Merged V3.2 to HEAD

16662: LDAP sync: improved group association filtering, referential integrity checking, deletion strategy and performance tuning of batch sizes 16648: ETHREEOH-2752: Improved ticket validation fix - Invalidate user's tickets during person deletion rather than validation or it can mess up chained validation 16647: ETHREEOH-2534: Fixed Sharepoint NTLM authentication - user details were never getting cached in the session 16579: Small improvement to LDAP error reporting - Committed errors counted before successes in a logging interval 16515: LDAP sync performance - Improved full sync strategy - run differential queries to work out required updates/additions and full queries to work out required deletions. Saves updating unchanged nodes. - Use a TreeSet rather than a HashSet to gather group associations in an attempt to avoid blowing the heap size 16498: More LDAP performance improvements - Uses thread pool with 4 worker threads and blocking queue to process returned results. The number of worker threads can be controlled by the synchronization.workerThreads property. - Switched LDAP connection pooling back on again - Group Associations processsed individually so that errors are collated and we get a better idea of their throughput - Fixed potential bug. Group membership resolution done with isolated LDAP context to avoid cookies from paging creeping in. 16424: Try switching off LDAP connection pooling to see if it works better with our flaky server. 16414: Further LDAP fault tolerance - Log causes of group member resolution failures where possible 16413: More fault tolerance for LDAP sync - Always commit last sync times before overall sync is complete to avoid the 'forgetting' of differential sync information - DN comparisons should be case insensitive to avoid issues resolving DNs to user and group IDs 16398: Improved monitoring and fault tolerance for LDAP sync - When the batch is complete a summary of the number of errors and the last error stack trace will be logged at ERROR level - Each individual error is logged at WARN level and progress information (including % complete) is collated and logged at INFO level after a configurable interval - In the Enterprise Edition all metrics can be monitored in real time through JMX - Sanity testing to be performed by Mike! 16319: Merged HEAD to V3.2 16316: ALFCOM-3397: JBoss 5 compatibility fix - Relative paths used by LDAP subsystem configuration weren't being resolved correctly - See also https://jira.jboss.org/jira/browse/JBAS-6548 and https://jira.springsource.org/browse/SPR-5120 16272: ETHREEOH-2752: Once more with feeling! 16261: ETHREEOH-2752: Correct exception propagation. 16260: ETHREEOH-2752: Fix ticket validation - Current ticket was getting forgotten by previous fix - Person validation in CHECK mode now done AFTER the current user is set, so that the current ticket is remembered 16243: ETHREEOH-2752: Improve ticket validation used by all authentication filters - Now takes into account whether person actually exists or not - Tickets for non-nonexistent persons are now considered invalid and cached session information is invalidated - New BaseAuthenticationFilter superclass for all authentication filters - Improved fix to ETHREEOH-2839: WebDAV user is cached consistently using a different session attribute from the Web Client 16233: ETHREEOH-2754: Correction to previous checkin. - relogin for SSO authentication, logout for normal login page - logout is default 16232: ETHREEOH-2754: Log Out Action outcome passed as a parameter - relogin for SSO authentication, login for normal login page - Means the log out link always leads to the correct place, even when the session has expired - Also lowered ticket validation error logging to DEBUG level to avoid unnecessary noise in the logs from expired sessions 16220: ETHREEOH-2839: Fixed potential ClassCastExceptions when Alfresco accessed via WebDAV and Web Client links in same browser - WebDAV side no longer directly casts session user to a WebDAVUser - ContextListener no longer casts session user to web client user - Web client side will 'promote' session user to a web client User if necessary via AuthenticationHelper - All authentication filters made to use appropriate AuthenticationHelper methods 16211: ETHREEOH-2835: LDAP sync batches user and group deletions as well as creations - Also improved logging of sync failures 16197: ETHREEOH-2782: LDAP subsystems now support search-based user DN resolution - When ldap.authentication.userNameFormat isn't set (now the default) converts a user ID to a DN by running ldap.synchronization.personQuery with an extra condition tacked on the end to find the user by ID - Structured directories and authentication by attributes not in the DN such as email address now supported 16189: ALFCOM-3283: Prevent errors when user accepts an invite when not logged in - new isGuest attribute propagated to user object - header component (used by accept-invite page) needs to avoid calling prefs and site webscripts for guest user - Conditional stuff in header template changed to use user.isGuest git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16896 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2009-10-14 09:24:13 +00:00
parent d9d774eac0
commit 8ff98a72f5
10 changed files with 189 additions and 137 deletions
--- a/source/java/org/alfresco/repo/web/scripts/portlet/WebClientPortletAuthenticatorFactory.java
+++ b/source/java/org/alfresco/repo/web/scripts/portlet/WebClientPortletAuthenticatorFactory.java
@@ -29,6 +29,7 @@ import javax.portlet.RenderRequest;
 import javax.portlet.RenderResponse;
 import javax.transaction.UserTransaction;
 import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.model.Repository;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -216,7 +217,8 @@ public class WebClientPortletAuthenticatorFactory implements PortletAuthenticato
         */
        private User getWebClientUser(PortletSession session)
        {
-            return (User)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER, PortletSession.APPLICATION_SCOPE);
+            SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER, PortletSession.APPLICATION_SCOPE);
            return user instanceof User ? (User)user : null;
        }
    }
--- a/source/java/org/alfresco/web/app/ContextListener.java
+++ b/source/java/org/alfresco/web/app/ContextListener.java
@@ -34,6 +34,7 @@ import javax.servlet.http.HttpSessionListener;
 import javax.transaction.UserTransaction;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.cache.InternalEhCacheManagerFactoryBean;
 import org.alfresco.repo.security.authentication.AuthenticationContext;
 import org.alfresco.service.ServiceRegistry;
@@ -46,7 +47,6 @@ import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.web.app.servlet.AuthenticationHelper;
 import org.alfresco.web.bean.repository.Repository;
 import org.alfresco.web.bean.repository.User;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.web.context.WebApplicationContext;
@@ -186,7 +186,7 @@ public class ContextListener implements ServletContextListener, HttpSessionListe
      }
      if (userKey != null)
      {
-         User user = (User)event.getSession().getAttribute(userKey);
+         SessionUser user = (SessionUser)event.getSession().getAttribute(userKey);
         if (user != null)
         {
            // invalidate ticket and clear the Security context for this thread
--- a/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
+++ b/source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
@@ -43,6 +43,7 @@ import javax.portlet.UnavailableException;
 import org.alfresco.config.ConfigService;
 import org.alfresco.i18n.I18NUtil;
 import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.util.TempFileProvider;
@@ -162,7 +163,8 @@ public class AlfrescoFacesPortlet extends MyFacesGenericPortlet
         }
         else
         {
-            User user = (User)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
+            SessionUser sessionUser = (SessionUser)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
            User user = sessionUser instanceof User ? (User)sessionUser : null;
            if (user != null)
            {
               // setup the authentication context
@@ -267,7 +269,8 @@ public class AlfrescoFacesPortlet extends MyFacesGenericPortlet
         String viewId = request.getParameter(VIEW_ID);
         // keep track of last view id so we can use it as return page from multi-part requests
         request.getPortletSession().setAttribute(SESSION_LAST_VIEW_ID, viewId);
-         User user = (User)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
+         SessionUser sessionUser = (SessionUser)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
         User user = sessionUser instanceof User ? (User)sessionUser : null;
         if (user == null && (viewId == null || viewId.equals(getLoginPage()) == false))
         {
            if (AuthenticationHelper.portalGuestAuthenticate(ctx, session, auth) == AuthenticationStatus.Guest)
--- a/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
+++ b/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
@@ -34,16 +34,17 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import javax.transaction.UserTransaction;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.i18n.I18NUtil;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.management.subsystems.ActivateableBean;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.repo.transaction.RetryingTransactionHelper;
 import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.repository.InvalidNodeRefException;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -174,11 +175,11 @@ public final class AuthenticationHelper
         ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest, boolean allowGuest)
         throws IOException
   {
      HttpSession session = req.getSession();
      // retrieve the User object
      User user = getUser(sc, req, res);
      HttpSession session = req.getSession();
      // get the login bean if we're not in the portal
      LoginBean loginBean = null;
      if (Application.inPortalServer() == false)
@@ -207,7 +208,7 @@ public final class AuthenticationHelper
                  auth.authenticateAsGuest();
                  // if we get here then Guest access was allowed and successful
-                  setUser(sc, req, AuthenticationUtil.getGuestUserName(), false);
+                  setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(), false);
                  // Set up the thread context
                  setupThread(sc, req, res);
@@ -246,17 +247,6 @@ public final class AuthenticationHelper
      }
      else
      {         
         try
         {
            auth.validate(user.getTicket());
         }
         catch (AuthenticationException authErr)
         {
            // expired ticket
            session.removeAttribute(AUTHENTICATION_USER);
            return AuthenticationStatus.Failure;
         }
         // set last authentication username cookie value
         if (loginBean != null)
         {
@@ -287,13 +277,11 @@ public final class AuthenticationHelper
      {
         auth.validate(ticket);
-         User user = (User)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
+         // We may have previously been authenticated via WebDAV so we may need to 'promote' the user object
-         if (user == null)
+         SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
         if (user == null || !(user instanceof User))
         {
-            // need to create the User instance if not already available
+            setUser(context, httpRequest, auth.getCurrentUserName(), ticket, false);
            String currentUsername = auth.getCurrentUserName();
            setUser(context, httpRequest, currentUsername, false);
         }
      }
      catch (AuthenticationException authErr)
@@ -325,91 +313,82 @@ public final class AuthenticationHelper
     *            the request
     * @param currentUsername
     *            the current user name
     * @param ticket
     *            a validated ticket
     * @param externalAuth
     *            was this user authenticated externally?
     * @return the user object
     */
    public static User setUser(ServletContext context, HttpServletRequest req, String currentUsername,
-            boolean externalAuth)
+            String ticket, boolean externalAuth)
    {
        WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
        AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
-        User user = createUser(wc, auth, currentUsername, externalAuth);
+        User user = createUser(wc, currentUsername, ticket);
        // store the User object in the Session - the authentication servlet will then proceed
        HttpSession session = req.getSession(true);
        session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
-        if (externalAuth)
+        setExternalAuth(session, externalAuth);
        {
            session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
        }
        return user;
    }
    /**
-     * Creates an object for an authentication user.
+     * Sets or clears the external authentication flag on the session
     * 
-     * @param wc
+     * @param session
-     *            the web application context
+     *            the session
     * @param auth
     *            the authentication service
     * @param currentUsername
     *            the current user name
     * @param externalAuth
-     *            was this user authenticated externally?
+     *            was the user authenticated externally?
     * @return the user object
     */
-    private static User createUser(WebApplicationContext wc, AuthenticationService auth, String currentUsername,
+    private static void setExternalAuth(HttpSession session, boolean externalAuth)
            boolean externalAuth)
    {
-        UserTransaction tx = null;
+        if (externalAuth)
        ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY);
        try
        {
-            tx = services.getTransactionService().getUserTransaction();
+            session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
            tx.begin();
            NodeService nodeService = services.getNodeService();
            PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE);
            NodeRef personRef = personService.getPerson(currentUsername);
            User user = new User(currentUsername, auth.getCurrentTicket(), personRef);
            NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER);
            // check that the home space node exists - else Login cannot proceed
            if (nodeService.exists(homeRef) == false)
            {
                throw new InvalidNodeRefException(homeRef);
            }
            user.setHomeSpaceId(homeRef.getId());
            tx.commit();
            return user;
        }
-        catch (Exception ex)
+        else
        {
-            logger.error(ex);
+            session.removeAttribute(LoginBean.LOGIN_EXTERNAL_AUTH);
            try
            {
                tx.rollback();
            }
            catch (Exception ex2)
            {
                logger.error("Failed to rollback transaction", ex2);
            }
            if (ex instanceof RuntimeException)
            {
                throw (RuntimeException) ex;
            }
            else
            {
                throw new RuntimeException("Failed to set authenticated user", ex);
            }
        }
    }
   /**
    * Creates an object for an authentication user.
    * 
    * @param wc
    *           the web application context
    * @param currentUsername
    *           the current user name
    * @param ticket
    *           a validated ticket
    * @return the user object
    */
   private static User createUser(final WebApplicationContext wc, final String currentUsername, final String ticket)
   {
      final ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY);
      return services.getTransactionService().getRetryingTransactionHelper().doInTransaction(
            new RetryingTransactionHelper.RetryingTransactionCallback<User>()
            {
               public User execute() throws Throwable
               {
                  NodeService nodeService = services.getNodeService();
                  PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE);
                  NodeRef personRef = personService.getPerson(currentUsername);
                  User user = new User(currentUsername, ticket, personRef);
                  NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER);
                  // check that the home space node exists - else Login cannot proceed
                  if (nodeService.exists(homeRef) == false)
                  {
                     throw new InvalidNodeRefException(homeRef);
                  }
                  user.setHomeSpaceId(homeRef.getId());
                  return user;
               }
            });
   }
   /**
    * For no previous authentication or forced Guest - attempt Guest access
    * 
@@ -422,7 +401,7 @@ public final class AuthenticationHelper
      {
         auth.authenticateAsGuest();
-         User user = createUser(ctx, auth, AuthenticationUtil.getGuestUserName(), false);
+         User user = createUser(ctx, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket());
         // store the User object in the Session - the authentication servlet will then proceed
         session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
@@ -461,19 +440,23 @@ public final class AuthenticationHelper
   }
   /**
-    * Attempts to retrieve the User object stored in the current session.
+     * Attempts to retrieve the User object stored in the current session.
-    * 
+     * 
-    * @param httpRequest The HTTP request
+     * @param sc
-    * @param httpResponse The HTTP response
+     *            the servlet context
-    * @return The User object representing the current user or null if it could not be found
+     * @param httpRequest
-    */
+     *            The HTTP request
     * @param httpResponse
     *            The HTTP response
     * @return The User object representing the current user or null if it could not be found
     */
   @SuppressWarnings("unchecked")
-   public static User getUser(ServletContext sc, HttpServletRequest httpRequest, HttpServletResponse httpResponse)
+   public static User getUser(final ServletContext sc, final HttpServletRequest httpRequest, HttpServletResponse httpResponse)
   {
      String userId = null;
      // If the remote user mapper is configured, we may be able to map in an externally authenticated user
-      WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
+      final WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
      RemoteUserMapper remoteUserMapper = (RemoteUserMapper) wc.getBean(REMOTE_USER_MAPPER);
      if (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive())
      {
@@ -484,9 +467,11 @@ public final class AuthenticationHelper
      User user = null;
      // examine the appropriate session to try and find the User object
      SessionUser sessionUser = null;
      String sessionUserAttrib = null;
      if (Application.inPortalServer() == false)
      {
-         user = (User) session.getAttribute(AUTHENTICATION_USER);
+         sessionUserAttrib = AUTHENTICATION_USER;
      }
      else
      {
@@ -499,31 +484,62 @@ public final class AuthenticationHelper
            String name = enumNames.nextElement();
            if (name.endsWith(AUTHENTICATION_USER))
            {
-               user = (User) session.getAttribute(name);
+               sessionUserAttrib = name;
               break;
            }
         }
      }
      // Make sure the ticket is valid, the person exists, and the cached user is of the right type (WebDAV users have
      // been known to leak in but shouldn't now)
      if (sessionUserAttrib != null && (sessionUser = (SessionUser) session.getAttribute(sessionUserAttrib)) != null)
      {
         AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
         try
         {
            auth.validate(sessionUser.getTicket());
            if (sessionUser instanceof User)
            {
               user = (User)sessionUser;
               setExternalAuth(session, userId != null);                  
            }
            else
            {
               user = setUser(sc, httpRequest, sessionUser.getUserName(), sessionUser.getTicket(), userId != null);
            }
         }
         catch (AuthenticationException authErr)
         {
            session.removeAttribute(sessionUserAttrib);
            if (!Application.inPortalServer())
            {
               session.invalidate();
            }
         }
      }
      // If the remote user mapper is configured, we may be able to map in an externally authenticated user
      if (userId != null)
      {
         // We have a previously-cached user with the wrong identity - replace them
         if (user != null && !user.getUserName().equals(userId))
         {
-            user = null;
+             session.removeAttribute(sessionUserAttrib);
             if (!Application.inPortalServer())
             {
                session.invalidate();
             }
             user = null;
         }
         if (user == null)
         {
            // If we have been authenticated by other means, just propagate through the user identity
-            if (userId != null)
+            AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc
-            {
+                  .getBean(AUTHENTICATION_COMPONENT);
-               AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc
+            authenticationComponent.setCurrentUser(userId);
-                     .getBean(AUTHENTICATION_COMPONENT);
+            AuthenticationService authenticationService = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
-               authenticationComponent.setCurrentUser(userId);
+            user = setUser(sc, httpRequest, userId, authenticationService.getCurrentTicket(), true);
               user = setUser(sc, httpRequest, userId, true);
            }
         }
      }
      return user;
--- a/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java
+++ b/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java
@@ -38,10 +38,10 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.web.app.Application;
 import org.alfresco.web.bean.repository.User;
 import org.apache.commons.logging.Log;
@@ -65,6 +65,8 @@ public class HTTPRequestAuthenticationFilter implements Filter
    private AuthenticationComponent authComponent;
    private AuthenticationService authenticationService;
    private String httpServletRequestAuthHeaderName;
    // By default match everything if this is not set
@@ -97,8 +99,6 @@ public class HTTPRequestAuthenticationFilter implements Filter
        HttpServletRequest req = (HttpServletRequest) sreq;
        HttpServletResponse resp = (HttpServletResponse) sresp;
        HttpSession httpSess = req.getSession(true);
        // Check for the auth header
        String authHdr = req.getHeader(httpServletRequestAuthHeaderName);
@@ -164,7 +164,7 @@ public class HTTPRequestAuthenticationFilter implements Filter
        // See if there is a user in the session and test if it matches
-        User user = (User) httpSess.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
+        User user = AuthenticationHelper.getUser(this.context, req, resp);
        if (user != null)
        {
@@ -236,7 +236,7 @@ public class HTTPRequestAuthenticationFilter implements Filter
        authComponent.setCurrentUser(userName);
        // Set up the user information
-        AuthenticationHelper.setUser(context, req, userName, true);
+        AuthenticationHelper.setUser(context, req, userName, authenticationService.getCurrentTicket(), true);
        // Set the locale using the session
        AuthenticationHelper.setupThread(this.context, req, res);
@@ -253,6 +253,7 @@ public class HTTPRequestAuthenticationFilter implements Filter
        WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
        authComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
        authenticationService = (AuthenticationService) ctx.getBean("AuthenticationService");
        httpServletRequestAuthHeaderName = config.getInitParameter("httpServletRequestAuthHeaderName");
        if(httpServletRequestAuthHeaderName == null)
--- a/source/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java
+++ b/source/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java
@@ -80,18 +80,22 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
        {
            setLoginPage(clientConfig.getLoginPage());
        }
        // Use the web client user attribute name
        setUserAttributeName(AuthenticationHelper.AUTHENTICATION_USER);
    }
 	/* (non-Javadoc)
 	 * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
 	 */
 	@Override
 	protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, String homeSpace) {
    /* (non-Javadoc)
     * @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.cmr.repository.NodeRef)
     */
    @Override
    protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, NodeRef homeSpaceRef)
    {
 		// Create a web client user object
 		User user = new User( userName, ticket, personNode);
-		user.setHomeSpaceId( homeSpace);
+		user.setHomeSpaceId( homeSpaceRef.getId());
 		return user;
 	}
--- a/source/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java
+++ b/source/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java
@@ -77,18 +77,22 @@ public class NTLMAuthenticationFilter extends BaseNTLMAuthenticationFilter
        {
            setLoginPage(clientConfig.getLoginPage());
        }
        // Use the web client user attribute name
        setUserAttributeName(AuthenticationHelper.AUTHENTICATION_USER);        
    }
    /* (non-Javadoc)
 	 * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
 	 */
 	@Override
 	protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, String homeSpace) {
    /* (non-Javadoc)
     * @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.cmr.repository.NodeRef)
     */
    @Override
    protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, NodeRef homeSpaceRef)
    {
 		// Create a web client user object
 		User user = new User( userName, ticket, personNode);
-		user.setHomeSpaceId( homeSpace);
+		user.setHomeSpaceId( homeSpaceRef.getId());
 		return user;
 	}
--- a/source/java/org/alfresco/web/bean/LoginBean.java
+++ b/source/java/org/alfresco/web/bean/LoginBean.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007 Alfresco Software Limited.
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
@@ -37,6 +37,7 @@ import javax.faces.validator.ValidatorException;
 import javax.servlet.http.HttpServletRequest;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.security.authentication.AuthenticationDisallowedException;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.AuthenticationMaxUsersException;
@@ -63,8 +64,20 @@ import org.apache.commons.logging.LogFactory;
 */ 
 public class LoginBean implements Serializable
 {
-   // ------------------------------------------------------------------------------
+   /**
-   // Managed bean properties
+    * The default outcome of the logout action.
    */
   private static final String OUTCOME_LOGOUT = "logout";
   /**
    * The outcome of the logout action when the user has been signed on by SSO.
    */
   private static final String OUTCOME_RELOGIN = "relogin";
   /**
    * The name of the form parameter carrying the outcome to the logout action.
    */
   private static final String PARAM_OUTCOME = "outcome";
   private static final long serialVersionUID = 7417882503323795282L;
@@ -143,13 +156,13 @@ public class LoginBean implements Serializable
   }
   /**
-    * @return true if the default Alfresco authentication process is being used, else false
+    * @return "logout" if the default Alfresco authentication process is being used, else "relogin"
    *         if an external authorisation mechanism is present.
    */
-   public boolean isAlfrescoAuth()
+   public String getLogoutOutcome()
   {
-      Map session = FacesContext.getCurrentInstance().getExternalContext().getSessionMap();
+       Map<?, ?> session = FacesContext.getCurrentInstance().getExternalContext().getSessionMap();
-      return (session.get(LOGIN_EXTERNAL_AUTH) == null);
+       return session.get(LOGIN_EXTERNAL_AUTH) == null ? OUTCOME_LOGOUT : OUTCOME_RELOGIN;
   }
   /**
@@ -389,8 +402,14 @@ public class LoginBean implements Serializable
   {
      FacesContext context = FacesContext.getCurrentInstance();
-      // need to capture this value before invalidating the session
+      // The outcome is decided in advance (before session expiry) and included as a parameter
-      boolean externalAuth = isAlfrescoAuth();
+      Map<?, ?> params = context.getExternalContext().getRequestParameterMap();
      String outcome = (String)params.get(PARAM_OUTCOME);
      if (outcome == null)
      {
          outcome = OUTCOME_LOGOUT;
      }
      Locale language = Application.getLanguage(context);
      // Invalidate Session for this user.
@@ -404,7 +423,7 @@ public class LoginBean implements Serializable
      else
      {
         Map session = context.getExternalContext().getSessionMap();
-         User user = (User)session.get(AuthenticationHelper.AUTHENTICATION_USER);
+         SessionUser user = (SessionUser)session.get(AuthenticationHelper.AUTHENTICATION_USER);
         if (user != null)
         {
            // invalidate ticket and clear the Security context for this thread
@@ -428,7 +447,7 @@ public class LoginBean implements Serializable
      // set language to last used on the login page
      Application.setLanguage(context, language.toString());
-      return externalAuth ? "logout" : "relogin";
+      return outcome;
   }
--- a/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java
+++ b/source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java
@@ -436,6 +436,7 @@ public class NtlmAuthenticationHandler extends AbstractAuthenticationHandler imp
            if (user == null)
            {
                user = createUserEnvironment(session, userName);
                session.setAttribute(USER_SESSION_ATTRIBUTE, user);
            }
            else
            {
--- a/source/web/jsp/parts/titlebar.jsp
+++ b/source/web/jsp/parts/titlebar.jsp
@@ -102,7 +102,9 @@
               <td style="white-space:nowrap;"><a href="http://www.alfresco.com/services/support/issues/" target="new"><h:outputText value="#{msg.raise_issue}" /></a></td>
               <td style="width:8px;">&nbsp;</td>
               <td style="white-space:nowrap;">
-                  <a:actionLink id="logout" image="/images/icons/logout.gif" value="#{msg.logout} (#{NavigationBean.currentUser.userName})" rendered="#{!NavigationBean.isGuest}" action="#{LoginBean.logout}" immediate="true" />
+                  <a:actionLink id="logout" image="/images/icons/logout.gif" value="#{msg.logout} (#{NavigationBean.currentUser.userName})" rendered="#{!NavigationBean.isGuest}" action="#{LoginBean.logout}" immediate="true">
                     <f:param name="outcome" value="#{LoginBean.logoutOutcome}" />
                  </a:actionLink>
                  <a:actionLink id="login" image="/images/icons/login.gif" value="#{msg.login} (#{NavigationBean.currentUser.userName})" rendered="#{NavigationBean.isGuest}" action="#{LoginBean.logout}" />
               </td>
            </tr>