From 822e6c5edb3fa366c8152b9868967b6b4ca2656e Mon Sep 17 00:00:00 2001 
From: Dave Ward
Date: Wed, 24 Mar 2010 13:49:03 +0000
Subject: [PATCH] Merged V3.2 to HEAD:

19472: ALF-725: Revert to using jTDS JDBC driver for SQL Server in 3.2 SP1, since the Microsoft driver doesn't work with the v3.2.r iBATIS stuff
- All example/installer alfresco-global.properties updated
- Wiki updated http://wiki.alfresco.com/wiki/Database_Configuration#MS-SQL_Databases
- Logged doc bug ALF-2144 and release note bug ALF-2145
19501: Merged DEV/BELARUS/V3.2-2010_02_24 to V3.2 (with corrections)
  19243: ALF-757: Cannot start up on JBoss 5.1 due to audit configuration error
  - Removed getPath() method because it is incompatible with JBoss and other app servers where resources can't be resolved to a file
  - Now use Spring ResourceLoader instead of creating FileInputStream
  - getLastModified() still returned where the resource resolves to a file; otherwise the server startup time
19503: (RECORD ONLY) ALF-2100: Merged HEAD to V3.2
  19155: ALF-1995: Removed remaining direct dependencies on portlet API from Alfresco Explorer classes
  - Moved into AlfrescoFacesPortlet
  - portlet.jar was removed from alfresco.war for Liferay compatibility
19506: Merged PATCHES/V3.1.2 to V3.2
  19218: (RECORD ONLY) Created hotfix branch off TAGS/ENTERPRISE/V3.1.2
  19229: (RECORD ONLY) Merged V3.1 to V3.1.2
    18577: Fix for ETHREEOH-4117, based on CHK-11154
  19341: Merged DEV/BELARUS/V3.1-2010_02_05 to PATCHES/V3.1.2 (with corrections)
    19156: ALF-1906: splitPersonCleanUpBootstrapBean is not able to remove duplicated users
    Also
    - improved detection of 'split' persons
    - added unit tests for person splitting and deleting
    - fixed duplicate person caching and sorting problems
    - prevented onUpdateProperties from firing needlessly in PersonServiceImpl and AuthorityDAOImpl when persons and authorities are created initially
  19342: (RECORD ONLY) Incremented version number
19508: Merged PATCHES/V3.2.0 to V3.2
  18762: (RECORD ONLY) Created hotfix branch off V3.2.0-ENTERPRISE-FINAL
  18789: (RECORD ONLY) Merged BRANCHES/V3.2:r17905,18254,18319 to PATCHES/V3.2.0
    r17905 | markr | 2010-01-06 16:55:12 +0000 (Wed, 06 Jan 2010) | 3 lines
    ETHREEOH-3809 - WCM - First test server deploy fails.
    added yet another transaction to read the previous snapshot transaction.
    added a new system test based upon the WCM services. The beginnings of testing against layered authored sandboxes.
    r18254 | janv | 2010-01-22 18:15:43 +0000 (Fri, 22 Jan 2010) | 1 line
    WCM/AVM - ETHREEOH-2057 (Submitting WCM Content through WF JSF Error - due to AVM Sync issue)
    r18319 | royw | 2010-01-27 12:18:27 +0000 (Wed, 27 Jan 2010) | 4 lines
    Merged BRANCHES/DEV/BELARUS/V3.2-2010_01_11 to V3.2
      18273: ETHREEOH-3834: WCM: An extra .xml.html file is created when editing newly created content
  18822: (RECORD ONLY) Merged DEV_TEMPORARY to PATCHES/V3.2.0
    18478: SAP XForms errors - ACT 15969
    18699: ETHREEOH-4171: HTTP 500 when filling in a WCM webform - ACT 15969
  18842: (RECORD ONLY) Merged V3.2 to PATCHES/V3.2.0
    18701: Merged DEV_TEMPORARY to V3.2
      18693: ETHREEOH-4182: ASR deployer fails to set the contentUrl of documents on the target system
      - Merged in fix related to closing output streams.
      - Increased coverage of unit test.
  18854: (RECORD ONLY) Merged V3.2 to V3.2.0
    18019: ETHREEOH-3770: LDAP sync now supports attribute range retrieval to get around limits imposed by Active Directory on multi-valued attributes
    - Meant that groups with more than 1000 members were getting truncated in Active Directory
    - Now switched on in ldap-ad and off in ldap subsystem
    - Also switched off result set paging in ldap subsystem by default for wider compatibility with non-AD systems
    18272: Merged DEV/BELARUS/V3.2-2010_01_11 to V3.2
      18257: ETHREEOH-4002: User/Group sync does not handle LDAP communication failures
      - Merged with corrections
    18276: ETHREEOH-4002: Correction to previous checkin
    - modification dates are only persisted after successful processing of users and groups, so need to delete them on comms failure
    18340: ETHREEOH-4069: LDAP sync cannot resolve DNs containing a slash character
    - Due to JNDI interpreting the slash character as a separator
    18403: ETHREEOH-4008: LDAP sync should preserve case of group members
    - Was incorrectly extracting attributes from lower-cased DN
    18846: ETHREEOH-4233: LDAP sync now synchronizes group display names
    - New ldap.synchronization.groupDisplayNameAttributeName property provides name of LDAP attribute
  18877: (RECORD ONLY) Merged /alfresco/BRANCHES/V3.2:r18616
    r18616 | markr | 2010-02-12 14:08:52 +0000 (Fri, 12 Feb 2010) | 1 line
    ETHREEOH-4181 - Access denied exception when deploying via avm deployment receiver
  19319: ALF-2043: User ID case sensitivity issues with Sharepoint Connector and External Authentication Subsystem
  - DefaultRemoteUserMapper and AlfrescoUserGroupServiceHandler should use personService.getUserIdentifier() to 'normalize' a username according to case sensitivity settings
  - NtlmAuthenticationHandler should also leave the normalization to personService
  19320: (RECORD ONLY) Incremented version label
  19380: ALF-2043: Revisit user ID case sensitivity in DefaultRemoteUserMapper
  - Has to use public PersonService in case it is accessed outside of a
transaction - Fixed regular expression matching - Added unit tests to try out all the remote user mapper options 19509: Merged PATCHES/V3.2.r to V3.2 18803: (RECORD ONLY) Created hotfix branch off V3.2.r-ENTERPRISE-FINAL 18833: (RECORD ONLY) Turn on Repo Doclib by default 19054: (RECORD ONLY) Merging V3.2 to PATCHES/V3.2.r 18787: MT: fix ETHREEOH-4125 - authority migration / batch processor (when upgrading groups from 3.1 to 3.2) 19358: (RECORD ONLY) Merged DEV/BELARUS/V3.2-2010_01_11 to PATCHES/V3.2.r 18699: ETHREEOH-4171: HTTP 500 when filling in a WCM webform 19447: (RECORD ONLY) Incremented version label 19518: ALF-757: Corrected audit config resource URL so that it resolves inside Tomcat as well as JUnit! 19525: ALF-708: Use BatchProcessor to process duplicate persons in small batches in SplitPersonCleanupBootstrapBean - Even tested in a unit test! git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@19536 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../external/external-filter-context.xml | 3 + .../app/servlet/DefaultRemoteUserMapper.java | 85 +++++++++--- .../servlet/DefaultRemoteUserMapperTest.java | 125 ++++++++++++++++++ .../auth/BasicAuthenticationHandler.java | 8 +- .../auth/ntlm/NtlmAuthenticationHandler.java | 2 +- 5 files changed, 201 insertions(+), 22 deletions(-) create mode 100644 source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapperTest.java diff --git a/config/alfresco/subsystems/Authentication/external/external-filter-context.xml b/config/alfresco/subsystems/Authentication/external/external-filter-context.xml index 2a89b9e61a..40e39cfef2 100644 --- a/config/alfresco/subsystems/Authentication/external/external-filter-context.xml +++ b/config/alfresco/subsystems/Authentication/external/external-filter-context.xml @@ -16,6 +16,9 @@ ${external.authentication.userIdPattern} + + + \ No newline at end of file 
diff --git a/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapper.java b/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapper.java index 5a0c740a1a..c50f82298f 100644 --- a/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapper.java +++ b/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapper.java 
@@ -24,14 +24,18 @@ import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; import org.alfresco.repo.management.subsystems.ActivateableBean; +import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; +import org.alfresco.service.cmr.security.PersonService; /** - * A default {@link RemoteUserMapper} implementation. Extracts the user ID using - * {@link HttpServletRequest#getRemoteUser()}. If it matches the configured proxy user name or the configured proxy user - * name is null, it extracts the user ID from the configured proxy request header. Otherwise returns the remote user - * name. An optional regular expression defining how to convert the header to a user ID can be configured using - * {@link #setUserIdPattern(String)}. This allows for the secure proxying of requests from a Surf client such as - * Alfresco Share using SSL client certificates. + * A default {@link RemoteUserMapper} implementation. Extracts a user ID using + * {@link HttpServletRequest#getRemoteUser()} and optionally from a configured request header. If there is no configured + * proxy user name, it returns the request header user name if there is one, or the remote user name otherwise. If there + * is a configured proxy user, then it returns the request header user name if the remote user matches the proxy user, + * or the remote user otherwise. An optional regular expression defining how to convert the header to a user ID can be + * configured using {@link #setUserIdPattern(String)}. This allows for the secure proxying of requests from a Surf + * client such as Alfresco Share using SSL client certificates. * * @author dward */ 
@@ -49,6 +53,9 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe /** Regular expression for extracting a user ID from the header. */ private Pattern userIdPattern; + /** The person service. */ + private PersonService personService; + /** * Sets the name of the remote user used to 'proxy' requests securely in the name of another user. Typically this * remote identity will be protected by an SSL client certificate. @@ -70,7 +77,7 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe */ public void setProxyHeader(String proxyHeader) { - this.proxyHeader = proxyHeader; + this.proxyHeader = proxyHeader == null || proxyHeader.length() == 0 ? null : proxyHeader; } /** @@ -98,6 +105,17 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe .compile(userIdPattern); } + /** + * Sets the person service. + * + * @param personService + * the person service + */ + public void setPersonService(PersonService personService) + { + this.personService = personService; + } + /* * (non-Javadoc) * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(javax.servlet.http.HttpServletRequest) 
@@ -108,26 +126,49 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe { return null; } + String remoteUserId = request.getRemoteUser(); + String headerUserId = extractUserFromProxyHeader(request); if (this.proxyUserName == null) { - return extractUserFromProxyHeader(request); + // Normalize the user ID taking into account case sensitivity settings + return normalizeUserId(headerUserId != null ? headerUserId : remoteUserId); + } + else if (remoteUserId == null) + { + return null; } else { - String userId = request.getRemoteUser(); - if (userId == null) - { - return null; - } - if (userId.equals(this.proxyUserName)) - { - userId = extractUserFromProxyHeader(request); - } - return userId; + // Normalize the user ID taking into account case sensitivity settings + return normalizeUserId(remoteUserId.equals(this.proxyUserName) ? headerUserId : remoteUserId); } } - /* (non-Javadoc) + /** + * Normalizes a user id, taking into account existing user accounts and case sensitivity settings. + * + * @param userId + * the user id + * @return the string + */ + private String normalizeUserId(final String userId) + { + if (userId == null) + { + return null; + } + String normalized = AuthenticationUtil.runAs(new RunAsWork() + { + public String doWork() throws Exception + { + return personService.getUserIdentifier(userId); + } + }, AuthenticationUtil.getSystemUserName()); + return normalized == null ? userId : normalized; + } + + /* + * (non-Javadoc) * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive() */ public boolean isActive() @@ -146,6 +187,10 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe */ private String extractUserFromProxyHeader(HttpServletRequest request) { + if (this.proxyHeader == null) + { + return null; + } String userId = request.getHeader(this.proxyHeader); if (userId == null) { 
@@ -160,7 +205,7 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe Matcher matcher = this.userIdPattern.matcher(userId); if (matcher.matches()) { - userId = matcher.group().trim(); + userId = matcher.group(1).trim(); } } return userId.length() == 0 ? null : userId; diff --git a/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapperTest.java b/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapperTest.java new file mode 100644 index 0000000000..cb2d0261ca --- /dev/null +++ b/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapperTest.java 
@@ -0,0 +1,125 @@ +/* + * Copyright (C) 2005-2010 Alfresco Software Limited. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + * As a special exception to the terms and conditions of version 2.0 of + * the GPL, you may redistribute this Program in connection with Free/Libre + * and Open Source Software ("FLOSS") applications as described in Alfresco's + * FLOSS exception. 
You should have received a copy of the text describing + * the FLOSS exception, and it is also available here: + * http://www.alfresco.com/legal/licensing" + */ +package org.alfresco.web.app.servlet; + +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import javax.servlet.http.HttpServletRequest; + +import org.alfresco.repo.management.subsystems.AbstractChainedSubsystemTest; +import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory; +import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager; +import org.alfresco.util.ApplicationContextHelper; +import org.springframework.context.ApplicationContext; + + +/** + * @author dward + * + */ +public class DefaultRemoteUserMapperTest extends AbstractChainedSubsystemTest +{ + ApplicationContext ctx = ApplicationContextHelper.getApplicationContext(); + DefaultChildApplicationContextManager childApplicationContextManager; + ChildApplicationContextFactory childApplicationContextFactory; + + /* (non-Javadoc) + * @see junit.framework.TestCase#setUp() + */ + @Override + protected void setUp() throws Exception + { + childApplicationContextManager = (DefaultChildApplicationContextManager) ctx.getBean("Authentication"); + childApplicationContextManager.stop(); + childApplicationContextManager.setProperty("chain", "external1:external"); + childApplicationContextFactory = getChildApplicationContextFactory(childApplicationContextManager, "external1"); + } + + + /* (non-Javadoc) + * @see junit.framework.TestCase#tearDown() + */ + @Override + protected void tearDown() throws Exception + { + childApplicationContextManager.destroy(); + childApplicationContextManager = null; + childApplicationContextFactory = null; + } + + + public void testUnproxiedHeader() throws Exception + { + // Clear the proxy user name + childApplicationContextFactory.stop(); + childApplicationContextFactory.setProperty("external.authentication.proxyUserName", ""); + + // Mock a request 
with a username in the header + HttpServletRequest mockRequest = mock(HttpServletRequest.class); + when(mockRequest.getHeader("X-Alfresco-Remote-User")).thenReturn("AdMiN"); + assertEquals("admin", ((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean( + "remoteUserMapper")).getRemoteUser(mockRequest)); + + // Mock an unauthenticated request + when(mockRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(null); + assertNull(((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean( + "remoteUserMapper")).getRemoteUser(mockRequest)); + + // Mock a remote user request + when(mockRequest.getRemoteUser()).thenReturn("ADMIN"); + assertEquals("admin", ((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean( + "remoteUserMapper")).getRemoteUser(mockRequest)); + } + + + public void testProxiedHeader() throws Exception + { + // Set the proxy user name + childApplicationContextFactory.stop(); + childApplicationContextFactory.setProperty("external.authentication.proxyUserName", "bob"); + + // Mock a request with both a user and a header + HttpServletRequest mockRequest = mock(HttpServletRequest.class); + when(mockRequest.getRemoteUser()).thenReturn("bob"); + when(mockRequest.getHeader("X-Alfresco-Remote-User")).thenReturn("AdMiN"); + assertEquals("admin", ((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean( + "remoteUserMapper")).getRemoteUser(mockRequest)); + + // Now try header pattern matching + childApplicationContextFactory.stop(); + childApplicationContextFactory.setProperty("external.authentication.userIdPattern", "abc-(.*)-999"); + when(mockRequest.getHeader("X-Alfresco-Remote-User")).thenReturn("abc-AdMiN-999"); + assertEquals("admin", ((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean( + "remoteUserMapper")).getRemoteUser(mockRequest)); + + // Try a request without the remote user + 
when(mockRequest.getRemoteUser()).thenReturn(null); + assertNull(((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean( + "remoteUserMapper")).getRemoteUser(mockRequest)); + + } + +} diff --git a/source/java/org/alfresco/web/sharepoint/auth/BasicAuthenticationHandler.java b/source/java/org/alfresco/web/sharepoint/auth/BasicAuthenticationHandler.java index 36a6aa5a9a..dc541bbfea 100644 --- a/source/java/org/alfresco/web/sharepoint/auth/BasicAuthenticationHandler.java +++ b/source/java/org/alfresco/web/sharepoint/auth/BasicAuthenticationHandler.java @@ -67,10 +67,16 @@ public class BasicAuthenticationHandler extends AbstractAuthenticationHandler try { if (logger.isDebugEnabled()) - logger.debug("Authenticate the user '" + username + "'"); + logger.debug("Authenticating user '" + username + "'"); authenticationService.authenticate(username, password.toCharArray()); + // Normalize the user ID taking into account case sensitivity settings + username = authenticationService.getCurrentUserName(); + + if (logger.isDebugEnabled()) + logger.debug("Authenticated user '" + username + "'"); + if (mapper.isSiteMember(request, alfrescoContext, username)) { user = new User(username, authenticationService.getCurrentTicket(session.getId()), personService.getPerson(username)); diff --git a/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java b/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java index 4c263a6f4f..472662bee2 100644 --- a/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java +++ b/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java 
@@ -417,7 +417,7 @@ public class NtlmAuthenticationHandler extends AbstractAuthenticationHandler imp } // Check if the user has been authenticated, if so then setup the user environment - if (authenticated == true && callback.isSiteMember(request, alfrescoContext, userName.toLowerCase())) + if (authenticated == true && callback.isSiteMember(request, alfrescoContext, userName)) { String uri = request.getRequestURI();
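Review bot: in the external-filter-context.xml hunk (@@ -16,6 +16,9 @@) the three added lines come through empty in this rendering, so the review cannot see what the bean definition now injects. DefaultRemoteUserMapper gains a `setPersonService(PersonService)` setter in this patch and `normalizeUserId` calls `personService.getUserIdentifier(userId)` without a null check, so this file must set the `personService` property on the `remoteUserMapper` bean (the bean name the new test looks up) or every header-authenticated request will fail with a NullPointerException once the external subsystem is active. Please confirm the property ref is present, and add the missing trailing newline flagged by "\ No newline at end of file".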
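Review bot: the rewritten class javadoc in the DefaultRemoteUserMapper hunk @@ -24,14 +24,18 @@ should spell out the trust consequence of the no-proxy-user mode it now documents: when `proxyUserName` is unset, "it returns the request header user name if there is one, or the remote user name otherwise", so a request the container has authenticated as one user but which carries the header for another is mapped to the header user. That is only safe when the header can be set solely by the trusted front end and is stripped from direct client requests; a sentence to that effect next to the existing "secure proxying ... using SSL client certificates" remark would keep deployers from enabling the header without configuring a proxy user.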
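Review bot: in hunk @@ -70,7 +77,7 @@ `setProxyHeader` now maps an empty string to null, which is what lets the header be blanked from properties, but the same treatment is not visible for `setProxyUserName`, and the new test clears the proxy user with `setProperty("external.authentication.proxyUserName", "")`. If `setProxyUserName` stores "" as-is, `this.proxyUserName == null` in `getRemoteUser` is false and the mapper takes the proxy branch comparing the remote user against "", so the unproxied path that `testUnproxiedHeader` exercises would never be reached. Please confirm that setter (outside this diff) applies the same empty-to-null normalization.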
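Review bot: in hunk @@ -98,6 +105,17 @@ `setPersonService` has no companion check that the property was actually set, while `normalizeUserId` dereferences `personService` unconditionally and runs the lookup as the system user. A mandatory-property assertion at bean initialization (an `afterPropertiesSet` or `PropertyCheck.mandatory` call) would turn a misconfigured subsystem into a startup error instead of a NullPointerException on the first request.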
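Review bot: the behaviour change in the `proxyUserName == null` branch of hunk @@ -108,26 +126,49 @@ deserves an explicit code comment and a test: before this patch that branch returned only `extractUserFromProxyHeader(request)`, now it falls back to `getRemoteUser()` when the header is absent and, when both are present, `headerUserId != null ? headerUserId : remoteUserId` lets the header override the identity the container authenticated. The second point is the one to document, since it means the header must never be settable by an end client in that mode. Two smaller points in the same hunk: `normalizeUserId` silently returns the raw `userId` when `getUserIdentifier` yields null, which is reasonable for persons that do not exist yet but should be stated in the javadoc (the "@return the string" placeholder should say so); and because the `AuthenticationUtil.runAs(..., getSystemUserName())` lookup now runs for any header value on an otherwise unauthenticated request in no-proxy mode, a debug log of the raw and normalized IDs would make misconfiguration visible in the logs.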
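Review bot: `matcher.group(1)` in hunk @@ -160,7 +205,7 @@ throws `IndexOutOfBoundsException` when the configured `userIdPattern` has no capturing group, and the exception would surface on every request rather than at configuration time. Either validate in `setUserIdPattern` that the compiled pattern has `groupCount() >= 1` (rejecting the bean otherwise) or fall back to `matcher.group()` when `groupCount() == 0`, and document that the pattern must contain exactly one capturing group, as the test's `abc-(.*)-999` does. Also visible in this hunk: when `matcher.matches()` is false the raw header value is returned unchanged by `return userId.length() == 0 ? null : userId;`, so the pattern narrows the ID on a match but does not reject non-matching headers. If `userIdPattern` is meant to restrict acceptable header values, the non-match case should return null; if pass-through is intended, say so in the property description.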
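Review bot: `testProxiedHeader` in the new DefaultRemoteUserMapperTest.java never exercises the case the proxy mechanism exists to enforce: a remote user other than the proxy user (say a constructed `alice`) sending an `X-Alfresco-Remote-User` header of `AdMiN` must be mapped to `alice`, not `admin`. Please add that assertion after the `bob` case, plus one for a header that does not match `userIdPattern`, so the intended pass-through or rejection behaviour of `extractUserFromProxyHeader` is pinned down by a test. The class also boots the full repository context through `ApplicationContextHelper` only to obtain a `PersonService`; a mocked `PersonService` with `getUserIdentifier` stubbed would let these run as a plain unit test.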
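Review bot: in the BasicAuthenticationHandler hunk @@ -67,10 +67,16 @@, reassigning `username` from `authenticationService.getCurrentUserName()` is the right place to normalize, but it relies on `authenticate()` having bound the user to the current thread; if that call ever returns null, the following `mapper.isSiteMember(...)` and `personService.getPerson(username)` receive a null name. A null check with a debug message before the site-membership test would make that failure mode explicit. Note also that the first debug line logs the client-supplied value before authentication and the second the normalized one; that is useful for correlating the two, so keep both at debug level.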
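Review bot: dropping `toLowerCase()` in the NtlmAuthenticationHandler hunk @@ -417,7 +417,7 @@ changes what `callback.isSiteMember` receives from the lower-cased name to `userName` in whatever case the NTLM exchange supplied. The commit message says normalization is left to `personService`, but nothing in this hunk shows `userName` being normalized before this call; please confirm that the value was obtained via `personService.getUserIdentifier()` earlier in the method (outside the diff), since otherwise site-membership checks under a case-sensitive username configuration would start to depend on the client's casing.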