Community profiling - repository container WebScript auth txn improvements:

- Fix to return null when a ROLE_ authority is requested from AuthorityDAO - was making needless query to DB that always returned empty and missing caches due to null return value
 - RepositoryContainer improvements - reduce number of txns required during init from 2 to 1, optimized code path when runAs() user is the same as currently authenticated user
 - Optimized code paths through hot Dictionary/Namespace methods when MT is disabled
 - Javadoc corrections
 - small measurable difference to large scale Share test
 - notable improvement to “short” webscript tests – round trip time for a single low impact WebScript request improved

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@41585 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java

@@ -253,22 +253,18 @@ public class RepositoryContainer extends AbstractRuntimeContainer implements Ten
     /* (non-Javadoc)
      * @see org.alfresco.web.scripts.RuntimeContainer#executeScript(org.alfresco.web.scripts.WebScriptRequest, org.alfresco.web.scripts.WebScriptResponse, org.alfresco.web.scripts.Authenticator)
      */
-    public void executeScript(WebScriptRequest scriptReq, WebScriptResponse scriptRes, Authenticator auth)
+    public void executeScript(WebScriptRequest scriptReq, WebScriptResponse scriptRes, final Authenticator auth)
         throws IOException
     {
-        WebScript script = scriptReq.getServiceMatch().getWebScript();
-        Description desc = script.getDescription();
+        final boolean debug = logger.isDebugEnabled();
+        final WebScript script = scriptReq.getServiceMatch().getWebScript();
+        final Description desc = script.getDescription();
         
         // Escalate the webscript declared level of authentication to the container required authentication
         // eg. must be guest if MT is enabled unless credentials are empty
-        RequiredAuthentication required = desc.getRequiredAuthentication();
         RequiredAuthentication containerRequiredAuthentication = getRequiredAuthentication();
-        
-        if ((required.compareTo(containerRequiredAuthentication) < 0) && (! auth.emptyCredentials()))
-        {
-            required = containerRequiredAuthentication;
-        }
-        boolean isGuest = scriptReq.isGuest();
+        final RequiredAuthentication required = (desc.getRequiredAuthentication().compareTo(containerRequiredAuthentication) < 0 && !auth.emptyCredentials() ? containerRequiredAuthentication : desc.getRequiredAuthentication());
+        final boolean isGuest = scriptReq.isGuest();
         
         if (required == RequiredAuthentication.none)
         {
@@ -283,17 +279,16 @@ public class RepositoryContainer extends AbstractRuntimeContainer implements Ten
         }
         else
         {
-            String currentUser = null;
-
             try
             {
                 AuthenticationUtil.pushAuthentication();
+                
                 //
                 // Determine if user already authenticated
                 //
-                currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
-                if (logger.isDebugEnabled())
+                if (debug)
                 {
+                    String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
                     logger.debug("Current authentication: " + (currentUser == null ? "unauthenticated" : "authenticated as " + currentUser));
                     logger.debug("Authentication required: " + required);
                     logger.debug("Guest login requested: " + isGuest);
@@ -302,6 +297,10 @@ public class RepositoryContainer extends AbstractRuntimeContainer implements Ten
                 //
                 // Apply appropriate authentication to Web Script invocation
                 //
+                RetryingTransactionCallback<Boolean> authWork = new RetryingTransactionCallback<Boolean>()
+                {
+                    public Boolean execute() throws Exception
+                    {
                         if (auth == null || auth.authenticate(required, isGuest))
                         {
                             // The user will now have been authenticated, based on HTTP Auth, Ticket etc
@@ -311,7 +310,11 @@ public class RepositoryContainer extends AbstractRuntimeContainer implements Ten
                             if (required == RequiredAuthentication.user || required == RequiredAuthentication.admin)
                             {
                                 String authenticatedUser = AuthenticationUtil.getFullyAuthenticatedUser();
-                        if (authenticatedUser == null || authorityService.isGuestAuthority(authenticatedUser))
+                                String runAsUser = AuthenticationUtil.getRunAsUser();
+                                
+                                if ( (authenticatedUser == null) ||
+                                     (authenticatedUser.equals(runAsUser) && authorityService.hasGuestAuthority()) ||
+                                     (!authenticatedUser.equals(runAsUser) && authorityService.isGuestAuthority(authenticatedUser)) )
                                 {
                                     throw new WebScriptException(HttpServletResponse.SC_UNAUTHORIZED, "Web Script " + desc.getId() + " requires user authentication; however, a guest has attempted access.");
                                 }
@@ -323,13 +326,22 @@ public class RepositoryContainer extends AbstractRuntimeContainer implements Ten
                                 throw new WebScriptException(HttpServletResponse.SC_UNAUTHORIZED, "Web Script " + desc.getId() + " requires admin authentication; however, a non-admin has attempted access.");
                             }
                             
-                    if (logger.isDebugEnabled())
+                            if (debug)
                             {
-                    	currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
+                                String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
                                 logger.debug("Authentication: " + (currentUser == null ? "unauthenticated" : "authenticated as " + currentUser));
                             }
                             
-                    // Execute Web Script
+                            return true;
+                        }
+                        return false;
+                    }        
+                };
+                
+                if (retryingTransactionHelper.doInTransaction(authWork, true))
+                {
+                    // Execute Web Script if authentication passed
+                    // The Web Script has its own txn management with potential runAs() user
                     transactionedExecuteAs(script, scriptReq, scriptRes);
                 }
             }
@@ -340,10 +352,10 @@ public class RepositoryContainer extends AbstractRuntimeContainer implements Ten
                 //
                 AuthenticationUtil.popAuthentication();
                 
-                if (logger.isDebugEnabled())
+                if (debug)
                 {
-                    String user = AuthenticationUtil.getFullyAuthenticatedUser();
-                    logger.debug("Authentication reset: " + (user == null ? "unauthenticated" : "authenticated as " + user));
+                    String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
+                    logger.debug("Authentication reset: " + (currentUser == null ? "unauthenticated" : "authenticated as " + currentUser));
                 }
             }
         }