mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-21 18:09:20 +00:00
Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud)
90921: MNT-12765 - No endpoints can be configured in Share that use external-auth and a different URL - as they will be redirected down the URL for 'alfresco' endpoint.
Merged PROPERTY_GROUP_PROTOTYPING (5.0/Cloud) to HEAD-BUG-FIX (5.0/Cloud)
90742: Refactoring of SSO paths
- Added Session User authentication support to RemoteUserAuthenticatorFactory - so can use cookie based auth for example with Public API route.
- Tidy up of common duplicated code constants e.g. _alfAuthTicket
- Added Global Authentication Filter around the /api/* endpoint to allow SSO active over Public API
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@94744 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
@@ -18,11 +18,17 @@
|
|||||||
*/
|
*/
|
||||||
package org.alfresco.repo.web.scripts.servlet;
|
package org.alfresco.repo.web.scripts.servlet;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpSession;
|
||||||
|
|
||||||
|
import org.alfresco.repo.SessionUser;
|
||||||
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
||||||
import org.alfresco.repo.security.authentication.AuthenticationComponent;
|
import org.alfresco.repo.security.authentication.AuthenticationComponent;
|
||||||
|
import org.alfresco.repo.security.authentication.AuthenticationException;
|
||||||
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
|
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
|
||||||
import org.alfresco.repo.web.auth.AuthenticationListener;
|
import org.alfresco.repo.web.auth.AuthenticationListener;
|
||||||
import org.alfresco.repo.web.auth.TicketCredentials;
|
import org.alfresco.repo.web.auth.TicketCredentials;
|
||||||
|
import org.alfresco.repo.web.auth.WebCredentials;
|
||||||
|
import org.alfresco.repo.webdav.auth.AuthenticationDriver;
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
import org.springframework.extensions.webscripts.Authenticator;
|
import org.springframework.extensions.webscripts.Authenticator;
|
||||||
@@ -80,18 +86,54 @@ public class RemoteUserAuthenticatorFactory extends BasicHttpAuthenticatorFactor
|
|||||||
@Override
|
@Override
|
||||||
public boolean authenticate(RequiredAuthentication required, boolean isGuest)
|
public boolean authenticate(RequiredAuthentication required, boolean isGuest)
|
||||||
{
|
{
|
||||||
|
boolean authenticated = false;
|
||||||
|
|
||||||
// retrieve the remote user if configured and available - authenticate that user directly
|
// retrieve the remote user if configured and available - authenticate that user directly
|
||||||
final String userId = getRemoteUser();
|
final String userId = getRemoteUser();
|
||||||
if (userId != null)
|
if (userId != null)
|
||||||
{
|
{
|
||||||
authenticationComponent.setCurrentUser(userId);
|
authenticationComponent.setCurrentUser(userId);
|
||||||
listener.userAuthenticated(new TicketCredentials(authenticationService.getCurrentTicket()));
|
listener.userAuthenticated(new TicketCredentials(authenticationService.getCurrentTicket()));
|
||||||
return true;
|
authenticated = true;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
return super.authenticate(required, isGuest);
|
// is there a Session which might contain a valid user ticket?
|
||||||
|
HttpSession session = servletReq.getHttpServletRequest().getSession(false);
|
||||||
|
if (session != null)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
SessionUser user = (SessionUser)session.getAttribute(AuthenticationDriver.AUTHENTICATION_USER);
|
||||||
|
if (user != null)
|
||||||
|
{
|
||||||
|
// Validate the ticket for the current SessionUser
|
||||||
|
authenticationService.validate(user.getTicket());
|
||||||
|
if (logger.isDebugEnabled())
|
||||||
|
logger.debug("Ticket is valid; retaining cached user in session.");
|
||||||
|
listener.userAuthenticated(new TicketCredentials(user.getTicket()));
|
||||||
|
authenticated = true;
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
authenticated = super.authenticate(required, isGuest);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (AuthenticationException authErr)
|
||||||
|
{
|
||||||
|
if (logger.isDebugEnabled())
|
||||||
|
logger.debug("An Authentication error occur, removing User session: ", authErr);
|
||||||
|
session.removeAttribute(AuthenticationDriver.AUTHENTICATION_USER);
|
||||||
|
session.invalidate();
|
||||||
|
listener.authenticationFailed(new WebCredentials() {});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
authenticated = super.authenticate(required, isGuest);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -33,6 +33,8 @@ import javax.servlet.http.HttpServletResponse;
|
|||||||
*/
|
*/
|
||||||
public interface AuthenticationDriver
|
public interface AuthenticationDriver
|
||||||
{
|
{
|
||||||
|
public static final String AUTHENTICATION_USER = "_alfAuthTicket";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Authenticate user based on information in http request such as Authorization header or cached session
|
* Authenticate user based on information in http request such as Authorization header or cached session
|
||||||
* information.
|
* information.
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (C) 2005-2013 Alfresco Software Limited.
|
* Copyright (C) 2005-2014 Alfresco Software Limited.
|
||||||
*
|
*
|
||||||
* This file is part of Alfresco
|
* This file is part of Alfresco
|
||||||
*
|
*
|
||||||
@@ -85,7 +85,6 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
|||||||
this.serverConfiguration = serverConfiguration;
|
this.serverConfiguration = serverConfiguration;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Activates or deactivates the bean
|
* Activates or deactivates the bean
|
||||||
*
|
*
|
||||||
@@ -166,8 +165,6 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
|||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Callback executed on successful ticket validation during Type3 Message processing.
|
* Callback executed on successful ticket validation during Type3 Message processing.
|
||||||
*
|
*
|
||||||
|
|||||||
@@ -49,8 +49,6 @@ import org.apache.commons.logging.LogFactory;
|
|||||||
*/
|
*/
|
||||||
public class SSOFallbackBasicAuthenticationDriver implements AuthenticationDriver
|
public class SSOFallbackBasicAuthenticationDriver implements AuthenticationDriver
|
||||||
{
|
{
|
||||||
public static final String AUTHENTICATION_USER = "_alfAuthTicket";
|
|
||||||
|
|
||||||
private Log logger = LogFactory.getLog(SSOFallbackBasicAuthenticationDriver.class);
|
private Log logger = LogFactory.getLog(SSOFallbackBasicAuthenticationDriver.class);
|
||||||
|
|
||||||
private AuthenticationService authenticationService;
|
private AuthenticationService authenticationService;
|
||||||
@@ -58,7 +56,7 @@ public class SSOFallbackBasicAuthenticationDriver implements AuthenticationDrive
|
|||||||
private NodeService nodeService;
|
private NodeService nodeService;
|
||||||
private TransactionService transactionService;
|
private TransactionService transactionService;
|
||||||
|
|
||||||
private String userAttributeName = AUTHENTICATION_USER;
|
private String userAttributeName = AuthenticationDriver.AUTHENTICATION_USER;
|
||||||
|
|
||||||
public void setAuthenticationService(AuthenticationService authenticationService)
|
public void setAuthenticationService(AuthenticationService authenticationService)
|
||||||
{
|
{
|
||||||
|
|||||||
Reference in New Issue
Block a user