mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
Merged V3.2 to HEAD
16662: LDAP sync: improved group association filtering, referential integrity checking, deletion strategy and performance tuning of batch sizes
16648: ETHREEOH-2752: Improved ticket validation fix
- Invalidate user's tickets during person deletion rather than validation or it can mess up chained validation
16647: ETHREEOH-2534: Fixed Sharepoint NTLM authentication
- user details were never getting cached in the session
16579: Small improvement to LDAP error reporting
- Committed errors counted before successes in a logging interval
16515: LDAP sync performance
- Improved full sync strategy - run differential queries to work out required updates/additions and full queries to work out required deletions. Saves updating unchanged nodes.
- Use a TreeSet rather than a HashSet to gather group associations in an attempt to avoid blowing the heap size
16498: More LDAP performance improvements
- Uses thread pool with 4 worker threads and blocking queue to process returned results. The number of worker threads can be controlled by the synchronization.workerThreads property.
- Switched LDAP connection pooling back on again
- Group Associations processsed individually so that errors are collated and we get a better idea of their throughput
- Fixed potential bug. Group membership resolution done with isolated LDAP context to avoid cookies from paging creeping in.
16424: Try switching off LDAP connection pooling to see if it works better with our flaky server.
16414: Further LDAP fault tolerance
- Log causes of group member resolution failures where possible
16413: More fault tolerance for LDAP sync
- Always commit last sync times before overall sync is complete to avoid the 'forgetting' of differential sync information
- DN comparisons should be case insensitive to avoid issues resolving DNs to user and group IDs
16398: Improved monitoring and fault tolerance for LDAP sync
- When the batch is complete a summary of the number of errors and the last error stack trace will be logged at ERROR level
- Each individual error is logged at WARN level and progress information (including % complete) is collated and logged at INFO level after a configurable interval
- In the Enterprise Edition all metrics can be monitored in real time through JMX
- Sanity testing to be performed by Mike!
16319: Merged HEAD to V3.2
16316: ALFCOM-3397: JBoss 5 compatibility fix
- Relative paths used by LDAP subsystem configuration weren't being resolved correctly
- See also https://jira.jboss.org/jira/browse/JBAS-6548 and https://jira.springsource.org/browse/SPR-5120
16272: ETHREEOH-2752: Once more with feeling!
16261: ETHREEOH-2752: Correct exception propagation.
16260: ETHREEOH-2752: Fix ticket validation
- Current ticket was getting forgotten by previous fix
- Person validation in CHECK mode now done AFTER the current user is set, so that the current ticket is remembered
16243: ETHREEOH-2752: Improve ticket validation used by all authentication filters
- Now takes into account whether person actually exists or not
- Tickets for non-nonexistent persons are now considered invalid and cached session information is invalidated
- New BaseAuthenticationFilter superclass for all authentication filters
- Improved fix to ETHREEOH-2839: WebDAV user is cached consistently using a different session attribute from the Web Client
16233: ETHREEOH-2754: Correction to previous checkin.
- relogin for SSO authentication, logout for normal login page
- logout is default
16232: ETHREEOH-2754: Log Out Action outcome passed as a parameter
- relogin for SSO authentication, login for normal login page
- Means the log out link always leads to the correct place, even when the session has expired
- Also lowered ticket validation error logging to DEBUG level to avoid unnecessary noise in the logs from expired sessions
16220: ETHREEOH-2839: Fixed potential ClassCastExceptions when Alfresco accessed via WebDAV and Web Client links in same browser
- WebDAV side no longer directly casts session user to a WebDAVUser
- ContextListener no longer casts session user to web client user
- Web client side will 'promote' session user to a web client User if necessary via AuthenticationHelper
- All authentication filters made to use appropriate AuthenticationHelper methods
16211: ETHREEOH-2835: LDAP sync batches user and group deletions as well as creations
- Also improved logging of sync failures
16197: ETHREEOH-2782: LDAP subsystems now support search-based user DN resolution
- When ldap.authentication.userNameFormat isn't set (now the default) converts a user ID to a DN by running ldap.synchronization.personQuery with an extra condition tacked on the end to find the user by ID
- Structured directories and authentication by attributes not in the DN such as email address now supported
16189: ALFCOM-3283: Prevent errors when user accepts an invite when not logged in
- new isGuest attribute propagated to user object
- header component (used by accept-invite page) needs to avoid calling prefs and site webscripts for guest user
- Conditional stuff in header template changed to use user.isGuest
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16896 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Dave Ward
@@ -30,13 +30,17 @@ import javax.naming.directory.InitialDirContext;
|
||||
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
||||
import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationException;
|
||||
import org.alfresco.repo.security.sync.ldap.LDAPNameResolver;
|
||||
import org.springframework.beans.factory.InitializingBean;
|
||||
|
||||
/**
|
||||
* Currently expects the cn name of the user which is in a fixed location.
|
||||
* Authenticates a user by LDAP. To convert the user name to an LDAP DN, it uses the fixed format in
|
||||
* <code>userNameFormat</code> if set, or calls the {@link LDAPNameResolver} otherwise.
|
||||
*
|
||||
* @author Andy Hind
|
||||
*/
|
||||
public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationComponent implements ActivateableBean
|
||||
public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationComponent implements InitializingBean,
|
||||
ActivateableBean
|
||||
{
|
||||
private boolean escapeCommasInBind = false;
|
||||
|
||||
@@ -45,6 +49,8 @@ public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationCompo
|
||||
private boolean active = true;
|
||||
|
||||
private String userNameFormat;
|
||||
|
||||
private LDAPNameResolver ldapNameResolver;
|
||||
|
||||
private LDAPInitialDirContextFactory ldapInitialContextFactory;
|
||||
|
||||
@@ -60,9 +66,14 @@ public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationCompo
|
||||
|
||||
public void setUserNameFormat(String userNameFormat)
|
||||
{
|
||||
this.userNameFormat = userNameFormat;
|
||||
this.userNameFormat = userNameFormat == null || userNameFormat.length() == 0 ? null : userNameFormat;
|
||||
}
|
||||
|
||||
|
||||
public void setLdapNameResolver(LDAPNameResolver ldapNameResolver)
|
||||
{
|
||||
this.ldapNameResolver = ldapNameResolver;
|
||||
}
|
||||
|
||||
public void setEscapeCommasInBind(boolean escapeCommasInBind)
|
||||
{
|
||||
this.escapeCommasInBind = escapeCommasInBind;
|
||||
@@ -85,6 +96,18 @@ public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationCompo
|
||||
public boolean isActive()
|
||||
{
|
||||
return this.active;
|
||||
}
|
||||
|
||||
/*
|
||||
* (non-Javadoc)
|
||||
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
|
||||
*/
|
||||
public void afterPropertiesSet() throws Exception
|
||||
{
|
||||
if (this.ldapNameResolver == null && this.userNameFormat == null)
|
||||
{
|
||||
throw new IllegalStateException("At least one of ldapNameResolver and userNameFormat must be set");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -92,10 +115,17 @@ public class LDAPAuthenticationComponentImpl extends AbstractAuthenticationCompo
|
||||
*/
|
||||
protected void authenticateImpl(String userName, char[] password) throws AuthenticationException
|
||||
{
|
||||
// If we aren't using a fixed name format, do a search to resolve the user DN
|
||||
String userDN = userNameFormat == null ? ldapNameResolver.resolveDistinguishedName(userName) : String.format(
|
||||
userNameFormat, new Object[]
|
||||
{
|
||||
escapeUserName(userName, escapeCommasInBind)
|
||||
});
|
||||
|
||||
InitialDirContext ctx = null;
|
||||
try
|
||||
{
|
||||
ctx = ldapInitialContextFactory.getInitialDirContext(String.format(userNameFormat, new Object[] { escapeUserName(userName, escapeCommasInBind) }), new String(password));
|
||||
ctx = ldapInitialContextFactory.getInitialDirContext(userDN, new String(password));
|
||||
|
||||
// Authentication has been successful.
|
||||
// Set the current user, they are now authenticated.
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2005-2007 Alfresco Software Limited.
|
||||
* Copyright (C) 2005-2009 Alfresco Software Limited.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
@@ -87,6 +87,7 @@ public class LDAPInitialDirContextFactoryImpl implements LDAPInitialDirContextFa
|
||||
Hashtable<String, String> env = new Hashtable<String, String>(initialDirContextEnvironment.size());
|
||||
env.putAll(initialDirContextEnvironment);
|
||||
env.put("javax.security.auth.useSubjectCredsOnly", "false");
|
||||
env.put("com.sun.jndi.ldap.connect.pool", "true"); // Pool the default connection
|
||||
return buildInitialDirContext(env, pageSize);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user