diff --git a/config/alfresco/subsystems/fileServers/default/file-servers-context.xml b/config/alfresco/subsystems/fileServers/default/file-servers-context.xml index 7f327c9828..f344bce6de 100644 --- a/config/alfresco/subsystems/fileServers/default/file-servers-context.xml +++ b/config/alfresco/subsystems/fileServers/default/file-servers-context.xml @@ -276,14 +276,18 @@ - - - - - - - - + + + + + + + + + + + + diff --git a/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java b/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java index 6badc4119e..e662d235e0 100644 --- a/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java +++ b/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java @@ -1,7 +1,5 @@ package org.alfresco.filesys.alfresco; -import net.sf.acegisecurity.Authentication; - import org.alfresco.jlan.server.auth.ClientInfo; import org.alfresco.service.cmr.repository.NodeRef; @@ -31,10 +29,6 @@ import org.alfresco.service.cmr.repository.NodeRef; */ public class AlfrescoClientInfo extends ClientInfo { - // Authentication token - - private Authentication m_authToken; - // Authentication ticket, used for web access without having to re-authenticate private String m_authTicket; @@ -62,26 +56,6 @@ public class AlfrescoClientInfo extends ClientInfo { super(user, pwd); } - /** - * Check if the client has an authentication token - * - * @return boolean - */ - public final boolean hasAuthenticationToken() - { - return m_authToken != null ? true : false; - } - - /** - * Return the authentication token - * - * @return Authentication - */ - public final Authentication getAuthenticationToken() - { - return m_authToken; - } - /** * Check if the client has an authentication ticket * 
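Review bot: The field comment kept in the @@ -31 hunk of AlfrescoClientInfo still says the ticket is "used for web access without having to re-authenticate", but after this commit it is the only per-session credential the CIFS, FTP and NFS authenticators keep, and they re-validate it with `AuthenticationService.validate()` on later requests. Suggest `// Authentication ticket: the session's only stored credential, re-validated by the file-server authenticators and also reusable for web access`. The rest of the class body lies outside this hunk.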
@@ -122,16 +96,6 @@ public class AlfrescoClientInfo extends ClientInfo { return m_homeNode; } - /** - * Set the authentication toekn - * - * @param token Authentication - */ - public final void setAuthenticationToken(Authentication token) - { - m_authToken = token; - } - /** * Set the authentication ticket * diff --git a/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java b/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java index 8a1377778d..f6cffc57b9 100644 --- a/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java @@ -20,8 +20,6 @@ package org.alfresco.filesys.auth.cifs; import java.security.NoSuchAlgorithmException; -import net.sf.acegisecurity.Authentication; - import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.jlan.server.SrvSession; import org.alfresco.jlan.server.auth.AuthContext; @@ -31,6 +29,7 @@ import org.alfresco.jlan.server.auth.NTLanManAuthContext; import org.alfresco.jlan.server.core.SharedDevice; import org.alfresco.jlan.smb.server.SMBSrvSession; import org.alfresco.jlan.util.HexDump; +import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.NTLMMode; import org.alfresco.repo.security.authentication.ntlm.NTLMPassthruToken; import org.alfresco.repo.transaction.RetryingTransactionHelper; 
@@ -111,20 +110,28 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase // Check if the client is already authenticated, and it is not a null logon - if ( alfClient.getAuthenticationToken() != null && client.getLogonType() != ClientInfo.LogonNull) + try { - // Use the existing authentication token - - getAuthenticationComponent().setCurrentUser(client.getUserName()); - - // Debug - - if ( logger.isDebugEnabled()) - logger.debug("Re-using existing authentication token"); - - // Return the authentication status - - return client.getLogonType() != ClientInfo.LogonGuest ? AUTH_ALLOW : AUTH_GUEST; + if ( alfClient.hasAuthenticationTicket() && client.getLogonType() != ClientInfo.LogonNull) + { + // Use the existing authentication token + + getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null); + + // Debug + + if ( logger.isDebugEnabled()) + logger.debug("Re-using existing authentication token"); + + // Return the authentication status + + return client.getLogonType() != ClientInfo.LogonGuest ? AUTH_ALLOW : AUTH_GUEST; + } + } + catch (AuthenticationException ex) + { + // Ticket no longer valid or maximum tickets exceeded + alfClient.setAuthenticationTicket(null); } // Check if this is a guest logon @@ -379,7 +386,8 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase // Set the current user to be authenticated, save the authentication token AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser(client.getUserName())); + getAuthenticationComponent().setCurrentUser(client.getUserName()); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Get the users home folder node, if available 
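Review bot: Nothing in this commit invalidates the ticket captured by `getAuthenticationService().getCurrentTicket()` in the @@ -379 hunk when the SMB session ends, so each file-server logon appears to hold a ticket until it expires, and the new "maximum tickets exceeded" handling turns that into a way for stale sessions to lock a user out of new logons. If a session-close hook exists outside this diff it should call `getAuthenticationService().invalidateTicket(alfClient.getAuthenticationTicket())` and then `alfClient.setAuthenticationTicket(null)`; if none exists, one is needed. The enclosing method continues beyond the hunk.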
@@ -393,6 +401,10 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase return ICifsAuthenticator.AUTH_ALLOW; } + catch (AuthenticationException ex) + { + // Ticket no longer valid or maximum tickets exceeded + } catch (NoSuchAlgorithmException ex) { } @@ -461,13 +473,14 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase // Authenticate the user - Authentication genAuthToken = null; + String ticket = null; try { // Run the second stage of the passthru authentication - genAuthToken = getNTLMAuthenticator().authenticate( authToken); + getNTLMAuthenticator().authenticate( authToken); + ticket = getAuthenticationService().getCurrentTicket(); // Check if the user has been logged on as a guest @@ -500,10 +513,10 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase client.setLogonType( ClientInfo.LogonNormal); } - // Set the current user to be authenticated, save the authentication token + // Set the current user to be authenticated, save the authentication ticket AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( genAuthToken); + alfClient.setAuthenticationTicket(ticket); // Get the users home folder node, if available @@ -512,7 +525,11 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase // DEBUG if ( logger.isDebugEnabled()) - logger.debug("Auth token " + genAuthToken); + logger.debug("Auth ticket " + ticket); + } + catch (AuthenticationException ex) + { + // Ticket no longer valid or maximum tickets exceeded } catch ( Exception ex) { diff --git a/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java b/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java index 9e3170b1fd..05c9f7d88f 100644 --- a/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java +++ b/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java 
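Review bot: The new `catch (AuthenticationException ex)` in the @@ -393 hunk swallows the failure with only a comment, so a logon refused because the ticket limit was hit leaves no trace, whereas PassthruCifsAuthenticator in this same commit logs the identical condition at debug. Suggest `if (logger.isDebugEnabled()) logger.debug("User invalid or max tickets exceeded", ex);` inside the catch. The enclosing try starts before the hunk.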
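Review bot: `logger.debug("Auth ticket " + ticket)` in the @@ -512 hunk writes the ticket value itself to the log, and per the AlfrescoClientInfo comment a ticket is reusable for web access without re-authenticating, so at debug level the log becomes a store of bearer credentials. Log only the fact, e.g. `logger.debug("Auth ticket issued for " + client.getUserName());`. The same pattern appears in the NFS authenticator hunk later in this commit.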
@@ -18,9 +18,6 @@ */ package org.alfresco.filesys.auth.cifs; -import net.sf.acegisecurity.Authentication; - -import org.springframework.extensions.config.ConfigElement; import org.alfresco.filesys.AlfrescoConfigSection; import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.filesys.repo.ContentContext; @@ -37,6 +34,8 @@ import org.alfresco.jlan.server.filesys.SrvDiskInfo; import org.alfresco.model.ContentModel; import org.alfresco.repo.management.subsystems.ActivateableBean; import org.alfresco.repo.security.authentication.AuthenticationComponent; +import org.alfresco.repo.security.authentication.AuthenticationException; +import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.MD4PasswordEncoder; import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl; import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator; @@ -51,6 +50,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.beans.factory.DisposableBean; import org.springframework.beans.factory.InitializingBean; +import org.springframework.extensions.config.ConfigElement; /** * CIFS Authenticator Base Class @@ -309,9 +309,9 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements // Get a guest authentication token getAuthenticationService().authenticateAsGuest(); - Authentication authToken = getAuthenticationComponent().getCurrentAuthentication(); + String ticket = getAuthenticationService().getCurrentTicket(); - alfClient.setAuthenticationToken( authToken); + alfClient.setAuthenticationTicket(ticket); // Set the home folder for the guest user 
@@ -374,27 +374,34 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements */ protected final String mapUserNameToPerson(final String userName) { - return doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback() + // Do the lookup as the system user + return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork() { - - public String execute() throws Throwable + public String doWork() throws Exception { - // Get the home folder for the user - - String personName = getPersonService().getUserIdentifier(userName); - - // Check if the person exists - - if (personName == null) + return doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback() { - // Force creation of a person if possible - getPersonService().getPerson(userName); - personName = getPersonService().getUserIdentifier(userName); - return personName == null ? userName : personName; - } - return personName; + + public String execute() throws Throwable + { + // Get the home folder for the user + + String personName = getPersonService().getUserIdentifier(userName); + + // Check if the person exists + + if (personName == null) + { + // Force creation of a person if possible + getPersonService().getPerson(userName); + personName = getPersonService().getUserIdentifier(userName); + return personName == null ? userName : personName; + } + return personName; + } + }); } - }); + }, AuthenticationUtil.getSystemUserName()); } /** 
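Review bot: The @@ -374 hunk makes mapUserNameToPerson run as the system user, and inside that elevated context `getPersonService().getPerson(userName)` is called on a client-supplied name with the existing intent "Force creation of a person if possible", so the lookup may now provision a person node with full privileges for any name a caller passes; the Javadoc, which starts before the hunk, does not say so. Add to it: `Runs as the system user; may create a person node for an unknown user name, so callers must only pass names they are prepared to have provisioned.` Whether a person is actually created depends on person-service configuration outside this diff.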
@@ -403,29 +410,52 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements * @param client * ClientInfo */ - public void setCurrentUser(ClientInfo client) { + public void setCurrentUser(final ClientInfo client) { // Check the account type and setup the authentication context - if (client == null || client.isNullSession()) + doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback() { - // Clear the authentication, null user should not be allowed to do any service calls - - getAuthenticationComponent().clearCurrentSecurityContext(); - } - else if (client.isGuest() == false && client instanceof AlfrescoClientInfo) - { - // Set the authentication context for the request - - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - getAuthenticationComponent().setCurrentAuthentication(alfClient.getAuthenticationToken()); - } - else - { - // Enable guest access for the request - - getAuthenticationComponent().setGuestUserAsCurrentUser(); - } + public Object execute() throws Throwable + { + if (client == null || client.isNullSession()) + { + // Clear the authentication, null user should not be allowed to do any service calls + + getAuthenticationComponent().clearCurrentSecurityContext(); + } + else if (client.isGuest() == false && client instanceof AlfrescoClientInfo) + { + // Set the authentication context for the request + + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + if (alfClient.hasAuthenticationTicket()) + { + try + { + getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null); + } + catch (AuthenticationException e) + { + // Ticket no longer valid or maximum tickets exceeded + alfClient.setAuthenticationTicket(null); + getAuthenticationComponent().clearCurrentSecurityContext(); + } + } + else + { + getAuthenticationComponent().clearCurrentSecurityContext(); + } + } + else + { + // Enable guest access for the request + + getAuthenticationComponent().setGuestUserAsCurrentUser(); 
+ } + return null; + } + }); } /** diff --git a/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java b/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java index eab0353ea7..3e99340bc7 100644 --- a/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java @@ -36,7 +36,6 @@ import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import javax.security.sasl.RealmCallback; -import org.springframework.extensions.config.ConfigElement; import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.jlan.debug.Debug; @@ -70,10 +69,12 @@ import org.alfresco.jlan.smb.server.SMBSrvSession; import org.alfresco.jlan.smb.server.VirtualCircuit; import org.alfresco.jlan.util.DataPacker; import org.alfresco.jlan.util.HexDump; +import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.NTLMMode; import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator; import org.alfresco.repo.transaction.RetryingTransactionHelper; import org.ietf.jgss.Oid; +import org.springframework.extensions.config.ConfigElement; /** * Enterprise CIFS Authenticator Class 
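Review bot: In the setCurrentUser hunk that begins on the previous line, a ticket rejected by `validate()` is discarded and the security context cleared silently, so every later operation on that SMB session fails with access denied and the log says nothing about why; since `hasAuthenticationTicket()` is then false, the session stays unauthenticated until the client performs a new logon. Suggest at least `logger.debug("Ticket for " + client.getUserName() + " no longer valid; session downgraded", e);` in the catch. Whether a ticket can expire within the lifetime of a long-lived CIFS session depends on ticket configuration outside this diff.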
@@ -1491,14 +1492,21 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement } else { - // Use the system user to do the user name lookup - - getAuthenticationComponent().setSystemUserAsCurrentUser(); - // Set the current user to be authenticated, save the authentication token - - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(krbDetails.getUserName()))); + + try + { + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(krbDetails.getUserName())); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket() ); + } + catch (AuthenticationException e) + { + // Invalid user or max tickets exceeded. Return a logon failure status + + throw new SMBSrvException( SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + + } // Store the full user name in the client information, indicate that this is not a guest logon @@ -1654,8 +1662,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(userName))); + try + { + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(userName)); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); + } + catch (AuthenticationException e) + { + // Invalid user or max tickets exceeded. Return a logon failure status + + throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + } // Store the full user name in the client information, indicate that this is not a guest logon 
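Review bot: The two new catch blocks in the @@ -1491 and @@ -1654 hunks convert an AuthenticationException into an NTLogonFailure without recording anything, while PassthruCifsAuthenticator in this commit logs the same condition at debug. Add `logger.debug("User invalid or max tickets exceeded", e);` before each throw so a ticket-limit lockout can be diagnosed from the log. Both enclosing methods extend beyond their hunks.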
@@ -1787,9 +1805,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName()))); - + try + { + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(client.getUserName())); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); + } + catch (AuthenticationException e) + { + // Invalid user or max tickets exceeded. Return a logon failure status + + throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + } // Store the full user name in the client information, indicate that this is not a guest logon client.setGuest( false); @@ -1900,7 +1927,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName))); + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName)); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Store the full user name in the client information, indicate that this is not a guest logon @@ -1915,7 +1943,14 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement { // Log the error - logger.error(ex); + if (ex instanceof AuthenticationException) + { + logger.debug(ex); + } + else + { + logger.error(ex); + } // Return a logon failure 
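Review bot: In the @@ -1915 hunk, `logger.debug(ex)` passes the exception as the message object, which with commons-logging (the Log type the sibling CifsAuthenticatorBase imports) records only its toString and drops the stack trace, and the `instanceof` dispatch sits inside a catch whose header is outside the hunk. Prefer `logger.debug("Logon failed: " + ex.getMessage(), ex);`, or a dedicated `catch (AuthenticationException ex)` clause ahead of the general one if the surrounding try permits it.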
@@ -2024,7 +2059,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName()))); + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName())); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Store the full user name in the client information, indicate that this is not a guest logon @@ -2038,7 +2074,14 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement { // Log the error - logger.error(ex); + if (ex instanceof AuthenticationException) + { + logger.debug(ex); + } + else + { + logger.error(ex); + } // Return a logon failure @@ -2187,8 +2230,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName))); + try + { + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName)); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); + } + catch (AuthenticationException e) + { + // Invalid user or max tickets exceeded. Return a logon failure status + + throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + } // Store the full user name in the client information, indicate that this is not a guest logon diff --git a/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java b/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java index 0006b51d8f..90de086fa5 100644 
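Review bot: The catch added in the @@ -2187 hunk throws NTLogonFailure without logging, and the @@ -2038 hunk repeats the `logger.debug(ex)` form that discards the stack trace; both diverge from the debug-with-cause logging PassthruCifsAuthenticator uses in this commit. Add `logger.debug("User invalid or max tickets exceeded", e);` before the throw and use `logger.debug(ex.getMessage(), ex)` in the logging branch. The enclosing methods continue outside these hunks.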
--- a/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java @@ -22,7 +22,6 @@ import java.util.ArrayList; import java.util.Hashtable; import java.util.List; -import org.springframework.extensions.config.ConfigElement; import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.filesys.auth.PassthruServerFactory; @@ -57,12 +56,14 @@ import org.alfresco.jlan.util.DataPacker; import org.alfresco.jlan.util.HexDump; import org.alfresco.model.ContentModel; import org.alfresco.repo.security.authentication.AuthenticationComponent; +import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.NTLMMode; import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator; import org.alfresco.repo.transaction.RetryingTransactionHelper; import org.alfresco.service.cmr.repository.NodeRef; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.springframework.extensions.config.ConfigElement; /** * Passthru Authenticator Class @@ -183,11 +184,11 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements { // Check if the client is already authenticated, and it is not a null logon - if ( alfClient.getAuthenticationToken() != null && client.getLogonType() != ClientInfo.LogonNull) + if ( alfClient.hasAuthenticationTicket() && client.getLogonType() != ClientInfo.LogonNull) { // Use the existing authentication token - getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName())); + getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null); // Debug 
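Review bot: In the @@ -183 hunk, `getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null)` is unguarded, so an expired or limit-exceeded ticket throws AuthenticationException out of the re-use path instead of being cleared and falling through to a fresh authentication, which is what AlfrescoCifsAuthenticator does for the same situation in this commit. Wrap the call as `try { ...validate(...); } catch (AuthenticationException ex) { alfClient.setAuthenticationTicket(null); }` and let the method continue, unless an enclosing catch outside the hunk already handles it.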
@@ -276,7 +277,8 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements { // Use the person name as the current user - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser(personName)); + getAuthenticationComponent().setCurrentUser(personName); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // DEBUG @@ -296,6 +298,10 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements logger.debug("Failed to find person matching user " + username); } } + catch (AuthenticationException ex) + { + logger.debug("User invalid or max tickets exceeded", ex); + } catch (Exception ex) { @@ -1018,7 +1024,7 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements // Get the authentication token and store AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken(getAuthenticationComponent().getCurrentAuthentication()); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Indicate that the client is logged on diff --git a/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java b/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java index aa93d5bc9b..aa33999603 100644 --- a/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java @@ -21,8 +21,6 @@ package org.alfresco.filesys.auth.ftp; import javax.transaction.Status; import javax.transaction.UserTransaction; -import net.sf.acegisecurity.Authentication; - import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.jlan.ftp.FTPSrvSession; import org.alfresco.jlan.server.SrvSession; 
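Review bot: The context comment `// Get the authentication token and store` above the changed line in the @@ -1018 hunk now describes the removed Acegi token while the line stores a ticket. Change it to `// Get the current authentication ticket and store it on the client`. The debug-with-cause logging added in the @@ -296 hunk is the form the other authenticators in this commit should follow.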
@@ -178,12 +176,12 @@ public class AlfrescoFtpAuthenticator extends FTPAuthenticatorBase { */ protected void doGuestLogon( AlfrescoClientInfo client, SrvSession sess) { - // Get a guest authentication token + // Get a guest authentication ticket getAuthenticationService().authenticateAsGuest(); - Authentication authToken = getAuthenticationComponent().getCurrentAuthentication(); + String ticket = getAuthenticationService().getCurrentTicket(); - client.setAuthenticationToken( authToken); + client.setAuthenticationTicket( ticket); // Mark the client as being a guest logon diff --git a/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java b/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java index 5ad81e8190..747be9f0d6 100644 --- a/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java @@ -24,9 +24,6 @@ import java.net.InetAddress; import javax.transaction.Status; import javax.transaction.UserTransaction; -import net.sf.acegisecurity.Authentication; - -import org.springframework.extensions.config.ConfigElement; import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.filesys.ExtendedServerConfigurationAccessor; import org.alfresco.filesys.alfresco.AlfrescoClientInfo; @@ -45,6 +42,7 @@ import org.alfresco.jlan.util.IPAddress; import org.alfresco.repo.security.authentication.AuthenticationComponent; import org.alfresco.repo.security.authentication.NTLMMode; import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator; +import org.springframework.extensions.config.ConfigElement; /** * Passthru FTP Authenticator Class 
@@ -331,9 +329,9 @@ public class PassthruFtpAuthenticator extends FTPAuthenticatorBase { // Get a guest authentication token getAuthenticationService().authenticateAsGuest(); - Authentication authToken = getAuthenticationComponent().getCurrentAuthentication(); + String ticket = getAuthenticationService().getCurrentTicket(); - client.setAuthenticationToken(authToken); + client.setAuthenticationTicket(ticket); // Mark the client as being a guest logon @@ -395,7 +393,8 @@ public class PassthruFtpAuthenticator extends FTPAuthenticatorBase { // Set the current user to be authenticated, save the authentication token AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken(getAuthenticationComponent().setCurrentUser(client.getUserName())); + getAuthenticationComponent().setCurrentUser(client.getUserName()); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Passwords match, grant access diff --git a/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java b/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java index f1255bedd7..f67f53feb6 100644 --- a/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java @@ -39,6 +39,7 @@ import org.alfresco.jlan.server.auth.ClientInfo; import org.alfresco.jlan.server.config.InvalidConfigurationException; import org.alfresco.jlan.server.config.ServerConfiguration; import org.alfresco.repo.security.authentication.AuthenticationComponent; +import org.alfresco.service.cmr.security.AuthenticationService; import org.alfresco.service.transaction.TransactionService; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
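Review bot: In the @@ -395 hunk, `setCurrentUser` followed by `getCurrentTicket()` has no `catch (AuthenticationException)` like the one the CIFS authenticators gain in this commit, so a ticket-limit failure here propagates as an unexpected exception rather than a clean logon refusal unless an enclosing catch outside the hunk covers it. Suggest catching it, logging at debug, and returning the authenticator's failure status as the CIFS counterparts do. The enclosing method continues beyond the hunk.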
@@ -68,6 +69,8 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB private List userMappings; private AuthenticationComponent authenticationComponent; + + private AuthenticationService authenticationService; private TransactionService transactionService; @@ -81,6 +84,11 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB this.authenticationComponent = authenticationComponent; } + public void setAuthenticationService (AuthenticationService authenticationService) + { + this.authenticationService = authenticationService; + } + public void setTransactionService(TransactionService transactionService) { this.transactionService = transactionService; 
@@ -289,28 +297,28 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB // Check if the authentication token has been set for the client - if ( alfClient.hasAuthenticationToken() == false) + if ( !alfClient.hasAuthenticationTicket() ) { // Set the current user and retrieve the authentication token getAuthenticationComponent().setCurrentUser( client.getUserName()); - alfClient.setAuthenticationToken( getAuthenticationComponent().getCurrentAuthentication()); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // DEBUG if ( logger.isDebugEnabled()) - logger.debug("Set user name=" + client.getUserName() + ", token=" + alfClient.getAuthenticationToken()); + logger.debug("Set user name=" + client.getUserName() + ", ticket=" + alfClient.getAuthenticationTicket()); } else { // Set the authentication context for the request - getAuthenticationComponent().setCurrentAuthentication( alfClient.getAuthenticationToken()); + getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null); // DEBUG if ( logger.isDebugEnabled()) - logger.debug("Set user using auth token, token=" + alfClient.getAuthenticationToken()); + logger.debug("Set user using auth ticket, ticket=" + alfClient.getAuthenticationTicket()); } } else @@ -375,6 +383,7 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB // Copy over relevant bean properties for backward compatibility setAuthenticationComponent(alfrescoConfig.getAuthenticationComponent()); + setAuthenticationService(alfrescoConfig.getAuthenticationService()); setTransactionService(alfrescoConfig.getTransactionService()); // Check for the user mappings 
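Review bot: Both debug statements in the @@ -289 hunk print the ticket value (`ticket=` + getAuthenticationTicket()), and per AlfrescoClientInfo a ticket is reusable for web access without re-authenticating, so the NFS debug log exposes bearer credentials; log only the user name. The `validate()` call in the else branch is also unguarded, so an expired ticket throws instead of being cleared and re-established as the CIFS base class now does; wrap it with `catch (AuthenticationException ex) { alfClient.setAuthenticationTicket(null); getAuthenticationComponent().clearCurrentSecurityContext(); }` or fall back to the first branch. The enclosing method extends beyond the hunk.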
@@ -524,6 +533,11 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB return this.authenticationComponent; } + protected AuthenticationService getAuthenticationService() + { + return this.authenticationService; + } + protected TransactionService getTransactionService() { return this.transactionService; diff --git a/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java b/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java index a911ecb9d0..bdaa4acd43 100644 --- a/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java +++ b/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java @@ -145,10 +145,15 @@ public class InMemoryTicketComponentImpl implements TicketComponent */ private String getTicketKey(String ticketString) { - if (ticketString.length() < GRANTED_AUTHORITY_TICKET_PREFIX.length()) + if (ticketString == null) + { + return null; + } + else if (ticketString.length() < GRANTED_AUTHORITY_TICKET_PREFIX.length()) { throw new AuthenticationException(ticketString + " is an invalid ticket format"); } + String key = ticketString.substring(GRANTED_AUTHORITY_TICKET_PREFIX.length()); return key; }
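Review bot: Returning null from getTicketKey for a null ticket string in the @@ -145 hunk moves the decision to every caller: whatever lookup follows sees a null key and must itself treat that as an invalid ticket, which is weaker than the existing fail-closed behaviour of throwing for a malformed string. Unless a caller outside the hunk deliberately relies on a null key (for example invalidating when no ticket is set), prefer `throw new AuthenticationException("null ticket is not valid");`. The callers of this private method are not visible here.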