Merged V3.2 to HEAD

17475: ETHREEOH-3295: Fix to AuthorityMigrationPatch
      - Forces transaction retry if worker thread reaches child authority before a parent authority
      - Tested on Kev's 3.1.1 repository with ~20,000 bulk loaded users and ~2,000 Share sites
      - Now completes in 5 minutes as opposed to 45
   17461: ETHREEOH-3268: Added MutableAuthenticationService.isAuthenticationCreationAllowed () to allow conditional display of external user invitation UI
   17450: ETHREEOH-2762: Correction to previous fix. Do not generate new name when working copy copied back on check in.
   17440: ETHREEOH-3295: Fixed logging in FixNameCrcValuesPatch
   17439: ETHREEOH-2762: Improved behaviour when a working copy is copied
      - Working copy aspect already removed the working copy aspect on copy
      - Now derives a new name from the node checked out from and a UUID, preserving the extension
   17438: ETHREEOH-2690: Fix sequencing of jgroups system property setting
      - declared dependency between internalEHCacheManager and jgroupsPropertySetter
   17436: ETHREEOH-3295: Further performance improvements to AuthorityMigrationPatch
      - authority created at same time as all its parent associations to save lots of reindexing, as per LDAP sync
      - multi-threaded BatchProcessor (as used by LDAP sync, FixNameCrcValuesPatch) used to process work in 2 threads in batches of 20, report progress every 100 entries and handle transaction retries
      - BatchProcessor now promoted to its own package
   17394: Fix for license issue in local enterprise builds.
      - Replace Community with Enterprise in version.properties during enterprise war building
   17365: ETHREEOH-3229: Visited and fixed all SearchService result set leaks
   17362: ETHREEOH-3254: Eliminate needless ping to LDAP server in LDAPAuthenticationComponentImpl.implementationAllowsGuestLogin()
   17348: ETHREEOH-3003: Fix NPE in Hyperic when LicenseDescriptor has null fields
   17316: Merged V3.1 to V3.2
      17315: ETHREEOH-3092: PersonService won't let you create duplicate persons anymore.
      17314: ETHREEOH-3158: Fix RepoServerMgmt to work with external authentication methods
         - AuthenticationService.getCurrentTicket / getNewTicket now call pre authentication check before issuing a new ticket, thus still allowing ticket enforcement when external authentication is in use.
      17312: ETHREEOH-3219: Enable resolution of JMX server password file path on JBoss 5
      17299: Merged V3.2 to V3.1 (Record only)
         17297: ETHREEOH-1593: Changed name of username cookie and fixed login.jsp to decode it properly
         17248: ETHREEOH-1593: alfUser cookie value should be base 64 encoded to allow for non-ASCII characters
   17297: ETHREEOH-1593: Changed name of username cookie and fixed login.jsp to decode it properly
      - thanks Kev!
   17292: ETHREEOH-1842: Ticket association with HttpSession IDs tracked so that we don't invalidate a ticket in use by multiple sessions prematurely
      - AuthenticationService validate, getCurrentTicket, etc. methods now take optional sessionId arguments
   17269: Fix failing unit test
      - reinstate original behaviour of AbstractChainingAuthenticationService.getAuthenticationEnabled()
   17268: Fix InvitationService
      - Runs as system to do privileged AuthenticationService actions


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18105 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Dave Ward
2010-01-18 17:41:59 +00:00
parent 050e279912
commit 7f6435087f
11 changed files with 29 additions and 22 deletions


@@ -196,7 +196,7 @@ public class TestWebScriptRepoServer extends TestWebScriptServer
{ {
public Object execute() throws Exception public Object execute() throws Exception
{ {
authenticationService.validate(username); authenticationService.validate(username, null);
return null; return null;
} }
}); });


@@ -76,7 +76,7 @@ public class LoginTicket extends DeclarativeWebScript
try try
{ {
String ticketUser = ticketComponent.validateTicket(ticket); String ticketUser = ticketComponent.validateTicket(ticket, null);
String currentUser = AuthenticationUtil.getFullyAuthenticatedUser(); String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
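Review bot: The new second argument in `ticketComponent.validateTicket(ticket, null)` is not explained at the call site, so a reader cannot tell that `null` stands for "no HttpSession to associate with this ticket". The commit message describes the session id as optional, and the same bare `null` appears in TestWebScriptRepoServer, LoginTicketDelete, BasicHttpAuthenticatorFactory and TicketCallbackHandler. If that reading is the intent, add a short comment above each call, for example `// no HttpSession on this path: validate the ticket without a session association`. The enclosing method starts and ends outside this hunk.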


@@ -86,7 +86,7 @@ public class LoginTicketDelete extends DeclarativeWebScript
try try
{ {
String ticketUser = ticketComponent.validateTicket(ticket); String ticketUser = ticketComponent.validateTicket(ticket, null);
// do not go any further if tickets are different // do not go any further if tickets are different
if (!AuthenticationUtil.getFullyAuthenticatedUser().equals(ticketUser)) if (!AuthenticationUtil.getFullyAuthenticatedUser().equals(ticketUser))
@@ -97,7 +97,7 @@ public class LoginTicketDelete extends DeclarativeWebScript
else else
{ {
// delete the ticket // delete the ticket
authenticationService.invalidateTicket(ticket); authenticationService.invalidateTicket(ticket, null);
status.setMessage("Deleted Ticket " + ticket); status.setMessage("Deleted Ticket " + ticket);
} }
} }
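Review bot: In the delete branch, `authenticationService.invalidateTicket(ticket, null)` does not show whether the ticket is revoked outright or only once no HttpSession is still associated with it. The commit message says session associations are now tracked so that a ticket shared by several sessions is not invalidated prematurely, yet a caller of an explicit delete endpoint expects the ticket to be unusable afterwards. Please confirm what a null session id means for `invalidateTicket`, state it in a comment at this call, and cover it with a test in which the ticket is still referenced by a session when it is deleted. The same call is made in AuthenticationWebService. `status.setMessage("Deleted Ticket " + ticket)` also echoes the ticket value into the response, which is worth dropping if the status message can end up in logs.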


@@ -140,7 +140,7 @@ public class BasicHttpAuthenticatorFactory implements ServletAuthenticatorFactor
logger.debug("Authenticating (URL argument) ticket " + ticket); logger.debug("Authenticating (URL argument) ticket " + ticket);
// assume a ticket has been passed // assume a ticket has been passed
authenticationService.validate(ticket); authenticationService.validate(ticket, null);
authorized = true; authorized = true;
} }
catch(AuthenticationException e) catch(AuthenticationException e)
@@ -168,7 +168,7 @@ public class BasicHttpAuthenticatorFactory implements ServletAuthenticatorFactor
logger.debug("Authenticating (BASIC HTTP) ticket " + parts[0]); logger.debug("Authenticating (BASIC HTTP) ticket " + parts[0]);
// assume a ticket has been passed // assume a ticket has been passed
authenticationService.validate(parts[0]); authenticationService.validate(parts[0], null);
authorized = true; authorized = true;
} }
else else
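Review bot: Both debug statements in BasicHttpAuthenticatorFactory write the complete ticket to the log (`"Authenticating (URL argument) ticket " + ticket` and `"Authenticating (BASIC HTTP) ticket " + parts[0]`), and the ticket is a bearer credential that the following `validate(...)` call accepts as-is. Anyone with read access to debug logs or log aggregation would hold a usable credential for as long as the ticket lives. Log the event rather than the value, e.g. `logger.debug("Authenticating (URL argument) ticket");`, or at most a short non-reversible fingerprint of it. The enclosing methods start and end outside these hunks, so a surrounding `isDebugEnabled()` guard may exist but is not visible here.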


@@ -34,6 +34,7 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse; import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.repo.SessionUser; import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.AuthenticationException;
@@ -115,8 +116,9 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De
// Authenticate the user // Authenticate the user
authenticationService.authenticate(username, password.toCharArray()); authenticationService.authenticate(username, password.toCharArray());
HttpSession session = httpReq.getSession();
user = createUserEnvironment(httpReq.getSession(), authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(), false); user = createUserEnvironment(session, authenticationService.getCurrentUserName(),
authenticationService.getCurrentTicket(session.getId()), false);
} }
catch ( AuthenticationException ex) catch ( AuthenticationException ex)
{ {
@@ -149,13 +151,14 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De
// Validate the ticket // Validate the ticket
authenticationService.validate(ticket); HttpSession session = httpReq.getSession();
authenticationService.validate(ticket, session.getId());
// Need to create the User instance if not already available // Need to create the User instance if not already available
String currentUsername = authenticationService.getCurrentUserName(); String currentUsername = authenticationService.getCurrentUserName();
user = createUserEnvironment(httpReq.getSession(), currentUsername, ticket, false); user = createUserEnvironment(session, currentUsername, ticket, false);
} }
} }
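Review bot: After `authenticationService.authenticate(username, password.toCharArray())` the first hunk takes `httpReq.getSession()`, which returns whatever session the request already carried, and then binds the new ticket to that pre-login id through `getCurrentTicket(session.getId())`. The session identifier is therefore not renewed at the point of authentication, and this commit makes that id part of the ticket's lifetime tracking. Unless the id is rotated elsewhere (not visible in this hunk), consider starting a fresh session before building the user environment: `HttpSession old = httpReq.getSession(false); if (old != null) old.invalidate(); HttpSession session = httpReq.getSession(true);`. BaseSSOAuthenticationFilter and HTTPRequestAuthenticationFilter bind tickets to the existing session in the same way.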


@@ -160,7 +160,7 @@ public abstract class BaseAuthenticationFilter
{ {
try try
{ {
authenticationService.validate(sessionUser.getTicket()); authenticationService.validate(sessionUser.getTicket(), session.getId());
setExternalAuth(session, externalAuth); setExternalAuth(session, externalAuth);
} }
catch (AuthenticationException e) catch (AuthenticationException e)


@@ -601,7 +601,7 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication
catch (AuthenticationException ex) catch (AuthenticationException ex)
{ {
if (logger.isDebugEnabled()) if (logger.isDebugEnabled())
logger.debug("Failed to validate user " + user.getUserName(), ex); logger.debug("Failed to validate user " + userName, ex);
onValidateFailed(req, res, session); onValidateFailed(req, res, session);
return; return;


@@ -163,7 +163,7 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
public SessionUser execute() throws Throwable public SessionUser execute() throws Throwable
{ {
authenticationComponent.setCurrentUser(userName); authenticationComponent.setCurrentUser(userName);
return createUserEnvironment(session, userName, authenticationService.getCurrentTicket(), true); return createUserEnvironment(session, userName, authenticationService.getCurrentTicket(session.getId()), true);
} }
}); });
} }
@@ -288,8 +288,10 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
// If we don't yet have a valid cached user, validate the ticket and create one // If we don't yet have a valid cached user, validate the ticket and create one
if ( user == null ) if ( user == null )
{ {
authenticationService.validate(ticket); HttpSession session = req.getSession();
user = createUserEnvironment(req.getSession(), authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(), true); String sessionId = session.getId();
authenticationService.validate(ticket, sessionId);
user = createUserEnvironment(session, authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(sessionId), true);
} }
// Indicate the ticket parameter was specified, and valid // Indicate the ticket parameter was specified, and valid
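Review bot: In the second hunk `req.getSession()` runs before `authenticationService.validate(ticket, sessionId)`, so a request that carries an invalid ticket still causes the container to create a session that lives until it times out. The id is needed for the call, so the order cannot simply be swapped; a cleanup on failure would do instead, e.g. in the handler for AuthenticationException `if (session.isNew()) session.invalidate();`. That handler is outside this hunk, so it may already do this. The ticket-validation hunks in AuthenticationFilter and HTTPRequestAuthenticationFilter use the same order.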


@@ -39,6 +39,7 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse; import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.repo.SessionUser; import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationComponent; import org.alfresco.repo.security.authentication.AuthenticationComponent;
@@ -219,8 +220,9 @@ public class HTTPRequestAuthenticationFilter extends BaseAuthenticationFilter im
m_authComponent.clearCurrentSecurityContext(); m_authComponent.clearCurrentSecurityContext();
m_authComponent.setCurrentUser(userName); m_authComponent.setCurrentUser(userName);
return createUserEnvironment(httpReq.getSession(), userName, authenticationService HttpSession session = httpReq.getSession();
.getCurrentTicket(), true); return createUserEnvironment(session, userName, authenticationService
.getCurrentTicket(session.getId()), true);
} }
catch (AuthenticationException ex) catch (AuthenticationException ex)
{ {
@@ -251,12 +253,12 @@ public class HTTPRequestAuthenticationFilter extends BaseAuthenticationFilter im
try try
{ {
HttpSession session = httpReq.getSession();
// Validate the ticket // Validate the ticket
authenticationService.validate(ticket); authenticationService.validate(ticket, session.getId());
// Need to create the User instance if not already available // Need to create the User instance if not already available
user = createUserEnvironment(httpReq.getSession(), authenticationService.getCurrentUserName(), user = createUserEnvironment(session, authenticationService.getCurrentUserName(), ticket, true);
ticket, true);
} }
catch (AuthenticationException authErr) catch (AuthenticationException authErr)
{ {


@@ -116,7 +116,7 @@ public class AuthenticationWebService implements AuthenticationServiceSoapPort
public Object execute() throws Throwable public Object execute() throws Throwable
{ {
AuthenticationWebService.this.authenticationComponent.setSystemUserAsCurrentUser(); AuthenticationWebService.this.authenticationComponent.setSystemUserAsCurrentUser();
AuthenticationWebService.this.authenticationService.invalidateTicket(ticket); AuthenticationWebService.this.authenticationService.invalidateTicket(ticket, null);
AuthenticationWebService.this.authenticationService.clearCurrentSecurityContext(); AuthenticationWebService.this.authenticationService.clearCurrentSecurityContext();
if (logger.isDebugEnabled()) if (logger.isDebugEnabled())


@@ -80,7 +80,7 @@ public class TicketCallbackHandler implements CallbackHandler
// ensure the ticket is valid // ensure the ticket is valid
try try
{ {
this.authenticationService.validate(ticket); this.authenticationService.validate(ticket, null);
} }
catch (AuthenticationException ae) catch (AuthenticationException ae)
{ {