From 8ff98a72f5428cc69be7253f2b0c6f2112edef48 Mon Sep 17 00:00:00 2001 
From: Dave Ward Date: Wed, 14 Oct 2009 09:24:13 +0000 Subject: [PATCH] Merged V3.2 to HEAD 16662: LDAP sync: improved group association filtering, referential integrity checking, deletion strategy and performance tuning of batch sizes 16648: ETHREEOH-2752: Improved ticket validation fix - Invalidate user's tickets during person deletion rather than validation or it can mess up chained validation 16647: ETHREEOH-2534: Fixed Sharepoint NTLM authentication - user details were never getting cached in the session 16579: Small improvement to LDAP error reporting - Committed errors counted before successes in a logging interval 16515: LDAP sync performance - Improved full sync strategy - run differential queries to work out required updates/additions and full queries to work out required deletions. Saves updating unchanged nodes. - Use a TreeSet rather than a HashSet to gather group associations in an attempt to avoid blowing the heap size 16498: More LDAP performance improvements - Uses thread pool with 4 worker threads and blocking queue to process returned results. The number of worker threads can be controlled by the synchronization.workerThreads property. - Switched LDAP connection pooling back on again - Group Associations processsed individually so that errors are collated and we get a better idea of their throughput - Fixed potential bug. Group membership resolution done with isolated LDAP context to avoid cookies from paging creeping in. 16424: Try switching off LDAP connection pooling to see if it works better with our flaky server. 
16414: Further LDAP fault tolerance - Log causes of group member resolution failures where possible 16413: More fault tolerance for LDAP sync - Always commit last sync times before overall sync is complete to avoid the 'forgetting' of differential sync information - DN comparisons should be case insensitive to avoid issues resolving DNs to user and group IDs 16398: Improved monitoring and fault tolerance for LDAP sync - When the batch is complete a summary of the number of errors and the last error stack trace will be logged at ERROR level - Each individual error is logged at WARN level and progress information (including % complete) is collated and logged at INFO level after a configurable interval - In the Enterprise Edition all metrics can be monitored in real time through JMX - Sanity testing to be performed by Mike! 16319: Merged HEAD to V3.2 16316: ALFCOM-3397: JBoss 5 compatibility fix - Relative paths used by LDAP subsystem configuration weren't being resolved correctly - See also https://jira.jboss.org/jira/browse/JBAS-6548 and https://jira.springsource.org/browse/SPR-5120 16272: ETHREEOH-2752: Once more with feeling! 16261: ETHREEOH-2752: Correct exception propagation. 16260: ETHREEOH-2752: Fix ticket validation - Current ticket was getting forgotten by previous fix - Person validation in CHECK mode now done AFTER the current user is set, so that the current ticket is remembered 16243: ETHREEOH-2752: Improve ticket validation used by all authentication filters - Now takes into account whether person actually exists or not - Tickets for non-nonexistent persons are now considered invalid and cached session information is invalidated - New BaseAuthenticationFilter superclass for all authentication filters - Improved fix to ETHREEOH-2839: WebDAV user is cached consistently using a different session attribute from the Web Client 16233: ETHREEOH-2754: Correction to previous checkin. 
- relogin for SSO authentication, logout for normal login page - logout is default 16232: ETHREEOH-2754: Log Out Action outcome passed as a parameter - relogin for SSO authentication, login for normal login page - Means the log out link always leads to the correct place, even when the session has expired - Also lowered ticket validation error logging to DEBUG level to avoid unnecessary noise in the logs from expired sessions 16220: ETHREEOH-2839: Fixed potential ClassCastExceptions when Alfresco accessed via WebDAV and Web Client links in same browser - WebDAV side no longer directly casts session user to a WebDAVUser - ContextListener no longer casts session user to web client user - Web client side will 'promote' session user to a web client User if necessary via AuthenticationHelper - All authentication filters made to use appropriate AuthenticationHelper methods 16211: ETHREEOH-2835: LDAP sync batches user and group deletions as well as creations - Also improved logging of sync failures 16197: ETHREEOH-2782: LDAP subsystems now support search-based user DN resolution - When ldap.authentication.userNameFormat isn't set (now the default) converts a user ID to a DN by running ldap.synchronization.personQuery with an extra condition tacked on the end to find the user by ID - Structured directories and authentication by attributes not in the DN such as email address now supported 16189: ALFCOM-3283: Prevent errors when user accepts an invite when not logged in - new isGuest attribute propagated to user object - header component (used by accept-invite page) needs to avoid calling prefs and site webscripts for guest user - Conditional stuff in header template changed to use user.isGuest git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16896 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../WebClientPortletAuthenticatorFactory.java | 4 +- .../org/alfresco/web/app/ContextListener.java | 4 +- .../web/app/portlet/AlfrescoFacesPortlet.java | 7 
+-
 .../web/app/servlet/AuthenticationHelper.java | 218 ++++++++++--------
 .../HTTPRequestAuthenticationFilter.java | 11 +-
 .../servlet/KerberosAuthenticationFilter.java | 18 +-
 .../app/servlet/NTLMAuthenticationFilter.java | 16 +-
 .../java/org/alfresco/web/bean/LoginBean.java | 43 +++-
 .../auth/ntlm/NtlmAuthenticationHandler.java | 1 +
 source/web/jsp/parts/titlebar.jsp | 4 +-
 10 files changed, 189 insertions(+), 137 deletions(-)
diff --git a/source/java/org/alfresco/repo/web/scripts/portlet/WebClientPortletAuthenticatorFactory.java b/source/java/org/alfresco/repo/web/scripts/portlet/WebClientPortletAuthenticatorFactory.java
index 24e312c518..2fd8a91279 100644
--- a/source/java/org/alfresco/repo/web/scripts/portlet/WebClientPortletAuthenticatorFactory.java
+++ b/source/java/org/alfresco/repo/web/scripts/portlet/WebClientPortletAuthenticatorFactory.java
@@ -29,6 +29,7 @@ import javax.portlet.RenderRequest;
 import javax.portlet.RenderResponse;
 import javax.transaction.UserTransaction;
+import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.model.Repository;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -216,7 +217,8 @@ public class WebClientPortletAuthenticatorFactory implements PortletAuthenticato
      */
     private User getWebClientUser(PortletSession session)
     {
-        return (User)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER, PortletSession.APPLICATION_SCOPE);
+        SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER, PortletSession.APPLICATION_SCOPE);
+        return user instanceof User ? (User)user : null;
     }
 }
diff --git a/source/java/org/alfresco/web/app/ContextListener.java b/source/java/org/alfresco/web/app/ContextListener.java
index 80619e6203..bc509447b2 100644
--- a/source/java/org/alfresco/web/app/ContextListener.java
+++ b/source/java/org/alfresco/web/app/ContextListener.java
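Review bot: The new `(SessionUser)` cast in getWebClientUser still throws a ClassCastException if the application-scope attribute holds anything that is not a SessionUser, so the instanceof guard only covers the WebDAV case it was written for. Reading the attribute as `Object attr = session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER, PortletSession.APPLICATION_SCOPE);` and returning `attr instanceof User ? (User) attr : null;` handles any unexpected value and matches the method's "or null" contract without a second cast.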
@@ -34,6 +34,7 @@ import javax.servlet.http.HttpSessionListener;
 import javax.transaction.UserTransaction;
 import org.alfresco.error.AlfrescoRuntimeException;
+import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.cache.InternalEhCacheManagerFactoryBean;
 import org.alfresco.repo.security.authentication.AuthenticationContext;
 import org.alfresco.service.ServiceRegistry;
@@ -46,7 +47,6 @@ import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.web.app.servlet.AuthenticationHelper;
 import org.alfresco.web.bean.repository.Repository;
-import org.alfresco.web.bean.repository.User;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.web.context.WebApplicationContext;
@@ -186,7 +186,7 @@ public class ContextListener implements ServletContextListener, HttpSessionListe
             }
             if (userKey != null)
             {
-                User user = (User)event.getSession().getAttribute(userKey);
+                SessionUser user = (SessionUser)event.getSession().getAttribute(userKey);
                 if (user != null)
                 {
                     // invalidate ticket and clear the Security context for this thread
diff --git a/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java b/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
index 87a6c7c124..26c2ef082f 100644
--- a/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
+++ b/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
@@ -43,6 +43,7 @@ import javax.portlet.UnavailableException;
 import org.alfresco.config.ConfigService;
 import org.alfresco.i18n.I18NUtil;
+import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.util.TempFileProvider;
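Review bot: In the sessionDestroyed hunk the `(SessionUser)` cast is still unchecked, and this is the code path that invalidates the ticket when a session dies; if the attribute ever holds a value that is not a SessionUser the cast throws and the ticket cleanup below it is skipped, leaving a live ticket behind. A defensive form is `Object attr = event.getSession().getAttribute(userKey);` followed by `if (attr instanceof SessionUser) { SessionUser user = (SessionUser) attr; ... }`, so an unexpected type degrades to "nothing to invalidate" rather than an exception in the listener. The enclosing method starts and ends outside the hunk, so I cannot see whether a surrounding try/catch already logs this case.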
@@ -162,7 +163,8 @@ public class AlfrescoFacesPortlet extends MyFacesGenericPortlet
          }
          else
          {
-            User user = (User)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
+            SessionUser sessionUser = (SessionUser)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
+            User user = sessionUser instanceof User ? (User)sessionUser : null;
             if (user != null)
             {
                // setup the authentication context
@@ -267,7 +269,8 @@ public class AlfrescoFacesPortlet extends MyFacesGenericPortlet
          String viewId = request.getParameter(VIEW_ID);
          // keep track of last view id so we can use it as return page from multi-part requests
          request.getPortletSession().setAttribute(SESSION_LAST_VIEW_ID, viewId);
-         User user = (User)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
+         SessionUser sessionUser = (SessionUser)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
+         User user = sessionUser instanceof User ? (User)sessionUser : null;
          if (user == null && (viewId == null || viewId.equals(getLoginPage()) == false))
          {
             if (AuthenticationHelper.portalGuestAuthenticate(ctx, session, auth) == AuthenticationStatus.Guest)
diff --git a/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java b/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
index ad66ea56ed..2f75780f98 100644
--- a/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
+++ b/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
@@ -34,16 +34,17 @@ import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; -import javax.transaction.UserTransaction; import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.i18n.I18NUtil; import org.alfresco.model.ContentModel; +import org.alfresco.repo.SessionUser; import org.alfresco.repo.management.subsystems.ActivateableBean; import org.alfresco.repo.security.authentication.AuthenticationComponent; import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.permissions.AccessDeniedException; +import org.alfresco.repo.transaction.RetryingTransactionHelper; import org.alfresco.service.ServiceRegistry; import org.alfresco.service.cmr.repository.InvalidNodeRefException; import org.alfresco.service.cmr.repository.NodeRef; @@ -174,11 +175,11 @@ public final class AuthenticationHelper ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest, boolean allowGuest) throws IOException { - HttpSession session = req.getSession(); - // retrieve the User object User user = getUser(sc, req, res); + HttpSession session = req.getSession(); + // get the login bean if we're not in the portal LoginBean loginBean = null; if (Application.inPortalServer() == false) @@ -207,7 +208,7 @@ public final class AuthenticationHelper auth.authenticateAsGuest(); // if we get here then Guest access was allowed and successful - setUser(sc, req, AuthenticationUtil.getGuestUserName(), false); + setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(), false); // Set up the thread context setupThread(sc, req, res); 
@@ -245,18 +246,7 @@ public final class AuthenticationHelper return AuthenticationStatus.Failure; } else - { - try - { - auth.validate(user.getTicket()); - } - catch (AuthenticationException authErr) - { - // expired ticket - session.removeAttribute(AUTHENTICATION_USER); - return AuthenticationStatus.Failure; - } - + { // set last authentication username cookie value if (loginBean != null) { @@ -287,13 +277,11 @@ public final class AuthenticationHelper { auth.validate(ticket); - User user = (User)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER); - if (user == null) + // We may have previously been authenticated via WebDAV so we may need to 'promote' the user object + SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER); + if (user == null || !(user instanceof User)) { - // need to create the User instance if not already available - String currentUsername = auth.getCurrentUserName(); - - setUser(context, httpRequest, currentUsername, false); + setUser(context, httpRequest, auth.getCurrentUserName(), ticket, false); } } catch (AuthenticationException authErr) 
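Review bot: With the inline `auth.validate(user.getTicket())` removed, this else branch of authenticate() now depends entirely on getUser() having validated the cached ticket (and cleared the session on failure) a few lines earlier, and that dependency is invisible at this point in the method. A one-line comment at the top of the branch, `// ticket already validated, and the session cleared on failure, by getUser() above`, would stop a later change to getUser() from silently reopening the expired-ticket path. The method continues outside the hunk.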
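Review bot: The promotion check `if (user == null || !(user instanceof User))` keeps any cached User as-is, even if it belongs to a different account than the ticket just validated by `auth.validate(ticket)`; if that can happen, the thread is authenticated as the ticket holder while the session still carries the other user's name, ticket and home space. The `user == null` clause is also redundant, since `instanceof` is false for null. Consider `if (!(user instanceof User) || !user.getUserName().equals(auth.getCurrentUserName()))` so a mismatched cached user is re-created, mirroring the identity check getUser() now performs for the remote-user-mapper case. The enclosing method starts and ends outside the hunk.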
@@ -325,90 +313,81 @@ public final class AuthenticationHelper * the request * @param currentUsername * the current user name + * @param ticket + * a validated ticket * @param externalAuth * was this user authenticated externally? * @return the user object */ public static User setUser(ServletContext context, HttpServletRequest req, String currentUsername, - boolean externalAuth) + String ticket, boolean externalAuth) { WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context); - AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE); - User user = createUser(wc, auth, currentUsername, externalAuth); + User user = createUser(wc, currentUsername, ticket); // store the User object in the Session - the authentication servlet will then proceed HttpSession session = req.getSession(true); session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user); - if (externalAuth) - { - session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE); - } + setExternalAuth(session, externalAuth); return user; } /** - * Creates an object for an authentication user. + * Sets or clears the external authentication flag on the session * - * @param wc - * the web application context - * @param auth - * the authentication service - * @param currentUsername - * the current user name + * @param session + * the session * @param externalAuth - * was this user authenticated externally? - * @return the user object + * was the user authenticated externally? 
*/ - private static User createUser(WebApplicationContext wc, AuthenticationService auth, String currentUsername, - boolean externalAuth) + private static void setExternalAuth(HttpSession session, boolean externalAuth) { - UserTransaction tx = null; - ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY); - try + if (externalAuth) { - tx = services.getTransactionService().getUserTransaction(); - tx.begin(); - - NodeService nodeService = services.getNodeService(); - PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE); - NodeRef personRef = personService.getPerson(currentUsername); - User user = new User(currentUsername, auth.getCurrentTicket(), personRef); - NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER); - - // check that the home space node exists - else Login cannot proceed - if (nodeService.exists(homeRef) == false) - { - throw new InvalidNodeRefException(homeRef); - } - user.setHomeSpaceId(homeRef.getId()); - - tx.commit(); - - return user; + session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE); } - catch (Exception ex) + else { - logger.error(ex); - - try - { - tx.rollback(); - } - catch (Exception ex2) - { - logger.error("Failed to rollback transaction", ex2); - } - - if (ex instanceof RuntimeException) - { - throw (RuntimeException) ex; - } - else - { - throw new RuntimeException("Failed to set authenticated user", ex); - } + session.removeAttribute(LoginBean.LOGIN_EXTERNAL_AUTH); } } + + /** + * Creates an object for an authentication user. 
+ * + * @param wc + * the web application context + * @param currentUsername + * the current user name + * @param ticket + * a validated ticket + * @return the user object + */ + private static User createUser(final WebApplicationContext wc, final String currentUsername, final String ticket) + { + final ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY); + return services.getTransactionService().getRetryingTransactionHelper().doInTransaction( + new RetryingTransactionHelper.RetryingTransactionCallback() + { + + public User execute() throws Throwable + { + NodeService nodeService = services.getNodeService(); + PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE); + NodeRef personRef = personService.getPerson(currentUsername); + User user = new User(currentUsername, ticket, personRef); + NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER); + + // check that the home space node exists - else Login cannot proceed + if (nodeService.exists(homeRef) == false) + { + throw new InvalidNodeRefException(homeRef); + } + user.setHomeSpaceId(homeRef.getId()); + return user; + } + }); + } /** * For no previous authentication or forced Guest - attempt Guest access @@ -422,7 +401,7 @@ public final class AuthenticationHelper { auth.authenticateAsGuest(); - User user = createUser(ctx, auth, AuthenticationUtil.getGuestUserName(), false); + User user = createUser(ctx, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket()); // store the User object in the Session - the authentication servlet will then proceed session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user); 
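Review bot: In createUser's transaction callback, `homeRef` comes straight from `nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER)` and is handed to `nodeService.exists(homeRef)` with no null check; what exists() does with null is not visible here, and `new InvalidNodeRefException(homeRef)` would then wrap a null reference. A guard such as `if (homeRef == null || !nodeService.exists(homeRef))` makes the missing-home-folder case fail with the same exception type regardless of exists()'s null handling. The `@param ticket a validated ticket` javadoc on setUser and createUser is also worth strengthening to say that neither method validates the ticket — it is stored in the session as given, so the caller owns that check.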
@@ -461,19 +440,23 @@ public final class AuthenticationHelper } /** - * Attempts to retrieve the User object stored in the current session. - * - * @param httpRequest The HTTP request - * @param httpResponse The HTTP response - * @return The User object representing the current user or null if it could not be found - */ + * Attempts to retrieve the User object stored in the current session. + * + * @param sc + * the servlet context + * @param httpRequest + * The HTTP request + * @param httpResponse + * The HTTP response + * @return The User object representing the current user or null if it could not be found + */ @SuppressWarnings("unchecked") - public static User getUser(ServletContext sc, HttpServletRequest httpRequest, HttpServletResponse httpResponse) + public static User getUser(final ServletContext sc, final HttpServletRequest httpRequest, HttpServletResponse httpResponse) { String userId = null; // If the remote user mapper is configured, we may be able to map in an externally authenticated user - WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc); + final WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc); RemoteUserMapper remoteUserMapper = (RemoteUserMapper) wc.getBean(REMOTE_USER_MAPPER); if (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive()) { @@ -484,9 +467,11 @@ public final class AuthenticationHelper User user = null; // examine the appropriate session to try and find the User object + SessionUser sessionUser = null; + String sessionUserAttrib = null; if (Application.inPortalServer() == false) { - user = (User) session.getAttribute(AUTHENTICATION_USER); + sessionUserAttrib = AUTHENTICATION_USER; } else { 
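Review bot: The rewritten getUser javadoc still describes a plain lookup ("Attempts to retrieve the User object stored in the current session"), but the method now also validates the cached ticket, may replace the cached user with the remote-user-mapper identity, and on failure removes the attribute and, outside a portal, invalidates the whole HttpSession. Every authentication filter now calls it, so those side effects belong in the summary, e.g. `Retrieves, validates and if necessary re-creates the User for the current session; an expired ticket or a changed remote identity clears the cached user and, outside the portal, invalidates the session.` The method body continues past the end of the hunk.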
@@ -499,31 +484,62 @@ public final class AuthenticationHelper String name = enumNames.nextElement(); if (name.endsWith(AUTHENTICATION_USER)) { - user = (User) session.getAttribute(name); + sessionUserAttrib = name; break; } } } + // Make sure the ticket is valid, the person exists, and the cached user is of the right type (WebDAV users have + // been known to leak in but shouldn't now) + if (sessionUserAttrib != null && (sessionUser = (SessionUser) session.getAttribute(sessionUserAttrib)) != null) + { + AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE); + try + { + auth.validate(sessionUser.getTicket()); + if (sessionUser instanceof User) + { + user = (User)sessionUser; + setExternalAuth(session, userId != null); + } + else + { + user = setUser(sc, httpRequest, sessionUser.getUserName(), sessionUser.getTicket(), userId != null); + } + } + catch (AuthenticationException authErr) + { + session.removeAttribute(sessionUserAttrib); + if (!Application.inPortalServer()) + { + session.invalidate(); + } + } + } + // If the remote user mapper is configured, we may be able to map in an externally authenticated user if (userId != null) { // We have a previously-cached user with the wrong identity - replace them if (user != null && !user.getUserName().equals(userId)) { - user = null; + session.removeAttribute(sessionUserAttrib); + if (!Application.inPortalServer()) + { + session.invalidate(); + } + user = null; } if (user == null) { // If we have been authenticated by other means, just propagate through the user identity - if (userId != null) - { - AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc - .getBean(AUTHENTICATION_COMPONENT); - authenticationComponent.setCurrentUser(userId); - user = setUser(sc, httpRequest, userId, true); - } + AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc + .getBean(AUTHENTICATION_COMPONENT); + authenticationComponent.setCurrentUser(userId); + 
AuthenticationService authenticationService = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE); + user = setUser(sc, httpRequest, userId, authenticationService.getCurrentTicket(), true); } } return user; diff --git a/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java b/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java index 5491b6d482..7b0e4dae3b 100644 --- a/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java +++ b/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java @@ -38,10 +38,10 @@ import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; import org.alfresco.repo.security.authentication.AuthenticationComponent; import org.alfresco.repo.security.authentication.AuthenticationException; +import org.alfresco.service.cmr.security.AuthenticationService; import org.alfresco.web.app.Application; import org.alfresco.web.bean.repository.User; import org.apache.commons.logging.Log; @@ -64,6 +64,8 @@ public class HTTPRequestAuthenticationFilter implements Filter private String loginPage; private AuthenticationComponent authComponent; + + private AuthenticationService authenticationService; private String httpServletRequestAuthHeaderName; @@ -97,8 +99,6 @@ public class HTTPRequestAuthenticationFilter implements Filter HttpServletRequest req = (HttpServletRequest) sreq; HttpServletResponse resp = (HttpServletResponse) sresp; - HttpSession httpSess = req.getSession(true); - // Check for the auth header String authHdr = req.getHeader(httpServletRequestAuthHeaderName); 
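Review bot: In the identity-mismatch branch (`user != null && !user.getUserName().equals(userId)`) the code calls `session.removeAttribute(sessionUserAttrib)` before `session.invalidate()`, but ContextListener.sessionDestroyed only invalidates a ticket when it finds a user under that attribute, so the replaced user's still-valid ticket is never revoked — and in the portal case the session is kept, so nothing revokes it there either. Either leave the attribute in place when the session is about to be invalidated, or invalidate the old user's ticket explicitly before clearing it, as the logout and sessionDestroyed paths do. Separately, `setExternalAuth(session, userId != null)` now clears LOGIN_EXTERNAL_AUTH on every call where the remote user mapper yields nothing, which may change the logout outcome for users signed on through another filter; if that is unintended, only set the flag when `userId != null` and leave it untouched otherwise. getUser begins in the previous hunk.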
@@ -164,7 +164,7 @@ public class HTTPRequestAuthenticationFilter implements Filter // See if there is a user in the session and test if it matches - User user = (User) httpSess.getAttribute(AuthenticationHelper.AUTHENTICATION_USER); + User user = AuthenticationHelper.getUser(this.context, req, resp); if (user != null) { @@ -236,7 +236,7 @@ public class HTTPRequestAuthenticationFilter implements Filter authComponent.setCurrentUser(userName); // Set up the user information - AuthenticationHelper.setUser(context, req, userName, true); + AuthenticationHelper.setUser(context, req, userName, authenticationService.getCurrentTicket(), true); // Set the locale using the session AuthenticationHelper.setupThread(this.context, req, res); @@ -253,6 +253,7 @@ public class HTTPRequestAuthenticationFilter implements Filter WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(context); authComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent"); + authenticationService = (AuthenticationService) ctx.getBean("AuthenticationService"); httpServletRequestAuthHeaderName = config.getInitParameter("httpServletRequestAuthHeaderName"); if(httpServletRequestAuthHeaderName == null) diff --git a/source/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java b/source/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java index 4a10a8e110..8ce848d7f5 100644 --- a/source/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java +++ b/source/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java 
@@ -80,18 +80,22 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
         {
             setLoginPage(clientConfig.getLoginPage());
         }
+
+        // Use the web client user attribute name
+        setUserAttributeName(AuthenticationHelper.AUTHENTICATION_USER);
     }
-    /* (non-Javadoc)
-     * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
-     */
-    @Override
-    protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, String homeSpace) {
-
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.cmr.repository.NodeRef)
+     */
+    @Override
+    protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, NodeRef homeSpaceRef)
+    {
         // Create a web client user object
         User user = new User( userName, ticket, personNode);
-        user.setHomeSpaceId( homeSpace);
+        user.setHomeSpaceId( homeSpaceRef.getId());
         return user;
     }
diff --git a/source/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java b/source/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java
index 669f992c92..b85cad5722 100644
--- a/source/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java
+++ b/source/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java
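Review bot: `user.setHomeSpaceId( homeSpaceRef.getId())` dereferences the new NodeRef parameter without a null check, so if BaseAuthenticationFilter can hand over a person with no resolvable home folder the filter fails with a NullPointerException instead of a meaningful authentication error. Whether the base class guarantees a non-null reference is not visible here; if it does not, reject the user explicitly, e.g. `if (homeSpaceRef == null) throw new AuthenticationException("No home folder for user " + userName);` before building the User. The identical override in NTLMAuthenticationFilter in the next hunk needs the same treatment.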
@@ -77,18 +77,22 @@ public class NTLMAuthenticationFilter extends BaseNTLMAuthenticationFilter
         {
             setLoginPage(clientConfig.getLoginPage());
         }
+
+        // Use the web client user attribute name
+        setUserAttributeName(AuthenticationHelper.AUTHENTICATION_USER);
     }
+
     /* (non-Javadoc)
-     * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
-     */
-    @Override
-    protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, String homeSpace) {
-
+     * @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.cmr.repository.NodeRef)
+     */
+    @Override
+    protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, NodeRef homeSpaceRef)
+    {
         // Create a web client user object
         User user = new User( userName, ticket, personNode);
-        user.setHomeSpaceId( homeSpace);
+        user.setHomeSpaceId( homeSpaceRef.getId());
         return user;
     }
diff --git a/source/java/org/alfresco/web/bean/LoginBean.java b/source/java/org/alfresco/web/bean/LoginBean.java
index 7c4df32930..be17e78fd4 100644
--- a/source/java/org/alfresco/web/bean/LoginBean.java
+++ b/source/java/org/alfresco/web/bean/LoginBean.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007 Alfresco Software Limited.
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -37,6 +37,7 @@ import javax.faces.validator.ValidatorException; import javax.servlet.http.HttpServletRequest; import org.alfresco.model.ContentModel; +import org.alfresco.repo.SessionUser; import org.alfresco.repo.security.authentication.AuthenticationDisallowedException; import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.AuthenticationMaxUsersException; @@ -63,8 +64,20 @@ import org.apache.commons.logging.LogFactory; */ public class LoginBean implements Serializable { - // ------------------------------------------------------------------------------ - // Managed bean properties + /** + * The default outcome of the logout action. + */ + private static final String OUTCOME_LOGOUT = "logout"; + + /** + * The outcome of the logout action when the user has been signed on by SSO. + */ + private static final String OUTCOME_RELOGIN = "relogin"; + + /** + * The name of the form parameter carrying the outcome to the logout action. + */ + private static final String PARAM_OUTCOME = "outcome"; private static final long serialVersionUID = 7417882503323795282L; @@ -143,13 +156,13 @@ public class LoginBean implements Serializable } /** - * @return true if the default Alfresco authentication process is being used, else false + * @return "logout" if the default Alfresco authentication process is being used, else "relogin" * if an external authorisation mechanism is present. */ - public boolean isAlfrescoAuth() + public String getLogoutOutcome() { - Map session = FacesContext.getCurrentInstance().getExternalContext().getSessionMap(); - return (session.get(LOGIN_EXTERNAL_AUTH) == null); + Map session = FacesContext.getCurrentInstance().getExternalContext().getSessionMap(); + return session.get(LOGIN_EXTERNAL_AUTH) == null ? OUTCOME_LOGOUT : OUTCOME_RELOGIN; } /** 
@@ -388,9 +401,15 @@ public class LoginBean implements Serializable public String logout() { FacesContext context = FacesContext.getCurrentInstance(); - - // need to capture this value before invalidating the session - boolean externalAuth = isAlfrescoAuth(); + + // The outcome is decided in advance (before session expiry) and included as a parameter + Map params = context.getExternalContext().getRequestParameterMap(); + String outcome = (String)params.get(PARAM_OUTCOME); + if (outcome == null) + { + outcome = OUTCOME_LOGOUT; + } + Locale language = Application.getLanguage(context); // Invalidate Session for this user. @@ -404,7 +423,7 @@ public class LoginBean implements Serializable else { Map session = context.getExternalContext().getSessionMap(); - User user = (User)session.get(AuthenticationHelper.AUTHENTICATION_USER); + SessionUser user = (SessionUser)session.get(AuthenticationHelper.AUTHENTICATION_USER); if (user != null) { // invalidate ticket and clear the Security context for this thread @@ -428,7 +447,7 @@ public class LoginBean implements Serializable // set language to last used on the login page Application.setLanguage(context, language.toString()); - return externalAuth ? "logout" : "relogin"; + return outcome; } diff --git a/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java b/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java index 9c53ea80d2..dda8a35b5d 100644 --- a/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java +++ b/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java @@ -436,6 +436,7 @@ public class NtlmAuthenticationHandler extends AbstractAuthenticationHandler imp if (user == null) { user = createUserEnvironment(session, userName); + session.setAttribute(USER_SESSION_ATTRIBUTE, user); } else { diff --git a/source/web/jsp/parts/titlebar.jsp b/source/web/jsp/parts/titlebar.jsp index 3f57e709cd..84ed01ab0a 100644 
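Review bot: `outcome` in logout() is read straight from the request parameter map and returned as the JSF navigation outcome, so the post-logout destination is now chosen by whoever submits the form rather than by the server-side session state the old `isAlfrescoAuth()` check consulted. Restrict it to the two constants that exist: `String outcome = OUTCOME_RELOGIN.equals(params.get(PARAM_OUTCOME)) ? OUTCOME_RELOGIN : OUTCOME_LOGOUT;` — any unrecognised value then falls back to the default instead of being handed to the navigation handler. logout() continues past the hunk.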
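Review bot: The new `session.setAttribute(USER_SESSION_ATTRIBUTE, user)` caches the freshly authenticated user into whatever HttpSession the client presented during the NTLM handshake. If that session predates authentication and its id is not regenerated somewhere outside this hunk, a session id chosen before login becomes an authenticated one — the classic fixation pattern; if the handler or container does not already rotate the id, invalidate the pre-authentication session and cache the user in a fresh one. The enclosing method starts and ends outside the hunk, so I cannot confirm whether this is already handled.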
--- a/source/web/jsp/parts/titlebar.jsp +++ b/source/web/jsp/parts/titlebar.jsp @@ -102,7 +102,9 @@   - + + +