inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged V3.0 to HEAD

Browse Source 
12145: Merged V2.2 to V3.0 (AuthenticationUtil)
    12109: AuthenticationUtil and AuthenticationComponent refactor
  12152: Removed Lucene usage from lookup of 'sites' root folder
  12153: Fix InviteServiceTest by cleaning up leaking authentications
  12159: Fix for broken usage pattern of the Threadlocal values in recent AuthenticationUtil refactor.


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@12508 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Jan Vonka
2008-12-19 12:15:59 +00:00
parent 21bb599e20
commit cd09266213
74 changed files with 870 additions and 997 deletions
Download Patch File Download Diff File Expand all files Collapse all files

659
source/java/org/alfresco/repo/security/authentication/AuthenticationUtil.java
View File

@@ -24,6 +24,8 @@
*/
package org.alfresco.repo.security.authentication;
import java.util.Stack;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
@@ -35,6 +37,7 @@ import net.sf.acegisecurity.providers.dao.User;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.util.EqualsHelper;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.log4j.NDC;
@@ -57,11 +60,6 @@ public abstract class AuthenticationUtil
private static boolean mtEnabled = false;
private AuthenticationUtil()
{
super();
}
public static void setMtEnabled(boolean mtEnabled)
{
if (!AuthenticationUtil.mtEnabled)
@@ -75,107 +73,14 @@ public abstract class AuthenticationUtil
return AuthenticationUtil.mtEnabled;
}
public static Authentication setCurrentUser(String userName)
private AuthenticationUtil()
{
return setCurrentUser(userName, getDefaultUserDetails(userName));
}
public static Authentication setCurrentRealUser(String userName)
{
return setCurrentRealUser(userName, getDefaultUserDetails(userName));
}
public static Authentication setCurrentEffectiveUser(String userName)
{
return setCurrentEffectiveUser(userName, getDefaultUserDetails(userName));
}
public static Authentication setCurrentStoredUser(String userName)
{
return setCurrentStoredUser(userName, getDefaultUserDetails(userName));
super();
}
/**
* Explicitly set the current user to be authenticated.
*
* @param userName -
* String user id
* @param providedDetails -
* provided details for the user
* @return Authentication
* Utility method to create an authentication token
*/
public static Authentication setCurrentUser(String userName, UserDetails providedDetails) throws AuthenticationException
{
if (userName == null)
{
throw new AuthenticationException("Null user name");
}
try
{
UsernamePasswordAuthenticationToken auth = getAuthenticationToken(userName, providedDetails);
return setCurrentAuthentication(auth);
}
catch (net.sf.acegisecurity.AuthenticationException ae)
{
throw new AuthenticationException(ae.getMessage(), ae);
}
}
public static Authentication setCurrentRealUser(String userName, UserDetails providedDetails) throws AuthenticationException
{
if (userName == null)
{
throw new AuthenticationException("Null user name");
}
try
{
UsernamePasswordAuthenticationToken auth = getAuthenticationToken(userName, providedDetails);
return setCurrentRealAuthentication(auth);
}
catch (net.sf.acegisecurity.AuthenticationException ae)
{
throw new AuthenticationException(ae.getMessage(), ae);
}
}
public static Authentication setCurrentEffectiveUser(String userName, UserDetails providedDetails) throws AuthenticationException
{
if (userName == null)
{
throw new AuthenticationException("Null user name");
}
try
{
UsernamePasswordAuthenticationToken auth = getAuthenticationToken(userName, providedDetails);
return setCurrentEffectiveAuthentication(auth);
}
catch (net.sf.acegisecurity.AuthenticationException ae)
{
throw new AuthenticationException(ae.getMessage(), ae);
}
}
public static Authentication setCurrentStoredUser(String userName, UserDetails providedDetails) throws AuthenticationException
{
if (userName == null)
{
throw new AuthenticationException("Null user name");
}
try
{
UsernamePasswordAuthenticationToken auth = getAuthenticationToken(userName, providedDetails);
return setCurrentStoredAuthentication(auth);
}
catch (net.sf.acegisecurity.AuthenticationException ae)
{
throw new AuthenticationException(ae.getMessage(), ae);
}
}
private static UsernamePasswordAuthenticationToken getAuthenticationToken(String userName, UserDetails providedDetails)
{
UserDetails ud = null;
@@ -210,9 +115,6 @@ public abstract class AuthenticationUtil
/**
* Default implementation that makes an ACEGI object on the fly
*
* @param userName
* @return
*/
private static UserDetails getDefaultUserDetails(String userName)
{
@@ -223,72 +125,54 @@ public abstract class AuthenticationUtil
}
/**
* Explicitly set the current authentication.
*
* @param authentication
* Authentication
* Extract the username from the authentication.
*/
public static Authentication setCurrentAuthentication(Authentication authentication)
{
if (authentication == null)
{
clearCurrentSecurityContext();
return null;
}
else
{
Context context = ContextHolder.getContext();
AlfrescoSecureContext sc = null;
if ((context == null) || !(context instanceof AlfrescoSecureContext))
{
sc = new AlfrescoSecureContextImpl();
ContextHolder.setContext(sc);
}
else
{
sc = (AlfrescoSecureContext) context;
}
authentication.setAuthenticated(true);
// Sets real and effective
sc.setRealAuthentication(authentication);
sc.setEffectiveAuthentication(authentication);
// Support for logging tenant domain / username (via log4j NDC)
String userName = SYSTEM_USER_NAME;
if (authentication.getPrincipal() instanceof UserDetails)
{
userName = ((UserDetails) authentication.getPrincipal()).getUsername();
}
logNDC(userName);
return authentication;
}
}
public static void logNDC(String userName)
{
NDC.remove();
if (isMtEnabled())
{
int idx = userName.indexOf(TenantService.SEPARATOR);
if ((idx != -1) && (idx < (userName.length() - 1)))
{
NDC.push("Tenant:" + userName.substring(idx + 1) + " User:" + userName.substring(0, idx));
}
else
{
NDC.push("User:" + userName);
}
}
else
{
NDC.push("User:" + userName);
}
}
public static Authentication setCurrentRealAuthentication(Authentication authentication)
private static String getUserName(Authentication authentication)
{
if (authentication.getPrincipal() instanceof UserDetails)
{
return ((UserDetails) authentication.getPrincipal()).getUsername();
}
else
{
return authentication.getPrincipal().toString();
}
}
/**
* Authenticate as the given user. The user will be authenticated and all operations
* with be run in the context of this user.
*
* @param userName the user name
* @return the authentication token
*/
public static Authentication setFullyAuthenticatedUser(String userName)
{
return setFullyAuthenticatedUser(userName, getDefaultUserDetails(userName));
}
private static Authentication setFullyAuthenticatedUser(String userName, UserDetails providedDetails) throws AuthenticationException
{
if (userName == null)
{
throw new AuthenticationException("Null user name");
}
try
{
UsernamePasswordAuthenticationToken auth = getAuthenticationToken(userName, providedDetails);
return setFullAuthentication(auth);
}
catch (net.sf.acegisecurity.AuthenticationException ae)
{
throw new AuthenticationException(ae.getMessage(), ae);
}
}
/**
* Re-authenticate using a previously-created authentication.
*/
public static Authentication setFullAuthentication(Authentication authentication)
{
if (authentication == null)
{
@@ -309,12 +193,58 @@ public abstract class AuthenticationUtil
sc = (AlfrescoSecureContext) context;
}
authentication.setAuthenticated(true);
// Sets real and effective
sc.setRealAuthentication(authentication);
sc.setEffectiveAuthentication(authentication);
return authentication;
}
}
/**
* <b>WARN: Advanced usage only.</b><br/>
* Set the system user as the currently running user for authentication purposes.
*
* @return Authentication
*
* @see #setRunAsUser(String)
*/
public static Authentication setRunAsUserSystem()
{
return setRunAsUser(SYSTEM_USER_NAME);
}
public static Authentication setCurrentEffectiveAuthentication(Authentication authentication)
/**
* <b>WARN: Advanced usage only.</b><br/>
* Switch to the given user for all authenticated operations. The original, authenticated user
* can still be found using {@link #getAuthenticatedUser()}.
*
* @param userName the user to run as
* @return the new authentication
*/
public static Authentication setRunAsUser(String userName)
{
return setRunAsUser(userName, getDefaultUserDetails(userName));
}
/*package*/ static Authentication setRunAsUser(String userName, UserDetails providedDetails) throws AuthenticationException
{
if (userName == null)
{
throw new AuthenticationException("Null user name");
}
try
{
UsernamePasswordAuthenticationToken auth = getAuthenticationToken(userName, providedDetails);
return setRunAsAuthentication(auth);
}
catch (net.sf.acegisecurity.AuthenticationException ae)
{
throw new AuthenticationException(ae.getMessage(), ae);
}
}
/*package*/ static Authentication setRunAsAuthentication(Authentication authentication)
{
if (authentication == null)
{
@@ -335,71 +265,24 @@ public abstract class AuthenticationUtil
sc = (AlfrescoSecureContext) context;
}
authentication.setAuthenticated(true);
sc.setEffectiveAuthentication(authentication);
if (sc.getRealAuthentication() == null)
{
// There is no authentication in action
sc.setRealAuthentication(authentication);
}
sc.setEffectiveAuthentication(authentication);
return authentication;
}
}
public static Authentication setCurrentStoredAuthentication(Authentication authentication)
{
if (authentication == null)
{
clearCurrentSecurityContext();
return null;
}
else
{
Context context = ContextHolder.getContext();
AlfrescoSecureContext sc = null;
if ((context == null) || !(context instanceof AlfrescoSecureContext))
{
sc = new AlfrescoSecureContextImpl();
ContextHolder.setContext(sc);
}
else
{
sc = (AlfrescoSecureContext) context;
}
authentication.setAuthenticated(true);
sc.setStoredAuthentication(authentication);
return authentication;
}
}
/**
* Get the current authentication context
* Get the current authentication for application of permissions. This includes
* the any overlay details set by {@link #setRunAsUser(String)}.
*
* @return Authentication
* @return Authentication Returns the running authentication
* @throws AuthenticationException
*/
public static Authentication getCurrentAuthentication() throws AuthenticationException
{
return getCurrentRealAuthentication();
}
/**
* Get the current real authentication context
*
* @return Authentication
* @throws AuthenticationException
*/
public static Authentication getCurrentRealAuthentication() throws AuthenticationException
{
Context context = ContextHolder.getContext();
if ((context == null) || !(context instanceof AlfrescoSecureContext))
{
return null;
}
return ((AlfrescoSecureContext) context).getRealAuthentication();
}
/**
* Get the current effective authentication context
*
* @return Authentication
* @throws AuthenticationException
*/
public static Authentication getCurrentEffectiveAuthentication() throws AuthenticationException
public static Authentication getRunAsAuthentication() throws AuthenticationException
{
Context context = ContextHolder.getContext();
if ((context == null) || !(context instanceof AlfrescoSecureContext))
@@ -408,50 +291,32 @@ public abstract class AuthenticationUtil
}
return ((AlfrescoSecureContext) context).getEffectiveAuthentication();
}
/**
* Get the current stored authentication context
* <b>WARN: Advanced usage only.</b><br/>
* Get the authentication for that was set by an real authentication.
*
* @return Authentication
* @return Authentication Returns the real authentication
* @throws AuthenticationException
*/
public static Authentication getCurrentStoredAuthentication() throws AuthenticationException
public static Authentication getFullAuthentication() throws AuthenticationException
{
Context context = ContextHolder.getContext();
if ((context == null) || !(context instanceof AlfrescoSecureContext))
{
return null;
}
return ((AlfrescoSecureContext) context).getStoredAuthentication();
return ((AlfrescoSecureContext) context).getRealAuthentication();
}
/**
* Get the current user name.
* Get the user that is currently in effect for purposes of authentication. This includes
* any overlays introduced by {@link #setRunAsUser(String) runAs}.
*
* @return String
* @return Returns the name of the user
* @throws AuthenticationException
*/
public static String getCurrentUserName() throws AuthenticationException
{
return getCurrentRealUserName();
}
public static String getCurrentRealUserName() throws AuthenticationException
{
Context context = ContextHolder.getContext();
if ((context == null) || !(context instanceof AlfrescoSecureContext))
{
return null;
}
AlfrescoSecureContext ctx = (AlfrescoSecureContext) context;
if (ctx.getRealAuthentication() == null)
{
return null;
}
return getUserName(ctx.getRealAuthentication());
}
public static String getCurrentEffectiveUserName() throws AuthenticationException
public static String getRunAsUser() throws AuthenticationException
{
Context context = ContextHolder.getContext();
if ((context == null) || !(context instanceof AlfrescoSecureContext))
@@ -465,54 +330,36 @@ public abstract class AuthenticationUtil
}
return getUserName(ctx.getEffectiveAuthentication());
}
public static String getCurrentStoredUserName() throws AuthenticationException
public static boolean isRunAsUserTheSystemUser()
{
String runAsUser = getRunAsUser();
return EqualsHelper.nullSafeEquals(runAsUser, AuthenticationUtil.SYSTEM_USER_NAME);
}
/**
* Get the fully authenticated user.
* It returns the name of the user that last authenticated and excludes any overlay authentication set
* by {@link #runAs(org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork, String) runAs}.
*
* @return Returns the name of the authenticated user
* @throws AuthenticationException
*/
public static String getFullyAuthenticatedUser() throws AuthenticationException
{
Context context = ContextHolder.getContext();
if ((context == null) || !(context instanceof AlfrescoSecureContext))
{
return null;
}
AlfrescoSecureContext ctx = (AlfrescoSecureContext) context;
if (ctx.getStoredAuthentication() == null)
if (ctx.getRealAuthentication() == null)
{
return null;
}
return getUserName(ctx.getStoredAuthentication());
return getUserName(ctx.getRealAuthentication());
}
/**
* Get the current user name
*
* @param authentication
* Authentication
* @return String
*/
private static String getUserName(Authentication authentication)
{
String username;
if (authentication.getPrincipal() instanceof UserDetails)
{
username = ((UserDetails) authentication.getPrincipal()).getUsername();
}
else
{
username = authentication.getPrincipal().toString();
}
return username;
}
/**
* Set the system user as the current user.
*
* @return Authentication
*/
public static Authentication setSystemUserAsCurrentUser()
{
return setCurrentUser(SYSTEM_USER_NAME);
}
/**
* Get the name of the system user
*
@@ -531,12 +378,6 @@ public abstract class AuthenticationUtil
return PermissionService.GUEST_AUTHORITY.toLowerCase();
}
/* package */ static void clearCurrentSecurityContextOnly()
{
ContextHolder.setContext(null);
NDC.remove();
}
/**
* Remove the current security information
*/
@@ -544,7 +385,6 @@ public abstract class AuthenticationUtil
{
ContextHolder.setContext(null);
InMemoryTicketComponentImpl.clearCurrentSecurityContext();
NDC.remove();
}
/**
@@ -559,76 +399,189 @@ public abstract class AuthenticationUtil
*/
public static <R> R runAs(RunAsWork<R> runAsWork, String uid)
{
String effectiveUser = AuthenticationUtil.getCurrentEffectiveUserName();
String realUser = AuthenticationUtil.getCurrentRealUserName();
R result = null;
Authentication originalFullAuthentication = AuthenticationUtil.getFullAuthentication();
Authentication originalRunAsAuthentication = AuthenticationUtil.getRunAsAuthentication();
final R result;
try
{
if (isMtEnabled() && uid.equals(AuthenticationUtil.getSystemUserName()))
if (originalFullAuthentication == null)
{
// Running as System in MT-enabled env - check to see if System should run with MT domain context
int effectiveIdx = -1;
int realIdx = -1;
if (effectiveUser != null)
{
effectiveIdx = effectiveUser.indexOf(TenantService.SEPARATOR);
}
if (realUser != null)
{
realIdx = realUser.indexOf(TenantService.SEPARATOR);
}
if ((effectiveIdx != -1) && (effectiveIdx < (effectiveUser.length() - 1)))
{
uid = uid + TenantService.SEPARATOR + effectiveUser.substring(effectiveIdx + 1);
}
else if ((realIdx != -1) && (realIdx < (realUser.length() - 1)))
{
uid = uid + TenantService.SEPARATOR + realUser.substring(realIdx + 1);
}
AuthenticationUtil.setFullyAuthenticatedUser(uid);
}
if (realUser == null)
else
{
AuthenticationUtil.setCurrentRealUser(uid);
AuthenticationUtil.setRunAsUser(uid);
}
AuthenticationUtil.setCurrentEffectiveUser(uid);
result = runAsWork.doWork();
return result;
}
catch (Throwable exception)
{
// Re-throw the exception
if (exception instanceof RuntimeException)
{
throw (RuntimeException) exception;
}
else
{
throw new RuntimeException("Error during run as.", exception);
}
}
finally
{
if (originalFullAuthentication == null)
{
AuthenticationUtil.clearCurrentSecurityContext();
}
else
{
AuthenticationUtil.setFullAuthentication(originalFullAuthentication);
AuthenticationUtil.setRunAsAuthentication(originalRunAsAuthentication);
}
}
// String effectiveUser = AuthenticationUtil.getCurrentEffectiveUserName();
// String realUser = AuthenticationUtil.getCurrentRealUserName();
//
// R result = null;
// try
// {
// if(realUser == null)
// {
// AuthenticationUtil.setCurrentRealUser(uid);
// }
// AuthenticationUtil.setCurrentEffectiveUser(uid);
// result = runAsWork.doWork();
// return result;
// }
// catch (Throwable exception)
// {
//
// // Re-throw the exception
// if (exception instanceof RuntimeException)
// {
// throw (RuntimeException) exception;
// }
// else
// {
// throw new RuntimeException("Error during run as.", exception);
// }
// }
// finally
// {
// if(realUser == null)
// {
// AuthenticationUtil.clearCurrentSecurityContext();
// }
// else
// {
// if(!realUser.equals(AuthenticationUtil.getCurrentRealUserName()))
// {
// AuthenticationUtil.setCurrentRealUser(realUser);
// s_logger.warn("Resetting real user which has changed in RunAs block");
// }
// AuthenticationUtil.setCurrentEffectiveUser(effectiveUser);
//
// }
// }
}
private static ThreadLocal<Stack<Authentication>> threadLocalFullAuthenticationStack;
private static ThreadLocal<Stack<Authentication>> threadLocalRunAsAuthenticationStack;
static
{
threadLocalFullAuthenticationStack = new ThreadLocal<Stack<Authentication>>();
threadLocalRunAsAuthenticationStack = new ThreadLocal<Stack<Authentication>>();
}
/**
* Push the current authentication context onto a threadlocal stack.
*/
public static void pushAuthentication()
{
Authentication originalFullAuthentication = AuthenticationUtil.getFullAuthentication();
Authentication originalRunAsAuthentication = AuthenticationUtil.getRunAsAuthentication();
Stack<Authentication> fullAuthenticationStack = threadLocalFullAuthenticationStack.get();
if (fullAuthenticationStack == null)
{
fullAuthenticationStack = new Stack<Authentication>();
threadLocalFullAuthenticationStack.set(fullAuthenticationStack);
}
Stack<Authentication> runAsAuthenticationStack = threadLocalRunAsAuthenticationStack.get();
if (runAsAuthenticationStack == null)
{
runAsAuthenticationStack = new Stack<Authentication>();
threadLocalRunAsAuthenticationStack.set(runAsAuthenticationStack);
}
fullAuthenticationStack.push(originalFullAuthentication);
runAsAuthenticationStack.push(originalRunAsAuthentication);
}
/**
* Pop the authentication context from a threadlocal stack.
*/
public static void popAuthentication()
{
Stack<Authentication> fullAuthenticationStack = threadLocalFullAuthenticationStack.get();
if (fullAuthenticationStack == null)
{
fullAuthenticationStack = new Stack<Authentication>();
threadLocalFullAuthenticationStack.set(fullAuthenticationStack);
}
Stack<Authentication> runAsAuthenticationStack = threadLocalRunAsAuthenticationStack.get();
if (runAsAuthenticationStack == null)
{
runAsAuthenticationStack = new Stack<Authentication>();
threadLocalRunAsAuthenticationStack.set(runAsAuthenticationStack);
}
Authentication originalFullAuthentication = fullAuthenticationStack.pop();
Authentication originalRunAsAuthentication = runAsAuthenticationStack.pop();
if (originalFullAuthentication == null)
{
AuthenticationUtil.clearCurrentSecurityContext();
}
catch (Throwable exception)
else
{
AuthenticationUtil.setFullAuthentication(originalFullAuthentication);
AuthenticationUtil.setRunAsAuthentication(originalRunAsAuthentication);
}
}
// Re-throw the exception
if (exception instanceof RuntimeException)
{
throw (RuntimeException) exception;
}
else
{
throw new RuntimeException("Error during run as.", exception);
}
/**
* Logs the current authenticated users
*/
public static void logAuthenticatedUsers()
{
if (s_logger.isDebugEnabled())
{
s_logger.debug(
"Authentication: \n" +
" Fully authenticated: " + AuthenticationUtil.getFullyAuthenticatedUser() + "\n" +
" Run as: " + AuthenticationUtil.getRunAsUser());
}
finally
}
public static void logNDC(String userName)
{
NDC.remove();
if (isMtEnabled())
{
if (realUser == null)
int idx = userName.indexOf(TenantService.SEPARATOR);
if ((idx != -1) && (idx < (userName.length() - 1)))
{
AuthenticationUtil.clearCurrentSecurityContextOnly();
NDC.push("Tenant:" + userName.substring(idx + 1) + " User:" + userName.substring(0, idx));
}
else
{
if(!realUser.equals(AuthenticationUtil.getCurrentRealUserName()))
{
AuthenticationUtil.setCurrentRealUser(realUser);
s_logger.warn("Resetting real user which has changed in RunAs block");
}
AuthenticationUtil.setCurrentEffectiveUser(effectiveUser);
NDC.push("User:" + userName);
}
}
else
{
NDC.push("User:" + userName);
}
}
}