Merged V3.2 to HEAD

15219: ETHREEOH-2328: Alfresco authentication component could use wrong ACEGI AuthenticationManager if not at the start of the authentication chain
      - Moved authentication manager so that it is local to the alfrescoNtlm authentication subsystem


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15225 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Dave Ward
2009-07-16 11:08:39 +00:00
parent 25c94b39a6
commit edb2c94241
5 changed files with 95 additions and 42 deletions


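--- a/[file 1 path not shown on page]
+++ b/[file 1 path not shown on page]
@@ -46,24 +46,10 @@
 <property name="providers">
 <list>
 <ref bean="authenticatedAuthenticationPassthroughProvider" />
-<ref bean="daoAuthenticationProvider" />
 </list>
 </property>
 </bean>
-<!-- We provide a DAO to plug into the Acegi DaoAuthenticationProvider -->
-<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
-<property name="authenticationDao">
-<ref bean="authenticationDao" />
-</property>
-<property name="saltSource">
-<ref bean="saltSource" />
-</property>
-<property name="passwordEncoder">
-<ref bean="passwordEncoder" />
-</property>
-</bean>
 <!-- An authentication Provider that just believes authentications -->
 <!-- bound to the local thread are valid if they are set as -->
@@ -144,10 +130,6 @@
 </property>
 </bean>
-<!-- The DAO also acts as a salt provider. -->
-<alias alias="saltSource" name="authenticationDao"/>
 <!-- Passwords are encoded using MD4 -->
 <!-- This is not ideal and only done to be compatible with NTLM -->
 <!-- authentication against the default authentication mechanism. -->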
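Review bot: The shared `authenticationManager` bean in the first hunk is left with only `authenticatedAuthenticationPassthroughProvider` in its provider list, and nothing in the file says where credential validation now happens; a reader of this context alone will assume password checks were dropped. Add a comment above the remaining `<list>` such as `<!-- Only the passthrough provider lives here; the DAO provider and its saltSource alias are defined in the alfrescoNtlm subsystem context so that subsystem's own authenticationManager is used (ETHREEOH-2328) -->`. Presumably any other bean that still references this shared manager for password-based authentication would now fail to authenticate rather than bypass the check, but that is worth confirming against the remaining references to `authenticationManager` outside the subsystem.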


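--- a/[file 2 path not shown on page]
+++ b/[file 2 path not shown on page]
@@ -7,9 +7,6 @@
 <bean id="fileServerConfigurationBase"
 abstract="true"
 destroy-method="closeConfiguration">
-<property name="authenticationManager">
-<ref bean="authenticationManager"/>
-</property>
 <property name="authenticationService">
 <ref bean="authenticationService"/>
 </property>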


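--- a/[file 3 path not shown on page]
+++ b/[file 3 path not shown on page]
@@ -71,7 +71,7 @@
 </property>
 </bean>
-<!-- Authenticaton service for chaining -->
+<!-- Authentication service for chaining -->
 <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
 <property name="authenticationDao">
 <ref bean="authenticationDao" />
@@ -94,4 +94,50 @@
 </property>
 </bean>
+<!-- -->
+<!-- The Acegi authentication manager. -->
+<!-- -->
+<!-- Provders are asked to authenticate in order. -->
+<!-- First, is a provider that checks if an acegi authentication object -->
+<!-- is already bound to the executing thread. If it is, and it is set -->
+<!-- as authenticated then no further authentication is required. If -->
+<!-- this is absent, Acegi validates the password for every method -->
+<!-- invocation, which is too CPU expensive. If we set an -->
+<!-- authentication based on a ticket etc .... or we want to set the -->
+<!-- the system user as the current user ... we do not have the -->
+<!-- password. So if we have set an authentication and set it as -->
+<!-- authenticated that is sufficient to validate the user. -->
+<!-- -->
+<!-- If the authentication bound to the current thread is not set as -->
+<!-- authenticated the standard Acegi DAO Authentication provider -->
+<!-- is used to authenticate. -->
+<!-- -->
+<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
+<property name="providers">
+<list>
+<ref bean="authenticatedAuthenticationPassthroughProvider" />
+<ref bean="daoAuthenticationProvider" />
+</list>
+</property>
+</bean>
+<!-- We provide a DAO to plug into the Acegi DaoAuthenticationProvider -->
+<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
+<property name="authenticationDao">
+<ref bean="authenticationDao" />
+</property>
+<property name="saltSource">
+<ref bean="saltSource" />
+</property>
+<property name="passwordEncoder">
+<ref bean="passwordEncoder" />
+</property>
+</bean>
+<!-- The DAO also acts as a salt provider. -->
+<alias alias="saltSource" name="authenticationDao" />
 </beans>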
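Review bot: The new `authenticationManager` bean in the second hunk reuses the id of the shared manager that this commit just trimmed, but the added comment block only describes provider ordering and never says that the local definition is the point of the change; the same text is added to the identical fourth file section. Prefix the block with `<!-- Defined in this subsystem so that the alfrescoNtlm DAO provider is used even when the subsystem is not first in the authentication chain (ETHREEOH-2328) -->` so the duplication with the shared context reads as deliberate rather than copy-paste. The comment also has a typo, `<!-- Provders are asked to authenticate in order. -->` should read `<!-- Providers are asked to authenticate in order. -->`. The `passwordEncoder` and `authenticatedAuthenticationPassthroughProvider` references are not defined in this hunk, presumably they come from the parent context; naming that dependency in the comment would help whoever next moves beans between the two files.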


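--- a/[file 4 path not shown on page]
+++ b/[file 4 path not shown on page]
@@ -71,7 +71,7 @@
 </property>
 </bean>
-<!-- Authenticaton service for chaining -->
+<!-- Authentication service for chaining -->
 <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
 <property name="authenticationDao">
 <ref bean="authenticationDao" />
@@ -94,4 +94,50 @@
 </property>
 </bean>
+<!-- -->
+<!-- The Acegi authentication manager. -->
+<!-- -->
+<!-- Provders are asked to authenticate in order. -->
+<!-- First, is a provider that checks if an acegi authentication object -->
+<!-- is already bound to the executing thread. If it is, and it is set -->
+<!-- as authenticated then no further authentication is required. If -->
+<!-- this is absent, Acegi validates the password for every method -->
+<!-- invocation, which is too CPU expensive. If we set an -->
+<!-- authentication based on a ticket etc .... or we want to set the -->
+<!-- the system user as the current user ... we do not have the -->
+<!-- password. So if we have set an authentication and set it as -->
+<!-- authenticated that is sufficient to validate the user. -->
+<!-- -->
+<!-- If the authentication bound to the current thread is not set as -->
+<!-- authenticated the standard Acegi DAO Authentication provider -->
+<!-- is used to authenticate. -->
+<!-- -->
+<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
+<property name="providers">
+<list>
+<ref bean="authenticatedAuthenticationPassthroughProvider" />
+<ref bean="daoAuthenticationProvider" />
+</list>
+</property>
+</bean>
+<!-- We provide a DAO to plug into the Acegi DaoAuthenticationProvider -->
+<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
+<property name="authenticationDao">
+<ref bean="authenticationDao" />
+</property>
+<property name="saltSource">
+<ref bean="saltSource" />
+</property>
+<property name="passwordEncoder">
+<ref bean="passwordEncoder" />
+</property>
+</bean>
+<!-- The DAO also acts as a salt provider. -->
+<alias alias="saltSource" name="authenticationDao" />
 </beans>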


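--- a/[path not shown on page]/AbstractServerConfigurationBean.java
+++ b/[path not shown on page]/AbstractServerConfigurationBean.java
@@ -139,10 +139,6 @@ public abstract class AbstractServerConfigurationBean extends ServerConfiguratio
 protected static final int MaxSessionTimeout = 60 * 60; // 1 hour
-// Authentication manager
-private AuthenticationManager m_authenticationManager;
 // Disk interface to use for shared filesystems
 private ExtendedDiskInterface m_repoDiskInterface;
@@ -205,16 +201,6 @@ public abstract class AbstractServerConfigurationBean extends ServerConfiguratio
 super( srvName);
 }
-/**
-* Set the authentication manager
-*
-* @param authenticationManager AuthenticationManager
-*/
-public void setAuthenticationManager(AuthenticationManager authenticationManager)
-{
-m_authenticationManager = authenticationManager;
-}
 /**
 * Set the authentication service
 *
@@ -391,11 +377,7 @@ public abstract class AbstractServerConfigurationBean extends ServerConfiguratio
 {
 // Check that all required properties have been set
-if (m_authenticationManager == null)
-{
-throw new AlfrescoRuntimeException("Property 'authenticationManager' not set");
-}
-else if (m_authenticationComponent == null)
+if (m_authenticationComponent == null)
 {
 throw new AlfrescoRuntimeException("Property 'authenticationComponent' not set");
 }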
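Review bot: Removing the public `setAuthenticationManager` from this abstract bean class in the second hunk is a breaking change for any Spring context outside this commit that still sets the `authenticationManager` property on a file-server configuration bean, since Spring will reject the unknown property at startup; the shipped context is updated in the second file section, but extension or customer contexts are not. If compatibility matters, keep a no-op setter, `/** @deprecated no longer used; the authentication manager is now owned by the authentication subsystem. */ @Deprecated public void setAuthenticationManager(AuthenticationManager authenticationManager) { }`, otherwise the removal should be called out in the release notes. The tightened check in the third hunk is consistent with dropping the field, though the enclosing method's signature is outside the hunk, so I cannot see whether any other use of `m_authenticationManager` remains elsewhere in the class; a compile error would catch that.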