REPO-3263 Remove passthru (#270)

Alex Mukha
2018-11-07 15:37:15 +00:00
committed by GitHub
parent ea970794f5
commit ee2299c7bb
38 changed files with 89 additions and 4329 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 139 KiB

After

Width:  |  Height:  |  Size: 193 KiB


@@ -41,7 +41,6 @@ class org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase {
# getAuthenticationComponent() : AuthenticationComponent
# getAuthenticationService() : AuthenticationService
# getAuthorityService() : AuthorityService
# getNTLMAuthenticator() : NLTMAuthenticator
# getTransactionService() : TransactionService
+ authenticateUser(c ClientInfo, c FTPSrvSession) : boolean
+ closeAuthenticator() : void
@@ -56,29 +55,6 @@ class org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase {
+ setConfig(i ServerConfigurationAccessor) : void
+ setTransactionService(i TransactionService) : void
}
class org.alfresco.filesys.auth.ftp.PassthruFtpAuthenticator {
+ DefaultSessionTmo : int
+ MaxCheckInterval : int
+ MaxSessionTmo : int
+ MinCheckInterval : int
+ MinSessionTmo : int
+ PassthruKeepAliveInterval : long
- m_localPassThruServers : boolean
- m_passthruServers : c PassthruServers
- m_passwordEncryptor : c PasswordEncryptor
--
+ PassthruFtpAuthenticator()
# doGuestLogon(c AlfrescoClientInfo, c SrvSession) : void
# getSecurityConfig() : SecurityConfigSection
# mapClientAddressToDomain(c InetAddress) : String
+ authenticateUser(c ClientInfo, c FTPSrvSession) : boolean
+ closeAuthenticator() : void
+ initialize() : void
+ initialize(c ServerConfiguration, i ConfigElement) : void
+ setPassthruServers(c PassthruServers) : void
- doPassthruUserAuthentication(c ClientInfo, c SrvSession) : boolean
}
class org.alfresco.filesys.auth.ftp.AlfrescoFtpAuthenticator {
# m_encryptor : c PasswordEncryptor
@@ -99,11 +75,8 @@ org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase "1" o-left- "1" org.apache.
org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase "1" o-left- "1" org.alfresco.jlan.server.config.ServerConfigurationAccessor : serverConfiguration: i ServerConfigurationAccessor
org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase "1" o-left- "1" org.alfresco.repo.security.authentication.AuthenticationComponent : authenticationComponent: i AuthenticationComponent
org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase "1" o-left- "1" org.alfresco.service.cmr.security.AuthorityService : authorityService: i AuthorityService
org.alfresco.filesys.auth.ftp.PassthruFtpAuthenticator "1" o-left- "1" org.alfresco.jlan.server.auth.PasswordEncryptor : m_passwordEncryptor: c PasswordEncryptor
org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase "1" o-left- "1" org.alfresco.service.cmr.security.AuthenticationService : authenticationService: i AuthenticationService
org.alfresco.filesys.auth.ftp.PassthruFtpAuthenticator "1" o-left- "1" org.alfresco.jlan.server.auth.passthru.PassthruServers : m_passthruServers: c PassthruServers
org.alfresco.filesys.auth.ftp.AlfrescoFtpAuthenticator -up|> org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase
org.alfresco.filesys.auth.ftp.PassthruFtpAuthenticator -up|> org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase
org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase ..up|> org.alfresco.jlan.ftp.FTPAuthenticator
org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase ..up|> org.alfresco.repo.management.subsystems.ActivateableBean
org.alfresco.filesys.auth.ftp.FTPAuthenticatorBase ..up|> org.springframework.beans.factory.DisposableBean

Binary file not shown.

Before

Width:  |  Height:  |  Size: 491 KiB

After

Width:  |  Height:  |  Size: 808 KiB


@@ -185,14 +185,6 @@ class javax.servlet.ServletInputStream {
# ServletInputStream()
+ readLine(class [B, int, int) : int
}
class org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter {
- logger : i Log
--
+ NTLMAuthenticationFilter()
# getLogger() : Log
# onValidateFailed(i ServletContext, i HttpServletRequest, i HttpServletResponse, i HttpSession, i WebCredentials) : void
}
class org.alfresco.repo.webdav.DeleteMethod {
- activityPoster : i WebDAVActivityPoster
@@ -682,39 +674,6 @@ class org.alfresco.repo.webdav.WebDAVMethod$Condition {
+ getLockTokensMatch() : LinkedList
+ getLockTokensNotMatch() : LinkedList
}
class org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter {
# AUTHORIZATION : c String
# AUTH_NTLM : c String
# WWW_AUTHENTICATE : c String
+ NTLM_AUTH_DETAILS : c String
+ NTLM_AUTH_SESSION : c String
- NTLM_FLAGS_NTLM1 : int
- NTLM_FLAGS_NTLM2 : int
- m_allowGuest : boolean
- m_disableNTLMv2 : boolean
- m_encryptor : c PasswordEncryptor
- m_mapUnknownUserToGuest : boolean
- m_md4Encoder : i MD4PasswordEncoder
- m_ntlmFlags : int
- m_random : c Random
- nltmAuthenticator : i NLTMAuthenticator
--
+ BaseNTLMAuthenticationFilter()
# checkNTLMv1(c String, class [B, c Type3NTLMMessage, boolean) : boolean
# checkNTLMv2(c String, class [B, c Type3NTLMMessage) : boolean
# checkNTLMv2SessionKey(c String, class [B, c Type3NTLMMessage) : boolean
# disableNTLMv2() : void
# getMD4Hash(c String) : String
# init() : void
# processType1(c Type1NTLMMessage, i HttpServletRequest, i HttpServletResponse) : void
# processType3(c Type3NTLMMessage, i ServletContext, i HttpServletRequest, i HttpServletResponse) : boolean
# validateLocalHashedPassword(c Type3NTLMMessage, c NTLMLogonDetails, boolean, c String) : boolean
+ authenticateRequest(i ServletContext, i HttpServletRequest, i HttpServletResponse) : boolean
+ restartLoginChallenge(i ServletContext, i HttpServletRequest, i HttpServletResponse) : void
+ setMapUnknownUserToGuest(boolean) : void
- clearSession(i HttpSession) : void
}
interface org.alfresco.repo.webdav.WebDAVActivityPoster {
--
@@ -1460,11 +1419,9 @@ org.alfresco.repo.webdav.ActivityPosterImpl "1" o-left- "1" org.apache.commons
org.alfresco.repo.webdav.ExceptionHandler "1" o-left- "1" javax.servlet.http.HttpServletResponse : response: i HttpServletResponse
org.alfresco.repo.webdav.PropPatchMethod$PropertyAction "1" o-left- "1" org.alfresco.repo.webdav.WebDAVProperty : property: c WebDAVProperty
org.alfresco.repo.webdav.auth.HTTPRequestAuthenticationFilter "1" o-left- "1" java.util.regex.Pattern : m_authPattern: c Pattern
org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter "1" o-left- "1" org.alfresco.repo.security.authentication.MD4PasswordEncoder : m_md4Encoder: i MD4PasswordEncoder
org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter "1" o-left- "1" javax.security.auth.login.LoginContext : m_loginContext: c LoginContext
org.alfresco.repo.webdav.PropPatchMethod$PropertyAction "1" o-left- "1" org.alfresco.repo.webdav.PropPatchMethod : this$0: c PropPatchMethod
org.alfresco.repo.webdav.WebDAVLockServiceImpl "1" o-left- "1" org.alfresco.service.transaction.TransactionService : transactionService: i TransactionService
org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter "1" o-left- "1" org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator : nltmAuthenticator: i NLTMAuthenticator
org.alfresco.repo.webdav.PropPatchMethod "1" o-left- "*" org.alfresco.repo.webdav.PropPatchMethod$PropertyAction : m_propertyActions: ArrayList< PropPatchMethod$PropertyAction>
org.alfresco.repo.webdav.LockMethod "1" o-left- "1" java.util.Timer : timer: c Timer
org.alfresco.repo.webdav.WebDavServiceImpl "1" o-left- "1" org.alfresco.service.cmr.repository.NodeService : nodeService: i NodeService
@@ -1533,13 +1490,11 @@ org.alfresco.repo.webdav.WebDAVHelper "1" o-left- "1" org.alfresco.repo.tenant
org.alfresco.repo.webdav.WebDAVServlet "1" o-left- "1" org.alfresco.service.transaction.TransactionService : transactionService: i TransactionService
org.alfresco.repo.webdav.auth.HTTPRequestAuthenticationFilterTestFilter$Handler "1" o-left- "1" javax.servlet.http.HttpServletRequest : httpReq: i HttpServletRequest
org.alfresco.repo.webdav.auth.SSOFallbackBasicAuthenticationDriver "1" o-left- "1" org.alfresco.service.cmr.repository.NodeService : nodeService: i NodeService
org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter "1" o-left- "1" org.apache.commons.logging.Log : logger: i Log
org.alfresco.repo.webdav.WebDAVLockServiceImpl "1" o-left- "1" org.apache.commons.logging.Log : logger: i Log
org.alfresco.repo.webdav.WebDAVHelper "1" o-left- "1" org.alfresco.service.ServiceRegistry : m_serviceRegistry: i ServiceRegistry
org.alfresco.repo.webdav.WebDAVMethod "1" o-left- "1" org.apache.commons.logging.Log : logger: i Log
org.alfresco.repo.webdav.MTNodesCache2 "1" o-left- "1" org.alfresco.service.cmr.repository.NodeService : nodeService: i NodeService
javax.servlet.http.HttpServlet "1" o-left- "1" java.util.ResourceBundle : lStrings: c ResourceBundle
org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter "1" o-left- "1" org.alfresco.jlan.server.auth.PasswordEncryptor : m_encryptor: c PasswordEncryptor
org.alfresco.repo.webdav.auth.BaseAuthenticationFilter "1" o-left- "1" org.alfresco.service.transaction.TransactionService : transactionService: i TransactionService
org.alfresco.repo.webdav.WebDAVMethod "1" o-left- "*" org.alfresco.service.cmr.repository.NodeRef : m_childToParent: Map< NodeRef, NodeRef>
org.alfresco.repo.webdav.WebDAVServlet "1" o-left- "1" org.alfresco.service.cmr.repository.NodeRef : defaultRootNode: c NodeRef
@@ -1548,7 +1503,6 @@ org.alfresco.repo.webdav.WebDavServiceImpl "1" o-left- "1" org.alfresco.servic
org.alfresco.repo.webdav.WebDAVLockServiceImpl "1" o-left- "1" org.alfresco.service.cmr.coci.CheckOutCheckInService : checkOutCheckInService: i CheckOutCheckInService
org.springframework.extensions.surf.util.AbstractLifecycleBean "1" o-left- "1" org.springframework.context.ApplicationContext : applicationContext: i ApplicationContext
org.alfresco.repo.webdav.auth.HTTPRequestAuthenticationFilter "1" o-left- "1" org.alfresco.repo.security.authentication.AuthenticationComponent : m_authComponent: i AuthenticationComponent
org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter "1" o-left- "1" java.util.Random : m_random: c Random
org.alfresco.repo.webdav.ExceptionHandler "1" o-left- "1" org.apache.commons.logging.Log : logger: i Log
org.alfresco.repo.webdav.WebDAVServlet "1" o-left- "1" org.apache.commons.logging.Log : logger: i Log
org.alfresco.repo.webdav.WebDAVMethod "1" o-left- "1" javax.servlet.http.HttpServletRequest : m_request: i HttpServletRequest
@@ -1583,12 +1537,10 @@ org.alfresco.repo.webdav.MoveMethod -up|> org.alfresco.repo.webdav.Hierarchica
org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter -up|> org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter
org.alfresco.repo.webdav.WebDavBootstrap -up|> org.springframework.extensions.surf.util.AbstractLifecycleBean
org.alfresco.repo.webdav.PostMethod -up|> org.alfresco.repo.webdav.PutMethod
org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter -up|> org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter
org.alfresco.repo.webdav.DeleteMethod -up|> org.alfresco.repo.webdav.WebDAVMethod
org.alfresco.repo.webdav.PropPatchMethod -up|> org.alfresco.repo.webdav.PropFindMethod
org.alfresco.repo.webdav.CopyMethod -up|> org.alfresco.repo.webdav.MoveMethod
org.alfresco.repo.webdav.auth.HTTPRequestAuthenticationFilter -up|> org.alfresco.repo.webdav.auth.BaseAuthenticationFilter
org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter -up|> org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter
org.alfresco.repo.webdav.LockMethod -up|> org.alfresco.repo.webdav.WebDAVMethod
org.alfresco.repo.webdav.auth.AuthenticationFilter -up|> org.alfresco.repo.webdav.auth.BaseAuthenticationFilter
org.alfresco.repo.webdav.UnlockMethod -up|> org.alfresco.repo.webdav.WebDAVMethod


@@ -16,7 +16,6 @@ Alfresco provides a default Authentication implementation that uses userid's and
to integrate with a number of external Authentication providers including
* Active Directory
* Kerberos
* NTLM
* LDAP
***
@@ -40,8 +39,6 @@ to integrate with a number of external Authentication providers including
* [JAAS](http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html)
* [Kerberos](https://msdn.microsoft.com/en-us/library/bb742516.aspx)
* [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)
* [NTLM](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx)
***
### Design
@@ -56,7 +53,7 @@ are stored in the Alfresco repository.
#### Chaining
Most production systems that use Alfresco will rely upon more secure approaches, so Alfresco also allows the
customer to integrate a choice of existing authentication providers, including *Active Directory*, *Kerberos*, *LDAP* and *NTLM*.
customer to integrate a choice of existing authentication providers, including *Active Directory*, *Kerberos* and *LDAP*.
The implementation of each such Authorization provider is delivered as a separate Alfresco Subsystem.
The Subsystems are chained together as an ordered list of providers each of which, in turn, will be given
@@ -86,9 +83,6 @@ depicted in [Client Login](../../../share/share-app/resource/sequence/client-log
##### Kerberos Authentication Login Flow
![Note](https://img.shields.io/badge/Editor-TODO-yellow.svg?&style=flat-square?colorB=2196f3&style=flat-square)
##### NTLM Authentication Login Flow
![Note](https://img.shields.io/badge/Editor-TODO-yellow.svg?&style=flat-square?colorB=2196f3&style=flat-square)
#### Class Diagram
![Authentication](../resource/class/org.alfresco.service.cmr.security.class.png)


@@ -3,5 +3,5 @@
MESSAGE_SEARCH_PATH="src/main/resources/alfresco/messages/action-config*.properties src/main/resources/alfresco/messages/action-service*.properties src/main/resources/alfresco/messages/activiti-engine-messages*.properties src/main/resources/alfresco/messages/activities-service*.properties src/main/resources/alfresco/messages/activity-list*.properties src/main/resources/alfresco/messages/application-model*.properties src/main/resources/alfresco/messages/authentication*.properties src/main/resources/alfresco/messages/bootstrap-content-template-examples*.properties src/main/resources/alfresco/messages/bootstrap-example-javascripts*.properties src/main/resources/alfresco/messages/bootstrap-example-smartfoldertemplates*.properties src/main/resources/alfresco/messages/bootstrap-imapScripts*.properties src/main/resources/alfresco/messages/bootstrap-javascripts*.properties src/main/resources/alfresco/messages/bootstrap-messages*.properties src/main/resources/alfresco/messages/bootstrap-readme-template*.properties src/main/resources/alfresco/messages/bootstrap-spaces*.properties src/main/resources/alfresco/messages/bootstrap-templates*.properties src/main/resources/alfresco/messages/bootstrap-tutorial*.properties src/main/resources/alfresco/messages/bootstrap-webScripts*.properties src/main/resources/alfresco/messages/bootstrap-webScriptsExtensions*.properties src/main/resources/alfresco/messages/bpm-messages*.properties src/main/resources/alfresco/messages/categories*.properties src/main/resources/alfresco/messages/coci-service*.properties src/main/resources/alfresco/messages/content-filter-languages*.properties src/main/resources/alfresco/messages/content-model*.properties src/main/resources/alfresco/messages/copy-service*.properties src/main/resources/alfresco/messages/custommodel-service*.properties src/main/resources/alfresco/messages/discussion-messages*.properties src/main/resources/alfresco/messages/distributionpolicies-model*.properties 
src/main/resources/alfresco/messages/doclink-service*.properties src/main/resources/alfresco/messages/download-model*.properties src/main/resources/alfresco/messages/email-server-model*.properties src/main/resources/alfresco/messages/email-service*.properties src/main/resources/alfresco/messages/file-folder-service*.properties src/main/resources/alfresco/messages/form-service*.properties src/main/resources/alfresco/messages/forum-model*.properties src/main/resources/alfresco/messages/imap-service*.properties src/main/resources/alfresco/messages/initiate-inplace*.properties src/main/resources/alfresco/messages/invitation-service*.properties src/main/resources/alfresco/messages/lock-service*.properties src/main/resources/alfresco/messages/notification-service*.properties src/main/resources/alfresco/messages/period-provider*.properties src/main/resources/alfresco/messages/permissions-service*.properties src/main/resources/alfresco/messages/quickshare-service*.properties src/main/resources/alfresco/messages/rendition-config*.properties src/main/resources/alfresco/messages/replication*.properties src/main/resources/alfresco/messages/repoadmin-service*.properties src/main/resources/alfresco/messages/reset-password-messages*.properties src/main/resources/alfresco/messages/rule-config*.properties src/main/resources/alfresco/messages/site-model*.properties src/main/resources/alfresco/messages/site-service*.properties src/main/resources/alfresco/messages/slingshot*.properties src/main/resources/alfresco/messages/smartfolder-model*.properties src/main/resources/alfresco/messages/subscription-service*.properties src/main/resources/alfresco/messages/system-messages*.properties src/main/resources/alfresco/messages/system-model*.properties src/main/resources/alfresco/messages/template-service*.properties src/main/resources/alfresco/messages/templates-messages*.properties src/main/resources/alfresco/messages/transfer-model*.properties 
src/main/resources/alfresco/messages/transfer-service*.properties src/main/resources/alfresco/messages/ui-inplace*.properties src/main/resources/alfresco/messages/webdav-messages*.properties src/main/resources/alfresco/messages/workflow-package-messages*.properties src/main/resources/alfresco/workflow/invitation-moderated-workflow-messages*.properties src/main/resources/alfresco/workflow/invitation-nominated-workflow-messages*.properties src/main/resources/alfresco/workflow/workflow-messages*.properties"
EXCLUDED_FILES="src/main/resources/alfresco/messages/content-service.properties src/main/resources/alfresco/messages/module-messages.properties src/main/resources/alfresco/messages/patch-service.properties src/main/resources/alfresco/messages/repoadmin-interpreter-help.properties src/main/resources/alfresco/messages/schema-update.properties src/main/resources/alfresco/messages/tenant-interpreter-help.properties src/main/resources/alfresco/messages/version-service.properties src/main/resources/alfresco/messages/workflow-interpreter-help.properties src/main/resources/alfresco/alfresco-shared.properties src/main/resources/alfresco/caches.properties src/main/resources/alfresco/repository.properties src/main/resources/alfresco/client/config/repo-clients-apps.properties src/main/resources/alfresco/domain/cache-strategies.properties src/main/resources/alfresco/domain/hibernate-cfg.properties src/main/resources/alfresco/domain/quartz.properties src/main/resources/alfresco/domain/transaction.properties src/main/resources/alfresco/keystore/keystore-passwords.properties src/main/resources/alfresco/keystore/ssl-keystore-passwords.properties src/main/resources/alfresco/keystore/ssl-truststore-passwords.properties src/main/resources/alfresco/metadata/DWGMetadataExtracter.properties src/main/resources/alfresco/metadata/HtmlMetadataExtracter.properties src/main/resources/alfresco/metadata/MailMetadataExtracter.properties src/main/resources/alfresco/metadata/MP3MetadataExtracter.properties src/main/resources/alfresco/metadata/OfficeMetadataExtracter.properties src/main/resources/alfresco/metadata/PdfBoxMetadataExtracter.properties src/main/resources/alfresco/metadata/PoiMetadataExtracter.properties src/main/resources/alfresco/metadata/RFC822MetadataExtracter.properties src/main/resources/alfresco/metadata/TikaAudioMetadataExtracter.properties src/main/resources/alfresco/metadata/TikaAutoMetadataExtracter.properties 
src/main/resources/alfresco/metadata/TikaSpringConfiguredMetadataExtracter.properties src/main/resources/alfresco/subsystems/ActivitiesFeed/default/activities-jobs.properties src/main/resources/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication.properties src/main/resources/alfresco/subsystems/Authentication/external/external-authentication.properties src/main/resources/alfresco/subsystems/Authentication/kerberos/kerberos-authentication.properties src/main/resources/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties src/main/resources/alfresco/subsystems/Authentication/ldap-ad/ldap-ad-authentication.properties src/main/resources/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties src/main/resources/alfresco/subsystems/email/InboundSMTP/inboundSMTP.properties src/main/resources/alfresco/subsystems/email/OutboundSMTP/outboundSMTP.properties src/main/resources/alfresco/subsystems/fileServers/default/file-servers.properties src/main/resources/alfresco/subsystems/imap/default/imap-server.properties src/main/resources/alfresco/subsystems/Replication/default/replication.properties src/main/resources/alfresco/subsystems/Search/noindex/common-search.properties src/main/resources/alfresco/subsystems/Search/noindex/noindex-search.properties src/main/resources/alfresco/subsystems/Search/solr/common-search.properties src/main/resources/alfresco/subsystems/Search/solr/solr-backup.properties src/main/resources/alfresco/subsystems/Search/solr/solr-search.properties src/main/resources/alfresco/subsystems/Search/solr/facet/solr-facets-config.properties src/main/resources/alfresco/subsystems/Search/solr4/common-search.properties src/main/resources/alfresco/subsystems/Search/solr4/solr-backup.properties src/main/resources/alfresco/subsystems/Search/solr4/solr-search.properties src/main/resources/alfresco/subsystems/Search/solr6/common-search.properties 
src/main/resources/alfresco/subsystems/Search/solr6/solr-backup.properties src/main/resources/alfresco/subsystems/Search/solr6/solr-search.properties src/main/resources/alfresco/subsystems/Subscriptions/default/subscription-service.properties src/main/resources/alfresco/subsystems/Synchronization/default/default-synchronization.properties src/main/resources/alfresco/subsystems/sysAdmin/default/sysadmin-parameter.properties src/main/resources/alfresco/subsystems/thirdparty/default/alfresco-pdf-renderer-transform.properties src/main/resources/alfresco/subsystems/thirdparty/default/imagemagick-transform.properties src/main/resources/alfresco/subsystems/Transformers/default/transformers.properties src/main/resources/org/alfresco/encryption/keystore-parameters.properties src/main/resources/org/alfresco/repo/i18n/testMessages.properties src/main/resources/org/alfresco/repo/module/tool/default-file-mapping.properties src/main/resources/alfresco/metadata/JodConverterMetadataExtracter.properties src/main/resources/alfresco/subsystems/OOoJodconverter/default/jodconverter.properties"
EXCLUDED_FILES="src/main/resources/alfresco/messages/content-service.properties src/main/resources/alfresco/messages/module-messages.properties src/main/resources/alfresco/messages/patch-service.properties src/main/resources/alfresco/messages/repoadmin-interpreter-help.properties src/main/resources/alfresco/messages/schema-update.properties src/main/resources/alfresco/messages/tenant-interpreter-help.properties src/main/resources/alfresco/messages/version-service.properties src/main/resources/alfresco/messages/workflow-interpreter-help.properties src/main/resources/alfresco/alfresco-shared.properties src/main/resources/alfresco/caches.properties src/main/resources/alfresco/repository.properties src/main/resources/alfresco/client/config/repo-clients-apps.properties src/main/resources/alfresco/domain/cache-strategies.properties src/main/resources/alfresco/domain/hibernate-cfg.properties src/main/resources/alfresco/domain/quartz.properties src/main/resources/alfresco/domain/transaction.properties src/main/resources/alfresco/keystore/keystore-passwords.properties src/main/resources/alfresco/keystore/ssl-keystore-passwords.properties src/main/resources/alfresco/keystore/ssl-truststore-passwords.properties src/main/resources/alfresco/metadata/DWGMetadataExtracter.properties src/main/resources/alfresco/metadata/HtmlMetadataExtracter.properties src/main/resources/alfresco/metadata/MailMetadataExtracter.properties src/main/resources/alfresco/metadata/MP3MetadataExtracter.properties src/main/resources/alfresco/metadata/OfficeMetadataExtracter.properties src/main/resources/alfresco/metadata/PdfBoxMetadataExtracter.properties src/main/resources/alfresco/metadata/PoiMetadataExtracter.properties src/main/resources/alfresco/metadata/RFC822MetadataExtracter.properties src/main/resources/alfresco/metadata/TikaAudioMetadataExtracter.properties src/main/resources/alfresco/metadata/TikaAutoMetadataExtracter.properties 
src/main/resources/alfresco/metadata/TikaSpringConfiguredMetadataExtracter.properties src/main/resources/alfresco/subsystems/ActivitiesFeed/default/activities-jobs.properties src/main/resources/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication.properties src/main/resources/alfresco/subsystems/Authentication/external/external-authentication.properties src/main/resources/alfresco/subsystems/Authentication/kerberos/kerberos-authentication.properties src/main/resources/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties src/main/resources/alfresco/subsystems/Authentication/ldap-ad/ldap-ad-authentication.properties src/main/resources/alfresco/subsystems/email/InboundSMTP/inboundSMTP.properties src/main/resources/alfresco/subsystems/email/OutboundSMTP/outboundSMTP.properties src/main/resources/alfresco/subsystems/fileServers/default/file-servers.properties src/main/resources/alfresco/subsystems/imap/default/imap-server.properties src/main/resources/alfresco/subsystems/Replication/default/replication.properties src/main/resources/alfresco/subsystems/Search/noindex/common-search.properties src/main/resources/alfresco/subsystems/Search/noindex/noindex-search.properties src/main/resources/alfresco/subsystems/Search/solr/common-search.properties src/main/resources/alfresco/subsystems/Search/solr/solr-backup.properties src/main/resources/alfresco/subsystems/Search/solr/solr-search.properties src/main/resources/alfresco/subsystems/Search/solr/facet/solr-facets-config.properties src/main/resources/alfresco/subsystems/Search/solr4/common-search.properties src/main/resources/alfresco/subsystems/Search/solr4/solr-backup.properties src/main/resources/alfresco/subsystems/Search/solr4/solr-search.properties src/main/resources/alfresco/subsystems/Search/solr6/common-search.properties src/main/resources/alfresco/subsystems/Search/solr6/solr-backup.properties src/main/resources/alfresco/subsystems/Search/solr6/solr-search.properties 
src/main/resources/alfresco/subsystems/Subscriptions/default/subscription-service.properties src/main/resources/alfresco/subsystems/Synchronization/default/default-synchronization.properties src/main/resources/alfresco/subsystems/sysAdmin/default/sysadmin-parameter.properties src/main/resources/alfresco/subsystems/thirdparty/default/alfresco-pdf-renderer-transform.properties src/main/resources/alfresco/subsystems/thirdparty/default/imagemagick-transform.properties src/main/resources/alfresco/subsystems/Transformers/default/transformers.properties src/main/resources/org/alfresco/encryption/keystore-parameters.properties src/main/resources/org/alfresco/repo/i18n/testMessages.properties src/main/resources/org/alfresco/repo/module/tool/default-file-mapping.properties src/main/resources/alfresco/metadata/JodConverterMetadataExtracter.properties src/main/resources/alfresco/subsystems/OOoJodconverter/default/jodconverter.properties"
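Review bot: `EXCLUDED_FILES` appears to be a single quoted line holding every path, so removing the one entry `src/main/resources/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties` rewrites the whole value and a reviewer cannot see from the diff that nothing else changed. If the consumer of this file is a POSIX shell, one path per line with a trailing backslash inside the quotes (starting `EXCLUDED_FILES="src/main/resources/alfresco/messages/content-service.properties \`) keeps the same value and makes each future removal a one-line diff. That matters here because the list also names the keystore password property files, where an accidental drop or addition should be easy to spot. The `alfrescoNtlm/alfresco-authentication.properties` entry is still listed; presumably that subsystem stays after the passthru removal, but it is worth confirming.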


@@ -1,454 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.filesys.auth;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InterfaceAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.Enumeration;
import java.util.StringTokenizer;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.jlan.netbios.NetBIOSSession;
import org.alfresco.jlan.server.auth.passthru.AuthSessionFactory;
import org.alfresco.jlan.server.auth.passthru.PassthruServers;
import org.alfresco.jlan.server.config.InvalidConfigurationException;
import org.alfresco.jlan.smb.Protocol;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.InitializingBean;
/**
* A Factory for {@link PassthruServers} objects, allowing setting of the server list via local server, individual
* servers or domain name.
*
* @author dward
*/
public class PassthruServerFactory implements FactoryBean, InitializingBean, DisposableBean
{
private static final Log logger = LogFactory.getLog("org.alfresco.smb.protocol.auth");
public final static int DefaultSessionTmo = 5000; // 5 seconds
public final static int MinSessionTmo = 2000; // 2 seconds
public final static int MaxSessionTmo = 30000; // 30 seconds
public final static int MinCheckInterval = 10; // 10 seconds
public final static int MaxCheckInterval = 15 * 60; // 15 minutes
private Integer timeout;
private boolean localServer;
private String server;
private String domain;
private Integer offlineCheckInterval;
private PassthruServers passthruServers;
private boolean nullDomainUseAnyServer;
/**
* Sets the timeout for opening a session to an authentication server
*
* @param timeout
* a time period in milliseconds
*/
public void setTimeout(int timeout)
{
this.timeout = timeout;
}
/**
* Indicates whether the local server should be used as the authentication server
*
* @param localServer
* <code>true</code> if the local server should be used as the authentication server
*/
public void setLocalServer(boolean localServer)
{
this.localServer = localServer;
}
/**
* Sets the server(s) to authenticate against.
*
* @param server
* comma-delimited list of server names
*/
public void setServer(String server)
{
this.server = server;
}
/**
* Sets the domain to authenticate against
*
* @param domain
* a domain name
*/
public void setDomain(String domain)
{
this.domain = domain;
}
/**
* Sets the offline server check interval in seconds
*
* @param offlineCheckInterval
* a time interval in seconds
*/
public void setOfflineCheckInterval(Integer offlineCheckInterval)
{
this.offlineCheckInterval = offlineCheckInterval;
}
/**
* Set the null domain to use any available server option
*
* @param nullDomain boolean
*/
public final void setNullDomainUseAnyServer( boolean nullDomain)
{
this.nullDomainUseAnyServer = nullDomain;
}
/**
* Set the protocol order for passthru connections
*
* @param protoOrder
* a comma-delimited list containing one or more of "NetBIOS" and "TCPIP" in any order
*/
public void setProtocolOrder(String protoOrder)
{
// Parse the protocol order list
StringTokenizer tokens = new StringTokenizer(protoOrder, ",");
int primaryProto = Protocol.None;
int secondaryProto = Protocol.None;
// There should only be one or two tokens
if (tokens.countTokens() > 2)
throw new AlfrescoRuntimeException("Invalid protocol order list, " + protoOrder);
// Get the primary protocol
if (tokens.hasMoreTokens())
{
// Parse the primary protocol
String primaryStr = tokens.nextToken();
if (primaryStr.equalsIgnoreCase("TCPIP"))
primaryProto = Protocol.NativeSMB;
else if (primaryStr.equalsIgnoreCase("NetBIOS"))
primaryProto = Protocol.TCPNetBIOS;
else
throw new AlfrescoRuntimeException("Invalid protocol type, " + primaryStr);
// Check if there is a secondary protocol, and validate
if (tokens.hasMoreTokens())
{
// Parse the secondary protocol
String secondaryStr = tokens.nextToken();
if (secondaryStr.equalsIgnoreCase("TCPIP") && primaryProto != Protocol.NativeSMB)
secondaryProto = Protocol.NativeSMB;
else if (secondaryStr.equalsIgnoreCase("NetBIOS") && primaryProto != Protocol.TCPNetBIOS)
secondaryProto = Protocol.TCPNetBIOS;
else
throw new AlfrescoRuntimeException("Invalid secondary protocol, " + secondaryStr);
}
}
// Set the protocol order used for passthru authentication sessions
AuthSessionFactory.setProtocolOrder(primaryProto, secondaryProto);
// DEBUG
if (logger.isDebugEnabled())
logger.debug("Protocol order primary=" + Protocol.asString(primaryProto) + ", secondary="
+ Protocol.asString(secondaryProto));
}
/**
* Set the broadcast mask to use for NetBIOS name lookups
*
* @param bcastMask String
* @exception AlfrescoRuntimeException
*/
public final void setBroadcastMask( String bcastMask)
throws IOException {
if ( bcastMask == null || bcastMask.length() == 0) {
// Clear the NetBIOS subnet mask
NetBIOSSession.setDefaultSubnetMask( null);
return;
}
// Find the network adapter with the matching broadcast mask
try {
Enumeration<NetworkInterface> netEnum = NetworkInterface.getNetworkInterfaces();
NetworkInterface bcastIface = null;
while ( netEnum.hasMoreElements() && bcastIface == null) {
NetworkInterface ni = netEnum.nextElement();
for ( InterfaceAddress iAddr : ni.getInterfaceAddresses()) {
InetAddress broadcast = iAddr.getBroadcast();
if ( broadcast != null && broadcast.getHostAddress().equals( bcastMask))
bcastIface = ni;
}
}
// DEBUG
if ( logger.isDebugEnabled()) {
if ( bcastIface != null)
logger.debug("Broadcast mask " + bcastMask + " found on network interface " + bcastIface.getDisplayName() + "/" + bcastIface.getName());
else
logger.debug("Failed to find network interface for broadcast mask " + bcastMask);
}
// Check if we found a valid network interface for the broadcast mask
if ( bcastIface == null)
throw new AlfrescoRuntimeException("Network interface for broadcast mask " + bcastMask + " not found");
// Set the NetBIOS broadcast mask
NetBIOSSession.setDefaultSubnetMask( bcastMask);
}
catch ( SocketException ex) {
}
}
public void afterPropertiesSet() throws InvalidConfigurationException
{
// Check if the offline check interval has been specified
if (this.offlineCheckInterval != null)
{
// Range check the value
if (this.offlineCheckInterval < MinCheckInterval || this.offlineCheckInterval > MaxCheckInterval)
throw new InvalidConfigurationException("Invalid offline check interval, valid range is "
+ MinCheckInterval + " to " + MaxCheckInterval);
// Set the offline check interval for offline passthru servers
passthruServers = new PassthruServers(this.offlineCheckInterval);
// DEBUG
if (logger.isDebugEnabled())
logger.debug("Using offline check interval of " + this.offlineCheckInterval + " seconds");
}
else
{
// Create the passthru server list with the default offline check interval
passthruServers = new PassthruServers();
}
// Propagate the debug setting
if (logger.isDebugEnabled())
passthruServers.setDebug(true);
// Check if the session timeout has been specified
if (this.timeout != null)
{
// Range check the timeout
if (this.timeout < MinSessionTmo || this.timeout > MaxSessionTmo)
throw new InvalidConfigurationException("Invalid session timeout, valid range is " + MinSessionTmo
+ " to " + MaxSessionTmo);
// Set the session timeout for connecting to an authentication server
passthruServers.setConnectionTimeout(this.timeout);
}
passthruServers.setNullDomainUseAnyServer(this.nullDomainUseAnyServer);
// Check if a server name has been specified
String srvList = null;
if (localServer)
{
try
{
// Get the list of local network addresses
InetAddress[] localAddrs = InetAddress.getAllByName(InetAddress.getLocalHost().getHostName());
// Build the list of local addresses
if (localAddrs != null && localAddrs.length > 0)
{
StringBuilder addrStr = new StringBuilder();
for (InetAddress curAddr : localAddrs)
{
if (curAddr.isLoopbackAddress() == false)
{
addrStr.append(curAddr.getHostAddress());
addrStr.append(",");
}
}
if (addrStr.length() > 0)
addrStr.setLength(addrStr.length() - 1);
// Set the server list using the local address list
srvList = addrStr.toString();
}
else
throw new AlfrescoRuntimeException("No local server address(es)");
}
catch (UnknownHostException ex)
{
throw new AlfrescoRuntimeException("Failed to get local address list");
}
}
if (this.server != null && this.server.length() > 0)
{
// Check if the server name was already set
if (srvList != null)
throw new AlfrescoRuntimeException("Set passthru server via local server or specify name");
// Get the passthru authenticator server name
srvList = this.server;
}
// If the passthru server name has been set initialize the passthru connection
if (srvList != null)
{
// Initialize using a list of server names/addresses
passthruServers.setServerList(srvList);
}
else
{
// Get the domain/workgroup name
String domainName = null;
// Check if a domain name has been specified
if (this.domain != null && this.domain.length() > 0)
{
// Check if the authentication server has already been set, ie. server name was also specified
if (srvList != null)
throw new AlfrescoRuntimeException("Specify server or domain name for passthru authentication");
domainName = this.domain;
}
// If the domain name has been set initialize the passthru connection
if (domainName != null)
{
try
{
// Initialize using the domain
passthruServers.setDomain(domainName);
}
catch (IOException ex)
{
throw new AlfrescoRuntimeException("Error setting passthru domain, " + ex.getMessage());
}
}
}
// Check if we have an authentication server
if (passthruServers.getTotalServerCount() == 0)
throw new AlfrescoRuntimeException("No valid authentication servers found for passthru");
}
/*
* (non-Javadoc)
* @see org.springframework.beans.factory.InitializingBean#getObject()
*/
public Object getObject()
{
return passthruServers;
}
/*
* (non-Javadoc)
* @see org.springframework.beans.factory.FactoryBean#getObjectType()
*/
public Class<?> getObjectType()
{
return PassthruServers.class;
}
/*
* (non-Javadoc)
* @see org.springframework.beans.factory.FactoryBean#isSingleton()
*/
public boolean isSingleton()
{
return true;
}
/*
* (non-Javadoc)
* @see org.springframework.beans.factory.DisposableBean#destroy()
*/
public void destroy() throws Exception
{
passthruServers.shutdown();
}
}


@@ -34,11 +34,8 @@ import org.alfresco.jlan.ftp.FTPSrvSession;
import org.alfresco.jlan.server.SrvSession;
import org.alfresco.jlan.server.auth.ClientInfo;
import org.alfresco.jlan.server.auth.PasswordEncryptor;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.MD4PasswordEncoder;
import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
/**
* Alfresco FTP Authenticator Class
@@ -170,16 +167,10 @@ public class AlfrescoFtpAuthenticator extends FTPAuthenticatorBase {
if (logger.isDebugEnabled())
{
AuthenticationComponent authenticationComponent = getAuthenticationComponent();
logger
.debug("Authenticated user "
logger.debug("Authenticated user "
+ client.getUserName()
+ " sts="
+ authSts
+ " via "
+ (authenticationComponent instanceof NLTMAuthenticator
&& ((NLTMAuthenticator) authenticationComponent).getNTLMMode() == NTLMMode.MD4_PROVIDER ? "MD4"
: "Passthru"));
+ authSts);
}
// Return the authentication status
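Review bot: The rewritten debug statement still reads "Authenticated user" whatever the value of `authSts`, and it concatenates the client-supplied name from `client.getUserName()` into the log line unmodified. A neutral message is easier to read when triaging failed logons, for example `logger.debug("FTP logon user=" + client.getUserName() + " sts=" + authSts);`. If the configured log layout does not already encode control characters, replace CR/LF in the name before writing it, so that a crafted user name cannot start a new log record. The enclosing method starts and ends outside the hunk, so the possibility that `authSts` is false at this point is inferred from it being logged as a status.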

View File

@@ -1,28 +1,28 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.filesys.auth.ftp;
@@ -38,7 +38,6 @@ import org.alfresco.jlan.server.config.ServerConfiguration;
import org.alfresco.jlan.server.config.ServerConfigurationAccessor;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.transaction.TransactionService;
@@ -162,13 +161,13 @@ public abstract class FTPAuthenticatorBase implements FTPAuthenticator, Activate
throw new InvalidConfigurationException("server configuration accessor property not set");
}
/**
* Authenticate the user
*
* @param info ClientInfo
* @param sess FTPSrvSession
* @return boolean
*/
/**
* Authenticate the user
*
* @param info ClientInfo
* @param sess FTPSrvSession
* @return boolean
*/
public abstract boolean authenticateUser(ClientInfo info, FTPSrvSession sess);
/**
@@ -188,20 +187,6 @@ public abstract class FTPAuthenticatorBase implements FTPAuthenticator, Activate
return this.authenticationComponent;
}
/**
* Returns an SSO-enabled authentication component.
*
* @return NLTMAuthenticator
*/
protected final NLTMAuthenticator getNTLMAuthenticator()
{
if (!(this.authenticationComponent instanceof NLTMAuthenticator))
{
throw new IllegalStateException("Attempt to use non SSO-enabled authentication component for SSO");
}
return (NLTMAuthenticator)this.authenticationComponent;
}
/**
* Return the authentication service
*


@@ -1,497 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.filesys.auth.ftp;
import java.net.InetAddress;
import javax.transaction.Status;
import javax.transaction.UserTransaction;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.filesys.ExtendedServerConfigurationAccessor;
import org.alfresco.filesys.alfresco.AlfrescoClientInfo;
import org.alfresco.filesys.auth.PassthruServerFactory;
import org.alfresco.jlan.ftp.FTPSrvSession;
import org.alfresco.jlan.server.SrvSession;
import org.alfresco.jlan.server.auth.ClientInfo;
import org.alfresco.jlan.server.auth.PasswordEncryptor;
import org.alfresco.jlan.server.auth.passthru.AuthenticateSession;
import org.alfresco.jlan.server.auth.passthru.DomainMapping;
import org.alfresco.jlan.server.auth.passthru.PassthruServers;
import org.alfresco.jlan.server.config.InvalidConfigurationException;
import org.alfresco.jlan.server.config.SecurityConfigSection;
import org.alfresco.jlan.server.config.ServerConfiguration;
import org.alfresco.jlan.util.IPAddress;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
import org.springframework.extensions.config.ConfigElement;
/**
* Passthru FTP Authenticator Class
*
* @author gkspencer
*/
public class PassthruFtpAuthenticator extends FTPAuthenticatorBase {
// Constants
public final static int DefaultSessionTmo = 5000; // 5 seconds
public final static int MinSessionTmo = 2000; // 2 seconds
public final static int MaxSessionTmo = 30000; // 30 seconds
public final static int MinCheckInterval = 10; // 10 seconds
public final static int MaxCheckInterval = 15 * 60; // 15 minutes
// Passthru keep alive interval
public final static long PassthruKeepAliveInterval = 60000L; // 60 seconds
// Passthru servers used to authenticate users
private PassthruServers m_passthruServers;
private boolean m_localPassThruServers;
// Password encryption, for CIFS NTLM style encryption/hashing
private PasswordEncryptor m_passwordEncryptor;
protected SecurityConfigSection getSecurityConfig()
{
return (SecurityConfigSection) this.serverConfiguration.getConfigSection(SecurityConfigSection.SectionName);
}
public void setPassthruServers(PassthruServers passthruServers)
{
m_passthruServers = passthruServers;
}
/**
* Initialize the authenticator
*
* @param config ServerConfiguration
* @param params ConfigElement
* @exception InvalidConfigurationException
*/
@Override
public void initialize(ServerConfiguration config, ConfigElement params)
throws InvalidConfigurationException {
// Manually construct our own passthru server list
PassthruServerFactory factory = new PassthruServerFactory();
// Check if the offline check interval has been specified
ConfigElement checkInterval = params.getChild("offlineCheckInterval");
if ( checkInterval != null)
{
try
{
// Validate the check interval value
factory.setOfflineCheckInterval(Integer.parseInt(checkInterval.getValue()));
}
catch (NumberFormatException ex)
{
throw new InvalidConfigurationException("Invalid offline check interval specified");
}
}
// Check if the session timeout has been specified
ConfigElement sessTmoElem = params.getChild("Timeout");
if (sessTmoElem != null)
{
try
{
// Validate the session timeout value
factory.setTimeout(Integer.parseInt(sessTmoElem.getValue()));
}
catch (NumberFormatException ex)
{
throw new InvalidConfigurationException("Invalid timeout value specified");
}
}
// Get the extended server configuration
ExtendedServerConfigurationAccessor configExtended = null;
if ( config instanceof ExtendedServerConfigurationAccessor)
configExtended = (ExtendedServerConfigurationAccessor) config;
// Check if the local server should be used
if ( params.getChild("LocalServer") != null && configExtended != null) {
// Get the local server name, trim the domain name
String server = configExtended.getLocalServerName( true);
if ( server == null)
throw new AlfrescoRuntimeException("Passthru authenticator failed to get local server name");
factory.setServer(server);
}
// Check if a server name has been specified
ConfigElement srvNamesElem = params.getChild("Server");
if (srvNamesElem != null && srvNamesElem.getValue().length() > 0)
{
factory.setServer(srvNamesElem.getValue());
}
// Check if the local domain/workgroup should be used
if ( params.getChild("LocalDomain") != null && configExtended != null) {
// Get the local domain/workgroup name
factory.setDomain(configExtended.getLocalDomainName());
}
// Check if a domain name has been specified
ConfigElement domNameElem = params.getChild("Domain");
if (domNameElem != null && domNameElem.getValue().length() > 0)
{
factory.setDomain(domNameElem.getValue());
}
// Check if a protocol order has been set
ConfigElement protoOrderElem = params.getChild("ProtocolOrder");
if (protoOrderElem != null && protoOrderElem.getValue().length() > 0)
{
factory.setProtocolOrder(protoOrderElem.getValue());
}
// Complete initialization
factory.afterPropertiesSet();
setPassthruServers((PassthruServers) factory.getObject());
// Remember that we have to shut down the servers
m_localPassThruServers = true;
super.initialize(config, params);
}
/**
* Initialize the authenticator (after properties have been set)
*
* @exception InvalidConfigurationException
*/
@Override
public void initialize() throws InvalidConfigurationException
{
super.initialize();
// Check if the appropriate authentication component type is configured
AuthenticationComponent authenticationComponent = getAuthenticationComponent();
if (authenticationComponent instanceof NLTMAuthenticator
&& ((NLTMAuthenticator) authenticationComponent).getNTLMMode() == NTLMMode.MD4_PROVIDER)
throw new AlfrescoRuntimeException(
"Wrong authentication setup for passthru authenticator (cannot be used with Alfresco users)");
// Create the password encryptor
m_passwordEncryptor = new PasswordEncryptor();
}
/**
* Authenticate the user
*
* @param client ClientInfo
* @param sess FTPSrvSession
* @return boolean
*/
public boolean authenticateUser(ClientInfo client, FTPSrvSession sess) {
// Check that the client is an Alfresco client
if ( client instanceof AlfrescoClientInfo == false)
return false;
// Check if this is a guest logon
boolean authSts = false;
UserTransaction tx = null;
try {
if ( client.isGuest()) {
// Get a guest authentication token
doGuestLogon((AlfrescoClientInfo) client, sess);
// Indicate logged on as guest
authSts = true;
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Authenticated guest user " + client.getUserName() + " sts=" + authSts);
// Return the guest status
return authSts;
}
// Start a transaction
tx = getTransactionService().getUserTransaction(false);
tx.begin();
// Perform passthru authentication check
authSts = doPassthruUserAuthentication(client, sess);
// Check if the user is an administrator
if ( authSts == true && client.getLogonType() == ClientInfo.LogonNormal)
checkForAdminUserName( client);
}
catch (Exception ex) {
if ( logger.isDebugEnabled())
logger.debug(ex);
}
finally {
// Commit the transaction
if ( tx != null) {
try {
// Commit or rollback the transaction
if ( tx.getStatus() == Status.STATUS_MARKED_ROLLBACK) {
// Transaction is marked for rollback
tx.rollback();
}
else {
// Commit the transaction
tx.commit();
}
}
catch (Exception ex) {
}
}
}
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Authenticated user " + client.getUserName() + " sts=" + authSts + " via Passthru");
// Return the authentication status
return authSts;
}
/**
* Logon using the guest user account
*
* @param client AlfrescoClientInfo
* @param sess SrvSession
*/
protected void doGuestLogon(AlfrescoClientInfo client, SrvSession sess) {
// Get a guest authentication token
getAuthenticationService().authenticateAsGuest();
String ticket = getAuthenticationService().getCurrentTicket();
client.setAuthenticationTicket(ticket);
// Mark the client as being a guest logon
client.setGuest(true);
}
/**
* Perform passthru authentication
*
* @param client Client information
* @param sess Server session
* @return boolean
*/
private final boolean doPassthruUserAuthentication(ClientInfo client, SrvSession sess) {
// Authenticate the FTP user by opening a session to a remote CIFS server
boolean authSts = false;
AuthenticateSession authSess = null;
try
{
// Try and map the client address to a domain
String domain = mapClientAddressToDomain( sess.getRemoteAddress());
authSess = m_passthruServers.openSession( false, domain);
if (authSess != null)
{
// Use the challenge key returned from the authentication server to generate the hashed password
byte[] challenge = authSess.getEncryptionKey();
byte[] ntlmHash = m_passwordEncryptor.generateEncryptedPassword( client.getPasswordAsString(), challenge, PasswordEncryptor.NTLM1, client.getUserName(), null);
// Run the passthru authentication second stage
authSess.doSessionSetup(client.getDomain(), client.getUserName(), null, null, ntlmHash, 0);
// Check if the user has been logged on as a guest
if (authSess.isGuest())
{
// Get a guest authentication token
doGuestLogon((AlfrescoClientInfo) client, sess);
// Allow the user access as a guest
authSts = true;
// Debug
if (logger.isDebugEnabled())
logger.debug("Passthru authenticate user=" + client.getUserName() + ", GUEST");
}
else
{
// Set the current user to be authenticated, save the authentication token
AlfrescoClientInfo alfClient = (AlfrescoClientInfo) client;
getAuthenticationComponent().setCurrentUser(client.getUserName());
alfClient.setAuthenticationTicket(getAuthenticationService().getCurrentTicket());
// Passwords match, grant access
authSts = true;
client.setLogonType( ClientInfo.LogonNormal);
// Logging
if ( logger.isInfoEnabled())
logger.info("Logged on user " + client.getUserName() + " ( address " + sess.getRemoteAddress() + ")");
}
// Close the passthru authentication session
authSess.CloseSession();
authSess = null;
}
}
catch (Exception ex)
{
logger.debug("Passthru error", ex);
}
finally {
// Make sure the authentication session has been closed
if ( authSess != null) {
try {
authSess.CloseSession();
}
catch( Exception ex) {
}
}
}
// Return the logon status
return authSts;
}
/**
* Map a client IP address to a domain
*
* @param clientIP InetAddress
* @return String
*/
protected final String mapClientAddressToDomain(InetAddress clientIP) {
// Check if there are any domain mappings
if ( !getSecurityConfig().hasDomainMappings() )
return null;
// Convert the client IP address to an integer value
int clientAddr = IPAddress.asInteger(clientIP);
for (DomainMapping domainMap : getSecurityConfig().getDomainMappings()) {
if ( domainMap.isMemberOfDomain(clientAddr)) {
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Mapped client IP " + clientIP + " to domain " + domainMap.getDomain());
return domainMap.getDomain();
}
}
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Failed to map client IP " + clientIP + " to a domain");
// No domain mapping for the client address
return null;
}
/**
* Close the authenticator
*/
public void closeAuthenticator()
{
super.closeAuthenticator();
// Close the passthru authentication server list
if ( m_localPassThruServers && m_passthruServers != null)
m_passthruServers.shutdown();
}
}


@@ -51,9 +51,6 @@ import org.alfresco.jlan.ftp.FTPConfigSection;
import org.alfresco.jlan.ftp.FTPPath;
import org.alfresco.jlan.ftp.InvalidPathException;
import org.alfresco.jlan.server.auth.acl.AccessControlList;
import org.alfresco.jlan.server.auth.passthru.DomainMapping;
import org.alfresco.jlan.server.auth.passthru.RangeDomainMapping;
import org.alfresco.jlan.server.auth.passthru.SubnetDomainMapping;
import org.alfresco.jlan.server.config.CoreServerConfigSection;
import org.alfresco.jlan.server.config.InvalidConfigurationException;
import org.alfresco.jlan.server.config.SecurityConfigSection;
@@ -744,64 +741,6 @@ public class ServerConfigurationBean extends AbstractServerConfigurationBean imp
// Associate the share mapper
secConfig.setShareMapper(shareMapper);
}
// Check if any domain mappings have been specified
List<DomainMappingConfigBean> mappings = securityConfigBean.getDomainMappings();
if (mappings != null)
{
DomainMapping mapping = null;
for (DomainMappingConfigBean domainMap : mappings)
{
// Get the domain name
String name = domainMap.getName();
// Check if the domain is specified by subnet or range
String subnetStr = domainMap.getSubnet();
String rangeFromStr;
if (subnetStr != null && subnetStr.length() > 0)
{
String maskStr = domainMap.getMask();
// Parse the subnet and mask, to validate and convert to int values
int subnet = IPAddress.parseNumericAddress(subnetStr);
int mask = IPAddress.parseNumericAddress(maskStr);
if (subnet == 0 || mask == 0)
throw new AlfrescoRuntimeException("Invalid subnet/mask for domain mapping " + name);
// Create the subnet domain mapping
mapping = new SubnetDomainMapping(name, subnet, mask);
}
else if ((rangeFromStr = domainMap.getRangeFrom()) != null && rangeFromStr.length() > 0)
{
String rangeToStr = domainMap.getRangeTo();
// Parse the range from/to values and convert to int values
int rangeFrom = IPAddress.parseNumericAddress(rangeFromStr);
int rangeTo = IPAddress.parseNumericAddress(rangeToStr);
if (rangeFrom == 0 || rangeTo == 0)
throw new AlfrescoRuntimeException("Invalid address range domain mapping " + name);
// Create the subnet domain mapping
mapping = new RangeDomainMapping(name, rangeFrom, rangeTo);
}
else
throw new AlfrescoRuntimeException("Invalid domain mapping specified");
// Add the domain mapping
secConfig.addDomainMapping(mapping);
}
}
}
catch (InvalidConfigurationException ex)
{


@@ -1,28 +1,28 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication;
import java.io.PrintWriter;
@@ -38,7 +38,6 @@ import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
import org.alfresco.repo.tenant.TenantContextHolder;
import org.alfresco.repo.tenant.TenantDisabledException;
import org.alfresco.repo.tenant.TenantUtil;
@@ -49,7 +48,7 @@ import org.alfresco.util.Pair;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class AuthenticationComponentImpl extends AbstractAuthenticationComponent implements NLTMAuthenticator
public class AuthenticationComponentImpl extends AbstractAuthenticationComponent
{
private static Log logger = LogFactory.getLog(AuthenticationComponentImpl.class);
@@ -223,14 +222,6 @@ public class AuthenticationComponentImpl extends AbstractAuthenticationComponent
throw new AlfrescoRuntimeException("Authentication via token not supported");
}
/**
* This implementation supported MD4 password hashes.
*/
public NTLMMode getNTLMMode()
{
return NTLMMode.MD4_PROVIDER;
}
@Override
protected boolean implementationAllowsGuestLogin()
{


@@ -1,321 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import net.sf.acegisecurity.Authentication;
import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
/**
* A chaining authentication component is required for all the beans that wire up an authentication component and not an
* authentication service. It supports chaining in much the same way and wires up components in the same way as the
* chaining authentication service wires up services.
*
* @author andyh
*/
public class ChainingAuthenticationComponentImpl extends AbstractChainingAuthenticationComponent implements NLTMAuthenticator
{
/**
* NLTM authentication mode - if unset - finds the first component that supports NTLM - if set - finds the first
* component that supports the specified mode.
*/
private NTLMMode ntlmMode = null;
/**
* The authentication components
*/
private List<AuthenticationComponent> authenticationComponents;
/**
* An authentication service that supports change (as wired in to the authentication service). It is never used for
* change it is to ensure it is at the top of the list (as required by the chaining authentication service)
*/
private AuthenticationComponent mutableAuthenticationComponent;
/**
* Get the authentication components
*
* @return - a list of authentication components
*/
public List<AuthenticationComponent> getAuthenticationComponents()
{
return this.authenticationComponents;
}
/**
* Set a list of authentication components
*
*/
public void setAuthenticationComponents(List<AuthenticationComponent> authenticationComponents)
{
this.authenticationComponents = authenticationComponents;
}
/**
* Get the authentication service thta must be at the top of the list (this may be null)
*
* @return AuthenticationComponent
*/
public AuthenticationComponent getMutableAuthenticationComponent()
{
return this.mutableAuthenticationComponent;
}
/**
* Set the authentication component at the top of the list.
*
* @param mutableAuthenticationComponent AuthenticationComponent
*/
public void setMutableAuthenticationComponent(AuthenticationComponent mutableAuthenticationComponent)
{
this.mutableAuthenticationComponent = mutableAuthenticationComponent;
}
public void setNtlmMode(NTLMMode ntlmMode)
{
this.ntlmMode = ntlmMode;
}
/**
* NTLM passthrough authentication - if a mode is defined - the first PASS_THROUGH provider is used - if not, the
* first component that supports NTLM is used if it supports PASS_THROUGH
*/
public Authentication authenticate(Authentication token) throws AuthenticationException
{
if (this.ntlmMode != null)
{
switch (this.ntlmMode)
{
case NONE:
throw new AuthenticationException("NTLM is not supported");
case MD4_PROVIDER:
throw new AuthenticationException("NTLM passthrough is not supported then configured for MD4 hashing");
case PASS_THROUGH:
for (AuthenticationComponent authComponent : getUsableAuthenticationComponents())
{
if (!(authComponent instanceof NLTMAuthenticator))
{
continue;
}
NLTMAuthenticator ssoAuthenticator = (NLTMAuthenticator)authComponent;
if (ssoAuthenticator.getNTLMMode() == NTLMMode.PASS_THROUGH)
{
return ssoAuthenticator.authenticate(token);
}
}
throw new AuthenticationException("No NTLM passthrough authentication to use");
default:
throw new AuthenticationException("No NTLM passthrough authentication to use");
}
}
else
{
for (AuthenticationComponent authComponent : getUsableAuthenticationComponents())
{
if (!(authComponent instanceof NLTMAuthenticator))
{
continue;
}
NLTMAuthenticator ssoAuthenticator = (NLTMAuthenticator)authComponent;
if (ssoAuthenticator.getNTLMMode() != NTLMMode.NONE)
{
if (ssoAuthenticator.getNTLMMode() == NTLMMode.PASS_THROUGH)
{
return ssoAuthenticator.authenticate(token);
}
else
{
throw new AuthenticationException(
"The first authentication component to support NTLM supports MD4 hashing");
}
}
}
throw new AuthenticationException("No NTLM passthrough authentication to use");
}
}
/**
* Get the guest user name
*/
public String getGuestUserName()
{
return AuthenticationUtil.getGuestUserName();
}
/**
* Get the MD4 password hash
*/
public String getMD4HashedPassword(String userName)
{
if (this.ntlmMode != null)
{
switch (this.ntlmMode)
{
case NONE:
throw new AuthenticationException("NTLM is not supported");
case PASS_THROUGH:
throw new AuthenticationException("NTLM passthrough is not supported then configured for MD4 hashing");
case MD4_PROVIDER:
for (AuthenticationComponent authComponent : getUsableAuthenticationComponents())
{
if (!(authComponent instanceof NLTMAuthenticator))
{
continue;
}
NLTMAuthenticator ssoAuthenticator = (NLTMAuthenticator)authComponent;
if (ssoAuthenticator.getNTLMMode() == NTLMMode.MD4_PROVIDER)
{
return ssoAuthenticator.getMD4HashedPassword(userName);
}
}
throw new AuthenticationException("No MD4 provider available");
default:
throw new AuthenticationException("No MD4 provider available");
}
}
else
{
for (AuthenticationComponent authComponent : getUsableAuthenticationComponents())
{
if (!(authComponent instanceof NLTMAuthenticator))
{
continue;
}
NLTMAuthenticator ssoAuthenticator = (NLTMAuthenticator)authComponent;
if (ssoAuthenticator.getNTLMMode() != NTLMMode.NONE)
{
if (ssoAuthenticator.getNTLMMode() == NTLMMode.PASS_THROUGH)
{
throw new AuthenticationException(
"The first authentication component to support NTLM supports passthrough");
}
else
{
return ssoAuthenticator.getMD4HashedPassword(userName);
}
}
}
throw new AuthenticationException("No MD4 provider available");
}
}
/**
* Get the NTLM mode - this is only what is set if one of the implementations provides support for that mode.
*/
public NTLMMode getNTLMMode()
{
if (this.ntlmMode != null)
{
switch (this.ntlmMode)
{
case NONE:
return NTLMMode.NONE;
case PASS_THROUGH:
for (AuthenticationComponent authComponent : getUsableAuthenticationComponents())
{
if (!(authComponent instanceof NLTMAuthenticator))
{
continue;
}
NLTMAuthenticator ssoAuthenticator = (NLTMAuthenticator)authComponent;
if (ssoAuthenticator.getNTLMMode() == NTLMMode.PASS_THROUGH)
{
return NTLMMode.PASS_THROUGH;
}
}
return NTLMMode.NONE;
case MD4_PROVIDER:
for (AuthenticationComponent authComponent : getUsableAuthenticationComponents())
{
if (!(authComponent instanceof NLTMAuthenticator))
{
continue;
}
NLTMAuthenticator ssoAuthenticator = (NLTMAuthenticator)authComponent;
if (ssoAuthenticator.getNTLMMode() == NTLMMode.MD4_PROVIDER)
{
return NTLMMode.MD4_PROVIDER;
}
}
return NTLMMode.NONE;
default:
return NTLMMode.NONE;
}
}
else
{
for (AuthenticationComponent authComponent : getUsableAuthenticationComponents())
{
if (!(authComponent instanceof NLTMAuthenticator))
{
continue;
}
NLTMAuthenticator ssoAuthenticator = (NLTMAuthenticator)authComponent;
if (ssoAuthenticator.getNTLMMode() != NTLMMode.NONE)
{
return ssoAuthenticator.getNTLMMode();
}
}
return NTLMMode.NONE;
}
}
/**
* Helper to get authentication components
*
*/
protected Collection<AuthenticationComponent> getUsableAuthenticationComponents()
{
if (this.mutableAuthenticationComponent == null)
{
return this.authenticationComponents;
}
else
{
ArrayList<AuthenticationComponent> services = new ArrayList<AuthenticationComponent>(
this.authenticationComponents == null ? 1 : this.authenticationComponents.size() + 1);
services.add(this.mutableAuthenticationComponent);
if (this.authenticationComponents != null)
{
services.addAll(this.authenticationComponents);
}
return services;
}
}
@Override
protected AuthenticationComponent getAuthenticationComponent(String name)
{
// not implemented
return null;
}
}


@@ -1,31 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication;
public enum NTLMMode
{
PASS_THROUGH, MD4_PROVIDER, NONE
}


@@ -27,7 +27,6 @@ package org.alfresco.repo.security.authentication;
import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.UserDetails;
@@ -47,10 +46,9 @@ import net.sf.acegisecurity.providers.dao.AuthenticationDao;
*
* @author Andy Hind
*/
public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends AbstractAuthenticationComponent implements NLTMAuthenticator
public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends AbstractAuthenticationComponent
{
private boolean accept = false;
private boolean supportNtlm = false;
private AuthenticationDao authenticationDao;
@@ -69,11 +67,6 @@ public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends Abstract
this.accept = accept;
}
public void setSupportNtlm(boolean supportNtlm)
{
this.supportNtlm = supportNtlm;
}
public void authenticateImpl(String userName, char[] password) throws AuthenticationException
{
if(accept)
@@ -105,11 +98,6 @@ public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends Abstract
}
}
public NTLMMode getNTLMMode()
{
return supportNtlm ? NTLMMode.MD4_PROVIDER : NTLMMode.NONE;
}
/**
* The default is not to support Authentication token base authentication
*/
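Review bot: The last hunk (`@@ -105,11 +98,6 @@`) still ends on the Javadoc "The default is not to support Authentication token base authentication", which suggests the token-based `authenticate(Authentication)` method that follows outside the hunk is kept even though the class no longer declares `implements NLTMAuthenticator`. If that method, and any `getMD4HashedPassword(String)` next to it, existed only to satisfy the removed interface, it is now unreferenced public surface on an authentication component and would be better deleted in this commit, together with the `net.sf.acegisecurity.Authentication` import kept in the first hunk. If it has to stay, I would add a comment such as `// Not part of any interface since NLTMAuthenticator was removed; always rejects token logons` so a later reader does not assume NTLM token logons are still handled here. The method body is outside the hunk, so this needs confirming against the full file.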


@@ -1,69 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.ntlm;
import net.sf.acegisecurity.Authentication;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.NTLMMode;
/**
* An specialized {@link AuthenticationComponent} that is capable of handling NTLM authentication directly, either by
* 'passing through' to a domain server or by validating an MD4 hashed password. Unlike other authentication methods,
* these operations cannot be chained and must be handled by a specific authentication component.
*
* @author dward
*/
public interface NLTMAuthenticator extends AuthenticationComponent
{
/**
* Authenticate using a token.
*
* @param token
* Authentication
* @return Authentication
* @throws AuthenticationException
* the authentication exception
*/
public Authentication authenticate(Authentication token) throws AuthenticationException;
/**
* Get the enum that describes NTLM integration.
*
* @return the NTLM mode
*/
public NTLMMode getNTLMMode();
/**
* Get the MD4 password hash, as required by NTLM based authentication methods.
*
* @param userName
* the user name
* @return the m d4 hashed password
*/
public String getMD4HashedPassword(String userName);
}


@@ -1,947 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.ntlm;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.StringTokenizer;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationServiceException;
import net.sf.acegisecurity.BadCredentialsException;
import net.sf.acegisecurity.CredentialsExpiredException;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.filesys.auth.PassthruServerFactory;
import org.alfresco.jlan.server.auth.PasswordEncryptor;
import org.alfresco.jlan.server.auth.passthru.AuthSessionFactory;
import org.alfresco.jlan.server.auth.passthru.AuthenticateSession;
import org.alfresco.jlan.server.auth.passthru.PassthruServers;
import org.alfresco.jlan.smb.Protocol;
import org.alfresco.jlan.smb.SMBException;
import org.alfresco.jlan.smb.SMBStatus;
import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.service.cmr.security.NoSuchPersonException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
/**
* NTLM Authentication Component Class
*
* <p>Provides authentication using passthru to a Windows server(s)/domain controller(s) using the accounts
* defined on the passthru server to validate users.
*
* @author GKSpencer
*/
public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationComponent implements NLTMAuthenticator, InitializingBean
{
// Logging
private static final Log logger = LogFactory.getLog(NTLMAuthenticationComponentImpl.class);
// Constants
//
// Standard authorities
public static final String NTLMAuthorityGuest = "Guest";
public static final String NTLMAuthorityAdministrator = "Administrator";
// Active session timeout
private static final long DefaultSessionTimeout = 60000L; // 1 minute
private static final long MinimumSessionTimeout = 5000L; // 5 seconds
// Passthru authentication servers
private PassthruServerFactory m_passthruServerFactory = new PassthruServerFactory();
private PassthruServers m_passthruServers;
// Password encryptor for generating password hash for local authentication
private PasswordEncryptor m_encryptor;
// Allow guest access
private boolean m_allowGuest;
// Allow authenticated users that do not have an Alfresco person to logon as guest
private boolean m_allowAuthUserAsGuest;
// Table of currently active passthru authentications and the associated authentication session
//
// If the two authentication stages are not completed within a reasonable time the authentication
// session will be closed by the reaper thread.
private Hashtable<NTLMPassthruToken,AuthenticateSession> m_passthruSessions;
// Active authentication session timeout, in milliseconds
private long m_passthruSessTmo = DefaultSessionTimeout;
// Authentication session reaper thread
private PassthruReaperThread m_reaperThread;
// Null domain uses any available server option
private boolean m_nullDomainUseAnyServer;
/**
* Passthru Session Reaper Thread
*/
class PassthruReaperThread extends Thread
{
// Thread shutdown request flag
private boolean m_ishutdown;
// Reaper wakeup interval, in milliseconds
private long m_wakeupInterval = m_passthruSessTmo / 2;
/**
* Default constructor
*/
PassthruReaperThread()
{
setDaemon(true);
setName("PassthruReaper");
start();
}
/**
* Set the wakeup interval
*
* @param wakeup long
*/
public final void setWakeup(long wakeup)
{
m_wakeupInterval = wakeup;
}
/**
* Main thread code
*/
public void run()
{
// Loop until shutdown
m_ishutdown = false;
while ( m_ishutdown == false)
{
// Sleep for a while
try
{
sleep( m_wakeupInterval);
}
catch ( InterruptedException ex)
{
}
// Check if there are any active sessions to check
if ( m_passthruSessions.size() > 0)
{
// Enumerate the active sessions
Enumeration<NTLMPassthruToken> tokenEnum = m_passthruSessions.keys();
long timeNow = System.currentTimeMillis();
while (tokenEnum.hasMoreElements())
{
// Get the current NTLM token and check if it has expired
NTLMPassthruToken ntlmToken = tokenEnum.nextElement();
if ( ntlmToken != null && ntlmToken.getAuthenticationExpireTime() < timeNow)
{
// Authentication token has expired, close the associated authentication session
AuthenticateSession authSess = m_passthruSessions.get(ntlmToken);
if ( authSess != null)
{
try
{
// Close the authentication session
authSess.CloseSession();
}
catch ( Exception ex)
{
// Debug
if(logger.isDebugEnabled())
logger.debug("Error closing expired authentication session", ex);
}
}
// Remove the expired token from the active list
m_passthruSessions.remove(ntlmToken);
// Debug
if(logger.isDebugEnabled())
logger.debug("Removed expired NTLM token " + ntlmToken);
}
}
}
}
// Debug
if(logger.isDebugEnabled())
logger.debug("Passthru reaper thread shutdown");
}
/**
* Shutdown the reaper thread
*/
public final void shutdownRequest()
{
m_ishutdown = true;
this.interrupt();
}
}
/**
* Class constructor
*/
public NTLMAuthenticationComponentImpl() {
// Create the password encryptor for local password hashing
m_encryptor = new PasswordEncryptor();
// Create the active session list and reaper thread
m_passthruSessions = new Hashtable<NTLMPassthruToken,AuthenticateSession>();
m_reaperThread = new PassthruReaperThread();
}
public void afterPropertiesSet() throws Exception
{
if (m_passthruServers == null)
{
// Create the passthru authentication server list
m_passthruServerFactory.afterPropertiesSet();
m_passthruServers = (PassthruServers) m_passthruServerFactory.getObject();
}
}
/**
* Determine if guest logons are allowed
*
* @return boolean
*/
public final boolean allowsGuest()
{
return m_allowGuest;
}
/**
* Directly sets the passthru server list.
*
* @param servers
* a passthru server list, usually created by {@link org.alfresco.filesys.auth.PassthruServerFactory}
*/
public void setPassthruServers(PassthruServers servers)
{
m_passthruServers = servers;
}
/**
* Set the domain to authenticate against
*
* @param domain String
*/
public void setDomain(String domain) {
if (domain.length() > 0)
{
m_passthruServerFactory.setDomain(domain);
}
}
/**
* Set the server(s) to authenticate against
*
* @param servers String
*/
public void setServers(String servers) {
if (servers.length() > 0)
{
m_passthruServerFactory.setServer(servers);
}
}
/**
* Use the local server as the authentication server
*
* @param useLocal String
*/
public void setUseLocalServer(String useLocal)
{
m_passthruServerFactory.setLocalServer(Boolean.parseBoolean(useLocal));
}
/**
* Allow guest access
*
* @param guest String
*/
public void setGuestAccess(String guest)
{
m_allowGuest = Boolean.parseBoolean(guest);
}
/**
* Allow authenticated users with no alfresco person record to logon with guest access
*
* @param auth String
*/
public void setAllowAuthUserAsGuest(String auth)
{
m_allowAuthUserAsGuest = Boolean.parseBoolean(auth);
}
/**
* Allow null domain passthru logons to use the first available passthru server
*
* @param nullDomain String
*/
public void setNullDomainUseAnyServer(String nullDomain)
{
m_nullDomainUseAnyServer = Boolean.parseBoolean(nullDomain);
// Push the setting to the passthru server component
m_passthruServers.setNullDomainUseAnyServer( m_nullDomainUseAnyServer);
}
/**
* Set the JCE provider
*
* @param providerClass String
*/
public void setJCEProvider(String providerClass)
{
// Set the JCE provider, required to provide various encryption/hashing algorithms not available
// in the standard Sun JDK/JRE
try
{
// Load the JCE provider class and validate
Object jceObj = Class.forName(providerClass).newInstance();
if (jceObj instanceof java.security.Provider)
{
// Inform listeners, validate the configuration change
Provider jceProvider = (Provider) jceObj;
// Add the JCE provider
Security.addProvider(jceProvider);
// Debug
if ( logger.isDebugEnabled())
logger.debug("Using JCE provider " + providerClass);
}
else
{
throw new AlfrescoRuntimeException("JCE provider class is not a valid Provider class:" + providerClass);
}
}
catch (ClassNotFoundException ex)
{
throw new AlfrescoRuntimeException("JCE provider class " + providerClass + " not found");
}
catch (Exception ex)
{
throw new AlfrescoRuntimeException("JCE provider class error", ex);
}
}
/**
* Set the authentication session timeout, in seconds
*
* @param sessTmo String
*/
public void setSessionTimeout(String sessTmo)
{
// Convert to an integer value and range check the timeout value
try
{
// Convert to an integer value
long sessTmoMilli = Long.parseLong(sessTmo) * 1000L;
if ( sessTmoMilli < MinimumSessionTimeout)
{
throw new AlfrescoRuntimeException("Authentication session timeout too low, " + sessTmo);
}
// Set the authentication session timeout value
m_passthruSessTmo = sessTmoMilli;
// Set the reaper thread wakeup interval
m_reaperThread.setWakeup( sessTmoMilli / 2);
}
catch(NumberFormatException ex)
{
throw new AlfrescoRuntimeException("Invalid authenication session timeout value");
}
}
/**
* Return the authentication session timeout, in milliseconds
*
* @return long
*/
private final long getSessionTimeout()
{
return m_passthruSessTmo;
}
/**
* Authenticate
*
* @param userName String
* @param password char[]
* @throws AuthenticationException
*/
protected void authenticateImpl(String userName, char[] password) throws AuthenticationException
{
// Debug
if ( logger.isDebugEnabled())
{
logger.debug("Authenticate user=" + userName + " via local credentials");
}
// Create a local authentication token
NTLMLocalToken authToken = new NTLMLocalToken(userName, new String(password));
// Authenticate using the token
authenticate( authToken);
}
/**
* Authenticate using a token
*
* @param auth Authentication
* @return Authentication
* @throws AuthenticationException
*/
public Authentication authenticate(Authentication auth) throws AuthenticationException
{
// DEBUG
if ( logger.isDebugEnabled())
{
logger.debug("Authenticate " + auth + " via token");
}
// Check if the token is for passthru authentication
if( auth instanceof NTLMPassthruToken)
{
// Access the NTLM passthru token
NTLMPassthruToken ntlmToken = (NTLMPassthruToken) auth;
// Authenticate using passthru
authenticatePassthru(ntlmToken);
}
// Check for a local authentication token
else if( auth instanceof NTLMLocalToken)
{
AuthenticateSession authSess = null;
try
{
// Access the NTLM token
NTLMLocalToken ntlmToken = (NTLMLocalToken) auth;
// Open a session to an authentication server
authSess = m_passthruServers.openSession();
// Check fi the passthru session is valid
if ( authSess == null)
{
// DEBUG
if ( logger.isDebugEnabled())
{
logger.debug( "Failed to open passthru session, or no valid passthru server available for " + ntlmToken);
}
throw new AuthenticationException("authentication.err.connection.passthru.server");
}
// Authenticate using the credentials supplied
authenticateLocal(ntlmToken, authSess);
}
finally
{
// Make sure the authentication session is closed
if ( authSess != null)
{
try
{
authSess.CloseSession();
}
catch ( Exception ex)
{
}
}
}
}
else
{
// Unsupported authentication token
throw new AuthenticationException("authentication.err.passthru.token.unsupported");
}
// Return the updated authentication token
return getCurrentAuthentication();
}
/**
* Get the enum that describes NTLM integration
*
* @return NTLMMode
*/
public NTLMMode getNTLMMode()
{
return NTLMMode.PASS_THROUGH;
}
/**
* Get the MD4 password hash, as required by NTLM based authentication methods.
*
* @param userName String
* @return String
*/
public String getMD4HashedPassword(String userName)
{
// Do not support MD4 hashed password
throw new AlfrescoRuntimeException("MD4 passwords not supported");
}
/**
* Authenticate a user using local credentials
*
* @param ntlmToken NTLMLocalToken
* @param authSess AuthenticateSession
* @throws org.alfresco.repo.security.authentication.AuthenticationException
*/
private void authenticateLocal(NTLMLocalToken ntlmToken, AuthenticateSession authSess)
{
try
{
// Get the plaintext password and generate an NTLM1 password hash
String username = (String) ntlmToken.getPrincipal();
String plainPwd = (String) ntlmToken.getCredentials();
byte[] ntlm1Pwd = m_encryptor.generateEncryptedPassword( plainPwd, authSess.getEncryptionKey(), PasswordEncryptor.NTLM1, null, null);
// Send the logon request to the authentication server
//
// Note: Only use the stronger NTLM hash, we do not send the LM hash
authSess.doSessionSetup(username, null, ntlm1Pwd);
// Check if the session has logged on as a guest
if ( authSess.isGuest() || username.equalsIgnoreCase("GUEST"))
{
// If guest access is enabled add a guest authority to the token
if ( allowsGuest())
{
// Set the guest authority
GrantedAuthority[] authorities = new GrantedAuthority[2];
authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
authorities[1] = new GrantedAuthorityImpl("ROLE_AUTHENTICATED");
ntlmToken.setAuthorities(authorities);
}
else
{
// Guest access not allowed
throw new AuthenticationException("authentication.err.passthru.guest.notenabled");
}
}
else
{
// Set authorities
GrantedAuthority[] authorities = new GrantedAuthority[1];
authorities[0] = new GrantedAuthorityImpl("ROLE_AUTHENTICATED");
ntlmToken.setAuthorities(authorities);
}
// Indicate that the token is authenticated
ntlmToken.setAuthenticated(true);
// Map the passthru username to an Alfresco person
clearCurrentSecurityContext();
setCurrentUser( username);
// Debug
if ( logger.isDebugEnabled())
{
logger.debug("Authenticated token=" + ntlmToken);
}
}
catch (NoSuchAlgorithmException ex)
{
// JCE provider does not have the required encryption/hashing algorithms
throw new AuthenticationException("JCE provider error", ex);
}
catch (InvalidKeyException ex)
{
// Problem creating key during encryption
throw new AuthenticationException("Invalid key error", ex);
}
catch (IOException ex)
{
// Error connecting to the authentication server
throw new AuthenticationException("I/O error", ex);
}
catch (SMBException ex)
{
// Check the returned status code to determine why the logon failed and throw an appropriate exception
if ( ex.getErrorClass() == SMBStatus.NTErr)
{
AuthenticationException authEx = null;
switch( ex.getErrorCode())
{
case SMBStatus.NTLogonFailure:
authEx = new AuthenticationException("Logon failure");
break;
case SMBStatus.NTAccountDisabled:
authEx = new AuthenticationException("authentication.err.passthru.user.disabled");
break;
default:
authEx = new AuthenticationException("Logon failure");
break;
}
throw authEx;
}
else
{
throw new AuthenticationException("Logon failure");
}
}
}
/**
* Authenticate using passthru authentication with a client
*
* @param ntlmToken NTLMPassthruToken
* @throws org.alfresco.repo.security.authentication.AuthenticationException
*/
private void authenticatePassthru(NTLMPassthruToken ntlmToken)
{
// Check if the token has an authentication session, if not then it is either a new token
// or the session has been timed out
AuthenticateSession authSess = m_passthruSessions.get(ntlmToken);
if ( authSess == null)
{
// Check if the token has a challenge, if it does then the associated session has been
// timed out
if ( ntlmToken.getChallenge() != null)
{
throw new AuthenticationException("Authentication session expired");
}
// Open an authentication session for the new token and add to the active session list
authSess = m_passthruServers.openSession( false, ntlmToken.getClientDomain());
// Check if the session was opened to the passthru server
if ( authSess == null)
{
throw new AuthenticationException("authentication.err.connection.passthru.server");
}
ntlmToken.setAuthenticationExpireTime(System.currentTimeMillis() + getSessionTimeout());
// Get the challenge from the initial session negotiate stage
ntlmToken.setChallenge(new NTLMChallenge(authSess.getEncryptionKey()));
StringBuilder details = new StringBuilder();
// Build a details string with the authentication session details
details.append(authSess.getDomain());
details.append("\\");
details.append(authSess.getPCShare().getNodeName());
details.append(",");
details.append(authSess.getSession().getProtocolName());
ntlmToken.setDetails(details.toString());
// Put the token/session into the active session list
m_passthruSessions.put(ntlmToken, authSess);
// Debug
if ( logger.isDebugEnabled())
logger.debug("Passthru stage 1 token " + ntlmToken);
}
else
{
try
{
// Stage two of the authentication, send the hashed password to the authentication server
byte[] lmPwd = null;
byte[] ntlmPwd = null;
if ( ntlmToken.getPasswordType() == PasswordEncryptor.LANMAN)
lmPwd = ntlmToken.getHashedPassword();
else if ( ntlmToken.getPasswordType() == PasswordEncryptor.NTLM1)
ntlmPwd = ntlmToken.getHashedPassword();
String username = (String) ntlmToken.getPrincipal();
authSess.doSessionSetup(username, lmPwd, ntlmPwd);
// Check if the session has logged on as a guest
if ( authSess.isGuest() || username.equalsIgnoreCase("GUEST"))
{
// If guest access is enabled add a guest authority to the token
if ( allowsGuest())
{
// Set the guest authority
GrantedAuthority[] authorities = new GrantedAuthority[1];
authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
ntlmToken.setAuthorities(authorities);
}
else
{
// Guest access not allowed
throw new AuthenticationException("authentication.err.passthru.guest.notenabled");
}
}
// Indicate that the token is authenticated
ntlmToken.setAuthenticated(true);
// Wrap the service calls in a transaction
RetryingTransactionHelper helper = getTransactionService().getRetryingTransactionHelper();
final String currentUser = username;
helper.doInTransaction(new RetryingTransactionCallback<Void>()
{
public Void execute() throws AuthenticationException
{
clearCurrentSecurityContext();
setCurrentUser(currentUser);
return null;
}
});
}
catch (NoSuchPersonException ex)
{
// Check if authenticated users are allowed on as guest when there is no Alfresco person record
if ( m_allowAuthUserAsGuest == true)
{
// Set the guest authority
GrantedAuthority[] authorities = new GrantedAuthority[1];
authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
ntlmToken.setAuthorities(authorities);
// DEBUG
if ( logger.isDebugEnabled())
{
logger.debug("Allow passthru authenticated user to logon as guest, user=" + ntlmToken.getName());
}
}
else
{
// Logon failure, no matching person record
throw new AuthenticationException("authentication.err.passthru.user.notfound", ex);
}
}
catch (IOException ex)
{
// Error connecting to the authentication server
throw new AuthenticationException("Unable to connect to the authentication server", ex);
}
catch (SMBException ex)
{
// Debug
if ( logger.isDebugEnabled())
{
logger.debug("Passthru exception, " + ex);
}
// Check the returned status code to determine why the logon failed and throw an appropriate exception
if ( ex.getErrorClass() == SMBStatus.NTErr)
{
AuthenticationException authEx = null;
switch( ex.getErrorCode())
{
case SMBStatus.NTLogonFailure:
authEx = new AuthenticationException("Logon failure");
break;
case SMBStatus.NTAccountDisabled:
authEx = new AuthenticationException("authentication.err.passthru.user.disabled");
break;
default:
authEx = new AuthenticationException("Logon failure");
break;
}
throw authEx;
}
else
{
throw new AuthenticationException("Logon failure");
}
}
finally
{
// Make sure the authentication session is closed
if ( authSess != null)
{
try
{
// Remove the session from the active list
m_passthruSessions.remove(ntlmToken);
// Close the session to the authentication server
authSess.CloseSession();
}
catch (Exception ex)
{
logger.debug("unable to close session", ex);
}
}
}
}
}
/**
* Check if the user exists
*
* @param userName String
* @return boolean
*/
public boolean exists(String userName)
{
throw new UnsupportedOperationException();
}
@Override
protected boolean implementationAllowsGuestLogin()
{
return allowsGuest();
}
}


@@ -1,771 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.ntlm;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.Hashtable;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.jlan.server.auth.PasswordEncryptor;
import org.alfresco.jlan.server.auth.passthru.AuthenticateSession;
import org.alfresco.jlan.server.auth.passthru.PassthruServers;
import org.alfresco.jlan.smb.SMBException;
import org.alfresco.jlan.smb.SMBStatus;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import net.sf.acegisecurity.*;
import net.sf.acegisecurity.providers.*;
/**
* NTLM Authentication Provider
*
* @author GKSpencer
*/
public class NTLMAuthenticationProvider implements AuthenticationProvider
{
private static final Log logger = LogFactory.getLog("org.alfresco.acegi");
// Constants
//
// Standard authorities
public static final String NTLMAuthorityGuest = "Guest";
public static final String NTLMAuthorityAdministrator = "Administrator";
// Active session timeout
private static final long DefaultSessionTimeout = 60000L; // 1 minute
private static final long MinimumSessionTimeout = 5000L; // 5 seconds
// Passthru authentication servers
private PassthruServers m_passthruServers;
// Password encryptor for generating password hash for local authentication
private PasswordEncryptor m_encryptor;
// Allow guest access
private boolean m_allowGuest;
// Table of currently active passthru authentications and the associated authentication session
//
// If the two authentication stages are not completed within a reasonable time the authentication
// session will be closed by the reaper thread.
private Hashtable<NTLMPassthruToken,AuthenticateSession> m_passthruSessions;
// Active authentication session timeout, in milliseconds
private long m_passthruSessTmo = DefaultSessionTimeout;
// Authentication session reaper thread
private PassthruReaperThread m_reaperThread;
/**
* Passthru Session Repear Thread
*/
class PassthruReaperThread extends Thread
{
// Thread shutdown request flag
private boolean m_ishutdown;
// Reaper wakeup interval, in milliseconds
private long m_wakeupInterval = m_passthruSessTmo / 2;
/**
* Default constructor
*/
PassthruReaperThread()
{
setDaemon(true);
setName("PassthruReaper");
start();
}
/**
* Set the wakeup interval
*
* @param wakeup long
*/
public final void setWakeup(long wakeup)
{
m_wakeupInterval = wakeup;
}
/**
* Main thread code
*/
public void run()
{
// Loop until shutdown
m_ishutdown = false;
while ( m_ishutdown == false)
{
// Sleep for a while
try
{
sleep( m_wakeupInterval);
}
catch ( InterruptedException ex)
{
}
// Check if there are any active sessions to check
if ( m_passthruSessions.size() > 0)
{
// Enumerate the active sessions
Enumeration<NTLMPassthruToken> tokenEnum = m_passthruSessions.keys();
long timeNow = System.currentTimeMillis();
while (tokenEnum.hasMoreElements())
{
// Get the current NTLM token and check if it has expired
NTLMPassthruToken ntlmToken = tokenEnum.nextElement();
if ( ntlmToken != null && ntlmToken.getAuthenticationExpireTime() < timeNow)
{
// Authentication token has expired, close the associated authentication session
AuthenticateSession authSess = m_passthruSessions.get(ntlmToken);
if ( authSess != null)
{
try
{
// Close the authentication session
authSess.CloseSession();
}
catch ( Exception ex)
{
// Debug
if(logger.isDebugEnabled())
logger.debug("Error closing expired authentication session", ex);
}
}
// Remove the expired token from the active list
m_passthruSessions.remove(ntlmToken);
// Debug
if(logger.isDebugEnabled())
logger.debug("Removed expired NTLM token " + ntlmToken);
}
}
}
}
// Debug
if(logger.isDebugEnabled())
logger.debug("Passthru reaper thread shutdown");
}
/**
* Shutdown the reaper thread
*/
public final void shutdownRequest()
{
m_ishutdown = true;
this.interrupt();
}
}
/**
* Class constructor
*/
public NTLMAuthenticationProvider() {
// Create the passthru authentication server list
m_passthruServers = new PassthruServers();
// Create the password encryptor for local password hashing
m_encryptor = new PasswordEncryptor();
// Create the active session list and reaper thread
m_passthruSessions = new Hashtable<NTLMPassthruToken,AuthenticateSession>();
m_reaperThread = new PassthruReaperThread();
}
/**
* Authenticate a user
*
* @param auth Authentication
* @return Authentication
* @exception AuthenticationException
*/
public Authentication authenticate(Authentication auth) throws AuthenticationException
{
// DEBUG
if ( logger.isDebugEnabled())
logger.debug("Authenticate " + auth);
// Check if the token is for passthru authentication
if( auth instanceof NTLMPassthruToken)
{
// Access the NTLM passthru token
NTLMPassthruToken ntlmToken = (NTLMPassthruToken) auth;
// Authenticate using passthru
authenticatePassthru(ntlmToken);
}
// Check for a local authentication token
else if( auth instanceof NTLMLocalToken)
{
AuthenticateSession authSess = null;
try
{
// Access the NTLM token
NTLMLocalToken ntlmToken = (NTLMLocalToken) auth;
// Open a session to an authentication server
authSess = m_passthruServers.openSession();
// Authenticate using the credentials supplied
authenticateLocal(ntlmToken, authSess);
}
finally
{
// Make sure the authentication session is closed
if ( authSess != null)
{
try
{
authSess.CloseSession();
}
catch ( Exception ex)
{
}
}
}
}
// Return the updated authentication token
return auth;
}
/**
* Determine if this provider supports the specified authentication token
*
* @param authentication Class
*/
public boolean supports(Class authentication)
{
// Check if the authentication is an NTLM authentication token
if ( NTLMPassthruToken.class.isAssignableFrom(authentication))
return true;
return NTLMLocalToken.class.isAssignableFrom(authentication);
}
/**
* Determine if guest logons are allowed
*
* @return boolean
*/
public final boolean allowsGuest()
{
return m_allowGuest;
}
/**
* Set the domain to authenticate against
*
* @param domain String
*/
public final void setDomain(String domain) {
// Check if the passthru server list is already configured
if ( m_passthruServers.getTotalServerCount() > 0)
throw new AlfrescoRuntimeException("Passthru server list already configured");
// Configure the passthru authentication server list using the domain controllers
try
{
m_passthruServers.setDomain(domain);
}
catch (IOException ex)
{
throw new AlfrescoRuntimeException("Failed to set passthru domain", ex);
}
}
/**
* Set the server(s) to authenticate against
*
* @param servers String
*/
public final void setServers(String servers) {
// Check if the passthru server list is already configured
if ( m_passthruServers.getTotalServerCount() > 0)
throw new AlfrescoRuntimeException("Passthru server list already configured");
// Configure the passthru authenticaiton list using a list of server names/addresses
m_passthruServers.setServerList(servers);
}
/**
* Use the local server as the authentication server
*
* @param useLocal String
*/
public final void setUseLocalServer(String useLocal)
{
// Check if the local server should be used for authentication
if ( Boolean.parseBoolean(useLocal) == true)
{
// Check if the passthru server list is already configured
if ( m_passthruServers.getTotalServerCount() > 0)
throw new AlfrescoRuntimeException("Passthru server list already configured");
try
{
// Get the list of local network addresses
InetAddress[] localAddrs = InetAddress.getAllByName(InetAddress.getLocalHost().getHostName());
// Build the list of local addresses
if ( localAddrs != null && localAddrs.length > 0)
{
StringBuilder addrStr = new StringBuilder();
for ( InetAddress curAddr : localAddrs)
{
if ( curAddr.isLoopbackAddress() == false)
{
addrStr.append(curAddr.getHostAddress());
addrStr.append(",");
}
}
if ( addrStr.length() > 0)
addrStr.setLength(addrStr.length() - 1);
// Set the server list using the local address list
m_passthruServers.setServerList(addrStr.toString());
}
else
throw new AlfrescoRuntimeException("No local server address(es)");
}
catch ( UnknownHostException ex)
{
throw new AlfrescoRuntimeException("Failed to get local address list");
}
}
}
/**
* Allow guest access
*
* @param guest String
*/
public final void setGuestAccess(String guest)
{
m_allowGuest = Boolean.parseBoolean(guest);
}
/**
* Set the JCE provider
*
* @param providerClass String
*/
public final void setJCEProvider(String providerClass)
{
// Set the JCE provider, required to provide various encryption/hashing algorithms not available
// in the standard Sun JDK/JRE
try
{
// Load the JCE provider class and validate
Object jceObj = Class.forName(providerClass).newInstance();
if (jceObj instanceof java.security.Provider)
{
// Inform listeners, validate the configuration change
Provider jceProvider = (Provider) jceObj;
// Add the JCE provider
Security.addProvider(jceProvider);
// Debug
if ( logger.isDebugEnabled())
logger.debug("Using JCE provider " + providerClass);
}
else
{
throw new AlfrescoRuntimeException("JCE provider class is not a valid Provider class");
}
}
catch (ClassNotFoundException ex)
{
throw new AlfrescoRuntimeException("JCE provider class " + providerClass + " not found");
}
catch (Exception ex)
{
throw new AlfrescoRuntimeException("JCE provider class error", ex);
}
}
/**
* Set the authentication session timeout, in seconds
*
* @param sessTmo String
*/
public final void setSessionTimeout(String sessTmo)
{
// Convert to an integer value and range check the timeout value
try
{
// Convert to an integer value
long sessTmoMilli = Long.parseLong(sessTmo) * 1000L;
if ( sessTmoMilli < MinimumSessionTimeout)
throw new AlfrescoRuntimeException("Authentication session timeout too low, " + sessTmo);
// Set the authentication session timeout value
m_passthruSessTmo = sessTmoMilli;
// Set the reaper thread wakeup interval
m_reaperThread.setWakeup( sessTmoMilli / 2);
}
catch(NumberFormatException ex)
{
throw new AlfrescoRuntimeException("Invalid authenication session timeout value");
}
}
/**
* Return the authentication session timeout, in milliseconds
*
* @return long
*/
private final long getSessionTimeout()
{
return m_passthruSessTmo;
}
/**
* Authenticate a user using local credentials
*
* @param ntlmToken NTLMLocalToken
* @param authSess AuthenticateSession
*/
private void authenticateLocal(NTLMLocalToken ntlmToken, AuthenticateSession authSess)
{
try
{
// Get the plaintext password and generate an NTLM1 password hash
String username = (String) ntlmToken.getPrincipal();
String plainPwd = (String) ntlmToken.getCredentials();
byte[] ntlm1Pwd = m_encryptor.generateEncryptedPassword( plainPwd, authSess.getEncryptionKey(), PasswordEncryptor.NTLM1, null, null);
// Send the logon request to the authentication server
//
// Note: Only use the stronger NTLM hash, we do not send the LM hash
authSess.doSessionSetup(username, null, ntlm1Pwd);
// Check if the session has logged on as a guest
if ( authSess.isGuest() || username.equalsIgnoreCase("GUEST"))
{
// If guest access is enabled add a guest authority to the token
if ( allowsGuest())
{
// Set the guest authority
GrantedAuthority[] authorities = new GrantedAuthority[1];
authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
ntlmToken.setAuthorities(authorities);
}
else
{
// Guest access not allowed
throw new BadCredentialsException("Guest logons disabled");
}
}
// Indicate that the token is authenticated
ntlmToken.setAuthenticated(true);
}
catch (NoSuchAlgorithmException ex)
{
// JCE provider does not have the required encryption/hashing algorithms
throw new AuthenticationServiceException("JCE provider error", ex);
}
catch (InvalidKeyException ex)
{
// Problem creating key during encryption
throw new AuthenticationServiceException("Invalid key error", ex);
}
catch (IOException ex)
{
// Error connecting to the authentication server
throw new AuthenticationServiceException("I/O error", ex);
}
catch (SMBException ex)
{
// Check the returned status code to determine why the logon failed and throw an appropriate exception
if ( ex.getErrorClass() == SMBStatus.NTErr)
{
AuthenticationException authEx = null;
switch( ex.getErrorCode())
{
case SMBStatus.NTLogonFailure:
authEx = new BadCredentialsException("Logon failure");
break;
case SMBStatus.NTAccountDisabled:
authEx = new DisabledException("Account disabled");
break;
default:
authEx = new BadCredentialsException("Logon failure");
break;
}
throw authEx;
}
else
throw new BadCredentialsException("Logon failure");
}
}
/**
* Authenticate using passthru authentication with a client
*
* @param ntlmToken NTLMPassthruToken
*/
private void authenticatePassthru(NTLMPassthruToken ntlmToken)
{
// Check if the token has an authentication session, if not then it is either a new token
// or the session has been timed out
AuthenticateSession authSess = m_passthruSessions.get(ntlmToken);
if ( authSess == null)
{
// Check if the token has a challenge, if it does then the associated session has been
// timed out
if ( ntlmToken.getChallenge() != null)
throw new CredentialsExpiredException("Authentication session expired");
// Open an authentication session for the new token and add to the active session list
authSess = m_passthruServers.openSession();
ntlmToken.setAuthenticationExpireTime(System.currentTimeMillis() + getSessionTimeout());
// Get the challenge from the initial session negotiate stage
ntlmToken.setChallenge(new NTLMChallenge(authSess.getEncryptionKey()));
StringBuilder details = new StringBuilder();
// Build a details string with the authentication session details
details.append(authSess.getDomain());
details.append("\\");
details.append(authSess.getPCShare().getNodeName());
details.append(",");
details.append(authSess.getSession().getProtocolName());
ntlmToken.setDetails(details.toString());
// Put the token/session into the active session list
m_passthruSessions.put(ntlmToken, authSess);
// Debug
if ( logger.isDebugEnabled())
logger.debug("Passthru stage 1 token " + ntlmToken);
}
else
{
try
{
// Stage two of the authentication, send the hashed password to the authentication server
byte[] lmPwd = null;
byte[] ntlmPwd = null;
if ( ntlmToken.getPasswordType() == PasswordEncryptor.LANMAN)
lmPwd = ntlmToken.getHashedPassword();
else if ( ntlmToken.getPasswordType() == PasswordEncryptor.NTLM1)
ntlmPwd = ntlmToken.getHashedPassword();
String username = (String) ntlmToken.getPrincipal();
authSess.doSessionSetup(username, lmPwd, ntlmPwd);
// Check if the session has logged on as a guest
if ( authSess.isGuest() || username.equalsIgnoreCase("GUEST"))
{
// If guest access is enabled add a guest authority to the token
if ( allowsGuest())
{
// Set the guest authority
GrantedAuthority[] authorities = new GrantedAuthority[1];
authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
ntlmToken.setAuthorities(authorities);
}
else
{
// Guest access not allowed
throw new BadCredentialsException("Guest logons disabled");
}
}
// Indicate that the token is authenticated
ntlmToken.setAuthenticated(true);
}
catch (IOException ex)
{
// Error connecting to the authentication server
throw new AuthenticationServiceException("I/O error", ex);
}
catch (SMBException ex)
{
// Check the returned status code to determine why the logon failed and throw an appropriate exception
if ( ex.getErrorClass() == SMBStatus.NTErr)
{
AuthenticationException authEx = null;
switch( ex.getErrorCode())
{
case SMBStatus.NTLogonFailure:
authEx = new BadCredentialsException("Logon failure");
break;
case SMBStatus.NTAccountDisabled:
authEx = new DisabledException("Account disabled");
break;
default:
authEx = new BadCredentialsException("Logon failure");
break;
}
throw authEx;
}
else
throw new BadCredentialsException("Logon failure");
}
finally
{
// Make sure the authentication session is closed
if ( authSess != null)
{
try
{
// Remove the session from the active list
m_passthruSessions.remove(ntlmToken);
// Close the session to the authentication server
authSess.CloseSession();
}
catch (Exception ex)
{
}
}
}
}
}
}


@@ -1,115 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.ntlm;
import org.alfresco.jlan.util.HexDump;
/**
* Contains the NTLM challenge bytes.
*
* @author GKSpencer
*/
public class NTLMChallenge
{
// Challenge bytes
private byte[] m_challenge;
/**
* Class constructor
*
* @param chbyts byte[]
*/
protected NTLMChallenge(byte[] chbyts)
{
m_challenge = chbyts;
}
/**
* Return the challenge bytes
*
* @return byte[]
*/
public final byte[] getBytes()
{
return m_challenge;
}
/**
* Check for object equality
*
* @param obj Object
* @return boolean
*/
public boolean equals(Object obj)
{
if ( obj instanceof NTLMChallenge)
{
NTLMChallenge ntlmCh = (NTLMChallenge) obj;
// Check if both challenges are null
if ( getBytes() == null && ntlmCh.getBytes() == null)
return true;
// Check if both challenges are the same length
if ( getBytes() != null && ntlmCh.getBytes() != null &&
getBytes().length == ntlmCh.getBytes().length)
{
// Check if challenages are the same value
byte[] ntlmBytes = ntlmCh.getBytes();
for ( int i = 0; i < m_challenge.length; i++)
if ( m_challenge[i] != ntlmBytes[i])
return false;
}
else
return false;
}
// Not the same type
return false;
}
/**
* Return the challenge as a string
*
* @return String
*/
public String toString()
{
StringBuilder str = new StringBuilder();
str.append("[");
str.append(HexDump.hexString(getBytes(), " "));
str.append("]");
return str.toString();
}
}


@@ -1,180 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.ntlm;
import java.net.InetAddress;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.providers.*;
/**
* <p>Used to provide authentication with a remote Windows server when the username and password are
* provided locally.
*
* @author GKSpencer
*/
public class NTLMLocalToken extends UsernamePasswordAuthenticationToken
{
private static final long serialVersionUID = -7946514578455279387L;
// Optional client domain and IP address, used to route the passthru authentication to the correct server(s)
private String m_clientDomain;
private String m_clientAddr;
/**
* Class constructor
*/
protected NTLMLocalToken()
{
super(null, null);
}
/**
* Class constructor
*
* @param ipAddr InetAddress
*/
protected NTLMLocalToken( InetAddress ipAddr)
{
if ( ipAddr != null)
m_clientAddr = ipAddr.getHostAddress();
}
/**
* Class constructor
*
* @param username String
* @param plainPwd String
*/
public NTLMLocalToken(String username, String plainPwd) {
super(username.toLowerCase(), plainPwd);
}
/**
* Class constructor
*
* @param username String
* @param plainPwd String
* @param domain String
* @param ipAddr String
*/
public NTLMLocalToken(String username, String plainPwd, String domain, String ipAddr) {
super(username != null ? username.toLowerCase() : "", plainPwd);
m_clientDomain = domain;
m_clientAddr = ipAddr;
}
/**
* Check if the user logged on as a guest
*
* @return boolean
*/
public final boolean isGuestLogon()
{
return hasAuthority(NTLMAuthenticationProvider.NTLMAuthorityGuest);
}
/**
* Check if the user is an administrator
*
* @return boolean
*/
public final boolean isAdministrator()
{
return hasAuthority(NTLMAuthenticationProvider.NTLMAuthorityAdministrator);
}
/**
* Search for the specified authority
*
* @param authority String
* @return boolean
*/
public final boolean hasAuthority(String authority)
{
boolean found = false;
GrantedAuthority[] authorities = getAuthorities();
if ( authorities != null && authorities.length > 0)
{
// Search for the specified authority
int i = 0;
while ( found == false && i < authorities.length)
{
if ( authorities[i++].getAuthority().equals(authority))
found = true;
}
}
// Return the status
return found;
}
/**
* Check if the client domain name is set
*
* @return boolean
*/
public final boolean hasClientDomain()
{
return m_clientDomain != null ? true : false;
}
/**
* Return the client domain
*
* @return String
*/
public final String getClientDomain()
{
return m_clientDomain;
}
/**
* Check if the client IP address is set
*
* @return boolean
*/
public final boolean hasClientAddress()
{
return m_clientAddr != null ? true : false;
}
/**
* Return the client IP address
*
* @return String
*/
public final String getClientAddress()
{
return m_clientAddr;
}
}


@@ -1,184 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.ntlm;
import java.net.InetAddress;
/**
* <p>Used to provide passthru authentication to a remote Windows server using multiple stages that
* allows authentication details to be passed between a client and the remote authenticating server without
* the password being known by the authentication provider.
*
* @author GKSpencer
*/
public class NTLMPassthruToken extends NTLMLocalToken
{
private static final long serialVersionUID = -4635444888514735368L;
// Challenge for this session
private NTLMChallenge m_challenge;
// User name, hashed password and algorithm type
private String m_username;
private byte[] m_hashedPassword;
private int m_hashType;
// Time that the authentication session will expire
private long m_authExpiresAt;
/**
* Class constructor
*/
public NTLMPassthruToken()
{
// We do not know the username yet, and will not know the password
super("", "");
}
/**
* Class constructor
*
* @param domain String
*/
public NTLMPassthruToken( String domain)
{
// We do not know the username yet, and will not know the password
super("", "", domain, null);
}
/**
* Class constructor
*
* @param ipAddr InetAddress
*/
public NTLMPassthruToken( InetAddress ipAddr)
{
super( ipAddr);
}
/**
* Return the challenge
*
* @return NTLMChallenge
*/
public final NTLMChallenge getChallenge()
{
return m_challenge;
}
/**
* Return the user account
*
* @return Object
*/
public final Object getPrincipal()
{
return m_username;
}
/**
* Return the hashed password
*
* @return byte[]
*/
public final byte[] getHashedPassword()
{
return m_hashedPassword;
}
/**
* Return the hashed password type
*
* @return int
*/
public final int getPasswordType()
{
return m_hashType;
}
/**
* Return the authentication expiry time, this will be zero if the authentication session has not yet
* been opened to the server
*
* @return long
*/
public final long getAuthenticationExpireTime()
{
return m_authExpiresAt;
}
/**
* Set the hashed password and type
*
* @param hashedPassword byte[]
* @param hashType int
*/
public final void setUserAndPassword(String username, byte[] hashedPassword, int hashType)
{
m_username = username.toLowerCase();
m_hashedPassword = hashedPassword;
m_hashType = hashType;
}
/**
* Set the challenge for this token
*
* @param challenge NTLMChallenge
*/
protected final void setChallenge(NTLMChallenge challenge)
{
m_challenge = challenge;
}
/**
* Set the authentication expire time, this indicates that an authentication session is associated with this
* token and the session will be closed if the authentication is not completed by this time.
*
* @param expireTime long
*/
protected final void setAuthenticationExpireTime(long expireTime)
{
m_authExpiresAt = expireTime;
}
/**
* Check for object equality
*
* @param obj Object
* @return boolean
*/
public boolean equals(Object obj)
{
// Only match on the same object
return this == obj;
}
}


@@ -1,264 +0,0 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.ntlm;
import java.util.Date;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.MutableAuthenticationDao;
import org.alfresco.service.cmr.repository.NodeService;
import org.springframework.dao.DataAccessException;
/**
* Null Mutable Authentication Dao Class
*
* <p>Mutable authentication implementation that does nothing.
*
* @author GKSpencer
*/
public class NullMutableAuthenticationDao implements MutableAuthenticationDao
{
/**
* @param nodeService ignored
*/
public void setNodeService(NodeService nodeService)
{
// do nothing
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void createUser(String userName, char[] rawPassword) throws AuthenticationException
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void createUser(String caseSensitiveUserName, String hashedpassword, char[] rawPassword) throws AuthenticationException
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void updateUser(String userName, char[] rawPassword) throws AuthenticationException
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void deleteUser(String userName) throws AuthenticationException
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* Check is a user exists.
*
* @return <tt>true</tt> always
*/
@Override
public boolean userExists(String userName)
{
return true;
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void setEnabled(String userName, boolean enabled)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public boolean getEnabled(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void setAccountExpires(String userName, boolean expires)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public boolean getAccountExpires(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public boolean getAccountHasExpired(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void setCredentialsExpire(String userName, boolean expires)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public boolean getCredentialsExpire(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public boolean getCredentialsHaveExpired(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void setLocked(String userName, boolean locked)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public boolean getLocked(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public boolean getAccountlocked(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void setAccountExpiryDate(String userName, Date exipryDate)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public Date getAccountExpiryDate(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public void setCredentialsExpiryDate(String userName, Date exipryDate)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public Date getCredentialsExpiryDate(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public String getMD4HashedPassword(String userName)
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public UserDetails loadUserByUsername(String arg0) throws UsernameNotFoundException, DataAccessException
{
throw new AlfrescoRuntimeException("Not implemented");
}
/**
* @throws AlfrescoRuntimeException Not implemented
*/
@Override
public Object getSalt(UserDetails user)
{
throw new AlfrescoRuntimeException("Not implemented");
}
}


@@ -1,28 +1,28 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authentication.subsystems;
@@ -80,7 +80,7 @@ public class SubsystemChainingFtpAuthenticator extends AbstractChainingFtpAuthen
{
continue;
}
// Only add active authenticators. E.g. we might have an passthru FTP authenticator that is disabled.
// Only add active authenticators. E.g. we might have a FTP authenticator that is disabled.
if (!(authenticator instanceof ActivateableBean)
|| ((ActivateableBean) authenticator).isActive())
{
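Review bot: The reworded comment above the `instanceof ActivateableBean` check no longer says which authenticators are skipped, and "a FTP" should read "an FTP". With the passthru example removed, "we might have a FTP authenticator that is disabled" only restates the condition. I would write `// Only add active authenticators: one that implements ActivateableBean and reports isActive() == false is skipped; any other type is treated as active.` so the default-to-active handling of authenticators that do not implement `ActivateableBean` is stated where the chain is assembled. The enclosing method starts and ends outside this hunk, so what the following block does with an accepted authenticator is presumed rather than visible.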


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=LDAP User {0} not found
authentication.err.connection.ldap.manager.notfound=LDAP Manager User {0} not found
authentication.err.connection.ldap.search=Unable to search LDAP. Reason {0}
# PASSTHRU
authentication.err.connection.passthru.server=Failed to open session to passthru server
authentication.err.passthru.token.unsupported=Unsupported authentication token type
authentication.err.passthru.guest.notenabled=Guest logons disabled
authentication.err.passthru.user.disabled=Account disabled
authentication.err.passthru.user.notfound=Passthru user {0} not found
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validation of request
authentication.step.ldap.connecting=Connecting to LDAP Server {0}


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=LDAP-Benutzer {0} nicht gefunde
authentication.err.connection.ldap.manager.notfound=LDAP Manager-Benutzer {0} nicht gefunden
authentication.err.connection.ldap.search=LDAP kann nicht durchsucht werden. Grund: {0}
# PASSTHRU
authentication.err.connection.passthru.server=Sitzung mit Passthru-Server konnte nicht ge\u00f6ffnet werden
authentication.err.passthru.token.unsupported=Nicht unterst\u00fctzter Authentifizierungs-Token
authentication.err.passthru.guest.notenabled=G\u00e4ste-Anmeldungen deaktiviert
authentication.err.passthru.user.disabled=Konto deaktiviert
authentication.err.passthru.user.notfound=Passthru-Benutzer {0} nicht gefunden
# Authentication Diagnostic Steps
authentication.step.ldap.validation=\u00dcberpr\u00fcfung der Anfrage
authentication.step.ldap.connecting=Verbindungsaufbau zum LDAP-Server {0}


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=No se encontr\u00f3 el usuario
authentication.err.connection.ldap.manager.notfound=No se encontr\u00f3 el usuario administrador LDAP {0}
authentication.err.connection.ldap.search=No se pudo buscar LDAP. Raz\u00f3n {0}
# PASSTHRU
authentication.err.connection.passthru.server=No se pudo abrir una sesi\u00f3n en el servidor passthru
authentication.err.passthru.token.unsupported=Tipo de token de autenticaci\u00f3n no compatible
authentication.err.passthru.guest.notenabled=Inicios de sesi\u00f3n como invitado deshabilitados
authentication.err.passthru.user.disabled=Cuenta deshabilitada
authentication.err.passthru.user.notfound=No se encontr\u00f3 el usuario passthru {0}
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validaci\u00f3n de solicitud
authentication.step.ldap.connecting=Conectando al servidor LDAP {0}


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=Utilisateur LDAP {0} introuvabl
authentication.err.connection.ldap.manager.notfound=Utilisateur gestionnaire LDAP {0} introuvable
authentication.err.connection.ldap.search=Impossible de rechercher dans LDAP. Raison {0}
# PASSTHRU
authentication.err.connection.passthru.server=Impossible d'ouvrir une session sur le serveur interm\u00e9diaire
authentication.err.passthru.token.unsupported=Type de jeton d'authentification non pris en charge
authentication.err.passthru.guest.notenabled=Connexions invit\u00e9s d\u00e9sactiv\u00e9es
authentication.err.passthru.user.disabled=Compte d\u00e9sactiv\u00e9
authentication.err.passthru.user.notfound=Utilisateur interm\u00e9diaire {0} introuvable
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validation de requ\u00eate
authentication.step.ldap.connecting=Connexion au serveur LDAP {0}


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=Utente LDAP {0} non trovato
authentication.err.connection.ldap.manager.notfound=Utente manager LDAP {0} non trovato
authentication.err.connection.ldap.search=Impossibile cercare in LDAP. Motivo {0}
# PASSTHRU
authentication.err.connection.passthru.server=Impossibile aprire una sessione con il server passthru
authentication.err.passthru.token.unsupported=Tipo di token di autenticazione non supportato
authentication.err.passthru.guest.notenabled=Login ospiti disabilitati
authentication.err.passthru.user.disabled=Account disabilitato
authentication.err.passthru.user.notfound=Utente Passthru {0} non trovato
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Convalida della richiesta
authentication.step.ldap.connecting=Connessione al server LDAP {0} in corso


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=LDAP \u30e6\u30fc\u30b6\u30fc {
authentication.err.connection.ldap.manager.notfound=LDAP \u30de\u30cd\u30fc\u30b8\u30e3\u30e6\u30fc\u30b6\u30fc {0} \u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093
authentication.err.connection.ldap.search=LDAP \u3092\u691c\u7d22\u3067\u304d\u307e\u305b\u3093\u3002 \u7406\u7531\uff1a {0}
# PASSTHRU
authentication.err.connection.passthru.server=\u30d1\u30b9\u30b9\u30eb\u30fc\u30b5\u30fc\u30d0\u30fc\u3078\u306e\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u958b\u3051\u307e\u305b\u3093\u3067\u3057\u305f
authentication.err.passthru.token.unsupported=\u30b5\u30dd\u30fc\u30c8\u3055\u308c\u3066\u3044\u306a\u3044\u8a8d\u8a3c\u30c8\u30fc\u30af\u30f3\u30bf\u30a4\u30d7\u3067\u3059
authentication.err.passthru.guest.notenabled=\u30b2\u30b9\u30c8\u30ed\u30b0\u30a4\u30f3\u304c\u7121\u52b9\u3067\u3059
authentication.err.passthru.user.disabled=\u30a2\u30ab\u30a6\u30f3\u30c8\u304c\u7121\u52b9\u3067\u3059
authentication.err.passthru.user.notfound=\u30d1\u30b9\u30b9\u30eb\u30fc\u30e6\u30fc\u30b6\u30fc {0} \u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093
# Authentication Diagnostic Steps
authentication.step.ldap.validation=\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u691c\u8a3c
authentication.step.ldap.connecting=LDAP \u30b5\u30fc\u30d0\u30fc {0} \u306b\u63a5\u7d9a\u3057\u3066\u3044\u307e\u3059


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=Finner ikke LDAP-brukeren {0}
authentication.err.connection.ldap.manager.notfound=Finner ikke LDAP-administratorbrukeren {0}
authentication.err.connection.ldap.search=Kan ikke s\u00f8ke i LDAP. \u00c5rsak {0}
# PASSTHRU
authentication.err.connection.passthru.server=Kan ikke \u00e5pne \u00f8kt til gjennomgangsserver
authentication.err.passthru.token.unsupported=Tokentype for godkjenning st\u00f8ttes ikke
authentication.err.passthru.guest.notenabled=Gjestep\u00e5logginger er deaktivert
authentication.err.passthru.user.disabled=Konto er deaktivert
authentication.err.passthru.user.notfound=Finner ikke gjennomgangsbrukeren {0}
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validering av foresp\u00f8rsel
authentication.step.ldap.connecting=Koble til LDAP-server {0}


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=LDAP-gebruiker {0} niet gevonde
authentication.err.connection.ldap.manager.notfound=LDAP-beheerdergebruiker {0} niet gevonden
authentication.err.connection.ldap.search=Kan niet zoeken naar LDAP. Reden {0}
# PASSTHRU
authentication.err.connection.passthru.server=Kan sessie met Passthru-server niet openen
authentication.err.passthru.token.unsupported=Niet-ondersteund type verificatietoken
authentication.err.passthru.guest.notenabled=Gastaanmeldingen uitgeschakeld
authentication.err.passthru.user.disabled=Account uitgeschakeld
authentication.err.passthru.user.notfound=Passthru-gebruiker {0} niet gevonden
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validatie van aanvraag
authentication.step.ldap.connecting=Verbinding maken LDAP-server {0}


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=Usu\u00e1rio LDAP {0} n\u00e3o
authentication.err.connection.ldap.manager.notfound=Usu\u00e1rio do gerenciador LDAP {0} n\u00e3o encontrado
authentication.err.connection.ldap.search=N\u00e3o \u00e9 poss\u00edvel pesquisar o LDAP. Raz\u00e3o {0}
# PASSTHRU
authentication.err.connection.passthru.server=Falha ao abrir a sess\u00e3o para o servidor de passagem
authentication.err.passthru.token.unsupported=Tipo de token de autentica\u00e7\u00e3o n\u00e3o suportado
authentication.err.passthru.guest.notenabled=Logons de convidado desativados
authentication.err.passthru.user.disabled=Conta desativada
authentication.err.passthru.user.notfound=Usu\u00e1rio de passagem {0} n\u00e3o encontrado
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Valida\u00e7\u00e3o de solicita\u00e7\u00e3o
authentication.step.ldap.connecting=Conectando-se ao servidor LDAP {0}


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=\u041f\u043e\u043b\u044c\u0437\
authentication.err.connection.ldap.manager.notfound=\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0434\u0438\u0441\u043f\u0435\u0442\u0447\u0435\u0440\u0430 LDAP {0} \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d
authentication.err.connection.ldap.search=\u041d\u0435 \u0443\u0434\u0430\u0435\u0442\u0441\u044f \u043d\u0430\u0439\u0442\u0438 LDAP. \u041f\u0440\u0438\u0447\u0438\u043d\u0430: {0}
# PASSTHRU
authentication.err.connection.passthru.server=\u041d\u0435 \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u043e\u0442\u043a\u0440\u044b\u0442\u044c \u0441\u0435\u0430\u043d\u0441 \u0441\u0432\u044f\u0437\u0438 \u0441 \u043f\u0440\u043e\u043c\u0435\u0436\u0443\u0442\u043e\u0447\u043d\u044b\u043c \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c
authentication.err.passthru.token.unsupported=\u041d\u0435\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0435\u043c\u044b\u0439 \u0442\u0438\u043f \u043c\u0430\u0440\u043a\u0435\u0440\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438
authentication.err.passthru.guest.notenabled=\u0412\u0445\u043e\u0434\u044b \u0433\u043e\u0441\u0442\u044f \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u044b
authentication.err.passthru.user.disabled=\u0423\u0447\u0435\u0442\u043d\u0430\u044f \u0437\u0430\u043f\u0438\u0441\u044c \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0430
authentication.err.passthru.user.notfound=\u041f\u0440\u043e\u043c\u0435\u0436\u0443\u0442\u043e\u0447\u043d\u044b\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c {0} \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d
# Authentication Diagnostic Steps
authentication.step.ldap.validation=\u041f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0437\u0430\u043f\u0440\u043e\u0441\u0430
authentication.step.ldap.connecting=\u041f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 \u043a \u0441\u0435\u0440\u0432\u0435\u0440\u0443 LDAP {0}


@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=\u672a\u627e\u5230 LDAP \u7528\
authentication.err.connection.ldap.manager.notfound=\u672a\u627e\u5230 LDAP \u7ba1\u7406\u5668\u7528\u6237 {0}
authentication.err.connection.ldap.search=\u65e0\u6cd5\u641c\u7d22 LDAP\u3002 \u539f\u56e0 {0}
# PASSTHRU
authentication.err.connection.passthru.server=\u6253\u5f00 passthru \u670d\u52a1\u5668\u4f1a\u8bdd\u5931\u8d25
authentication.err.passthru.token.unsupported=\u8eab\u4efd\u9a8c\u8bc1\u4ee4\u724c\u7c7b\u578b\u4e0d\u53d7\u652f\u6301
authentication.err.passthru.guest.notenabled=\u5df2\u7981\u7528\u8bbf\u5ba2\u767b\u5f55
authentication.err.passthru.user.disabled=\u5df2\u7981\u7528\u5e10\u6237
authentication.err.passthru.user.notfound=\u672a\u627e\u5230 Passthru \u7528\u6237 {0}
# Authentication Diagnostic Steps
authentication.step.ldap.validation=\u8bf7\u6c42\u9a8c\u8bc1
authentication.step.ldap.connecting=\u6b63\u5728\u8fde\u63a5\u5230 LDAP \u670d\u52a1\u5668 {0}


@@ -63,7 +63,6 @@
<property name="proxyInterfaces">
<list>
<value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
<value>org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator</value>
</list>
</property>
<property name="transactionManager">


@@ -1,13 +0,0 @@
passthru.authentication.useLocalServer=false
passthru.authentication.domain=DOMAIN
passthru.authentication.servers=
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NetBIOS
passthru.authentication.authenticateFTP=true
passthru.authentication.sessionCleanup=true
passthru.authentication.broadcastMask=


@@ -1,125 +0,0 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<!-- The passthru servers -->
<!-- Properties that specify the server(s) to use for passthru -->
<!-- authentication :- -->
<!-- useLocalServer use the local server for authentication -->
<!-- domain use domain controllers from the specified domain-->
<!-- servers comma delimted list of server addresses or -->
<!-- names -->
<bean id="passthruServers" class="org.alfresco.filesys.auth.PassthruServerFactory">
<property name="localServer">
<value>${passthru.authentication.useLocalServer}</value>
</property>
<property name="server">
<value>${passthru.authentication.servers}</value>
</property>
<property name="domain">
<value>${passthru.authentication.domain}</value>
</property>
<!-- Timeout value when opening a session to an authentication server, in milliseconds -->
<property name="timeout">
<value>${passthru.authentication.connectTimeout}</value>
</property>
<!-- Offline server check interval in seconds -->
<property name="offlineCheckInterval">
<value>${passthru.authentication.offlineCheckInterval}</value>
</property>
<property name="protocolOrder">
<value>${passthru.authentication.protocolOrder}</value>
</property>
<property name="nullDomainUseAnyServer">
<value>true</value>
</property>
<property name="broadcastMask">
<value>${passthru.authentication.broadcastMask}</value>
</property>
</bean>
<!-- The authentication component. -->
<!-- Use the passthru authentication component to authenticate using -->
<!-- user accounts on one or more Windows servers. -->
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl"
parent="authenticationComponentBase">
<property name="passthruServers">
<ref bean="passthruServers" />
</property>
<property name="personService">
<ref bean="personService" />
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="transactionService">
<ref bean="transactionComponent" />
</property>
<property name="guestAccess">
<value>${passthru.authentication.guestAccess}</value>
</property>
<property name="defaultAdministratorUserNameList">
<value>${passthru.authentication.defaultAdministratorUserNames}</value>
</property>
</bean>
<!-- Wrapped version to be used within subsystem -->
<bean id="AuthenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="proxyInterfaces">
<list>
<value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
<value>org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator</value>
</list>
</property>
<property name="transactionManager">
<ref bean="transactionManager" />
</property>
<property name="target">
<ref bean="authenticationComponent" />
</property>
<property name="transactionAttributes">
<props>
<prop key="*">${server.transaction.mode.default}</prop>
</props>
</property>
</bean>
<!-- Authenticaton service for chaining -->
<bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
<property name="ticketComponent">
<ref bean="ticketComponent" />
</property>
<property name="authenticationComponent">
<ref bean="authenticationComponent" />
</property>
<property name="sysAdminParams">
<ref bean="sysAdminParams" />
</property>
<property name="protectedUsersCache">
<ref bean="protectedUsersCache" />
</property>
<property name="protectionEnabled">
<value>${authentication.protection.enabled}</value>
</property>
<property name="protectionLimit">
<value>${authentication.protection.limit}</value>
</property>
<property name="protectionPeriodSeconds">
<value>${authentication.protection.periodSeconds}</value>
</property>
</bean>
<!-- FTP authentication -->
<bean id="ftpAuthenticator" class="org.alfresco.filesys.auth.ftp.PassthruFtpAuthenticator" parent="ftpAuthenticatorBase">
<property name="active">
<value>${passthru.authentication.authenticateFTP}</value>
</property>
<property name="passthruServers">
<ref bean="passthruServers" />
</property>
</bean>
</beans>


@@ -123,10 +123,6 @@ log4j.logger.org.alfresco.ftp.protocol=error
#log4j.logger.org.alfresco.webdav.protocol=debug
log4j.logger.org.alfresco.webdav.protocol=info
# NTLM servlet filters
#log4j.logger.org.alfresco.web.app.servlet.NTLMAuthenticationFilter=debug
#log4j.logger.org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter=debug
# Kerberos servlet filters
#log4j.logger.org.alfresco.web.app.servlet.KerberosAuthenticationFilter=debug
#log4j.logger.org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter=debug