Merged V3.2 to HEAD

16062: ETHREEOH-2792: Support login via external SSO systems (such as CAS) in Alfresco Share - In Alfresco, new "external" authentication subsystem maps user identity from HttpServletRequest.getRemoteUser() or configured header - In Share, the UserFactory also recognizes HttpServletRequest.getRemoteUser() - no special filters required - User ID propagated to Alfresco through X-Alfresco-Remote-User HTTP header - This can be done securely via the use of an SSL client certificate that identifies the Share application to Alfresco as a special 'proxy' user - New <keystore> section added to webscript-framework-config that allows specification of the keystore holding the client certificate and trusted CAs - Support for SSL authentication and propagation of Cookies through redirects added to RemoteClient so that initial redirects through sign on pages are supported - TODO: Wiki git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16065 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2009-09-03 11:16:02 +00:00
parent 44e72700aa
commit 9c9c31ca83
7 changed files with 304 additions and 9 deletions
--- a/config/alfresco/subsystems/Authentication/external/external-filter-context.xml
+++ b/config/alfresco/subsystems/Authentication/external/external-filter-context.xml
@@ -0,0 +1,21 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
+<beans>
+
+   <!-- Enable control over mapping between request and user ID -->
+   <bean id="remoteUserMapper" class="org.alfresco.web.app.servlet.DefaultRemoteUserMapper">
+      <property name="proxyUserName">
+         <value>${external.authentication.proxyUserName}</value>
+      </property>
+      <property name="proxyHeader">
+         <value>${external.authentication.proxyHeader}</value>
+      </property>
+      <property name="active">
+         <value>${external.authentication.enabled}</value>
+      </property>
+      <property name="userIdPattern">
+         <value>${external.authentication.userIdPattern}</value>
+      </property>
+   </bean>
+
+</beans>
--- a/config/alfresco/subsystems/Authentication/external/external-filter.properties
+++ b/config/alfresco/subsystems/Authentication/external/external-filter.properties
@@ -0,0 +1,4 @@
+external.authentication.proxyUserName=alfresco-system
+external.authentication.proxyHeader=X-Alfresco-Remote-User
+external.authentication.enabled=true
+external.authentication.userIdPattern=
--- a/config/alfresco/web-client-application-context.xml
+++ b/config/alfresco/web-client-application-context.xml
@@ -170,6 +170,21 @@
      <property name="transactionService" ref="TransactionService" />
   </bean>

+   <bean id="remoteUserMapper" class="org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory">
+      <property name="applicationContextManager">
+         <ref bean="Authentication" />
+      </property>
+      <property name="interfaces">
+         <list>
+            <value>org.alfresco.web.app.servlet.RemoteUserMapper</value>
+            <value>org.alfresco.repo.management.subsystems.ActivateableBean</value>
+         </list>
+      </property>
+      <property name="sourceBeanName">
+         <value>remoteUserMapper</value>
+      </property>
+   </bean>
+
   <bean id="AuthenticationFilter" class="org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory">
      <property name="applicationContextManager">
         <ref bean="Authentication" />
--- a/source/java/org/alfresco/web/app/servlet/AdminAuthenticationFilter.java
+++ b/source/java/org/alfresco/web/app/servlet/AdminAuthenticationFilter.java
@@ -48,6 +48,8 @@ import org.apache.commons.logging.LogFactory;
 public class AdminAuthenticationFilter implements Filter
 {
   private static final Log logger = LogFactory.getLog(AdminAuthenticationFilter.class);
+   
+   private FilterConfig config;

   /**
    * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
@@ -66,7 +68,7 @@ public class AdminAuthenticationFilter implements Filter
         logger.debug("Authorising request for protected resource: " + httpRequest.getRequestURI());
      
      // there should be a user at this point so retrieve it
-      User user = AuthenticationHelper.getUser(httpRequest, httpResponse);
+      User user = AuthenticationHelper.getUser(this.config.getServletContext(), httpRequest, httpResponse);
      
      // if the user is present check to see whether it is an admin user
      boolean isAdmin = (user != null && user.isAdmin());
@@ -105,7 +107,7 @@ public class AdminAuthenticationFilter implements Filter
    */
   public void init(FilterConfig config) throws ServletException
   {
-      // nothing to do
+      this.config = config;
   }
   
   /**
--- a/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
+++ b/source/java/org/alfresco/web/app/servlet/AuthenticationHelper.java
@@ -39,6 +39,8 @@ import javax.transaction.UserTransaction;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.i18n.I18NUtil;
 import org.alfresco.model.ContentModel;
+import org.alfresco.repo.management.subsystems.ActivateableBean;
+import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.service.ServiceRegistry;
@@ -46,7 +48,6 @@ import org.alfresco.service.cmr.repository.InvalidNodeRefException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.AuthenticationService;
-import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.web.app.Application;
 import org.alfresco.web.bean.LoginBean;
@@ -82,6 +83,8 @@ public final class AuthenticationHelper
   
   /** public service bean IDs **/
   private static final String AUTHENTICATION_SERVICE = "AuthenticationService";
+   private static final String AUTHENTICATION_COMPONENT = "AuthenticationComponent";
+   private static final String REMOTE_USER_MAPPER = "remoteUserMapper";
   private static final String UNPROTECTED_AUTH_SERVICE = "authenticationService";
   private static final String PERSON_SERVICE = "personService";
   
@@ -172,7 +175,7 @@ public final class AuthenticationHelper
      HttpSession session = req.getSession();
      
      // retrieve the User object
-      User user = getUser(req, res);
+      User user = getUser(sc, req, res);
      
      // get the login bean if we're not in the portal
      LoginBean loginBean = null;
@@ -462,15 +465,25 @@ public final class AuthenticationHelper
    * @param httpResponse The HTTP response
    * @return The User object representing the current user or null if it could not be found
    */
-   public static User getUser(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
+   public static User getUser(ServletContext sc, HttpServletRequest httpRequest, HttpServletResponse httpResponse)
   {
+      String userId = null;
+
+      // If the remote user mapper is configured, we may be able to map in an externally authenticated user
+      WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
+      RemoteUserMapper remoteUserMapper = (RemoteUserMapper) wc.getBean(REMOTE_USER_MAPPER);
+      if (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive())
+      {
+         userId = remoteUserMapper.getRemoteUser(httpRequest);
+      }
+
      HttpSession session = httpRequest.getSession();
      User user = null;
-      
+
      // examine the appropriate session to try and find the User object
      if (Application.inPortalServer() == false)
      {
-         user = (User)session.getAttribute(AUTHENTICATION_USER);
+         user = (User) session.getAttribute(AUTHENTICATION_USER);
      }
      else
      {
@@ -483,12 +496,33 @@ public final class AuthenticationHelper
            String name = (String)enumNames.nextElement();
            if (name.endsWith(AUTHENTICATION_USER))
            {
-               user = (User)session.getAttribute(name);
+               user = (User) session.getAttribute(name);
               break;
            }
         }
      }
-      
+
+      // If the remote user mapper is configured, we may be able to map in an externally authenticated user
+      if (userId != null)
+      {
+         // We have a previously-cached user with the wrong identity - replace them
+         if (user != null && !user.getUserName().equals(userId))
+         {
+            user = null;
+         }
+
+         if (user == null)
+         {
+            // If we have been authenticated by other means, just propagate through the user identity
+            if (userId != null)
+            {
+               AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc
+                     .getBean(AUTHENTICATION_COMPONENT);
+               authenticationComponent.setCurrentUser(userId);
+               user = setUser(sc, httpRequest, userId, true);
+            }
+         }
+      }
      return user;
   }
   
--- a/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapper.java
+++ b/source/java/org/alfresco/web/app/servlet/DefaultRemoteUserMapper.java
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ * As a special exception to the terms and conditions of version 2.0 of 
+ * the GPL, you may redistribute this Program in connection with Free/Libre 
+ * and Open Source Software ("FLOSS") applications as described in Alfresco's 
+ * FLOSS exception.  You should have received a copy of the text describing 
+ * the FLOSS exception, and it is also available here: 
+ * http://www.alfresco.com/legal/licensing"
+ */
+package org.alfresco.web.app.servlet;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.alfresco.repo.management.subsystems.ActivateableBean;
+
+/**
+ * A default {@link RemoteUserMapper} implementation. Extracts the user ID using
+ * {@link HttpServletRequest#getRemoteUser()}. If it matches the configured proxy user name or the configured proxy user
+ * name is null, it extracts the user ID from the configured proxy request header. Otherwise returns the remote user
+ * name. An optional regular expression defining how to convert the header to a user ID can be configured using
+ * {@link #setUserIdPattern(String)}. This allows for the secure proxying of requests from a Surf client such as
+ * Alfresco Share using SSL client certificates.
+ * 
+ * @author dward
+ */
+public class DefaultRemoteUserMapper implements RemoteUserMapper, ActivateableBean
+{
+    /** The remote identity used to 'proxy' requests securely in the name of another user. */
+    private String proxyUserName = "alfresco-system";
+
+    /** The header containing the ID of a proxied user. */
+    private String proxyHeader = "X-Alfresco-Remote-User";
+
+    /** Is this mapper enabled? */
+    private boolean isEnabled;
+
+    /** Regular expression for extracting a user ID from the header. */
+    private Pattern userIdPattern;
+
+    /**
+     * Sets the name of the remote user used to 'proxy' requests securely in the name of another user. Typically this
+     * remote identity will be protected by an SSL client certificate.
+     * 
+     * @param proxyUserName
+     *            the proxy user name. If <code>null</code> or empty, then the header will be checked regardless of
+     *            remote user identity.
+     */
+    public void setProxyUserName(String proxyUserName)
+    {
+        this.proxyUserName = proxyUserName == null || proxyUserName.length() == 0 ? null : proxyUserName;
+    }
+
+    /**
+     * Sets the name of the header containing the ID of a proxied user.
+     * 
+     * @param proxyHeader
+     *            the proxy header name
+     */
+    public void setProxyHeader(String proxyHeader)
+    {
+        this.proxyHeader = proxyHeader;
+    }
+
+    /**
+     * Controls whether the mapper is enabled. When disabled {@link #getRemoteUser(HttpServletRequest)} will always
+     * return <code>null</code>
+     * 
+     * @param isEnabled
+     *            Is this mapper enabled?
+     */
+    public void setActive(boolean isEnabled)
+    {
+        this.isEnabled = isEnabled;
+    }
+
+    /**
+     * Sets a regular expression for extracting a user ID from the header. If this is not set, then the entire contents
+     * of the header will be used as the user ID.
+     * 
+     * @param userIdPattern
+     *            the regular expression
+     */
+    public void setUserIdPattern(String userIdPattern)
+    {
+        this.userIdPattern = userIdPattern == null || userIdPattern.length() == 0 ? null : Pattern
+                .compile(userIdPattern);
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.web.app.servlet.RemoteUserMapper#getRemoteUser(javax.servlet.http.HttpServletRequest)
+     */
+    public String getRemoteUser(HttpServletRequest request)
+    {
+        if (!this.isEnabled)
+        {
+            return null;
+        }
+        if (this.proxyUserName == null)
+        {
+            return extractUserFromProxyHeader(request);
+        }
+        else
+        {
+            String userId = request.getRemoteUser();
+            if (userId == null)
+            {
+                return null;
+            }
+            if (userId.equals(this.proxyUserName))
+            {
+                userId = extractUserFromProxyHeader(request);
+            }
+            return userId;
+        }
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive()
+     */
+    public boolean isActive()
+    {
+        return this.isEnabled;
+    }
+
+    /**
+     * Extracts a user ID from the proxy header. If a user ID pattern has been configured returns the contents of the
+     * first matching regular expression group or <code>null</code>. Otherwise returns the trimmed header contents or
+     * <code>null</code>.
+     * 
+     * @param request
+     *            the request
+     * @return the user ID
+     */
+    private String extractUserFromProxyHeader(HttpServletRequest request)
+    {
+        String userId = request.getHeader(this.proxyHeader);
+        if (userId == null)
+        {
+            return null;
+        }
+        if (this.userIdPattern == null)
+        {
+            userId = userId.trim();
+        }
+        else
+        {
+            Matcher matcher = this.userIdPattern.matcher(userId);
+            if (matcher.matches())
+            {
+                userId = matcher.group().trim();
+            }
+        }
+        return userId.length() == 0 ? null : userId;
+    }
+
+}
--- a/source/java/org/alfresco/web/app/servlet/RemoteUserMapper.java
+++ b/source/java/org/alfresco/web/app/servlet/RemoteUserMapper.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ * As a special exception to the terms and conditions of version 2.0 of 
+ * the GPL, you may redistribute this Program in connection with Free/Libre 
+ * and Open Source Software ("FLOSS") applications as described in Alfresco's 
+ * FLOSS exception.  You should have received a copy of the text describing 
+ * the FLOSS exception, and it is also available here: 
+ * http://www.alfresco.com/legal/licensing"
+ */
+package org.alfresco.web.app.servlet;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * An interface for objects capable of extracting an externally authenticated user ID from an HTTP request.
+ * 
+ * @author dward
+ */
+public interface RemoteUserMapper
+{
+   /**
+    * Gets an externally authenticated user ID from an HTTP request.
+    * 
+    * @param request
+    *           the request
+    * @return the user ID or <code>null</code> if the user is unauthenticated
+    */
+   public String getRemoteUser(HttpServletRequest request);
+}