Merge branch 'master' into feature/AUTH-85-token-auth

pom.xml

@@ -2,7 +2,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>alfresco-remote-api</artifactId>
     <name>Alfresco Remote API</name>
-    <version>6.21-TOKEN-AUTH2-SNAPSHOT</version>
+    <version>6.30-SNAPSHOT</version>
     <packaging>jar</packaging>
 
     <parent>
@@ -35,16 +35,16 @@
         <dir.root>${project.build.directory}/alf_data</dir.root>
         <img.exe>convert</img.exe>
       
-        <dependency.alfresco-repository.version>6.37-TOKEN-AUTH</dependency.alfresco-repository.version>
+        <dependency.alfresco-repository.version>6.45</dependency.alfresco-repository.version>
         <dependency.alfresco-core.version>7.1</dependency.alfresco-core.version>
-        <dependency.alfresco-data-model.version>8.2</dependency.alfresco-data-model.version>
+        <dependency.alfresco-data-model.version>8.5</dependency.alfresco-data-model.version>
         <dependency.alfresco-pdf-renderer.version>1.1</dependency.alfresco-pdf-renderer.version>
-        <dependency.jackson.version>2.8.10</dependency.jackson.version>
+        <dependency.jackson.version>2.8.11</dependency.jackson.version>
 
-        <dependency.webscripts.version>6.13</dependency.webscripts.version>
+        <dependency.webscripts.version>6.16</dependency.webscripts.version>
         <dependency.opencmis.version>1.0.0</dependency.opencmis.version>
         <dependency.spring.version>5.0.4.RELEASE</dependency.spring.version>
-        <dependency.postgresql.version>9.4.1212</dependency.postgresql.version>
+        <dependency.postgresql.version>42.2.1</dependency.postgresql.version>
         <dependency.mysql.version>5.1.40</dependency.mysql.version>
     </properties>
 
@@ -88,7 +88,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${dependency.jackson.version}</version>
+            <version>2.8.11.1</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
@@ -125,11 +125,6 @@
             <artifactId>commons-csv</artifactId>
             <version>20110211</version>
         </dependency>
-        <dependency>
-            <groupId>javax.portlet</groupId>
-            <artifactId>portlet-api</artifactId>
-            <version>2.0</version>
-        </dependency>
         <dependency>
             <groupId>org.alfresco.surf</groupId>
             <artifactId>spring-webscripts</artifactId>
@@ -237,19 +232,19 @@
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-server</artifactId>
-            <version>7.3.0.v20110203</version>
+            <version>8.2.0.v20160908</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-security</artifactId>
-            <version>7.3.0.v20110203</version>
+            <version>8.2.0.v20160908</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-webapp</artifactId>
-            <version>7.3.0.v20110203</version>
+            <version>8.2.0.v20160908</version>
             <scope>test</scope> 
         </dependency>
     </dependencies>

src/main/java/org/alfresco/repo/web/scripts/portlet/JSR168PortletAuthenticatorFactory.java

@@ -1,186 +0,0 @@
-/*
- * #%L
- * Alfresco Remote API
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
-package org.alfresco.repo.web.scripts.portlet;
-
-import javax.portlet.RenderRequest;
-import javax.portlet.RenderResponse;
-import javax.servlet.http.HttpServletResponse;
-import javax.transaction.UserTransaction;
-
-import org.alfresco.error.AlfrescoRuntimeException;
-import org.alfresco.repo.security.authentication.AuthenticationUtil;
-import org.alfresco.service.cmr.security.AuthenticationService;
-import org.alfresco.service.transaction.TransactionService;
-import org.springframework.extensions.webscripts.Authenticator;
-import org.springframework.extensions.webscripts.WebScriptException;
-import org.springframework.extensions.webscripts.Description.RequiredAuthentication;
-import org.springframework.extensions.webscripts.portlet.PortletAuthenticatorFactory;
-import org.springframework.extensions.webscripts.portlet.WebScriptPortletRequest;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-
-/**
- * Portlet authenticator
- * 
- * @author davidc
- */
-public class JSR168PortletAuthenticatorFactory implements PortletAuthenticatorFactory
-{
-    // Logger
-    private static final Log logger = LogFactory.getLog(JSR168PortletAuthenticatorFactory.class);
-
-    // dependencies
-    private AuthenticationService unprotAuthenticationService;
-    private TransactionService txnService;    
-    
-    /**
-     * @param authenticationService AuthenticationService
-     */
-    public void setUnprotAuthenticationService(AuthenticationService authenticationService)
-    {
-        this.unprotAuthenticationService = authenticationService;
-    }
-
-    /**
-     * @param transactionService TransactionService
-     */
-    public void setTransactionService(TransactionService transactionService)
-    {
-        this.txnService = transactionService;
-    }
-    
-    /* (non-Javadoc)
-     * @see org.alfresco.web.scripts.portlet.PortletAuthenticatorFactory#create(javax.portlet.RenderRequest, javax.portlet.RenderResponse)
-     */
-    public Authenticator create(RenderRequest req, RenderResponse res)
-    {
-        return new JSR168PortletAuthenticator(req, res);
-    }
-
-    
-    /**
-     * Portlet authenticator
-     * 
-     * @author davidc
-     */
-    public class JSR168PortletAuthenticator implements Authenticator
-    {
-        // dependencies
-        private RenderRequest req;
-        
-        /**
-         * Construct
-         * 
-         * @param req RenderRequest
-         * @param res RenderResponse
-         */
-        public JSR168PortletAuthenticator(RenderRequest req, RenderResponse res)
-        {
-            this.req = req;
-        }
-        
-        /*(non-Javadoc)
-         * @see org.alfresco.web.scripts.Authenticator#authenticate(org.alfresco.web.scripts.Description.RequiredAuthentication, boolean)
-         */
-        public boolean authenticate(RequiredAuthentication required, boolean isGuest)
-        {
-            // first look for the username key in the session - we add this by hand for some portals
-            // when the WebScriptPortletRequest is created
-            String portalUser = (String)req.getPortletSession().getAttribute(WebScriptPortletRequest.ALFPORTLETUSERNAME);
-            if (portalUser == null)
-            {
-                portalUser = req.getRemoteUser();
-            }
-            
-            if (logger.isDebugEnabled())
-            {
-                logger.debug("JSR-168 Remote user: " + portalUser);
-            }
-    
-            if (isGuest || portalUser == null)
-            {
-                if (logger.isDebugEnabled())
-                    logger.debug("Authenticating as Guest");
-                
-                // authenticate as guest
-                AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getGuestUserName());
-            }
-            else
-            {
-                if (logger.isDebugEnabled())
-                    logger.debug("Authenticating as user " + portalUser);
-
-                UserTransaction txn = null;
-                try
-                {
-                	txn = txnService.getUserTransaction();
-                	txn.begin();
-
-                	if (!unprotAuthenticationService.authenticationExists(portalUser))
-                	{
-                		throw new WebScriptException(HttpServletResponse.SC_FORBIDDEN, "User " + portalUser + " is not a known Alfresco user");
-                	}
-                	AuthenticationUtil.setFullyAuthenticatedUser(portalUser);
-                }
-                catch (Throwable err)
-                {
-                	throw new AlfrescoRuntimeException("Error authenticating user: " + portalUser, err);
-                }
-                finally
-                {
-                	try
-                	{
-                		if (txn != null)
-                		{
-                			txn.rollback();
-                		}
-                	}
-                	catch (Exception tex)
-                	{
-                		// nothing useful we can do with this
-                	}
-                }
-            }
-            
-            return true;
-        }
-        
-        /* (non-Javadoc)
-         * @see org.alfresco.web.scripts.Authenticator#emptyCredentials()
-         */
-        public boolean emptyCredentials()
-        {
-            String portalUser = (String)req.getPortletSession().getAttribute(WebScriptPortletRequest.ALFPORTLETUSERNAME);
-            if (portalUser == null)
-            {
-                portalUser = req.getRemoteUser();
-            }
-            return (portalUser == null);
-        }
-    }
-
-}

src/main/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java

@@ -0,0 +1,82 @@
+/*
+ * #%L
+ * Alfresco Repository WAR Community
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+
+package org.alfresco.web.app.servlet;
+
+import java.io.IOException;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+
+import org.alfresco.web.scripts.servlet.X509ServletFilterBase;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.context.support.WebApplicationContextUtils;
+
+/**
+ * The AlfrescoX509ServletFilter implements the checkEnforce method of the X509ServletFilterBase.
+ * This allows the configuration of X509 authentication to be toggled on/off through a
+ * configuration outside of the web.xml.
+ **/
+
+public class AlfrescoX509ServletFilter extends X509ServletFilterBase
+{
+    private static final String BEAN_GLOBAL_PROPERTIES = "global-properties";
+    private static final String SECURE_COMMS = "solr.secureComms";
+
+    private static Log logger = LogFactory.getLog(AlfrescoX509ServletFilter.class);
+
+    @Override
+    protected boolean checkEnforce(ServletContext servletContext) throws IOException
+    {
+        /*
+        * Get the secureComms setting from the global properties bean.
+        */
+
+        WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
+        Properties globalProperties = (Properties) wc.getBean(BEAN_GLOBAL_PROPERTIES);
+        String prop = globalProperties.getProperty(SECURE_COMMS);
+
+        if(logger.isDebugEnabled())
+        {
+            logger.debug("secureComms:"+prop);
+        }
+
+        /*
+         * Return true or false based on the property. This will switch on/off X509 enforcement in the X509ServletFilterBase.
+         */
+
+        if (prop == null || "none".equals(prop))
+        {
+            return false;
+        }
+        else
+        {
+            return true;
+        }
+    }
+}

src/main/java/org/alfresco/web/app/servlet/CmisSecurityContextCleanerFilter.java

@@ -0,0 +1,63 @@
+/*
+ * #%L
+ * Alfresco Repository WAR Community
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.web.app.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import net.sf.acegisecurity.context.ContextHolder;
+
+/**
+ * Clears security context. It should follow Authentication filters in the chain and should be mapped for CMIS requests only
+ * 
+ * @author Dmitry Velichkevich
+ * @since 4.1.5
+ */
+public class CmisSecurityContextCleanerFilter implements Filter
+{
+    @Override
+    public void destroy()
+    {
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException
+    {
+        ContextHolder.setContext(null);
+        chain.doFilter(servletRequest, servletResponse);
+    }
+
+    @Override
+    public void init(FilterConfig config) throws ServletException
+    {
+    }
+}

src/main/java/org/alfresco/web/app/servlet/GlobalLocalizationFilter.java

@@ -0,0 +1,145 @@
+/*
+ * #%L
+ * Alfresco Repository WAR Community
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.web.app.servlet;
+
+import java.io.IOException;
+import java.util.Locale;
+import java.util.StringTokenizer;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+import org.springframework.extensions.surf.util.I18NUtil;
+
+/**
+ * @author Stas Sokolovsky
+ * 
+ * Servlet filter responsible for setting a fallback default locale for ALL requests. 
+ */
+public class GlobalLocalizationFilter implements Filter
+{
+    /**
+     * Run the filter
+     * 
+     * @param request ServletRequest
+     * @param response ServletResponse
+     * @param chain FilterChain
+     * @exception IOException
+     * @exception ServletException
+     */
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
+    {
+        // Clear content locale from this thread (it may be set later)
+        I18NUtil.setContentLocale(null);
+
+        setLanguageFromRequestHeader((HttpServletRequest) request);        
+
+        // continue filter chaining
+        chain.doFilter(request, new HttpServletResponseWrapper((HttpServletResponse) response){
+
+            /* (non-Javadoc)
+             * @see javax.servlet.ServletResponseWrapper#setContentType(java.lang.String)
+             */
+            @Override
+            public void setContentType(String type)
+            {
+                super.setContentType(type);
+
+                // Parse the parameters of the media type, since some app servers (Websphere) refuse to pay attention if the
+                // character encoding isn't explicitly set
+                int startIndex = type.indexOf(';') + 1;
+                int length = type.length();
+                while (startIndex != 0 && startIndex < length)
+                {
+                  int endIndex = type.indexOf(';', startIndex);
+                  if (endIndex == -1)
+                  {
+                      endIndex = length;
+                  }
+                  String param = type.substring(startIndex, endIndex);
+                  int sepIndex = param.indexOf('=');
+                  if (sepIndex != -1)
+                  {
+                      String name = param.substring(0, sepIndex).trim();
+                      if (name.equalsIgnoreCase("charset"))
+                      {
+                          String charset = param.substring(sepIndex + 1).trim();
+                          if ((null != charset) && ((charset.startsWith("\"") && charset.endsWith("\"")) || (charset.startsWith("'") && charset.endsWith("'"))))
+                          {
+                              charset = charset.substring(1, (charset.length() - 1));
+                          }
+                          setCharacterEncoding(charset);
+                          break;
+                      }
+                  }
+                  startIndex = endIndex + 1;
+                }                        
+            }
+        });
+
+    }
+
+    /**
+     * Apply Client and Repository language locale based on the 'Accept-Language' request header
+     *
+     * @param req HttpServletRequest
+     */
+    public void setLanguageFromRequestHeader(HttpServletRequest req)
+    {
+        Locale locale = null;
+
+        String acceptLang = req.getHeader("Accept-Language");
+        if (acceptLang != null && acceptLang.length() > 0)
+        {
+            StringTokenizer tokenizer = new StringTokenizer(acceptLang, ",; ");
+            // get language and convert to java locale format
+            String language = tokenizer.nextToken().replace('-', '_');
+            locale = I18NUtil.parseLocale(language);
+            I18NUtil.setLocale(locale);
+        }
+        else
+        {
+            I18NUtil.setLocale(Locale.getDefault());
+        }
+    }
+
+    public void init(FilterConfig filterConfig) throws ServletException
+    {
+        // Nothing to do        
+    }
+
+    public void destroy()
+    {
+        // Nothing to do
+    }
+}

src/main/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java

@@ -0,0 +1,120 @@
+/*
+ * #%L
+ * Alfresco Repository WAR Community
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.web.app.servlet;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.alfresco.repo.web.auth.WebCredentials;
+import org.alfresco.repo.webdav.auth.AuthenticationDriver;
+import org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Kerberos Authentication Filter Class
+ * 
+ * @author GKSpencer
+ */
+public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilter
+{
+    // Debug logging
+    
+    private static Log logger = LogFactory.getLog(KerberosAuthenticationFilter.class);
+  
+    
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter#init()
+     */
+    @Override
+    protected void init() throws ServletException
+    {
+        // Call the base Kerberos filter initialization
+        super.init();
+
+        // Use the web client user attribute name
+        setUserAttributeName(AuthenticationDriver.AUTHENTICATION_USER);
+    }
+    
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#onValidateFailed(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession)
+     */
+    @Override
+    protected void onValidateFailed(ServletContext sc, HttpServletRequest req, HttpServletResponse res, HttpSession session, WebCredentials credentials)
+        throws IOException
+    {
+        super.onValidateFailed(sc, req, res, session, credentials);
+        
+        // Redirect to the login page if user validation fails
+    	redirectToLoginPage(req, res);
+    }
+    
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#onLoginComplete(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+     */
+    @Override
+    protected boolean onLoginComplete(ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean userInit)
+        throws IOException
+    {
+        String requestURI = req.getRequestURI();
+        return true;
+    }
+    
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#writeLoginPageLink(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+     */
+    @Override
+    protected void writeLoginPageLink(ServletContext context, HttpServletRequest req, HttpServletResponse resp)
+            throws IOException
+    {
+        String redirectURL = req.getRequestURI();
+        resp.setContentType("text/html; charset=UTF-8");
+        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+
+        final PrintWriter out = resp.getWriter();
+        out.println("<html><head>");
+        // Remove the auto refresh to avoid refresh loop, MNT-16931
+//         out.println("<meta http-equiv=\"Refresh\" content=\"0; url=" + redirectURL + "\">");
+        out.println("</head><body><p>Please <a href=\"" + redirectURL + "\">log in</a>.</p>");
+        out.println("</body></html>");
+        out.close();
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#getLogger()
+     */
+    @Override
+    final protected Log getLogger()
+    {
+        return logger;
+    }
+}

src/main/java/org/alfresco/web/app/servlet/NTLMAuthenticationFilter.java

@@ -0,0 +1,119 @@
+/*
+ * #%L
+ * Alfresco Repository WAR Community
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.web.app.servlet;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.alfresco.repo.web.auth.WebCredentials;
+import org.alfresco.repo.webdav.auth.AuthenticationDriver;
+import org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Web-client NTLM Authentication Filter Class
+ * 
+ * @author GKSpencer
+ */
+public class NTLMAuthenticationFilter extends BaseNTLMAuthenticationFilter
+{
+    // Debug logging
+    private static Log logger = LogFactory.getLog(NTLMAuthenticationFilter.class);
+
+    
+	/* (non-Javadoc)
+	 * @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#init()
+	 */
+	@Override
+    protected void init() throws ServletException
+    {
+        // Call the base NTLM filter initialization
+        super.init();
+        
+        // Use the web client user attribute name
+        setUserAttributeName(AuthenticationDriver.AUTHENTICATION_USER);
+    }
+    
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#onValidateFailed(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession)
+     */
+    @Override
+    protected void onValidateFailed(ServletContext sc, HttpServletRequest req, HttpServletResponse res, HttpSession session, WebCredentials credentials)
+        throws IOException
+    {
+        super.onValidateFailed(sc, req, res, session, credentials);
+        
+        // Redirect to the login page if user validation fails
+    	redirectToLoginPage(req, res);
+    }
+    
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#onLoginComplete(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+     */
+    @Override
+    protected boolean onLoginComplete(ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean userInit)
+        throws IOException
+    {
+        String requestURI = req.getRequestURI();
+        return true;
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#writeLoginPageLink(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+     */
+    @Override
+    protected void writeLoginPageLink(ServletContext context, HttpServletRequest req, HttpServletResponse resp)
+            throws IOException
+    {
+        String redirectURL = req.getRequestURI();
+        resp.setContentType("text/html; charset=UTF-8");
+        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+
+        final PrintWriter out = resp.getWriter();
+        out.println("<html><head>");
+        // Remove the auto refresh to avoid refresh loop, MNT-16931
+//         out.println("<meta http-equiv=\"Refresh\" content=\"0; url=" + redirectURL + "\">");
+        out.println("</head><body><p>Please <a href=\"" + redirectURL + "\">log in</a>.</p>");
+        out.println("</body></html>");
+        out.close();
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#getLogger()
+     */
+    @Override
+    final protected Log getLogger()
+    {
+        return logger;
+    }
+}

src/main/java/org/alfresco/web/app/servlet/WebScriptSSOAuthenticationFilter.java

@@ -0,0 +1,132 @@
+/*
+ * #%L
+ * Alfresco Repository WAR Community
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.web.app.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.alfresco.repo.management.subsystems.ActivateableBean;
+import org.alfresco.repo.web.filter.beans.DependencyInjectedFilter;
+import org.alfresco.repo.webdav.auth.BaseAuthenticationFilter;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.extensions.surf.util.URLDecoder;
+import org.springframework.extensions.webscripts.Description.RequiredAuthentication;
+import org.springframework.extensions.webscripts.Match;
+import org.springframework.extensions.webscripts.RuntimeContainer;
+
+/**
+ * WebScript aware Authentication Filter Class. Takes into account the authentication setting in the descriptor for the
+ * webscript before chaining to the downstream authentication filters. If authentication is not required then chains
+ * with the NO_AUTH_REQUIRED request attribute set, which should cause any downstream authentication filter to bypass
+ * authentication checks.
+ * 
+ * @author Kevin Roast
+ * @author dward
+ */
+public class WebScriptSSOAuthenticationFilter extends BaseAuthenticationFilter implements DependencyInjectedFilter,
+        ActivateableBean
+{
+    private static final Log logger = LogFactory.getLog(WebScriptSSOAuthenticationFilter.class);
+    private RuntimeContainer container;        
+    private boolean isActive = true;
+
+    /**
+     * @param container the container to set
+     */
+    public void setContainer(RuntimeContainer container)
+    {
+        this.container = container;
+    }
+   
+    /**
+     * Activates or deactivates the bean
+     * 
+     * @param active
+     *            <code>true</code> if the bean is active and initialization should complete
+     */
+    public final void setActive(boolean active)
+    {
+        this.isActive = active;
+    }
+
+    /*
+     * (non-Javadoc)
+     * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive()
+     */
+    public final boolean isActive()
+    {
+        return isActive;
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#doFilter(javax.servlet.ServletContext, javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
+     */
+    public void doFilter(ServletContext context, ServletRequest sreq, ServletResponse sresp, FilterChain chain)
+            throws IOException, ServletException
+    {
+        // Get the HTTP request/response
+        HttpServletRequest req = (HttpServletRequest)sreq;
+        
+        // find a webscript match for the requested URI
+        String requestURI = req.getRequestURI();
+        String pathInfo = requestURI.substring((req.getContextPath() + req.getServletPath()).length());
+        
+        if (getLogger().isDebugEnabled())
+            getLogger().debug("Processing request: " + requestURI + " SID:" +
+                    (req.getSession(false) != null ? req.getSession().getId() : null));
+        
+        Match match = container.getRegistry().findWebScript(req.getMethod(), URLDecoder.decode(pathInfo));
+        if (match != null && match.getWebScript() != null)
+        {
+            // check the authentication required - if none then we don't want any of
+            // the filters down the chain to require any authentication checks
+            if (RequiredAuthentication.none == match.getWebScript().getDescription().getRequiredAuthentication())
+            {
+                if (getLogger().isDebugEnabled())
+                    getLogger().debug("Found webscript with no authentication - set NO_AUTH_REQUIRED flag.");
+                req.setAttribute(NO_AUTH_REQUIRED, Boolean.TRUE);
+            }
+        }
+
+        chain.doFilter(sreq, sresp);
+    }
+
+    /* (non-Javadoc)
+     * @see org.alfresco.repo.webdav.auth.BaseAuthenticationFilter#getLogger()
+     */
+    @Override
+    protected Log getLogger()
+    {
+        return logger;
+    }
+}

src/main/java/org/alfresco/web/app/servlet/WebscriptCookieAuthenticationFilter.java

@@ -0,0 +1,87 @@
+/*
+ * #%L
+ * Alfresco Repository WAR Community
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.web.app.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.alfresco.repo.web.filter.beans.DependencyInjectedFilter;
+import org.alfresco.repo.webdav.auth.AuthenticationDriver;
+import org.alfresco.repo.webdav.auth.BaseAuthenticationFilter;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * WebScript aware Authentication Filter. Directly handles login script calls, allowing Surf to establish a cookie
+ * for a manual login, rather than the usual stateless ticket based logins.
+ * <p>
+ * This functionality has been extracted from the WebScriptSSOAuthenticationFilter so that they can work independently.
+ * 
+ * @author Gethin James
+ */
+public class WebscriptCookieAuthenticationFilter extends BaseAuthenticationFilter implements DependencyInjectedFilter
+{
+    private static final Log logger = LogFactory.getLog(WebscriptCookieAuthenticationFilter.class);
+    private static final String API_LOGIN = "/api/login";
+    
+    public WebscriptCookieAuthenticationFilter()
+    {
+        setUserAttributeName(AuthenticationDriver.AUTHENTICATION_USER);
+    }
+
+    
+    @Override
+    public void doFilter(ServletContext context, ServletRequest sreq, ServletResponse sresp, FilterChain chain) throws IOException, ServletException
+    {
+        // Get the HTTP request/response
+        HttpServletRequest req = (HttpServletRequest)sreq;
+        HttpServletResponse res = (HttpServletResponse)sresp;
+        
+        // Allow propagation of manual logins to the session user
+        if (API_LOGIN.equals(req.getPathInfo()) && req.getMethod().equalsIgnoreCase("POST"))
+        {
+            handleLoginForm(req, res);
+        }
+        else
+        {
+            chain.doFilter(sreq, sresp);
+        }
+    }
+    
+    @Override
+    protected Log getLogger()
+    {
+        return logger;
+    }
+
+}

src/main/resources/alfresco/messages/rest-framework-messages_de.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=Berechtigung verweigert
 framework.exception.StaleEntity=Versuch, eine gegenstandslose Entity zu aktualisieren
 framework.exception.UnsupportedResourceOperation=Der Vorgang wird nicht unterst\u00fctzt
 framework.exception.DeletedResource=In dieser Version der REST-API wurde die Ressource {0} gel\u00f6scht
-framework.exception.RequestEntityTooLarge=Anfrage-Entity zu gro\u00df
-framework.exception.InsufficientStorage=Content-Speicherkontingent \u00fcberschritten
+framework.exception.RequestEntityTooLarge=Die Datei kann nicht hochgeladen werden da sie die maximale Upload-Gr\u00f6\u00dfe \u00fcberschreitet
+framework.exception.InsufficientStorage=Der Datei-Upload \u00fcberschreitet das erlaubte Speicherkontingent
 framework.no.stacktrace=Aus Sicherheitsgr\u00fcnden wird die Stapelverfolgung nicht mehr angezeigt. Die Eigenschaft wird jedoch f\u00fcr \u00e4ltere Versionen beibehalten

src/main/resources/alfresco/messages/rest-framework-messages_es.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=Se ha denegado el permiso
 framework.exception.StaleEntity=Intento de actualizar una entidad obsoleta
 framework.exception.UnsupportedResourceOperation=No se admite la operaci\u00f3n
 framework.exception.DeletedResource=En esta versi\u00f3n de la API REST, se ha eliminado el recurso {0}
-framework.exception.RequestEntityTooLarge=Entidad de solicitud demasiado grande
-framework.exception.InsufficientStorage=Se ha excedido la cuota de almacenamiento de contenido
+framework.exception.RequestEntityTooLarge=No se puede cargar el fichero porque excede el tama\u00f1o m\u00e1ximo de carga permitido
+framework.exception.InsufficientStorage=El fichero cargado excede la cuota de almacenamiento de contenido
 framework.no.stacktrace=Por motivos de seguridad, ya no se muestra el seguimiento de la pila, pero se guarda la propiedad para versiones anteriores

src/main/resources/alfresco/messages/rest-framework-messages_fr.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=Droit d'acc\u00e8s refus\u00e9
 framework.exception.StaleEntity=Tentative de mise \u00e0 jour d'une entit\u00e9 hors service
 framework.exception.UnsupportedResourceOperation=L'op\u00e9ration n'est pas prise en charge
 framework.exception.DeletedResource=Dans cette version de l''API REST, la ressource {0} a \u00e9t\u00e9 supprim\u00e9e
-framework.exception.RequestEntityTooLarge=Entit\u00e9 de requ\u00eate trop volumineuse
-framework.exception.InsufficientStorage=Quota de stockage de contenu d\u00e9pass\u00e9
+framework.exception.RequestEntityTooLarge=Impossible d'importer le fichier car il d\u00e9passe la taille maximale de t\u00e9l\u00e9chargement
+framework.exception.InsufficientStorage=La taille du fichier\u00e0 importer d\u00e9passe la limite de stockage autoris\u00e9e
 framework.no.stacktrace=Pour des raisons de s\u00e9curit\u00e9, le tra\u00e7age de la pile n'est plus affich\u00e9, mais la propri\u00e9t\u00e9 est conserv\u00e9e dans les versions pr\u00e9c\u00e9dente

src/main/resources/alfresco/messages/rest-framework-messages_it.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=Permesso negato
 framework.exception.StaleEntity=Si \u00e8 tentato di aggiornare un'entit\u00e0 obsoleta
 framework.exception.UnsupportedResourceOperation=Questa operazione non \u00e8 supportata
 framework.exception.DeletedResource={0} \u00e8 stato eliminato in questa versione della risorsa REST API
-framework.exception.RequestEntityTooLarge=Entit\u00e0 della richiesta troppo grande
-framework.exception.InsufficientStorage=Quota di archiviazione dei contenuti superata
+framework.exception.RequestEntityTooLarge=Impossibile caricare il file perch\u00e9 \u00e8 pi\u00f9 grande della dimensione massima consentita
+framework.exception.InsufficientStorage=Il caricamento del file supera la quota massima di archiviazione
 framework.no.stacktrace=Per motivi di sicurezza l'analisi dello stack non viene pi\u00f9 visualizzata, ma viene mantenuta la propriet\u00e0 per le versioni precedenti

src/main/resources/alfresco/messages/rest-framework-messages_ja.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=\u6a29\u9650\u304c\u62d2\u5426\u3055\u308c\
 framework.exception.StaleEntity=\u53e4\u3044\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u3092\u66f4\u65b0\u3057\u3088\u3046\u3068\u3057\u307e\u3057\u305f
 framework.exception.UnsupportedResourceOperation=\u3053\u306e\u64cd\u4f5c\u306f\u30b5\u30dd\u30fc\u30c8\u3055\u308c\u3066\u3044\u307e\u305b\u3093
 framework.exception.DeletedResource=REST API \u30ea\u30bd\u30fc\u30b9 ''{0}'' \u306e\u3053\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306f\u524a\u9664\u3055\u308c\u3066\u3044\u307e\u3059
-framework.exception.RequestEntityTooLarge=\u30ea\u30af\u30a8\u30b9\u30c8\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u304c\u5927\u304d\u3059\u304e\u307e\u3059
-framework.exception.InsufficientStorage=\u30b3\u30f3\u30c6\u30f3\u30c4\u30b9\u30c8\u30ec\u30fc\u30b8\u306e\u30af\u30a9\u30fc\u30bf\u304c\u8d85\u3048\u3066\u3044\u307e\u3059
+framework.exception.RequestEntityTooLarge=\u30d5\u30a1\u30a4\u30eb\u304c\u6700\u5927\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u30b5\u30a4\u30ba\u3088\u308a\u5927\u304d\u3044\u305f\u3081\u3001\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3067\u304d\u307e\u305b\u3093
+framework.exception.InsufficientStorage=\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u304c\u3001\u30b3\u30f3\u30c6\u30f3\u30c4\u306e\u30b9\u30c8\u30ec\u30fc\u30b8\u8a31\u5bb9\u7bc4\u56f2\u3092\u8d85\u3048\u3066\u3044\u307e\u3059
 framework.no.stacktrace=\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u306e\u305f\u3081\u30b9\u30bf\u30c3\u30af\u30c8\u30ec\u30fc\u30b9\u306f\u8868\u793a\u3055\u308c\u306a\u304f\u306a\u308a\u307e\u3057\u305f\u304c\u3001\u30d7\u30ed\u30d1\u30c6\u30a3\u306f\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u305f\u3081\u306b\u6b8b\u3063\u3066\u3044\u307e\u3059

src/main/resources/alfresco/messages/rest-framework-messages_nb.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=Tillatelse avvist
 framework.exception.StaleEntity=Fors\u00f8ker \u00e5 oppdatere en foreldet enhet
 framework.exception.UnsupportedResourceOperation=Handlingen st\u00f8ttes ikke
 framework.exception.DeletedResource=I denne versjonen av REST har API-ressursen {0} blitt slettet
-framework.exception.RequestEntityTooLarge=Den forespurte enheten er for stor
-framework.exception.InsufficientStorage=Kvoten for innholdslagring er overskredet
+framework.exception.RequestEntityTooLarge=Filen kan ikke lastes opp fordi den er st\u00f8rre enn maksimum opplastingsst\u00f8rrelse
+framework.exception.InsufficientStorage=Filopplastingen overskrider tillatt innholdslagring
 framework.no.stacktrace=Av sikkerhetsmessige \u00e5rsaker vises ikke stakksporing lenger, men egenskapen beholdes for tidlige versjoner

src/main/resources/alfresco/messages/rest-framework-messages_nl.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=Toegang is geweigerd
 framework.exception.StaleEntity=Poging tot het bijwerken van een oude entiteit
 framework.exception.UnsupportedResourceOperation=De bewerking wordt niet ondersteund
 framework.exception.DeletedResource=De resource {0} is verwijderd uit deze versie van de REST API
-framework.exception.RequestEntityTooLarge=Aanvraag-entiteit te groot
-framework.exception.InsufficientStorage=Limiet contentopslag overschreden
+framework.exception.RequestEntityTooLarge=Het bestand kan niet worden ge\u00fcpload omdat het groter is dan de maximale grootte voor uploads
+framework.exception.InsufficientStorage=Bij het uploaden van het bestand wordt de toegestane contentopslag overschreden
 framework.no.stacktrace=Om veiligheidsredenen wordt de stacktracering niet meer weergegeven, maar de eigenschap wordt bewaard voor vorige versies

src/main/resources/alfresco/messages/rest-framework-messages_pt_BR.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=Permiss\u00e3o negada
 framework.exception.StaleEntity=Tentativa de atualizar uma entidade obsoleta
 framework.exception.UnsupportedResourceOperation=A opera\u00e7\u00e3o n\u00e3o \u00e9 suportada
 framework.exception.DeletedResource=Nesta vers\u00e3o do recurso REST API, {0} foi exclu\u00eddo
-framework.exception.RequestEntityTooLarge=Entidade de solicita\u00e7\u00e3o muito grande
+framework.exception.RequestEntityTooLarge=O arquivo n\u00e3o pode ser carregado pois \u00e9 maior do que o tamanho m\u00e1ximo permitido para carregamento
 framework.exception.InsufficientStorage=Cota de conte\u00fado de armazenamento excedida
 framework.no.stacktrace=Por motivos de seguran\u00e7a, o rastreamento de pilha n\u00e3o \u00e9 mais exibido, mas a propriedade foi mantida para as vers\u00f5es anteriores

src/main/resources/alfresco/messages/rest-framework-messages_ru.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=\u0412 \u0440\u0430\u0437\u0440\u0435\u0448
 framework.exception.StaleEntity=\u041f\u043e\u043f\u044b\u0442\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u0443\u0441\u0442\u0430\u0440\u0435\u0432\u0448\u0443\u044e \u0441\u0443\u0449\u043d\u043e\u0441\u0442\u044c
 framework.exception.UnsupportedResourceOperation=\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u044f \u043d\u0435 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0435\u0442\u0441\u044f
 framework.exception.DeletedResource=\u0412 \u044d\u0442\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438 REST API \u0440\u0435\u0441\u0443\u0440\u0441 {0} \u0443\u0434\u0430\u043b\u0435\u043d
-framework.exception.RequestEntityTooLarge=\u0421\u043b\u0438\u0448\u043a\u043e\u043c \u0431\u043e\u043b\u044c\u0448\u043e\u0439 \u0437\u0430\u043f\u0440\u043e\u0441
-framework.exception.InsufficientStorage=\u041f\u0440\u0435\u0432\u044b\u0448\u0435\u043d\u0430 \u043a\u0432\u043e\u0442\u0430 \u043d\u0430 \u0445\u0440\u0430\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430
+framework.exception.RequestEntityTooLarge=\u041d\u0435\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u0437\u0430\u0433\u0440\u0443\u0437\u0438\u0442\u044c \u0444\u0430\u0439\u043b, \u043f\u043e\u0442\u043e\u043c\u0443 \u0447\u0442\u043e \u043e\u043d \u043f\u0440\u0435\u0432\u044b\u0448\u0430\u0435\u0442 \u043c\u0430\u043a\u0441\u0438\u043c\u0430\u043b\u044c\u043d\u043e \u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u044b\u0439 \u0440\u0430\u0437\u043c\u0435\u0440
+framework.exception.InsufficientStorage=\u0417\u0430\u0433\u0440\u0443\u0436\u0430\u0435\u043c\u044b\u0439 \u0444\u0430\u0439\u043b \u043f\u0440\u0435\u0432\u044b\u0448\u0430\u0435\u0442 \u043a\u0432\u043e\u0442\u0443 \u043d\u0430 \u0440\u0430\u0437\u043c\u0435\u0440 \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430
 framework.no.stacktrace=\u0418\u0437 \u0441\u043e\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0442\u0440\u0430\u0441\u0441\u0438\u0440\u043e\u0432\u043a\u0430 \u043f\u0430\u043a\u0435\u0442\u0430 \u0431\u043e\u043b\u0435\u0435 \u043d\u0435 \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0430\u0435\u0442\u0441\u044f, \u043d\u043e \u0441\u0432\u043e\u0439\u0441\u0442\u0432\u043e \u0441\u043e\u0445\u0440\u0430\u043d\u0435\u043d\u043e \u0434\u043b\u044f \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0438\u0445 \u0432\u0435\u0440\u0441\u0438\u0439

src/main/resources/alfresco/messages/rest-framework-messages_zh_CN.properties

@@ -12,6 +12,6 @@ framework.exception.PermissionDenied=\u6743\u9650\u88ab\u62d2\u7edd
 framework.exception.StaleEntity=\u5c1d\u8bd5\u66f4\u65b0\u8fc7\u671f\u7684\u5b9e\u4f53
 framework.exception.UnsupportedResourceOperation=\u4e0d\u652f\u6301\u6b64\u64cd\u4f5c
 framework.exception.DeletedResource=\u5728\u6b64\u7248\u672c\u7684 REST API \u4e2d\uff0c\u5df2\u5220\u9664\u8d44\u6e90 {0}
-framework.exception.RequestEntityTooLarge=\u8bf7\u6c42\u5b9e\u4f53\u592a\u5927
-framework.exception.InsufficientStorage=\u8d85\u8fc7\u5185\u5bb9\u5b58\u50a8\u989d\u5ea6
+framework.exception.RequestEntityTooLarge=\u6587\u4ef6\u65e0\u6cd5\u88ab\u4e0a\u4f20\uff0c\u56e0\u4e3a\u5b83\u8d85\u8fc7\u4e86\u6700\u5927\u53ef\u4e0a\u4f20\u7684\u5927\u5c0f
+framework.exception.InsufficientStorage=\u4e0a\u4f20\u6587\u4ef6\u8d85\u8fc7\u5185\u5bb9\u5b58\u50a8\u9650\u989d
 framework.no.stacktrace=\u51fa\u4e8e\u5b89\u5168\u539f\u56e0\uff0c\u4e0d\u518d\u663e\u793a\u5806\u6808\u8f68\u8ff9\uff0c\u4f46\u4e3a\u5148\u524d\u7248\u672c\u4fdd\u7559\u4e86\u8be5\u5c5e\u6027

src/main/resources/alfresco/subsystems.Authentication/alfrescoNtlm/ntlm-filter-context.xml

@@ -0,0 +1,127 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
+<beans>
+   <!-- NullFilter used for this bean, as we are using the more widely-scoped globalAuthenticationFilter -->
+   <bean id="authenticationFilter" class="org.alfresco.repo.web.filter.beans.NullFilter">
+      <property name="active">
+         <value>${ntlm.authentication.sso.enabled}</value>
+      </property>
+   </bean>
+
+   <bean id="ntlm_SSOFallbackBasicAuthenticationDriver" class="org.alfresco.repo.webdav.auth.SSOFallbackBasicAuthenticationDriver">
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="nodeService"/>
+      </property>
+      <property name="transactionService">
+         <ref bean="transactionService" />
+      </property>
+   </bean>
+
+   <bean id="globalAuthenticationFilter" class="org.alfresco.web.app.servlet.NTLMAuthenticationFilter">
+      <property name="active">
+         <value>${ntlm.authentication.sso.enabled}</value>
+      </property>
+      <property name="ticketLogons">
+         <value>${ntlm.authentication.browser.ticketLogons}</value>
+      </property>
+      <property name="serverConfiguration">
+         <ref bean="fileServerConfiguration" />
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="authenticationListener">
+         <ref bean="globalAuthenticationListener"/>
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="mapUnknownUserToGuest">
+         <value>${ntlm.authentication.mapUnknownUserToGuest}</value>
+      </property>
+      <property name="remoteUserMapper">
+         <ref bean="RemoteUserMapper" />
+      </property>
+   </bean>
+
+   <bean id="webscriptAuthenticationFilter" class="org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter">
+      <property name="active">
+         <value>${ntlm.authentication.sso.enabled}</value>
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="container">
+         <ref bean="webscripts.container" />
+      </property>
+   </bean>
+
+   <bean id="webDavAuthenticationFilter" class="org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter">
+      <property name="active">
+         <value>${ntlm.authentication.sso.enabled}</value>
+      </property>
+      <property name="ticketLogons">
+         <value>true</value>
+      </property>
+      <property name="serverConfiguration">
+         <ref bean="fileServerConfiguration" />
+      </property>
+      <property name="authenticationListener">
+         <ref bean="webDavAuthenticationListener"/>
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="mapUnknownUserToGuest">
+         <value>${ntlm.authentication.mapUnknownUserToGuest}</value>
+      </property>
+      <property name="remoteUserMapper">
+         <ref bean="RemoteUserMapper" />
+      </property>
+      <property name="fallbackEnabled">
+         <value>${ntlm.authentication.sso.fallback.enabled}</value>
+      </property>
+      <property name="fallback">
+         <ref bean="ntlm_SSOFallbackBasicAuthenticationDriver"/>
+      </property>
+   </bean>
+</beans>

src/main/resources/alfresco/subsystems.Authentication/alfrescoNtlm/ntlm-filter.properties

@@ -0,0 +1,4 @@
+ntlm.authentication.sso.enabled=false
+ntlm.authentication.mapUnknownUserToGuest=false
+ntlm.authentication.browser.ticketLogons=true
+ntlm.authentication.sso.fallback.enabled=true

src/main/resources/alfresco/subsystems.Authentication/external/external-filter-context.xml

@@ -0,0 +1,30 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
+<beans>
+
+   <!-- Enable cookie-based handling of webscript logins. We must assume cookie based client authentication when external auth is in the chain. -->
+   <bean id="webscriptAuthenticationFilter" class="org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter">
+      <property name="active">
+         <value>true</value>
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="container">
+         <ref bean="webscripts.container" />
+      </property>
+   </bean>
+
+</beans>

src/main/resources/alfresco/subsystems.Authentication/kerberos/kerberos-filter-context.xml

@@ -0,0 +1,154 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
+<beans>
+   <!-- NullFilter used for this bean, as we are using the more widely-scoped globalAuthenticationFilter -->
+   <bean id="authenticationFilter" class="org.alfresco.repo.web.filter.beans.NullFilter">
+      <property name="active">
+         <value>${kerberos.authentication.sso.enabled}</value>
+      </property>
+   </bean>
+
+   <bean id="kerberos_SSOFallbackBasicAuthenticationDriver" class="org.alfresco.repo.webdav.auth.SSOFallbackBasicAuthenticationDriver">
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="nodeService"/>
+      </property>
+      <property name="transactionService">
+         <ref bean="transactionService" />
+      </property>
+   </bean>
+
+   <bean id="globalAuthenticationFilter" class="org.alfresco.web.app.servlet.KerberosAuthenticationFilter">
+      <property name="active">
+         <value>${kerberos.authentication.sso.enabled}</value>
+      </property>
+      <property name="ticketLogons">
+         <value>${kerberos.authentication.browser.ticketLogons}</value>
+      </property>
+      <property name="serverConfiguration">
+         <ref bean="fileServerConfiguration" />
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="authenticationListener">
+         <ref bean="globalAuthenticationListener"/>
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="realm">
+         <value>${kerberos.authentication.realm}</value>
+      </property>
+      <property name="password">
+         <value>${kerberos.authentication.http.password}</value>
+      </property>
+      <property name="jaasConfigEntryName">
+         <value>${kerberos.authentication.http.configEntryName}</value>
+      </property>
+      <property name="stripKerberosUsernameSuffix">
+         <value>${kerberos.authentication.stripUsernameSuffix}</value>
+      </property>
+      <property name="remoteUserMapper">
+         <ref bean="RemoteUserMapper" />
+      </property>
+      <property name="fallbackEnabled">
+         <value>${kerberos.authentication.sso.fallback.enabled}</value>
+      </property>
+      <property name="fallback">
+         <ref bean="kerberos_SSOFallbackBasicAuthenticationDriver"/>
+      </property>
+   </bean>
+
+   <bean id="webscriptAuthenticationFilter" class="org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter">
+      <property name="active">
+         <value>${kerberos.authentication.sso.enabled}</value>
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="container">
+         <ref bean="webscripts.container" />
+      </property>
+   </bean>
+
+   <bean id="webDavAuthenticationFilter" class="org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter">
+      <property name="active">
+         <value>${kerberos.authentication.sso.enabled}</value>
+      </property>
+      <property name="ticketLogons">
+         <value>true</value>
+      </property>
+      <property name="serverConfiguration">
+         <ref bean="fileServerConfiguration" />
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="authenticationListener">
+         <ref bean="webDavAuthenticationListener"/>
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="realm">
+         <value>${kerberos.authentication.realm}</value>
+      </property>
+      <property name="password">
+         <value>${kerberos.authentication.http.password}</value>
+      </property>
+      <property name="jaasConfigEntryName">
+         <value>${kerberos.authentication.http.configEntryName}</value>
+      </property>
+      <property name="stripKerberosUsernameSuffix">
+         <value>${kerberos.authentication.stripUsernameSuffix}</value>
+      </property>
+      <property name="remoteUserMapper">
+         <ref bean="RemoteUserMapper" />
+      </property>
+      <property name="fallbackEnabled">
+         <value>${kerberos.authentication.sso.fallback.enabled}</value>
+      </property>
+      <property name="fallback">
+         <ref bean="kerberos_SSOFallbackBasicAuthenticationDriver"/>
+      </property>
+      <property name="loginPageLink">
+         <value>${kerberos.authentication.sso.login.page.link}</value>
+      </property>
+   </bean>
+</beans>

src/main/resources/alfresco/subsystems.Authentication/kerberos/kerberos-filter.properties

@@ -0,0 +1,6 @@
+kerberos.authentication.http.configEntryName=AlfrescoHTTP
+kerberos.authentication.http.password=secret
+kerberos.authentication.sso.enabled=true
+kerberos.authentication.browser.ticketLogons=true
+kerberos.authentication.sso.fallback.enabled=true
+kerberos.authentication.sso.login.page.link=/webdav

src/main/resources/alfresco/subsystems.Authentication/passthru/ntlm-filter-context.xml

@@ -0,0 +1,130 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
+<beans>
+   <!-- NullFilter used for this bean, as we are using the more widely-scoped globalAuthenticationFilter -->
+   <bean id="authenticationFilter" class="org.alfresco.repo.web.filter.beans.NullFilter">
+      <property name="active">
+         <value>${ntlm.authentication.sso.enabled}</value>
+      </property>
+   </bean>
+
+   <bean id="passthru_SSOFallbackBasicAuthenticationDriver" class="org.alfresco.repo.webdav.auth.SSOFallbackBasicAuthenticationDriver">
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="nodeService"/>
+      </property>
+      <property name="transactionService">
+         <ref bean="transactionService" />
+      </property>
+   </bean>
+
+   <bean id="globalAuthenticationFilter" class="org.alfresco.web.app.servlet.NTLMAuthenticationFilter">
+      <property name="active">
+         <value>${ntlm.authentication.sso.enabled}</value>
+      </property>
+      <property name="ticketLogons">
+         <value>${ntlm.authentication.browser.ticketLogons}</value>
+      </property>
+      <property name="serverConfiguration">
+         <ref bean="fileServerConfiguration" />
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="authenticationListener">
+        <ref bean="globalAuthenticationListener"/>
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="mapUnknownUserToGuest">
+         <value>${ntlm.authentication.mapUnknownUserToGuest}</value>
+      </property>
+      <property name="remoteUserMapper">
+         <ref bean="RemoteUserMapper" />
+      </property>
+      <property name="fallbackEnabled">
+         <value>${ntlm.authentication.sso.fallback.enabled}</value>
+      </property>
+      <property name="fallback">
+         <ref bean="passthru_SSOFallbackBasicAuthenticationDriver"/>
+      </property>
+   </bean>
+
+   <bean id="webscriptAuthenticationFilter" class="org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter">
+      <property name="active">
+         <value>${ntlm.authentication.sso.enabled}</value>
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="container">
+         <ref bean="webscripts.container" />
+      </property>
+   </bean>
+
+   <bean id="webDavAuthenticationFilter" class="org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter">
+      <property name="active">
+         <value>${ntlm.authentication.sso.enabled}</value>
+      </property>
+      <property name="ticketLogons">
+         <value>true</value>
+      </property>
+      <property name="serverConfiguration">
+         <ref bean="fileServerConfiguration" />
+      </property>
+      <property name="authenticationService">
+         <ref bean="AuthenticationService" />
+      </property>
+      <property name="authenticationComponent">
+         <ref bean="AuthenticationComponent" />
+      </property>
+      <property name="authenticationListener">
+         <ref bean="webDavAuthenticationListener"/>
+      </property>
+      <property name="personService">
+         <ref bean="personService" />
+      </property>
+      <property name="nodeService">
+         <ref bean="NodeService" />
+      </property>
+      <property name="transactionService">
+         <ref bean="TransactionService" />
+      </property>
+      <property name="mapUnknownUserToGuest">
+         <value>${ntlm.authentication.mapUnknownUserToGuest}</value>
+      </property>
+      <property name="fallbackEnabled">
+         <value>${ntlm.authentication.sso.fallback.enabled}</value>
+      </property>
+      <property name="fallback">
+         <ref bean="passthru_SSOFallbackBasicAuthenticationDriver"/>
+      </property>
+   </bean>
+</beans>

src/main/resources/alfresco/subsystems.Authentication/passthru/ntlm-filter.properties

@@ -0,0 +1,4 @@
+ntlm.authentication.sso.enabled=true
+ntlm.authentication.mapUnknownUserToGuest=false
+ntlm.authentication.browser.ticketLogons=true
+ntlm.authentication.sso.fallback.enabled=true

src/main/resources/alfresco/templates/webscripts/org/alfresco/repository/admin/admin-template.ftl

@@ -617,7 +617,7 @@ Admin.addEventListener(window, 'load', function() {
    </div>
    
    <div class="footer">
-      Alfresco Software, Inc. &copy; 2005-2017 All rights reserved.
+      Alfresco Software, Inc. &copy; 2005-${.now?string('yyyy')} All rights reserved.
    </div>
    
 <#else>

src/main/resources/alfresco/templates/webscripts/org/alfresco/repository/site/roles/roles.get.js

@@ -11,8 +11,15 @@ function main()
    }
    
    // calculate the available "roles" and permissions groups for this site
+   var siteRoles = [];
+   var rolesList = siteService.listSiteRoles();
+   for (var i in rolesList)
+   {
+       siteRoles.push(rolesList[i]);
+   }
    // add the "None" pseudo role 
-   var siteRoles = siteService.listSiteRoles().concat(["None"]);
+   siteRoles.push("None");
+   
    var sitePermissionGroups = site.sitePermissionGroups;
    sitePermissionGroups["everyone"] = "GROUP_EVERYONE";
    

src/main/resources/alfresco/web-scripts-application-context.xml

@@ -218,12 +218,6 @@
       <property name="authenticationListener" ref="webScriptAuthenticationListener"/>
    </bean>
 
-   <!--  JSR-168 Authenticator (Portal based) -->
-   <bean id="webscripts.authenticator.jsr168" class="org.alfresco.repo.web.scripts.portlet.JSR168PortletAuthenticatorFactory" lazy-init="true">
-      <property name="unprotAuthenticationService" ref="authenticationService" />
-      <property name="transactionService" ref="TransactionService" />
-   </bean>
-
 
    <!--            -->
    <!--  API Beans -->