Merged V2.2 to HEAD

8144: Fix for AR-1850, AR-2046

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@8487 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/extension/chaining-authentication-context.xml.sample

@@ -16,6 +16,9 @@
         <property name="mutableAuthenticationService">
             <ref bean="authenticationServiceImplAlfresco"/>
         </property>
+        <property name="sysAdminCache">
+            <ref bean="sysAdminCache"/>
+        </property>
     </bean>
     
     <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl">
@@ -41,6 +44,9 @@
         <property name="authenticationComponent">
             <ref bean="authenticationComponentImplAlfresco"/>
         </property>
+        <property name="sysAdminCache">
+            <ref bean="sysAdminCache"/>
+        </property>
     </bean>
     
     <bean id="authenticationDaoAlfresco" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
@@ -54,7 +60,10 @@
             <ref bean="namespaceService"/>
         </property>
         <property name="searchService">
-            <ref bean="searchService"/>
+            <ref bean="admSearchService"/>
+        </property>
+        <property name="retryingTransactionHelper">
+          <ref bean="retryingTransactionHelper"/>
         </property>
         <property name="userNamesAreCaseSensitive">
             <value>${user.name.caseSensitive}</value>
@@ -74,6 +83,15 @@
         <property name="allowGuestLogin">
             <value>true</value>
         </property>
+        <property name="nodeService">
+            <ref bean="nodeService" />
+        </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="transactionService">
+            <ref bean="transactionService" />
+        </property>
     </bean>
     
     <!-- JAAS -->
@@ -88,6 +106,9 @@
         <property name="authenticationComponent">
             <ref bean="authenticationComponentImplJAAS"/>
         </property>
+        <property name="sysAdminCache">
+            <ref bean="sysAdminCache"/>
+        </property>
     </bean>
     
     <bean id="authenticationComponentImplJAAS" class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
@@ -97,6 +118,15 @@
         <property name="jaasConfigEntryName">
             <value>Alfresco</value>
         </property>
+        <property name="nodeService">
+            <ref bean="nodeService" />
+        </property>
+        <property name="personService">
+            <ref bean="personService" />
+        </property>
+        <property name="transactionService">
+            <ref bean="transactionService" />
+        </property>
     </bean>
     
     <bean id="authenticationDaoJAAS" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao"/>

source/java/org/alfresco/repo/admin/RepoServerMgmt.java

@@ -32,27 +32,32 @@ import java.util.TreeSet;
 
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.linkvalidation.LinkValidationService;
-import org.alfresco.repo.security.authentication.AuthenticationServiceImpl;
+import org.alfresco.repo.security.authentication.AbstractAuthenticationService;
 import org.alfresco.repo.transaction.TransactionServiceImpl;
 import org.alfresco.service.license.LicenseService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
 
-
+public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAware, InitializingBean
-public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAware
 {
     private static final Log log = LogFactory.getLog(RepoServerMgmt.class);
 
     private ApplicationContext ctx; // to get license component, if installed
 
     private TransactionServiceImpl transactionService;
-	private AuthenticationServiceImpl authenticationService;
+
+    private AbstractAuthenticationService authenticationService;
+
     private LinkValidationService linkValidationService;
 
-	// property key should be the same as the one in core-services-context.xml (to allow repo to start in multi-user mode even if the property is not set)
+    private boolean initialised = false;
+
+    // property key should be the same as the one in core-services-context.xml (to allow repo to start in multi-user
+    // mode even if the property is not set)
     private final static String PROPERTY_KEY_SINGLE_USER_ONLY = "${server.singleuseronly.name}";
 
     public void setTransactionService(TransactionServiceImpl transactionService)
@@ -60,7 +65,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
         this.transactionService = transactionService;
     }
 
-	public void setAuthenticationService(AuthenticationServiceImpl authenticationService) 
+    public void setAuthenticationService(AbstractAuthenticationService authenticationService)
     {
         this.authenticationService = authenticationService;
     }
@@ -78,6 +83,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#setReadOnly(boolean)
      */
     public void setReadOnly(boolean readOnly)
@@ -99,7 +105,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
             LicenseService licenseService = null;
             try
             {
-				licenseService = (LicenseService)ctx.getBean("org.alfresco.license.LicenseComponent");
+                licenseService = (LicenseService) ctx.getBean("org.alfresco.license.LicenseComponent");
 
                 // verify license, but only if license component is installed
                 licenseService.verifyLicense();
@@ -123,6 +129,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.mbeans.RepoServerMgmtMBean#isReadOnly(java.lang.Boolean)
      */
     public boolean isReadOnly()
@@ -135,6 +142,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.mbeans.RepoServerMgmtMBean#getTicketCountNonExpired()
      */
     public int getTicketCountNonExpired()
@@ -144,6 +152,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.mbeans.RepoServerMgmtMBean#getTicketCountAll()
      */
     public int getTicketCountAll()
@@ -153,6 +162,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.mbeans.RepoServerMgmtMBean#getUserCountNonExpired()
      */
     public int getUserCountNonExpired()
@@ -162,6 +172,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.mbeans.RepoServerMgmtMBean#getUserCountAll()
      */
     public int getUserCountAll()
@@ -169,10 +180,12 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
         return authenticationService.getUsersWithTickets(false).size();
     }
 
-	// Note: implement operations without boolean/Boolean parameter, due to problem with some JMX consoles (e.g. MC4J 1.9 Beta)
+    // Note: implement operations without boolean/Boolean parameter, due to problem with some JMX consoles (e.g. MC4J
+    // 1.9 Beta)
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#listUserNamesNonExpired()
      */
     public String[] listUserNamesNonExpired()
@@ -184,6 +197,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#listUserNamesAll()
      */
     public String[] listUserNamesAll()
@@ -195,6 +209,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.mbeans.RepoServerMgmtMBean#invalidateTicketsExpired()
      */
     public int invalidateTicketsExpired()
@@ -206,6 +221,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.mbeans.RepoServerMgmtMBean#invalidateTicketsAll()
      */
     public int invalidateTicketsAll()
@@ -217,6 +233,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#invalidateUser(java.lang.String)
      */
     public void invalidateUser(String username)
@@ -227,20 +244,23 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#setSingleUserOnly(java.lang.String)
      */
     public void setSingleUserOnly(String allowedUsername)
     {
-		int maxUsers = getMaxUsers();
 
         List<String> allowedUsers = null;
-		if ((allowedUsername != null) && (! allowedUsername.equals("")))
+        if ((allowedUsername != null) && (!allowedUsername.equals("")))
         {
-			if (! allowedUsername.equals(PROPERTY_KEY_SINGLE_USER_ONLY))
+            if (!allowedUsername.equals(PROPERTY_KEY_SINGLE_USER_ONLY))
             {
                 allowedUsers = new ArrayList<String>(0);
                 allowedUsers.add(allowedUsername);
 
+                if (initialised)
+                {
+                    int maxUsers = getMaxUsers();
                     invalidateTicketsAll();
 
                     if (maxUsers != 0)
@@ -253,8 +273,12 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
                     }
                 }
             }
+        }
         else
         {
+            if (initialised)
+            {
+                int maxUsers = getMaxUsers();
                 if (maxUsers == -1)
                 {
                     log.info("Alfresco set to allow logins (no limit set)");
@@ -268,12 +292,14 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
                     log.info("Alfresco set to allow logins (limit = " + maxUsers + ")");
                 }
             }
+        }
 
         authenticationService.setAllowedUsers(allowedUsers);
     }
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#getSingleUserOnly()
      */
     public String getSingleUserOnly()
@@ -295,16 +321,19 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#setMaxUsers(int)
      */
     public void setMaxUsers(int maxUsers)
     {
         authenticationService.setMaxUsers(maxUsers);
 
+        if (initialised)
+        {
             String singleUserOnlyName = getSingleUserOnly();
             if (maxUsers == -1)
             {
-			if ((singleUserOnlyName != null) && (! singleUserOnlyName.equals("")))
+                if ((singleUserOnlyName != null) && (!singleUserOnlyName.equals("")))
                 {
                     log.info("Alfresco set to allow logins (no limit set) - although currently restricted to single-user (" + singleUserOnlyName + ")");
                 }
@@ -319,7 +348,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
             }
             else
             {
-			if ((singleUserOnlyName != null) && (! singleUserOnlyName.equals("")))
+                if ((singleUserOnlyName != null) && (!singleUserOnlyName.equals("")))
                 {
                     log.info("Alfresco set to allow logins (limit = " + maxUsers + ") - although currently restricted to single-user (" + singleUserOnlyName + ")");
                 }
@@ -329,9 +358,11 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
                 }
             }
         }
+    }
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#getMaxUsers()
      */
     public int getMaxUsers()
@@ -341,6 +372,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#setLinkValidationDisabled(boolean)
      */
     public void setLinkValidationDisabled(boolean disable)
@@ -364,6 +396,7 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
     /*
      * (non-Javadoc)
+     * 
      * @see org.alfresco.repo.admin.RepoServerMgmtMBean#isLinkValidationDisabled()
      */
     public boolean isLinkValidationDisabled()
@@ -376,4 +409,9 @@ public class RepoServerMgmt implements RepoServerMgmtMBean, ApplicationContextAw
 
         return linkValidationService.isLinkValidationDisabled();
     }
+
+    public void afterPropertiesSet() throws Exception
+    {
+        initialised = true;
+    }
 }

source/java/org/alfresco/repo/search/impl/lucene/ADMLuceneIndexerImpl.java

@@ -814,9 +814,9 @@ public class ADMLuceneIndexerImpl extends AbstractLuceneIndexerImpl<NodeRef> imp
                         if (transformer == null)
                         {
                             // log it
-                            if (s_logger.isDebugEnabled())
+                            if (s_logger.isInfoEnabled())
                             {
-                                s_logger.debug("Not indexed: No transformation: \n" + "   source: " + reader + "\n" + "   target: " + MimetypeMap.MIMETYPE_TEXT_PLAIN);
+                                s_logger.info("Not indexed: No transformation: \n" + "   source: " + reader + "\n" + "   target: " + MimetypeMap.MIMETYPE_TEXT_PLAIN + " at "+nodeService.getPath(nodeRef));
                             }
                             // don't index from the reader
                             readerReady = false;
@@ -853,9 +853,9 @@ public class ADMLuceneIndexerImpl extends AbstractLuceneIndexerImpl<NodeRef> imp
                             catch (ContentIOException e)
                             {
                                 // log it
-                                if (s_logger.isDebugEnabled())
+                                if (s_logger.isInfoEnabled())
                                 {
-                                    s_logger.debug("Not indexed: Transformation failed", e);
+                                    s_logger.info("Not indexed: Transformation failed at "+nodeService.getPath(nodeRef), e);
                                 }
                                 // don't index from the reader
                                 readerReady = false;
@@ -899,10 +899,10 @@ public class ADMLuceneIndexerImpl extends AbstractLuceneIndexerImpl<NodeRef> imp
                 // URL not present (null reader) or no content at the URL (file missing)
                 {
                     // log it
-                    if (s_logger.isDebugEnabled())
+                    if (s_logger.isInfoEnabled())
                     {
-                        s_logger.debug("Not indexed: Content Missing \n"
+                        s_logger.info("Not indexed: Content Missing \n"
-                                + "   node: " + nodeRef + "\n" + "   reader: " + reader + "\n" + "   content exists: "
+                                + "   node: " + nodeRef  + " at "+nodeService.getPath(nodeRef)+ "\n" + "   reader: " + reader + "\n" + "   content exists: "
                                 + (reader == null ? " --- " : Boolean.toString(reader.exists())));
                     }
                     // not indexed: content missing

source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationService.java

@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) 2005-2007 Alfresco Software Limited.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ * As a special exception to the terms and conditions of version 2.0 of 
+ * the GPL, you may redistribute this Program in connection with Free/Libre 
+ * and Open Source Software ("FLOSS") applications as described in Alfresco's 
+ * FLOSS exception.  You should have recieved a copy of the text describing 
+ * the FLOSS exception, and it is also available here: 
+ * http://www.alfresco.com/legal/licensing"
+ */
+package org.alfresco.repo.security.authentication;
+
+import java.util.List;
+import java.util.Set;
+
+import org.alfresco.repo.cache.SimpleCache;
+import org.alfresco.service.cmr.security.AuthenticationService;
+import org.springframework.beans.factory.InitializingBean;
+
+/**
+ * Common code for authentication services
+ * 
+ * @author andyh
+ */
+public abstract class AbstractAuthenticationService implements AuthenticationService, InitializingBean
+{
+
+    private SimpleCache<String, Object> sysAdminCache;
+
+    private static final String KEY_SYSADMIN_ALLOWED_USERS = "sysAdminCache.authAllowedUsers";
+
+    private static final String KEY_SYSADMIN_MAX_USERS = "sysAdminCache.authMaxUsers";
+
+    private boolean initialised = false;
+
+    private Integer initialMaxUsers = null;
+
+    private List<String> initialAllowedUsers = null;
+
+    public void setSysAdminCache(SimpleCache<String, Object> sysAdminCache)
+    {
+        this.sysAdminCache = sysAdminCache;
+    }
+
+    public void preAuthenticationCheck(String userName) throws AuthenticationException
+    {
+        if (sysAdminCache != null)
+        {
+            List<String> allowedUsers = (List<String>) sysAdminCache.get(KEY_SYSADMIN_ALLOWED_USERS);
+
+            if ((allowedUsers != null) && (!allowedUsers.contains(userName)))
+            {
+                throw new AuthenticationDisallowedException("Username not allowed: " + userName);
+            }
+
+            Integer maxUsers = (Integer) sysAdminCache.get(KEY_SYSADMIN_MAX_USERS);
+
+            if ((maxUsers != null) && (maxUsers != -1) && (getUsersWithTickets(true).size() >= maxUsers))
+            {
+                throw new AuthenticationMaxUsersException("Max users exceeded: " + maxUsers);
+            }
+        }
+    }
+
+    public void setAllowedUsers(List<String> allowedUsers)
+    {
+        if (initialised)
+        {
+            if (sysAdminCache != null)
+            {
+                sysAdminCache.put(KEY_SYSADMIN_ALLOWED_USERS, allowedUsers);
+            }
+        }
+        else
+        {
+            initialAllowedUsers = allowedUsers;
+        }
+
+    }
+
+    @SuppressWarnings("unchecked")
+    public List<String> getAllowedUsers()
+    {
+        if (sysAdminCache != null)
+        {
+            return (List<String>) sysAdminCache.get(KEY_SYSADMIN_ALLOWED_USERS);
+        }
+        else
+        {
+            return null;
+        }
+    }
+
+    public void setMaxUsers(int maxUsers)
+    {
+        if (initialised)
+        {
+            if (sysAdminCache != null)
+            {
+                sysAdminCache.put(KEY_SYSADMIN_MAX_USERS, new Integer(maxUsers));
+            }
+        }
+        else
+        {
+            initialMaxUsers = new Integer(maxUsers);
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    public int getMaxUsers()
+    {
+        if (sysAdminCache != null)
+        {
+            Integer maxUsers = (Integer) sysAdminCache.get(KEY_SYSADMIN_MAX_USERS);
+            return (maxUsers == null ? -1 : maxUsers.intValue());
+        }
+        else
+        {
+            return -1;
+        }
+    }
+
+    public abstract Set<String> getUsersWithTickets(boolean nonExpiredOnly);
+
+    public abstract int invalidateTickets(boolean nonExpiredOnly);
+
+    public abstract int countTickets(boolean nonExpiredOnly);
+
+    public abstract Set<TicketComponent> getTicketComponents();
+
+    final public void afterPropertiesSet() throws Exception
+    {
+        initialised = true;
+        if (sysAdminCache != null)
+        {
+            sysAdminCache.put(KEY_SYSADMIN_MAX_USERS, initialMaxUsers);
+            sysAdminCache.put(KEY_SYSADMIN_ALLOWED_USERS, initialAllowedUsers);
+        }
+    }
+
+}

source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java

@@ -25,14 +25,11 @@
 package org.alfresco.repo.security.authentication;
 
 import java.util.Collections;
-import java.util.List;
 import java.util.Set;
 
-import org.alfresco.repo.cache.SimpleCache;
-import org.alfresco.service.cmr.security.AuthenticationService;
 import org.alfresco.service.cmr.security.PermissionService;
 
-public class AuthenticationServiceImpl implements AuthenticationService
+public class AuthenticationServiceImpl extends AbstractAuthenticationService
 {
     MutableAuthenticationDao authenticationDao;
 
@@ -48,22 +45,11 @@ public class AuthenticationServiceImpl implements AuthenticationService
     
     private boolean allowsUserPasswordChange = true;
     
-    // SysAdmin cache - used to cluster certain JMX operations
-    private SimpleCache<String, Object> sysAdminCache;
-    private final static String KEY_SYSADMIN_ALLOWED_USERS = "sysAdminCache.authAllowedUsers"; // List<String>
-    private final static String KEY_SYSADMIN_MAX_USERS = "sysAdminCache.authMaxUsers"; // Integer
-
-    
     public AuthenticationServiceImpl()
     {
         super();
     }
     
-    public void setSysAdminCache(SimpleCache<String, Object> sysAdminCache)
-    {
-        this.sysAdminCache = sysAdminCache;
-    }
-
     public void setAuthenticationDao(MutableAuthenticationDao authenticationDao)
     {
         this.authenticationDao = authenticationDao;
@@ -124,22 +110,7 @@ public class AuthenticationServiceImpl implements AuthenticationService
     {
         try
         {
-            // clear context - to avoid MT concurrency issue (causing domain mismatch) - see also 'validate' below
+            preAuthenticationCheck(userName);
-            clearCurrentSecurityContext();
-        	List<String> allowedUsers = (List<String>)sysAdminCache.get(KEY_SYSADMIN_ALLOWED_USERS);
-           
-        	if ((allowedUsers != null) && (! allowedUsers.contains(userName)))
-			{
-				throw new AuthenticationDisallowedException("Username not allowed: " + userName);
-			}
-        	
-        	Integer maxUsers = (Integer)sysAdminCache.get(KEY_SYSADMIN_MAX_USERS);
-        	
-        	if ((maxUsers != null) && (maxUsers != -1) && (ticketComponent.getUsersWithTickets(true).size() >= maxUsers))
-        	{
-        		throw new AuthenticationMaxUsersException("Max users exceeded: " + maxUsers);
-        	}
-        	
         	authenticationComponent.authenticate(userName, password);
         }
         catch(AuthenticationException ae)
@@ -172,29 +143,6 @@ public class AuthenticationServiceImpl implements AuthenticationService
     	return ticketComponent.getUsersWithTickets(nonExpiredOnly);
     }
 
-    public void setAllowedUsers(List<String> allowedUsers)
-    {
-    	sysAdminCache.put(KEY_SYSADMIN_ALLOWED_USERS, allowedUsers);
-    }
-    
-    @SuppressWarnings("unchecked")
-    public List<String> getAllowedUsers()
-    {
-    	return (List<String>)sysAdminCache.get(KEY_SYSADMIN_ALLOWED_USERS);
-    }
-    
-    public void setMaxUsers(int maxUsers)
-    {
-    	sysAdminCache.put(KEY_SYSADMIN_MAX_USERS, new Integer(maxUsers));
-    }
-    
-    @SuppressWarnings("unchecked")
-    public int getMaxUsers()
-    {
-    	Integer maxUsers = (Integer)sysAdminCache.get(KEY_SYSADMIN_MAX_USERS);
-    	return (maxUsers == null ? -1 : maxUsers.intValue());
-    }
-
     public void invalidateTicket(String ticket) throws AuthenticationException
     {
         ticketComponent.invalidateTicketById(ticket);
@@ -250,15 +198,10 @@ public class AuthenticationServiceImpl implements AuthenticationService
     @SuppressWarnings("unchecked")
     public void authenticateAsGuest() throws AuthenticationException
     {
-    	List<String> allowedUsers = (List<String>)sysAdminCache.get(KEY_SYSADMIN_ALLOWED_USERS);
+        preAuthenticationCheck(PermissionService.GUEST_AUTHORITY);
-        
-    	if ((allowedUsers != null) && (! allowedUsers.contains(PermissionService.GUEST_AUTHORITY)))
-		{
-			throw new AuthenticationException("Guest authentication is not allowed");
-		}
-
         authenticationComponent.setGuestUserAsCurrentUser();
         ticketComponent.clearCurrentTicket();
+        ticketComponent.getCurrentTicket(PermissionService.GUEST_AUTHORITY); // to ensure new ticket is created (even if client does not explicitly call getCurrentTicket)
     }
     
     public boolean guestUserAuthenticationAllowed()
@@ -347,7 +290,9 @@ public class AuthenticationServiceImpl implements AuthenticationService
         }
     }
 
-   
+    @Override
-
+    public Set<TicketComponent> getTicketComponents()
-    
+    {
+        return Collections.singleton(ticketComponent);
+    }
 }

source/java/org/alfresco/repo/security/authentication/ChainingAuthenticationServiceImpl.java

@@ -30,6 +30,7 @@ import java.util.List;
 import java.util.Set;
 
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.PermissionService;
 
 /**
  * This class implements a simple chaining authentication service.
@@ -51,7 +52,7 @@ import org.alfresco.service.cmr.security.AuthenticationService;
  * 
  * @author Andy Hind
  */
-public class ChainingAuthenticationServiceImpl implements AuthenticationService
+public class ChainingAuthenticationServiceImpl extends AbstractAuthenticationService
 {
 
     private List<AuthenticationService> authenticationServices;
@@ -157,6 +158,7 @@ public class ChainingAuthenticationServiceImpl implements AuthenticationService
 
     public void authenticate(String userName, char[] password) throws AuthenticationException
     {
+        preAuthenticationCheck(userName);
         for (AuthenticationService authService : getUsableAuthenticationServices())
         {
             try
@@ -175,6 +177,7 @@ public class ChainingAuthenticationServiceImpl implements AuthenticationService
 
     public void authenticateAsGuest() throws AuthenticationException
     {
+        preAuthenticationCheck(PermissionService.GUEST_AUTHORITY);
         for (AuthenticationService authService : getUsableAuthenticationServices())
         {
             try
@@ -411,4 +414,57 @@ public class ChainingAuthenticationServiceImpl implements AuthenticationService
         return domains;
     }
 
+    @Override
+    public Set<String> getUsersWithTickets(boolean nonExpiredOnly)
+    {
+        HashSet<String> users = new HashSet<String>();
+        for (AuthenticationService authService : getUsableAuthenticationServices())
+        {
+            if(authService instanceof AbstractAuthenticationService)
+            {
+                users.addAll( ((AbstractAuthenticationService)authService).getUsersWithTickets(nonExpiredOnly));
+            }
+        }
+        return users;
+    }
+
+    @Override
+    public int countTickets(boolean nonExpiredOnly)
+    {
+        int count = 0;
+        for(TicketComponent tc : getTicketComponents())
+        {
+            count += tc.countTickets(nonExpiredOnly);
+        }
+        return count;
+    }
+
+    @Override
+    public int invalidateTickets(boolean nonExpiredOnly)
+    {
+        int count = 0;
+        for (AuthenticationService authService : getUsableAuthenticationServices())
+        {
+            if(authService instanceof AbstractAuthenticationService)
+            {
+                count += ((AbstractAuthenticationService)authService).invalidateTickets(nonExpiredOnly);
+            }
+        }
+        return count;
+    }
+
+    @Override
+    public Set<TicketComponent> getTicketComponents()
+    {
+        Set<TicketComponent> tcs = new HashSet<TicketComponent>();
+        for (AuthenticationService authService : getUsableAuthenticationServices())
+        {
+            if(authService instanceof AbstractAuthenticationService)
+            {
+                tcs.addAll(((AbstractAuthenticationService)authService).getTicketComponents());
+            }
+        }
+        return tcs;
+    }
+
 }

source/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java

@@ -34,6 +34,7 @@ import java.util.zip.CRC32;
 
 import org.alfresco.repo.cache.SimpleCache;
 import org.alfresco.service.cmr.repository.datatype.Duration;
+import org.alfresco.util.GUID;
 import org.apache.commons.codec.binary.Hex;
 import org.safehaus.uuid.UUIDGenerator;
 
@@ -57,6 +58,8 @@ public class InMemoryTicketComponentImpl implements TicketComponent
 
     private boolean oneOff;
     
+    private String guid;
+
     private SimpleCache<String, Ticket> ticketsCache; // Can't use Ticket as it's private
 
     /**
@@ -66,6 +69,7 @@ public class InMemoryTicketComponentImpl implements TicketComponent
     public InMemoryTicketComponentImpl()
     {
         super();
+        guid = GUID.generate();
     }
 
     /**
@@ -234,6 +238,37 @@ public class InMemoryTicketComponentImpl implements TicketComponent
         }
     }
 
+
+    @Override
+    public int hashCode()
+    {
+        final int PRIME = 31;
+        int result = 1;
+        result = PRIME * result + ((guid == null) ? 0 : guid.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj)
+    {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        final InMemoryTicketComponentImpl other = (InMemoryTicketComponentImpl) obj;
+        if (guid == null)
+        {
+            if (other.guid != null)
+                return false;
+        }
+        else if (!guid.equals(other.guid))
+            return false;
+        return true;
+    }
+    
+    
     /**
      * Ticket
      * @author andyh