inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged V3.2 to HEAD

Browse Source 
16662: LDAP sync: improved group association filtering, referential integrity checking, deletion strategy and performance tuning of batch sizes
   16648: ETHREEOH-2752: Improved ticket validation fix
      - Invalidate user's tickets during person deletion rather than validation or it can mess up chained validation
   16647: ETHREEOH-2534: Fixed Sharepoint NTLM authentication
      - user details were never getting cached in the session
   16579: Small improvement to LDAP error reporting
      - Committed errors counted before successes in a logging interval
   16515: LDAP sync performance
      - Improved full sync strategy - run differential queries to work out required updates/additions and full queries to work out required deletions. Saves updating unchanged nodes.
      - Use a TreeSet rather than a HashSet to gather group associations in an attempt to avoid blowing the heap size
   16498: More LDAP performance improvements
      - Uses thread pool with 4 worker threads and blocking queue to process returned results. The number of worker threads can be controlled by the synchronization.workerThreads property.
      - Switched LDAP connection pooling back on again
      - Group Associations processsed individually so that errors are collated and we get a better idea of their throughput
      - Fixed potential bug. Group membership resolution done with isolated LDAP context to avoid cookies from paging creeping in.
   16424: Try switching off LDAP connection pooling to see if it works better with our flaky server.
   16414: Further LDAP fault tolerance
      - Log causes of group member resolution failures where possible
   16413: More fault tolerance for LDAP sync
      - Always commit last sync times before overall sync is complete to avoid the 'forgetting' of differential sync information
      - DN comparisons should be case insensitive to avoid issues resolving DNs to user and group IDs
   16398: Improved monitoring and fault tolerance for LDAP sync
      - When the batch is complete a summary of the number of errors and the last error stack trace will be logged at ERROR level
      - Each individual error is logged at WARN level and progress information (including % complete) is collated and logged at INFO level after a configurable interval
      - In the Enterprise Edition all metrics can be monitored in real time through JMX
      - Sanity testing to be performed by Mike!
   16319: Merged HEAD to V3.2
      16316: ALFCOM-3397: JBoss 5 compatibility fix
         - Relative paths used by LDAP subsystem configuration weren't being resolved correctly
         - See also https://jira.jboss.org/jira/browse/JBAS-6548 and https://jira.springsource.org/browse/SPR-5120
   16272: ETHREEOH-2752: Once more with feeling!
   16261: ETHREEOH-2752: Correct exception propagation.
   16260: ETHREEOH-2752: Fix ticket validation
      - Current ticket was getting forgotten by previous fix
      - Person validation in CHECK mode now done AFTER the current user is set, so that the current ticket is remembered
   16243: ETHREEOH-2752: Improve ticket validation used by all authentication filters
      - Now takes into account whether person actually exists or not
      - Tickets for non-nonexistent persons are now considered invalid and cached session information is invalidated
      - New BaseAuthenticationFilter superclass for all authentication filters
      - Improved fix to ETHREEOH-2839: WebDAV user is cached consistently using a different session attribute from the Web Client
   16233: ETHREEOH-2754: Correction to previous checkin.
      - relogin for SSO authentication, logout for normal login page
      - logout is default
   16232: ETHREEOH-2754: Log Out Action outcome passed as a parameter
      - relogin for SSO authentication, login for normal login page
      - Means the log out link always leads to the correct place, even when the session has expired
      - Also lowered ticket validation error logging to DEBUG level to avoid unnecessary noise in the logs from expired sessions
   16220: ETHREEOH-2839: Fixed potential ClassCastExceptions when Alfresco accessed via WebDAV and Web Client links in same browser
      - WebDAV side no longer directly casts session user to a WebDAVUser
      - ContextListener no longer casts session user to web client user
      - Web client side will 'promote' session user to a web client User if necessary via AuthenticationHelper
      - All authentication filters made to use appropriate AuthenticationHelper methods
   16211: ETHREEOH-2835: LDAP sync batches user and group deletions as well as creations
      - Also improved logging of sync failures
   16197: ETHREEOH-2782: LDAP subsystems now support search-based user DN resolution
      - When ldap.authentication.userNameFormat isn't set (now the default) converts a user ID to a DN by running ldap.synchronization.personQuery with an extra condition tacked on the end to find the user by ID
      - Structured directories and authentication by attributes not in the DN such as email address now supported
   16189: ALFCOM-3283: Prevent errors when user accepts an invite when not logged in
      - new isGuest attribute propagated to user object
      - header component (used by accept-invite page) needs to avoid calling prefs and site webscripts for guest user
      - Conditional stuff in header template changed to use user.isGuest


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16896 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Dave Ward
2009-10-14 09:24:13 +00:00
parent e096d59076
commit 85c1b71826
24 changed files with 2372 additions and 809 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java
View File

@@ -191,19 +191,12 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
throw new UnsupportedOperationException();
}
public Authentication setCurrentUser(String userName, UserNameValidationMode validationMode)
public Authentication setCurrentUser(final String userName) throws AuthenticationException
{
switch (validationMode)
{
case NONE:
return setCurrentUserImpl(userName);
case CHECK_AND_FIX:
default:
return setCurrentUser(userName);
}
return setCurrentUser(userName, UserNameValidationMode.CHECK_AND_FIX);
}
public Authentication setCurrentUser(final String userName) throws AuthenticationException
public Authentication setCurrentUser(String userName, UserNameValidationMode validationMode)
{
if (isSystemUserName(userName))
{
@@ -211,28 +204,32 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
}
else
{
SetCurrentUserCallback callback = new SetCurrentUserCallback(userName);
Authentication auth;
// If the repository is read only, we have to settle for a read only transaction. Auto user creation will
// not be possible.
CurrentUserCallback callback = validationMode == UserNameValidationMode.CHECK_AND_FIX ? new FixCurrentUserCallback(
userName)
: new CheckCurrentUserCallback(userName);
Authentication authentication;
// If the repository is read only, we have to settle for a read only transaction. Auto user creation
// will not be possible.
if (transactionService.isReadOnly())
{
auth = transactionService.getRetryingTransactionHelper().doInTransaction(callback, true, false);
authentication = transactionService.getRetryingTransactionHelper().doInTransaction(callback, true,
false);
}
// Otherwise, we want a writeable transaction, so if the current transaction is read only we set the
// requiresNew flag to true
else
{
auth = transactionService.getRetryingTransactionHelper().doInTransaction(callback, false,
authentication = transactionService.getRetryingTransactionHelper().doInTransaction(callback, false,
AlfrescoTransactionSupport.getTransactionReadState() == TxnReadState.TXN_READ_ONLY);
}
if ((auth == null) || (callback.ae != null))
if ((authentication == null) || (callback.ae != null))
{
throw callback.ae;
}
return auth;
return authentication;
}
}
/**
* Explicitly set the current user to be authenticated.
@@ -451,37 +448,87 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
authenticationContext.clearCurrentSecurityContext();
}
class SetCurrentUserCallback implements RetryingTransactionHelper.RetryingTransactionCallback<Authentication>
abstract class CurrentUserCallback implements RetryingTransactionHelper.RetryingTransactionCallback<Authentication>
{
AuthenticationException ae = null;
String userName;
SetCurrentUserCallback(String userName)
CurrentUserCallback(String userName)
{
this.userName = userName;
}
}
class CheckCurrentUserCallback extends CurrentUserCallback
{
CheckCurrentUserCallback(String userName)
{
super(userName);
}
public Authentication execute() throws Throwable
{
try
{
String name = AuthenticationUtil.runAs(new RunAsWork<String>()
// We must set full authentication before calling runAs in order to retain tickets
Authentication authentication = setCurrentUserImpl(userName);
AuthenticationUtil.runAs(new RunAsWork<Object>()
{
public Object doWork() throws Exception
{
if (!personService.personExists(userName)
|| !nodeService.getProperty(personService.getPerson(userName),
ContentModel.PROP_USERNAME).equals(userName))
{
if (logger.isDebugEnabled())
{
logger.debug("User \"" + userName
+ "\" does not exist in Alfresco. Failing validation.");
}
throw new AuthenticationException("User \"" + userName + "\" does not exist in Alfresco");
}
return null;
}
}, getSystemUserName(getUserDomain(userName)));
return authentication;
}
catch (AuthenticationException ae)
{
this.ae = ae;
return null;
}
}
}
class FixCurrentUserCallback extends CurrentUserCallback
{
FixCurrentUserCallback(String userName)
{
super(userName);
}
public Authentication execute() throws Throwable
{
try
{
return setCurrentUserImpl(AuthenticationUtil.runAs(new RunAsWork<String>()
{
public String doWork() throws Exception
{
if (!personService.personExists(userName))
{
if (logger.isDebugEnabled())
if (logger.isDebugEnabled())
{
logger.debug("User \"" + userName
+ "\" does not exist in Alfresco. Attempting to import / create the user.");
logger.debug("User \"" + userName
+ "\" does not exist in Alfresco. Attempting to import / create the user.");
}
if (!userRegistrySynchronizer.createMissingPerson(userName))
if (!userRegistrySynchronizer.createMissingPerson(userName))
{
if (logger.isDebugEnabled())
{
logger.debug("Failed to import / create user \"" + userName + '"');
logger.debug("Failed to import / create user \"" + userName + '"');
}
throw new AuthenticationException("User \"" + userName
+ "\" does not exist in Alfresco");
@@ -492,9 +539,7 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
// checks
return (String) nodeService.getProperty(userNode, ContentModel.PROP_USERNAME);
}
}, getSystemUserName(getUserDomain(userName)));
return setCurrentUserImpl(name);
}, getSystemUserName(getUserDomain(userName))));
}
catch (AuthenticationException ae)
{

2
source/java/org/alfresco/repo/security/authentication/AuthenticationComponent.java
View File

@@ -32,7 +32,7 @@ public interface AuthenticationComponent extends AuthenticationContext
{
public enum UserNameValidationMode
{
NONE, CHECK_AND_FIX;
CHECK, CHECK_AND_FIX;
}
/**

12
source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
View File

@@ -174,18 +174,20 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
public void validate(String ticket) throws AuthenticationException
{
String currentUser = null;
try
{
// clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'authenticate' above
clearCurrentSecurityContext();
authenticationComponent.setCurrentUser(ticketComponent.validateTicket(ticket), UserNameValidationMode.NONE);
// clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'authenticate' above
clearCurrentSecurityContext();
currentUser = ticketComponent.validateTicket(ticket);
authenticationComponent.setCurrentUser(currentUser, UserNameValidationMode.CHECK);
}
catch(AuthenticationException ae)
catch (AuthenticationException ae)
{
clearCurrentSecurityContext();
throw ae;
}
}
}
public String getCurrentTicket()

40
source/java/org/alfresco/repo/security/authentication/ldap/LDAPAuthenticationComponentImpl.java
View File

@@ -30,13 +30,17 @@ import javax.naming.directory.InitialDirContext;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.sync.ldap.LDAPNameResolver;
import org.springframework.beans.factory.InitializingBean;
/**
* Currently expects the cn name of the user which is in a fixed location.
* Authenticates a user by LDAP. To convert the user name to an LDAP DN, it uses the fixed format in
* <code>userNameFormat</code> if set, or calls the {@link LDAPNameResolver} otherwise.
*
* @author Andy Hind
*/
public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationComponent implements ActivateableBean
public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationComponent implements InitializingBean,
ActivateableBean
{
private boolean escapeCommasInBind = false;
@@ -45,6 +49,8 @@ public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationCompo
private boolean active = true;
private String userNameFormat;
private LDAPNameResolver ldapNameResolver;
private LDAPInitialDirContextFactory ldapInitialContextFactory;
@@ -60,9 +66,14 @@ public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationCompo
public void setUserNameFormat(String userNameFormat)
{
this.userNameFormat = userNameFormat;
this.userNameFormat = userNameFormat == null || userNameFormat.length() == 0 ? null : userNameFormat;
}
public void setLdapNameResolver(LDAPNameResolver ldapNameResolver)
{
this.ldapNameResolver = ldapNameResolver;
}
public void setEscapeCommasInBind(boolean escapeCommasInBind)
{
this.escapeCommasInBind = escapeCommasInBind;
@@ -85,6 +96,18 @@ public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationCompo
public boolean isActive()
{
return this.active;
}
/*
* (non-Javadoc)
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
*/
public void afterPropertiesSet() throws Exception
{
if (this.ldapNameResolver == null && this.userNameFormat == null)
{
throw new IllegalStateException("At least one of ldapNameResolver and userNameFormat must be set");
}
}
/**
@@ -92,10 +115,17 @@ public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationCompo
*/
protected void authenticateImpl(String userName, char[] password) throws AuthenticationException
{
// If we aren't using a fixed name format, do a search to resolve the user DN
String userDN = userNameFormat == null ? ldapNameResolver.resolveDistinguishedName(userName) : String.format(
userNameFormat, new Object[]
{
escapeUserName(userName, escapeCommasInBind)
});
InitialDirContext ctx = null;
try
{
ctx = ldapInitialContextFactory.getInitialDirContext(String.format(userNameFormat, new Object[] { escapeUserName(userName, escapeCommasInBind) }), new String(password));
ctx = ldapInitialContextFactory.getInitialDirContext(userDN, new String(password));
// Authentication has been successful.
// Set the current user, they are now authenticated.

3
source/java/org/alfresco/repo/security/authentication/ldap/LDAPInitialDirContextFactoryImpl.java
View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
* Copyright (C) 2005-2009 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -87,6 +87,7 @@ public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFa
Hashtable<String, String> env = new Hashtable<String, String>(initialDirContextEnvironment.size());
env.putAll(initialDirContextEnvironment);
env.put("javax.security.auth.useSubjectCredsOnly", "false");
env.put("com.sun.jndi.ldap.connect.pool", "true"); // Pool the default connection
return buildInitialDirContext(env, pageSize);
}