ALF-2265: Share 'Uber Filter' part 2

- WebScriptNTLMAuthenticationFilter detached from its superclass and renamed to WebScriptSSOAuthenticationFilter
- Now the filter simply chains to the downstream authentication filter rather than call its superclass
- This means the same filter can be used for Kerberos-protected webscripts as well as NTLM
- Wired globalAuthenticationFilter behind webscriptAuthenticationFilter in the filter chain in web.xml
- Configured webscriptAuthenticationFilter for Kerberos subsystem


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@20616 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/subsystems/Authentication/alfrescoNtlm/ntlm-filter-context.xml

@@ -38,13 +38,10 @@
       </property>
    </bean>
 
-   <bean id="webscriptAuthenticationFilter" class="org.alfresco.web.app.servlet.WebScriptNTLMAuthenticationFilter">
+   <bean id="webscriptAuthenticationFilter" class="org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter">
       <property name="active">
          <value>${ntlm.authentication.sso.enabled}</value>
       </property>
-      <property name="serverConfiguration">
-         <ref bean="fileServerConfiguration" />
-      </property>
       <property name="authenticationService">
          <ref bean="AuthenticationService" />
       </property>
@@ -60,12 +57,6 @@
       <property name="transactionService">
          <ref bean="TransactionService" />
       </property>
-      <property name="mapUnknownUserToGuest">
-         <value>${ntlm.authentication.mapUnknownUserToGuest}</value>
-      </property>
-      <property name="configService">
-         <ref bean="webClientConfigService" />
-      </property>
       <property name="container">
          <ref bean="webscripts.container" />
       </property>

config/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml

@@ -1,7 +1,14 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
 <beans>
-   <bean id="authenticationFilter" class="org.alfresco.web.app.servlet.KerberosAuthenticationFilter">
+   <!-- NullFilter used for this bean, as we are using the more widely-scoped globalAuthenticationFilter -->
+   <bean id="authenticationFilter" class="org.alfresco.repo.web.filter.beans.NullFilter">
+      <property name="active">
+         <value>${kerberos.authentication.sso.enabled}</value>
+      </property>
+   </bean>
+
+   <bean id="globalAuthenticationFilter" class="org.alfresco.web.app.servlet.KerberosAuthenticationFilter">
       <property name="active">
          <value>${kerberos.authentication.sso.enabled}</value>
       </property>
@@ -37,17 +44,28 @@
       </property>
    </bean>
 
-   <!-- NullFilter used for these beans, as they are currenly only required by NTLM -->
+   <bean id="webscriptAuthenticationFilter" class="org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter">
-   <bean id="globalAuthenticationFilter" class="org.alfresco.repo.web.filter.beans.NullFilter">
-      <property name="active">
-         <value>${kerberos.authentication.sso.enabled}</value>		 
-      </property>
-   </bean>
-
-   <bean id="webscriptAuthenticationFilter" class="org.alfresco.repo.web.filter.beans.NullFilter">
       <property name="active">
          <value>${kerberos.authentication.sso.enabled}</value>
       </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="container">
+         <ref bean="webscripts.container" />
+      </property>
    </bean>
 
    <bean id="webDavAuthenticationFilter" class="org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter">

source/java/org/alfresco/web/app/servlet/WebScriptSSOAuthenticationFilter.java

@@ -28,24 +28,34 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.alfresco.repo.management.subsystems.ActivateableBean;
+import org.alfresco.repo.web.filter.beans.DependencyInjectedFilter;
+import org.alfresco.repo.webdav.auth.BaseAuthenticationFilter;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.extensions.surf.util.URLDecoder;
 import org.springframework.extensions.webscripts.Match;
 import org.springframework.extensions.webscripts.RuntimeContainer;
 import org.springframework.extensions.webscripts.Description.RequiredAuthentication;
 
 /**
- * WebScript aware NTLM Authentication Filter Class.
+ * WebScript aware Authentication Filter Class. Takes into account the authentication setting in the descriptor for the
- * 
+ * webscript before chaining to the downstream authentication filters. If authentication is not required then chains
- * Takes into account the authentication setting in the descriptor for the webscript.
+ * with the NO_AUTH_REQUIRED request attribute set, which should cause any downstream authentication filter to bypass
- * If authentication is not required then simply chains. Otherwise will delegate
+ * authentication checks. Also directly handles login script calls, allowing Surf to establish a cookie for a manual log
- * back to the usual web-client NTLM filter code path.
+ * in, rather than the usual stateless ticket based logins used in non-SSO mode.
  * 
  * @author Kevin Roast
+ * @author dward
  */
-public class WebScriptNTLMAuthenticationFilter extends NTLMAuthenticationFilter
+public class WebScriptSSOAuthenticationFilter extends BaseAuthenticationFilter implements DependencyInjectedFilter,
+        ActivateableBean
 {
     private static final String API_LOGIN = "/api/login";
+    private static final Log logger = LogFactory.getLog(WebScriptSSOAuthenticationFilter.class);
     private RuntimeContainer container;        
+    private boolean isActive = true;
+    
     
     /**
      * @param container the container to set
@@ -56,10 +66,29 @@ public class WebScriptNTLMAuthenticationFilter extends NTLMAuthenticationFilter
     }
 
     
+    /**
+     * Activates or deactivates the bean
+     * 
+     * @param active
+     *            <code>true</code> if the bean is active and initialization should complete
+     */
+    public final void setActive(boolean active)
+    {
+        this.isActive = active;
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive()
+     */
+    public final boolean isActive()
+    {
+        return isActive;
+    }
+
     /* (non-Javadoc)
      * @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#doFilter(javax.servlet.ServletContext, javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
      */
-    @Override
     public void doFilter(ServletContext context, ServletRequest sreq, ServletResponse sresp, FilterChain chain)
             throws IOException, ServletException
     {
@@ -84,7 +113,7 @@ public class WebScriptNTLMAuthenticationFilter extends NTLMAuthenticationFilter
             {
                 if (getLogger().isDebugEnabled())
                     getLogger().debug("Found webscript with no authentication - set NO_AUTH_REQUIRED flag.");
-                req.setAttribute(AbstractAuthenticationFilter.NO_AUTH_REQUIRED, Boolean.TRUE);
+                req.setAttribute(NO_AUTH_REQUIRED, Boolean.TRUE);
             }
         }
 
@@ -96,17 +125,16 @@ public class WebScriptNTLMAuthenticationFilter extends NTLMAuthenticationFilter
         }
         else
         {
-            super.doFilter(context, sreq, sresp, chain);
+            chain.doFilter(sreq, sresp);
         }
     }
-    
+
-    /*
+    /* (non-Javadoc)
-     * (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#getLogger()
-     * @see org.alfresco.web.app.servlet.NTLMAuthenticationFilter#onLoginComplete(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, boolean)
      */
-    protected boolean onLoginComplete(ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean userInit)
+    @Override
-            throws IOException
+    protected Log getLogger()
     {
-        return true;
+        return logger;
     }
 }

source/web/WEB-INF/web.xml

@@ -99,24 +99,11 @@
          <param-name>beanName</param-name>
          <param-value>AuthenticationFilter</param-value>
       </init-param>
-
-      <!-- For Novell IChain support use the following filter -->
-      <!--
-      <filter-class>org.alfresco.web.app.servlet.HTTPRequestAuthenticationFilter</filter-class>
-      <init-param>
-         <param-name>httpServletRequestAuthHeaderName</param-name>
-         <param-value>x-user</param-value>
-      </init-param>
-      <init-param>
-         <param-name>authPatternString</param-name>
-         <param-value>.*</param-value>
-      </init-param>
-      -->
    </filter>
    
    <filter>
       <filter-name>Global Authentication Filter</filter-name>
-      <description>Authentication filter mapped to all authenticated URLs (except web scripts). Mainly for NTLM support</description>
+      <description>Authentication filter mapped to all authenticated URLs. Mainly for SSO support</description>
       <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
       <init-param>
          <param-name>beanName</param-name>
@@ -126,7 +113,7 @@
 
    <filter>
       <filter-name>WebScript Authentication Filter</filter-name>
-      <description>Authentication filter mapped to web script URLs. Mainly for NTLM support</description>
+      <description>Authentication filter mapped to web script URLs. Mainly for SSO support</description>
       <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
       <init-param>
          <param-name>beanName</param-name>
@@ -199,6 +186,7 @@
       <url-pattern>/d/*</url-pattern>
    </filter-mapping>
    
+   <!-- The WebScript Authentication filter sits in front of web service URLs in addition to the global authentication filter -->
    <filter-mapping>
       <filter-name>WebScript Authentication Filter</filter-name>
       <url-pattern>/wcservice/*</url-pattern>
@@ -209,6 +197,16 @@
       <url-pattern>/wcs/*</url-pattern>
    </filter-mapping>
    
+   <filter-mapping>
+      <filter-name>Global Authentication Filter</filter-name>
+      <url-pattern>/wcservice/*</url-pattern>
+   </filter-mapping>
+   
+   <filter-mapping>
+      <filter-name>Global Authentication Filter</filter-name>
+      <url-pattern>/wcs/*</url-pattern>
+   </filter-mapping>
+
    <filter-mapping>
       <filter-name>Global Authentication Filter</filter-name>
       <url-pattern>/ajax/*</url-pattern>