Merged V2.2 to HEAD

19977: (RECORD ONLY) Merged PATCHES/V2.2.7 to V2.2 19778: (RECORD ONLY) Incremented version label 19976: Merged PATCHES/V2.2.7 to V2.2 19776: ALF-2011: Audit doesn't take into account CIFS authentication - Now that we've backported the ticket granting auditing, converted the Alfresco CIFS authenticators to use ticket-based authentication, rather than directly manipulating ACEGI - Needs thorough testing with password, NTLM, Passthru and Kerberos 19891: ALF-2011: Audit doesn't take into account CIFS authentication Since each child of the CifsAuthenticator is not a Spring configured bean it has no Transaction interceptor. The Transaction wrapping functionality was added into the CifsAuthenticator.setCurrentUser() to fix a Transaction Synchronization issue after successful authentication of the user. Several little corrections added into the InMemoryTicketComponentImpl to allow "Null user". "Missing ticket for null" exceptions will be thrown instead of the NullPointerException 19903: ALF-2011: Minor cleanup/formatting only 19975: (RECORD ONLY) Merged PATCHES/V2.2.7 to V2.2 19769: ALF-2011: Backported dependencies ALF-2360: Merged V3.1 to PATCHES/V2.2.7 17314: ETHREEOH-3158: Fix RepoServerMgmt to work with external authentication methods - AuthenticationService.getCurrentTicket / getNewTicket now call pre authentication check before issuing a new ticket, thus still allowing ticket enforcement when external authentication is in use. ALF-2361: Merged V3.2 to PATCHES/V2.2.7 17456: Fix for: ETHREEOH-1465: It's impossible to get the login history for a given user (Audit) - all authentication routes (SSO and password) can now audit getting a new ticket for a session. SSO does not authenticate via the alfresco AuthenticationService API - you can now use auditing to track new sessions for users. 19834: (RECORD ONLY) Increment version (from 2.2.7 to 2.2.8) 19833: (RECORD ONLY) Merged PATCHES/V2.2.7 to BRANCHES/V2.2: 19832: Merged BRANCHES/V3.1 to PATCHES/V2.2.7: 17255: Fixed ETHREEOH-3180: Error appears when trying to search resources on Manage Task page 19578: (RECORD ONLY) Merged V3.0 to V2.2 19574: Merged V3.1 to V3.0 19573: Merged V3.2 to V3.1 19539: Merged HEAD to V3.2 19538: Build fix - fix build speed git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@20011 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2010-04-27 14:14:48 +00:00
parent 7aba799ed8
commit a289049b41
10 changed files with 237 additions and 147 deletions
--- a/config/alfresco/subsystems/fileServers/default/file-servers-context.xml
+++ b/config/alfresco/subsystems/fileServers/default/file-servers-context.xml
@@ -278,11 +278,15 @@
            </property>
            <property name="transactionService">
-				<ref bean="transactionService"/>
+               <ref bean="transactionService" />
            </property>
            <property name="authenticationComponent">
-				<ref bean="authenticationComponent"/>
+               <ref bean="authenticationComponent" />
            </property>
            <property name="authenticationService">
               <ref bean="authenticationService" />
            </property>
         </bean>
      </property>
--- a/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java
+++ b/source/java/org/alfresco/filesys/alfresco/AlfrescoClientInfo.java
@@ -1,7 +1,5 @@
 package org.alfresco.filesys.alfresco;
 import net.sf.acegisecurity.Authentication;
 import org.alfresco.jlan.server.auth.ClientInfo;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -31,10 +29,6 @@ import org.alfresco.service.cmr.repository.NodeRef;
 */
 public class AlfrescoClientInfo extends ClientInfo {
  // Authentication token
  private Authentication m_authToken;
  // Authentication ticket, used for web access without having to re-authenticate
  private String m_authTicket;
@@ -62,26 +56,6 @@ public class AlfrescoClientInfo extends ClientInfo {
    super(user, pwd);
  }
  /**
   * Check if the client has an authentication token
   * 
   * @return boolean
   */
  public final boolean hasAuthenticationToken()
  {
      return m_authToken != null ? true : false;
  }
  /**
   * Return the authentication token
   * 
   * @return Authentication
   */
  public final Authentication getAuthenticationToken()
  {
      return m_authToken;
  }
  /**
   * Check if the client has an authentication ticket
   * 
@@ -122,16 +96,6 @@ public class AlfrescoClientInfo extends ClientInfo {
      return m_homeNode;
  }
  /**
   * Set the authentication toekn
   * 
   * @param token Authentication
   */
  public final void setAuthenticationToken(Authentication token)
  {
      m_authToken = token;
  }
  /**
   * Set the authentication ticket
   * 
--- a/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java
+++ b/source/java/org/alfresco/filesys/auth/cifs/AlfrescoCifsAuthenticator.java
@@ -20,8 +20,6 @@ package org.alfresco.filesys.auth.cifs;
 import java.security.NoSuchAlgorithmException;
 import net.sf.acegisecurity.Authentication;
 import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
 import org.alfresco.jlan.server.SrvSession;
 import org.alfresco.jlan.server.auth.AuthContext;
@@ -31,6 +29,7 @@ import org.alfresco.jlan.server.auth.NTLanManAuthContext;
 import org.alfresco.jlan.server.core.SharedDevice;
 import org.alfresco.jlan.smb.server.SMBSrvSession;
 import org.alfresco.jlan.util.HexDump;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.NTLMMode;
 import org.alfresco.repo.security.authentication.ntlm.NTLMPassthruToken;
 import org.alfresco.repo.transaction.RetryingTransactionHelper;
@@ -111,11 +110,13 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase
        // Check if the client is already authenticated, and it is not a null logon
-        if ( alfClient.getAuthenticationToken() != null && client.getLogonType() != ClientInfo.LogonNull)
+        try
        {
            if ( alfClient.hasAuthenticationTicket() && client.getLogonType() != ClientInfo.LogonNull)
            {
                // Use the existing authentication token
-            getAuthenticationComponent().setCurrentUser(client.getUserName());
+                getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null);
                // Debug
@@ -126,6 +127,12 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase
                return client.getLogonType() != ClientInfo.LogonGuest ? AUTH_ALLOW : AUTH_GUEST; 
            }
        }
        catch (AuthenticationException ex)
        {
            // Ticket no longer valid or maximum tickets exceeded
            alfClient.setAuthenticationTicket(null);
        }
        // Check if this is a guest logon
@@ -379,7 +386,8 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase
                // Set the current user to be authenticated, save the authentication token
                AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser(client.getUserName()));
+                getAuthenticationComponent().setCurrentUser(client.getUserName());
                alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                // Get the users home folder node, if available
@@ -393,6 +401,10 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase
                return ICifsAuthenticator.AUTH_ALLOW;
            }
            catch (AuthenticationException ex)
            {
                // Ticket no longer valid or maximum tickets exceeded
            }
            catch (NoSuchAlgorithmException ex)
            {
            }
@@ -461,13 +473,14 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase
        // Authenticate the user
-        Authentication genAuthToken = null;
+        String ticket = null;
        try
        {
            // Run the second stage of the passthru authentication
-            genAuthToken = getNTLMAuthenticator().authenticate( authToken);
+            getNTLMAuthenticator().authenticate( authToken);
            ticket = getAuthenticationService().getCurrentTicket();
            // Check if the user has been logged on as a guest
@@ -500,10 +513,10 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase
                client.setLogonType( ClientInfo.LogonNormal);
            }
-            // Set the current user to be authenticated, save the authentication token
+            // Set the current user to be authenticated, save the authentication ticket
            AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-            alfClient.setAuthenticationToken( genAuthToken);
+            alfClient.setAuthenticationTicket(ticket);
            // Get the users home folder node, if available
@@ -512,7 +525,11 @@ public class AlfrescoCifsAuthenticator extends CifsAuthenticatorBase
            // DEBUG
            if ( logger.isDebugEnabled())
-                logger.debug("Auth token " + genAuthToken);
+                logger.debug("Auth ticket " + ticket);
        }
        catch (AuthenticationException ex)
        {
            // Ticket no longer valid or maximum tickets exceeded
        }
        catch ( Exception ex)
        {
--- a/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java
+++ b/source/java/org/alfresco/filesys/auth/cifs/CifsAuthenticatorBase.java
@@ -18,9 +18,6 @@
 */
 package org.alfresco.filesys.auth.cifs;
 import net.sf.acegisecurity.Authentication;
 import org.springframework.extensions.config.ConfigElement;
 import org.alfresco.filesys.AlfrescoConfigSection;
 import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
 import org.alfresco.filesys.repo.ContentContext;
@@ -37,6 +34,8 @@ import org.alfresco.jlan.server.filesys.SrvDiskInfo;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.management.subsystems.ActivateableBean;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.MD4PasswordEncoder;
 import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl;
 import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
@@ -51,6 +50,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.DisposableBean;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.extensions.config.ConfigElement;
 /**
 * CIFS Authenticator Base Class
@@ -309,9 +309,9 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements
        //  Get a guest authentication token
        getAuthenticationService().authenticateAsGuest();
-        Authentication authToken = getAuthenticationComponent().getCurrentAuthentication();
+        String ticket = getAuthenticationService().getCurrentTicket();
-        alfClient.setAuthenticationToken( authToken);
+        alfClient.setAuthenticationTicket(ticket);
        // Set the home folder for the guest user
@@ -373,6 +373,11 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements
     * @return String
     */
    protected final String mapUserNameToPerson(final String userName)
    {
        // Do the lookup as the system user
        return AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<String>()
        {
            public String doWork() throws Exception
            {
                return doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback<String>()
                {
@@ -396,6 +401,8 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements
                    }
                });
            }
        }, AuthenticationUtil.getSystemUserName());
    }
    /**
     * Set the current authenticated user context for this thread.
@@ -403,10 +410,14 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements
     * @param client
     *            ClientInfo
     */
-    public void setCurrentUser(ClientInfo client) {
+    public void setCurrentUser(final ClientInfo client) {
        // Check the account type and setup the authentication context
        doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback<Object>()
        {
            public Object execute() throws Throwable
            {
                if (client == null || client.isNullSession())
                {
                    // Clear the authentication, null user should not be allowed to do any service calls
@@ -418,7 +429,23 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements
                    // Set the authentication context for the request
                    AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-            getAuthenticationComponent().setCurrentAuthentication(alfClient.getAuthenticationToken());
+                    if (alfClient.hasAuthenticationTicket())
                    {
                        try
                        {
                            getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null);
                        }
                        catch (AuthenticationException e)
                        {
                            // Ticket no longer valid or maximum tickets exceeded
                            alfClient.setAuthenticationTicket(null);
                            getAuthenticationComponent().clearCurrentSecurityContext();
                        }
                    }
                    else
                    {
                        getAuthenticationComponent().clearCurrentSecurityContext();
                    }
                }
                else
                {
@@ -426,6 +453,9 @@ public abstract class CifsAuthenticatorBase extends CifsAuthenticator implements
                    getAuthenticationComponent().setGuestUserAsCurrentUser();
                }
                return null;
            }
        });
    }
    /**
--- a/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java
+++ b/source/java/org/alfresco/filesys/auth/cifs/EnterpriseCifsAuthenticator.java
@@ -36,7 +36,6 @@ import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import javax.security.sasl.RealmCallback;
 import org.springframework.extensions.config.ConfigElement;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
 import org.alfresco.jlan.debug.Debug;
@@ -70,10 +69,12 @@ import org.alfresco.jlan.smb.server.SMBSrvSession;
 import org.alfresco.jlan.smb.server.VirtualCircuit;
 import org.alfresco.jlan.util.DataPacker;
 import org.alfresco.jlan.util.HexDump;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.NTLMMode;
 import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
 import org.alfresco.repo.transaction.RetryingTransactionHelper;
 import org.ietf.jgss.Oid;
 import org.springframework.extensions.config.ConfigElement;
 /**
 * Enterprise CIFS Authenticator Class
@@ -1491,14 +1492,21 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement
            		}
            		else
            		{
                        // Use the system user to do the user name lookup
                        getAuthenticationComponent().setSystemUserAsCurrentUser();
                        // Set the current user to be authenticated, save the authentication token
            		    try
            		    {
                            AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                        alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(krbDetails.getUserName())));
+                            getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(krbDetails.getUserName()));
                            alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket() );
                        }
                        catch (AuthenticationException e)
                        {
                            // Invalid user or max tickets exceeded. Return a logon failure status
                            throw new SMBSrvException( SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied);
                        }
                        // Store the full user name in the client information, indicate that this is not a guest logon
@@ -1654,8 +1662,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement
                // Setup the Acegi authenticated user
                try
                {
                    AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(userName)));
+                    getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(userName));                
                    alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                }
                catch (AuthenticationException e)
                {
                    // Invalid user or max tickets exceeded. Return a logon failure status
                    throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied);
                }
                // Store the full user name in the client information, indicate that this is not a guest logon
@@ -1787,9 +1805,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement
                // Setup the Acegi authenticated user
                try
                {
                    AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName())));
+                    getAuthenticationComponent().setCurrentUser( mapUserNameToPerson(client.getUserName()));                
                    alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                }
                catch (AuthenticationException e)
                {
                    // Invalid user or max tickets exceeded. Return a logon failure status
                    throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied);
                }
                // Store the full user name in the client information, indicate that this is not a guest logon
                client.setGuest( false);
@@ -1900,7 +1927,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement
                    // Setup the Acegi authenticated user
                    AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                    alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName)));
+                    getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName));                
                    alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                    // Store the full user name in the client information, indicate that this is not a guest logon
@@ -1915,7 +1943,14 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement
                {
                    // Log the error
                    if (ex instanceof AuthenticationException)
                    {
                        logger.debug(ex);
                    }
                    else
                    {
                        logger.error(ex);                        
                    }
                    //  Return a logon failure
@@ -2024,7 +2059,8 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement
                    // Setup the Acegi authenticated user
                    AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                    alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName())));
+                    getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName()));                
                    alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                    // Store the full user name in the client information, indicate that this is not a guest logon
@@ -2038,7 +2074,14 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement
                {
                    // Log the error
                    if (ex instanceof AuthenticationException)
                    {
                        logger.debug(ex);
                    }
                    else
                    {
                        logger.error(ex);                        
                    }
                    //  Return a logon failure
@@ -2187,8 +2230,18 @@ public class EnterpriseCifsAuthenticator extends CifsAuthenticatorBase implement
                // Setup the Acegi authenticated user
                try
                {
                    AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName)));
+                    getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( userName));                
                    alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                }
                catch (AuthenticationException e)
                {
                    // Invalid user or max tickets exceeded. Return a logon failure status
                    throw new SMBSrvException(SMBStatus.NTLogonFailure, SMBStatus.ErrDos, SMBStatus.DOSAccessDenied);
                }
                // Store the full user name in the client information, indicate that this is not a guest logon
--- a/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java
+++ b/source/java/org/alfresco/filesys/auth/cifs/PassthruCifsAuthenticator.java
@@ -22,7 +22,6 @@ import java.util.ArrayList;
 import java.util.Hashtable;
 import java.util.List;
 import org.springframework.extensions.config.ConfigElement;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
 import org.alfresco.filesys.auth.PassthruServerFactory;
@@ -57,12 +56,14 @@ import org.alfresco.jlan.util.DataPacker;
 import org.alfresco.jlan.util.HexDump;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.NTLMMode;
 import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
 import org.alfresco.repo.transaction.RetryingTransactionHelper;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.extensions.config.ConfigElement;
 /**
 * Passthru Authenticator Class
@@ -183,11 +184,11 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements
                {
                    // Check if the client is already authenticated, and it is not a null logon
-                    if ( alfClient.getAuthenticationToken() != null && client.getLogonType() != ClientInfo.LogonNull)
+                    if ( alfClient.hasAuthenticationTicket() && client.getLogonType() != ClientInfo.LogonNull)
                    {
                        // Use the existing authentication token
-                        getAuthenticationComponent().setCurrentUser( mapUserNameToPerson( client.getUserName()));
+                        getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null);
                        // Debug
@@ -276,7 +277,8 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements
                                {
                                    // Use the person name as the current user
-                                    alfClient.setAuthenticationToken( getAuthenticationComponent().setCurrentUser(personName));
+                                    getAuthenticationComponent().setCurrentUser(personName);
                                    alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                                    // DEBUG
@@ -296,6 +298,10 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements
                                    logger.debug("Failed to find person matching user " + username);
                            }
                        }
                        catch (AuthenticationException ex)
                        {
                            logger.debug("User invalid or max tickets exceeded", ex);                
                        }
                        catch (Exception ex)
                        {
@@ -1018,7 +1024,7 @@ public class PassthruCifsAuthenticator extends CifsAuthenticatorBase implements
                            // Get the authentication token and store
                            AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                            alfClient.setAuthenticationToken(getAuthenticationComponent().getCurrentAuthentication());
+                            alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                            // Indicate that the client is logged on
--- a/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java
+++ b/source/java/org/alfresco/filesys/auth/ftp/AlfrescoFtpAuthenticator.java
@@ -21,8 +21,6 @@ package org.alfresco.filesys.auth.ftp;
 import javax.transaction.Status;
 import javax.transaction.UserTransaction;
 import net.sf.acegisecurity.Authentication;
 import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
 import org.alfresco.jlan.ftp.FTPSrvSession;
 import org.alfresco.jlan.server.SrvSession;
@@ -178,12 +176,12 @@ public class AlfrescoFtpAuthenticator extends FTPAuthenticatorBase {
   */
  protected void doGuestLogon( AlfrescoClientInfo client, SrvSession sess)
  {
-      //  Get a guest authentication token
+      //  Get a guest authentication ticket
      getAuthenticationService().authenticateAsGuest();
-      Authentication authToken = getAuthenticationComponent().getCurrentAuthentication();
+      String ticket = getAuthenticationService().getCurrentTicket();
-      client.setAuthenticationToken( authToken);
+      client.setAuthenticationTicket( ticket);
      // Mark the client as being a guest logon
--- a/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java
+++ b/source/java/org/alfresco/filesys/auth/ftp/PassthruFtpAuthenticator.java
@@ -24,9 +24,6 @@ import java.net.InetAddress;
 import javax.transaction.Status;
 import javax.transaction.UserTransaction;
 import net.sf.acegisecurity.Authentication;
 import org.springframework.extensions.config.ConfigElement;
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.filesys.ExtendedServerConfigurationAccessor;
 import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
@@ -45,6 +42,7 @@ import org.alfresco.jlan.util.IPAddress;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.repo.security.authentication.NTLMMode;
 import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
 import org.springframework.extensions.config.ConfigElement;
 /**
 * Passthru FTP Authenticator Class
@@ -331,9 +329,9 @@ public class PassthruFtpAuthenticator extends FTPAuthenticatorBase {
        // Get a guest authentication token
        getAuthenticationService().authenticateAsGuest();
-        Authentication authToken = getAuthenticationComponent().getCurrentAuthentication();
+        String ticket = getAuthenticationService().getCurrentTicket();
-        client.setAuthenticationToken(authToken);
+        client.setAuthenticationTicket(ticket);
        // Mark the client as being a guest logon
@@ -395,7 +393,8 @@ public class PassthruFtpAuthenticator extends FTPAuthenticatorBase {
                    // Set the current user to be authenticated, save the authentication token
                    AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
-                    alfClient.setAuthenticationToken(getAuthenticationComponent().setCurrentUser(client.getUserName()));
+                    getAuthenticationComponent().setCurrentUser(client.getUserName());                   
                    alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                    // Passwords match, grant access
--- a/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java
+++ b/source/java/org/alfresco/filesys/auth/nfs/AlfrescoRpcAuthenticator.java
@@ -39,6 +39,7 @@ import org.alfresco.jlan.server.auth.ClientInfo;
 import org.alfresco.jlan.server.config.InvalidConfigurationException;
 import org.alfresco.jlan.server.config.ServerConfiguration;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
 import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.transaction.TransactionService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -69,6 +70,8 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB
    private AuthenticationComponent authenticationComponent;
    private AuthenticationService authenticationService;
    private TransactionService transactionService;
    public void setUserMappings(List<UserMapping> userMappings)
@@ -81,6 +84,11 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB
        this.authenticationComponent = authenticationComponent;
    }
    public void setAuthenticationService (AuthenticationService authenticationService)
    {
        this.authenticationService = authenticationService;
    }
    public void setTransactionService(TransactionService transactionService)
    {
        this.transactionService = transactionService;
@@ -289,28 +297,28 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB
            // Check if the authentication token has been set for the client
-            if ( alfClient.hasAuthenticationToken() == false)
+            if ( !alfClient.hasAuthenticationTicket() )
            {
                // Set the current user and retrieve the authentication token
                getAuthenticationComponent().setCurrentUser( client.getUserName());
-                alfClient.setAuthenticationToken( getAuthenticationComponent().getCurrentAuthentication());
+                alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
                // DEBUG
                if ( logger.isDebugEnabled())
-                    logger.debug("Set user name=" + client.getUserName() + ", token=" + alfClient.getAuthenticationToken());
+                    logger.debug("Set user name=" + client.getUserName() + ", ticket=" + alfClient.getAuthenticationTicket());
            }
            else
            {
                // Set the authentication context for the request
-              getAuthenticationComponent().setCurrentAuthentication( alfClient.getAuthenticationToken());
+                getAuthenticationService().validate(alfClient.getAuthenticationTicket(), null);
                // DEBUG
                if ( logger.isDebugEnabled())
-                    logger.debug("Set user using auth token, token=" + alfClient.getAuthenticationToken());
+                    logger.debug("Set user using auth ticket, ticket=" + alfClient.getAuthenticationTicket());
            }
        }
        else
@@ -375,6 +383,7 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB
        // Copy over relevant bean properties for backward compatibility
        setAuthenticationComponent(alfrescoConfig.getAuthenticationComponent());
        setAuthenticationService(alfrescoConfig.getAuthenticationService());
        setTransactionService(alfrescoConfig.getTransactionService());
        // Check for the user mappings
@@ -524,6 +533,11 @@ public class AlfrescoRpcAuthenticator implements RpcAuthenticator, InitializingB
        return this.authenticationComponent;
    }
    protected AuthenticationService getAuthenticationService()
    {
        return this.authenticationService;
    }
    protected TransactionService getTransactionService()
    {
        return this.transactionService;
--- a/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java
@@ -145,10 +145,15 @@ public class InMemoryTicketComponentImpl implements TicketComponent
     */
    private String getTicketKey(String ticketString)
    {
-        if (ticketString.length() < GRANTED_AUTHORITY_TICKET_PREFIX.length())
+        if (ticketString == null)
        {
            return null;
        }
        else if (ticketString.length() < GRANTED_AUTHORITY_TICKET_PREFIX.length())
        {
            throw new AuthenticationException(ticketString + " is an invalid ticket format");
        }
        String key = ticketString.substring(GRANTED_AUTHORITY_TICKET_PREFIX.length());
        return key;
    }