mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-14 17:58:59 +00:00
Merged V4.1-BUG-FIX to HEAD
42804: Merged BRANCHES/DEV/BELARUS/V4.1-BUG-FIX-2012_10_17 to BRANCHES/DEV/V4.1-BUG-FIX:
42748: ALF-14200: Adding Invalid Aspects Via CMIS ATOM API Results in NullPointerException
42810: Fix for ALF-15276 - sys:locale Attribute No Longer Available From jsnode
42814: ALF-15276 - small improvement to remove duplicated data from response
42824: ALF-15048: Merged PATCHES/V4.0.2 to V4.1-BUG-FIX
42724: ALF-16048: CLONE - Version history doesn't go beyond two versions (0.1 and 0.2) when dragged and dropped via CIFS from Mac Lion OSx
42739: ALF-16048: New files missing from previous check in
42742: ALF-16048: Another missing file.
42839: ALF-16417: Fix "Hybrid Sync - can retain invalid cloud tickets in a local cache"
- retry once for invalid auth
- also externalise the implicit/default cache config
42849: NodeDAO: Added new method to retrieve specific store ID
- public Pair<Long, StoreRef> getStore(StoreRef storeRef);
42857: Merged DEV to V4.1-BUG-FIX
42821: ALF-13506 : WCMQS Example Application Caching Causes Changes to Inconsistently Appear on the Editorial Web Site
Concurrency was improved for AssetImpl class.
The returned values of the collections were made unmodifiable in the classes which implement Resource interface.
42872: ALF-15601: "Performance issue using CMIS method getChildren() - gets version history"
- avoids getting the version history (an expensive operation) if possible i.e. in the case of current version (live) nodes like for getChildren
42900: Merged DEV to V4.1-BUG-FIX
42734: ALF-15335 : 'external' authentication subsystem debug information too scarce
Extended debug information in the authentication subsystem.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@42904 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Dave Ward
@@ -101,6 +101,9 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De
|
||||
public void doFilter(ServletContext context, ServletRequest req, ServletResponse resp, FilterChain chain)
|
||||
throws IOException, ServletException
|
||||
{
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("Entering AuthenticationFilter.");
|
||||
|
||||
// Assume it's an HTTP request
|
||||
|
||||
HttpServletRequest httpReq = (HttpServletRequest) req;
|
||||
@@ -111,13 +114,16 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De
|
||||
|
||||
if (user == null)
|
||||
{
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("There is no user in the session.");
|
||||
// Get the authorization header
|
||||
|
||||
String authHdr = httpReq.getHeader("Authorization");
|
||||
|
||||
if ( authHdr != null && authHdr.length() > 5 && authHdr.substring(0,5).equalsIgnoreCase("BASIC"))
|
||||
{
|
||||
// Basic authentication details present
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("Basic authentication details present in the header.");
|
||||
byte[] encodedString = Base64.decodeBase64(authHdr.substring(5).getBytes());
|
||||
|
||||
// ALF-13621: Due to browser inconsistencies we have to try a fallback path of encodings
|
||||
@@ -160,15 +166,18 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De
|
||||
}
|
||||
catch (CharacterCodingException e)
|
||||
{
|
||||
// Didn't decode using this charset. Try the next one or fail
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("Didn't decode using " + decoder.getClass().getName(), e);
|
||||
}
|
||||
catch (AuthenticationException ex)
|
||||
{
|
||||
// Do nothing, user object will be null
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("Authentication error ", ex);
|
||||
}
|
||||
catch (NoSuchPersonException e)
|
||||
{
|
||||
// Do nothing, user object will be null
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("There is no such person error ", e);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -208,7 +217,8 @@ public class AuthenticationFilter extends BaseAuthenticationFilter implements De
|
||||
|
||||
if ( user == null)
|
||||
{
|
||||
// No user/ticket, force the client to prompt for logon details
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("No user/ticket, force the client to prompt for logon details.");
|
||||
|
||||
httpResp.setHeader("WWW-Authenticate", "BASIC realm=\"Alfresco DAV Server\"");
|
||||
httpResp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
|
||||
@@ -192,6 +192,8 @@ public abstract class BaseAuthenticationFilter
|
||||
&& (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive()))
|
||||
{
|
||||
userId = remoteUserMapper.getRemoteUser(httpServletRequest);
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Found a remote user: " + userId);
|
||||
}
|
||||
|
||||
String sessionAttrib = getUserAttributeName();
|
||||
@@ -201,12 +203,15 @@ public abstract class BaseAuthenticationFilter
|
||||
{
|
||||
try
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Found a session user: " + sessionUser.getUserName());
|
||||
authenticationService.validate(sessionUser.getTicket());
|
||||
setExternalAuth(session, externalAuth);
|
||||
}
|
||||
catch (AuthenticationException e)
|
||||
{
|
||||
// The ticket may have expired or the person could have been removed
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("The ticket may have expired or the person could have been removed, invalidating session.", e);
|
||||
invalidateSession(httpServletRequest);
|
||||
sessionUser = null;
|
||||
}
|
||||
@@ -214,9 +219,12 @@ public abstract class BaseAuthenticationFilter
|
||||
|
||||
if (userId != null)
|
||||
{
|
||||
// We have a previously-cached user with the wrong identity - replace them
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("We have a previously-cached user with the wrong identity - replace them.");
|
||||
if (sessionUser != null && !sessionUser.getUserName().equals(userId))
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Removing the session user, invalidating session.");
|
||||
session.removeAttribute(sessionAttrib);
|
||||
session.invalidate();
|
||||
sessionUser = null;
|
||||
@@ -225,6 +233,8 @@ public abstract class BaseAuthenticationFilter
|
||||
if (sessionUser == null)
|
||||
{
|
||||
// If we have been authenticated by other means, just propagate through the user identity
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Propagating through the user identity: " + userId);
|
||||
authenticationComponent.setCurrentUser(userId);
|
||||
session = httpServletRequest.getSession();
|
||||
|
||||
@@ -319,6 +329,8 @@ public abstract class BaseAuthenticationFilter
|
||||
protected SessionUser createUserEnvironment(HttpSession session, final String userName, final String ticket, boolean externalAuth)
|
||||
throws IOException, ServletException
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Create the User environment for: " + userName);
|
||||
SessionUser user = doInSystemTransaction(new RetryingTransactionHelper.RetryingTransactionCallback<SessionUser>()
|
||||
{
|
||||
public SessionUser execute() throws Throwable
|
||||
@@ -400,6 +412,8 @@ public abstract class BaseAuthenticationFilter
|
||||
protected boolean handleLoginForm(HttpServletRequest req, HttpServletResponse res) throws IOException,
|
||||
ServletException
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Handling the login form.");
|
||||
// Invalidate current session
|
||||
HttpSession session = req.getSession(false);
|
||||
if (session != null)
|
||||
@@ -424,12 +438,16 @@ public abstract class BaseAuthenticationFilter
|
||||
|
||||
if (username == null || username.length() == 0)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Username not specified in the login form.");
|
||||
res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Username not specified");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (password == null)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Password not specified in the login form.");
|
||||
res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Password not specified");
|
||||
return false;
|
||||
}
|
||||
@@ -442,10 +460,14 @@ public abstract class BaseAuthenticationFilter
|
||||
}
|
||||
catch (AuthenticationException e)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Login failed", e);
|
||||
res.sendError(HttpServletResponse.SC_FORBIDDEN, "Login failed");
|
||||
}
|
||||
catch (JSONException jErr)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Unable to parse JSON POST body", jErr);
|
||||
res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unable to parse JSON POST body: " + jErr.getMessage());
|
||||
}
|
||||
return false;
|
||||
|
||||
@@ -319,6 +319,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
if (checkForTicketParameter(context, req, resp))
|
||||
{
|
||||
// Filter validate hook
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Authenticated with a ticket parameter.");
|
||||
onValidate( context, req, resp);
|
||||
|
||||
// Chain to the next filter
|
||||
@@ -398,13 +400,15 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
{
|
||||
// Allow the user to access the requested page
|
||||
onValidate(context, req, resp);
|
||||
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Authenticated through Kerberos.");
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
// Send back a request for SPNEGO authentication
|
||||
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Failed SPNEGO authentication.");
|
||||
restartLoginChallenge(context, req, resp);
|
||||
return false;
|
||||
}
|
||||
@@ -413,6 +417,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
{
|
||||
// Even though the user successfully authenticated, the ticket may not be granted, e.g. to
|
||||
// max user limit
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Validate failed.", ex);
|
||||
onValidateFailed(context, req, resp, httpSess);
|
||||
return false;
|
||||
}
|
||||
@@ -462,13 +468,16 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
|
||||
{
|
||||
// Process the callback list
|
||||
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Processing the JAAS callback list of " + callbacks.length + " items.");
|
||||
for (int i = 0; i < callbacks.length; i++)
|
||||
{
|
||||
// Request for user name
|
||||
|
||||
if (callbacks[i] instanceof NameCallback)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Request for user name.");
|
||||
NameCallback cb = (NameCallback) callbacks[i];
|
||||
cb.setName(m_accountName);
|
||||
}
|
||||
@@ -476,6 +485,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
// Request for password
|
||||
else if (callbacks[i] instanceof PasswordCallback)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Request for password.");
|
||||
PasswordCallback cb = (PasswordCallback) callbacks[i];
|
||||
cb.setPassword(m_password.toCharArray());
|
||||
}
|
||||
@@ -484,6 +495,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
|
||||
else if (callbacks[i] instanceof RealmCallback)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Request for realm.");
|
||||
RealmCallback cb = (RealmCallback) callbacks[i];
|
||||
cb.setText(m_krbRealm);
|
||||
}
|
||||
@@ -585,6 +598,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
HttpSession session = req.getSession(false);
|
||||
if (session != null)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Clearing session.");
|
||||
session.invalidate();
|
||||
}
|
||||
logonStartAgain(context, req, resp);
|
||||
@@ -600,6 +615,8 @@ public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthentica
|
||||
*/
|
||||
public void logonStartAgain(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Issuing login challenge to browser.");
|
||||
// Force the logon to start again
|
||||
resp.setHeader("WWW-Authenticate", "Negotiate");
|
||||
resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
|
||||
@@ -717,6 +717,9 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication
|
||||
*/
|
||||
protected final boolean checkNTLMv1(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg, boolean checkLMHash)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("Perform an NTLMv1 hashed password check."));
|
||||
|
||||
// Generate the local encrypted password using the challenge that was sent to the client
|
||||
byte[] p21 = new byte[21];
|
||||
byte[] md4byts = m_md4Encoder.decodeHash(md4hash);
|
||||
@@ -747,12 +750,14 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication
|
||||
|
||||
if (i == clientHash.length)
|
||||
{
|
||||
// Hashed passwords match
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("Hashed passwords match."));
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
// Hashed passwords do not match
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("Hashed passwords do not match."));
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -766,6 +771,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication
|
||||
*/
|
||||
protected final boolean checkNTLMv2(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("Perform an NTLMv2 check."));
|
||||
boolean ntlmv2OK = false;
|
||||
boolean lmv2OK = false;
|
||||
|
||||
@@ -792,8 +799,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication
|
||||
|
||||
if (i == clientHmac.length)
|
||||
{
|
||||
// HMAC matches the client, user authenticated
|
||||
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("HMAC matches the client, user authenticated."));
|
||||
ntlmv2OK = true;
|
||||
}
|
||||
}
|
||||
@@ -829,7 +836,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication
|
||||
|
||||
if (i == lmv2Hmac.length)
|
||||
{
|
||||
// LMv2 HMAC matches the client, user authenticated
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("LMv2 HMAC matches the client, user authenticated."));
|
||||
|
||||
//return true;
|
||||
lmv2OK = true;
|
||||
@@ -862,6 +870,8 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication
|
||||
*/
|
||||
protected final boolean checkNTLMv2SessionKey(String md4hash, byte[] challenge, Type3NTLMMessage type3Msg)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("Perform an NTLMv2 session key check."));
|
||||
// Create the value to be encrypted by appending the server challenge and client challenge
|
||||
// and applying an MD5 digest
|
||||
byte[] nonce = new byte[16];
|
||||
@@ -921,12 +931,13 @@ public abstract class BaseNTLMAuthenticationFilter extends BaseSSOAuthentication
|
||||
|
||||
if (i == clientHash.length)
|
||||
{
|
||||
// Hashed password check successful
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("Hashed password check successful."));
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
// Password check failed
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug(("Password check failed."));
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
@@ -264,6 +264,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
||||
// If this isn't the same ticket, invalidate the session
|
||||
if (user != null && !ticket.equals(user.getTicket()))
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("The ticket doesn't match, invalidate the session.");
|
||||
invalidateSession(req);
|
||||
user = null;
|
||||
}
|
||||
@@ -271,6 +273,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
||||
// If we don't yet have a valid cached user, validate the ticket and create one
|
||||
if (user == null)
|
||||
{
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("There is no valid cached user, validate the ticket and create one.");
|
||||
authenticationService.validate(ticket);
|
||||
user = createUserEnvironment(req.getSession(), authenticationService.getCurrentUserName(),
|
||||
authenticationService.getCurrentTicket(), true);
|
||||
@@ -413,6 +417,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
||||
protected synchronized String getServerName()
|
||||
{
|
||||
// Get the local server name, try the file server config first
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Searching for local server name.");
|
||||
String srvName = null;
|
||||
if (serverConfiguration != null)
|
||||
{
|
||||
@@ -431,6 +437,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
||||
}
|
||||
|
||||
m_lastResolvedServerName = null;
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Found server name in the file server configuration: " + srvName);
|
||||
m_lastConfiguredServerName = srvName;
|
||||
if (serverConfiguration != null)
|
||||
{
|
||||
@@ -441,7 +449,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
||||
InetAddress resolved = InetAddress.getByName(m_lastConfiguredServerName);
|
||||
if (resolved == null)
|
||||
{
|
||||
// Failed to resolve the configured name
|
||||
if (getLogger().isDebugEnabled())
|
||||
getLogger().debug("Failed to resolve the configured name.");
|
||||
|
||||
m_lastResolvedServerName = serverConfiguration.getLocalServerName(true);
|
||||
}
|
||||
@@ -478,6 +487,8 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
||||
|
||||
m_lastResolvedServerName = InetAddress.getLocalHost().getHostName();
|
||||
|
||||
if (getLogger().isInfoEnabled())
|
||||
getLogger().info("Found FQDN " + m_lastResolvedServerName);
|
||||
// Strip any domain name
|
||||
|
||||
int pos = m_lastResolvedServerName.indexOf(".");
|
||||
|
||||
Reference in New Issue
Block a user