diff --git a/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java index e759c4facc..dff44b42dc 100644 --- a/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java @@ -101,6 +101,9 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De public void doFilter(ServletContext context, ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException { + if (logger.isDebugEnabled()) + logger.debug("Entering AuthenticationFilter."); + // Assume it's an HTTP request HttpServletRequest httpReq = (HttpServletRequest) req; @@ -111,13 +114,16 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De if (user == null) { + if (logger.isDebugEnabled()) + logger.debug("There is no user in the session."); // Get the authorization header String authHdr = httpReq.getHeader("Authorization"); if ( authHdr != null && authHdr.length() > 5 && authHdr.substring(0,5).equalsIgnoreCase("BASIC")) { - // Basic authentication details present + if (logger.isDebugEnabled()) + logger.debug("Basic authentication details present in the header."); byte[] encodedString = Base64.decodeBase64(authHdr.substring(5).getBytes()); // ALF-13621: Due to browser inconsistencies we have to try a fallback path of encodings 
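Review bot: The debug guard added at the top of doFilter is a two-line `if` without braces, while the context lines around it brace every block; a later edit that puts a second statement under the guard would run it unconditionally. Prefer `if (logger.isDebugEnabled()) { logger.debug("Entering AuthenticationFilter."); }`, or drop the guard where the argument is a constant string that costs nothing to build. The same unbraced form is used in every other hunk of this commit. doFilter's body continues outside the hunk.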
@@ -160,15 +166,18 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De } catch (CharacterCodingException e) { - // Didn't decode using this charset. Try the next one or fail + if (logger.isDebugEnabled()) + logger.debug("Didn't decode using " + decoder.getClass().getName(), e); } catch (AuthenticationException ex) { - // Do nothing, user object will be null + if (logger.isDebugEnabled()) + logger.debug("Authentication error ", ex); } catch (NoSuchPersonException e) { - // Do nothing, user object will be null + if (logger.isDebugEnabled()) + logger.debug("There is no such person error ", e); } } } @@ -208,7 +217,8 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De if ( user == null) { - // No user/ticket, force the client to prompt for logon details + if (logger.isDebugEnabled()) + logger.debug("No user/ticket, force the client to prompt for logon details."); httpResp.setHeader("WWW-Authenticate", "BASIC realm=\"Alfresco DAV Server\""); httpResp.setStatus(HttpServletResponse.SC_UNAUTHORIZED); diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java index 5d2d3e35d8..7da8d80f80 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java @@ -192,6 +192,8 @@ public abstract class BaseAuthenticationFilter && (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive())) { userId = remoteUserMapper.getRemoteUser(httpServletRequest); + if (getLogger().isDebugEnabled()) + getLogger().debug("Found a remote user: " + userId); } String sessionAttrib = getUserAttributeName(); 
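Review bot: The catch blocks for AuthenticationException and NoSuchPersonException now record a failed Basic logon, but only at debug level and with nothing that identifies the request, so under a typical production log level repeated password guessing against this endpoint still leaves no trace. Assuming these catches are still inside doFilter, where httpReq is in scope, add the client address, e.g. `logger.debug("Authentication error from " + httpReq.getRemoteAddr(), ex);`, and decide whether failures deserve a warn-level line or an audit record. The same applies to the "Login failed" branch added to handleLoginForm in BaseAuthenticationFilter, where the request is `req`. In the CharacterCodingException branch, `decoder.getClass().getName()` prints an implementation class; if decoder is a CharsetDecoder, `decoder.charset().name()` states the failed encoding directly. The enclosing try and loop start outside the hunk.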
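Review bot: `"Found a remote user: " + userId` writes a value obtained from the request into the log unmodified; if the configured remoteUserMapper takes the identity from a header a client can reach, embedded CR/LF characters would let a request forge additional log lines. Strip line breaks before logging, e.g. `String safeUser = userId == null ? null : userId.replaceAll("[\\r\\n]", "_");`, and log only when the mapper returned a non-null value so the line never reads "Found a remote user: null". The same concatenation appears in the "Propagating through the user identity" hunk and in createUserEnvironment (userName). The enclosing method starts outside the hunk.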
@@ -201,12 +203,15 @@ public abstract class BaseAuthenticationFilter { try { + if (getLogger().isDebugEnabled()) + getLogger().debug("Found a session user: " + sessionUser.getUserName()); authenticationService.validate(sessionUser.getTicket()); setExternalAuth(session, externalAuth); } catch (AuthenticationException e) { - // The ticket may have expired or the person could have been removed + if (getLogger().isDebugEnabled()) + getLogger().debug("The ticket may have expired or the person could have been removed, invalidating session.", e); invalidateSession(httpServletRequest); sessionUser = null; } @@ -214,9 +219,12 @@ public abstract class BaseAuthenticationFilter if (userId != null) { - // We have a previously-cached user with the wrong identity - replace them + if (getLogger().isDebugEnabled()) + getLogger().debug("We have a previously-cached user with the wrong identity - replace them."); if (sessionUser != null && !sessionUser.getUserName().equals(userId)) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Removing the session user, invalidating session."); session.removeAttribute(sessionAttrib); session.invalidate(); sessionUser = null; @@ -225,6 +233,8 @@ public abstract class BaseAuthenticationFilter if (sessionUser == null) { // If we have been authenticated by other means, just propagate through the user identity + if (getLogger().isDebugEnabled()) + getLogger().debug("Propagating through the user identity: " + userId); authenticationComponent.setCurrentUser(userId); session = httpServletRequest.getSession(); 
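Review bot: The message "We have a previously-cached user with the wrong identity - replace them." is emitted as soon as `userId != null`, before the check `sessionUser != null && !sessionUser.getUserName().equals(userId)` that actually establishes a mismatch, so it appears for every externally authenticated request, including those whose session user is correct or absent. The comment it replaced described the inner `if`; keep it as a comment and log once inside that block, e.g. `getLogger().debug("Session user does not match the remote user, invalidating session.");`. A log that reports identity mismatches that did not occur makes real session-replacement events hard to pick out during an investigation. The enclosing method starts and ends outside the hunk.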
@@ -319,6 +329,8 @@ public abstract class BaseAuthenticationFilter protected SessionUser createUserEnvironment(HttpSession session, final String userName, final String ticket, boolean externalAuth) throws IOException, ServletException { + if (getLogger().isDebugEnabled()) + getLogger().debug("Create the User environment for: " + userName); SessionUser user = doInSystemTransaction(new RetryingTransactionHelper.RetryingTransactionCallback() { public SessionUser execute() throws Throwable @@ -400,6 +412,8 @@ public abstract class BaseAuthenticationFilter protected boolean handleLoginForm(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { + if (getLogger().isDebugEnabled()) + getLogger().debug("Handling the login form."); // Invalidate current session HttpSession session = req.getSession(false); if (session != null) @@ -424,12 +438,16 @@ public abstract class BaseAuthenticationFilter if (username == null || username.length() == 0) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Username not specified in the login form."); res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Username not specified"); return false; } if (password == null) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Password not specified in the login form."); res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Password not specified"); return false; } @@ -442,10 +460,14 @@ public abstract class BaseAuthenticationFilter } catch (AuthenticationException e) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Login failed", e); res.sendError(HttpServletResponse.SC_FORBIDDEN, "Login failed"); } catch (JSONException jErr) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Unable to parse JSON POST body", jErr); res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unable to parse JSON POST body: " + jErr.getMessage()); } return false; 
diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java index 2c4bdc0b14..95256d04b5 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java @@ -319,6 +319,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica if (checkForTicketParameter(context, req, resp)) { // Filter validate hook + if (getLogger().isDebugEnabled()) + getLogger().debug("Authenticated with a ticket parameter."); onValidate( context, req, resp); // Chain to the next filter @@ -398,13 +400,15 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica { // Allow the user to access the requested page onValidate(context, req, resp); - + if (getLogger().isDebugEnabled()) + getLogger().debug("Authenticated through Kerberos."); return true; } else { // Send back a request for SPNEGO authentication - + if (getLogger().isDebugEnabled()) + getLogger().debug("Failed SPNEGO authentication."); restartLoginChallenge(context, req, resp); return false; } @@ -413,6 +417,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica { // Even though the user successfully authenticated, the ticket may not be granted, e.g. to // max user limit + if (getLogger().isDebugEnabled()) + getLogger().debug("Validate failed.", ex); onValidateFailed(context, req, resp, httpSess); return false; } 
@@ -462,13 +468,16 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { // Process the callback list - + if (getLogger().isDebugEnabled()) + getLogger().debug("Processing the JAAS callback list of " + callbacks.length + " items."); for (int i = 0; i < callbacks.length; i++) { // Request for user name if (callbacks[i] instanceof NameCallback) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Request for user name."); NameCallback cb = (NameCallback) callbacks[i]; cb.setName(m_accountName); } @@ -476,6 +485,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica // Request for password else if (callbacks[i] instanceof PasswordCallback) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Request for password."); PasswordCallback cb = (PasswordCallback) callbacks[i]; cb.setPassword(m_password.toCharArray()); } @@ -484,6 +495,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica else if (callbacks[i] instanceof RealmCallback) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Request for realm."); RealmCallback cb = (RealmCallback) callbacks[i]; cb.setText(m_krbRealm); } @@ -585,6 +598,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica HttpSession session = req.getSession(false); if (session != null) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Clearing session."); session.invalidate(); } logonStartAgain(context, req, resp); 
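Review bot: The three per-type messages added in handle() cover only the callbacks this handler answers; a callback type it does not recognise leaves no trace unless the branch outside this hunk logs it. A single line at the top of the loop body, `getLogger().debug("JAAS callback: " + callbacks[i].getClass().getName());`, would cover every type and replace the three guarded calls. The messages correctly name only the kind of request; a one-line comment above the loop stating that m_password must never be added to them would help keep it that way. The end of the loop is outside the hunk.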
@@ -600,6 +615,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica */ public void logonStartAgain(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException { + if (getLogger().isDebugEnabled()) + getLogger().debug("Issuing login challenge to browser."); // Force the logon to start again resp.setHeader("WWW-Authenticate", "Negotiate"); resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED); diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java index 3532bcebc8..39b5bce74b 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java @@ -717,6 +717,9 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication */ protected final boolean checkNTLMv1(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg, boolean checkLMHash) { + if (getLogger().isDebugEnabled()) + getLogger().debug(("Perform an NTLMv1 hashed password check.")); + // Generate the local encrypted password using the challenge that was sent to the client byte[] p21 = new byte[21]; byte[] md4byts = m_md4Encoder.decodeHash(md4hash); @@ -747,12 +750,14 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication if (i == clientHash.length) { - // Hashed passwords match + if (getLogger().isDebugEnabled()) + getLogger().debug(("Hashed passwords match.")); return true; } } - // Hashed passwords do not match + if (getLogger().isDebugEnabled()) + getLogger().debug(("Hashed passwords do not match.")); return false; } 
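Review bot: Every debug call added to BaseNTLMAuthenticationFilter wraps its argument in a redundant second pair of parentheses, as in `getLogger().debug(("Perform an NTLMv1 hashed password check."));`; write `getLogger().debug("Perform an NTLMv1 hashed password check.");` here and in the checkNTLMv2 and checkNTLMv2SessionKey hunks. The messages also carry no account or client identity, so the log cannot show which logon still relies on NTLMv1, the weakest of the three checks; if type3Msg exposes the account name it could be appended with line breaks stripped. The comparison loop of checkNTLMv1 lies outside the hunks.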
@@ -766,6 +771,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication */ protected final boolean checkNTLMv2(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg) { + if (getLogger().isDebugEnabled()) + getLogger().debug(("Perform an NTLMv2 check.")); boolean ntlmv2OK = false; boolean lmv2OK = false; @@ -792,8 +799,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication if (i == clientHmac.length) { - // HMAC matches the client, user authenticated - + if (getLogger().isDebugEnabled()) + getLogger().debug(("HMAC matches the client, user authenticated.")); ntlmv2OK = true; } } @@ -829,7 +836,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication if (i == lmv2Hmac.length) { - // LMv2 HMAC matches the client, user authenticated + if (getLogger().isDebugEnabled()) + getLogger().debug(("LMv2 HMAC matches the client, user authenticated.")); //return true; lmv2OK = true; @@ -862,6 +870,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication */ protected final boolean checkNTLMv2SessionKey(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg) { + if (getLogger().isDebugEnabled()) + getLogger().debug(("Perform an NTLMv2 session key check.")); // Create the value to be encrypted by appending the server challenge and client challenge // and applying an MD5 digest byte[] nonce = new byte[16]; @@ -921,12 +931,13 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication if (i == clientHash.length) { - // Hashed password check successful + if (getLogger().isDebugEnabled()) + getLogger().debug(("Hashed password check successful.")); return true; } } - - // Password check failed + if (getLogger().isDebugEnabled()) + getLogger().debug(("Password check failed.")); return false; } 
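Review bot: "HMAC matches the client, user authenticated." and "LMv2 HMAC matches the client, user authenticated." are logged at the points where ntlmv2OK and lmv2OK are merely set; checkNTLMv2's return statement is outside these hunks, so whether the user is in fact authenticated there cannot be confirmed from here. If the final result combines the flags or applies a further check, the log would claim a successful authentication that did not happen. Wording that states only what was compared is safer, e.g. `getLogger().debug("NTLMv2 HMAC matches the client.");`, with a single outcome message at the return. The commented-out `//return true;` left next to the new call in the LMv2 branch could be removed at the same time.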
diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java index e37ccc3b8b..697ffee0ff 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java @@ -264,6 +264,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt // If this isn't the same ticket, invalidate the session if (user != null && !ticket.equals(user.getTicket())) { + if (getLogger().isDebugEnabled()) + getLogger().debug("The ticket doesn't match, invalidate the session."); invalidateSession(req); user = null; } @@ -271,6 +273,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt // If we don't yet have a valid cached user, validate the ticket and create one if (user == null) { + if (getLogger().isDebugEnabled()) + getLogger().debug("There is no valid cached user, validate the ticket and create one."); authenticationService.validate(ticket); user = createUserEnvironment(req.getSession(), authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(), true); @@ -413,6 +417,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt protected synchronized String getServerName() { // Get the local server name, try the file server config first + if (getLogger().isDebugEnabled()) + getLogger().debug("Searching for local server name."); String srvName = null; if (serverConfiguration != null) { @@ -431,6 +437,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt } m_lastResolvedServerName = null; + if (getLogger().isDebugEnabled()) + getLogger().debug("Found server name in the file server configuration: " + srvName); m_lastConfiguredServerName = srvName; if (serverConfiguration != null) { 
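Review bot: `"Found server name in the file server configuration: " + srvName` is logged unconditionally on this path, yet the visible context initialises srvName to null and assigns it only inside `if (serverConfiguration != null)`, so the line can read "...configuration: null" while claiming a name was found. Guard it, e.g. `if (srvName != null && getLogger().isDebugEnabled())`, or reword it to "Configured server name: ". The part of getServerName between the two hunks is not visible, so the exact condition should be checked against the full method.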
@@ -441,7 +449,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt InetAddress resolved = InetAddress.getByName(m_lastConfiguredServerName); if (resolved == null) { - // Failed to resolve the configured name + if (getLogger().isDebugEnabled()) + getLogger().debug("Failed to resolve the configured name."); m_lastResolvedServerName = serverConfiguration.getLocalServerName(true); } @@ -478,6 +487,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt m_lastResolvedServerName = InetAddress.getLocalHost().getHostName(); + if (getLogger().isInfoEnabled()) + getLogger().info("Found FQDN " + m_lastResolvedServerName); // Strip any domain name int pos = m_lastResolvedServerName.indexOf(".");
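Review bot: The "Found FQDN" line is the only message in the commit written with `isInfoEnabled()`/`info(...)`; every other addition is debug, so the host name is likely to reach logs at a typical production level while the rest of the trace does not. If that is not intended, use `getLogger().debug("Found FQDN " + m_lastResolvedServerName);` under an `isDebugEnabled()` guard. The text also calls the value an FQDN, but `InetAddress.getLocalHost().getHostName()` may return a short name and the following lines strip the domain anyway; "Resolved local host name" would be more accurate. The rest of getServerName is outside the hunk.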