inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-24 17:32:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Replaced the file server code with the Alfresco JLAN project.

Browse Source 
Restructured the file server code packages.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@7757 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Gary Spencer
2008-01-06 16:44:00 +00:00
parent 0a7fef92aa
commit 6478d72321
396 changed files with 6336 additions and 118542 deletions
Download Patch File Download Diff File Expand all files Collapse all files

544
source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java Normal file
View File

@@ -0,0 +1,544 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.filesys.auth.cifs;
import java.security.NoSuchAlgorithmException;
import javax.transaction.Status;
import javax.transaction.UserTransaction;
import net.sf.acegisecurity.Authentication;
import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
import org.alfresco.jlan.server.SrvSession;
import org.alfresco.jlan.server.auth.AuthContext;
import org.alfresco.jlan.server.auth.CifsAuthenticator;
import org.alfresco.jlan.server.auth.ClientInfo;
import org.alfresco.jlan.server.auth.NTLanManAuthContext;
import org.alfresco.jlan.server.core.SharedDevice;
import org.alfresco.jlan.smb.server.SMBSrvSession;
import org.alfresco.jlan.util.HexDump;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.repo.security.authentication.ntlm.NTLMPassthruToken;
/**
* Alfresco Authenticator Class
*
* <p>The Alfresco authenticator implementation enables user level security mode using the Alfresco authentication
* component.
*
* <p>Note: Switching off encrypted password support will cause later NT4 service pack releases and
* Win2000 to refuse to connect to the server without a registry update on the client.
*
* @author gkspencer
*/
public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase
{
/**
* Default Constructor
*
* <p>Default to user mode security with encrypted password support.
*/
public AlfrescoCifsAuthenticator()
{
}
/**
* Validate that the authentication component supports the required mode
*
* @return boolean
*/
protected boolean validateAuthenticationMode()
{
// Make sure the authentication component supports MD4 hashed passwords or passthru mode
if ( getAuthenticationComponent().getNTLMMode() != NTLMMode.MD4_PROVIDER &&
getAuthenticationComponent().getNTLMMode() != NTLMMode.PASS_THROUGH)
return false;
return true;
}
/**
* Authenticate a user
*
* @param client Client information
* @param sess Server session
* @param alg Encryption algorithm
*/
public int authenticateUser(ClientInfo client, SrvSession sess, int alg)
{
// Check that the client is an Alfresco client
if ( client instanceof AlfrescoClientInfo == false)
return CifsAuthenticator.AUTH_DISALLOW;
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
// Check if this is an SMB/CIFS null session logon.
//
// The null session will only be allowed to connect to the IPC$ named pipe share.
if (client.isNullSession() && sess instanceof SMBSrvSession)
{
// Debug
if ( logger.isDebugEnabled())
logger.debug("Null CIFS logon allowed");
return CifsAuthenticator.AUTH_ALLOW;
}
// Check if the client is already authenticated, and it is not a null logon
if ( alfClient.getAuthenticationToken() != null && client.getLogonType() != ClientInfo.LogonNull)
{
// Use the existing authentication token
getAuthenticationComponent().setCurrentUser(client.getUserName());
// Debug
if ( logger.isDebugEnabled())
logger.debug("Re-using existing authentication token");
// Return the authentication status
return client.getLogonType() != ClientInfo.LogonGuest ? AUTH_ALLOW : AUTH_GUEST;
}
// Check if this is a guest logon
int authSts = AUTH_DISALLOW;
UserTransaction tx = null;
try
{
if ( client.isGuest() || client.getUserName().equalsIgnoreCase(getGuestUserName()))
{
// Check if guest logons are allowed
if ( allowGuest() == false)
return AUTH_DISALLOW;
// Get a guest authentication token
doGuestLogon( client, sess);
// Indicate logged on as guest
authSts = AUTH_GUEST;
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Authenticated user " + client.getUserName() + " sts=" + getStatusAsString(authSts));
// Return the guest status
return authSts;
}
// Check if MD4 or passthru mode is configured
else if ( getAuthenticationComponent().getNTLMMode() == NTLMMode.MD4_PROVIDER)
{
// Start a transaction
tx = getTransactionService().getUserTransaction( true);
tx.begin();
// Perform local MD4 password check
authSts = doMD4UserAuthentication(client, sess, alg);
}
else
{
// Start a transaction
tx = getTransactionService().getUserTransaction( true);
tx.begin();
// Perform passthru authentication password check
authSts = doPassthruUserAuthentication(client, sess, alg);
}
// Check if the logon status indicates a guest logon
if ( authSts == AUTH_GUEST)
{
// Only allow the guest logon if user mapping is enabled
if ( mapUnknownUserToGuest())
{
// Logon as guest, setup the security context
doGuestLogon( client, sess);
}
else
{
// Do not allow the guest logon
authSts = AUTH_DISALLOW;
}
}
}
catch ( Exception ex)
{
if ( logger.isDebugEnabled())
logger.debug( ex);
}
finally
{
// Commit the transaction
if ( tx != null)
{
try
{
// Commit or rollback the transaction
if ( tx.getStatus() == Status.STATUS_MARKED_ROLLBACK)
{
// Transaction is marked for rollback
tx.rollback();
}
else
{
// Commit the transaction
tx.commit();
}
}
catch ( Exception ex)
{
}
}
}
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Authenticated user " + client.getUserName() + " sts=" + getStatusAsString(authSts) +
" via " + (getAuthenticationComponent().getNTLMMode() == NTLMMode.MD4_PROVIDER ? "MD4" : "Passthru"));
// Return the authentication status
return authSts;
}
/**
* Authenticate a connection to a share.
*
* @param client User/client details from the tree connect request.
* @param share Shared device the client wants to connect to.
* @param pwd Share password.
* @param sess Server session.
* @return int Granted file permission level or disallow status if negative. See the
* FilePermission class.
*/
public int authenticateShareConnect(ClientInfo client, SharedDevice share, String sharePwd, SrvSession sess)
{
// Allow write access
//
// Main authentication is handled by authenticateUser()
return CifsAuthenticator.Writeable;
}
/**
* Return an authentication context for the new session
*
* @return AuthContext
*/
public AuthContext getAuthContext( SMBSrvSession sess)
{
// Check if the client is already authenticated, and it is not a null logon
AuthContext authCtx = null;
if ( sess.hasAuthenticationContext() && sess.getClientInformation().getLogonType() != ClientInfo.LogonNull)
{
// Return the previous challenge, user is already authenticated
authCtx = sess.getAuthenticationContext();
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Re-using existing challenge, already authenticated");
}
else if ( getAuthenticationComponent().getNTLMMode() == NTLMMode.MD4_PROVIDER)
{
// Create a new authentication context for the session
authCtx = new NTLanManAuthContext();
sess.setAuthenticationContext( authCtx);
}
else
{
// Create an authentication token for the session
NTLMPassthruToken authToken = new NTLMPassthruToken( mapClientAddressToDomain( sess.getRemoteAddress()));
// Run the first stage of the passthru authentication to get the challenge
getAuthenticationComponent().authenticate( authToken);
// Save the authentication token for the second stage of the authentication
sess.setAuthenticationContext( new AuthTokenAuthContext( authToken));
// Get the challenge from the token
if ( authToken.getChallenge() != null)
{
authCtx = new NTLanManAuthContext( authToken.getChallenge().getBytes());
sess.setAuthenticationContext( authCtx);
}
}
// Return the authentication context
return authCtx;
}
/**
* Perform MD4 user authentication
*
* @param client Client information
* @param sess Server session
* @param alg Encryption algorithm
* @return int
*/
private final int doMD4UserAuthentication(ClientInfo client, SrvSession sess, int alg)
{
// Get the stored MD4 hashed password for the user, or null if the user does not exist
String md4hash = getAuthenticationComponent().getMD4HashedPassword(client.getUserName());
if ( md4hash != null)
{
// Check if the client has supplied an NTLM hashed password, if not then do not allow access
if ( client.getPassword() == null)
return CifsAuthenticator.AUTH_BADPASSWORD;
try
{
// Generate the local encrypted password using the challenge that was sent to the client
byte[] p21 = new byte[21];
byte[] md4byts = null;
md4byts = m_md4Encoder.decodeHash(md4hash);
System.arraycopy(md4byts, 0, p21, 0, 16);
// Get the challenge that was sent to the client
NTLanManAuthContext authCtx = null;
if ( sess.hasAuthenticationContext() && sess.getAuthenticationContext() instanceof NTLanManAuthContext)
authCtx = (NTLanManAuthContext) sess.getAuthenticationContext();
else
return CifsAuthenticator.AUTH_DISALLOW;
// Generate the local hash of the password using the same challenge
byte[] localHash = getEncryptor().doNTLM1Encryption(p21, authCtx.getChallenge());
// Validate the password
byte[] clientHash = client.getPassword();
if ( clientHash == null || clientHash.length != 24)
{
// Use the secondary password hash from the client
clientHash = client.getANSIPassword();
// DEBUG
if ( logger.isDebugEnabled())
{
logger.debug( "Using secondary password hash - " + HexDump.hexString(clientHash));
logger.debug( " Local hash - " + HexDump.hexString( localHash));
}
}
if ( clientHash == null || clientHash.length != localHash.length)
return CifsAuthenticator.AUTH_BADPASSWORD;
for ( int i = 0; i < clientHash.length; i++)
{
if ( clientHash[i] != localHash[i])
return CifsAuthenticator.AUTH_BADPASSWORD;
}
// Logging
if ( logger.isInfoEnabled())
logger.info( "Logged on user " + client.getUserName() + " (" + sess.getRemoteAddress() + ") using auto-logon shared password");
// Set the current user to be authenticated, save the authentication token
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser(client.getUserName()));
// Get the users home folder node, if available
getHomeFolderForUser( client);
// Passwords match, grant access
return CifsAuthenticator.AUTH_ALLOW;
}
catch (NoSuchAlgorithmException ex)
{
}
// Error during password check, do not allow access
return CifsAuthenticator.AUTH_DISALLOW;
}
// Check if this is an SMB/CIFS null session logon.
//
// The null session will only be allowed to connect to the IPC$ named pipe share.
if (client.isNullSession() && sess instanceof SMBSrvSession)
return CifsAuthenticator.AUTH_ALLOW;
// User does not exist, check if guest access is allowed
return allowGuest() ? CifsAuthenticator.AUTH_GUEST : CifsAuthenticator.AUTH_DISALLOW;
}
/**
* Perform passthru user authentication
*
* @param client Client information
* @param sess Server session
* @param alg Encryption algorithm
* @return int
*/
private final int doPassthruUserAuthentication(ClientInfo client, SrvSession sess, int alg)
{
// Default logon status to disallow
int authSts = CifsAuthenticator.AUTH_DISALLOW;
// Get the authentication token for the session
AuthContext authCtx = sess.getAuthenticationContext();
if ( authCtx == null || authCtx instanceof AuthTokenAuthContext == false)
return CifsAuthenticator.AUTH_DISALLOW;
AuthTokenAuthContext tokenCtx = (AuthTokenAuthContext) authCtx;
NTLMPassthruToken authToken = tokenCtx.getToken();
if ( authToken == null)
return CifsAuthenticator.AUTH_DISALLOW;
// Get the appropriate hashed password for the algorithm
byte[] hashedPassword = null;
if ( alg == NTLM1)
hashedPassword = client.getPassword();
else if ( alg == LANMAN)
hashedPassword = client.getANSIPassword();
else
{
// Invalid/unsupported algorithm specified
return CifsAuthenticator.AUTH_DISALLOW;
}
// Set the username and hashed password in the authentication token
authToken.setUserAndPassword( client.getUserName(), hashedPassword, alg);
// Authenticate the user
Authentication genAuthToken = null;
try
{
// Run the second stage of the passthru authentication
genAuthToken = getAuthenticationComponent().authenticate( authToken);
// Check if the user has been logged on as a guest
if (authToken.isGuestLogon())
{
// Check if the local server allows guest access
if (allowGuest() == true)
{
// Allow the user access as a guest
authSts = CifsAuthenticator.AUTH_GUEST;
}
}
else
{
// Allow the user full access to the server
authSts = CifsAuthenticator.AUTH_ALLOW;
}
// Set the current user to be authenticated, save the authentication token
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
alfClient.setAuthenticationToken( genAuthToken);
// Get the users home folder node, if available
getHomeFolderForUser( client);
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Auth token " + genAuthToken);
}
catch ( Exception ex)
{
logger.error("Error during passthru authentication", ex);
}
// Clear the authentication context
sess.setAuthenticationContext(null);
// Return the authentication status
return authSts;
}
}

60
source/java/org/alfresco/filesys/auth/cifs/AuthTokenAuthContext.java Normal file
View File

@@ -0,0 +1,60 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.filesys.auth.cifs;
import org.alfresco.jlan.server.auth.AuthContext;
import org.alfresco.repo.security.authentication.ntlm.NTLMPassthruToken;
/**
* Authenitcation Token Authentication Context Class
*
* @author gkspencer
*/
public class AuthTokenAuthContext extends AuthContext {
// Passthru authentication token
private NTLMPassthruToken m_token;
/**
* Class constructor
*
* @param token NTLMPassthruToken
*/
public AuthTokenAuthContext( NTLMPassthruToken token)
{
m_token = token;
}
/**
* Return the passthru authentication token
*
* @return NTLMPassthruToken
*/
public final NTLMPassthruToken getToken()
{
return m_token;
}
}

339
source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java Normal file
View File

@@ -0,0 +1,339 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.filesys.auth.cifs;
import javax.transaction.UserTransaction;
import net.sf.acegisecurity.Authentication;
import org.alfresco.config.ConfigElement;
import org.alfresco.filesys.AlfrescoConfigSection;
import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
import org.alfresco.filesys.repo.ContentContext;
import org.alfresco.jlan.server.SrvSession;
import org.alfresco.jlan.server.auth.CifsAuthenticator;
import org.alfresco.jlan.server.auth.ClientInfo;
import org.alfresco.jlan.server.config.InvalidConfigurationException;
import org.alfresco.jlan.server.config.ServerConfiguration;
import org.alfresco.jlan.server.core.SharedDevice;
import org.alfresco.jlan.server.filesys.DiskDeviceContext;
import org.alfresco.jlan.server.filesys.DiskInterface;
import org.alfresco.jlan.server.filesys.DiskSharedDevice;
import org.alfresco.jlan.server.filesys.SrvDiskInfo;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.MD4PasswordEncoder;
import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* CIFS Authenticator Base Class
*
* <p>
* Base class for Alfresco CIFS authenticator implementations.
*
* @author gkspencer
*/
public abstract class CifsAuthenticatorBase extends CifsAuthenticator
{
// Logging
protected static final Log logger = LogFactory.getLog("org.alfresco.smb.protocol.auth");
// MD4 hash decoder
protected MD4PasswordEncoder m_md4Encoder = new MD4PasswordEncoderImpl();
// Alfresco configuration
protected AlfrescoConfigSection m_alfrescoConfig;
/**
* Initialize the authenticator
*
* @param config ServerConfiguration
* @param params ConfigElement
* @exception InvalidConfigurationException
*/
public void initialize(ServerConfiguration config, ConfigElement params) throws InvalidConfigurationException
{
super.initialize(config, params);
// Get the alfresco configuration section, required to get hold of various services/components
m_alfrescoConfig = (AlfrescoConfigSection) config.getConfigSection( AlfrescoConfigSection.SectionName);
// Check that the required authentication classes are available
if ( m_alfrescoConfig == null || getAuthenticationComponent() == null)
throw new InvalidConfigurationException("Authentication component not available");
// Set the guest user name
setGuestUserName( getAuthenticationComponent().getGuestUserName());
// Check that the authentication component is the required type for this authenticator
if ( validateAuthenticationMode() == false)
throw new InvalidConfigurationException("Required authentication mode not available");
}
/**
* Validate that the authentication component supports the required mode
*
* @return boolean
*/
protected boolean validateAuthenticationMode()
{
return true;
}
/**
* Logon using the guest user account
*
* @param client ClientInfo
* @param sess SrvSession
*/
protected void doGuestLogon( ClientInfo client, SrvSession sess)
{
// Check that the client is an Alfresco client
if ( client instanceof AlfrescoClientInfo == false)
return;
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
// Get a guest authentication token
getAuthenticationService().authenticateAsGuest();
Authentication authToken = getAuthenticationComponent().getCurrentAuthentication();
alfClient.setAuthenticationToken( authToken);
// Set the home folder for the guest user
client.setUserName( getGuestUserName());
getHomeFolderForUser( client);
// Mark the client as being a guest logon
client.setGuest( true);
// Create a dynamic share for the guest user, create the disk driver and context
DiskInterface diskDrv = m_alfrescoConfig.getRepoDiskInterface();
DiskDeviceContext diskCtx = new ContentContext(client.getUserName(), "", "", alfClient.getHomeFolder());
// Default the filesystem to look like an 80Gb sized disk with 90% free space
diskCtx.setDiskInformation(new SrvDiskInfo(2560, 64, 512, 2304));
// Create a temporary shared device for the users home directory
sess.addDynamicShare( new DiskSharedDevice( client.getUserName(), diskDrv, diskCtx, SharedDevice.Temporary));
}
/**
* Get the home folder for the user
*
* @param client ClientInfo
*/
protected final void getHomeFolderForUser(ClientInfo client)
{
// Check if the client is an Alfresco client
if ( client instanceof AlfrescoClientInfo == false)
return;
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
// Get the home folder for the user
UserTransaction tx = getTransactionService().getUserTransaction();
NodeRef homeSpaceRef = null;
try
{
tx.begin();
homeSpaceRef = (NodeRef) getNodeService().getProperty(getPersonService().getPerson(client.getUserName()), ContentModel.PROP_HOMEFOLDER);
alfClient.setHomeFolder( homeSpaceRef);
tx.commit();
}
catch (Throwable ex)
{
try
{
tx.rollback();
}
catch (Throwable ex2)
{
logger.error("Failed to rollback transaction", ex2);
}
// Re-throw the exception
if (ex instanceof RuntimeException)
{
throw (RuntimeException) ex;
}
else
{
throw new RuntimeException("Error during execution of transaction.", ex);
}
}
}
/**
* Map the case insensitive logon name to the internal person object user name
*
* @param userName String
* @return String
*/
protected final String mapUserNameToPerson(String userName)
{
// Get the home folder for the user
UserTransaction tx = m_alfrescoConfig.getTransactionService().getUserTransaction();
String personName = null;
try
{
tx.begin();
personName = m_alfrescoConfig.getPersonService().getUserIdentifier( userName);
tx.commit();
}
catch (Throwable ex)
{
try
{
tx.rollback();
}
catch (Throwable ex2)
{
logger.error("Failed to rollback transaction", ex2);
}
// Re-throw the exception
if (ex instanceof RuntimeException)
{
throw (RuntimeException) ex;
}
else
{
throw new RuntimeException("Error during execution of transaction.", ex);
}
}
// Return the person name
return personName;
}
/**
* Set the current authenticated user context for this thread
*
* @param client ClientInfo
*/
public void setCurrentUser(ClientInfo client) {
// Check the account type and setup the authentication context
if (client.isNullSession())
{
// Clear the authentication, null user should not be allowed to do any service calls
getAuthenticationComponent().clearCurrentSecurityContext();
}
else if (client.isGuest() == false && client instanceof AlfrescoClientInfo)
{
// Set the authentication context for the request
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
getAuthenticationComponent().setCurrentAuthentication(alfClient.getAuthenticationToken());
}
else
{
// Enable guest access for the request
getAuthenticationComponent().setGuestUserAsCurrentUser();
}
}
/**
* Return the authentication component
*
* @return AuthenticationComponent
*/
protected final AuthenticationComponent getAuthenticationComponent()
{
return m_alfrescoConfig.getAuthenticationComponent();
}
/**
* Return the authentication service
*
* @return AuthenticationService
*/
protected final AuthenticationService getAuthenticationService()
{
return m_alfrescoConfig.getAuthenticationService();
}
/**
* Return the node service
*
* @return NodeService
*/
protected final NodeService getNodeService()
{
return m_alfrescoConfig.getNodeService();
}
/**
* Return the person service
*
* @return PersonService
*/
protected final PersonService getPersonService()
{
return m_alfrescoConfig.getPersonService();
}
/**
* Return the transaction service
*
* @return TransactionService
*/
protected final TransactionService getTransactionService()
{
return m_alfrescoConfig.getTransactionService();
}
}

2196
source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java Normal file
View File

File diff suppressed because it is too large Load Diff

1398
source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java Normal file
View File

File diff suppressed because it is too large Load Diff

296
source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java Normal file
View File

@@ -0,0 +1,296 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.filesys.auth.ftp;
import javax.transaction.Status;
import javax.transaction.UserTransaction;
import net.sf.acegisecurity.Authentication;
import org.alfresco.config.ConfigElement;
import org.alfresco.filesys.AlfrescoConfigSection;
import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
import org.alfresco.jlan.ftp.FTPAuthenticator;
import org.alfresco.jlan.ftp.FTPSrvSession;
import org.alfresco.jlan.server.SrvSession;
import org.alfresco.jlan.server.auth.ClientInfo;
import org.alfresco.jlan.server.auth.PasswordEncryptor;
import org.alfresco.jlan.server.config.InvalidConfigurationException;
import org.alfresco.jlan.server.config.ServerConfiguration;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.MD4PasswordEncoder;
import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.transaction.TransactionService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* Alfresco FTP Authenticator Class
*
* @author gkspencer
*/
public class AlfrescoFtpAuthenticator implements FTPAuthenticator {
// Logging
protected static final Log logger = LogFactory.getLog("org.alfresco.ftp.protocol.auth");
// MD4 hash decoder
protected MD4PasswordEncoder m_md4Encoder = new MD4PasswordEncoderImpl();
// Password encryptor, for MD4 hashing
protected PasswordEncryptor m_encryptor = new PasswordEncryptor();
// Alfresco configuration section
private AlfrescoConfigSection m_alfrescoConfig;
/**
* Initialize the authenticator
*
* @param config ServerConfiguration
* @param params ConfigElement
* @exception InvalidConfigurationException
*/
public void initialize(ServerConfiguration config, ConfigElement params)
throws InvalidConfigurationException
{
// Get the alfresco configuration section, required to get hold of various services/components
m_alfrescoConfig = (AlfrescoConfigSection) config.getConfigSection( AlfrescoConfigSection.SectionName);
// Check that the required authentication classes are available
if ( m_alfrescoConfig == null || getAuthenticationComponent() == null)
throw new InvalidConfigurationException("Authentication component not available");
}
/**
* Authenticate the user
*
* @param client ClientInfo
* @param sess FTPSrvSession
* @return boolean
*/
public boolean authenticateUser( ClientInfo client, FTPSrvSession sess)
{
// Check that the client is an Alfresco client
if ( client instanceof AlfrescoClientInfo == false)
return false;
// Check if this is a guest logon
boolean authSts = false;
UserTransaction tx = null;
try
{
if ( client.isGuest())
{
// Get a guest authentication token
doGuestLogon((AlfrescoClientInfo) client, sess);
// Indicate logged on as guest
authSts = true;
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Authenticated user " + client.getUserName() + " sts=" + authSts);
// Return the guest status
return authSts;
}
// Start a transaction
tx = getTransactionService().getUserTransaction( true);
tx.begin();
// Perform local MD4 password check
authSts = doMD4UserAuthentication(client, sess);
}
catch ( Exception ex)
{
if ( logger.isDebugEnabled())
logger.debug( ex);
}
finally
{
// Commit the transaction
if ( tx != null)
{
try
{
// Commit or rollback the transaction
if ( tx.getStatus() == Status.STATUS_MARKED_ROLLBACK)
{
// Transaction is marked for rollback
tx.rollback();
}
else
{
// Commit the transaction
tx.commit();
}
}
catch ( Exception ex)
{
}
}
}
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Authenticated user " + client.getUserName() + " sts=" + authSts +
" via " + (getAuthenticationComponent().getNTLMMode() == NTLMMode.MD4_PROVIDER ? "MD4" : "Passthru"));
// Return the authentication status
return authSts;
}
/**
* Logon using the guest user account
*
* @param client AlfrescoClientInfo
* @param sess SrvSession
*/
protected void doGuestLogon( AlfrescoClientInfo client, SrvSession sess)
{
// Get a guest authentication token
getAuthenticationService().authenticateAsGuest();
Authentication authToken = getAuthenticationComponent().getCurrentAuthentication();
client.setAuthenticationToken( authToken);
// Mark the client as being a guest logon
client.setGuest( true);
}
/**
* Perform MD4 user authentication
*
* @param client Client information
* @param sess Server session
* @return boolean
*/
private final boolean doMD4UserAuthentication(ClientInfo client, SrvSession sess)
{
// Get the stored MD4 hashed password for the user, or null if the user does not exist
String md4hash = getAuthenticationComponent().getMD4HashedPassword(client.getUserName());
if ( md4hash != null)
{
// Check if the client has supplied an NTLM hashed password, if not then do not allow access
if ( client.getPassword() == null)
return false;
// Encode the user supplied password
String userMd4 = m_md4Encoder.encodePassword( client.getPasswordAsString(), null);
// Compare the hashed passwords
if ( md4hash.equals( userMd4) == false)
{
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Password mismatch for user " + client.getUserName());
// Access not allowed
return false;
}
// Logging
if ( logger.isInfoEnabled())
logger.info( "Logged on user " + client.getUserName() + " ( address " + sess.getRemoteAddress() + ")");
// Set the current user to be authenticated, save the authentication token
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser(client.getUserName()));
// Passwords match, grant access
return true;
}
// User does not exist
return false;
}
/**
* Return the authentication componenet
*
* @return AuthenticationComponent
*/
protected final AuthenticationComponent getAuthenticationComponent()
{
return m_alfrescoConfig.getAuthenticationComponent();
}
/**
* Return the authentication service
*
* @return AuthenticationService
*/
protected final AuthenticationService getAuthenticationService()
{
return m_alfrescoConfig.getAuthenticationService();
}
/**
* Return the transaction service
*
* @return TransactionService
*/
protected final TransactionService getTransactionService()
{
return m_alfrescoConfig.getTransactionService();
}
}

462
source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java Normal file
View File

@@ -0,0 +1,462 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.filesys.auth.nfs;
import java.util.HashMap;
import java.util.List;
import javax.transaction.Status;
import javax.transaction.UserTransaction;
import org.alfresco.config.ConfigElement;
import org.alfresco.filesys.AlfrescoConfigSection;
import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
import org.alfresco.jlan.oncrpc.AuthType;
import org.alfresco.jlan.oncrpc.Rpc;
import org.alfresco.jlan.oncrpc.RpcAuthenticationException;
import org.alfresco.jlan.oncrpc.RpcAuthenticator;
import org.alfresco.jlan.oncrpc.RpcPacket;
import org.alfresco.jlan.oncrpc.nfs.NFS;
import org.alfresco.jlan.server.SrvSession;
import org.alfresco.jlan.server.auth.ClientInfo;
import org.alfresco.jlan.server.config.InvalidConfigurationException;
import org.alfresco.jlan.server.config.ServerConfiguration;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* Alfresco RPC Authenticator Class
*
* <p>Provides authentication support for the NFS server.
*
* @author gkspencer
*/
public class AlfrescoRpcAuthenticator implements RpcAuthenticator {
// Debug logging
private static final Log logger = LogFactory.getLog("org.alfresco.nfs.protocol.auth");
// Authentication types aupported by this implementation
private int[] _authTypes = { AuthType.Unix };
// UID/GID to username conversions
private HashMap<Integer, String> m_idMap;
// Alfresco configuration
protected AlfrescoConfigSection m_alfrescoConfig;
/**
* Authenticate an RPC client and create a unique session id key.
*
* @param authType int
* @param rpc RpcPacket
* @return Object
* @throws RpcAuthenticationException
*/
public Object authenticateRpcClient(int authType, RpcPacket rpc)
throws RpcAuthenticationException {
// Create a unique session key depending on the authentication type
Object sessKey = null;
if (authType == AuthType.Unix) {
// Get the gid and uid from the credentials data in the request
rpc.positionAtCredentialsData();
rpc.skipBytes(4);
int nameLen = rpc.unpackInt();
rpc.skipBytes(nameLen);
int gid = rpc.unpackInt();
int uid = rpc.unpackInt();
// DEBUG
if ( logger.isDebugEnabled())
logger.debug( "RpcAuth: Type=Unix uid=" + uid + ", gid=" + gid);
// Check that there is a user name mapping for the uid/gid
Integer idKey = new Integer((gid << 16) + uid);
String userName = m_idMap.get( idKey);
if ( userName == null)
throw new RpcAuthenticationException( NFS.StsAccess);
// Check if the Unix authentication session table is valid
sessKey = new Long((((long) rpc.getClientAddress().hashCode()) << 32) + (gid << 16) + uid);
}
else if ( authType == AuthType.Null)
{
// Set the session key for the null authentication
sessKey = new Integer(rpc.getClientAddress().hashCode());
// DEBUG
if ( logger.isDebugEnabled())
logger.debug( "RpcAuth: Type=Null client=" + rpc.getClientAddress());
}
// Check if the session key is valid, if not then the authentication
// type is unsupported
if (sessKey == null)
throw new RpcAuthenticationException(Rpc.AuthBadCred, "Unsupported auth type, " + authType);
// DEBUG
if (logger.isDebugEnabled())
logger.debug("RpcAuth: RPC from " + rpc.getClientDetails()
+ ", authType=" + AuthType.getTypeAsString(authType)
+ ", sessKey=" + sessKey);
// Return the session key
return sessKey;
}
/**
* Return the authentication types that are supported by this
* implementation.
*
* @return int[]
*/
public int[] getRpcAuthenticationTypes() {
return _authTypes;
}
/**
* Return the client information for the specified RPC request
*
* @param sessKey Object
* @param rpc RpcPacket
* @return ClientInfo
*/
public ClientInfo getRpcClientInformation(Object sessKey, RpcPacket rpc)
{
// Create a client information object to hold the client details
ClientInfo cInfo = null;
// Get the authentication type
int authType = rpc.getCredentialsType();
// Unpack the client details from the RPC request
if ( authType == AuthType.Unix) {
// Unpack the credentials data
rpc.positionAtCredentialsData();
rpc.skipBytes(4); // stamp id
String clientAddr = rpc.unpackString();
int uid = rpc.unpackInt();
int gid = rpc.unpackInt();
// Check for an additional groups list
int grpLen = rpc.unpackInt();
int[] groups = null;
if (grpLen > 0) {
groups = new int[grpLen];
rpc.unpackIntArray(groups);
}
// Get the user name mapping for the uid/gid and authenticate
Integer idKey = new Integer((gid << 16) + uid);
String userName = m_idMap.get( idKey);
// DEBUG
if ( logger.isDebugEnabled())
logger.debug( "RpcClientInfo: username=" + userName + ", uid=" + uid + ", gid=" + gid);
// Create the client information if there is a valid mapping
if ( userName != null)
{
// Create the client information and fill in relevant fields
cInfo = ClientInfo.getFactory().createInfo( userName, null);
cInfo.setNFSAuthenticationType( authType);
cInfo.setClientAddress( clientAddr);
cInfo.setUid( uid);
cInfo.setGid( gid);
cInfo.setGroupsList(groups);
}
// DEBUG
if (logger.isDebugEnabled())
logger.debug("RpcAuth: Client info, type=" + AuthType.getTypeAsString(authType) + ", name="
+ clientAddr + ", uid=" + uid + ", gid=" + gid + ", groups=" + grpLen);
}
else if ( authType == AuthType.Null)
{
// Create the client information
cInfo = ClientInfo.getFactory().createInfo( "", null);
cInfo.setClientAddress(rpc.getClientAddress().getHostAddress());
// DEBUG
if (logger.isDebugEnabled())
logger.debug("RpcAuth: Client info, type=" + AuthType.getTypeAsString(authType) + ", addr="
+ rpc.getClientAddress().getHostAddress());
}
// Return the client information
return cInfo;
}
/**
* Set the current authenticated user context for this thread
*
* @param sess SrvSession
* @param client ClientInfo
*/
public void setCurrentUser( SrvSession sess, ClientInfo client)
{
// Start a transaction
UserTransaction tx = m_alfrescoConfig.getTransactionService().getUserTransaction( true);
try
{
// start the transaction
tx.begin();
// Check the account type and setup the authentication context
if ( client == null || client.isNullSession() || client instanceof AlfrescoClientInfo == false)
{
// Clear the authentication, null user should not be allowed to do any service calls
m_alfrescoConfig.getAuthenticationComponent().clearCurrentSecurityContext();
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Clear security context, client=" + client);
}
else if ( client.isGuest() == false)
{
// Access the Alfresco client
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
// Check if the authentication token has been set for the client
if ( alfClient.hasAuthenticationToken() == false)
{
// Set the current user and retrieve the authentication token
m_alfrescoConfig.getAuthenticationComponent().setCurrentUser( client.getUserName());
alfClient.setAuthenticationToken( m_alfrescoConfig.getAuthenticationComponent().getCurrentAuthentication());
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Set user name=" + client.getUserName() + ", token=" + alfClient.getAuthenticationToken());
}
else
{
// Set the authentication context for the request
m_alfrescoConfig.getAuthenticationComponent().setCurrentAuthentication( alfClient.getAuthenticationToken());
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Set user using auth token, token=" + alfClient.getAuthenticationToken());
}
}
else
{
// Enable guest access for the request
m_alfrescoConfig.getAuthenticationComponent().setGuestUserAsCurrentUser();
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Set guest user");
}
}
catch ( Exception ex)
{
if ( logger.isDebugEnabled())
logger.debug( ex);
}
finally
{
// Commit the transaction
if ( tx != null)
{
try
{
// Commit or rollback the transaction
if ( tx.getStatus() == Status.STATUS_MARKED_ROLLBACK)
{
// Transaction is marked for rollback
tx.rollback();
}
else
{
// Commit the transaction
tx.commit();
}
}
catch ( Exception ex)
{
}
}
}
}
/**
* Initialize the RPC authenticator
*
* @param config ServerConfiguration
* @param params NameValueList
* @throws InvalidConfigurationException
*/
public void initialize(ServerConfiguration config, ConfigElement params)
throws InvalidConfigurationException {
// Get the Alfresco configuration section, for access to services
m_alfrescoConfig = (AlfrescoConfigSection) config.getConfigSection( AlfrescoConfigSection.SectionName);
// Check for the user mappings
ConfigElement userMappings = params.getChild("userMappings");
if ( userMappings != null)
{
// Allocate the id mappings table
m_idMap = new HashMap<Integer, String>();
// Get the user map elements
List<ConfigElement> userMaps = userMappings.getChildren();
// Process the user list
for ( ConfigElement userElem : userMaps)
{
// Validate the element type
if ( userElem.getName().equalsIgnoreCase( "user"))
{
// Get the user name, user id and group id
String userName = userElem.getAttribute("name");
String uidStr = userElem.getAttribute("uid");
String gidStr = userElem.getAttribute("gid");
if ( userName == null || userName.length() == 0)
throw new InvalidConfigurationException("Empty user name, or name not specified");
if ( uidStr == null || uidStr.length() == 0)
throw new InvalidConfigurationException("Invalid uid, or uid not specified, for user " + userName);
if ( gidStr == null || gidStr.length() == 0)
throw new InvalidConfigurationException("Invalid gid, or gid not specified, for user " + userName);
// Parse the uid/gid
int uid = -1;
int gid = -1;
try
{
uid = Integer.parseInt( uidStr);
}
catch ( NumberFormatException ex)
{
throw new InvalidConfigurationException("Invalid uid value, " + uidStr + " for user " + userName);
}
try
{
gid = Integer.parseInt( gidStr);
}
catch ( NumberFormatException ex)
{
throw new InvalidConfigurationException("Invalid gid value, " + gidStr + " for user " + userName);
}
// Check if the mapping already exists
Integer idKey = new Integer(( gid << 16) + uid);
if ( m_idMap.containsKey( idKey) == false)
{
// Add the username uid/gid mapping
m_idMap.put( idKey, userName);
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Added RPC user mapping for user " + userName + " uid=" + uid + ", gid=" + gid);
}
else if ( logger.isDebugEnabled())
{
// DEBUG
logger.debug("Ignored duplicate mapping for uid=" + uid + ", gid=" + gid);
}
}
else
throw new InvalidConfigurationException( "Invalid user mapping, " + userElem.getName());
}
}
// Make sure there are some user mappings
if ( m_idMap == null || m_idMap.size() == 0)
throw new InvalidConfigurationException("No user mappings for RPC authenticator");
}
}