Merged 1.4 to HEAD

svn merge svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@4313 svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@4314 .
   svn merge svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@4317 svn://svn.alfresco.com:3691/alfresco/BRANCHES/V1.4@4318 .


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@4656 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Derek Hulley
2006-12-19 14:28:55 +00:00
parent cfb373ae36
commit 488450a988
17 changed files with 1807 additions and 877 deletions


@@ -41,6 +41,7 @@ import org.alfresco.filesys.smb.server.SMBSrvException;
import org.alfresco.filesys.smb.server.SMBSrvPacket;
import org.alfresco.filesys.smb.server.SMBSrvSession;
import org.alfresco.filesys.smb.server.SecurityMode;
import org.alfresco.filesys.smb.server.VirtualCircuit;
import org.alfresco.filesys.smb.server.repo.ContentContext;
import org.alfresco.filesys.util.DataPacker;
import org.alfresco.filesys.util.HexDump;
@@ -491,8 +492,6 @@ public abstract class CifsAuthenticator
// Authenticate the user
boolean isGuest = false;
int sts = authenticateUser(client, sess, CifsAuthenticator.NTLM1);
if (sts > 0 && (sts & CifsAuthenticator.AUTH_GUEST) != 0)
@@ -500,7 +499,7 @@ public abstract class CifsAuthenticator
// Guest logon
isGuest = true;
client.setGuest( true);
// DEBUG
@@ -509,57 +508,55 @@ public abstract class CifsAuthenticator
}
else if (sts != CifsAuthenticator.AUTH_ALLOW)
{
// DEBUG
// Check if the session already has valid client details and the new client details
// have null username/password values
if (logger.isDebugEnabled() && sess.hasDebug(SMBSrvSession.DBG_NEGOTIATE))
logger.debug("User " + user + ", access denied");
if (sess.getClientInformation() != null && client.getUserName().length() == 0)
{
// Invalid user, reject the session setup request
// Use the existing client information details
client = sess.getClientInformation();
// DEBUG
if (logger.isDebugEnabled() && sess.hasDebug(SMBSrvSession.DBG_NEGOTIATE))
logger.debug("Null client information, reusing existing client=" + client);
}
else
{
// DEBUG
if (logger.isDebugEnabled() && sess.hasDebug(SMBSrvSession.DBG_NEGOTIATE))
logger.debug("User " + user + ", access denied");
// Invalid user, reject the session setup request
throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.DOSAccessDenied, SMBStatus.ErrDos);
}
throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.DOSAccessDenied, SMBStatus.ErrDos);
}
else if (logger.isDebugEnabled() && sess.hasDebug(SMBSrvSession.DBG_NEGOTIATE))
{
// Save the current user token in the client information
if ( client.isNullSession() == false)
client.setAuthenticationToken( m_authComponent.getCurrentAuthentication());
else
client.setAuthenticationToken( null);
// DEBUG
logger.debug("User " + user + " logged on "
+ (client != null ? " (type " + client.getLogonTypeString() + ")" : ""));
}
// Update the client information if not already set
// Create a virtual circuit and allocate a UID to the new circuit
if (sess.getClientInformation() == null
|| sess.getClientInformation().getUserName().length() == 0)
VirtualCircuit vc = new VirtualCircuit( vcNum, client);
int uid = sess.addVirtualCircuit( vc);
if ( uid == VirtualCircuit.InvalidUID)
{
// Set the client details for the session
sess.setClientInformation(client);
// DEBUG
if ( logger.isDebugEnabled() && sess.hasDebug( SMBSrvSession.DBG_NEGOTIATE))
logger.debug("Failed to allocate UID for virtual circuit, " + vc);
// Failed to allocate a UID
throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.DOSAccessDenied, SMBStatus.ErrDos);
}
else if ( logger.isDebugEnabled() && sess.hasDebug( SMBSrvSession.DBG_NEGOTIATE)) {
// DEBUG
logger.debug("Allocated UID=" + uid + " for VC=" + vc);
}
// Set the guest flag for the client, indicate that the session is logged on
// Indicate that the session is logged on
client.setGuest(isGuest);
sess.setLoggedOn(true);
// Build the session setup response SMB
@@ -567,11 +564,11 @@ public abstract class CifsAuthenticator
respPkt.setParameterCount(3);
respPkt.setParameter(0, 0); // No chained response
respPkt.setParameter(1, 0); // Offset to chained response
respPkt.setParameter(2, isGuest ? 1 : 0);
respPkt.setParameter(2, client.isGuest() ? 1 : 0);
respPkt.setByteCount(0);
respPkt.setTreeId(0);
respPkt.setUserId(0);
respPkt.setUserId(uid);
// Set the various flags
@@ -832,8 +829,7 @@ public abstract class CifsAuthenticator
client.setGuest( true);
// Create a dynamic share for the guest user
// Create the disk driver and context
// Create a dynamic share for the guest user, create the disk driver and context
DiskInterface diskDrv = m_config.getDiskInterface();
DiskDeviceContext diskCtx = new ContentContext(client.getUserName(), "", "", client.getHomeFolder());
@@ -936,4 +932,33 @@ public abstract class CifsAuthenticator
return personName;
}
/**
* Set the current authenticated user context for this thread
*
* @param client ClientInfo
*/
public void setCurrentUser( ClientInfo client)
{
// Check the account type and setup the authentication context
if ( client.isNullSession())
{
// Clear the authentication, null user should not be allowed to do any service calls
m_authComponent.clearCurrentSecurityContext();
}
else if ( client.isGuest() == false)
{
// Set the authentication context for the request
m_authComponent.setCurrentAuthentication( client.getAuthenticationToken());
}
else
{
// Enable guest access for the request
m_authComponent.setGuestUserAsCurrentUser();
}
}
}
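Review bot: The new branch `if (sess.getClientInformation() != null && client.getUserName().length() == 0)` in the access-denied path reuses the session's existing client information and then continues to allocate a virtual circuit and mark the session logged on, but the comment above it says the check covers "null username/password values" while only the user name is tested, so a failed logon that carries an empty user name with a non-empty password is still granted a circuit under the previously logged-on identity without re-authentication. Suggest restricting the reuse to a genuine null-session follow-up, e.g. `if (sess.getClientInformation() != null && client.getUserName().length() == 0 && client.isNullSession())`, and rejecting everything else as before. Separately, as rendered the `client.setAuthenticationToken(...)` block sits inside the `else if (logger.isDebugEnabled() && sess.hasDebug(SMBSrvSession.DBG_NEGOTIATE))` branch; if that is the new code rather than a rendering artifact, the token is stored only when negotiate debugging is enabled and the new `setCurrentUser` would hand a null token to `setCurrentAuthentication` for every non-guest user, so the save should be moved to a plain `else` with the debug call guarded inside it. The enclosing session-setup method starts before the first hunk of this file.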


@@ -67,6 +67,10 @@ public class ClientInfo
private String m_ipAddr;
// PID of the logon process for multi-stage logons
private int m_pid = -1;
// Authentication token
private Authentication m_authToken;
@@ -394,6 +398,26 @@ public class ClientInfo
return m_nfsAuthType;
}
/**
* Return the process id
*
* @return int
*/
public final int getProcessId()
{
return m_pid;
}
/**
* Set the process id
*
* @param pid int
*/
public final void setProcessId( int pid)
{
m_pid = pid;
}
/**
* Set the remote users domain
*
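Review bot: The new `getProcessId`/`setProcessId` Javadoc documents only the type (`@return int`, `@param pid int`) and leaves the `-1` initial value of `m_pid` unexplained; the getter should say `@return int the PID of the logon process for a multi-stage logon, or -1 if none has been recorded`. The `m_authToken` field added beside it carries the client's security token, and a one-line comment on when it is set and when it is null (the authenticator in this commit stores null for null sessions) would help the next reader. The field declarations are inside ClientInfo's body; the class header is outside the hunk.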


@@ -60,6 +60,7 @@ import org.alfresco.filesys.smb.SMBStatus;
import org.alfresco.filesys.smb.server.SMBSrvException;
import org.alfresco.filesys.smb.server.SMBSrvPacket;
import org.alfresco.filesys.smb.server.SMBSrvSession;
import org.alfresco.filesys.smb.server.VirtualCircuit;
import org.alfresco.filesys.util.DataPacker;
import org.alfresco.filesys.util.HexDump;
import org.alfresco.repo.security.authentication.NTLMMode;
@@ -507,29 +508,17 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
if ( reqPkt.getParameterCount() == 13)
{
try
{
// Process the hashed password session setup
// Process the hashed password session setup
doHashedPasswordLogon( sess, reqPkt, respPkt);
return;
}
catch (SMBSrvException ex)
{
// Cleanup any stored context
sess.setSetupObject( null);
// Rethrow the exception
throw ex;
}
doHashedPasswordLogon( sess, reqPkt, respPkt);
return;
}
// Extract the session details
int maxBufSize = reqPkt.getParameter(2);
int maxMpx = reqPkt.getParameter(3);
int vcNum = reqPkt.getParameter(4);
int secBlobLen = reqPkt.getParameter(7);
int capabs = reqPkt.getParameterLong(10);
@@ -601,9 +590,13 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
if ( sess.hasRemoteAddress())
client.setClientAddress(sess.getRemoteAddress().getHostAddress());
// Save the setup object, if valid
// Set the process id for this client, for multi-stage logons
Object setupObj = sess.getSetupObject();
client.setProcessId( reqPkt.getProcessId());
// Get the current sesion setup object, or null
Object setupObj = sess.getSetupObject( client.getProcessId());
// Process the security blob
@@ -646,7 +639,7 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
{
// Cleanup any stored context
sess.setSetupObject( null);
sess.removeSetupObject( client.getProcessId());
// Rethrow the exception
@@ -675,15 +668,23 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
// Check if there is/was a session setup object stored in the session, this indicates a multi-stage session
// setup so set the status code accordingly
if ( useRawNTLMSSP() || isNTLMSSP == true || sess.hasSetupObject() || setupObj != null)
boolean loggedOn = false;
if ( useRawNTLMSSP() || isNTLMSSP == true || sess.hasSetupObject( client.getProcessId()) || setupObj != null)
{
// NTLMSSP has two stages, if there is a stored setup object then indicate more processing
// required
if ( sess.hasSetupObject())
if ( sess.hasSetupObject( client.getProcessId()))
respPkt.setLongErrorCode( SMBStatus.NTMoreProcessingRequired);
else
{
respPkt.setLongErrorCode( SMBStatus.NTSuccess);
// Indicate that the user is logged on
loggedOn = true;
}
respPkt.setParameterCount(4);
respPkt.setParameter(0, 0xFF); // No chained response
@@ -712,6 +713,44 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
// security blob length
respPkt.setParameterLong(8, 0); // reserved
respPkt.setParameterLong(10, getServerCapabilities());
// Indicate that the user is logged on
loggedOn = true;
}
// If the user is logged on then allocate a virtual circuit
int uid = 0;
if ( loggedOn == true) {
// Clear any stored session setup object for the logon
sess.removeSetupObject( client.getProcessId());
// Create a virtual circuit for the new logon
VirtualCircuit vc = new VirtualCircuit( vcNum, client);
uid = sess.addVirtualCircuit( vc);
if ( uid == VirtualCircuit.InvalidUID)
{
// DEBUG
if ( logger.isDebugEnabled() && sess.hasDebug( SMBSrvSession.DBG_NEGOTIATE))
logger.debug("Failed to allocate UID for virtual circuit, " + vc);
// Failed to allocate a UID
throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.DOSAccessDenied, SMBStatus.ErrDos);
}
else if ( logger.isDebugEnabled() && sess.hasDebug( SMBSrvSession.DBG_NEGOTIATE)) {
// DEBUG
logger.debug("Allocated UID=" + uid + " for VC=" + vc);
}
}
// Common session setup response
@@ -719,8 +758,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
respPkt.setCommand( reqPkt.getCommand());
respPkt.setByteCount(0);
respPkt.setTreeId(0);
respPkt.setUserId(0);
respPkt.setTreeId( 0);
respPkt.setUserId( uid);
// Set the various flags
@@ -834,7 +873,7 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
// Store the type 2 message in the session until the session setup is complete
sess.setSetupObject( type2Msg);
sess.setSetupObject( client.getProcessId(), type2Msg);
// Set the response blob using the type 2 message
@@ -848,11 +887,11 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
// Make sure a type 2 message was stored in the first stage of the session setup
if ( sess.hasSetupObject() == false || sess.getSetupObject() instanceof Type2NTLMMessage == false)
if ( sess.hasSetupObject( client.getProcessId()) == false || sess.getSetupObject( client.getProcessId()) instanceof Type2NTLMMessage == false)
{
// Clear the setup object
sess.setSetupObject( null);
sess.removeSetupObject( client.getProcessId());
// Return a logon failure
@@ -937,7 +976,7 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
NegTokenTarg negTarg = null;
if ( tokType == SPNEGO.NegTokenTarg && sess.hasSetupObject() && sess.getSetupObject() instanceof Type2NTLMMessage)
if ( tokType == SPNEGO.NegTokenTarg && sess.hasSetupObject( client.getProcessId()) && sess.getSetupObject( client.getProcessId()) instanceof Type2NTLMMessage)
{
// Get the NTLMSSP blob from the NegTokenTarg blob
@@ -972,7 +1011,7 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
int spnegoSts = SPNEGO.AcceptCompleted;
if ( sess.hasSetupObject())
if ( sess.hasSetupObject( client.getProcessId()))
spnegoSts = SPNEGO.AcceptIncomplete;
// Package the NTLMSSP response in an SPNEGO response
@@ -1022,7 +1061,7 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
int spnegoSts = SPNEGO.AcceptCompleted;
if ( sess.hasSetupObject())
if ( sess.hasSetupObject( client.getProcessId()))
spnegoSts = SPNEGO.AcceptIncomplete;
// Package the NTLMSSP response in an SPNEGO response
@@ -1183,8 +1222,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
// Get the type 2 message that contains the challenge sent to the client
Type2NTLMMessage type2Msg = (Type2NTLMMessage) sess.getSetupObject();
sess.setSetupObject( null);
Type2NTLMMessage type2Msg = (Type2NTLMMessage) sess.getSetupObject( client.getProcessId());
sess.removeSetupObject( client.getProcessId());
// Check if we are using local MD4 password hashes or passthru authentication
@@ -1432,8 +1471,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
{
// Get the type 2 message that contains the challenge sent to the client
Type2NTLMMessage type2Msg = (Type2NTLMMessage) sess.getSetupObject();
sess.setSetupObject( null);
Type2NTLMMessage type2Msg = (Type2NTLMMessage) sess.getSetupObject( client.getProcessId());
sess.removeSetupObject( client.getProcessId());
// Check if we are using local MD4 password hashes or passthru authentication
@@ -1677,8 +1716,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
{
// Get the type 2 message that contains the challenge sent to the client
Type2NTLMMessage type2Msg = (Type2NTLMMessage) sess.getSetupObject();
sess.setSetupObject( null);
Type2NTLMMessage type2Msg = (Type2NTLMMessage) sess.getSetupObject( client.getProcessId());
sess.removeSetupObject( client.getProcessId());
// Check if we are using local MD4 password hashes or passthru authentication
@@ -1980,17 +2019,30 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
logger.debug("User " + user + ", logged on as guest");
}
// Update the client information if not already set
// Create a virtual circuit and allocate a UID to the new circuit
if (sess.getClientInformation() == null
|| sess.getClientInformation().getUserName().length() == 0)
VirtualCircuit vc = new VirtualCircuit( vcNum, client);
int uid = sess.addVirtualCircuit( vc);
if ( uid == VirtualCircuit.InvalidUID)
{
// Set the client details for the session
sess.setClientInformation(client);
// DEBUG
if ( logger.isDebugEnabled() && sess.hasDebug( SMBSrvSession.DBG_NEGOTIATE))
logger.debug("Failed to allocate UID for virtual circuit, " + vc);
// Failed to allocate a UID
throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.DOSAccessDenied, SMBStatus.ErrDos);
}
else if ( logger.isDebugEnabled() && sess.hasDebug( SMBSrvSession.DBG_NEGOTIATE))
{
// DEBUG
logger.debug("Allocated UID=" + uid + " for VC=" + vc);
}
// Set the guest flag for the client, indicate that the session is logged on
client.setGuest(isGuest);
@@ -2005,7 +2057,7 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticator implements Ca
respPkt.setByteCount(0);
respPkt.setTreeId(0);
respPkt.setUserId(0);
respPkt.setUserId(uid);
// Set the various flags
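Review bot: The pending setup object is now keyed by `client.setProcessId( reqPkt.getProcessId())`, a value taken from the client's request header, and this file removes that object only on the success path (`sess.removeSetupObject( client.getProcessId())` just before the virtual circuit is created) and in the SMBSrvException handler, so a type 1 exchange the client never completes leaves its Type2NTLMMessage stored in the session under that PID. Unless SMBSrvSession bounds or ages the per-PID setup objects (not visible here), a session can accumulate one per distinct PID for as long as it stays open; either cap the number of pending setup objects per session or document that they are discarded when the session closes. A comment at the `setProcessId` call such as `// PID is client-supplied; it only keys the pending setup object for multi-stage logons` would make the intent explicit, and the same keyed lookups recur in the later `sess.hasSetupObject( client.getProcessId())` checks and the Type2NTLMMessage retrievals. The enclosing session-setup method begins before the first hunk of this file.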