mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-24 17:32:48 +00:00
Moved repository master into its own directory
165
repository/docs/identity-provider/authentication/README.md
Normal file
@@ -0,0 +1,165 @@
|
||||
## Authentication
|
||||
|
||||

|
||||
|
||||
### Purpose
|
||||
|
||||
The purpose of this sub-component is to authenticate users.
|
||||
***
|
||||
|
||||
### Overview
|
||||
|
||||
In order to use any service in Alfresco, a user must be authenticated.
|
||||
|
||||
Alfresco provides a default Authentication implementation that uses userid's and passwored
|
||||
managed by Alfresco. But, importantly, Alfresco also allows the customer
|
||||
to integrate with a number of external Authentication providers including
|
||||
* Active Directory
|
||||
* Kerberos
|
||||
* LDAP
|
||||
|
||||
***
|
||||
|
||||
### Artifacts and Guidance
|
||||
|
||||
* Source Code Links:
|
||||
* https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root/enterpriseprojects/repository/source/java/
|
||||
* https://github.com/Alfresco/alfresco-data-model/tree/master/src/main/java/org/alfresco/repo/security/authentication
|
||||
* License: LGPL
|
||||
* Issue Tracker Link: https://issues.alfresco.com/jira/issues/?jql=project%3DREPO
|
||||
* Documentation Link: http://docs.alfresco.com/5.2/concepts/auth-intro.html
|
||||
* Contribution Model: Alfresco Open Source
|
||||
***
|
||||
|
||||
|
||||
### Prerequisite Knowledge
|
||||
|
||||
* [Acegi](http://springinpractice.com/2008/02/26/acegi-overview)
|
||||
* [CAS](https://en.wikipedia.org/wiki/Central_Authentication_Service)
|
||||
* [JAAS](http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html)
|
||||
* [Kerberos](https://msdn.microsoft.com/en-us/library/bb742516.aspx)
|
||||
* [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)
|
||||
***
|
||||
|
||||
### Design
|
||||
|
||||
#### Default Authentication
|
||||
|
||||
In order to use any service in Alfresco, a user or client must be authenticated.
|
||||
|
||||
There is a default implementation provided that authenticates users based on a userid and password, where the userid's and passwords
|
||||
are stored in the Alfresco repository.
|
||||
|
||||
#### Chaining
|
||||
|
||||
Most production systems that use Alfresco will rely upon more secure approaches, so Alfresco also allows the
|
||||
customer to integrate a choice of existing authentication providers, including *Active Directory*, *Kerberos* and *LDAP*.
|
||||
|
||||
The implementation of each such Authorization provider is delivered as a separate Alfresco Subsystem.
|
||||
The Subsystems are chained together as an ordered list of providers each of which, in turn, will be given
|
||||
a chance to authenticate the user, until the user is authenticated or there are no providers, in
|
||||
which case the authentication of the user fails.
|
||||
|
||||
|
||||
#### Component Model
|
||||
|
||||
#### Data Model
|
||||

|
||||
|
||||
#### Data Dictionary
|
||||
|
||||
#### Flows
|
||||
|
||||
##### Login Flow
|
||||
|
||||
##### Default Authentication Login Flow
|
||||
This flow starts when the Login Post request
|
||||
depicted in [Client Login](../../../share/share-app/resource/sequence/client-login-sequence.png) reaches the repository tier.
|
||||

|
||||
|
||||
##### Default Authentication Logoff Flow
|
||||

|
||||
|
||||
##### Kerberos Authentication Login Flow
|
||||

|
||||
|
||||
#### Class Diagram
|
||||

|
||||
|
||||
|
||||
### APIs and Interfaces
|
||||
|
||||
#### Java
|
||||
|
||||
The sub-component provides a definition and implementation of the following
|
||||
Java interfaces.
|
||||
|
||||
* **Authentication Service**
|
||||
**Note**: This service is part of the Public API
|
||||
* authenticate using a user name and password
|
||||
* authenticate using a ticket
|
||||
* create, update and delete authentication information
|
||||
* clear the current authentication
|
||||
* invalidate a ticket
|
||||
* get the username for who is currently authenticated
|
||||
* get a ticket for subsequent re-authentication
|
||||
* determine if the current user is 'the system user
|
||||
* **MutableAuthenticationService*
|
||||
|
||||
In addition, there are a number of related interfaces that provide
|
||||
a way to manage users and groups and permissions
|
||||

|
||||
*This information should probably move to the Identity sub-component after the content already there (future design thoughts)
|
||||
is relocated*
|
||||
|
||||
* **Authority Service**
|
||||
**Note**: This service is part of the Public API
|
||||
* create authority identifiers
|
||||
* query for authority identifiers
|
||||
* delete authority identifiers
|
||||
* organize authority identifiers into hierarchies
|
||||
* query against authority identifiers hierarchies
|
||||
* find all the authorties that apply to the current authenticated user
|
||||
* determine if the current authenticated user has admin rights
|
||||
* **Ownable Service**
|
||||
**Note**: This service is **not** part of the Public API
|
||||
* determine the owner of a node;
|
||||
* set the owner of a node;
|
||||
* determine if a node has an owner
|
||||
* allow the current user to take ownership of a node
|
||||
* **Person Service**
|
||||
**Note**: This service is part of the Public API
|
||||
* obtain a reference to the Person node for a given user name
|
||||
* determine if a person entry exists for a user
|
||||
* create missing people entries, with default settings, on demand
|
||||
* supply a list of mutable properties for each person
|
||||
* create, delete and update personal information
|
||||
***
|
||||
#### REST
|
||||
|
||||
The sub-component provides the following REST API
|
||||
* https://api-explorer.alfresco.com/api-explorer/#/authentication
|
||||
|
||||
### Configuration
|
||||
***
|
||||
|
||||
### Performance Considerations
|
||||

|
||||
Describe Caching of tickets
|
||||
As mentioned in the *Security Considerations* section, Bcrypt can be used to encrypt passwords. Note that is
|
||||
is much slower than MD4 or SHA-256.
|
||||
***
|
||||
|
||||
### Security Considerations
|
||||
***
|
||||
In the case of the default Authentication provider, Alfresco is responsible for storing
|
||||
userid's and passwords. The passwords are stored as hashed values. The default hashing
|
||||
algorithm used is MD4, but the customer can also elect to use more secure hashing algorithms
|
||||
include SHA-256 and Bcrypt. The system property *system.preferred.password.encoding* is used
|
||||
to select which algorithm is used.
|
||||
|
||||
### Cloud Considerations
|
||||
|
||||

|
||||
Describe OAuth2 for protection of Cloud REST API's.
|
||||
***
|
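Review bot: the Chaining paragraph says "The implementation of each such Authorization provider is delivered as a separate Alfresco Subsystem." while the section is describing authentication providers (Active Directory, Kerberos, LDAP); authentication (who the user is) and authorization (what they may do) are distinct concerns in this sub-component, so this should read "Authentication provider". In the Performance and Security sections, Bcrypt hashes passwords rather than encrypting them, and its cost relative to MD4 or SHA-256 is the intended work factor of a password hash, so "Bcrypt can be used to encrypt passwords. Note that is is much slower" should say "hash" and present the slowness as deliberate; since the text already ranks SHA-256 and Bcrypt as more secure than the MD4 default, it would help to state which value of `system.preferred.password.encoding` selects each and to recommend bcrypt for new installs. Minor: "passwored" -> "passwords", "authorties" -> "authorities", the unclosed quote in "'the system user", the unbalanced bold in "**MutableAuthenticationService*" (and that bullet lists no capabilities), "include SHA-256" -> "including SHA-256"; the Component Model, Data Dictionary, Class Diagram and Configuration headings have no body and "Describe Caching of tickets" / "Describe OAuth2 for protection of Cloud REST API's." are placeholders, so mark them TODO; the svn.alfresco.com enterprise link is not reachable for community readers.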
Binary file not shown (added image, size 180 KiB).
@@ -0,0 +1,117 @@
|
||||
@startuml
|
||||
|
||||
Title: Default Authentication Login Flow
|
||||
|
||||
participant "Repository\nContainer" as W
|
||||
participant "LoginPost\nbean" as LB
|
||||
participant "SubsystemChaining\nAuthenticationService" as SCAS
|
||||
participant "MutableAuthentication\nServiceImpl" as AS
|
||||
participant "Authentication\nComponentImpl" as AC
|
||||
participant "PersonServiceImpl" as PS
|
||||
participant "NodeService" as NS
|
||||
participant "Authentication\nContextImpl" as ACX
|
||||
participant "Authentication\nUtil" as AU
|
||||
participant "InMemoryTicketComponentImpl" as ITC
|
||||
participant "AuthorityServiceImpl" as AUS
|
||||
participant "RepositoryAuthenticatedUser" as RAU
|
||||
participant "RepositoryAuthenticationDao" as RAD
|
||||
participant "MD4PasswordEncoderImpl" as MPE
|
||||
participant "RepositoryAuthenticationProvider" as RAP
|
||||
participant "CompositePasswordEncoder" as CPE
|
||||
|
||||
activate W
|
||||
W->LB: login request <username> <password>
|
||||
LB->LB: login <username> <password>
|
||||
LB->SCAS:authenticate <username> <password>
|
||||
note right of SCAS
|
||||
allowedUsers and maxUsers check
|
||||
end note
|
||||
SCAS->SCAS: preAuthenticationCheck
|
||||
note right of SCAS
|
||||
get list of usableAuthenticationServices
|
||||
and iterates over this list. In
|
||||
this default case there is a single
|
||||
service 'alfrescoNtlm'
|
||||
end note
|
||||
SCAS->AS: authenticate\n<username> <password>
|
||||
AS->AC:clearCurrentSecurityContext
|
||||
AC->ACX:clearCurrentSecurityContext
|
||||
ACX->AU:clearCurrentSecurityContext
|
||||
AU->ACX: done
|
||||
ACX->AC: done
|
||||
AC->AS: done
|
||||
AS->ITC:clearCurrentTicket
|
||||
ITC->AS: done
|
||||
note right of AS
|
||||
allowedUsers and maxUsers check
|
||||
end note
|
||||
AS->AS: preAuthenticationCheck
|
||||
note right of AS
|
||||
Checks cache to detect
|
||||
Brute Force attack
|
||||
end note
|
||||
AS->AS: isUserProtected <username>
|
||||
AS->AC: authenticate\n<username> <password>
|
||||
AC->PS:getUserIdentifier <username>
|
||||
PS->PS:getPersonOrNullImpl
|
||||
PS->PS:looks for Person\nin Cache
|
||||
PS->NS:get properties of Person\nand checks if\nneeds to add to cache
|
||||
PS->AC: username
|
||||
note right of AC
|
||||
Checks for guest
|
||||
end note
|
||||
AC->AC:isGuestUserName
|
||||
AC->AC: authenticateImpl <username> <password>
|
||||
AC->AU: getUserTenant
|
||||
AU->AC: tenant
|
||||
group Retrying Transaction
|
||||
AC->RAD: loadUserByUsername <username>
|
||||
RAD->RAU: constructor <username> <hashedpassword>
|
||||
RAD->AC: user details
|
||||
AC->RAP: isPasswordCorrect\n(UsernamePasswordAuthenticationToken, user details)
|
||||
RAP->CPE: matches
|
||||
CPE->MPE:isPasswordValid
|
||||
MPE->MPE:encodeInternal
|
||||
MPE->MPE: true
|
||||
MPE->RAP: true
|
||||
RAP->AC: true
|
||||
AC->AUS: isAdminAuthority
|
||||
AUS->AC: false
|
||||
AC->PS:getPersonOrNullImpl
|
||||
PS->PS:looks for Person\nin Cache
|
||||
PS->NS:get properties of Person\nand checks if\nneeds to add to cache
|
||||
NS->PS: properties
|
||||
PS->AC: username
|
||||
end
|
||||
group setCurrentUser <username>
|
||||
AC->ACX: isSystemUserName <username>
|
||||
ACX->AC: false
|
||||
AC->AC: setUserDetails (role=<b>ROLE_AUTHENTICATED</b>)
|
||||
end
|
||||
note right of AC
|
||||
Increment numberSuccessfulAuthentications
|
||||
end note
|
||||
AC->AC: onAuthenticate
|
||||
AC->AS: succeeded
|
||||
AS->ITC: clearCurrentTicket
|
||||
ITC->AS: done
|
||||
AS->ITC: getCurrentTicket (auto create off)
|
||||
ITC->AS
|
||||
AS->AS: getNewTicket
|
||||
AS->AS: preAuthenticationCheck
|
||||
AS->ITC: getNewTicket
|
||||
AS->SCAS
|
||||
SCAS->LB
|
||||
note right of LB
|
||||
Put ticket into the model
|
||||
end note
|
||||
LB->AS: getCurrentTicket
|
||||
AS->LB: ticket
|
||||
LB->W: Login Request Response
|
||||
note right of W
|
||||
Authentication TICKET
|
||||
returned in model
|
||||
end note
|
||||
deactivate W
|
||||
|
||||
@enduml
|
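Review bot: several arrows carry no message (`ITC->AS`, `AS->SCAS`, `SCAS->LB`), `AS->ITC: getNewTicket` has no reply even though the ticket is read back immediately via `getCurrentTicket`, and `MPE->MPE: true` is drawn as a self-call but labeled with a return value; label the returns (`ticket`, `succeeded`) so the ticket's path back to the LoginPost bean is visible. The diagram also hard-wires `MD4PasswordEncoderImpl` behind `CompositePasswordEncoder`; a note that this is the default `system.preferred.password.encoding` and that the SHA-256/Bcrypt encoders plug in at the same point would keep it consistent with the README's Security Considerations. Only the success path is shown: the `isUserProtected` check ("Checks cache to detect Brute Force attack"), the `allowedUsers and maxUsers check` and a password mismatch all have failure branches that the caller sees, and an `alt` block or a companion diagram for them would document the controls this flow actually enforces.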
Binary file not shown (added image, size 383 KiB).
@@ -0,0 +1,310 @@
|
||||
@startuml
|
||||
|
||||
' Generated using https://github.com/juanmf/Java2PlantUML
|
||||
|
||||
left to right direction
|
||||
' Participants
|
||||
|
||||
interface org.alfresco.repo.security.authentication.AlfrescoSecureContext {
|
||||
--
|
||||
+ getEffectiveAuthentication() : Authentication
|
||||
+ getRealAuthentication() : Authentication
|
||||
+ setEffectiveAuthentication(i Authentication) : void
|
||||
+ setRealAuthentication(i Authentication) : void
|
||||
|
||||
}
|
||||
interface net.sf.acegisecurity.context.security.SecureContext {
|
||||
--
|
||||
+ getAuthentication() : Authentication
|
||||
+ setAuthentication(i Authentication) : void
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.AuthenticationUtil$ThreadLocalStack {
|
||||
--
|
||||
~ AuthenticationUtil$ThreadLocalStack()
|
||||
# initialValue() : Stack
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.TicketExpiredException {
|
||||
- serialVersionUID : long
|
||||
--
|
||||
+ TicketExpiredException(c String)
|
||||
+ TicketExpiredException(c String, c Throwable)
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$Ticket {
|
||||
- expires : c InMemoryTicketComponentImpl$ExpiryMode
|
||||
- expiryDate : c Date
|
||||
- serialVersionUID : long
|
||||
- testDuration : c Duration
|
||||
- ticketId : c String
|
||||
- userName : c String
|
||||
- validDuration : c Duration
|
||||
--
|
||||
- InMemoryTicketComponentImpl$Ticket(c InMemoryTicketComponentImpl$ExpiryMode, c Date, c String, c Duration, c String)
|
||||
~ InMemoryTicketComponentImpl$Ticket(c InMemoryTicketComponentImpl$ExpiryMode, c Date, c String, c Duration)
|
||||
# getExpires() : InMemoryTicketComponentImpl$ExpiryMode
|
||||
# getExpiryDate() : Date
|
||||
# getTicketId() : String
|
||||
# getUserName() : String
|
||||
+ equals(c Object) : boolean
|
||||
+ hashCode() : int
|
||||
~ getNewEntry() : InMemoryTicketComponentImpl$Ticket
|
||||
~ hasExpired(c Date) : boolean
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl {
|
||||
+ GRANTED_AUTHORITY_TICKET_PREFIX : c String
|
||||
- currentTicket : ThreadLocal< String>
|
||||
- expiryMode : c InMemoryTicketComponentImpl$ExpiryMode
|
||||
- guid : c String
|
||||
- oneOff : boolean
|
||||
- ticketsCache : SimpleCache< String, InMemoryTicketComponentImpl$Ticket>
|
||||
- ticketsExpire : boolean
|
||||
- useSingleTicketPerUser : boolean
|
||||
- validDuration : c Duration
|
||||
--
|
||||
+ InMemoryTicketComponentImpl()
|
||||
+ clearCurrentSecurityContext() : void
|
||||
+ clearCurrentTicket() : void
|
||||
+ countTickets(boolean) : int
|
||||
+ equals(c Object) : boolean
|
||||
+ getAuthorityForTicket(c String) : String
|
||||
+ getCurrentTicket(c String, boolean) : String
|
||||
+ getNewTicket(c String) : String
|
||||
+ getUseSingleTicketPerUser() : boolean
|
||||
+ getUsersWithTickets(boolean) : Set
|
||||
+ hashCode() : int
|
||||
+ invalidateTicketById(c String) : void
|
||||
+ invalidateTicketByUser(c String) : void
|
||||
+ invalidateTickets(boolean) : int
|
||||
+ setExpiryMode(c String) : void
|
||||
+ setOneOff(boolean) : void
|
||||
+ setTicketsCache( SimpleCache< String, InMemoryTicketComponentImpl$Ticket>) : void
|
||||
+ setTicketsExpire(boolean) : void
|
||||
+ setUseSingleTicketPerUser(boolean) : void
|
||||
+ setValidDuration(c String) : void
|
||||
+ validateTicket(c String) : String
|
||||
- findNonExpiredUserTicket(c String) : InMemoryTicketComponentImpl$Ticket
|
||||
- getTicketByTicketString(c String) : InMemoryTicketComponentImpl$Ticket
|
||||
- getTicketKey(c String) : String
|
||||
|
||||
}
|
||||
interface org.springframework.beans.factory.InitializingBean {
|
||||
--
|
||||
+ afterPropertiesSet() : void
|
||||
|
||||
}
|
||||
interface org.alfresco.repo.security.authentication.AuthenticationStep {
|
||||
--
|
||||
+ getArgs() : Object;
|
||||
+ getKey() : String
|
||||
+ getMessage() : String
|
||||
+ isSuccess() : boolean
|
||||
|
||||
}
|
||||
interface org.alfresco.repo.security.authentication.AuthenticationUtil$RunAsWork <Result extends c Object> {
|
||||
--
|
||||
+ doWork() : Object
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.AuthenticationUtil {
|
||||
+ SYSTEM_USER_NAME : c String
|
||||
- defaultAdminUserName : c String
|
||||
- defaultGuestUserName : c String
|
||||
- initialized : boolean
|
||||
- mtEnabled : boolean
|
||||
- threadLocalFullAuthenticationStack : ThreadLocal< Stack< Authentication>>
|
||||
- threadLocalRunAsAuthenticationStack : ThreadLocal< Stack< Authentication>>
|
||||
- threadLocalTenantDomainStack : ThreadLocal< Stack< String>>
|
||||
~ s_logger : i Log
|
||||
--
|
||||
+ AuthenticationUtil()
|
||||
+ afterPropertiesSet() : void
|
||||
+ clearCurrentSecurityContext() : void
|
||||
+ getAdminRoleName() : String
|
||||
+ getAdminUserName() : String
|
||||
+ getFullAuthentication() : Authentication
|
||||
+ getFullyAuthenticatedUser() : String
|
||||
+ getGuestRoleName() : String
|
||||
+ getGuestUserName() : String
|
||||
+ getRunAsAuthentication() : Authentication
|
||||
+ getRunAsUser() : String
|
||||
+ getSystemUserName() : String
|
||||
+ getUserTenant(c String) : Pair
|
||||
+ isMtEnabled() : boolean
|
||||
+ isRunAsUserTheSystemUser() : boolean
|
||||
+ logAuthenticatedUsers() : void
|
||||
+ logNDC(c String) : void
|
||||
+ popAuthentication() : void
|
||||
+ pushAuthentication() : void
|
||||
+ runAs( AuthenticationUtil$RunAsWork<R>, c String) : Object
|
||||
+ runAsSystem( AuthenticationUtil$RunAsWork<R>) : Object
|
||||
+ setAdminUserAsFullyAuthenticatedUser() : Authentication
|
||||
+ setDefaultAdminUserName(c String) : void
|
||||
+ setDefaultGuestUserName(c String) : void
|
||||
+ setFullAuthentication(i Authentication) : Authentication
|
||||
+ setFullyAuthenticatedUser(c String) : Authentication
|
||||
+ setMtEnabled(boolean) : void
|
||||
+ setRunAsUser(c String) : Authentication
|
||||
+ setRunAsUserSystem() : Authentication
|
||||
- getAuthenticationToken(c String, i UserDetails) : UsernamePasswordAuthenticationToken
|
||||
- getDefaultUserDetails(c String) : UserDetails
|
||||
- getUserName(i Authentication) : String
|
||||
- setFullyAuthenticatedUser(c String, i UserDetails) : Authentication
|
||||
~ setRunAsAuthentication(i Authentication) : Authentication
|
||||
~ setRunAsUser(c String, i UserDetails) : Authentication
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.AuthenticationException {
|
||||
- serialVersionUID : long
|
||||
~ diagnostic : c AuthenticationDiagnostic
|
||||
--
|
||||
+ AuthenticationException(c String)
|
||||
+ AuthenticationException(c String, c AuthenticationDiagnostic)
|
||||
+ AuthenticationException(c String, c AuthenticationDiagnostic, c Object;, c Throwable)
|
||||
+ AuthenticationException(c String, c AuthenticationDiagnostic, c Throwable)
|
||||
+ AuthenticationException(c String, c Object;)
|
||||
+ AuthenticationException(c String, c Object;, c AuthenticationDiagnostic)
|
||||
+ AuthenticationException(c String, c Object;, c Throwable)
|
||||
+ AuthenticationException(c String, c Throwable)
|
||||
+ getDiagnostic() : AuthenticationDiagnostic
|
||||
|
||||
}
|
||||
class org.alfresco.error.AlfrescoRuntimeException {
|
||||
- MESSAGE_DELIMITER : c String
|
||||
- errorCounter : c AtomicInteger
|
||||
- msgId : c String
|
||||
- msgParams : c Object;
|
||||
- serialVersionUID : long
|
||||
--
|
||||
+ AlfrescoRuntimeException(c String)
|
||||
+ AlfrescoRuntimeException(c String, c Object;)
|
||||
+ AlfrescoRuntimeException(c String, c Object;, c Throwable)
|
||||
+ AlfrescoRuntimeException(c String, c Throwable)
|
||||
+ create(c String, c Object;) : AlfrescoRuntimeException
|
||||
+ create(c Throwable, c String, c Object;) : AlfrescoRuntimeException
|
||||
+ getMsgId() : String
|
||||
+ getMsgParams() : Object;
|
||||
+ getNumericalId() : String
|
||||
+ getRootCause() : Throwable
|
||||
+ makeRuntimeException(c Throwable, c String, c Object;) : RuntimeException
|
||||
- buildErrorLogNumber(c String) : String
|
||||
- padInt(c StringBuilder, int, int) : void
|
||||
- resolveMessage(c String, c Object;) : String
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.AuthenticationDiagnostic {
|
||||
+ STEP_KEY_LDAP_AUTHENTICATION : c String
|
||||
+ STEP_KEY_LDAP_CONNECTED : c String
|
||||
+ STEP_KEY_LDAP_CONNECTING : c String
|
||||
+ STEP_KEY_LDAP_FORMAT_USER : c String
|
||||
+ STEP_KEY_LDAP_LOOKEDUP_USER : c String
|
||||
+ STEP_KEY_LDAP_LOOKUP_USER : c String
|
||||
+ STEP_KEY_LDAP_SEARCH : c String
|
||||
+ STEP_KEY_VALIDATION : c String
|
||||
+ STEP_KEY_VALIDATION_AUTHENTICATOR_NOT_ACTIVE : c String
|
||||
+ STEP_KEY_VALIDATION_AUTHENTICATOR_NOT_FOUND : c String
|
||||
- serialVersionUID : long
|
||||
- steps : List< AuthenticationStep>
|
||||
--
|
||||
+ AuthenticationDiagnostic()
|
||||
+ addStep(c String, boolean) : void
|
||||
+ addStep(c String, boolean, c Object;) : void
|
||||
+ addStep(i AuthenticationStep) : void
|
||||
+ getSteps() : List
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.AuthenticationStepImpl {
|
||||
- serialVersionUID : long
|
||||
~ args : c Object;
|
||||
~ key : c String
|
||||
~ success : boolean
|
||||
--
|
||||
+ AuthenticationStepImpl(c String)
|
||||
+ getArgs() : Object;
|
||||
+ getKey() : String
|
||||
+ getMessage() : String
|
||||
+ isSuccess() : boolean
|
||||
+ toString() : String
|
||||
|
||||
}
|
||||
interface net.sf.acegisecurity.context.Context {
|
||||
--
|
||||
+ validate() : void
|
||||
|
||||
}
|
||||
class org.alfresco.repo.security.authentication.AlfrescoSecureContextImpl {
|
||||
- effectiveAuthentication : i Authentication
|
||||
- realAuthentication : i Authentication
|
||||
- serialVersionUID : long
|
||||
--
|
||||
+ AlfrescoSecureContextImpl()
|
||||
+ equals(c Object) : boolean
|
||||
+ getAuthentication() : Authentication
|
||||
+ getEffectiveAuthentication() : Authentication
|
||||
+ getRealAuthentication() : Authentication
|
||||
+ hashCode() : int
|
||||
+ setAuthentication(i Authentication) : void
|
||||
+ setEffectiveAuthentication(i Authentication) : void
|
||||
+ setRealAuthentication(i Authentication) : void
|
||||
+ toString() : String
|
||||
+ validate() : void
|
||||
|
||||
}
|
||||
enum org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$ExpiryMode {
|
||||
+ AFTER_FIXED_TIME : c InMemoryTicketComponentImpl$ExpiryMode
|
||||
+ AFTER_INACTIVITY : c InMemoryTicketComponentImpl$ExpiryMode
|
||||
+ DO_NOT_EXPIRE : c InMemoryTicketComponentImpl$ExpiryMode
|
||||
--
|
||||
- InMemoryTicketComponentImpl$ExpiryMode()
|
||||
+ valueOf(c String) : InMemoryTicketComponentImpl$ExpiryMode
|
||||
+ values() : InMemoryTicketComponentImpl$ExpiryMode;
|
||||
|
||||
}
|
||||
interface org.alfresco.repo.security.authentication.TicketComponent {
|
||||
--
|
||||
+ clearCurrentTicket() : void
|
||||
+ countTickets(boolean) : int
|
||||
+ getAuthorityForTicket(c String) : String
|
||||
+ getCurrentTicket(c String, boolean) : String
|
||||
+ getNewTicket(c String) : String
|
||||
+ getUseSingleTicketPerUser() : boolean
|
||||
+ getUsersWithTickets(boolean) : Set
|
||||
+ invalidateTicketById(c String) : void
|
||||
+ invalidateTicketByUser(c String) : void
|
||||
+ invalidateTickets(boolean) : int
|
||||
+ validateTicket(c String) : String
|
||||
|
||||
}
|
||||
|
||||
' Relations
|
||||
|
||||
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl "1" o-left- "1" org.alfresco.repo.cache.SimpleCache : ticketsCache: SimpleCache< String, InMemoryTicketComponentImpl$Ticket>
|
||||
org.alfresco.repo.security.authentication.AlfrescoSecureContextImpl "1" o-left- "1" net.sf.acegisecurity.Authentication : realAuthentication: i Authentication
|
||||
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$Ticket "1" o-left- "1" org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$ExpiryMode : expires: c InMemoryTicketComponentImpl$ExpiryMode
|
||||
org.alfresco.error.AlfrescoRuntimeException "1" o-left- "1" java.util.concurrent.atomic.AtomicInteger : errorCounter: c AtomicInteger
|
||||
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$Ticket "1" o-left- "1" org.alfresco.service.cmr.repository.datatype.Duration : testDuration: c Duration
|
||||
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$Ticket "1" o-left- "1" org.alfresco.service.cmr.repository.datatype.Duration : validDuration: c Duration
|
||||
org.alfresco.repo.security.authentication.AuthenticationUtil "1" o-left- "1" org.apache.commons.logging.Log : s_logger: i Log
|
||||
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl "1" o-left- "1" org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$ExpiryMode : expiryMode: c InMemoryTicketComponentImpl$ExpiryMode
|
||||
org.alfresco.repo.security.authentication.AuthenticationException "1" o-left- "1" org.alfresco.repo.security.authentication.AuthenticationDiagnostic : diagnostic: c AuthenticationDiagnostic
|
||||
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$Ticket "1" o-left- "1" java.util.Date : expiryDate: c Date
|
||||
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl "1" o-left- "1" org.alfresco.service.cmr.repository.datatype.Duration : validDuration: c Duration
|
||||
org.alfresco.repo.security.authentication.AlfrescoSecureContextImpl "1" o-left- "1" net.sf.acegisecurity.Authentication : effectiveAuthentication: i Authentication
|
||||
org.alfresco.repo.security.authentication.AuthenticationException -up|> org.alfresco.error.AlfrescoRuntimeException
|
||||
org.alfresco.repo.security.authentication.TicketExpiredException -up|> org.alfresco.repo.security.authentication.AuthenticationException
|
||||
"net.sf.acegisecurity.context.Context" -() Serializable
|
||||
"org.alfresco.repo.security.authentication.AuthenticationStepImpl" -() Serializable
|
||||
org.alfresco.repo.security.authentication.AlfrescoSecureContext ..up|> net.sf.acegisecurity.context.security.SecureContext
|
||||
org.alfresco.repo.security.authentication.AuthenticationStepImpl ..up|> org.alfresco.repo.security.authentication.AuthenticationStep
|
||||
org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl ..up|> org.alfresco.repo.security.authentication.TicketComponent
|
||||
net.sf.acegisecurity.context.security.SecureContext ..up|> net.sf.acegisecurity.context.Context
|
||||
"org.alfresco.repo.security.authentication.AuthenticationDiagnostic" -() Serializable
|
||||
"org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl$Ticket" -() Serializable
|
||||
org.alfresco.repo.security.authentication.AlfrescoSecureContextImpl ..up|> org.alfresco.repo.security.authentication.AlfrescoSecureContext
|
||||
org.alfresco.repo.security.authentication.AuthenticationUtil ..up|> org.springframework.beans.factory.InitializingBean
|
||||
|
||||
' Notes
|
||||
|
||||
@enduml
|
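Review bot: the generator emits JVM-style array notation, e.g. `c Object;` for `Object[]` in the `AuthenticationException` and `AlfrescoRuntimeException` constructors, `getArgs() : Object;`, and `values() : InMemoryTicketComponentImpl$ExpiryMode;`; since this source is checked in alongside the rendered PNG, either post-process these to `Object[]` or add a comment under `' Generated using https://github.com/juanmf/Java2PlantUML` explaining the notation and the exact command used, so the diagram is regenerated rather than hand-edited. The `' Notes` section is empty; one note on `InMemoryTicketComponentImpl` recording that ticket lifetime is governed by `expiryMode`, `validDuration`, `ticketsExpire` and `useSingleTicketPerUser` would tie the diagram to the README's (currently placeholder) ticket-caching discussion.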
Binary file not shown (added image, size 369 KiB).
@@ -0,0 +1,344 @@
|
||||
@startuml
|
||||
|
||||
left to right direction
|
||||
|
||||
' Generated using https://github.com/juanmf/Java2PlantUML
|
||||
|
||||
' Participants
|
||||
|
||||
class org.alfresco.error.AlfrescoRuntimeException {
|
||||
- MESSAGE_DELIMITER : c String
|
||||
- errorCounter : c AtomicInteger
|
||||
- msgId : c String
|
||||
- msgParams : c Object;
|
||||
- serialVersionUID : long
|
||||
--
|
||||
+ AlfrescoRuntimeException(c String)
|
||||
+ AlfrescoRuntimeException(c String, c Object;)
|
||||
+ AlfrescoRuntimeException(c String, c Object;, c Throwable)
|
||||
+ AlfrescoRuntimeException(c String, c Throwable)
|
||||
+ create(c String, c Object;) : AlfrescoRuntimeException
|
||||
+ create(c Throwable, c String, c Object;) : AlfrescoRuntimeException
|
||||
+ getMsgId() : String
|
||||
+ getMsgParams() : Object;
|
||||
+ getNumericalId() : String
|
||||
+ getRootCause() : Throwable
|
||||
+ makeRuntimeException(c Throwable, c String, c Object;) : RuntimeException
|
||||
- buildErrorLogNumber(c String) : String
|
||||
- padInt(c StringBuilder, int, int) : void
|
||||
- resolveMessage(c String, c Object;) : String
|
||||
|
||||
}
|
||||
class org.alfresco.service.cmr.security.NoSuchPersonException {
|
||||
- serialVersionUID : long
|
||||
- userName : c String
|
||||
--
|
||||
+ NoSuchPersonException(c String)
|
||||
+ getUserName() : String
|
||||
|
||||
}
|
||||
interface org.alfresco.service.cmr.security.OwnableService {
|
||||
+ NO_OWNER : c String
|
||||
--
|
||||
+ getOwner(c NodeRef) : String
|
||||
+ hasOwner(c NodeRef) : boolean
|
||||
+ setOwner(c NodeRef, c String) : void
|
||||
+ takeOwnership(c NodeRef) : void
|
||||
|
||||
}
|
||||
class org.alfresco.service.cmr.security.PersonService$PersonInfo {
|
||||
- firstName : c String
|
||||
- lastName : c String
|
||||
- nodeRef : c NodeRef
|
||||
- userName : c String
|
||||
--
|
||||
+ PersonService$PersonInfo(c NodeRef, c String, c String, c String)
|
||||
+ getFirstName() : String
|
||||
+ getLastName() : String
|
||||
+ getNodeRef() : NodeRef
|
||||
+ getUserName() : String
|
||||
|
||||
}
|
||||
enum org.alfresco.service.cmr.security.AccessStatus {
|
||||
+ ALLOWED : c AccessStatus
|
||||
+ DENIED : c AccessStatus
|
||||
+ UNDETERMINED : c AccessStatus
|
||||
--
|
||||
- AccessStatus()
|
||||
+ valueOf(c String) : AccessStatus
|
||||
+ values() : AccessStatus;
|
||||
|
||||
}
|
||||
interface org.alfresco.service.cmr.security.AuthenticationService {
|
||||
--
|
||||
+ authenticate(c String, class [C) : void
|
||||
+ authenticateAsGuest() : void
|
||||
+ authenticationExists(c String) : boolean
|
||||
+ clearCurrentSecurityContext() : void
|
||||
+ getAuthenticationEnabled(c String) : boolean
|
||||
+ getCurrentTicket() : String
|
||||
+ getCurrentUserName() : String
|
||||
+ getDefaultAdministratorUserNames() : Set
|
||||
+ getDefaultGuestUserNames() : Set
|
||||
+ getDomains() : Set
|
||||
+ getDomainsThatAllowUserCreation() : Set
|
||||
+ getDomainsThatAllowUserDeletion() : Set
|
||||
+ getDomiansThatAllowUserPasswordChanges() : Set
|
||||
+ getNewTicket() : String
|
||||
+ guestUserAuthenticationAllowed() : boolean
|
||||
+ invalidateTicket(c String) : void
|
||||
+ invalidateUserSession(c String) : void
|
||||
+ isCurrentUserTheSystemUser() : boolean
|
||||
+ validate(c String) : void
|
||||
|
||||
}
|
||||
interface org.alfresco.service.cmr.security.AuthorityService {
|
||||
+ ZONE_APP_DEFAULT : c String
|
||||
+ ZONE_APP_SHARE : c String
|
||||
+ ZONE_AUTH_ALFRESCO : c String
|
||||
+ ZONE_AUTH_EXT_PREFIX : c String
|
||||
--
|
||||
+ addAuthority( Collection< String>, c String) : void
|
||||
+ addAuthority(c String, c String) : void
|
||||
+ addAuthorityToZones(c String, Set< String>) : void
|
||||
+ authorityExists(c String) : boolean
|
||||
+ countGroups() : long
|
||||
+ countUsers() : long
+ createAuthority(c AuthorityType, c String) : String
+ createAuthority(c AuthorityType, c String, c String, Set< String>) : String
+ deleteAuthority(c String) : void
+ deleteAuthority(c String, boolean) : void
+ findAuthorities(c AuthorityType, c String, boolean, c String, c String) : Set
+ getAllAuthorities(c AuthorityType) : Set
+ getAllAuthoritiesInZone(c String, c AuthorityType) : Set
+ getAllRootAuthorities(c AuthorityType) : Set
+ getAllRootAuthoritiesInZone(c String, c AuthorityType) : Set
+ getAuthorities() : Set
+ getAuthorities(c AuthorityType, c String, c String, boolean, boolean, c PagingRequest) : PagingResults
+ getAuthoritiesForUser(c String) : Set
+ getAuthoritiesInfo(c AuthorityType, c String, c String, c String, boolean, c PagingRequest) : PagingResults
+ getAuthorityDisplayName(c String) : String
+ getAuthorityNodeRef(c String) : NodeRef
+ getAuthorityZones(c String) : Set
+ getContainedAuthorities(c AuthorityType, c String, boolean) : Set
+ getContainingAuthorities(c AuthorityType, c String, boolean) : Set
+ getContainingAuthoritiesInZone(c AuthorityType, c String, c String, i AuthorityService$AuthorityFilter, int) : Set
+ getDefaultZones() : Set
+ getName(c AuthorityType, c String) : String
+ getOrCreateZone(c String) : NodeRef
+ getShortName(c String) : String
+ getZone(c String) : NodeRef
+ hasAdminAuthority() : boolean
+ hasGuestAuthority() : boolean
+ isAdminAuthority(c String) : boolean
+ isGuestAuthority(c String) : boolean
+ removeAuthority(c String, c String) : void
+ removeAuthorityFromZones(c String, Set< String>) : void
+ setAuthorityDisplayName(c String, c String) : void

}

enum org.alfresco.service.cmr.security.AuthorityType {
+ ADMIN : c AuthorityType
+ EVERYONE : c AuthorityType
+ GROUP : c AuthorityType
+ GUEST : c AuthorityType
+ OWNER : c AuthorityType
+ ROLE : c AuthorityType
+ USER : c AuthorityType
+ WILDCARD : c AuthorityType
--
- AuthorityType()
+ equals(c String) : boolean
+ getAuthorityType(c String) : AuthorityType
+ getFixedString() : String
+ getOrderPosition() : int
+ getPrefixString() : String
+ isFixedString() : boolean
+ isPrefixed() : boolean
+ valueOf(c String) : AuthorityType
+ values() : AuthorityType;

}

interface org.alfresco.service.cmr.security.PersonService {
--
+ countPeople() : int
+ createMissingPeople() : boolean
+ createPerson( Map< QName, Serializable>) : NodeRef
+ createPerson( Map< QName, Serializable>, Set< String>) : NodeRef
+ deletePerson(c NodeRef) : void
+ deletePerson(c NodeRef, boolean) : void
+ deletePerson(c String) : void
+ getAllPeople() : Set
+ getMutableProperties() : Set
+ getPeople( List< Pair< QName, String>>, boolean, List< Pair< QName, Boolean>>, c PagingRequest) : PagingResults
+ getPeople(c String, List< QName>, List< Pair< QName, Boolean>>, c PagingRequest) : PagingResults
+ getPeople(c String, List< QName>, Set< QName>, Set< QName>, boolean, List< Pair< QName, Boolean>>, c PagingRequest) : PagingResults
+ getPeopleContainer() : NodeRef
+ getPeopleFilteredByProperty(c QName, i Serializable, int) : Set
+ getPerson(c NodeRef) : PersonService$PersonInfo
+ getPerson(c String) : NodeRef
+ getPerson(c String, boolean) : NodeRef
+ getPersonOrNull(c String) : NodeRef
+ getUserIdentifier(c String) : String
+ getUserNamesAreCaseSensitive() : boolean
+ isEnabled(c String) : boolean
+ isMutable() : boolean
+ notifyPerson(c String, c String) : void
+ personExists(c String) : boolean
+ setCreateMissingPeople(boolean) : void
+ setPersonProperties(c String, Map< QName, Serializable>) : void
+ setPersonProperties(c String, Map< QName, Serializable>, boolean) : void

}

interface org.alfresco.service.cmr.security.PublicServiceAccessService {
--
+ hasAccess(c String, c String, c Object;) : AccessStatus

}

interface org.alfresco.service.cmr.security.MutableAuthenticationService {
--
+ createAuthentication(c String, class [C) : void
+ deleteAuthentication(c String) : void
+ isAuthenticationCreationAllowed() : boolean
+ isAuthenticationMutable(c String) : boolean
+ setAuthentication(c String, class [C) : void
+ setAuthenticationEnabled(c String, boolean) : void
+ updateAuthentication(c String, class [C, class [C) : void

}

class org.alfresco.service.cmr.security.PermissionContext {
- additionalContext : Map< String, Object>
- aspects : HashSet< QName>
- dynamicAuthorityAssignment : Map< String, Set< String>>
- properties : Map< QName, Serializable>
- storeAcl : c Long
- type : c QName
--
+ PermissionContext(c QName)
+ addDynamicAuthorityAssignment(c String, c String) : void
+ getAdditionalContext() : Map
+ getAspects() : HashSet
+ getDynamicAuthorityAssignment() : Map
+ getProperties() : Map
+ getStoreAcl() : Long
+ getType() : QName
+ setStoreAcl(c Long) : void

}

interface org.alfresco.repo.security.permissions.PermissionCheckValue {
--
+ getNodeRef() : NodeRef

}

interface org.alfresco.service.cmr.security.PermissionService {
+ ADD_CHILDREN : c String
+ ADMINISTRATOR_AUTHORITY : c String
+ ALL_AUTHORITIES : c String
+ ALL_PERMISSIONS : c String
+ ASPECTS : c String
+ CANCEL_CHECK_OUT : c String
+ CHANGE_PERMISSIONS : c String
+ CHECK_IN : c String
+ CHECK_OUT : c String
+ CONSUMER : c String
+ CONTRIBUTOR : c String
+ COORDINATOR : c String
+ CREATE_ASSOCIATIONS : c String
+ CREATE_CHILDREN : c String
+ DELETE : c String
+ DELETE_ASSOCIATIONS : c String
+ DELETE_CHILDREN : c String
+ DELETE_NODE : c String
+ EDITOR : c String
+ EXECUTE : c String
+ EXECUTE_CONTENT : c String
+ FULL_CONTROL : c String
+ GROUP_PREFIX : c String
+ GUEST_AUTHORITY : c String
+ LINK_CHILDREN : c String
+ LOCK : c String
+ LOCK_OWNER_AUTHORITY : c String
+ OWNER_AUTHORITY : c String
+ PROPERTIES : c String
+ READ : c String
+ READ_ASSOCIATIONS : c String
+ READ_CHILDREN : c String
+ READ_CONTENT : c String
+ READ_PERMISSIONS : c String
+ READ_PROPERTIES : c String
+ ROLE_PREFIX : c String
+ SET_OWNER : c String
+ TAKE_OWNERSHIP : c String
+ UNLOCK : c String
+ WRITE : c String
+ WRITE_CONTENT : c String
+ WRITE_PROPERTIES : c String
--
+ clearPermission(c NodeRef, c String) : void
+ clearPermission(c StoreRef, c String) : void
+ deletePermission(c NodeRef, c String, c String) : void
+ deletePermission(c StoreRef, c String, c String) : void
+ deletePermissions(c NodeRef) : void
+ deletePermissions(c StoreRef) : void
+ getAllAuthorities() : String
+ getAllPermission() : String
+ getAllSetPermissions(c NodeRef) : Set
+ getAllSetPermissions(c StoreRef) : Set
+ getAuthorisations() : Set
+ getInheritParentPermissions(c NodeRef) : boolean
+ getOwnerAuthority() : String
+ getPermissions(c NodeRef) : Set
+ getReaders(c Long) : Set
+ getReadersDenied(c Long) : Set
+ getSettablePermissions(c NodeRef) : Set
+ getSettablePermissions(c QName) : Set
+ hasPermission(c Long, c PermissionContext, c String) : AccessStatus
+ hasPermission(c NodeRef, c String) : AccessStatus
+ hasReadPermission(c NodeRef) : AccessStatus
+ setInheritParentPermissions(c NodeRef, boolean) : void
+ setInheritParentPermissions(c NodeRef, boolean, boolean) : void
+ setPermission(c NodeRef, c String, c String, boolean) : void
+ setPermission(c StoreRef, c String, c String, boolean) : void

}

interface org.alfresco.service.cmr.security.AuthorityService$AuthorityFilter {
--
+ includeAuthority(c String) : boolean

}

interface org.alfresco.service.cmr.security.AccessPermission {
--
+ getAccessStatus() : AccessStatus
+ getAuthority() : String
+ getAuthorityType() : AuthorityType
+ getPermission() : String
+ getPosition() : int
+ isInherited() : boolean
+ isSetDirectly() : boolean

}

class org.alfresco.repo.security.person.PersonException {
- serialVersionUID : long
--
+ PersonException(c String)
+ PersonException(c String, c Object;)
+ PersonException(c String, c Object;, c Throwable)
+ PersonException(c String, c Throwable)

}


' Relations

org.alfresco.service.cmr.security.PersonService$PersonInfo "1" o-left- "1" org.alfresco.service.cmr.repository.NodeRef : nodeRef: c NodeRef
org.alfresco.error.AlfrescoRuntimeException "1" o-left- "1" java.util.concurrent.atomic.AtomicInteger : errorCounter: c AtomicInteger
org.alfresco.service.cmr.security.PermissionContext "1" o-left- "*" org.alfresco.service.namespace.QName : aspects: HashSet< QName>
org.alfresco.service.cmr.security.PermissionContext "1" o-left- "1" org.alfresco.service.namespace.QName : type: c QName
org.alfresco.service.cmr.security.PermissionContext "1" o-left- "*" org.alfresco.service.namespace.QName : properties: Map< QName, Serializable>
org.alfresco.repo.security.person.PersonException -up|> org.alfresco.error.AlfrescoRuntimeException
org.alfresco.service.cmr.security.NoSuchPersonException -up|> org.alfresco.repo.security.person.PersonException
org.alfresco.service.cmr.security.MutableAuthenticationService ..up|> org.alfresco.service.cmr.security.AuthenticationService
org.alfresco.service.cmr.security.PersonService$PersonInfo ..up|> org.alfresco.repo.security.permissions.PermissionCheckValue


' Notes

@enduml
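Review bot: the generated diagram leaves raw JVM type descriptors in several signatures, which PlantUML renders literally and readers will not recognise as array types: `createAuthentication(c String, class [C)` and `updateAuthentication(c String, class [C, class [C)` show `class [C` where `char[]` is meant, `hasAccess(c String, c String, c Object;)` (and the two `PersonException` constructors) show `Object;` for `Object[]`, and `values() : AuthorityType;` should read `AuthorityType[]`. Consider mapping array descriptors to Java array syntax in the generator or post-processing its output before committing the .puml. The `char[]` parameters in particular are worth rendering correctly, since they document that the mutable authentication API takes passwords as char arrays rather than immutable Strings, which is the intended practice for credential handling.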