Merged V3.2 to HEAD

15219: ETHREEOH-2328: Alfresco authentication component could use wrong ACEGI AuthenticationManager if not at the start of the authentication chain
      - Moved authentication manager so that it is local to the alfrescoNtlm authentication subsystem


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15225 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Dave Ward
2009-07-16 11:08:39 +00:00
parent 25c94b39a6
commit edb2c94241
5 changed files with 95 additions and 42 deletions


@@ -46,24 +46,10 @@
<property name="providers">
<list>
<ref bean="authenticatedAuthenticationPassthroughProvider" />
<ref bean="daoAuthenticationProvider" />
</list>
</property>
</bean>
<!-- We provide a DAO to plug into the Acegi DaoAuthenticationProvider -->
<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="authenticationDao">
<ref bean="authenticationDao" />
</property>
<property name="saltSource">
<ref bean="saltSource" />
</property>
<property name="passwordEncoder">
<ref bean="passwordEncoder" />
</property>
</bean>
<!-- An authentication Provider that just believes authentications -->
<!-- bound to the local thread are valid if they are set as -->
@@ -144,10 +130,6 @@
</property>
</bean>
<!-- The DAO also acts as a salt provider. -->
<alias alias="saltSource" name="authenticationDao"/>
<!-- Passwords are encoded using MD4 -->
<!-- This is not ideal and only done to be compatible with NTLM -->
<!-- authentication against the default authentication mechanism. -->


@@ -7,9 +7,6 @@
<bean id="fileServerConfigurationBase"
abstract="true"
destroy-method="closeConfiguration">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="authenticationService">
<ref bean="authenticationService"/>
</property>


@@ -71,7 +71,7 @@
</property>
</bean>
<!-- Authenticaton service for chaining -->
<!-- Authentication service for chaining -->
<bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
<property name="authenticationDao">
<ref bean="authenticationDao" />
@@ -94,4 +94,50 @@
</property>
</bean>
<!-- -->
<!-- The Acegi authentication manager. -->
<!-- -->
<!-- Provders are asked to authenticate in order. -->
<!-- First, is a provider that checks if an acegi authentication object -->
<!-- is already bound to the executing thread. If it is, and it is set -->
<!-- as authenticated then no further authentication is required. If -->
<!-- this is absent, Acegi validates the password for every method -->
<!-- invocation, which is too CPU expensive. If we set an -->
<!-- authentication based on a ticket etc .... or we want to set the -->
<!-- the system user as the current user ... we do not have the -->
<!-- password. So if we have set an authentication and set it as -->
<!-- authenticated that is sufficient to validate the user. -->
<!-- -->
<!-- If the authentication bound to the current thread is not set as -->
<!-- authenticated the standard Acegi DAO Authentication provider -->
<!-- is used to authenticate. -->
<!-- -->
<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="authenticatedAuthenticationPassthroughProvider" />
<ref bean="daoAuthenticationProvider" />
</list>
</property>
</bean>
<!-- We provide a DAO to plug into the Acegi DaoAuthenticationProvider -->
<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="authenticationDao">
<ref bean="authenticationDao" />
</property>
<property name="saltSource">
<ref bean="saltSource" />
</property>
<property name="passwordEncoder">
<ref bean="passwordEncoder" />
</property>
</bean>
<!-- The DAO also acts as a salt provider. -->
<alias alias="saltSource" name="authenticationDao" />
</beans>
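Review bot: The comment block above the relocated `authenticationManager` bean explains the provider order but not the trust assumption it relies on. `authenticatedAuthenticationPassthroughProvider` is listed first and, per the comment, accepts any thread-bound authentication already flagged as authenticated, so `daoAuthenticationProvider` never checks a password for it. I would add a line such as `<!-- Only trusted in-process code may bind an authenticated Authentication to the thread. -->` and fix the typos `Provders` and `the the` in the moved comment. `authenticatedAuthenticationPassthroughProvider` and `passwordEncoder` are referenced but not defined in the visible lines, so they presumably resolve from an enclosing context; a short comment naming where they come from would make the subsystem's dependencies explicit. The next file section adds the same block, so the same points apply there.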


@@ -71,7 +71,7 @@
</property>
</bean>
<!-- Authenticaton service for chaining -->
<!-- Authentication service for chaining -->
<bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
<property name="authenticationDao">
<ref bean="authenticationDao" />
@@ -94,4 +94,50 @@
</property>
</bean>
<!-- -->
<!-- The Acegi authentication manager. -->
<!-- -->
<!-- Provders are asked to authenticate in order. -->
<!-- First, is a provider that checks if an acegi authentication object -->
<!-- is already bound to the executing thread. If it is, and it is set -->
<!-- as authenticated then no further authentication is required. If -->
<!-- this is absent, Acegi validates the password for every method -->
<!-- invocation, which is too CPU expensive. If we set an -->
<!-- authentication based on a ticket etc .... or we want to set the -->
<!-- the system user as the current user ... we do not have the -->
<!-- password. So if we have set an authentication and set it as -->
<!-- authenticated that is sufficient to validate the user. -->
<!-- -->
<!-- If the authentication bound to the current thread is not set as -->
<!-- authenticated the standard Acegi DAO Authentication provider -->
<!-- is used to authenticate. -->
<!-- -->
<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="authenticatedAuthenticationPassthroughProvider" />
<ref bean="daoAuthenticationProvider" />
</list>
</property>
</bean>
<!-- We provide a DAO to plug into the Acegi DaoAuthenticationProvider -->
<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="authenticationDao">
<ref bean="authenticationDao" />
</property>
<property name="saltSource">
<ref bean="saltSource" />
</property>
<property name="passwordEncoder">
<ref bean="passwordEncoder" />
</property>
</bean>
<!-- The DAO also acts as a salt provider. -->
<alias alias="saltSource" name="authenticationDao" />
</beans>


@@ -139,10 +139,6 @@ public abstract class AbstractServerConfigurationBean extends ServerConfiguratio
protected static final int MaxSessionTimeout = 60 * 60; // 1 hour
// Authentication manager
private AuthenticationManager m_authenticationManager;
// Disk interface to use for shared filesystems
private ExtendedDiskInterface m_repoDiskInterface;
@@ -205,16 +201,6 @@ public abstract class AbstractServerConfigurationBean extends ServerConfiguratio
super( srvName);
}
/**
* Set the authentication manager
*
* @param authenticationManager AuthenticationManager
*/
public void setAuthenticationManager(AuthenticationManager authenticationManager)
{
m_authenticationManager = authenticationManager;
}
/**
* Set the authentication service
*
@@ -391,11 +377,7 @@ public abstract class AbstractServerConfigurationBean extends ServerConfiguratio
{
// Check that all required properties have been set
if (m_authenticationManager == null)
{
throw new AlfrescoRuntimeException("Property 'authenticationManager' not set");
}
else if (m_authenticationComponent == null)
if (m_authenticationComponent == null)
{
throw new AlfrescoRuntimeException("Property 'authenticationComponent' not set");
}