Merged V3.2 to HEAD:

19472: ALF-725: Revert to using jTDS JDBC driver for SQL Server in 3.2 SP1, since the Microsoft driver doesn't work with the v3.2.r iBATIS stuff
      - All example/installer alfresco-global.properties updated
      - Wiki updated http://wiki.alfresco.com/wiki/Database_Configuration#MS-SQL_Databases
      - Logged doc bug ALF-2144 and release note bug ALF-2145
   19501: Merged DEV/BELARUS/V3.2-2010_02_24 to V3.2 (with corrections)
      19243: ALF-757: Cannot start up on JBoss 5.1 due to audit configuration error
         - Removed getPath() method because it is incompatible with JBoss and other app servers where resources can't be resolved to a file
         - Now use Spring ResourceLoader instead of creating FileInputStream
         - getLastModified() still returned where the resource resolves to a file; otherwise the server startup time
   19503: (RECORD ONLY) ALF-2100: Merged HEAD to V3.2
      19155: ALF-1995: Removed remaining direct dependencies on portlet API from Alfresco Explorer classes
         - Moved into AlfrescoFacesPortlet
         - portlet.jar was removed from alfresco.war for Liferay compatibility
   19506: Merged PATCHES/V3.1.2 to V3.2
      19218: (RECORD ONLY) Created hotfix branch off TAGS/ENTERPRISE/V3.1.2
      19229: (RECORD ONLY) Merged V3.1 to V3.1.2
         18577: Fix for ETHREEOH-4117, based on CHK-11154
      19341: Merged DEV/BELARUS/V3.1-2010_02_05 to PATCHES/V3.1.2 (with corrections)
         19156: ALF-1906: splitPersonCleanUpBootstrapBean is not able to remove duplicated users
         Also
         - improved detection of 'split' persons
         - added unit tests for person splitting and deleting
         - fixed duplicate person caching and sorting problems
         - prevented onUpdateProperties from firing needlessly in PersonServiceImpl and AuthorityDAOImpl when persons and authorities are created initially
      19342: (RECORD ONLY) Incremented version number
   19508: Merged PATCHES/V3.2.0 to V3.2
      18762: (RECORD ONLY) Created hotfix branch off V3.2.0-ENTERPRISE-FINAL
      18789: (RECORD ONLY) Merged BRANCHES/V3.2:r17905,18254,18319 to PATCHES/V3.2.0
         r17905 | markr | 2010-01-06 16:55:12 +0000 (Wed, 06 Jan 2010) | 3 lines
            ETHREEOH-3809 - WCM - First test server deploy fails.
               added yet another transaction to read the previous snapshot transaction.
               added a new system test based upon the WCM services. The beginnings of testing against layered authored sandboxes.
         r18254 | janv | 2010-01-22 18:15:43 +0000 (Fri, 22 Jan 2010) | 1 line
            WCM/AVM - ETHREEOH-2057 (Submitting WCM Content through WF JSF Error - due to AVM Sync issue)
         r18319 | royw | 2010-01-27 12:18:27 +0000 (Wed, 27 Jan 2010) | 4 lines
            Merged BRANCHES/DEV/BELARUS/V3.2-2010_01_11 to V3.2
               18273: ETHREEOH-3834: WCM: An extra .xml.html file is created when editing newly created content
      18822: (RECORD ONLY) Merged DEV_TEMPORARY to PATCHES/V3.2.0
         18478: SAP XForms errors - ACT 15969
         18699: ETHREEOH-4171: HTTP 500 when filling in a WCM webform - ACT 15969
      18842: (RECORD ONLY) Merged V3.2 to PATCHES/V3.2.0
         18701: Merged DEV_TEMPORARY to V3.2
            18693: ETHREEOH-4182: ASR deployer fails to set the contentUrl of documents on the target system
               - Merged in fix related to closing output streams.
               - Increased coverage of unit test.
      18854: (RECORD ONLY) Merged V3.2 to V3.2.0
         18019: ETHREEOH-3770: LDAP sync now supports attribute range retrieval to get around limits imposed by Active Directory on multi-valued attributes
            - Meant that groups with more than 1000 members were getting truncated in Active Directory
            - Now switched on in ldap-ad and off in ldap subsystem
            - Also switched off result set paging in ldap subsystem by default for wider compatibility with non-AD systems
         18272: Merged DEV/BELARUS/V3.2-2010_01_11 to V3.2
            18257: ETHREEOH-4002: User/Group sync does not handle LDAP communication failures
               - Merged with corrections
         18276: ETHREEOH-4002: Correction to previous checkin - modification dates are only persisted after successful processing of users and groups, so need to delete them on comms failure
         18340: ETHREEOH-4069: LDAP sync cannot resolve DNs containing a slash character
            - Due to JNDI interpreting the slash character as a separator
         18403: ETHREEOH-4008: LDAP sync should preserve case of group members
            - Was incorrectly extracting attributes from lower-cased DN
         18846: ETHREEOH-4233: LDAP sync now synchronizes group display names
            - New ldap.synchronization.groupDisplayNameAttributeName property provides name of LDAP attribute
      18877: (RECORD ONLY) Merged /alfresco/BRANCHES/V3.2:r18616
         r18616 | markr | 2010-02-12 14:08:52 +0000 (Fri, 12 Feb 2010) | 1 line
            ETHREEOH-4181 - Access denied exception when deploying via avm deployment receiver
      19319: ALF-2043: User ID case sensitivity issues with Sharepoint Connector and External Authentication Subsystem
         - DefaultRemoteUserMapper and AlfrescoUserGroupServiceHandler should use personService.getUserIdentifier() to 'normalize' a username according to case sensitivity settings
         - NtlmAuthenticationHandler should also leave the normalization to personService
      19320: (RECORD ONLY) Incremented version label
      19380: ALF-2043: Revisit user ID case sensitivity in DefaultRemoteUserMapper
         - Has to use public PersonService in case it is accessed outside of a transaction
         - Fixed regular expression matching
         - Added unit tests to try out all the remote user mapper options
   19509: Merged PATCHES/V3.2.r to V3.2
      18803: (RECORD ONLY) Created hotfix branch off V3.2.r-ENTERPRISE-FINAL
      18833: (RECORD ONLY) Turn on Repo Doclib by default
      19054: (RECORD ONLY) Merging V3.2 to PATCHES/V3.2.r
         18787: MT: fix ETHREEOH-4125 - authority migration / batch processor (when upgrading groups from 3.1 to 3.2)
      19358: (RECORD ONLY) Merged DEV/BELARUS/V3.2-2010_01_11 to PATCHES/V3.2.r
         18699: ETHREEOH-4171: HTTP 500 when filling in a WCM webform
      19447: (RECORD ONLY) Incremented version label
   19518: ALF-757: Corrected audit config resource URL so that it resolves inside Tomcat as well as JUnit!
   19525: ALF-708: Use BatchProcessor to process duplicate persons in small batches in SplitPersonCleanupBootstrapBean
      - Even tested in a unit test!


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@19536 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Dave Ward
2010-03-24 13:49:03 +00:00
parent 769c7481c2
commit 822e6c5edb
5 changed files with 201 additions and 22 deletions

View File

@@ -16,6 +16,9 @@
<property name="userIdPattern"> <property name="userIdPattern">
<value>${external.authentication.userIdPattern}</value> <value>${external.authentication.userIdPattern}</value>
</property> </property>
<property name="personService">
<ref bean="PersonService" />
</property>
</bean> </bean>
</beans> </beans>
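Review bot: the new `<ref bean="PersonService" />` points at the capitalised, public (security-interceptor-wrapped) service rather than the lower-level `personService` bean; the commit message says this is deliberate because the mapper can be invoked outside a transaction. A one-line XML comment above `<property name="personService">` stating that would stop a later cleanup "fixing" it to the internal bean.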

View File

@@ -24,14 +24,18 @@ import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import org.alfresco.repo.management.subsystems.ActivateableBean; import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.service.cmr.security.PersonService;
/** /**
* A default {@link RemoteUserMapper} implementation. Extracts the user ID using * A default {@link RemoteUserMapper} implementation. Extracts a user ID using
* {@link HttpServletRequest#getRemoteUser()}. If it matches the configured proxy user name or the configured proxy user * {@link HttpServletRequest#getRemoteUser()} and optionally from a configured request header. If there is no configured
* name is null, it extracts the user ID from the configured proxy request header. Otherwise returns the remote user * proxy user name, it returns the request header user name if there is one, or the remote user name otherwise. If there
* name. An optional regular expression defining how to convert the header to a user ID can be configured using * is a configured proxy user, then it returns the request header user name if the remote user matches the proxy user,
* {@link #setUserIdPattern(String)}. This allows for the secure proxying of requests from a Surf client such as * or the remote user otherwise. An optional regular expression defining how to convert the header to a user ID can be
* Alfresco Share using SSL client certificates. * configured using {@link #setUserIdPattern(String)}. This allows for the secure proxying of requests from a Surf
* client such as Alfresco Share using SSL client certificates.
* *
* @author dward * @author dward
*/ */
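Review bot: the rewritten Javadoc omits the most user-visible change in this commit, namely that every returned ID is now passed through `PersonService.getUserIdentifier()` and therefore comes back in the stored case (`AdMiN` in the header yields `admin`); add a sentence saying so. It should also state plainly that when no proxy user is configured the request header, if present, takes precedence over `getRemoteUser()` (`headerUserId != null ? headerUserId : remoteUserId`), so deployers know that in that mode the header must only be settable by a trusted front end.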
@@ -49,6 +53,9 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
/** Regular expression for extracting a user ID from the header. */ /** Regular expression for extracting a user ID from the header. */
private Pattern userIdPattern; private Pattern userIdPattern;
/** The person service. */
private PersonService personService;
/** /**
* Sets the name of the remote user used to 'proxy' requests securely in the name of another user. Typically this * Sets the name of the remote user used to 'proxy' requests securely in the name of another user. Typically this
* remote identity will be protected by an SSL client certificate. * remote identity will be protected by an SSL client certificate.
@@ -70,7 +77,7 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
*/ */
public void setProxyHeader(String proxyHeader) public void setProxyHeader(String proxyHeader)
{ {
this.proxyHeader = proxyHeader; this.proxyHeader = proxyHeader == null || proxyHeader.length() == 0 ? null : proxyHeader;
} }
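Review bot: converting an empty `proxyHeader` to null is the right fix for property-driven configuration, but `testUnproxiedHeader` also sets `external.authentication.proxyUserName` to the empty string and expects the `this.proxyUserName == null` branch to run. This hunk does not show `setProxyUserName` doing the same empty-to-null conversion; confirm it does, otherwise an empty proxy user name would be compared against `getRemoteUser()` with `equals` and the unproxied test would take the wrong branch.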
/** /**
@@ -98,6 +105,17 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
.compile(userIdPattern); .compile(userIdPattern);
} }
/**
* Sets the person service.
*
* @param personService
* the person service
*/
public void setPersonService(PersonService personService)
{
this.personService = personService;
}
/* /*
* (non-Javadoc) * (non-Javadoc)
* @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(javax.servlet.http.HttpServletRequest) * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(javax.servlet.http.HttpServletRequest)
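Review bot: nothing verifies that `personService` was injected, and `normalizeUserId` dereferences it unconditionally inside the `runAs` block, so a mis-wired subsystem context would surface as a NullPointerException on the first mapped request rather than at startup. A mandatory-property check at initialisation (Alfresco's `PropertyCheck.mandatory` utility exists for this) or a null guard with a clear message in the setter would make the failure obvious.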
@@ -108,26 +126,49 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
{ {
return null; return null;
} }
String remoteUserId = request.getRemoteUser();
String headerUserId = extractUserFromProxyHeader(request);
if (this.proxyUserName == null) if (this.proxyUserName == null)
{ {
return extractUserFromProxyHeader(request); // Normalize the user ID taking into account case sensitivity settings
return normalizeUserId(headerUserId != null ? headerUserId : remoteUserId);
}
else if (remoteUserId == null)
{
return null;
} }
else else
{ {
String userId = request.getRemoteUser(); // Normalize the user ID taking into account case sensitivity settings
return normalizeUserId(remoteUserId.equals(this.proxyUserName) ? headerUserId : remoteUserId);
}
}
/**
* Normalizes a user id, taking into account existing user accounts and case sensitivity settings.
*
* @param userId
* the user id
* @return the string
*/
private String normalizeUserId(final String userId)
{
if (userId == null) if (userId == null)
{ {
return null; return null;
} }
if (userId.equals(this.proxyUserName)) String normalized = AuthenticationUtil.runAs(new RunAsWork<String>()
{ {
userId = extractUserFromProxyHeader(request); public String doWork() throws Exception
} {
return userId; return personService.getUserIdentifier(userId);
} }
}, AuthenticationUtil.getSystemUserName());
return normalized == null ? userId : normalized;
} }
/* (non-Javadoc) /*
* (non-Javadoc)
* @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive() * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive()
*/ */
public boolean isActive() public boolean isActive()
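Review bot: in the `proxyUserName == null` branch the header now wins over `getRemoteUser()` whenever both are present, with the container user used only as a fallback, whereas the old code consulted nothing but the header in that mode. The header was therefore already trusted there; what is new is that this mode is now usable with container authentication, which makes the header-over-container precedence a point to state in the commit message and Javadoc so that deployments relying on container authentication strip the header at the front end. Two smaller points: `@return the string` on `normalizeUserId` should say it returns the person service's canonical identifier, or the input unchanged when no such person exists (`normalized == null ? userId : normalized`); and the `else if (remoteUserId == null) return null` branch, which rejects a header-only request once a proxy user is configured, deserves a comment because it is the check that stops the header being honoured from an unauthenticated connection.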
@@ -146,6 +187,10 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
*/ */
private String extractUserFromProxyHeader(HttpServletRequest request) private String extractUserFromProxyHeader(HttpServletRequest request)
{ {
if (this.proxyHeader == null)
{
return null;
}
String userId = request.getHeader(this.proxyHeader); String userId = request.getHeader(this.proxyHeader);
if (userId == null) if (userId == null)
{ {
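Review bot: with this guard, a request whose remote user equals `proxyUserName` but that carries no header resolves to `normalizeUserId(null)`, i.e. null, so the proxy identity itself is never handed back as a user; that is the intended outcome but `DefaultRemoteUserMapperTest` has no case for it (remote user `bob`, proxy user `bob`, header absent). Worth adding next to the existing null-remote-user case, and the same guard means a `proxyHeader` left unset silently disables the proxied mode, which the property documentation should mention.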
@@ -160,7 +205,7 @@ public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBe
Matcher matcher = this.userIdPattern.matcher(userId); Matcher matcher = this.userIdPattern.matcher(userId);
if (matcher.matches()) if (matcher.matches())
{ {
userId = matcher.group().trim(); userId = matcher.group(1).trim();
} }
} }
return userId.length() == 0 ? null : userId; return userId.length() == 0 ? null : userId;
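Review bot: `matcher.group(1)` throws IndexOutOfBoundsException if the configured `userIdPattern` contains no capturing group (the previous `group()` accepted any pattern), and that exception would be raised on every request carrying the header rather than at configuration time. Either fail fast in `setUserIdPattern` by checking `Pattern.compile(userIdPattern).matcher("").groupCount() >= 1` with a clear message, or document on the property that exactly one capturing group is required, as in the test's `abc-(.*)-999`.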

View File

@@ -0,0 +1,125 @@
/*
* Copyright (C) 2005-2010 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have received a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.web.app.servlet;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import javax.servlet.http.HttpServletRequest;
import org.alfresco.repo.management.subsystems.AbstractChainedSubsystemTest;
import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager;
import org.alfresco.util.ApplicationContextHelper;
import org.springframework.context.ApplicationContext;
/**
* @author dward
*
*/
public class DefaultRemoteUserMapperTest extends AbstractChainedSubsystemTest
{
ApplicationContext ctx = ApplicationContextHelper.getApplicationContext();
DefaultChildApplicationContextManager childApplicationContextManager;
ChildApplicationContextFactory childApplicationContextFactory;
/* (non-Javadoc)
* @see junit.framework.TestCase#setUp()
*/
@Override
protected void setUp() throws Exception
{
childApplicationContextManager = (DefaultChildApplicationContextManager) ctx.getBean("Authentication");
childApplicationContextManager.stop();
childApplicationContextManager.setProperty("chain", "external1:external");
childApplicationContextFactory = getChildApplicationContextFactory(childApplicationContextManager, "external1");
}
/* (non-Javadoc)
* @see junit.framework.TestCase#tearDown()
*/
@Override
protected void tearDown() throws Exception
{
childApplicationContextManager.destroy();
childApplicationContextManager = null;
childApplicationContextFactory = null;
}
public void testUnproxiedHeader() throws Exception
{
// Clear the proxy user name
childApplicationContextFactory.stop();
childApplicationContextFactory.setProperty("external.authentication.proxyUserName", "");
// Mock a request with a username in the header
HttpServletRequest mockRequest = mock(HttpServletRequest.class);
when(mockRequest.getHeader("X-Alfresco-Remote-User")).thenReturn("AdMiN");
assertEquals("admin", ((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean(
"remoteUserMapper")).getRemoteUser(mockRequest));
// Mock an unauthenticated request
when(mockRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(null);
assertNull(((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean(
"remoteUserMapper")).getRemoteUser(mockRequest));
// Mock a remote user request
when(mockRequest.getRemoteUser()).thenReturn("ADMIN");
assertEquals("admin", ((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean(
"remoteUserMapper")).getRemoteUser(mockRequest));
}
public void testProxiedHeader() throws Exception
{
// Set the proxy user name
childApplicationContextFactory.stop();
childApplicationContextFactory.setProperty("external.authentication.proxyUserName", "bob");
// Mock a request with both a user and a header
HttpServletRequest mockRequest = mock(HttpServletRequest.class);
when(mockRequest.getRemoteUser()).thenReturn("bob");
when(mockRequest.getHeader("X-Alfresco-Remote-User")).thenReturn("AdMiN");
assertEquals("admin", ((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean(
"remoteUserMapper")).getRemoteUser(mockRequest));
// Now try header pattern matching
childApplicationContextFactory.stop();
childApplicationContextFactory.setProperty("external.authentication.userIdPattern", "abc-(.*)-999");
when(mockRequest.getHeader("X-Alfresco-Remote-User")).thenReturn("abc-AdMiN-999");
assertEquals("admin", ((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean(
"remoteUserMapper")).getRemoteUser(mockRequest));
// Try a request without the remote user
when(mockRequest.getRemoteUser()).thenReturn(null);
assertNull(((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean(
"remoteUserMapper")).getRemoteUser(mockRequest));
}
}
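Review bot: `testProxiedHeader` never exercises the branch where the remote user is authenticated but is not the proxy user (`remoteUserId.equals(this.proxyUserName)` false), which is the case that proves a non-proxy principal cannot pick another identity by setting the header: with proxy user `bob`, `getRemoteUser()` returning `ADMIN` and the header set to a different name should yield `admin` and ignore the header. Also missing are a name that matches no person (normalisation should return the input unchanged) and a header that does not match `userIdPattern`. Style: the repeated `((RemoteUserMapper) childApplicationContextFactory.getApplicationContext().getBean("remoteUserMapper"))` would read better as a small helper method.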

View File

@@ -67,10 +67,16 @@ public class BasicAuthenticationHandler extends AbstractAuthenticationHandler
try try
{ {
if (logger.isDebugEnabled()) if (logger.isDebugEnabled())
logger.debug("Authenticate the user '" + username + "'"); logger.debug("Authenticating user '" + username + "'");
authenticationService.authenticate(username, password.toCharArray()); authenticationService.authenticate(username, password.toCharArray());
// Normalize the user ID taking into account case sensitivity settings
username = authenticationService.getCurrentUserName();
if (logger.isDebugEnabled())
logger.debug("Authenticated user '" + username + "'");
if (mapper.isSiteMember(request, alfrescoContext, username)) if (mapper.isSiteMember(request, alfrescoContext, username))
{ {
user = new User(username, authenticationService.getCurrentTicket(session.getId()), personService.getPerson(username)); user = new User(username, authenticationService.getCurrentTicket(session.getId()), personService.getPerson(username));
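Review bot: reassigning `username` from `authenticationService.getCurrentUserName()` after a successful `authenticate()` is the right place to pick up the canonical identifier, and the visible lines use it consistently for `isSiteMember` and `getPerson`; what the hunk cannot show is whether the original, unnormalised value is still referenced further down the method, for example when the `User` object is stored in the session or in later logging, so check the remainder of the method for stale uses of the raw name.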

View File

@@ -417,7 +417,7 @@ public class NtlmAuthenticationHandler extends AbstractAuthenticationHandler imp
} }
// Check if the user has been authenticated, if so then setup the user environment // Check if the user has been authenticated, if so then setup the user environment
if (authenticated == true && callback.isSiteMember(request, alfrescoContext, userName.toLowerCase())) if (authenticated == true && callback.isSiteMember(request, alfrescoContext, userName))
{ {
String uri = request.getRequestURI(); String uri = request.getRequestURI();
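Review bot: dropping `toLowerCase()` makes the `isSiteMember` check depend on `userName` already being the person service's canonical identifier, which the commit message says NTLM now leaves to PersonService, but nothing in this hunk shows where that normalisation happens; confirm it is applied before this point, otherwise site-membership lookups for mixed-case NTLM account names become stricter than before. Style: `authenticated == true` should be written `authenticated`.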