Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud)
90921: MNT-12765 - No endpoints can be configured in Share that use external-auth and a different URL - as they will be redirected down the URL for 'alfresco' endpoint. Merged PROPERTY_GROUP_PROTOTYPING (5.0/Cloud) to HEAD-BUG-FIX (5.0/Cloud) 90742: Refactoring of SSO paths - Added Session User authentication support to RemoteUserAuthenticatorFactory - so can use cookie based auth for example with Public API route. - Tidy up of common duplicated code constants e.g. _alfAuthTicket - Added Global Authentication Filter around the /api/* endpoint to allow SSO active over Public API git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@94744 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -18,11 +18,17 @@
|
||||
*/
|
||||
package org.alfresco.repo.web.scripts.servlet;
|
||||
|
||||
import javax.servlet.http.HttpSession;
|
||||
|
||||
import org.alfresco.repo.SessionUser;
|
||||
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationComponent;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationException;
|
||||
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
|
||||
import org.alfresco.repo.web.auth.AuthenticationListener;
|
||||
import org.alfresco.repo.web.auth.TicketCredentials;
|
||||
import org.alfresco.repo.web.auth.WebCredentials;
|
||||
import org.alfresco.repo.webdav.auth.AuthenticationDriver;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.extensions.webscripts.Authenticator;
|
||||
@@ -80,18 +86,54 @@ public class RemoteUserAuthenticatorFactory extends BasicHttpAuthenticatorFactor
|
||||
@Override
|
||||
public boolean authenticate(RequiredAuthentication required, boolean isGuest)
|
||||
{
|
||||
boolean authenticated = false;
|
||||
|
||||
// retrieve the remote user if configured and available - authenticate that user directly
|
||||
final String userId = getRemoteUser();
|
||||
if (userId != null)
|
||||
{
|
||||
authenticationComponent.setCurrentUser(userId);
|
||||
listener.userAuthenticated(new TicketCredentials(authenticationService.getCurrentTicket()));
|
||||
return true;
|
||||
authenticated = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
return super.authenticate(required, isGuest);
|
||||
// is there a Session which might contain a valid user ticket?
|
||||
HttpSession session = servletReq.getHttpServletRequest().getSession(false);
|
||||
if (session != null)
|
||||
{
|
||||
try
|
||||
{
|
||||
SessionUser user = (SessionUser)session.getAttribute(AuthenticationDriver.AUTHENTICATION_USER);
|
||||
if (user != null)
|
||||
{
|
||||
// Validate the ticket for the current SessionUser
|
||||
authenticationService.validate(user.getTicket());
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("Ticket is valid; retaining cached user in session.");
|
||||
listener.userAuthenticated(new TicketCredentials(user.getTicket()));
|
||||
authenticated = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
authenticated = super.authenticate(required, isGuest);
|
||||
}
|
||||
}
|
||||
catch (AuthenticationException authErr)
|
||||
{
|
||||
if (logger.isDebugEnabled())
|
||||
logger.debug("An Authentication error occur, removing User session: ", authErr);
|
||||
session.removeAttribute(AuthenticationDriver.AUTHENTICATION_USER);
|
||||
session.invalidate();
|
||||
listener.authenticationFailed(new WebCredentials() {});
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
authenticated = super.authenticate(required, isGuest);
|
||||
}
|
||||
}
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
/**
|
||||
|
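Review bot: The new session branch in `authenticate` sets `authenticated = true` as soon as `authenticationService.validate(user.getTicket())` succeeds and never consults `required` or `isGuest`, whereas both fallback paths pass them to `super.authenticate(required, isGuest)`. If the parent class uses those arguments to refuse guest access (not visible here), a cached guest `SessionUser` would skip that check; I would either re-apply it in this branch or add a comment stating where the required level is enforced for session-authenticated requests. Accepting the session cookie on these web script routes also means requests are authenticated by ambient browser credentials, so it is worth confirming whether any CSRF filter covers state-changing calls on them. The `catch (AuthenticationException authErr)` path invalidates the session and returns false without trying `super.authenticate`, so a request carrying valid Basic credentials alongside an expired session ticket appears to fail once. The unchecked cast `(SessionUser)session.getAttribute(...)` would also throw `ClassCastException` if another component stores a different type under that key; an `instanceof` check before the cast avoids that.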
@@ -33,6 +33,8 @@ import javax.servlet.http.HttpServletResponse;
|
||||
*/
|
||||
public interface AuthenticationDriver
|
||||
{
|
||||
public static final String AUTHENTICATION_USER = "_alfAuthTicket";
|
||||
|
||||
/**
|
||||
* Authenticate user based on information in http request such as Authorization header or cached session
|
||||
* information.
|
||||
|
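Review bot: The new `AUTHENTICATION_USER` constant has no Javadoc, and its value `"_alfAuthTicket"` reads like a ticket string although `RemoteUserAuthenticatorFactory` casts the stored attribute to `SessionUser`. I would add `/** Session attribute name under which the authenticated SessionUser is cached. */` above it so callers do not treat the attribute as a raw ticket. The `public static final` modifiers are implicit on an interface field and can be dropped.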
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2005-2013 Alfresco Software Limited.
|
||||
* Copyright (C) 2005-2014 Alfresco Software Limited.
|
||||
*
|
||||
* This file is part of Alfresco
|
||||
*
|
||||
@@ -85,7 +85,6 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
||||
this.serverConfiguration = serverConfiguration;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Activates or deactivates the bean
|
||||
*
|
||||
@@ -166,8 +165,6 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
|
||||
{
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Callback executed on successful ticket validation during Type3 Message processing.
|
||||
*
|
||||
|
@@ -49,8 +49,6 @@ import org.apache.commons.logging.LogFactory;
|
||||
*/
|
||||
public class SSOFallbackBasicAuthenticationDriver implements AuthenticationDriver
|
||||
{
|
||||
public static final String AUTHENTICATION_USER = "_alfAuthTicket";
|
||||
|
||||
private Log logger = LogFactory.getLog(SSOFallbackBasicAuthenticationDriver.class);
|
||||
|
||||
private AuthenticationService authenticationService;
|
||||
@@ -58,7 +56,7 @@ public class SSOFallbackBasicAuthenticationDriver implements AuthenticationDrive
|
||||
private NodeService nodeService;
|
||||
private TransactionService transactionService;
|
||||
|
||||
private String userAttributeName = AUTHENTICATION_USER;
|
||||
private String userAttributeName = AuthenticationDriver.AUTHENTICATION_USER;
|
||||
|
||||
public void setAuthenticationService(AuthenticationService authenticationService)
|
||||
{
|
||||
|
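Review bot: `userAttributeName` stays a non-final field that only defaults to `AuthenticationDriver.AUTHENTICATION_USER`, while the new session lookup in `RemoteUserAuthenticatorFactory.authenticate` reads the constant directly. If this field can be overridden through configuration (its setter is not visible in this hunk), the two classes would use different session keys and the factory would not find the cached user. A comment on the field, for example `// must match the session key read by RemoteUserAuthenticatorFactory`, or a single shared configured value would keep them aligned. The class body continues outside the hunk.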