inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged V3.2 to HEAD

Browse Source 
16662: LDAP sync: improved group association filtering, referential integrity checking, deletion strategy and performance tuning of batch sizes
   16648: ETHREEOH-2752: Improved ticket validation fix
      - Invalidate user's tickets during person deletion rather than validation or it can mess up chained validation
   16647: ETHREEOH-2534: Fixed Sharepoint NTLM authentication
      - user details were never getting cached in the session
   16579: Small improvement to LDAP error reporting
      - Committed errors counted before successes in a logging interval
   16515: LDAP sync performance
      - Improved full sync strategy - run differential queries to work out required updates/additions and full queries to work out required deletions. Saves updating unchanged nodes.
      - Use a TreeSet rather than a HashSet to gather group associations in an attempt to avoid blowing the heap size
   16498: More LDAP performance improvements
      - Uses thread pool with 4 worker threads and blocking queue to process returned results. The number of worker threads can be controlled by the synchronization.workerThreads property.
      - Switched LDAP connection pooling back on again
      - Group Associations processsed individually so that errors are collated and we get a better idea of their throughput
      - Fixed potential bug. Group membership resolution done with isolated LDAP context to avoid cookies from paging creeping in.
   16424: Try switching off LDAP connection pooling to see if it works better with our flaky server.
   16414: Further LDAP fault tolerance
      - Log causes of group member resolution failures where possible
   16413: More fault tolerance for LDAP sync
      - Always commit last sync times before overall sync is complete to avoid the 'forgetting' of differential sync information
      - DN comparisons should be case insensitive to avoid issues resolving DNs to user and group IDs
   16398: Improved monitoring and fault tolerance for LDAP sync
      - When the batch is complete a summary of the number of errors and the last error stack trace will be logged at ERROR level
      - Each individual error is logged at WARN level and progress information (including % complete) is collated and logged at INFO level after a configurable interval
      - In the Enterprise Edition all metrics can be monitored in real time through JMX
      - Sanity testing to be performed by Mike!
   16319: Merged HEAD to V3.2
      16316: ALFCOM-3397: JBoss 5 compatibility fix
         - Relative paths used by LDAP subsystem configuration weren't being resolved correctly
         - See also https://jira.jboss.org/jira/browse/JBAS-6548 and https://jira.springsource.org/browse/SPR-5120
   16272: ETHREEOH-2752: Once more with feeling!
   16261: ETHREEOH-2752: Correct exception propagation.
   16260: ETHREEOH-2752: Fix ticket validation
      - Current ticket was getting forgotten by previous fix
      - Person validation in CHECK mode now done AFTER the current user is set, so that the current ticket is remembered
   16243: ETHREEOH-2752: Improve ticket validation used by all authentication filters
      - Now takes into account whether person actually exists or not
      - Tickets for non-nonexistent persons are now considered invalid and cached session information is invalidated
      - New BaseAuthenticationFilter superclass for all authentication filters
      - Improved fix to ETHREEOH-2839: WebDAV user is cached consistently using a different session attribute from the Web Client
   16233: ETHREEOH-2754: Correction to previous checkin.
      - relogin for SSO authentication, logout for normal login page
      - logout is default
   16232: ETHREEOH-2754: Log Out Action outcome passed as a parameter
      - relogin for SSO authentication, login for normal login page
      - Means the log out link always leads to the correct place, even when the session has expired
      - Also lowered ticket validation error logging to DEBUG level to avoid unnecessary noise in the logs from expired sessions
   16220: ETHREEOH-2839: Fixed potential ClassCastExceptions when Alfresco accessed via WebDAV and Web Client links in same browser
      - WebDAV side no longer directly casts session user to a WebDAVUser
      - ContextListener no longer casts session user to web client user
      - Web client side will 'promote' session user to a web client User if necessary via AuthenticationHelper
      - All authentication filters made to use appropriate AuthenticationHelper methods
   16211: ETHREEOH-2835: LDAP sync batches user and group deletions as well as creations
      - Also improved logging of sync failures
   16197: ETHREEOH-2782: LDAP subsystems now support search-based user DN resolution
      - When ldap.authentication.userNameFormat isn't set (now the default) converts a user ID to a DN by running ldap.synchronization.personQuery with an extra condition tacked on the end to find the user by ID
      - Structured directories and authentication by attributes not in the DN such as email address now supported
   16189: ALFCOM-3283: Prevent errors when user accepts an invite when not logged in
      - new isGuest attribute propagated to user object
      - header component (used by accept-invite page) needs to avoid calling prefs and site webscripts for guest user
      - Conditional stuff in header template changed to use user.isGuest


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16896 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Dave Ward
2009-10-14 09:24:13 +00:00
parent d9d774eac0
commit 8ff98a72f5
10 changed files with 189 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
source/java/org/alfresco/repo/web/scripts/portlet/WebClientPortletAuthenticatorFactory.java
View File

@@ -29,6 +29,7 @@ import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import javax.transaction.UserTransaction;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.model.Repository;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
@@ -216,7 +217,8 @@ public class WebClientPortletAuthenticatorFactory implements PortletAuthenticato
*/
private User getWebClientUser(PortletSession session)
{
return (User)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER, PortletSession.APPLICATION_SCOPE);
SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER, PortletSession.APPLICATION_SCOPE);
return user instanceof User ? (User)user : null;
}
}

4
source/java/org/alfresco/web/app/ContextListener.java
View File

@@ -34,6 +34,7 @@ import javax.servlet.http.HttpSessionListener;
import javax.transaction.UserTransaction;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.cache.InternalEhCacheManagerFactoryBean;
import org.alfresco.repo.security.authentication.AuthenticationContext;
import org.alfresco.service.ServiceRegistry;
@@ -46,7 +47,6 @@ import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.web.app.servlet.AuthenticationHelper;
import org.alfresco.web.bean.repository.Repository;
import org.alfresco.web.bean.repository.User;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.context.WebApplicationContext;
@@ -186,7 +186,7 @@ public class ContextListener implements ServletContextListener, HttpSessionListe
}
if (userKey != null)
{
User user = (User)event.getSession().getAttribute(userKey);
SessionUser user = (SessionUser)event.getSession().getAttribute(userKey);
if (user != null)
{
// invalidate ticket and clear the Security context for this thread

7
source/java/org/alfresco/web/app/portlet/AlfrescoFacesPortlet.java
View File

@@ -43,6 +43,7 @@ import javax.portlet.UnavailableException;
import org.alfresco.config.ConfigService;
import org.alfresco.i18n.I18NUtil;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.util.TempFileProvider;
@@ -162,7 +163,8 @@ public class AlfrescoFacesPortlet extends MyFacesGenericPortlet
}
else
{
User user = (User)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
SessionUser sessionUser = (SessionUser)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
User user = sessionUser instanceof User ? (User)sessionUser : null;
if (user != null)
{
// setup the authentication context
@@ -267,7 +269,8 @@ public class AlfrescoFacesPortlet extends MyFacesGenericPortlet
String viewId = request.getParameter(VIEW_ID);
// keep track of last view id so we can use it as return page from multi-part requests
request.getPortletSession().setAttribute(SESSION_LAST_VIEW_ID, viewId);
User user = (User)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
SessionUser sessionUser = (SessionUser)request.getPortletSession().getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
User user = sessionUser instanceof User ? (User)sessionUser : null;
if (user == null && (viewId == null || viewId.equals(getLoginPage()) == false))
{
if (AuthenticationHelper.portalGuestAuthenticate(ctx, session, auth) == AuthenticationStatus.Guest)

218
source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
View File

@@ -34,16 +34,17 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.transaction.UserTransaction;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.i18n.I18NUtil;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
import org.alfresco.service.cmr.repository.NodeRef;
@@ -174,11 +175,11 @@ public final class AuthenticationHelper
ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest, boolean allowGuest)
throws IOException
{
HttpSession session = req.getSession();
// retrieve the User object
User user = getUser(sc, req, res);
HttpSession session = req.getSession();
// get the login bean if we're not in the portal
LoginBean loginBean = null;
if (Application.inPortalServer() == false)
@@ -207,7 +208,7 @@ public final class AuthenticationHelper
auth.authenticateAsGuest();
// if we get here then Guest access was allowed and successful
setUser(sc, req, AuthenticationUtil.getGuestUserName(), false);
setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(), false);
// Set up the thread context
setupThread(sc, req, res);
@@ -245,18 +246,7 @@ public final class AuthenticationHelper
return AuthenticationStatus.Failure;
}
else
{
try
{
auth.validate(user.getTicket());
}
catch (AuthenticationException authErr)
{
// expired ticket
session.removeAttribute(AUTHENTICATION_USER);
return AuthenticationStatus.Failure;
}
{
// set last authentication username cookie value
if (loginBean != null)
{
@@ -287,13 +277,11 @@ public final class AuthenticationHelper
{
auth.validate(ticket);
User user = (User)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
if (user == null)
// We may have previously been authenticated via WebDAV so we may need to 'promote' the user object
SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
if (user == null || !(user instanceof User))
{
// need to create the User instance if not already available
String currentUsername = auth.getCurrentUserName();
setUser(context, httpRequest, currentUsername, false);
setUser(context, httpRequest, auth.getCurrentUserName(), ticket, false);
}
}
catch (AuthenticationException authErr)
@@ -325,90 +313,81 @@ public final class AuthenticationHelper
* the request
* @param currentUsername
* the current user name
* @param ticket
* a validated ticket
* @param externalAuth
* was this user authenticated externally?
* @return the user object
*/
public static User setUser(ServletContext context, HttpServletRequest req, String currentUsername,
boolean externalAuth)
String ticket, boolean externalAuth)
{
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
User user = createUser(wc, auth, currentUsername, externalAuth);
User user = createUser(wc, currentUsername, ticket);
// store the User object in the Session - the authentication servlet will then proceed
HttpSession session = req.getSession(true);
session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
if (externalAuth)
{
session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
}
setExternalAuth(session, externalAuth);
return user;
}
/**
* Creates an object for an authentication user.
* Sets or clears the external authentication flag on the session
*
* @param wc
* the web application context
* @param auth
* the authentication service
* @param currentUsername
* the current user name
* @param session
* the session
* @param externalAuth
* was this user authenticated externally?
* @return the user object
* was the user authenticated externally?
*/
private static User createUser(WebApplicationContext wc, AuthenticationService auth, String currentUsername,
boolean externalAuth)
private static void setExternalAuth(HttpSession session, boolean externalAuth)
{
UserTransaction tx = null;
ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY);
try
if (externalAuth)
{
tx = services.getTransactionService().getUserTransaction();
tx.begin();
NodeService nodeService = services.getNodeService();
PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE);
NodeRef personRef = personService.getPerson(currentUsername);
User user = new User(currentUsername, auth.getCurrentTicket(), personRef);
NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER);
// check that the home space node exists - else Login cannot proceed
if (nodeService.exists(homeRef) == false)
{
throw new InvalidNodeRefException(homeRef);
}
user.setHomeSpaceId(homeRef.getId());
tx.commit();
return user;
session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
}
catch (Exception ex)
else
{
logger.error(ex);
try
{
tx.rollback();
}
catch (Exception ex2)
{
logger.error("Failed to rollback transaction", ex2);
}
if (ex instanceof RuntimeException)
{
throw (RuntimeException) ex;
}
else
{
throw new RuntimeException("Failed to set authenticated user", ex);
}
session.removeAttribute(LoginBean.LOGIN_EXTERNAL_AUTH);
}
}
/**
* Creates an object for an authentication user.
*
* @param wc
* the web application context
* @param currentUsername
* the current user name
* @param ticket
* a validated ticket
* @return the user object
*/
private static User createUser(final WebApplicationContext wc, final String currentUsername, final String ticket)
{
final ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY);
return services.getTransactionService().getRetryingTransactionHelper().doInTransaction(
new RetryingTransactionHelper.RetryingTransactionCallback<User>()
{
public User execute() throws Throwable
{
NodeService nodeService = services.getNodeService();
PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE);
NodeRef personRef = personService.getPerson(currentUsername);
User user = new User(currentUsername, ticket, personRef);
NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER);
// check that the home space node exists - else Login cannot proceed
if (nodeService.exists(homeRef) == false)
{
throw new InvalidNodeRefException(homeRef);
}
user.setHomeSpaceId(homeRef.getId());
return user;
}
});
}
/**
* For no previous authentication or forced Guest - attempt Guest access
@@ -422,7 +401,7 @@ public final class AuthenticationHelper
{
auth.authenticateAsGuest();
User user = createUser(ctx, auth, AuthenticationUtil.getGuestUserName(), false);
User user = createUser(ctx, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket());
// store the User object in the Session - the authentication servlet will then proceed
session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
@@ -461,19 +440,23 @@ public final class AuthenticationHelper
}
/**
* Attempts to retrieve the User object stored in the current session.
*
* @param httpRequest The HTTP request
* @param httpResponse The HTTP response
* @return The User object representing the current user or null if it could not be found
*/
* Attempts to retrieve the User object stored in the current session.
*
* @param sc
* the servlet context
* @param httpRequest
* The HTTP request
* @param httpResponse
* The HTTP response
* @return The User object representing the current user or null if it could not be found
*/
@SuppressWarnings("unchecked")
public static User getUser(ServletContext sc, HttpServletRequest httpRequest, HttpServletResponse httpResponse)
public static User getUser(final ServletContext sc, final HttpServletRequest httpRequest, HttpServletResponse httpResponse)
{
String userId = null;
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
final WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
RemoteUserMapper remoteUserMapper = (RemoteUserMapper) wc.getBean(REMOTE_USER_MAPPER);
if (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive())
{
@@ -484,9 +467,11 @@ public final class AuthenticationHelper
User user = null;
// examine the appropriate session to try and find the User object
SessionUser sessionUser = null;
String sessionUserAttrib = null;
if (Application.inPortalServer() == false)
{
user = (User) session.getAttribute(AUTHENTICATION_USER);
sessionUserAttrib = AUTHENTICATION_USER;
}
else
{
@@ -499,31 +484,62 @@ public final class AuthenticationHelper
String name = enumNames.nextElement();
if (name.endsWith(AUTHENTICATION_USER))
{
user = (User) session.getAttribute(name);
sessionUserAttrib = name;
break;
}
}
}
// Make sure the ticket is valid, the person exists, and the cached user is of the right type (WebDAV users have
// been known to leak in but shouldn't now)
if (sessionUserAttrib != null && (sessionUser = (SessionUser) session.getAttribute(sessionUserAttrib)) != null)
{
AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
try
{
auth.validate(sessionUser.getTicket());
if (sessionUser instanceof User)
{
user = (User)sessionUser;
setExternalAuth(session, userId != null);
}
else
{
user = setUser(sc, httpRequest, sessionUser.getUserName(), sessionUser.getTicket(), userId != null);
}
}
catch (AuthenticationException authErr)
{
session.removeAttribute(sessionUserAttrib);
if (!Application.inPortalServer())
{
session.invalidate();
}
}
}
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
if (userId != null)
{
// We have a previously-cached user with the wrong identity - replace them
if (user != null && !user.getUserName().equals(userId))
{
user = null;
session.removeAttribute(sessionUserAttrib);
if (!Application.inPortalServer())
{
session.invalidate();
}
user = null;
}
if (user == null)
{
// If we have been authenticated by other means, just propagate through the user identity
if (userId != null)
{
AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc
.getBean(AUTHENTICATION_COMPONENT);
authenticationComponent.setCurrentUser(userId);
user = setUser(sc, httpRequest, userId, true);
}
AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc
.getBean(AUTHENTICATION_COMPONENT);
authenticationComponent.setCurrentUser(userId);
AuthenticationService authenticationService = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
user = setUser(sc, httpRequest, userId, authenticationService.getCurrentTicket(), true);
}
}
return user;

11
source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java
View File

@@ -38,10 +38,10 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.web.app.Application;
import org.alfresco.web.bean.repository.User;
import org.apache.commons.logging.Log;
@@ -64,6 +64,8 @@ public class HTTPRequestAuthenticationFilter implements Filter
private String loginPage;
private AuthenticationComponent authComponent;
private AuthenticationService authenticationService;
private String httpServletRequestAuthHeaderName;
@@ -97,8 +99,6 @@ public class HTTPRequestAuthenticationFilter implements Filter
HttpServletRequest req = (HttpServletRequest) sreq;
HttpServletResponse resp = (HttpServletResponse) sresp;
HttpSession httpSess = req.getSession(true);
// Check for the auth header
String authHdr = req.getHeader(httpServletRequestAuthHeaderName);
@@ -164,7 +164,7 @@ public class HTTPRequestAuthenticationFilter implements Filter
// See if there is a user in the session and test if it matches
User user = (User) httpSess.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
User user = AuthenticationHelper.getUser(this.context, req, resp);
if (user != null)
{
@@ -236,7 +236,7 @@ public class HTTPRequestAuthenticationFilter implements Filter
authComponent.setCurrentUser(userName);
// Set up the user information
AuthenticationHelper.setUser(context, req, userName, true);
AuthenticationHelper.setUser(context, req, userName, authenticationService.getCurrentTicket(), true);
// Set the locale using the session
AuthenticationHelper.setupThread(this.context, req, res);
@@ -253,6 +253,7 @@ public class HTTPRequestAuthenticationFilter implements Filter
WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
authComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
authenticationService = (AuthenticationService) ctx.getBean("AuthenticationService");
httpServletRequestAuthHeaderName = config.getInitParameter("httpServletRequestAuthHeaderName");
if(httpServletRequestAuthHeaderName == null)

18
source/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java
View File

@@ -80,18 +80,22 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
{
setLoginPage(clientConfig.getLoginPage());
}
// Use the web client user attribute name
setUserAttributeName(AuthenticationHelper.AUTHENTICATION_USER);
}
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/
@Override
protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, String homeSpace) {
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.cmr.repository.NodeRef)
*/
@Override
protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, NodeRef homeSpaceRef)
{
// Create a web client user object
User user = new User( userName, ticket, personNode);
user.setHomeSpaceId( homeSpace);
user.setHomeSpaceId( homeSpaceRef.getId());
return user;
}

16
source/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java
View File

@@ -77,18 +77,22 @@ public class NTLMAuthenticationFilter extends BaseNTLMAuthenticationFilter
{
setLoginPage(clientConfig.getLoginPage());
}
// Use the web client user attribute name
setUserAttributeName(AuthenticationHelper.AUTHENTICATION_USER);
}
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/
@Override
protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, String homeSpace) {
* @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#createUserObject(java.lang.String, java.lang.String, org.alfresco.service.cmr.repository.NodeRef, org.alfresco.service.cmr.repository.NodeRef)
*/
@Override
protected SessionUser createUserObject(String userName, String ticket, NodeRef personNode, NodeRef homeSpaceRef)
{
// Create a web client user object
User user = new User( userName, ticket, personNode);
user.setHomeSpaceId( homeSpace);
user.setHomeSpaceId( homeSpaceRef.getId());
return user;
}

43
source/java/org/alfresco/web/bean/LoginBean.java
View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
* Copyright (C) 2005-2009 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
@@ -37,6 +37,7 @@ import javax.faces.validator.ValidatorException;
import javax.servlet.http.HttpServletRequest;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationDisallowedException;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationMaxUsersException;
@@ -63,8 +64,20 @@ import org.apache.commons.logging.LogFactory;
*/
public class LoginBean implements Serializable
{
// ------------------------------------------------------------------------------
// Managed bean properties
/**
* The default outcome of the logout action.
*/
private static final String OUTCOME_LOGOUT = "logout";
/**
* The outcome of the logout action when the user has been signed on by SSO.
*/
private static final String OUTCOME_RELOGIN = "relogin";
/**
* The name of the form parameter carrying the outcome to the logout action.
*/
private static final String PARAM_OUTCOME = "outcome";
private static final long serialVersionUID = 7417882503323795282L;
@@ -143,13 +156,13 @@ public class LoginBean implements Serializable
}
/**
* @return true if the default Alfresco authentication process is being used, else false
* @return "logout" if the default Alfresco authentication process is being used, else "relogin"
* if an external authorisation mechanism is present.
*/
public boolean isAlfrescoAuth()
public String getLogoutOutcome()
{
Map session = FacesContext.getCurrentInstance().getExternalContext().getSessionMap();
return (session.get(LOGIN_EXTERNAL_AUTH) == null);
Map<?, ?> session = FacesContext.getCurrentInstance().getExternalContext().getSessionMap();
return session.get(LOGIN_EXTERNAL_AUTH) == null ? OUTCOME_LOGOUT : OUTCOME_RELOGIN;
}
/**
@@ -388,9 +401,15 @@ public class LoginBean implements Serializable
public String logout()
{
FacesContext context = FacesContext.getCurrentInstance();
// need to capture this value before invalidating the session
boolean externalAuth = isAlfrescoAuth();
// The outcome is decided in advance (before session expiry) and included as a parameter
Map<?, ?> params = context.getExternalContext().getRequestParameterMap();
String outcome = (String)params.get(PARAM_OUTCOME);
if (outcome == null)
{
outcome = OUTCOME_LOGOUT;
}
Locale language = Application.getLanguage(context);
// Invalidate Session for this user.
@@ -404,7 +423,7 @@ public class LoginBean implements Serializable
else
{
Map session = context.getExternalContext().getSessionMap();
User user = (User)session.get(AuthenticationHelper.AUTHENTICATION_USER);
SessionUser user = (SessionUser)session.get(AuthenticationHelper.AUTHENTICATION_USER);
if (user != null)
{
// invalidate ticket and clear the Security context for this thread
@@ -428,7 +447,7 @@ public class LoginBean implements Serializable
// set language to last used on the login page
Application.setLanguage(context, language.toString());
return externalAuth ? "logout" : "relogin";
return outcome;
}

1
source/java/org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.java
View File

@@ -436,6 +436,7 @@ public class NtlmAuthenticationHandler extends AbstractAuthenticationHandler imp
if (user == null)
{
user = createUserEnvironment(session, userName);
session.setAttribute(USER_SESSION_ATTRIBUTE, user);
}
else
{

4
source/web/jsp/parts/titlebar.jsp
View File

@@ -102,7 +102,9 @@
<td style="white-space:nowrap;"><a href="http://www.alfresco.com/services/support/issues/" target="new"><h:outputText value="#{msg.raise_issue}" /></a></td>
<td style="width:8px;">&nbsp;</td>
<td style="white-space:nowrap;">
<a:actionLink id="logout" image="/images/icons/logout.gif" value="#{msg.logout} (#{NavigationBean.currentUser.userName})" rendered="#{!NavigationBean.isGuest}" action="#{LoginBean.logout}" immediate="true" />
<a:actionLink id="logout" image="/images/icons/logout.gif" value="#{msg.logout} (#{NavigationBean.currentUser.userName})" rendered="#{!NavigationBean.isGuest}" action="#{LoginBean.logout}" immediate="true">
<f:param name="outcome" value="#{LoginBean.logoutOutcome}" />
</a:actionLink>
<a:actionLink id="login" image="/images/icons/login.gif" value="#{msg.login} (#{NavigationBean.currentUser.userName})" rendered="#{NavigationBean.isGuest}" action="#{LoginBean.logout}" />
</td>
</tr>