From cd46ad7f7343b547af9b41840ebc95ab0da5041d Mon Sep 17 00:00:00 2001 
From: Dave Ward Date: Sun, 21 Oct 2012 18:09:03 +0000 Subject: [PATCH] Merged V4.1-BUG-FIX to HEAD 42804: Merged BRANCHES/DEV/BELARUS/V4.1-BUG-FIX-2012_10_17 to BRANCHES/DEV/V4.1-BUG-FIX: 42748: ALF-14200: Adding Invalid Aspects Via CMIS ATOM API Results in NullPointerException 42810: Fix for ALF-15276 - sys:locale Attribute No Longer Available From jsnode 42814: ALF-15276 - small improvement to remove duplicated data from response 42824: ALF-15048: Merged PATCHES/V4.0.2 to V4.1-BUG-FIX 42724: ALF-16048: CLONE - Version history doesn't go beyond two versions (0.1 and 0.2) when dragged and dropped via CIFS from Mac Lion OSx 42739: ALF-16048: New files missing from previous check in 42742: ALF-16048: Another missing file. 42839: ALF-16417: Fix "Hybrid Sync - can retain invalid cloud tickets in a local cache" - retry once for invalid auth - also externalise the implicit/default cache config 42849: NodeDAO: Added new method to retrieve specific store ID - public Pair getStore(StoreRef storeRef); 42857: Merged DEV to V4.1-BUG-FIX 42821: ALF-13506 : WCMQS Example Application Caching Causes Changes to Inconsistently Appear on the Editorial Web Site Concurrency was improved for AssetImpl class. The returned values of the collections were made unmodifiable in the classes which implement Resource interface. 42872: ALF-15601: "Performance issue using CMIS method getChildren() - gets version history" - avoids getting the version history (an expensive operation) if possible i.e. in the case of current version (live) nodes like for getChildren 42900: Merged DEV to V4.1-BUG-FIX 42734: ALF-15335 : 'external' authentication subsystem debug information too scarce Extended debug information in the authentication subsystem. 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@42904 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../webdav/auth/AuthenticationFilter.java | 20 ++++++++++---- .../webdav/auth/BaseAuthenticationFilter.java | 26 ++++++++++++++++-- .../BaseKerberosAuthenticationFilter.java | 23 +++++++++++++--- .../auth/BaseNTLMAuthenticationFilter.java | 27 +++++++++++++------ .../auth/BaseSSOAuthenticationFilter.java | 13 ++++++++- 5 files changed, 90 insertions(+), 19 deletions(-) diff --git a/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java index e759c4facc..dff44b42dc 100644 --- a/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/AuthenticationFilter.java @@ -101,6 +101,9 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De public void doFilter(ServletContext context, ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException { + if (logger.isDebugEnabled()) + logger.debug("Entering AuthenticationFilter."); + // Assume it's an HTTP request HttpServletRequest httpReq = (HttpServletRequest) req; @@ -111,13 +114,16 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De if (user == null) { + if (logger.isDebugEnabled()) + logger.debug("There is no user in the session."); // Get the authorization header String authHdr = httpReq.getHeader("Authorization"); if ( authHdr != null && authHdr.length() > 5 && authHdr.substring(0,5).equalsIgnoreCase("BASIC")) { - // Basic authentication details present + if (logger.isDebugEnabled()) + logger.debug("Basic authentication details present in the header."); byte[] encodedString = Base64.decodeBase64(authHdr.substring(5).getBytes()); // ALF-13621: Due to browser inconsistencies we have to try a fallback path of encodings 
@@ -160,15 +166,18 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De } catch (CharacterCodingException e) { - // Didn't decode using this charset. Try the next one or fail + if (logger.isDebugEnabled()) + logger.debug("Didn't decode using " + decoder.getClass().getName(), e); } catch (AuthenticationException ex) { - // Do nothing, user object will be null + if (logger.isDebugEnabled()) + logger.debug("Authentication error ", ex); } catch (NoSuchPersonException e) { - // Do nothing, user object will be null + if (logger.isDebugEnabled()) + logger.debug("There is no such person error ", e); } } } @@ -208,7 +217,8 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De if ( user == null) { - // No user/ticket, force the client to prompt for logon details + if (logger.isDebugEnabled()) + logger.debug("No user/ticket, force the client to prompt for logon details."); httpResp.setHeader("WWW-Authenticate", "BASIC realm=\"Alfresco DAV Server\""); httpResp.setStatus(HttpServletResponse.SC_UNAUTHORIZED); diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java index 5d2d3e35d8..7da8d80f80 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseAuthenticationFilter.java @@ -192,6 +192,8 @@ public abstract class BaseAuthenticationFilter && (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive())) { userId = remoteUserMapper.getRemoteUser(httpServletRequest); + if (getLogger().isDebugEnabled()) + getLogger().debug("Found a remote user: " + userId); } String sessionAttrib = getUserAttributeName(); 
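Review bot: In the `CharacterCodingException` catch of `doFilter`, `decoder.getClass().getName()` logs the decoder's implementation class rather than the charset that failed, which is what someone debugging the ALF-13621 encoding fallback needs. If `decoder` is a `java.nio.charset.CharsetDecoder` (its declaration is outside the hunk), `logger.debug("Didn't decode using " + decoder.charset().name(), e);` names the charset directly. The three replaced comments also said why these exceptions are deliberately swallowed; keeping `// user object will be null` beside the log calls preserves that.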
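Review bot: `userId` in `"Found a remote user: " + userId` comes straight from `remoteUserMapper.getRemoteUser(httpServletRequest)` and is logged unmodified, so a value containing CR or LF could forge extra log entries if the mapper takes it from request data. The mapper implementation is not visible here, so that needs confirming. The message is also emitted when the mapper returns null, giving `Found a remote user: null`. Adding `userId != null` to the guard and neutralising line breaks, e.g. `userId.replaceAll("[\r\n]", "_")`, would address both. The same concatenation recurs in the `Propagating through the user identity` and `Create the User environment for` messages later in this file.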
@@ -201,12 +203,15 @@ public abstract class BaseAuthenticationFilter { try { + if (getLogger().isDebugEnabled()) + getLogger().debug("Found a session user: " + sessionUser.getUserName()); authenticationService.validate(sessionUser.getTicket()); setExternalAuth(session, externalAuth); } catch (AuthenticationException e) { - // The ticket may have expired or the person could have been removed + if (getLogger().isDebugEnabled()) + getLogger().debug("The ticket may have expired or the person could have been removed, invalidating session.", e); invalidateSession(httpServletRequest); sessionUser = null; } @@ -214,9 +219,12 @@ public abstract class BaseAuthenticationFilter if (userId != null) { - // We have a previously-cached user with the wrong identity - replace them + if (getLogger().isDebugEnabled()) + getLogger().debug("We have a previously-cached user with the wrong identity - replace them."); if (sessionUser != null && !sessionUser.getUserName().equals(userId)) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Removing the session user, invalidating session."); session.removeAttribute(sessionAttrib); session.invalidate(); sessionUser = null; @@ -225,6 +233,8 @@ public abstract class BaseAuthenticationFilter if (sessionUser == null) { // If we have been authenticated by other means, just propagate through the user identity + if (getLogger().isDebugEnabled()) + getLogger().debug("Propagating through the user identity: " + userId); authenticationComponent.setCurrentUser(userId); session = httpServletRequest.getSession(); 
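Review bot: In the `@@ -214,9` hunk the message `We have a previously-cached user with the wrong identity - replace them.` is logged as soon as `userId != null`, before the `sessionUser != null && !sessionUser.getUserName().equals(userId)` test that actually establishes a mismatch. Every request carrying a remote user will therefore report a wrong-identity session in the debug log, which makes real session replacements hard to spot. The original comment described the following `if`; restoring it as `// We have a previously-cached user with the wrong identity - replace them` and keeping only the inner `Removing the session user, invalidating session.` call gives an accurate trail. The enclosing method starts and ends outside the hunk.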
@@ -319,6 +329,8 @@ public abstract class BaseAuthenticationFilter protected SessionUser createUserEnvironment(HttpSession session, final String userName, final String ticket, boolean externalAuth) throws IOException, ServletException { + if (getLogger().isDebugEnabled()) + getLogger().debug("Create the User environment for: " + userName); SessionUser user = doInSystemTransaction(new RetryingTransactionHelper.RetryingTransactionCallback() { public SessionUser execute() throws Throwable @@ -400,6 +412,8 @@ public abstract class BaseAuthenticationFilter protected boolean handleLoginForm(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { + if (getLogger().isDebugEnabled()) + getLogger().debug("Handling the login form."); // Invalidate current session HttpSession session = req.getSession(false); if (session != null) @@ -424,12 +438,16 @@ public abstract class BaseAuthenticationFilter if (username == null || username.length() == 0) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Username not specified in the login form."); res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Username not specified"); return false; } if (password == null) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Password not specified in the login form."); res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Password not specified"); return false; } @@ -442,10 +460,14 @@ public abstract class BaseAuthenticationFilter } catch (AuthenticationException e) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Login failed", e); res.sendError(HttpServletResponse.SC_FORBIDDEN, "Login failed"); } catch (JSONException jErr) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Unable to parse JSON POST body", jErr); res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unable to parse JSON POST body: " + jErr.getMessage()); } return false; 
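Review bot: The `AuthenticationException` catch in `handleLoginForm` records `Login failed` only at debug level and without the account or client involved, so with normal production logging a run of failed form logins leaves no trace for detection. Consider a warn-level entry carrying the submitted user name (with CR/LF neutralised) and `req.getRemoteAddr()`, for example `getLogger().warn("Login failed for user " + safeUser + " from " + req.getRemoteAddr());`, and keep the stack trace at debug. `safeUser` stands for a sanitised copy of `username`, which is visible only in the earlier `@@ -424,12` hunk; whether it is still in scope in the catch block cannot be seen from the diff.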
diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java index 2c4bdc0b14..95256d04b5 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.java @@ -319,6 +319,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica if (checkForTicketParameter(context, req, resp)) { // Filter validate hook + if (getLogger().isDebugEnabled()) + getLogger().debug("Authenticated with a ticket parameter."); onValidate( context, req, resp); // Chain to the next filter @@ -398,13 +400,15 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica { // Allow the user to access the requested page onValidate(context, req, resp); - + if (getLogger().isDebugEnabled()) + getLogger().debug("Authenticated through Kerberos."); return true; } else { // Send back a request for SPNEGO authentication - + if (getLogger().isDebugEnabled()) + getLogger().debug("Failed SPNEGO authentication."); restartLoginChallenge(context, req, resp); return false; } @@ -413,6 +417,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica { // Even though the user successfully authenticated, the ticket may not be granted, e.g. to // max user limit + if (getLogger().isDebugEnabled()) + getLogger().debug("Validate failed.", ex); onValidateFailed(context, req, resp, httpSess); return false; } 
@@ -462,13 +468,16 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { // Process the callback list - + if (getLogger().isDebugEnabled()) + getLogger().debug("Processing the JAAS callback list of " + callbacks.length + " items."); for (int i = 0; i < callbacks.length; i++) { // Request for user name if (callbacks[i] instanceof NameCallback) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Request for user name."); NameCallback cb = (NameCallback) callbacks[i]; cb.setName(m_accountName); } @@ -476,6 +485,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica // Request for password else if (callbacks[i] instanceof PasswordCallback) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Request for password."); PasswordCallback cb = (PasswordCallback) callbacks[i]; cb.setPassword(m_password.toCharArray()); } @@ -484,6 +495,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica else if (callbacks[i] instanceof RealmCallback) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Request for realm."); RealmCallback cb = (RealmCallback) callbacks[i]; cb.setText(m_krbRealm); } @@ -585,6 +598,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica HttpSession session = req.getSession(false); if (session != null) { + if (getLogger().isDebugEnabled()) + getLogger().debug("Clearing session."); session.invalidate(); } logonStartAgain(context, req, resp); 
@@ -600,6 +615,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica */ public void logonStartAgain(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException { + if (getLogger().isDebugEnabled()) + getLogger().debug("Issuing login challenge to browser."); // Force the logon to start again resp.setHeader("WWW-Authenticate", "Negotiate"); resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED); diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java index 3532bcebc8..39b5bce74b 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseNTLMAuthenticationFilter.java @@ -717,6 +717,9 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication */ protected final boolean checkNTLMv1(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg, boolean checkLMHash) { + if (getLogger().isDebugEnabled()) + getLogger().debug(("Perform an NTLMv1 hashed password check.")); + // Generate the local encrypted password using the challenge that was sent to the client byte[] p21 = new byte[21]; byte[] md4byts = m_md4Encoder.decodeHash(md4hash); @@ -747,12 +750,14 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication if (i == clientHash.length) { - // Hashed passwords match + if (getLogger().isDebugEnabled()) + getLogger().debug(("Hashed passwords match.")); return true; } } - // Hashed passwords do not match + if (getLogger().isDebugEnabled()) + getLogger().debug(("Hashed passwords do not match.")); return false; } 
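Review bot: `checkNTLMv1` decides a match with `if (i == clientHash.length)`, which suggests an index loop (outside the hunk) that stops at the first differing byte. If so, `java.security.MessageDigest.isEqual(...)` on the two arrays would make the comparison constant-time and remove the manual loop. Separately, the added calls are written `getLogger().debug(("..."))` with a redundant pair of parentheses, here and in every other hunk of this file; `getLogger().debug("Hashed passwords match.");` is the usual form.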
@@ -766,6 +771,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication */ protected final boolean checkNTLMv2(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg) { + if (getLogger().isDebugEnabled()) + getLogger().debug(("Perform an NTLMv2 check.")); boolean ntlmv2OK = false; boolean lmv2OK = false; @@ -792,8 +799,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication if (i == clientHmac.length) { - // HMAC matches the client, user authenticated - + if (getLogger().isDebugEnabled()) + getLogger().debug(("HMAC matches the client, user authenticated.")); ntlmv2OK = true; } } @@ -829,7 +836,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication if (i == lmv2Hmac.length) { - // LMv2 HMAC matches the client, user authenticated + if (getLogger().isDebugEnabled()) + getLogger().debug(("LMv2 HMAC matches the client, user authenticated.")); //return true; lmv2OK = true; @@ -862,6 +870,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication */ protected final boolean checkNTLMv2SessionKey(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg) { + if (getLogger().isDebugEnabled()) + getLogger().debug(("Perform an NTLMv2 session key check.")); // Create the value to be encrypted by appending the server challenge and client challenge // and applying an MD5 digest byte[] nonce = new byte[16]; @@ -921,12 +931,13 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication if (i == clientHash.length) { - // Hashed password check successful + if (getLogger().isDebugEnabled()) + getLogger().debug(("Hashed password check successful.")); return true; } } - - // Password check failed + if (getLogger().isDebugEnabled()) + getLogger().debug(("Password check failed.")); return false; } 
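Review bot: In `checkNTLMv2` the messages `HMAC matches the client, user authenticated.` and `LMv2 HMAC matches the client, user authenticated.` are logged where the code only sets `ntlmv2OK` / `lmv2OK`. The method's return statement is outside these hunks, so the log can announce an authenticated user before the result is decided. Wording such as `getLogger().debug("NTLMv2 HMAC matches the client response.");` states only what has been established at that point. The commented-out `//return true;` beside `lmv2OK = true;` is dead code and could be dropped in the same pass.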
diff --git a/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java b/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java index e37ccc3b8b..697ffee0ff 100644 --- a/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java +++ b/source/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java @@ -264,6 +264,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt // If this isn't the same ticket, invalidate the session if (user != null && !ticket.equals(user.getTicket())) { + if (getLogger().isDebugEnabled()) + getLogger().debug("The ticket doesn't match, invalidate the session."); invalidateSession(req); user = null; } @@ -271,6 +273,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt // If we don't yet have a valid cached user, validate the ticket and create one if (user == null) { + if (getLogger().isDebugEnabled()) + getLogger().debug("There is no valid cached user, validate the ticket and create one."); authenticationService.validate(ticket); user = createUserEnvironment(req.getSession(), authenticationService.getCurrentUserName(), authenticationService.getCurrentTicket(), true); @@ -413,6 +417,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt protected synchronized String getServerName() { // Get the local server name, try the file server config first + if (getLogger().isDebugEnabled()) + getLogger().debug("Searching for local server name."); String srvName = null; if (serverConfiguration != null) { @@ -431,6 +437,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt } m_lastResolvedServerName = null; + if (getLogger().isDebugEnabled()) + getLogger().debug("Found server name in the file server configuration: " + srvName); m_lastConfiguredServerName = srvName; if (serverConfiguration != null) { 
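Review bot: In the `@@ -431,6` hunk of `getServerName`, the message `Found server name in the file server configuration: ` plus `srvName` is logged unconditionally just before `m_lastConfiguredServerName = srvName;`. Yet `srvName` starts as null and is only filled inside `if (serverConfiguration != null)`. Part of that block is outside the hunk, so it looks as if the log can read `... configuration: null` when no file server configuration exists. Guarding it with `if (srvName != null && getLogger().isDebugEnabled())` keeps the message truthful.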
@@ -441,7 +449,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt InetAddress resolved = InetAddress.getByName(m_lastConfiguredServerName); if (resolved == null) { - // Failed to resolve the configured name + if (getLogger().isDebugEnabled()) + getLogger().debug("Failed to resolve the configured name."); m_lastResolvedServerName = serverConfiguration.getLocalServerName(true); } @@ -478,6 +487,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt m_lastResolvedServerName = InetAddress.getLocalHost().getHostName(); + if (getLogger().isInfoEnabled()) + getLogger().info("Found FQDN " + m_lastResolvedServerName); // Strip any domain name int pos = m_lastResolvedServerName.indexOf(".");
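Review bot: The added `Failed to resolve the configured name.` message sits in the `if (resolved == null)` branch, but `InetAddress.getByName` does not return null; it throws `UnknownHostException` on failure. Neither the log call nor the fallback to `serverConfiguration.getLocalServerName(true)` therefore appears reachable. The failure message belongs in the handler for that exception, which is not visible in this hunk. In the `@@ -478,6` hunk, `Found FQDN` is logged at info while every other message in the commit is debug; if that is intentional, a short comment saying why would help.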