From 879796355c9c20aa1e58e2ed4b7c09287be5a500 Mon Sep 17 00:00:00 2001 From: Dave Ward Date: Thu, 3 Sep 2009 11:16:02 +0000 Subject: [PATCH] Merged V3.2 to HEAD 16062: ETHREEOH-2792: Support login via external SSO systems (such as CAS) in Alfresco Share - In Alfresco, new "external" authentication subsystem maps user identity from HttpServletRequest.getRemoteUser() or configured header - In Share, the UserFactory also recognizes HttpServletRequest.getRemoteUser() - no special filters required - User ID propagated to Alfresco through X-Alfresco-Remote-User HTTP header - This can be done securely via the use of an SSL client certificate that identifies the Share application to Alfresco as a special 'proxy' user - New section added to webscript-framework-config that allows specification of the keystore holding the client certificate and trusted CAs - Support for SSL authentication and propagation of Cookies through redirects added to RemoteClient so that initial redirects through sign on pages are supported - TODO: Wiki git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16065 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../external-authentication-context.xml | 63 +++++++++++++++++++ .../external-authentication.properties | 1 + ...rRejectAllAuthenticationComponentImpl.java | 16 +++-- 3 files changed, 75 insertions(+), 5 deletions(-) create mode 100644 config/alfresco/subsystems/Authentication/external/external-authentication-context.xml create mode 100644 config/alfresco/subsystems/Authentication/external/external-authentication.properties diff --git a/config/alfresco/subsystems/Authentication/external/external-authentication-context.xml b/config/alfresco/subsystems/Authentication/external/external-authentication-context.xml new file mode 100644 index 0000000000..3de4e66109 --- /dev/null +++ b/config/alfresco/subsystems/Authentication/external/external-authentication-context.xml 
@@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + ${external.authentication.defaultAdministratorUserNames} + + + + + + + + org.alfresco.repo.security.authentication.AuthenticationComponent + + + + + + + + + + + ${server.transaction.mode.default} + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/config/alfresco/subsystems/Authentication/external/external-authentication.properties b/config/alfresco/subsystems/Authentication/external/external-authentication.properties new file mode 100644 index 0000000000..8a7bdf3b1d --- /dev/null +++ b/config/alfresco/subsystems/Authentication/external/external-authentication.properties @@ -0,0 +1 @@ +external.authentication.defaultAdministratorUserNames= diff --git a/source/java/org/alfresco/repo/security/authentication/SimpleAcceptOrRejectAllAuthenticationComponentImpl.java b/source/java/org/alfresco/repo/security/authentication/SimpleAcceptOrRejectAllAuthenticationComponentImpl.java index be6b7deee1..5346ca1bf8 100644 --- a/source/java/org/alfresco/repo/security/authentication/SimpleAcceptOrRejectAllAuthenticationComponentImpl.java +++ b/source/java/org/alfresco/repo/security/authentication/SimpleAcceptOrRejectAllAuthenticationComponentImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2005-2007 Alfresco Software Limited. + * Copyright (C) 2005-2009 Alfresco Software Limited. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -18,7 +18,7 @@ * As a special exception to the terms and conditions of version 2.0 of * the GPL, you may redistribute this Program in connection with Free/Libre * and Open Source Software ("FLOSS") applications as described in Alfresco's - * FLOSS exception. You should have recieved a copy of the text describing + * FLOSS exception. You should have received a copy of the text describing * the FLOSS exception, and it is also available here: * http://www.alfresco.com/legal/licensing" */ 
@@ -45,6 +45,7 @@ import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
 public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends AbstractAuthenticationComponent implements NLTMAuthenticator
 {
 private boolean accept = false;
+ private boolean supportNtlm = false;
 public SimpleAcceptOrRejectAllAuthenticationComponentImpl()
 {
@@ -55,8 +56,13 @@ public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends Abstract
 {
 this.accept = accept;
 }
-
- public void authenticateImpl(String userName, char[] password) throws AuthenticationException
+
+ public void setSupportNtlm(boolean supportNtlm)
+ {
+ this.supportNtlm = supportNtlm;
+ }
+
+ public void authenticateImpl(String userName, char[] password) throws AuthenticationException
 {
 if(accept)
 {
@@ -89,7 +95,7 @@ public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends Abstract
 public NTLMMode getNTLMMode()
 {
- return NTLMMode.MD4_PROVIDER;
+ return supportNtlm ? NTLMMode.MD4_PROVIDER : NTLMMode.NONE;
 }
 /**
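Review bot: The new public setter `setSupportNtlm` in the second hunk has no Javadoc, although it decides whether this component advertises itself as an NTLM password provider. I would add a comment above it such as `/** Whether getNTLMMode() reports MD4_PROVIDER (true) or NONE (false, the default). */`, and state there that the flag is independent of `accept`. The class body continues outside the hunk, so the other NTLM-related methods that the flag may affect are not visible here.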
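Review bot: `getNTLMMode()` in the third hunk now returns `NTLMMode.NONE` unless `supportNtlm` is set, which changes behaviour for every existing bean definition of this class, since it previously reported `MD4_PROVIDER` unconditionally. Defaulting to NONE looks like the safer choice for a component that, judging by its name and the `if(accept)` branch, can accept any credentials. However, any context file elsewhere in the tree that relied on the old value would need `supportNtlm` set to true explicitly, and none is visible in this patch. I would record that on the field, e.g. `// false by default: NTLM is offered only when explicitly configured`, and confirm that the other users of this class were updated.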