/DAVEW/SURFPORTLET to V3.2 17669: Changes to enable surf rendering from a portlet - New DispatcherPortlet forwards portlet requests to the DispatcherServlet as servlet requests. - A new filter 'lazily' creates users' dashboard pages to avoid the need to have to redirect from site-index.jsp - Build against JSR 286 portlet 2.0 API jar - Exclude portlet API jar from war to avoid ClassCastExceptions - Lazily init portlet authenticators to avoid ClassNotFoundExceptions when not running in a portlet container - Fix web.xml schema validation problems - UserFactory session keys given unique prefix to avoid clash with Liferay shared session attributes - Liferay deployment descriptor to enable user principal name resolution - Fixed subsystem problem that prevented the override of a property with the empty string in alfresco-global.properties. Stopped 'unprotected' external auth from working. 18019: ETHREEOH-3770: LDAP sync now supports attribute range retrieval to get around limits imposed by Active Directory on multi-valued attributes - Meant that groups with more than 1000 members were getting truncated in Active Directory - Now switched on in ldap-ad and off in ldap subsystem - Also switched off result set paging in ldap subsystem by default for wider compatibility with non-AD systems 17759: Merged DEV/BELARUS/V3.2-2009_11_24 to V3.2 17755: ETHREEOH-3739: build 283: Upgrades from 3.1.1 and 3.1.2 fail on JBoss 5.1 - The getFile method was created for ImapFoldersPatch to retrieve acp file for ACPImportPackageHandler. - This method tries to load ACP file from file location and if it is unsuccessful then creates temporary file from resource input stream. - In other words we apply approach from ImporterBootstrap. 
17600: ETHREEOH-1002: Avoid using HTTP 1.1 chunked transfer encoding to send heartbeat data because some proxy servers can't cope with it! - Unit test can now parse chunked and un-chunked HTTP requests 17597: Further optimizations to authority caching - Don't invalidate entire user authority lookup cache when user added to or removed from an authority 17588: Fix up authority caching - Need to include tenant domain in cache key - Also reinstated cache of user recursive group memberships for performance purposes 17559: ETHREEOH-3440: Authority search performance improvements - AuthorityDAO now uses Lucene (again) to do wildcard style authority searches by name, type and zone - Retrieval by exact name, type and zone still performed by DB methods - DB methods now optimized to avoid having to load group child nodes to determine group membership - Authority cache now stores authority node refs by name to reduce authority resolution queries - ScriptGroup avoids hammering repository with multiple searches to determine group membership 17545: ETHREEOH-3371: Fixed group searches to search within the default zone and thus hide 'invisible' WCM and Share groups. 17527: ETHREEOH-3375: Use static inner class for cache key to avoid non serializable exceptions 17523: ETHREEOH-3337: Fix NPEs in RepoServerMgmt operations - Transactional cache can have entries with non-null keys and null values 17521: ETHREEOH-3158: Proper handling of user validation failures in Kerberos Authentication filters. 17490: Fix failing HeartBeatTest - Prevent possibility of both test and non-test public keys being used at the same time 17481: Fix build for Jan - Removed JDK 1.6 String.isEmpty() references 17472: Follow-on for ETHREEOH-2648 - tighten guest login, eg. if no guest configured (in auth chain) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18108 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -190,7 +190,7 @@
|
||||
</bean>
|
||||
|
||||
<!-- JSR-168 Authenticator (Portal based) -->
|
||||
<bean id="webscripts.authenticator.jsr168" class="org.alfresco.repo.web.scripts.portlet.JSR168PortletAuthenticatorFactory">
|
||||
<bean id="webscripts.authenticator.jsr168" class="org.alfresco.repo.web.scripts.portlet.JSR168PortletAuthenticatorFactory" lazy-init="true">
|
||||
<property name="unprotAuthenticationService" ref="authenticationService" />
|
||||
<property name="transactionService" ref="TransactionService" />
|
||||
</bean>
|
||||
|
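Review bot: The new `lazy-init="true"` on `webscripts.authenticator.jsr168` carries no comment saying why, and it only defers instantiation while no eagerly created bean references this bean. If any non-lazy singleton injects it, Spring will still instantiate the factory at startup and the class-loading failure outside a portlet container can return. A one-line comment above the bean would record the intent, for example `<!-- lazy-init: portlet API classes may be absent when not running in a portlet container -->`. The property named `unprotAuthenticationService` is wired to an authentication service by name, so it is also worth confirming that every caller of this authenticator performs its own access checks; the consumers are not visible on this page.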
@@ -56,6 +56,7 @@ import org.alfresco.jlan.server.auth.spnego.NegTokenTarg;
|
||||
import org.alfresco.jlan.server.auth.spnego.OID;
|
||||
import org.alfresco.jlan.server.auth.spnego.SPNEGO;
|
||||
import org.alfresco.repo.SessionUser;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationException;
|
||||
import org.apache.commons.codec.binary.Base64;
|
||||
import org.ietf.jgss.Oid;
|
||||
|
||||
@@ -313,6 +314,17 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
return;
|
||||
}
|
||||
|
||||
// Check if the login page is being accessed, do not intercept the login page
|
||||
if (hasLoginPage() && req.getRequestURI().endsWith(getLoginPage()))
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Login page requested, chaining ...");
|
||||
|
||||
// Chain to the next filter
|
||||
chain.doFilter( sreq, sresp);
|
||||
return;
|
||||
}
|
||||
|
||||
// Check the authorization header
|
||||
|
||||
if ( authHdr == null) {
|
||||
@@ -325,6 +337,9 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
|
||||
if (checkForTicketParameter(context, req, resp))
|
||||
{
|
||||
// Filter validate hook
|
||||
onValidate( context, req, resp);
|
||||
|
||||
// Chain to the next filter
|
||||
|
||||
chain.doFilter(sreq, sresp);
|
||||
@@ -397,9 +412,12 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
{
|
||||
// Kerberos logon
|
||||
|
||||
try
|
||||
{
|
||||
if ( doKerberosLogon( negToken, req, resp, httpSess) != null)
|
||||
{
|
||||
// Allow the user to access the requested page
|
||||
onValidate(context, req, resp);
|
||||
|
||||
chain.doFilter( req, resp);
|
||||
}
|
||||
@@ -410,6 +428,14 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
restartLoginChallenge( resp, httpSess);
|
||||
}
|
||||
}
|
||||
catch (AuthenticationException ex)
|
||||
{
|
||||
// Even though the user successfully authenticated, the ticket may not be granted, e.g. to
|
||||
// max user limit
|
||||
onValidateFailed(req, resp, httpSess);
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
catch ( IOException ex)
|
||||
{
|
||||
@@ -512,7 +538,6 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
|
||||
if ( negTokenTarg != null)
|
||||
{
|
||||
|
||||
// Create and store the user authentication context
|
||||
|
||||
SessionUser user = createUserEnvironment(httpSess, krbDetails.getUserName());
|
||||
@@ -531,6 +556,14 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
getLogger().debug( "No SPNEGO response, Kerberos logon failed");
|
||||
}
|
||||
}
|
||||
catch (AuthenticationException ex)
|
||||
{
|
||||
// Pass on validation failures
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Failed to validate user " + krbDetails.getUserName(), ex);
|
||||
|
||||
throw ex;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
// Log the error
|
||||
|
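Review bot: In the hunk at `@@ -313,6 +314,17 @@`, the new login-page exemption uses `req.getRequestURI().endsWith(getLoginPage())`, so any request whose raw URI merely ends in that string is chained past the Kerberos check. `getRequestURI()` is returned undecoded and still includes path parameters, so a suffix match is a loose basis for an authentication exemption. An exact comparison on the container-resolved path would be tighter, for example `String path = req.getServletPath() + (req.getPathInfo() != null ? req.getPathInfo() : "");` followed by `if (hasLoginPage() && path.equals(getLoginPage()))`. This assumes `getLoginPage()` returns a context-relative path, which the page does not show. The enclosing method starts and ends outside the visible hunks.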