mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
Merged V3.2 to HEAD
16662: LDAP sync: improved group association filtering, referential integrity checking, deletion strategy and performance tuning of batch sizes
16648: ETHREEOH-2752: Improved ticket validation fix
- Invalidate user's tickets during person deletion rather than validation or it can mess up chained validation
16647: ETHREEOH-2534: Fixed Sharepoint NTLM authentication
- user details were never getting cached in the session
16579: Small improvement to LDAP error reporting
- Committed errors counted before successes in a logging interval
16515: LDAP sync performance
- Improved full sync strategy - run differential queries to work out required updates/additions and full queries to work out required deletions. Saves updating unchanged nodes.
- Use a TreeSet rather than a HashSet to gather group associations in an attempt to avoid blowing the heap size
16498: More LDAP performance improvements
- Uses thread pool with 4 worker threads and blocking queue to process returned results. The number of worker threads can be controlled by the synchronization.workerThreads property.
- Switched LDAP connection pooling back on again
- Group Associations processsed individually so that errors are collated and we get a better idea of their throughput
- Fixed potential bug. Group membership resolution done with isolated LDAP context to avoid cookies from paging creeping in.
16424: Try switching off LDAP connection pooling to see if it works better with our flaky server.
16414: Further LDAP fault tolerance
- Log causes of group member resolution failures where possible
16413: More fault tolerance for LDAP sync
- Always commit last sync times before overall sync is complete to avoid the 'forgetting' of differential sync information
- DN comparisons should be case insensitive to avoid issues resolving DNs to user and group IDs
16398: Improved monitoring and fault tolerance for LDAP sync
- When the batch is complete a summary of the number of errors and the last error stack trace will be logged at ERROR level
- Each individual error is logged at WARN level and progress information (including % complete) is collated and logged at INFO level after a configurable interval
- In the Enterprise Edition all metrics can be monitored in real time through JMX
- Sanity testing to be performed by Mike!
16319: Merged HEAD to V3.2
16316: ALFCOM-3397: JBoss 5 compatibility fix
- Relative paths used by LDAP subsystem configuration weren't being resolved correctly
- See also https://jira.jboss.org/jira/browse/JBAS-6548 and https://jira.springsource.org/browse/SPR-5120
16272: ETHREEOH-2752: Once more with feeling!
16261: ETHREEOH-2752: Correct exception propagation.
16260: ETHREEOH-2752: Fix ticket validation
- Current ticket was getting forgotten by previous fix
- Person validation in CHECK mode now done AFTER the current user is set, so that the current ticket is remembered
16243: ETHREEOH-2752: Improve ticket validation used by all authentication filters
- Now takes into account whether person actually exists or not
- Tickets for non-nonexistent persons are now considered invalid and cached session information is invalidated
- New BaseAuthenticationFilter superclass for all authentication filters
- Improved fix to ETHREEOH-2839: WebDAV user is cached consistently using a different session attribute from the Web Client
16233: ETHREEOH-2754: Correction to previous checkin.
- relogin for SSO authentication, logout for normal login page
- logout is default
16232: ETHREEOH-2754: Log Out Action outcome passed as a parameter
- relogin for SSO authentication, login for normal login page
- Means the log out link always leads to the correct place, even when the session has expired
- Also lowered ticket validation error logging to DEBUG level to avoid unnecessary noise in the logs from expired sessions
16220: ETHREEOH-2839: Fixed potential ClassCastExceptions when Alfresco accessed via WebDAV and Web Client links in same browser
- WebDAV side no longer directly casts session user to a WebDAVUser
- ContextListener no longer casts session user to web client user
- Web client side will 'promote' session user to a web client User if necessary via AuthenticationHelper
- All authentication filters made to use appropriate AuthenticationHelper methods
16211: ETHREEOH-2835: LDAP sync batches user and group deletions as well as creations
- Also improved logging of sync failures
16197: ETHREEOH-2782: LDAP subsystems now support search-based user DN resolution
- When ldap.authentication.userNameFormat isn't set (now the default) converts a user ID to a DN by running ldap.synchronization.personQuery with an extra condition tacked on the end to find the user by ID
- Structured directories and authentication by attributes not in the DN such as email address now supported
16189: ALFCOM-3283: Prevent errors when user accepts an invite when not logged in
- new isGuest attribute propagated to user object
- header component (used by accept-invite page) needs to avoid calling prefs and site webscripts for guest user
- Conditional stuff in header template changed to use user.isGuest
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16896 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Dave Ward
@@ -191,19 +191,12 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
|
||||
throw new UnsupportedOperationException();
|
||||
}
|
||||
|
||||
public Authentication setCurrentUser(String userName, UserNameValidationMode validationMode)
|
||||
public Authentication setCurrentUser(final String userName) throws AuthenticationException
|
||||
{
|
||||
switch (validationMode)
|
||||
{
|
||||
case NONE:
|
||||
return setCurrentUserImpl(userName);
|
||||
case CHECK_AND_FIX:
|
||||
default:
|
||||
return setCurrentUser(userName);
|
||||
}
|
||||
return setCurrentUser(userName, UserNameValidationMode.CHECK_AND_FIX);
|
||||
}
|
||||
|
||||
public Authentication setCurrentUser(final String userName) throws AuthenticationException
|
||||
public Authentication setCurrentUser(String userName, UserNameValidationMode validationMode)
|
||||
{
|
||||
if (isSystemUserName(userName))
|
||||
{
|
||||
@@ -211,28 +204,32 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
|
||||
}
|
||||
else
|
||||
{
|
||||
SetCurrentUserCallback callback = new SetCurrentUserCallback(userName);
|
||||
Authentication auth;
|
||||
// If the repository is read only, we have to settle for a read only transaction. Auto user creation will
|
||||
// not be possible.
|
||||
CurrentUserCallback callback = validationMode == UserNameValidationMode.CHECK_AND_FIX ? new FixCurrentUserCallback(
|
||||
userName)
|
||||
: new CheckCurrentUserCallback(userName);
|
||||
Authentication authentication;
|
||||
// If the repository is read only, we have to settle for a read only transaction. Auto user creation
|
||||
// will not be possible.
|
||||
if (transactionService.isReadOnly())
|
||||
{
|
||||
auth = transactionService.getRetryingTransactionHelper().doInTransaction(callback, true, false);
|
||||
authentication = transactionService.getRetryingTransactionHelper().doInTransaction(callback, true,
|
||||
false);
|
||||
}
|
||||
// Otherwise, we want a writeable transaction, so if the current transaction is read only we set the
|
||||
// requiresNew flag to true
|
||||
else
|
||||
{
|
||||
auth = transactionService.getRetryingTransactionHelper().doInTransaction(callback, false,
|
||||
authentication = transactionService.getRetryingTransactionHelper().doInTransaction(callback, false,
|
||||
AlfrescoTransactionSupport.getTransactionReadState() == TxnReadState.TXN_READ_ONLY);
|
||||
}
|
||||
if ((auth == null) || (callback.ae != null))
|
||||
if ((authentication == null) || (callback.ae != null))
|
||||
{
|
||||
throw callback.ae;
|
||||
}
|
||||
return auth;
|
||||
return authentication;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Explicitly set the current user to be authenticated.
|
||||
@@ -451,37 +448,87 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
|
||||
authenticationContext.clearCurrentSecurityContext();
|
||||
}
|
||||
|
||||
class SetCurrentUserCallback implements RetryingTransactionHelper.RetryingTransactionCallback<Authentication>
|
||||
abstract class CurrentUserCallback implements RetryingTransactionHelper.RetryingTransactionCallback<Authentication>
|
||||
{
|
||||
AuthenticationException ae = null;
|
||||
|
||||
String userName;
|
||||
|
||||
SetCurrentUserCallback(String userName)
|
||||
CurrentUserCallback(String userName)
|
||||
{
|
||||
this.userName = userName;
|
||||
}
|
||||
}
|
||||
|
||||
class CheckCurrentUserCallback extends CurrentUserCallback
|
||||
{
|
||||
|
||||
CheckCurrentUserCallback(String userName)
|
||||
{
|
||||
super(userName);
|
||||
}
|
||||
|
||||
public Authentication execute() throws Throwable
|
||||
{
|
||||
try
|
||||
{
|
||||
String name = AuthenticationUtil.runAs(new RunAsWork<String>()
|
||||
// We must set full authentication before calling runAs in order to retain tickets
|
||||
Authentication authentication = setCurrentUserImpl(userName);
|
||||
AuthenticationUtil.runAs(new RunAsWork<Object>()
|
||||
{
|
||||
public Object doWork() throws Exception
|
||||
{
|
||||
if (!personService.personExists(userName)
|
||||
|| !nodeService.getProperty(personService.getPerson(userName),
|
||||
ContentModel.PROP_USERNAME).equals(userName))
|
||||
{
|
||||
if (logger.isDebugEnabled())
|
||||
{
|
||||
logger.debug("User \"" + userName
|
||||
+ "\" does not exist in Alfresco. Failing validation.");
|
||||
}
|
||||
throw new AuthenticationException("User \"" + userName + "\" does not exist in Alfresco");
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}, getSystemUserName(getUserDomain(userName)));
|
||||
return authentication;
|
||||
}
|
||||
catch (AuthenticationException ae)
|
||||
{
|
||||
this.ae = ae;
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
class FixCurrentUserCallback extends CurrentUserCallback
|
||||
{
|
||||
FixCurrentUserCallback(String userName)
|
||||
{
|
||||
super(userName);
|
||||
}
|
||||
|
||||
public Authentication execute() throws Throwable
|
||||
{
|
||||
try
|
||||
{
|
||||
return setCurrentUserImpl(AuthenticationUtil.runAs(new RunAsWork<String>()
|
||||
{
|
||||
public String doWork() throws Exception
|
||||
{
|
||||
if (!personService.personExists(userName))
|
||||
{
|
||||
if (logger.isDebugEnabled())
|
||||
if (logger.isDebugEnabled())
|
||||
{
|
||||
logger.debug("User \"" + userName
|
||||
+ "\" does not exist in Alfresco. Attempting to import / create the user.");
|
||||
logger.debug("User \"" + userName
|
||||
+ "\" does not exist in Alfresco. Attempting to import / create the user.");
|
||||
}
|
||||
if (!userRegistrySynchronizer.createMissingPerson(userName))
|
||||
if (!userRegistrySynchronizer.createMissingPerson(userName))
|
||||
{
|
||||
if (logger.isDebugEnabled())
|
||||
{
|
||||
logger.debug("Failed to import / create user \"" + userName + '"');
|
||||
logger.debug("Failed to import / create user \"" + userName + '"');
|
||||
}
|
||||
throw new AuthenticationException("User \"" + userName
|
||||
+ "\" does not exist in Alfresco");
|
||||
@@ -492,9 +539,7 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC
|
||||
// checks
|
||||
return (String) nodeService.getProperty(userNode, ContentModel.PROP_USERNAME);
|
||||
}
|
||||
}, getSystemUserName(getUserDomain(userName)));
|
||||
|
||||
return setCurrentUserImpl(name);
|
||||
}, getSystemUserName(getUserDomain(userName))));
|
||||
}
|
||||
catch (AuthenticationException ae)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user