From a289049b41d0eac41edda8a309df874ba95cc60b Mon Sep 17 00:00:00 2001 
From: Dave Ward Date: Tue, 27 Apr 2010 14:14:48 +0000 Subject: [PATCH] Merged V2.2 to HEAD 19977: (RECORD ONLY) Merged PATCHES/V2.2.7 to V2.2 19778: (RECORD ONLY) Incremented version label 19976: Merged PATCHES/V2.2.7 to V2.2 19776: ALF-2011: Audit doesn't take into account CIFS authentication - Now that we've backported the ticket granting auditing, converted the Alfresco CIFS authenticators to use ticket-based authentication, rather than directly manipulating ACEGI - Needs thorough testing with password, NTLM, Passthru and Kerberos 19891: ALF-2011: Audit doesn't take into account CIFS authentication Since each child of the CifsAuthenticator is not a Spring configured bean it has no Transaction interceptor. The Transaction wrapping functionality was added into the CifsAuthenticator.setCurrentUser() to fix a Transaction Synchronization issue after successful authentication of the user. Several little corrections added into the InMemoryTicketComponentImpl to allow "Null user". "Missing ticket for null" exceptions will be thrown instead of the NullPointerException 19903: ALF-2011: Minor cleanup/formatting only 19975: (RECORD ONLY) Merged PATCHES/V2.2.7 to V2.2 19769: ALF-2011: Backported dependencies ALF-2360: Merged V3.1 to PATCHES/V2.2.7 17314: ETHREEOH-3158: Fix RepoServerMgmt to work with external authentication methods - AuthenticationService.getCurrentTicket / getNewTicket now call pre authentication check before issuing a new ticket, thus still allowing ticket enforcement when external authentication is in use. ALF-2361: Merged V3.2 to PATCHES/V2.2.7 17456: Fix for: ETHREEOH-1465: It's impossible to get the login history for a given user (Audit) - all authentication routes (SSO and password) can now audit getting a new ticket for a session. SSO does not authenticate via the alfresco AuthenticationService API - you can now use auditing to track new sessions for users. 
19834: (RECORD ONLY) Increment version (from 2.2.7 to 2.2.8) 19833: (RECORD ONLY) Merged PATCHES/V2.2.7 to BRANCHES/V2.2: 19832: Merged BRANCHES/V3.1 to PATCHES/V2.2.7: 17255: Fixed ETHREEOH-3180: Error appears when trying to search resources on Manage Task page 19578: (RECORD ONLY) Merged V3.0 to V2.2 19574: Merged V3.1 to V3.0 19573: Merged V3.2 to V3.1 19539: Merged HEAD to V3.2 19538: Build fix - fix build speed git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@20011 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../default/file-servers-context.xml | 20 ++-- .../filesys/alfresco/AlfrescoClientInfo.java | 36 ------ .../auth/cifs/AlfrescoCifsAuthenticator.java | 59 +++++---- .../auth/cifs/CifsAuthenticatorBase.java | 112 +++++++++++------- .../cifs/EnterpriseCifsAuthenticator.java | 91 +++++++++++--- .../auth/cifs/PassthruCifsAuthenticator.java | 16 ++- .../auth/ftp/AlfrescoFtpAuthenticator.java | 8 +- .../auth/ftp/PassthruFtpAuthenticator.java | 11 +- .../auth/nfs/AlfrescoRpcAuthenticator.java | 24 +++- .../InMemoryTicketComponentImpl.java | 7 +- 10 files changed, 237 insertions(+), 147 deletions(-) diff --git a/config/alfresco/subsystems/fileServers/default/file-servers-context.xml b/config/alfresco/subsystems/fileServers/default/file-servers-context.xml index 7f327c9828..f344bce6de 100644 --- a/config/alfresco/subsystems/fileServers/default/file-servers-context.xml +++ b/config/alfresco/subsystems/fileServers/default/file-servers-context.xml @@ -276,14 +276,18 @@ - - - - - - - - + + + + + + + + + + + + diff --git a/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java b/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java index 6badc4119e..e662d235e0 100644 --- a/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java +++ b/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java 
@@ -1,7 +1,5 @@ package org.alfresco.filesys.alfresco; -import net.sf.acegisecurity.Authentication; - import org.alfresco.jlan.server.auth.ClientInfo; import org.alfresco.service.cmr.repository.NodeRef; @@ -31,10 +29,6 @@ import org.alfresco.service.cmr.repository.NodeRef; */ public class AlfrescoClientInfo extends ClientInfo { - // Authentication token - - private Authentication m_authToken; - // Authentication ticket, used for web access without having to re-authenticate private String m_authTicket; @@ -62,26 +56,6 @@ public class AlfrescoClientInfo extends ClientInfo { super(user, pwd); } - /** - * Check if the client has an authentication token - * - * @return boolean - */ - public final boolean hasAuthenticationToken() - { - return m_authToken != null ? true : false; - } - - /** - * Return the authentication token - * - * @return Authentication - */ - public final Authentication getAuthenticationToken() - { - return m_authToken; - } - /** * Check if the client has an authentication ticket * @@ -122,16 +96,6 @@ public class AlfrescoClientInfo extends ClientInfo { return m_homeNode; } - /** - * Set the authentication toekn - * - * @param token Authentication - */ - public final void setAuthenticationToken(Authentication token) - { - m_authToken = token; - } - /** * Set the authentication ticket * diff --git a/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java b/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java index 8a1377778d..f6cffc57b9 100644 --- a/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java @@ -20,8 +20,6 @@ package org.alfresco.filesys.auth.cifs; import java.security.NoSuchAlgorithmException; -import net.sf.acegisecurity.Authentication; - import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.jlan.server.SrvSession; import org.alfresco.jlan.server.auth.AuthContext; 
@@ -31,6 +29,7 @@ import org.alfresco.jlan.server.auth.NTLanManAuthContext; import org.alfresco.jlan.server.core.SharedDevice; import org.alfresco.jlan.smb.server.SMBSrvSession; import org.alfresco.jlan.util.HexDump; +import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.NTLMMode; import org.alfresco.repo.security.authentication.ntlm.NTLMPassthruToken; import org.alfresco.repo.transaction.RetryingTransactionHelper; @@ -111,20 +110,28 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase // Check if the client is already authenticated, and it is not a null logon - if ( alfClient.getAuthenticationToken() != null && client.getLogonType() != ClientInfo.LogonNull) + try { - // Use the existing authentication token - - getAuthenticationComponent().setCurrentUser(client.getUserName()); - - // Debug - - if ( logger.isDebugEnabled()) - logger.debug("Re-using existing authentication token"); - - // Return the authentication status - - return client.getLogonType() != ClientInfo.LogonGuest ? AUTH_ALLOW : AUTH_GUEST; + if ( alfClient.hasAuthenticationTicket() && client.getLogonType() != ClientInfo.LogonNull) + { + // Use the existing authentication token + + getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null); + + // Debug + + if ( logger.isDebugEnabled()) + logger.debug("Re-using existing authentication token"); + + // Return the authentication status + + return client.getLogonType() != ClientInfo.LogonGuest ? AUTH_ALLOW : AUTH_GUEST; + } + } + catch (AuthenticationException ex) + { + // Ticket no longer valid or maximum tickets exceeded + alfClient.setAuthenticationTicket(null); } // Check if this is a guest logon 
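Review bot: The catch at the end of the `@@ -111` hunk drops the stale ticket (`alfClient.setAuthenticationTicket(null);`) but, unlike the equivalent catch this commit adds to CifsAuthenticatorBase.setCurrentUser, does not clear the security context, and the rejection is never logged even though the commit's purpose is to make session authentication auditable. If validate() can leave a partially established context behind when it throws, the credential checks that follow would run under it; I would add `getAuthenticationComponent().clearCurrentSecurityContext();` next to the null assignment and `logger.debug("Cached ticket rejected for " + client.getUserName() + ", re-authenticating", ex);`. The enclosing method continues outside the hunk.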
@@ -379,7 +386,8 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase // Set the current user to be authenticated, save the authentication token AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser(client.getUserName())); + getAuthenticationComponent().setCurrentUser(client.getUserName()); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Get the users home folder node, if available @@ -393,6 +401,10 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase return ICifsAuthenticator.AUTH_ALLOW; } + catch (AuthenticationException ex) + { + // Ticket no longer valid or maximum tickets exceeded + } catch (NoSuchAlgorithmException ex) { } @@ -461,13 +473,14 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase // Authenticate the user - Authentication genAuthToken = null; + String ticket = null; try { // Run the second stage of the passthru authentication - genAuthToken = getNTLMAuthenticator().authenticate( authToken); + getNTLMAuthenticator().authenticate( authToken); + ticket = getAuthenticationService().getCurrentTicket(); // Check if the user has been logged on as a guest @@ -500,10 +513,10 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase client.setLogonType( ClientInfo.LogonNormal); } - // Set the current user to be authenticated, save the authentication token + // Set the current user to be authenticated, save the authentication ticket AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( genAuthToken); + alfClient.setAuthenticationTicket(ticket); // Get the users home folder node, if available 
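Review bot: In the `@@ -379` hunk `getAuthenticationComponent().setCurrentUser(client.getUserName());` establishes the user's security context before `getAuthenticationService().getCurrentTicket()` is called, and per the commit message getCurrentTicket now runs the pre-authentication check and can throw AuthenticationException; the catch added in the `@@ -393` hunk is empty, so the logon is reported as failed while the thread still carries that user's context unless something outside the hunk resets it. I would give the catch a body: `getAuthenticationComponent().clearCurrentSecurityContext();` plus `logger.debug("Ticket not issued for " + client.getUserName(), ex);`. The same set-then-ticket ordering with a catch that does not reset the context appears in the `@@ -461`/`@@ -512` hunks of this file and in the EnterpriseCifsAuthenticator and PassthruCifsAuthenticator hunks of this commit.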
@@ -512,7 +525,11 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase // DEBUG if ( logger.isDebugEnabled()) - logger.debug("Auth token " + genAuthToken); + logger.debug("Auth ticket " + ticket); + } + catch (AuthenticationException ex) + { + // Ticket no longer valid or maximum tickets exceeded } catch ( Exception ex) { diff --git a/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java b/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java index 9e3170b1fd..05c9f7d88f 100644 --- a/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java +++ b/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java @@ -18,9 +18,6 @@ */ package org.alfresco.filesys.auth.cifs; -import net.sf.acegisecurity.Authentication; - -import org.springframework.extensions.config.ConfigElement; import org.alfresco.filesys.AlfrescoConfigSection; import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.filesys.repo.ContentContext; @@ -37,6 +34,8 @@ import org.alfresco.jlan.server.filesys.SrvDiskInfo; import org.alfresco.model.ContentModel; import org.alfresco.repo.management.subsystems.ActivateableBean; import org.alfresco.repo.security.authentication.AuthenticationComponent; +import org.alfresco.repo.security.authentication.AuthenticationException; +import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.MD4PasswordEncoder; import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl; import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator; @@ -51,6 +50,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.beans.factory.DisposableBean; import org.springframework.beans.factory.InitializingBean; +import org.springframework.extensions.config.ConfigElement; /** * CIFS Authenticator Base Class 
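Review bot: `logger.debug("Auth ticket " + ticket);` writes the freshly issued ticket into the log; elsewhere in this commit that ticket alone is enough for `validate(ticket, null)` to re-establish the session, so it is a bearer credential and debug logs are routinely shared in support bundles. Log presence rather than value, e.g. `logger.debug("Auth ticket " + (ticket != null ? "issued" : "not issued"));`. The two debug lines in the AlfrescoRpcAuthenticator hunk (`", ticket=" + alfClient.getAuthenticationTicket()`) have the same problem. The new `catch (AuthenticationException ex)` here has only a comment; a debug log with the user name would distinguish a max-tickets rejection from an NTLM failure.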
@@ -309,9 +309,9 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements // Get a guest authentication token getAuthenticationService().authenticateAsGuest(); - Authentication authToken = getAuthenticationComponent().getCurrentAuthentication(); + String ticket = getAuthenticationService().getCurrentTicket(); - alfClient.setAuthenticationToken( authToken); + alfClient.setAuthenticationTicket(ticket); // Set the home folder for the guest user @@ -374,27 +374,34 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements */ protected final String mapUserNameToPerson(final String userName) { - return doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback() + // Do the lookup as the system user + return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork() { - - public String execute() throws Throwable + public String doWork() throws Exception { - // Get the home folder for the user - - String personName = getPersonService().getUserIdentifier(userName); - - // Check if the person exists - - if (personName == null) + return doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback() { - // Force creation of a person if possible - getPersonService().getPerson(userName); - personName = getPersonService().getUserIdentifier(userName); - return personName == null ? userName : personName; - } - return personName; + + public String execute() throws Throwable + { + // Get the home folder for the user + + String personName = getPersonService().getUserIdentifier(userName); + + // Check if the person exists + + if (personName == null) + { + // Force creation of a person if possible + getPersonService().getPerson(userName); + personName = getPersonService().getUserIdentifier(userName); + return personName == null ? userName : personName; + } + return personName; + } + }); } - }); + }, AuthenticationUtil.getSystemUserName()); } /** 
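Review bot: mapUserNameToPerson now runs as the system user (`AuthenticationUtil.runAs(..., AuthenticationUtil.getSystemUserName())`), so the existing "Force creation of a person if possible" branch will create a person node for whatever name is passed in irrespective of who the caller is; that is fine once credentials have been verified but makes the method unsafe to call on an unverified user name. The method's Javadoc starts outside the hunk; I would add to it: `Runs as the system user and may create a person node for an unknown user name; call only after the user's credentials have been verified.` The transaction callback nested inside the runAs work is hard to read; if the order of the two wrappers is not significant, a single level of nesting would be clearer.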
@@ -403,29 +410,52 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements * @param client * ClientInfo */ - public void setCurrentUser(ClientInfo client) { + public void setCurrentUser(final ClientInfo client) { // Check the account type and setup the authentication context - if (client == null || client.isNullSession()) + doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback() { - // Clear the authentication, null user should not be allowed to do any service calls - - getAuthenticationComponent().clearCurrentSecurityContext(); - } - else if (client.isGuest() == false && client instanceof AlfrescoClientInfo) - { - // Set the authentication context for the request - - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - getAuthenticationComponent().setCurrentAuthentication(alfClient.getAuthenticationToken()); - } - else - { - // Enable guest access for the request - - getAuthenticationComponent().setGuestUserAsCurrentUser(); - } + public Object execute() throws Throwable + { + if (client == null || client.isNullSession()) + { + // Clear the authentication, null user should not be allowed to do any service calls + + getAuthenticationComponent().clearCurrentSecurityContext(); + } + else if (client.isGuest() == false && client instanceof AlfrescoClientInfo) + { + // Set the authentication context for the request + + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + if (alfClient.hasAuthenticationTicket()) + { + try + { + getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null); + } + catch (AuthenticationException e) + { + // Ticket no longer valid or maximum tickets exceeded + alfClient.setAuthenticationTicket(null); + getAuthenticationComponent().clearCurrentSecurityContext(); + } + } + else + { + getAuthenticationComponent().clearCurrentSecurityContext(); + } + } + else + { + // Enable guest access for the request + + getAuthenticationComponent().setGuestUserAsCurrentUser(); 
+ } + return null; + } + }); } /** diff --git a/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java b/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java index eab0353ea7..3e99340bc7 100644 --- a/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java @@ -36,7 +36,6 @@ import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import javax.security.sasl.RealmCallback; -import org.springframework.extensions.config.ConfigElement; import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.jlan.debug.Debug; @@ -70,10 +69,12 @@ import org.alfresco.jlan.smb.server.SMBSrvSession; import org.alfresco.jlan.smb.server.VirtualCircuit; import org.alfresco.jlan.util.DataPacker; import org.alfresco.jlan.util.HexDump; +import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.NTLMMode; import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator; import org.alfresco.repo.transaction.RetryingTransactionHelper; import org.ietf.jgss.Oid; +import org.springframework.extensions.config.ConfigElement; /** * Enterprise CIFS Authenticator Class 
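Review bot: In the new callback the non-guest branch only covers clients that are `AlfrescoClientInfo` instances; any other non-guest ClientInfo falls through to the final else and is given guest access via `setGuestUserAsCurrentUser()`. That fall-through is inherited from the old code, but it is now the one path that grants access without any ticket check, so if such clients can reach this method an explicit `else if (client.isGuest())` for the guest case and a final else that calls `getAuthenticationComponent().clearCurrentSecurityContext();` would be the safer default. The ticket-rejection catch inside the AlfrescoClientInfo branch clears the context correctly but reports nothing; a debug log there would match the audit intent of the commit.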
@@ -1491,14 +1492,21 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement } else { - // Use the system user to do the user name lookup - - getAuthenticationComponent().setSystemUserAsCurrentUser(); - // Set the current user to be authenticated, save the authentication token - - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(krbDetails.getUserName()))); + + try + { + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(krbDetails.getUserName())); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket() ); + } + catch (AuthenticationException e) + { + // Invalid user or max tickets exceeded. Return a logon failure status + + throw new SMBSrvException( SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + + } // Store the full user name in the client information, indicate that this is not a guest logon @@ -1654,8 +1662,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(userName))); + try + { + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(userName)); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); + } + catch (AuthenticationException e) + { + // Invalid user or max tickets exceeded. Return a logon failure status + + throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + } // Store the full user name in the client information, indicate that this is not a guest logon 
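Review bot: The new `catch (AuthenticationException e)` blocks in the `@@ -1491` and `@@ -1654` hunks discard `e` entirely and convert it to a generic NTLogonFailure, so an administrator cannot tell a max-tickets rejection from an unknown user. Returning the generic status to the client is right, but the cause should reach the log, e.g. `logger.debug("Logon rejected for " + krbDetails.getUserName(), e);` before the throw (with `userName` in the second hunk). The same applies to the catches added in the `@@ -1787` and `@@ -2187` hunks.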
@@ -1787,9 +1805,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName()))); - + try + { + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(client.getUserName())); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); + } + catch (AuthenticationException e) + { + // Invalid user or max tickets exceeded. Return a logon failure status + + throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + } // Store the full user name in the client information, indicate that this is not a guest logon client.setGuest( false); @@ -1900,7 +1927,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName))); + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName)); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Store the full user name in the client information, indicate that this is not a guest logon @@ -1915,7 +1943,14 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement { // Log the error - logger.error(ex); + if (ex instanceof AuthenticationException) + { + logger.debug(ex); + } + else + { + logger.error(ex); + } // Return a logon failure 
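Review bot: `if (ex instanceof AuthenticationException) { logger.debug(ex); } else { logger.error(ex); }` in the `@@ -1915` hunk tests the type inside what appears to be a broad catch; a dedicated `catch (AuthenticationException ex)` clause placed before the general one expresses the same intent without the instanceof test and lets the two cases carry different messages. The same construct appears in the `@@ -2038` hunk. The enclosing catch and method lie outside the hunk.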
@@ -2024,7 +2059,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName()))); + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName())); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Store the full user name in the client information, indicate that this is not a guest logon @@ -2038,7 +2074,14 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement { // Log the error - logger.error(ex); + if (ex instanceof AuthenticationException) + { + logger.debug(ex); + } + else + { + logger.error(ex); + } // Return a logon failure @@ -2187,8 +2230,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement // Setup the Acegi authenticated user - AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName))); + try + { + AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; + getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName)); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); + } + catch (AuthenticationException e) + { + // Invalid user or max tickets exceeded. Return a logon failure status + + throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied); + } // Store the full user name in the client information, indicate that this is not a guest logon diff --git a/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java b/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java index 0006b51d8f..90de086fa5 100644 
--- a/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java @@ -22,7 +22,6 @@ import java.util.ArrayList; import java.util.Hashtable; import java.util.List; -import org.springframework.extensions.config.ConfigElement; import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.filesys.auth.PassthruServerFactory; @@ -57,12 +56,14 @@ import org.alfresco.jlan.util.DataPacker; import org.alfresco.jlan.util.HexDump; import org.alfresco.model.ContentModel; import org.alfresco.repo.security.authentication.AuthenticationComponent; +import org.alfresco.repo.security.authentication.AuthenticationException; import org.alfresco.repo.security.authentication.NTLMMode; import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator; import org.alfresco.repo.transaction.RetryingTransactionHelper; import org.alfresco.service.cmr.repository.NodeRef; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.springframework.extensions.config.ConfigElement; /** * Passthru Authenticator Class @@ -183,11 +184,11 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements { // Check if the client is already authenticated, and it is not a null logon - if ( alfClient.getAuthenticationToken() != null && client.getLogonType() != ClientInfo.LogonNull) + if ( alfClient.hasAuthenticationTicket() && client.getLogonType() != ClientInfo.LogonNull) { // Use the existing authentication token - getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName())); + getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null); // Debug 
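Review bot: `getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null);` in the `@@ -183` hunk is not guarded the way the equivalent reuse branch in AlfrescoCifsAuthenticator is in this commit: an expired or evicted ticket raises AuthenticationException, which propagates out of the authenticator unless a catch outside the hunk handles it, and the stale ticket is never dropped from the client info, so every later request repeats the failure. I would wrap it in `try { ... } catch (AuthenticationException ex) { alfClient.setAuthenticationTicket(null); }` and fall through to the credential check that follows. The enclosing method continues outside the hunk.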
@@ -276,7 +277,8 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements { // Use the person name as the current user - alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser(personName)); + getAuthenticationComponent().setCurrentUser(personName); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // DEBUG @@ -296,6 +298,10 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements logger.debug("Failed to find person matching user " + username); } } + catch (AuthenticationException ex) + { + logger.debug("User invalid or max tickets exceeded", ex); + } catch (Exception ex) { @@ -1018,7 +1024,7 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements // Get the authentication token and store AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken(getAuthenticationComponent().getCurrentAuthentication()); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Indicate that the client is logged on diff --git a/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java b/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java index aa93d5bc9b..aa33999603 100644 --- a/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java @@ -21,8 +21,6 @@ package org.alfresco.filesys.auth.ftp; import javax.transaction.Status; import javax.transaction.UserTransaction; -import net.sf.acegisecurity.Authentication; - import org.alfresco.filesys.alfresco.AlfrescoClientInfo; import org.alfresco.jlan.ftp.FTPSrvSession; import org.alfresco.jlan.server.SrvSession; 
@@ -178,12 +176,12 @@ public class AlfrescoFtpAuthenticator extends FTPAuthenticatorBase { */ protected void doGuestLogon( AlfrescoClientInfo client, SrvSession sess) { - // Get a guest authentication token + // Get a guest authentication ticket getAuthenticationService().authenticateAsGuest(); - Authentication authToken = getAuthenticationComponent().getCurrentAuthentication(); + String ticket = getAuthenticationService().getCurrentTicket(); - client.setAuthenticationToken( authToken); + client.setAuthenticationTicket( ticket); // Mark the client as being a guest logon diff --git a/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java b/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java index 5ad81e8190..747be9f0d6 100644 --- a/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java @@ -24,9 +24,6 @@ import java.net.InetAddress; import javax.transaction.Status; import javax.transaction.UserTransaction; -import net.sf.acegisecurity.Authentication; - -import org.springframework.extensions.config.ConfigElement; import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.filesys.ExtendedServerConfigurationAccessor; import org.alfresco.filesys.alfresco.AlfrescoClientInfo; @@ -45,6 +42,7 @@ import org.alfresco.jlan.util.IPAddress; import org.alfresco.repo.security.authentication.AuthenticationComponent; import org.alfresco.repo.security.authentication.NTLMMode; import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator; +import org.springframework.extensions.config.ConfigElement; /** * Passthru FTP Authenticator Class 
@@ -331,9 +329,9 @@ public class PassthruFtpAuthenticator extends FTPAuthenticatorBase { // Get a guest authentication token getAuthenticationService().authenticateAsGuest(); - Authentication authToken = getAuthenticationComponent().getCurrentAuthentication(); + String ticket = getAuthenticationService().getCurrentTicket(); - client.setAuthenticationToken(authToken); + client.setAuthenticationTicket(ticket); // Mark the client as being a guest logon @@ -395,7 +393,8 @@ public class PassthruFtpAuthenticator extends FTPAuthenticatorBase { // Set the current user to be authenticated, save the authentication token AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client; - alfClient.setAuthenticationToken(getAuthenticationComponent().setCurrentUser(client.getUserName())); + getAuthenticationComponent().setCurrentUser(client.getUserName()); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // Passwords match, grant access diff --git a/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java b/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java index f1255bedd7..f67f53feb6 100644 --- a/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java +++ b/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java @@ -39,6 +39,7 @@ import org.alfresco.jlan.server.auth.ClientInfo; import org.alfresco.jlan.server.config.InvalidConfigurationException; import org.alfresco.jlan.server.config.ServerConfiguration; import org.alfresco.repo.security.authentication.AuthenticationComponent; +import org.alfresco.service.cmr.security.AuthenticationService; import org.alfresco.service.transaction.TransactionService; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
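Review bot: In the `@@ -395` hunk `getAuthenticationService().getCurrentTicket()` is called right after `setCurrentUser(client.getUserName())` with no AuthenticationException handling visible; per the commit message getCurrentTicket now runs the pre-authentication check and can reject the user, and this is the only authenticator in the commit whose ticket save gets no catch at all. If the enclosing FTP method, which lies outside the hunk, does not catch it, the exception escapes with the user's context still set; a `catch (AuthenticationException ex)` that clears the context and returns a logon failure would match the CIFS authenticators.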
@@ -68,6 +69,8 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB
 private List userMappings;
 private AuthenticationComponent authenticationComponent;
+
+ private AuthenticationService authenticationService;
 private TransactionService transactionService;
@@ -81,6 +84,11 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB
 this.authenticationComponent = authenticationComponent;
 }
+ public void setAuthenticationService (AuthenticationService authenticationService)
+ {
+ this.authenticationService = authenticationService;
+ }
+
 public void setTransactionService(TransactionService transactionService)
 {
 this.transactionService = transactionService;
@@ -289,28 +297,28 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB // Check if the authentication token has been set for the client - if ( alfClient.hasAuthenticationToken() == false) + if ( !alfClient.hasAuthenticationTicket() ) { // Set the current user and retrieve the authentication token getAuthenticationComponent().setCurrentUser( client.getUserName()); - alfClient.setAuthenticationToken( getAuthenticationComponent().getCurrentAuthentication()); + alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket()); // DEBUG if ( logger.isDebugEnabled()) - logger.debug("Set user name=" + client.getUserName() + ", token=" + alfClient.getAuthenticationToken()); + logger.debug("Set user name=" + client.getUserName() + ", ticket=" + alfClient.getAuthenticationTicket()); } else { // Set the authentication context for the request - getAuthenticationComponent().setCurrentAuthentication( alfClient.getAuthenticationToken()); + getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null); // DEBUG if ( logger.isDebugEnabled()) - logger.debug("Set user using auth token, token=" + alfClient.getAuthenticationToken()); + logger.debug("Set user using auth ticket, ticket=" + alfClient.getAuthenticationTicket()); } } else @@ -375,6 +383,7 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB // Copy over relevant bean properties for backward compatibility setAuthenticationComponent(alfrescoConfig.getAuthenticationComponent()); + setAuthenticationService(alfrescoConfig.getAuthenticationService()); setTransactionService(alfrescoConfig.getTransactionService()); // Check for the user mappings 
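Review bot: `getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null);` in the else branch has no AuthenticationException handling visible in the hunk, and in the if branch `getCurrentTicket()` can throw after `setCurrentUser(client.getUserName())` has already set the context; in both cases the stale ticket stays on the client and the failure is neither cleared nor logged. I would wrap both branches in a `catch (AuthenticationException ex)` that calls `alfClient.setAuthenticationTicket(null);` and `getAuthenticationComponent().clearCurrentSecurityContext();`. The enclosing method continues outside the hunk.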
@@ -524,6 +533,11 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB
 return this.authenticationComponent;
 }
+ protected AuthenticationService getAuthenticationService()
+ {
+ return this.authenticationService;
+ }
+
 protected TransactionService getTransactionService()
 {
 return this.transactionService;
diff --git a/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java b/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java
index a911ecb9d0..bdaa4acd43 100644
--- a/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java
@@ -145,10 +145,15 @@ public class InMemoryTicketComponentImpl implements TicketComponent
 */
 private String getTicketKey(String ticketString)
 {
- if (ticketString.length() < GRANTED_AUTHORITY_TICKET_PREFIX.length())
+ if (ticketString == null)
+ {
+ return null;
+ }
+ else if (ticketString.length() < GRANTED_AUTHORITY_TICKET_PREFIX.length())
 {
 throw new AuthenticationException(ticketString + " is an invalid ticket format");
 }
+
 String key = ticketString.substring(GRANTED_AUTHORITY_TICKET_PREFIX.length());
 return key;
 }
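Review bot: getTicketKey now returns null for a null ticketString instead of failing, which moves the error to the caller (the commit message says a "Missing ticket for null" AuthenticationException results from the later lookup); that contract belongs in the method's Javadoc, whose start lies outside the hunk: `@return the cache key, or null when ticketString is null`. The temporary is also unnecessary: `return ticketString.substring(GRANTED_AUTHORITY_TICKET_PREFIX.length());`.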