Merged V3.2 to HEAD:

19472: ALF-725: Revert to using jTDS JDBC driver for SQL Server in 3.2 SP1, since the Microsoft driver doesn't work with the v3.2.r iBATIS stuff - All example/installer alfresco-global.properties updated - Wiki updated http://wiki.alfresco.com/wiki/Database_Configuration#MS-SQL_Databases - Logged doc bug ALF-2144 and release note bug ALF-2145 19501:Merged DEV/BELARUS/V3.2-2010_02_24 to V3.2 (with corrections) 19243: ALF-757: Cannot start up on JBoss 5.1 due to audit configuration error - Removed getPath() method because it is incompatible with JBoss and other app servers where resources can't be resolved to a file - Now use Spring ResourceLoader instead of creating FileInputStream - getLastModified() still returned where the resource resolves to a file; otherwise the server startup time 19503: (RECORD ONLY) ALF-2100: Merged HEAD to V3.2 19155: ALF-1995: Removed remaining direct dependencies on portlet API from Alfresco Explorer classes - Moved into AlfrescoFacesPortlet - portlet.jar was removed from alfresco.war for Liferay compatibility 19506: Merged PATCHES/V3.1.2 to V3.2 19218: (RECORD ONLY) Created hotfix branch off TAGS/ENTERPRISE/V3.1.2 19229: (RECORD ONLY) Merged V3.1 to V3.1.2 18577: Fix for ETHREEOH-4117, based on CHK-11154 19341: Merged DEV/BELARUS/V3.1-2010_02_05 to PATCHES/V3.1.2 (with corrections) 19156: ALF-1906: splitPersonCleanUpBootstrapBean is not able to remove duplicated users Also - improved detection of 'split' persons - added unit tests for person splitting and deleting - fixed duplicate person caching and sorting problems - prevented onUpdateProperties from firing needlessly in PersonServiceImpl and AuthorityDAOImpl when persons and authorities are created initially 19342: (RECORD ONLY) Incremented version number 19508: Merged PATCHES/V3.2.0 to V3.2 18762: (RECORD ONLY) Created hotfix branch off V3.2.0-ENTERPRISE-FINAL 18789: (RECORD ONLY) Merged BRANCHES/V3.2:r17905,18254,18319 to PATCHES/V3.2.0 r17905 | markr | 2010-01-06 16:55:12 +0000 (Wed, 06 Jan 2010) | 3 lines ETHREEOH-3809 - WCM - First test server deploy fails. added yet another transaction to read the previous snapshot transaction. added a new system test based upon the WCM services. The beginnings of testing against layered authored sandboxes. r18254 | janv | 2010-01-22 18:15:43 +0000 (Fri, 22 Jan 2010) | 1 line WCM/AVM - ETHREEOH-2057 (Submitting WCM Content through WF JSF Error - due to AVM Sync issue) r18319 | royw | 2010-01-27 12:18:27 +0000 (Wed, 27 Jan 2010) | 4 lines Merged BRANCHES/DEV/BELARUS/V3.2-2010_01_11 to V3.2 18273: ETHREEOH-3834: WCM: An extral .xml.html file is created when editing newly created content 18822: (RECORD ONLY) Merged DEV_TEMPORARY to PATCHES/V3.2.0 18478: SAP XForms errors - ACT 15969 18699: ETHREEOH-4171: HTTP 500 when filling in a WCM webform - ACT 15969 18842: (RECORD ONLY) Merged V3.2 to PATCHES/V3.2.0 18701: Merged DEV_TEMPORARY to V3.2 18693 : ETHREEOH-4182: ASR deployer fails to set the contentUrl of documents on the target system - Merged in fix related to closing output streams. - Increased coverage of unit test. 18854: (RECORD ONLY) Merged V3.2 to V3.2.0 18019: ETHREEOH-3770: LDAP sync now supports attribute range retrieval to get around limits imposed by Active Directory on multi-valued attributes - Meant that groups with more than 1000 members were getting truncated in Active Directory - Now switched on in ldap-ad and off in ldap subsystem - Also switched off result set paging in ldap subsystem by default for wider compatibility with non-AD systems 18272: Merged DEV/BELARUS/V3.2-2010_01_11 to V3.2 18257: ETHREEOH-4002: User/Group sync does not handle LDAP communication failures - Merged with corrections 18276: ETHREEOH-4002: Correction to previous checkin - modification dates are only persisted after successful processing of users and groups, so need to delete them on comms failure 18340: ETHREEOH-4069: LDAP sync cannot resolve DNs containing a slash character - Due to JNDI interpreting the slash character as a separator 18403: ETHREEOH-4008: LDAP sync should preserve case of group members - Was incorrectly extracting attributes from lower-cased DN 18846: ETHREEOH-4233: LDAP sync now synchronizes group display names - New ldap.synchronization.groupDisplayNameAttributeName property provides name of LDAP attribute 18877: (RECORD ONLY) Merged /alfresco/BRANCHES/V3.2:r18616 r18616 | markr | 2010-02-12 14:08:52 +0000 (Fri, 12 Feb 2010) | 1 line ETHREEOH-4181 - Access denied exception when deploying via avm deployment receiver 19319: ALF-2043: User ID case sensitivity issues with Sharepoint Connector and External Authentication Subsystem - DefaultRemoteUserMapper and AlfrescoUserGroupServiceHandler should use personService.getUserIdentifier() to 'normalize' a username according to case sensitivity settings - NtlmAuthenticationHandler should also leave the normalization to personService 19320: (RECORD ONLY) Incremented version label 19380: ALF-2043: Revisit user ID case sensitivity in DefaultRemoteUserMapper - Has to use public PersonService in case it is accessed outside of a transaction - Fixed regular expression matching - Added unit tests to try out all the remote user mapper options 19509: Merged PATCHES/V3.2.r to V3.2 18803: (RECORD ONLY) Created hotfix branch off V3.2.r-ENTERPRISE-FINAL 18833: (RECORD ONLY) Turn on Repo Doclib by default 19054: (RECORD ONLY) Merging V3.2 to PATCHES/V3.2.r 18787: MT: fix ETHREEOH-4125 - authority migration / batch processor (when upgrading groups from 3.1 to 3.2) 19358: (RECORD ONLY) Merged DEV/BELARUS/V3.2-2010_01_11 to PATCHES/V3.2.r 18699: ETHREEOH-4171: HTTP 500 when filling in a WCM webform 19447: (RECORD ONLY) Incremented version label 19518: ALF-757: Corrected audit config resource URL so that it resolves inside Tomcat as well as JUnit! 19525: ALF-708: Use BatchProcessor to process duplicate persons in small batches in SplitPersonCleanupBootstrapBean - Even tested in a unit test! git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@19536 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2010-03-24 13:49:03 +00:00
parent 769c7481c2
commit 822e6c5edb
5 changed files with 201 additions and 22 deletions
--- a/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapper.java
+++ b/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapper.java
@@ -24,14 +24,18 @@ import java.util.regex.Pattern;
 import javax.servlet.http.HttpServletRequest;

 import org.alfresco.repo.management.subsystems.ActivateableBean;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
+import org.alfresco.service.cmr.security.PersonService;

 /**
- * A default {@link RemoteUserMapper} implementation. Extracts the user ID using
- * {@link HttpServletRequest#getRemoteUser()}. If it matches the configured proxy user name or the configured proxy user
- * name is null, it extracts the user ID from the configured proxy request header. Otherwise returns the remote user
- * name. An optional regular expression defining how to convert the header to a user ID can be configured using
- * {@link #setUserIdPattern(String)}. This allows for the secure proxying of requests from a Surf client such as
- * Alfresco Share using SSL client certificates.
+ * A default {@link RemoteUserMapper} implementation. Extracts a user ID using
+ * {@link HttpServletRequest#getRemoteUser()} and optionally from a configured request header. If there is no configured
+ * proxy user name, it returns the request header user name if there is one, or the remote user name otherwise. If there
+ * is a configured proxy user, then it returns the request header user name if the remote user matches the proxy user,
+ * or the remote user otherwise. An optional regular expression defining how to convert the header to a user ID can be
+ * configured using {@link #setUserIdPattern(String)}. This allows for the secure proxying of requests from a Surf
+ * client such as Alfresco Share using SSL client certificates.
 * 
 * @author dward
 */
@@ -49,6 +53,9 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
    /** Regular expression for extracting a user ID from the header. */
    private Pattern userIdPattern;

+    /** The person service. */
+    private PersonService personService;
+
    /**
     * Sets the name of the remote user used to 'proxy' requests securely in the name of another user. Typically this
     * remote identity will be protected by an SSL client certificate.
@@ -70,7 +77,7 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
     */
    public void setProxyHeader(String proxyHeader)
    {
-        this.proxyHeader = proxyHeader;
+        this.proxyHeader = proxyHeader == null || proxyHeader.length() == 0 ? null : proxyHeader;
    }

    /**
@@ -98,6 +105,17 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
                .compile(userIdPattern);
    }

+    /**
+     * Sets the person service.
+     * 
+     * @param personService
+     *            the person service
+     */
+    public void setPersonService(PersonService personService)
+    {
+        this.personService = personService;
+    }
+
    /*
     * (non-Javadoc)
     * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(javax.servlet.http.HttpServletRequest)
@@ -108,26 +126,49 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
        {
            return null;
        }
+        String remoteUserId = request.getRemoteUser();
+        String headerUserId = extractUserFromProxyHeader(request);
        if (this.proxyUserName == null)
        {
-            return extractUserFromProxyHeader(request);
+            // Normalize the user ID taking into account case sensitivity settings
+            return normalizeUserId(headerUserId != null ? headerUserId : remoteUserId);
+        }
+        else if (remoteUserId == null)
+        {
+            return null;
        }
        else
        {
-            String userId = request.getRemoteUser();
-            if (userId == null)
-            {
-                return null;
-            }
-            if (userId.equals(this.proxyUserName))
-            {
-                userId = extractUserFromProxyHeader(request);
-            }
-            return userId;
+            // Normalize the user ID taking into account case sensitivity settings
+            return normalizeUserId(remoteUserId.equals(this.proxyUserName) ? headerUserId : remoteUserId);
        }
    }

-    /* (non-Javadoc)
+    /**
+     * Normalizes a user id, taking into account existing user accounts and case sensitivity settings.
+     * 
+     * @param userId
+     *            the user id
+     * @return the string
+     */
+    private String normalizeUserId(final String userId)
+    {
+        if (userId == null)
+        {
+            return null;
+        }
+        String normalized = AuthenticationUtil.runAs(new RunAsWork<String>()
+        {
+            public String doWork() throws Exception
+            {
+                return personService.getUserIdentifier(userId);
+            }
+        }, AuthenticationUtil.getSystemUserName());
+        return normalized == null ? userId : normalized;
+    }
+
+    /*
+     * (non-Javadoc)
     * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive()
     */
    public boolean isActive()
@@ -146,6 +187,10 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
     */
    private String extractUserFromProxyHeader(HttpServletRequest request)
    {
+        if (this.proxyHeader == null)
+        {
+            return null;
+        }
        String userId = request.getHeader(this.proxyHeader);
        if (userId == null)
        {
@@ -160,7 +205,7 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
            Matcher matcher = this.userIdPattern.matcher(userId);
            if (matcher.matches())
            {
-                userId = matcher.group().trim();
+                userId = matcher.group(1).trim();
            }
        }
        return userId.length() == 0 ? null : userId;