- add TenantService hooks to org.alfresco.repo.security services

- Authentication, Person, Permission, Authority - add user/tenant-based logging via log4j NDC (nested diagnostic context) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@6399 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-07-24 17:32:48 +00:00 · 2007-08-02 10:56:30 +00:00
parent 56a0b7e164
commit 65f660c26c
11 changed files with 141 additions and 22 deletions
--- a/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java
+++ b/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java
@@ -107,6 +107,11 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
        {
            throw new AuthenticationException(ae.getMessage(), ae);
        }
+        finally
+        {       
+            // Support for logging tenantdomain / username (via log4j NDC)        
+            AuthenticationUtil.logNDC(userName);
+        }
    }

    /**
--- a/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
@@ -109,6 +109,8 @@ public class AuthenticationServiceImpl implements AuthenticationService
    {
        try
        {
+           // clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'validate' below
+           clearCurrentSecurityContext();
           authenticationComponent.authenticate(userName, password);
        }
        catch(AuthenticationException ae)
@@ -142,6 +144,8 @@ public class AuthenticationServiceImpl implements AuthenticationService
    {
        try
        {
+           // clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'authenticate' above
+           clearCurrentSecurityContext();
           authenticationComponent.setCurrentUser(ticketComponent.validateTicket(ticket));
        }
           catch(AuthenticationException ae)
--- a/source/java/org/alfresco/repo/security/authentication/AuthenticationUtil.java
+++ b/source/java/org/alfresco/repo/security/authentication/AuthenticationUtil.java
@@ -35,7 +35,9 @@ import net.sf.acegisecurity.context.security.SecureContextImpl;
 import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import net.sf.acegisecurity.providers.dao.User;

+import org.alfresco.repo.tenant.TenantService;
 import org.alfresco.service.cmr.security.PermissionService;
+import org.apache.log4j.NDC;

 public abstract class AuthenticationUtil
 {
@@ -151,8 +153,33 @@ public abstract class AuthenticationUtil
        }
        authentication.setAuthenticated(true);
        sc.setAuthentication(authentication);
+
+        // Support for logging tenant domain / username (via log4j NDC)
+        String userName = SYSTEM_USER_NAME;
+        if (authentication.getPrincipal() instanceof UserDetails)
+        {
+            userName = ((UserDetails) authentication.getPrincipal()).getUsername();            
+        }
+        
+        logNDC(userName);
+        
        return authentication;
    }
+    
+    public static void logNDC(String userName)
+    {
+        NDC.remove();
+
+        int idx = userName.indexOf(TenantService.SEPARATOR);
+        if ((idx != -1) && (idx < (userName.length()-1)))
+        {            
+            NDC.push("Tenant:"+userName.substring(idx+1)+" User:"+userName.substring(0,idx));
+        }
+        else
+        {
+            NDC.push("User:"+userName);
+        }
+    }

    /**
     * Get the current authentication context
--- a/source/java/org/alfresco/repo/security/authentication/RepositoryAuthenticationDao.java
+++ b/source/java/org/alfresco/repo/security/authentication/RepositoryAuthenticationDao.java
@@ -39,7 +39,7 @@ import net.sf.acegisecurity.providers.encoding.PasswordEncoder;

 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.model.ContentModel;
-import org.alfresco.repo.search.impl.lucene.LuceneQueryParser;
+import org.alfresco.repo.tenant.TenantService;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
 import org.alfresco.service.cmr.repository.ChildAssociationRef;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -60,6 +60,7 @@ public class RepositoryAuthenticationDao implements MutableAuthenticationDao
    private static final StoreRef STOREREF_USERS = new StoreRef("user", "alfrescoUserStore");

    private NodeService nodeService;
+    private TenantService tenantService;

    private NamespacePrefixResolver namespacePrefixResolver;

@@ -97,6 +98,11 @@ public class RepositoryAuthenticationDao implements MutableAuthenticationDao
        this.nodeService = nodeService;
    }

+    public void setTenantService(TenantService tenantService)
+    {
+        this.tenantService = tenantService;
+    }
+
    public void setPasswordEncoder(PasswordEncoder passwordEncoder)
    {
        this.passwordEncoder = passwordEncoder;
@@ -146,7 +152,16 @@ public class RepositoryAuthenticationDao implements MutableAuthenticationDao
        SearchParameters sp = new SearchParameters();
        sp.setLanguage(SearchService.LANGUAGE_LUCENE);
        sp.setQuery("@usr\\:username:\"" + searchUserName + "\"");
-        sp.addStore(STOREREF_USERS);
+       
+        try
+        {
+            sp.addStore(tenantService.getName(searchUserName, STOREREF_USERS));
+        }
+        catch (AlfrescoRuntimeException e)
+        {
+            return null; // no such tenant or tenant not enabled
+        }
+
        sp.excludeDataInTheCurrentTransaction(false);

        ResultSet rs = null;
@@ -210,12 +225,14 @@ public class RepositoryAuthenticationDao implements MutableAuthenticationDao

    public void createUser(String caseSensitiveUserName, char[] rawPassword) throws AuthenticationException
    {
+        tenantService.checkDomainUser(caseSensitiveUserName);
+
        NodeRef userRef = getUserOrNull(caseSensitiveUserName);
        if (userRef != null)
        {
            throw new AuthenticationException("User already exists: " + caseSensitiveUserName);
        }
-        NodeRef typesNode = getUserFolderLocation();
+        NodeRef typesNode = getUserFolderLocation(caseSensitiveUserName);
        Map<QName, Serializable> properties = new HashMap<QName, Serializable>();
        properties.put(ContentModel.PROP_USER_USERNAME, caseSensitiveUserName);
        String salt = null; // GUID.generate();
@@ -230,12 +247,15 @@ public class RepositoryAuthenticationDao implements MutableAuthenticationDao

    }

-    private NodeRef getUserFolderLocation()
+    private NodeRef getUserFolderLocation(String caseSensitiveUserName)
    {
        QName qnameAssocSystem = QName.createQName("sys", "system", namespacePrefixResolver);
        QName qnameAssocUsers = QName.createQName("sys", "people", namespacePrefixResolver); // see
+
+        StoreRef userStoreRef = tenantService.getName(caseSensitiveUserName, new StoreRef(STOREREF_USERS.getProtocol(), STOREREF_USERS.getIdentifier()));
+
        // AR-527
-        NodeRef rootNode = nodeService.getRootNode(STOREREF_USERS);
+        NodeRef rootNode = nodeService.getRootNode(userStoreRef);
        List<ChildAssociationRef> results = nodeService.getChildAssocs(rootNode, RegexQNamePattern.MATCH_ALL,
                qnameAssocSystem);
        NodeRef sysNodeRef = null;