From 7f6435087f86932ea8df86cb28073f6d6dbf4d77 Mon Sep 17 00:00:00 2001 
From: Dave Ward Date: Mon, 18 Jan 2010 17:41:59 +0000 Subject: [PATCH] Merged V3.2 to HEAD 17475: ETHREEOH-3295: Fix to AuthorityMigrationPatch - Forces transaction retry if worker thread reaches child authority before a parent authority - Tested on Kev's 3.1.1 repository with ~20,000 bulk loaded users and ~2,000 Share sites - Now completes in 5 minutes as opposed to 45 17461: ETHREEOH-3268: Added MutableAuthenticationService.isAuthenticationCreationAllowed () to allow conditional display of external user invitation UI 17450: ETHREEOH-2762: Correction to previous fix. Do not generate new name when working copy copied back on check in. 17440: ETHREEOH-3295: Fixed logging in FixNameCrcValuesPatch 17439: ETHREEOH-2762: Improved behaviour when a working copy is copied - Working copy aspect already removed the working copy aspect on copy - Now derives a new name from the node checked out from and a UUID, preserving the extension 17438: ETHREEOH-2690: Fix sequencing of jgroups system property setting - declared dependency between internalEHCacheManager and jgroupsPropertySetter 17436: ETHREEOH-3295: Further performance improvements to AuthorityMigrationPatch - authority created at same time as all its parent associations to save lots of reindexing, as per LDAP sync - multi-threaded BatchProcessor (as used by LDAP sync, FixNameCrcValuesPatch) used to process work in 2 threads in batches of 20, report progress every 100 entries and handle transaction retries - BatchProcessor now promoted to its own package 17394: Fix for license issue in local enterprise builds. 
- Replace Community with Enterprise in version.properties during enterprise war building 17365: ETHREEOH-3229: Visited and fixed all SearchService result set leaks 17362: ETHREEOH-3254: Eliminate needless ping to LDAP server in LDAPAuthenticationComponentImpl.implementationAllowsGuestLogin() 17348: ETHREEOH-3003: Fix NPE in Hyperic when LicenseDescriptor has null fields 17316: Merged V3.1 to V3.2 17315: ETHREEOH-3092: PersonService won't let you create duplicate persons anymore. 17314: ETHREEOH-3158: Fix RepoServerMgmt to work with external authentication methods - AuthenticationService.getCurrentTicket / getNewTicket now call pre authentication check before issuing a new ticket, thus still allowing ticket enforcement when external authentication is in use. 17312: ETHREEOH-3219: Enable resolution of JMX server password file path on JBoss 5 17299: Merged V3.2 to V3.1 (Record only) 17297: ETHREEOH-1593: Changed name of username cookie and fixed login.jsp to decode it properly 17248: ETHREEOH-1593: alfUser cookie value should be base 64 encoded to allow for non-ASCII characters 17297: ETHREEOH-1593: Changed name of username cookie and fixed login.jsp to decode it properly - thanks Kev! 17292: ETHREEOH-1842: Ticket association with HttpSession IDs tracked so that we don't invalidate a ticket in use by multiple sessions prematurely - AuthenticationService validate, getCurrentTicket, etc. 
methods now take optional sessionId arguments 17269: Fix failing unit test - reinstate original behaviour of AbstractChainingAuthenticationService.getAuthenticationEnabled() 17268: Fix InvitationService - Runs as system to do privileged AuthenticationService actions git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18105 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../repo/web/scripts/TestWebScriptRepoServer.java | 2 +- .../alfresco/repo/web/scripts/bean/LoginTicket.java | 2 +- .../repo/web/scripts/bean/LoginTicketDelete.java | 4 ++-- .../servlet/BasicHttpAuthenticatorFactory.java | 4 ++-- .../repo/webdav/auth/AuthenticationFilter.java | 11 +++++++---- .../repo/webdav/auth/BaseAuthenticationFilter.java | 2 +- .../webdav/auth/BaseNTLMAuthenticationFilter.java | 2 +- .../webdav/auth/BaseSSOAuthenticationFilter.java | 8 +++++--- .../webdav/auth/HTTPRequestAuthenticationFilter.java | 12 +++++++----- .../authentication/AuthenticationWebService.java | 2 +- .../repo/webservice/axis/TicketCallbackHandler.java | 2 +- 11 files changed, 29 insertions(+), 22 deletions(-) diff --git a/source/java/org/alfresco/repo/web/scripts/TestWebScriptRepoServer.java b/source/java/org/alfresco/repo/web/scripts/TestWebScriptRepoServer.java index 44523d42ba..0c0063f662 100644 --- a/source/java/org/alfresco/repo/web/scripts/TestWebScriptRepoServer.java +++ b/source/java/org/alfresco/repo/web/scripts/TestWebScriptRepoServer.java @@ -196,7 +196,7 @@ public class TestWebScriptRepoServer extends TestWebScriptServer { public Object execute() throws Exception { - authenticationService.validate(username); + authenticationService.validate(username, null); return null; } }); diff --git a/source/java/org/alfresco/repo/web/scripts/bean/LoginTicket.java b/source/java/org/alfresco/repo/web/scripts/bean/LoginTicket.java index 9620d956f1..9698763a7d 100644 --- a/source/java/org/alfresco/repo/web/scripts/bean/LoginTicket.java 
+++ b/source/java/org/alfresco/repo/web/scripts/bean/LoginTicket.java @@ -76,7 +76,7 @@ public class LoginTicket extends DeclarativeWebScript try { - String ticketUser = ticketComponent.validateTicket(ticket); + String ticketUser = ticketComponent.validateTicket(ticket, null); String currentUser = AuthenticationUtil.getFullyAuthenticatedUser(); diff --git a/source/java/org/alfresco/repo/web/scripts/bean/LoginTicketDelete.java b/source/java/org/alfresco/repo/web/scripts/bean/LoginTicketDelete.java index d3049e9412..3262f72c49 100644 --- a/source/java/org/alfresco/repo/web/scripts/bean/LoginTicketDelete.java +++ b/source/java/org/alfresco/repo/web/scripts/bean/LoginTicketDelete.java @@ -86,7 +86,7 @@ public class LoginTicketDelete extends DeclarativeWebScript try { - String ticketUser = ticketComponent.validateTicket(ticket); + String ticketUser = ticketComponent.validateTicket(ticket, null); // do not go any further if tickets are different if (!AuthenticationUtil.getFullyAuthenticatedUser().equals(ticketUser)) @@ -97,7 +97,7 @@ public class LoginTicketDelete extends DeclarativeWebScript else { // delete the ticket - authenticationService.invalidateTicket(ticket); + authenticationService.invalidateTicket(ticket, null); status.setMessage("Deleted Ticket " + ticket); } } diff --git a/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java b/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java index ce3286c7c5..ee8ab10813 100644 --- a/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java +++ b/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java 
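Review bot: In LoginTicketDelete.java (hunk at -97,7) the new `authenticationService.invalidateTicket(ticket, null)` does not say what a null session id means for an explicit delete. The commit message says tickets are now tracked against HttpSession ids so that a ticket still used by other sessions is not invalidated early; if a null id only releases one reference instead of removing the ticket unconditionally, this branch would still set `"Deleted Ticket "` while the ticket stays usable. The implementation is not part of this patch, so please confirm it and record the contract at the call, e.g. `// null session id: unconditional delete, the ticket must not remain valid for any session`. The same applies to `invalidateTicket(ticket, null)` in AuthenticationWebService.java (hunk at -116,7). Both enclosing methods extend beyond their hunks.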
@@ -140,7 +140,7 @@ public class BasicHttpAuthenticatorFactory implements ServletAuthenticatorFactor logger.debug("Authenticating (URL argument) ticket " + ticket); // assume a ticket has been passed - authenticationService.validate(ticket); + authenticationService.validate(ticket, null); authorized = true; } catch(AuthenticationException e) @@ -168,7 +168,7 @@ public class BasicHttpAuthenticatorFactory implements ServletAuthenticatorFactor logger.debug("Authenticating (BASIC HTTP) ticket " + parts[0]); // assume a ticket has been passed - authenticationService.validate(parts[0]); + authenticationService.validate(parts[0], null); authorized = true; } else diff --git a/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java index f79fb3aa83..8feb746d6d 100644 --- a/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java @@ -34,6 +34,7 @@ import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.alfresco.repo.SessionUser; import org.alfresco.repo.security.authentication.AuthenticationException; @@ -115,8 +116,9 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De // Authenticate the user authenticationService.authenticate(username, password.toCharArray()); - - user = createUserEnvironment(httpReq.getSession(), authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(), false); + HttpSession session = httpReq.getSession(); + user = createUserEnvironment(session, authenticationService.getCurrentUserName(), + authenticationService.getCurrentTicket(session.getId()), false); } catch ( AuthenticationException ex) { 
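Review bot: In BasicHttpAuthenticatorFactory.java both new calls, `authenticationService.validate(ticket, null)` (hunk at -140,7) and `authenticationService.validate(parts[0], null)` (hunk at -168,7), pass a bare `null` with no indication of why no session id is supplied. A short comment such as `// web script requests carry no HttpSession, so the ticket is validated without a session id` would make the intent reviewable, assuming that is the reason. The same bare `null` appears in LoginTicket.java, LoginTicketDelete.java and TicketCallbackHandler.java. Separately, the unchanged debug lines directly above both calls write the ticket value itself to the log; logging a truncated or hashed form would keep a usable credential out of log files.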
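Review bot: In AuthenticationFilter.java (hunk at -115,8) the ticket is now bound to `session.getId()` immediately after `authenticationService.authenticate(...)`, but `httpReq.getSession()` returns whatever session already exists, so a session id issued before login carries over into the authenticated state. Since this commit makes the session id part of ticket tracking, it would be safer to start a fresh session at this point, e.g. `HttpSession old = httpReq.getSession(false); if (old != null) old.invalidate(); HttpSession session = httpReq.getSession(true);`. Whether attributes must be carried over, or whether the session is renewed elsewhere, is not visible in the hunk. The same pattern follows `m_authComponent.setCurrentUser(userName)` in HTTPRequestAuthenticationFilter.java (hunk at -219,8).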
@@ -149,13 +151,14 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De // Validate the ticket - authenticationService.validate(ticket); + HttpSession session = httpReq.getSession(); + authenticationService.validate(ticket, session.getId()); // Need to create the User instance if not already available String currentUsername = authenticationService.getCurrentUserName(); - user = createUserEnvironment(httpReq.getSession(), currentUsername, ticket, false); + user = createUserEnvironment(session, currentUsername, ticket, false); } } diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java index 98b63061e2..f2c730986f 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java @@ -160,7 +160,7 @@ public abstract class BaseAuthenticationFilter { try { - authenticationService.validate(sessionUser.getTicket()); + authenticationService.validate(sessionUser.getTicket(), session.getId()); setExternalAuth(session, externalAuth); } catch (AuthenticationException e) diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java index 22ca9e432f..e960b23b98 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java @@ -601,7 +601,7 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication catch (AuthenticationException ex) { if (logger.isDebugEnabled()) - logger.debug("Failed to validate user " + user.getUserName(), ex); + logger.debug("Failed to validate user " + userName, ex); onValidateFailed(req, res, session); return; 
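Review bot: In AuthenticationFilter.java (hunk at -149,13) `HttpSession session = httpReq.getSession();` now runs before `authenticationService.validate(ticket, session.getId())`, whereas the removed code only called `httpReq.getSession()` after validation had succeeded. If no session exists yet at this point (the earlier part of the method is outside the hunk), a request carrying an invalid ticket now allocates a server-side session before it is rejected. Consider discarding a session created here when validation fails, e.g. `if (session.isNew()) session.invalidate();` in the failure path, which lies outside the hunk. The same ordering appears in BaseSSOAuthenticationFilter.java (hunk at -288,8) and HTTPRequestAuthenticationFilter.java (hunk at -251,12).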
diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java index 25653f91a5..aac3039e1b 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java @@ -163,7 +163,7 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt public SessionUser execute() throws Throwable { authenticationComponent.setCurrentUser(userName); - return createUserEnvironment(session, userName, authenticationService.getCurrentTicket(), true); + return createUserEnvironment(session, userName, authenticationService.getCurrentTicket(session.getId()), true); } }); } @@ -288,8 +288,10 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt // If we don't yet have a valid cached user, validate the ticket and create one if ( user == null ) { - authenticationService.validate(ticket); - user = createUserEnvironment(req.getSession(), authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(), true); + HttpSession session = req.getSession(); + String sessionId = session.getId(); + authenticationService.validate(ticket, sessionId); + user = createUserEnvironment(session, authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(sessionId), true); } // Indicate the ticket parameter was specified, and valid diff --git a/source/java/org/alfresco/repo/webdav/auth/HTTPRequestAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/HTTPRequestAuthenticationFilter.java index 08d6d80362..a2d591055e 100644 --- a/source/java/org/alfresco/repo/webdav/auth/HTTPRequestAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/HTTPRequestAuthenticationFilter.java 
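Review bot: In BaseSSOAuthenticationFilter.java (hunk at -288,8) the user environment is built from `authenticationService.getCurrentTicket(sessionId)` right after `validate(ticket, sessionId)`, while the equivalent branches in AuthenticationFilter.java and HTTPRequestAuthenticationFilter.java pass the validated `ticket` itself. If the two values are always the same, `user = createUserEnvironment(session, authenticationService.getCurrentUserName(), ticket, true);` would match the other filters and avoid a second ticket lookup. If they can differ, a comment explaining why the SSO path re-reads the ticket is needed. The surrounding method is outside the hunk.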
@@ -39,6 +39,7 @@ import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.alfresco.repo.SessionUser; import org.alfresco.repo.security.authentication.AuthenticationComponent; @@ -219,8 +220,9 @@ public class HTTPRequestAuthenticationFilter extends BaseAuthenticationFilter im m_authComponent.clearCurrentSecurityContext(); m_authComponent.setCurrentUser(userName); - return createUserEnvironment(httpReq.getSession(), userName, authenticationService - .getCurrentTicket(), true); + HttpSession session = httpReq.getSession(); + return createUserEnvironment(session, userName, authenticationService + .getCurrentTicket(session.getId()), true); } catch (AuthenticationException ex) { @@ -251,12 +253,12 @@ public class HTTPRequestAuthenticationFilter extends BaseAuthenticationFilter im try { + HttpSession session = httpReq.getSession(); // Validate the ticket - authenticationService.validate(ticket); + authenticationService.validate(ticket, session.getId()); // Need to create the User instance if not already available - user = createUserEnvironment(httpReq.getSession(), authenticationService.getCurrentUserName(), - ticket, true); + user = createUserEnvironment(session, authenticationService.getCurrentUserName(), ticket, true); } catch (AuthenticationException authErr) { diff --git a/source/java/org/alfresco/repo/webservice/authentication/AuthenticationWebService.java b/source/java/org/alfresco/repo/webservice/authentication/AuthenticationWebService.java index a5aff690e0..07d8a93cd8 100644 --- a/source/java/org/alfresco/repo/webservice/authentication/AuthenticationWebService.java +++ b/source/java/org/alfresco/repo/webservice/authentication/AuthenticationWebService.java 
@@ -116,7 +116,7 @@ public class AuthenticationWebService implements AuthenticationServiceSoapPort public Object execute() throws Throwable { AuthenticationWebService.this.authenticationComponent.setSystemUserAsCurrentUser(); - AuthenticationWebService.this.authenticationService.invalidateTicket(ticket); + AuthenticationWebService.this.authenticationService.invalidateTicket(ticket, null); AuthenticationWebService.this.authenticationService.clearCurrentSecurityContext(); if (logger.isDebugEnabled()) diff --git a/source/java/org/alfresco/repo/webservice/axis/TicketCallbackHandler.java b/source/java/org/alfresco/repo/webservice/axis/TicketCallbackHandler.java index 44f6cc5f64..1d740dd1dc 100644 --- a/source/java/org/alfresco/repo/webservice/axis/TicketCallbackHandler.java +++ b/source/java/org/alfresco/repo/webservice/axis/TicketCallbackHandler.java @@ -80,7 +80,7 @@ public class TicketCallbackHandler implements CallbackHandler // ensure the ticket is valid try { - this.authenticationService.validate(ticket); + this.authenticationService.validate(ticket, null); } catch (AuthenticationException ae) {