Merged V3.3-BUG-FIX to HEAD

21132: ALF-3855: Refactored repository authentication filters so that same code is re-used for Web Client, Web Script, Web DAV and Sharepoint authentication
      - 'Uber Filter' part 3
      - Means we now support Kerberos Authentication for Sharepoint
      - Threw away a lot of duplicated code
      - New common AuthenticationDriver interface created and now implemented by core authentication code
      - Sharepoint and BaseSSOAuthenticationFilter now both use AuthenticationDrivers
      - Needs regression testing
   21137: ALF-3841: Alfresco Explorer SSO Authentication Filters now accept ticket parameters too
      - Can be turned back off with ntlm.authentication.browser.ticketLogons=false or kerberos.authentication.browser.ticketLogons=false
      - Wiki updated
   21141: ALF-3855: Fixed wiring
   21146: ALF-2879: 'xamconnector' module behaviour for xam:archived
      - Application of xam:archived recurses and locks both files and folders
      - cm:content nodes also have the store selector applied for the XAMContentStore
      - TODO: Archive properties
   21165: Fixed ALF-3867: SQL format error when re-instating orphaned content URL
      - Parameter was not bounded with #
      - Added unit test to ensure SQL generated is correct
   21169: Merged V3.3 to V3.3-BUG-FIX
      21168: (RECORD ONLY Merged PATCHES/V3.2.1 to V3.3
         21166: Merged V3.3-BUG-FIX to PATCHES/V3.2.1
            21165: Fixed ALF-3867: SQL format error when re-instating orphaned content URL
               - Parameter was not bounded with #
               - Added unit test to ensure SQL generated is correct
      21118: Latest SpringSurf libs:
         - Fix for missing read of "keystore" in Remote config
         - Session Fixation attack mitigation improvements:
         - A Surf application no longer generates a Session (and therefore no JSESSIONID) until a user is authenticated - simply visiting a login page or similar will no longer generate a Session
         - Existing Sessions are always invalidated and destroyed if found when a user is authenticated via the LoginController (i.e. due to a JSESSIONID captured via an XSS attack)

         Merged HEAD to V3.3
            21111: Fix to encode form parameter on Share login template - prevents its potential use as an reflected XSS attack vector
            21117: Session Fixation mitigation:
               - Removed Session creation from Share index.jsp

         Merged V3.3-BUG-FIX-2010_06_24 to V3.3
            21096: Fix for ALF-3718 - JSF client login page input validator is too aggressive ("Login" button is disabled if username contains forward slash)
      21088: Latest SpringSurf libs


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@21170 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/web/sharepoint/auth/BasicAuthenticationHandler.java

@@ -18,12 +18,17 @@
  */
 package org.alfresco.web.sharepoint.auth;
 
+import java.io.IOException;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.security.authentication.AuthenticationException;
+import org.alfresco.repo.webdav.auth.SharepointConstants;
 import org.alfresco.web.bean.repository.User;
 import org.apache.commons.codec.binary.Base64;
 
@@ -33,19 +38,20 @@ import org.apache.commons.codec.binary.Base64;
  * @author PavelYur
  *
  */
-public class BasicAuthenticationHandler extends AbstractAuthenticationHandler
+public class BasicAuthenticationHandler extends AbstractAuthenticationHandler implements SharepointConstants
 {
+    private final static String HEADER_AUTHORIZATION = "Authorization";
+
+    private final static String BASIC_START = "BASIC";
+
+    
     /* (non-Javadoc)
-     * @see org.alfresco.web.vti.auth.AuthenticationHandler#authenticateRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.alfresco.web.vti.auth.SiteMemberMapper, java.lang.String)
+     * @see org.alfresco.repo.webdav.auth.SharepointAuthenticationHandler#authenticateRequest(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
      */
-    public SessionUser authenticateRequest(HttpServletRequest request, HttpServletResponse response,
-            SiteMemberMapper mapper, String alfrescoContext)
+    public boolean authenticateRequest(ServletContext context, HttpServletRequest request, HttpServletResponse response)
+            throws IOException, ServletException
     {
-        SessionUser user = null;
-        
         String authHdr = request.getHeader(HEADER_AUTHORIZATION);
-        HttpSession session = request.getSession();
-        
         if (authHdr != null && authHdr.length() > 5 && authHdr.substring(0, 5).equalsIgnoreCase(BASIC_START))
         {
             String basicAuth = new String(Base64.decodeBase64(authHdr.substring(5).getBytes()));
@@ -76,21 +82,42 @@ public class BasicAuthenticationHandler extends AbstractAuthenticationHandler
                 
                 if (logger.isDebugEnabled())
                     logger.debug("Authenticated user '" + username + "'");
-
-                if (mapper.isSiteMember(request, alfrescoContext, username))
-                {
-                    user = new User(username, authenticationService.getCurrentTicket(), personService.getPerson(username));
-                    if (session != null)
-                        session.setAttribute(USER_SESSION_ATTRIBUTE, user);
-                }
+                
+                request.getSession().setAttribute(USER_SESSION_ATTRIBUTE, new User(username, authenticationService.getCurrentTicket(), personService.getPerson(username)));                
+                
+                return true;
             }
             catch (AuthenticationException ex)
             {
                 // Do nothing, user object will be null
             }
         }
+        else
+        {
+            HttpSession session = request.getSession(false);
+            if (session == null)
+            {
+                return false;
+            }
 
-        return user;
+            SessionUser user = (SessionUser) session
+                    .getAttribute(USER_SESSION_ATTRIBUTE);
+            if (user == null)
+            {
+                return false;
+            }
+            try
+            {
+                authenticationService.validate(user.getTicket());
+                return true;
+            }
+            catch (AuthenticationException ex)
+            {
+                session.invalidate();
+            }                        
+        }
+
+        return false;
     }