(
- this.authenticationComponents == null ? 1 : this.authenticationComponents.size() + 1);
- services.add(this.mutableAuthenticationComponent);
- if (this.authenticationComponents != null)
- {
- services.addAll(this.authenticationComponents);
- }
- return services;
- }
- }
-
- @Override
- protected AuthenticationComponent getAuthenticationComponent(String name)
- {
- // not implemented
- return null;
- }
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/NTLMMode.java b/src/main/java/org/alfresco/repo/security/authentication/NTLMMode.java
deleted file mode 100644
index e3f451ba83..0000000000
--- a/src/main/java/org/alfresco/repo/security/authentication/NTLMMode.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication;
-
-public enum NTLMMode
-{
- PASS_THROUGH, MD4_PROVIDER, NONE
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/SimpleAcceptOrRejectAllAuthenticationComponentImpl.java b/src/main/java/org/alfresco/repo/security/authentication/SimpleAcceptOrRejectAllAuthenticationComponentImpl.java
index a4ae4e7d29..eb19aea8ec 100644
--- a/src/main/java/org/alfresco/repo/security/authentication/SimpleAcceptOrRejectAllAuthenticationComponentImpl.java
+++ b/src/main/java/org/alfresco/repo/security/authentication/SimpleAcceptOrRejectAllAuthenticationComponentImpl.java
@@ -27,7 +27,6 @@ package org.alfresco.repo.security.authentication;
import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;
import org.alfresco.error.AlfrescoRuntimeException;
-import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.UserDetails;
@@ -47,10 +46,9 @@ import net.sf.acegisecurity.providers.dao.AuthenticationDao;
*
* @author Andy Hind
*/
-public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends AbstractAuthenticationComponent implements NLTMAuthenticator
+public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends AbstractAuthenticationComponent
{
private boolean accept = false;
- private boolean supportNtlm = false;
private AuthenticationDao authenticationDao;
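Review bot: Dropping `implements NLTMAuthenticator` from the class declaration leaves the interface's other two methods unaccounted for. The hunks in this file remove only `getNTLMMode()` and `setSupportNtlm(boolean)`, so if the class defines `authenticate(Authentication)` and `getMD4HashedPassword(String)` itself, both stay behind as public methods with no interface behind them; most of the class body is outside these hunks, so this is inferred. A leftover MD4-hash accessor on an accept-or-reject-all component is better deleted in this commit than kept as dead code, and any `@Override` on those methods would stop compiling unless a superclass also declares them. Separately, if this component is wired as a Spring bean, any bean definition that still sets `supportNtlm` will fail at context start-up now that the setter is gone, so the bean XML and property files should be checked for that name.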
@@ -69,11 +67,6 @@ public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends Abstract
this.accept = accept;
}
- public void setSupportNtlm(boolean supportNtlm)
- {
- this.supportNtlm = supportNtlm;
- }
-
public void authenticateImpl(String userName, char[] password) throws AuthenticationException
{
if(accept)
@@ -105,11 +98,6 @@ public class SimpleAcceptOrRejectAllAuthenticationComponentImpl extends Abstract
}
}
- public NTLMMode getNTLMMode()
- {
- return supportNtlm ? NTLMMode.MD4_PROVIDER : NTLMMode.NONE;
- }
-
/**
* The default is not to support Authentication token base authentication
*/
diff --git a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NLTMAuthenticator.java b/src/main/java/org/alfresco/repo/security/authentication/ntlm/NLTMAuthenticator.java
deleted file mode 100644
index 56594b0ef8..0000000000
--- a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NLTMAuthenticator.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.ntlm;
-
-import net.sf.acegisecurity.Authentication;
-
-import org.alfresco.repo.security.authentication.AuthenticationComponent;
-import org.alfresco.repo.security.authentication.AuthenticationException;
-import org.alfresco.repo.security.authentication.NTLMMode;
-
-/**
- * An specialized {@link AuthenticationComponent} that is capable of handling NTLM authentication directly, either by
- * 'passing through' to a domain server or by validating an MD4 hashed password. Unlike other authentication methods,
- * these operations cannot be chained and must be handled by a specific authentication component.
- *
- * @author dward
- */
-public interface NLTMAuthenticator extends AuthenticationComponent
-{
- /**
- * Authenticate using a token.
- *
- * @param token
- * Authentication
- * @return Authentication
- * @throws AuthenticationException
- * the authentication exception
- */
- public Authentication authenticate(Authentication token) throws AuthenticationException;
-
- /**
- * Get the enum that describes NTLM integration.
- *
- * @return the NTLM mode
- */
- public NTLMMode getNTLMMode();
-
- /**
- * Get the MD4 password hash, as required by NTLM based authentication methods.
- *
- * @param userName
- * the user name
- * @return the m d4 hashed password
- */
- public String getMD4HashedPassword(String userName);
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationComponentImpl.java b/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationComponentImpl.java
deleted file mode 100644
index f0ab44ef2b..0000000000
--- a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationComponentImpl.java
+++ /dev/null
@@ -1,947 +0,0 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.ntlm;
-
-import java.io.IOException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Security;
-import java.util.Enumeration;
-import java.util.Hashtable;
-import java.util.StringTokenizer;
-
-import net.sf.acegisecurity.Authentication;
-import net.sf.acegisecurity.AuthenticationServiceException;
-import net.sf.acegisecurity.BadCredentialsException;
-import net.sf.acegisecurity.CredentialsExpiredException;
-import net.sf.acegisecurity.GrantedAuthority;
-import net.sf.acegisecurity.GrantedAuthorityImpl;
-
-import org.alfresco.error.AlfrescoRuntimeException;
-import org.alfresco.filesys.auth.PassthruServerFactory;
-import org.alfresco.jlan.server.auth.PasswordEncryptor;
-import org.alfresco.jlan.server.auth.passthru.AuthSessionFactory;
-import org.alfresco.jlan.server.auth.passthru.AuthenticateSession;
-import org.alfresco.jlan.server.auth.passthru.PassthruServers;
-import org.alfresco.jlan.smb.Protocol;
-import org.alfresco.jlan.smb.SMBException;
-import org.alfresco.jlan.smb.SMBStatus;
-import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
-import org.alfresco.repo.security.authentication.AuthenticationException;
-import org.alfresco.repo.security.authentication.NTLMMode;
-import org.alfresco.repo.transaction.RetryingTransactionHelper;
-import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
-import org.alfresco.service.cmr.security.NoSuchPersonException;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.springframework.beans.factory.InitializingBean;
-
-/**
- * NTLM Authentication Component Class
- *
- * Provides authentication using passthru to a Windows server(s)/domain controller(s) using the accounts
- * defined on the passthru server to validate users.
- *
- * @author GKSpencer
- */
-public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationComponent implements NLTMAuthenticator, InitializingBean
-{
- // Logging
-
- private static final Log logger = LogFactory.getLog(NTLMAuthenticationComponentImpl.class);
-
- // Constants
- //
- // Standard authorities
-
- public static final String NTLMAuthorityGuest = "Guest";
- public static final String NTLMAuthorityAdministrator = "Administrator";
-
- // Active session timeout
-
- private static final long DefaultSessionTimeout = 60000L; // 1 minute
- private static final long MinimumSessionTimeout = 5000L; // 5 seconds
-
- // Passthru authentication servers
-
- private PassthruServerFactory m_passthruServerFactory = new PassthruServerFactory();
- private PassthruServers m_passthruServers;
-
- // Password encryptor for generating password hash for local authentication
-
- private PasswordEncryptor m_encryptor;
-
- // Allow guest access
-
- private boolean m_allowGuest;
-
- // Allow authenticated users that do not have an Alfresco person to logon as guest
-
- private boolean m_allowAuthUserAsGuest;
-
- // Table of currently active passthru authentications and the associated authentication session
- //
- // If the two authentication stages are not completed within a reasonable time the authentication
- // session will be closed by the reaper thread.
-
- private Hashtable m_passthruSessions;
-
- // Active authentication session timeout, in milliseconds
-
- private long m_passthruSessTmo = DefaultSessionTimeout;
-
- // Authentication session reaper thread
-
- private PassthruReaperThread m_reaperThread;
-
- // Null domain uses any available server option
-
- private boolean m_nullDomainUseAnyServer;
-
- /**
- * Passthru Session Reaper Thread
- */
- class PassthruReaperThread extends Thread
- {
- // Thread shutdown request flag
-
- private boolean m_ishutdown;
-
- // Reaper wakeup interval, in milliseconds
-
- private long m_wakeupInterval = m_passthruSessTmo / 2;
-
- /**
- * Default constructor
- */
- PassthruReaperThread()
- {
- setDaemon(true);
- setName("PassthruReaper");
- start();
- }
-
- /**
- * Set the wakeup interval
- *
- * @param wakeup long
- */
- public final void setWakeup(long wakeup)
- {
- m_wakeupInterval = wakeup;
- }
-
- /**
- * Main thread code
- */
- public void run()
- {
- // Loop until shutdown
-
- m_ishutdown = false;
-
- while ( m_ishutdown == false)
- {
- // Sleep for a while
-
- try
- {
- sleep( m_wakeupInterval);
- }
- catch ( InterruptedException ex)
- {
- }
-
- // Check if there are any active sessions to check
-
- if ( m_passthruSessions.size() > 0)
- {
- // Enumerate the active sessions
-
- Enumeration tokenEnum = m_passthruSessions.keys();
- long timeNow = System.currentTimeMillis();
-
- while (tokenEnum.hasMoreElements())
- {
- // Get the current NTLM token and check if it has expired
-
- NTLMPassthruToken ntlmToken = tokenEnum.nextElement();
-
- if ( ntlmToken != null && ntlmToken.getAuthenticationExpireTime() < timeNow)
- {
- // Authentication token has expired, close the associated authentication session
-
- AuthenticateSession authSess = m_passthruSessions.get(ntlmToken);
- if ( authSess != null)
- {
- try
- {
- // Close the authentication session
-
- authSess.CloseSession();
- }
- catch ( Exception ex)
- {
- // Debug
-
- if(logger.isDebugEnabled())
- logger.debug("Error closing expired authentication session", ex);
- }
- }
-
- // Remove the expired token from the active list
-
- m_passthruSessions.remove(ntlmToken);
-
- // Debug
-
- if(logger.isDebugEnabled())
- logger.debug("Removed expired NTLM token " + ntlmToken);
- }
- }
- }
- }
-
- // Debug
-
- if(logger.isDebugEnabled())
- logger.debug("Passthru reaper thread shutdown");
- }
-
- /**
- * Shutdown the reaper thread
- */
- public final void shutdownRequest()
- {
- m_ishutdown = true;
- this.interrupt();
- }
- }
-
- /**
- * Class constructor
- */
- public NTLMAuthenticationComponentImpl() {
-
- // Create the password encryptor for local password hashing
-
- m_encryptor = new PasswordEncryptor();
-
- // Create the active session list and reaper thread
-
- m_passthruSessions = new Hashtable();
- m_reaperThread = new PassthruReaperThread();
- }
-
-
-
- public void afterPropertiesSet() throws Exception
- {
- if (m_passthruServers == null)
- {
- // Create the passthru authentication server list
- m_passthruServerFactory.afterPropertiesSet();
-
- m_passthruServers = (PassthruServers) m_passthruServerFactory.getObject();
- }
- }
-
-
-
- /**
- * Determine if guest logons are allowed
- *
- * @return boolean
- */
- public final boolean allowsGuest()
- {
- return m_allowGuest;
- }
-
-
- /**
- * Directly sets the passthru server list.
- *
- * @param servers
- * a passthru server list, usually created by {@link org.alfresco.filesys.auth.PassthruServerFactory}
- */
- public void setPassthruServers(PassthruServers servers)
- {
- m_passthruServers = servers;
- }
-
- /**
- * Set the domain to authenticate against
- *
- * @param domain String
- */
- public void setDomain(String domain) {
- if (domain.length() > 0)
- {
- m_passthruServerFactory.setDomain(domain);
- }
- }
-
- /**
- * Set the server(s) to authenticate against
- *
- * @param servers String
- */
- public void setServers(String servers) {
- if (servers.length() > 0)
- {
- m_passthruServerFactory.setServer(servers);
- }
- }
-
- /**
- * Use the local server as the authentication server
- *
- * @param useLocal String
- */
- public void setUseLocalServer(String useLocal)
- {
- m_passthruServerFactory.setLocalServer(Boolean.parseBoolean(useLocal));
- }
-
- /**
- * Allow guest access
- *
- * @param guest String
- */
- public void setGuestAccess(String guest)
- {
- m_allowGuest = Boolean.parseBoolean(guest);
- }
-
- /**
- * Allow authenticated users with no alfresco person record to logon with guest access
- *
- * @param auth String
- */
- public void setAllowAuthUserAsGuest(String auth)
- {
- m_allowAuthUserAsGuest = Boolean.parseBoolean(auth);
- }
-
- /**
- * Allow null domain passthru logons to use the first available passthru server
- *
- * @param nullDomain String
- */
- public void setNullDomainUseAnyServer(String nullDomain)
- {
- m_nullDomainUseAnyServer = Boolean.parseBoolean(nullDomain);
-
- // Push the setting to the passthru server component
-
- m_passthruServers.setNullDomainUseAnyServer( m_nullDomainUseAnyServer);
- }
-
- /**
- * Set the JCE provider
- *
- * @param providerClass String
- */
- public void setJCEProvider(String providerClass)
- {
- // Set the JCE provider, required to provide various encryption/hashing algorithms not available
- // in the standard Sun JDK/JRE
-
- try
- {
-
- // Load the JCE provider class and validate
-
- Object jceObj = Class.forName(providerClass).newInstance();
- if (jceObj instanceof java.security.Provider)
- {
-
- // Inform listeners, validate the configuration change
-
- Provider jceProvider = (Provider) jceObj;
-
- // Add the JCE provider
-
- Security.addProvider(jceProvider);
-
- // Debug
-
- if ( logger.isDebugEnabled())
- logger.debug("Using JCE provider " + providerClass);
- }
- else
- {
- throw new AlfrescoRuntimeException("JCE provider class is not a valid Provider class:" + providerClass);
- }
- }
- catch (ClassNotFoundException ex)
- {
- throw new AlfrescoRuntimeException("JCE provider class " + providerClass + " not found");
- }
- catch (Exception ex)
- {
- throw new AlfrescoRuntimeException("JCE provider class error", ex);
- }
- }
-
- /**
- * Set the authentication session timeout, in seconds
- *
- * @param sessTmo String
- */
- public void setSessionTimeout(String sessTmo)
- {
- // Convert to an integer value and range check the timeout value
-
- try
- {
- // Convert to an integer value
-
- long sessTmoMilli = Long.parseLong(sessTmo) * 1000L;
-
- if ( sessTmoMilli < MinimumSessionTimeout)
- {
- throw new AlfrescoRuntimeException("Authentication session timeout too low, " + sessTmo);
- }
-
- // Set the authentication session timeout value
-
- m_passthruSessTmo = sessTmoMilli;
-
- // Set the reaper thread wakeup interval
-
- m_reaperThread.setWakeup( sessTmoMilli / 2);
- }
- catch(NumberFormatException ex)
- {
- throw new AlfrescoRuntimeException("Invalid authenication session timeout value");
- }
- }
-
- /**
- * Return the authentication session timeout, in milliseconds
- *
- * @return long
- */
- private final long getSessionTimeout()
- {
- return m_passthruSessTmo;
- }
-
- /**
- * Authenticate
- *
- * @param userName String
- * @param password char[]
- * @throws AuthenticationException
- */
- protected void authenticateImpl(String userName, char[] password) throws AuthenticationException
- {
- // Debug
-
- if ( logger.isDebugEnabled())
- {
- logger.debug("Authenticate user=" + userName + " via local credentials");
- }
-
- // Create a local authentication token
-
- NTLMLocalToken authToken = new NTLMLocalToken(userName, new String(password));
-
- // Authenticate using the token
-
- authenticate( authToken);
-
- }
-
- /**
- * Authenticate using a token
- *
- * @param auth Authentication
- * @return Authentication
- * @throws AuthenticationException
- */
- public Authentication authenticate(Authentication auth) throws AuthenticationException
- {
- // DEBUG
-
- if ( logger.isDebugEnabled())
- {
- logger.debug("Authenticate " + auth + " via token");
- }
-
- // Check if the token is for passthru authentication
-
- if( auth instanceof NTLMPassthruToken)
- {
- // Access the NTLM passthru token
-
- NTLMPassthruToken ntlmToken = (NTLMPassthruToken) auth;
-
- // Authenticate using passthru
-
- authenticatePassthru(ntlmToken);
- }
-
- // Check for a local authentication token
-
- else if( auth instanceof NTLMLocalToken)
- {
- AuthenticateSession authSess = null;
-
- try
- {
-
- // Access the NTLM token
-
- NTLMLocalToken ntlmToken = (NTLMLocalToken) auth;
-
- // Open a session to an authentication server
-
- authSess = m_passthruServers.openSession();
-
- // Check fi the passthru session is valid
-
- if ( authSess == null)
- {
- // DEBUG
-
- if ( logger.isDebugEnabled())
- {
- logger.debug( "Failed to open passthru session, or no valid passthru server available for " + ntlmToken);
- }
-
- throw new AuthenticationException("authentication.err.connection.passthru.server");
- }
-
- // Authenticate using the credentials supplied
-
- authenticateLocal(ntlmToken, authSess);
- }
- finally
- {
- // Make sure the authentication session is closed
-
- if ( authSess != null)
- {
- try
- {
- authSess.CloseSession();
- }
- catch ( Exception ex)
- {
- }
- }
- }
- }
- else
- {
- // Unsupported authentication token
-
- throw new AuthenticationException("authentication.err.passthru.token.unsupported");
- }
-
- // Return the updated authentication token
-
- return getCurrentAuthentication();
- }
-
- /**
- * Get the enum that describes NTLM integration
- *
- * @return NTLMMode
- */
- public NTLMMode getNTLMMode()
- {
- return NTLMMode.PASS_THROUGH;
- }
-
- /**
- * Get the MD4 password hash, as required by NTLM based authentication methods.
- *
- * @param userName String
- * @return String
- */
- public String getMD4HashedPassword(String userName)
- {
- // Do not support MD4 hashed password
-
- throw new AlfrescoRuntimeException("MD4 passwords not supported");
- }
-
- /**
- * Authenticate a user using local credentials
- *
- * @param ntlmToken NTLMLocalToken
- * @param authSess AuthenticateSession
- * @throws org.alfresco.repo.security.authentication.AuthenticationException
- */
- private void authenticateLocal(NTLMLocalToken ntlmToken, AuthenticateSession authSess)
- {
- try
- {
- // Get the plaintext password and generate an NTLM1 password hash
-
- String username = (String) ntlmToken.getPrincipal();
- String plainPwd = (String) ntlmToken.getCredentials();
- byte[] ntlm1Pwd = m_encryptor.generateEncryptedPassword( plainPwd, authSess.getEncryptionKey(), PasswordEncryptor.NTLM1, null, null);
-
- // Send the logon request to the authentication server
- //
- // Note: Only use the stronger NTLM hash, we do not send the LM hash
-
- authSess.doSessionSetup(username, null, ntlm1Pwd);
-
- // Check if the session has logged on as a guest
-
- if ( authSess.isGuest() || username.equalsIgnoreCase("GUEST"))
- {
- // If guest access is enabled add a guest authority to the token
-
- if ( allowsGuest())
- {
- // Set the guest authority
-
- GrantedAuthority[] authorities = new GrantedAuthority[2];
- authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
- authorities[1] = new GrantedAuthorityImpl("ROLE_AUTHENTICATED");
-
- ntlmToken.setAuthorities(authorities);
- }
- else
- {
- // Guest access not allowed
-
- throw new AuthenticationException("authentication.err.passthru.guest.notenabled");
- }
- }
- else
- {
- // Set authorities
-
- GrantedAuthority[] authorities = new GrantedAuthority[1];
- authorities[0] = new GrantedAuthorityImpl("ROLE_AUTHENTICATED");
-
- ntlmToken.setAuthorities(authorities);
- }
-
- // Indicate that the token is authenticated
-
- ntlmToken.setAuthenticated(true);
-
- // Map the passthru username to an Alfresco person
-
- clearCurrentSecurityContext();
- setCurrentUser( username);
-
- // Debug
-
- if ( logger.isDebugEnabled())
- {
- logger.debug("Authenticated token=" + ntlmToken);
- }
- }
- catch (NoSuchAlgorithmException ex)
- {
- // JCE provider does not have the required encryption/hashing algorithms
-
- throw new AuthenticationException("JCE provider error", ex);
- }
- catch (InvalidKeyException ex)
- {
- // Problem creating key during encryption
-
- throw new AuthenticationException("Invalid key error", ex);
- }
- catch (IOException ex)
- {
- // Error connecting to the authentication server
-
- throw new AuthenticationException("I/O error", ex);
- }
- catch (SMBException ex)
- {
- // Check the returned status code to determine why the logon failed and throw an appropriate exception
-
- if ( ex.getErrorClass() == SMBStatus.NTErr)
- {
- AuthenticationException authEx = null;
-
- switch( ex.getErrorCode())
- {
- case SMBStatus.NTLogonFailure:
- authEx = new AuthenticationException("Logon failure");
- break;
- case SMBStatus.NTAccountDisabled:
- authEx = new AuthenticationException("authentication.err.passthru.user.disabled");
- break;
- default:
- authEx = new AuthenticationException("Logon failure");
- break;
- }
-
- throw authEx;
- }
- else
- {
- throw new AuthenticationException("Logon failure");
- }
- }
- }
-
- /**
- * Authenticate using passthru authentication with a client
- *
- * @param ntlmToken NTLMPassthruToken
- * @throws org.alfresco.repo.security.authentication.AuthenticationException
- */
- private void authenticatePassthru(NTLMPassthruToken ntlmToken)
- {
- // Check if the token has an authentication session, if not then it is either a new token
- // or the session has been timed out
-
- AuthenticateSession authSess = m_passthruSessions.get(ntlmToken);
-
- if ( authSess == null)
- {
- // Check if the token has a challenge, if it does then the associated session has been
- // timed out
-
- if ( ntlmToken.getChallenge() != null)
- {
- throw new AuthenticationException("Authentication session expired");
- }
-
- // Open an authentication session for the new token and add to the active session list
-
- authSess = m_passthruServers.openSession( false, ntlmToken.getClientDomain());
-
- // Check if the session was opened to the passthru server
-
- if ( authSess == null)
- {
- throw new AuthenticationException("authentication.err.connection.passthru.server");
- }
-
- ntlmToken.setAuthenticationExpireTime(System.currentTimeMillis() + getSessionTimeout());
-
- // Get the challenge from the initial session negotiate stage
-
- ntlmToken.setChallenge(new NTLMChallenge(authSess.getEncryptionKey()));
-
- StringBuilder details = new StringBuilder();
-
- // Build a details string with the authentication session details
-
- details.append(authSess.getDomain());
- details.append("\\");
- details.append(authSess.getPCShare().getNodeName());
- details.append(",");
- details.append(authSess.getSession().getProtocolName());
-
- ntlmToken.setDetails(details.toString());
-
- // Put the token/session into the active session list
-
- m_passthruSessions.put(ntlmToken, authSess);
-
- // Debug
-
- if ( logger.isDebugEnabled())
- logger.debug("Passthru stage 1 token " + ntlmToken);
- }
- else
- {
- try
- {
- // Stage two of the authentication, send the hashed password to the authentication server
-
- byte[] lmPwd = null;
- byte[] ntlmPwd = null;
-
- if ( ntlmToken.getPasswordType() == PasswordEncryptor.LANMAN)
- lmPwd = ntlmToken.getHashedPassword();
- else if ( ntlmToken.getPasswordType() == PasswordEncryptor.NTLM1)
- ntlmPwd = ntlmToken.getHashedPassword();
-
- String username = (String) ntlmToken.getPrincipal();
-
- authSess.doSessionSetup(username, lmPwd, ntlmPwd);
-
- // Check if the session has logged on as a guest
-
- if ( authSess.isGuest() || username.equalsIgnoreCase("GUEST"))
- {
- // If guest access is enabled add a guest authority to the token
-
- if ( allowsGuest())
- {
- // Set the guest authority
-
- GrantedAuthority[] authorities = new GrantedAuthority[1];
- authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
-
- ntlmToken.setAuthorities(authorities);
- }
- else
- {
- // Guest access not allowed
-
- throw new AuthenticationException("authentication.err.passthru.guest.notenabled");
- }
- }
-
- // Indicate that the token is authenticated
-
- ntlmToken.setAuthenticated(true);
-
- // Wrap the service calls in a transaction
-
- RetryingTransactionHelper helper = getTransactionService().getRetryingTransactionHelper();
-
- final String currentUser = username;
-
- helper.doInTransaction(new RetryingTransactionCallback()
- {
- public Void execute() throws AuthenticationException
- {
- clearCurrentSecurityContext();
- setCurrentUser(currentUser);
- return null;
- }
- });
- }
- catch (NoSuchPersonException ex)
- {
- // Check if authenticated users are allowed on as guest when there is no Alfresco person record
-
- if ( m_allowAuthUserAsGuest == true)
- {
- // Set the guest authority
-
- GrantedAuthority[] authorities = new GrantedAuthority[1];
- authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
-
- ntlmToken.setAuthorities(authorities);
-
- // DEBUG
-
- if ( logger.isDebugEnabled())
- {
- logger.debug("Allow passthru authenticated user to logon as guest, user=" + ntlmToken.getName());
- }
- }
- else
- {
- // Logon failure, no matching person record
- throw new AuthenticationException("authentication.err.passthru.user.notfound", ex);
- }
- }
- catch (IOException ex)
- {
- // Error connecting to the authentication server
- throw new AuthenticationException("Unable to connect to the authentication server", ex);
- }
- catch (SMBException ex)
- {
- // Debug
-
- if ( logger.isDebugEnabled())
- {
- logger.debug("Passthru exception, " + ex);
- }
- // Check the returned status code to determine why the logon failed and throw an appropriate exception
-
- if ( ex.getErrorClass() == SMBStatus.NTErr)
- {
- AuthenticationException authEx = null;
-
- switch( ex.getErrorCode())
- {
- case SMBStatus.NTLogonFailure:
- authEx = new AuthenticationException("Logon failure");
- break;
- case SMBStatus.NTAccountDisabled:
- authEx = new AuthenticationException("authentication.err.passthru.user.disabled");
- break;
- default:
- authEx = new AuthenticationException("Logon failure");
- break;
- }
-
- throw authEx;
- }
- else
- {
- throw new AuthenticationException("Logon failure");
- }
- }
- finally
- {
- // Make sure the authentication session is closed
-
- if ( authSess != null)
- {
- try
- {
- // Remove the session from the active list
-
- m_passthruSessions.remove(ntlmToken);
-
- // Close the session to the authentication server
-
- authSess.CloseSession();
- }
- catch (Exception ex)
- {
- logger.debug("unable to close session", ex);
- }
- }
- }
- }
- }
-
- /**
- * Check if the user exists
- *
- * @param userName String
- * @return boolean
- */
- public boolean exists(String userName)
- {
- throw new UnsupportedOperationException();
- }
-
- @Override
- protected boolean implementationAllowsGuestLogin()
- {
- return allowsGuest();
- }
-
-
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationProvider.java b/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationProvider.java
deleted file mode 100644
index ad273c244f..0000000000
--- a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationProvider.java
+++ /dev/null
@@ -1,771 +0,0 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.ntlm;
-
-import java.io.IOException;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Security;
-import java.util.Enumeration;
-import java.util.Hashtable;
-
-import org.alfresco.error.AlfrescoRuntimeException;
-import org.alfresco.jlan.server.auth.PasswordEncryptor;
-import org.alfresco.jlan.server.auth.passthru.AuthenticateSession;
-import org.alfresco.jlan.server.auth.passthru.PassthruServers;
-import org.alfresco.jlan.smb.SMBException;
-import org.alfresco.jlan.smb.SMBStatus;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import net.sf.acegisecurity.*;
-import net.sf.acegisecurity.providers.*;
-
-/**
- * NTLM Authentication Provider
- *
- * @author GKSpencer
- */
-public class NTLMAuthenticationProvider implements AuthenticationProvider
-{
- private static final Log logger = LogFactory.getLog("org.alfresco.acegi");
-
- // Constants
- //
- // Standard authorities
-
- public static final String NTLMAuthorityGuest = "Guest";
- public static final String NTLMAuthorityAdministrator = "Administrator";
-
- // Active session timeout
-
- private static final long DefaultSessionTimeout = 60000L; // 1 minute
- private static final long MinimumSessionTimeout = 5000L; // 5 seconds
-
- // Passthru authentication servers
-
- private PassthruServers m_passthruServers;
-
- // Password encryptor for generating password hash for local authentication
-
- private PasswordEncryptor m_encryptor;
-
- // Allow guest access
-
- private boolean m_allowGuest;
-
- // Table of currently active passthru authentications and the associated authentication session
- //
- // If the two authentication stages are not completed within a reasonable time the authentication
- // session will be closed by the reaper thread.
-
- private Hashtable m_passthruSessions;
-
- // Active authentication session timeout, in milliseconds
-
- private long m_passthruSessTmo = DefaultSessionTimeout;
-
- // Authentication session reaper thread
-
- private PassthruReaperThread m_reaperThread;
-
- /**
- * Passthru Session Repear Thread
- */
- class PassthruReaperThread extends Thread
- {
- // Thread shutdown request flag
-
- private boolean m_ishutdown;
-
- // Reaper wakeup interval, in milliseconds
-
- private long m_wakeupInterval = m_passthruSessTmo / 2;
-
- /**
- * Default constructor
- */
- PassthruReaperThread()
- {
- setDaemon(true);
- setName("PassthruReaper");
- start();
- }
-
- /**
- * Set the wakeup interval
- *
- * @param wakeup long
- */
- public final void setWakeup(long wakeup)
- {
- m_wakeupInterval = wakeup;
- }
-
- /**
- * Main thread code
- */
- public void run()
- {
- // Loop until shutdown
-
- m_ishutdown = false;
-
- while ( m_ishutdown == false)
- {
- // Sleep for a while
-
- try
- {
- sleep( m_wakeupInterval);
- }
- catch ( InterruptedException ex)
- {
- }
-
- // Check if there are any active sessions to check
-
- if ( m_passthruSessions.size() > 0)
- {
- // Enumerate the active sessions
-
- Enumeration tokenEnum = m_passthruSessions.keys();
- long timeNow = System.currentTimeMillis();
-
- while (tokenEnum.hasMoreElements())
- {
- // Get the current NTLM token and check if it has expired
-
- NTLMPassthruToken ntlmToken = tokenEnum.nextElement();
-
- if ( ntlmToken != null && ntlmToken.getAuthenticationExpireTime() < timeNow)
- {
- // Authentication token has expired, close the associated authentication session
-
- AuthenticateSession authSess = m_passthruSessions.get(ntlmToken);
- if ( authSess != null)
- {
- try
- {
- // Close the authentication session
-
- authSess.CloseSession();
- }
- catch ( Exception ex)
- {
- // Debug
-
- if(logger.isDebugEnabled())
- logger.debug("Error closing expired authentication session", ex);
- }
- }
-
- // Remove the expired token from the active list
-
- m_passthruSessions.remove(ntlmToken);
-
- // Debug
-
- if(logger.isDebugEnabled())
- logger.debug("Removed expired NTLM token " + ntlmToken);
- }
- }
- }
- }
-
- // Debug
-
- if(logger.isDebugEnabled())
- logger.debug("Passthru reaper thread shutdown");
- }
-
- /**
- * Shutdown the reaper thread
- */
- public final void shutdownRequest()
- {
- m_ishutdown = true;
- this.interrupt();
- }
- }
-
- /**
- * Class constructor
- */
- public NTLMAuthenticationProvider() {
-
- // Create the passthru authentication server list
-
- m_passthruServers = new PassthruServers();
-
- // Create the password encryptor for local password hashing
-
- m_encryptor = new PasswordEncryptor();
-
- // Create the active session list and reaper thread
-
- m_passthruSessions = new Hashtable();
- m_reaperThread = new PassthruReaperThread();
- }
-
- /**
- * Authenticate a user
- *
- * @param auth Authentication
- * @return Authentication
- * @exception AuthenticationException
- */
- public Authentication authenticate(Authentication auth) throws AuthenticationException
- {
- // DEBUG
-
- if ( logger.isDebugEnabled())
- logger.debug("Authenticate " + auth);
-
- // Check if the token is for passthru authentication
-
- if( auth instanceof NTLMPassthruToken)
- {
- // Access the NTLM passthru token
-
- NTLMPassthruToken ntlmToken = (NTLMPassthruToken) auth;
-
- // Authenticate using passthru
-
- authenticatePassthru(ntlmToken);
- }
-
- // Check for a local authentication token
-
- else if( auth instanceof NTLMLocalToken)
- {
- AuthenticateSession authSess = null;
-
- try
- {
-
- // Access the NTLM token
-
- NTLMLocalToken ntlmToken = (NTLMLocalToken) auth;
-
- // Open a session to an authentication server
-
- authSess = m_passthruServers.openSession();
-
- // Authenticate using the credentials supplied
-
- authenticateLocal(ntlmToken, authSess);
- }
- finally
- {
- // Make sure the authentication session is closed
-
- if ( authSess != null)
- {
- try
- {
- authSess.CloseSession();
- }
- catch ( Exception ex)
- {
- }
- }
- }
- }
-
- // Return the updated authentication token
-
- return auth;
- }
-
- /**
- * Determine if this provider supports the specified authentication token
- *
- * @param authentication Class
- */
- public boolean supports(Class authentication)
- {
- // Check if the authentication is an NTLM authentication token
-
- if ( NTLMPassthruToken.class.isAssignableFrom(authentication))
- return true;
- return NTLMLocalToken.class.isAssignableFrom(authentication);
- }
-
- /**
- * Determine if guest logons are allowed
- *
- * @return boolean
- */
- public final boolean allowsGuest()
- {
- return m_allowGuest;
- }
-
- /**
- * Set the domain to authenticate against
- *
- * @param domain String
- */
- public final void setDomain(String domain) {
-
- // Check if the passthru server list is already configured
-
- if ( m_passthruServers.getTotalServerCount() > 0)
- throw new AlfrescoRuntimeException("Passthru server list already configured");
-
- // Configure the passthru authentication server list using the domain controllers
-
- try
- {
- m_passthruServers.setDomain(domain);
- }
- catch (IOException ex)
- {
- throw new AlfrescoRuntimeException("Failed to set passthru domain", ex);
- }
- }
-
- /**
- * Set the server(s) to authenticate against
- *
- * @param servers String
- */
- public final void setServers(String servers) {
-
- // Check if the passthru server list is already configured
-
- if ( m_passthruServers.getTotalServerCount() > 0)
- throw new AlfrescoRuntimeException("Passthru server list already configured");
-
- // Configure the passthru authenticaiton list using a list of server names/addresses
-
- m_passthruServers.setServerList(servers);
- }
-
- /**
- * Use the local server as the authentication server
- *
- * @param useLocal String
- */
- public final void setUseLocalServer(String useLocal)
- {
- // Check if the local server should be used for authentication
-
- if ( Boolean.parseBoolean(useLocal) == true)
- {
- // Check if the passthru server list is already configured
-
- if ( m_passthruServers.getTotalServerCount() > 0)
- throw new AlfrescoRuntimeException("Passthru server list already configured");
-
- try
- {
- // Get the list of local network addresses
-
- InetAddress[] localAddrs = InetAddress.getAllByName(InetAddress.getLocalHost().getHostName());
-
- // Build the list of local addresses
-
- if ( localAddrs != null && localAddrs.length > 0)
- {
- StringBuilder addrStr = new StringBuilder();
-
- for ( InetAddress curAddr : localAddrs)
- {
- if ( curAddr.isLoopbackAddress() == false)
- {
- addrStr.append(curAddr.getHostAddress());
- addrStr.append(",");
- }
- }
-
- if ( addrStr.length() > 0)
- addrStr.setLength(addrStr.length() - 1);
-
- // Set the server list using the local address list
-
- m_passthruServers.setServerList(addrStr.toString());
- }
- else
- throw new AlfrescoRuntimeException("No local server address(es)");
- }
- catch ( UnknownHostException ex)
- {
- throw new AlfrescoRuntimeException("Failed to get local address list");
- }
- }
- }
-
- /**
- * Allow guest access
- *
- * @param guest String
- */
- public final void setGuestAccess(String guest)
- {
- m_allowGuest = Boolean.parseBoolean(guest);
- }
-
- /**
- * Set the JCE provider
- *
- * @param providerClass String
- */
- public final void setJCEProvider(String providerClass)
- {
- // Set the JCE provider, required to provide various encryption/hashing algorithms not available
- // in the standard Sun JDK/JRE
-
- try
- {
-
- // Load the JCE provider class and validate
-
- Object jceObj = Class.forName(providerClass).newInstance();
- if (jceObj instanceof java.security.Provider)
- {
-
- // Inform listeners, validate the configuration change
-
- Provider jceProvider = (Provider) jceObj;
-
- // Add the JCE provider
-
- Security.addProvider(jceProvider);
-
- // Debug
-
- if ( logger.isDebugEnabled())
- logger.debug("Using JCE provider " + providerClass);
- }
- else
- {
- throw new AlfrescoRuntimeException("JCE provider class is not a valid Provider class");
- }
- }
- catch (ClassNotFoundException ex)
- {
- throw new AlfrescoRuntimeException("JCE provider class " + providerClass + " not found");
- }
- catch (Exception ex)
- {
- throw new AlfrescoRuntimeException("JCE provider class error", ex);
- }
- }
-
- /**
- * Set the authentication session timeout, in seconds
- *
- * @param sessTmo String
- */
- public final void setSessionTimeout(String sessTmo)
- {
- // Convert to an integer value and range check the timeout value
-
- try
- {
- // Convert to an integer value
-
- long sessTmoMilli = Long.parseLong(sessTmo) * 1000L;
-
- if ( sessTmoMilli < MinimumSessionTimeout)
- throw new AlfrescoRuntimeException("Authentication session timeout too low, " + sessTmo);
-
- // Set the authentication session timeout value
-
- m_passthruSessTmo = sessTmoMilli;
-
- // Set the reaper thread wakeup interval
-
- m_reaperThread.setWakeup( sessTmoMilli / 2);
- }
- catch(NumberFormatException ex)
- {
- throw new AlfrescoRuntimeException("Invalid authenication session timeout value");
- }
- }
-
- /**
- * Return the authentication session timeout, in milliseconds
- *
- * @return long
- */
- private final long getSessionTimeout()
- {
- return m_passthruSessTmo;
- }
-
- /**
- * Authenticate a user using local credentials
- *
- * @param ntlmToken NTLMLocalToken
- * @param authSess AuthenticateSession
- */
- private void authenticateLocal(NTLMLocalToken ntlmToken, AuthenticateSession authSess)
- {
- try
- {
- // Get the plaintext password and generate an NTLM1 password hash
-
- String username = (String) ntlmToken.getPrincipal();
- String plainPwd = (String) ntlmToken.getCredentials();
- byte[] ntlm1Pwd = m_encryptor.generateEncryptedPassword( plainPwd, authSess.getEncryptionKey(), PasswordEncryptor.NTLM1, null, null);
-
- // Send the logon request to the authentication server
- //
- // Note: Only use the stronger NTLM hash, we do not send the LM hash
-
- authSess.doSessionSetup(username, null, ntlm1Pwd);
-
- // Check if the session has logged on as a guest
-
- if ( authSess.isGuest() || username.equalsIgnoreCase("GUEST"))
- {
- // If guest access is enabled add a guest authority to the token
-
- if ( allowsGuest())
- {
- // Set the guest authority
-
- GrantedAuthority[] authorities = new GrantedAuthority[1];
- authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
-
- ntlmToken.setAuthorities(authorities);
- }
- else
- {
- // Guest access not allowed
-
- throw new BadCredentialsException("Guest logons disabled");
- }
- }
-
- // Indicate that the token is authenticated
-
- ntlmToken.setAuthenticated(true);
- }
- catch (NoSuchAlgorithmException ex)
- {
- // JCE provider does not have the required encryption/hashing algorithms
-
- throw new AuthenticationServiceException("JCE provider error", ex);
- }
- catch (InvalidKeyException ex)
- {
- // Problem creating key during encryption
-
- throw new AuthenticationServiceException("Invalid key error", ex);
- }
- catch (IOException ex)
- {
- // Error connecting to the authentication server
-
- throw new AuthenticationServiceException("I/O error", ex);
- }
- catch (SMBException ex)
- {
- // Check the returned status code to determine why the logon failed and throw an appropriate exception
-
- if ( ex.getErrorClass() == SMBStatus.NTErr)
- {
- AuthenticationException authEx = null;
-
- switch( ex.getErrorCode())
- {
- case SMBStatus.NTLogonFailure:
- authEx = new BadCredentialsException("Logon failure");
- break;
- case SMBStatus.NTAccountDisabled:
- authEx = new DisabledException("Account disabled");
- break;
- default:
- authEx = new BadCredentialsException("Logon failure");
- break;
- }
-
- throw authEx;
- }
- else
- throw new BadCredentialsException("Logon failure");
- }
- }
-
- /**
- * Authenticate using passthru authentication with a client
- *
- * @param ntlmToken NTLMPassthruToken
- */
- private void authenticatePassthru(NTLMPassthruToken ntlmToken)
- {
- // Check if the token has an authentication session, if not then it is either a new token
- // or the session has been timed out
-
- AuthenticateSession authSess = m_passthruSessions.get(ntlmToken);
-
- if ( authSess == null)
- {
- // Check if the token has a challenge, if it does then the associated session has been
- // timed out
-
- if ( ntlmToken.getChallenge() != null)
- throw new CredentialsExpiredException("Authentication session expired");
-
- // Open an authentication session for the new token and add to the active session list
-
- authSess = m_passthruServers.openSession();
-
- ntlmToken.setAuthenticationExpireTime(System.currentTimeMillis() + getSessionTimeout());
-
- // Get the challenge from the initial session negotiate stage
-
- ntlmToken.setChallenge(new NTLMChallenge(authSess.getEncryptionKey()));
-
- StringBuilder details = new StringBuilder();
-
- // Build a details string with the authentication session details
-
- details.append(authSess.getDomain());
- details.append("\\");
- details.append(authSess.getPCShare().getNodeName());
- details.append(",");
- details.append(authSess.getSession().getProtocolName());
-
- ntlmToken.setDetails(details.toString());
-
- // Put the token/session into the active session list
-
- m_passthruSessions.put(ntlmToken, authSess);
-
- // Debug
-
- if ( logger.isDebugEnabled())
- logger.debug("Passthru stage 1 token " + ntlmToken);
- }
- else
- {
- try
- {
- // Stage two of the authentication, send the hashed password to the authentication server
-
- byte[] lmPwd = null;
- byte[] ntlmPwd = null;
-
- if ( ntlmToken.getPasswordType() == PasswordEncryptor.LANMAN)
- lmPwd = ntlmToken.getHashedPassword();
- else if ( ntlmToken.getPasswordType() == PasswordEncryptor.NTLM1)
- ntlmPwd = ntlmToken.getHashedPassword();
-
- String username = (String) ntlmToken.getPrincipal();
-
- authSess.doSessionSetup(username, lmPwd, ntlmPwd);
-
- // Check if the session has logged on as a guest
-
- if ( authSess.isGuest() || username.equalsIgnoreCase("GUEST"))
- {
- // If guest access is enabled add a guest authority to the token
-
- if ( allowsGuest())
- {
- // Set the guest authority
-
- GrantedAuthority[] authorities = new GrantedAuthority[1];
- authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
-
- ntlmToken.setAuthorities(authorities);
- }
- else
- {
- // Guest access not allowed
-
- throw new BadCredentialsException("Guest logons disabled");
- }
- }
-
- // Indicate that the token is authenticated
-
- ntlmToken.setAuthenticated(true);
- }
- catch (IOException ex)
- {
- // Error connecting to the authentication server
-
- throw new AuthenticationServiceException("I/O error", ex);
- }
- catch (SMBException ex)
- {
- // Check the returned status code to determine why the logon failed and throw an appropriate exception
-
- if ( ex.getErrorClass() == SMBStatus.NTErr)
- {
- AuthenticationException authEx = null;
-
- switch( ex.getErrorCode())
- {
- case SMBStatus.NTLogonFailure:
- authEx = new BadCredentialsException("Logon failure");
- break;
- case SMBStatus.NTAccountDisabled:
- authEx = new DisabledException("Account disabled");
- break;
- default:
- authEx = new BadCredentialsException("Logon failure");
- break;
- }
-
- throw authEx;
- }
- else
- throw new BadCredentialsException("Logon failure");
- }
- finally
- {
- // Make sure the authentication session is closed
-
- if ( authSess != null)
- {
- try
- {
- // Remove the session from the active list
-
- m_passthruSessions.remove(ntlmToken);
-
- // Close the session to the authentication server
-
- authSess.CloseSession();
- }
- catch (Exception ex)
- {
- }
- }
- }
- }
- }
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMChallenge.java b/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMChallenge.java
deleted file mode 100644
index fd19d84bc1..0000000000
--- a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMChallenge.java
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.ntlm;
-
-import org.alfresco.jlan.util.HexDump;
-
-/**
- * Contains the NTLM challenge bytes.
- *
- * @author GKSpencer
- */
-public class NTLMChallenge
-{
- // Challenge bytes
-
- private byte[] m_challenge;
-
- /**
- * Class constructor
- *
- * @param chbyts byte[]
- */
- protected NTLMChallenge(byte[] chbyts)
- {
- m_challenge = chbyts;
- }
-
- /**
- * Return the challenge bytes
- *
- * @return byte[]
- */
- public final byte[] getBytes()
- {
- return m_challenge;
- }
-
- /**
- * Check for object equality
- *
- * @param obj Object
- * @return boolean
- */
- public boolean equals(Object obj)
- {
- if ( obj instanceof NTLMChallenge)
- {
- NTLMChallenge ntlmCh = (NTLMChallenge) obj;
-
- // Check if both challenges are null
-
- if ( getBytes() == null && ntlmCh.getBytes() == null)
- return true;
-
- // Check if both challenges are the same length
-
- if ( getBytes() != null && ntlmCh.getBytes() != null &&
- getBytes().length == ntlmCh.getBytes().length)
- {
- // Check if challenages are the same value
-
- byte[] ntlmBytes = ntlmCh.getBytes();
-
- for ( int i = 0; i < m_challenge.length; i++)
- if ( m_challenge[i] != ntlmBytes[i])
- return false;
- }
- else
- return false;
- }
-
- // Not the same type
-
- return false;
- }
-
- /**
- * Return the challenge as a string
- *
- * @return String
- */
- public String toString()
- {
- StringBuilder str = new StringBuilder();
-
- str.append("[");
- str.append(HexDump.hexString(getBytes(), " "));
- str.append("]");
-
- return str.toString();
- }
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMLocalToken.java b/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMLocalToken.java
deleted file mode 100644
index 29e86aa891..0000000000
--- a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMLocalToken.java
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.ntlm;
-
-import java.net.InetAddress;
-
-import net.sf.acegisecurity.GrantedAuthority;
-import net.sf.acegisecurity.providers.*;
-
-/**
- * Used to provide authentication with a remote Windows server when the username and password are
- * provided locally.
- *
- * @author GKSpencer
- */
-public class NTLMLocalToken extends UsernamePasswordAuthenticationToken
-{
- private static final long serialVersionUID = -7946514578455279387L;
-
- // Optional client domain and IP address, used to route the passthru authentication to the correct server(s)
-
- private String m_clientDomain;
- private String m_clientAddr;
-
- /**
- * Class constructor
- */
- protected NTLMLocalToken()
- {
- super(null, null);
- }
-
- /**
- * Class constructor
- *
- * @param ipAddr InetAddress
- */
- protected NTLMLocalToken( InetAddress ipAddr)
- {
- if ( ipAddr != null)
- m_clientAddr = ipAddr.getHostAddress();
- }
-
- /**
- * Class constructor
- *
- * @param username String
- * @param plainPwd String
- */
- public NTLMLocalToken(String username, String plainPwd) {
- super(username.toLowerCase(), plainPwd);
- }
-
- /**
- * Class constructor
- *
- * @param username String
- * @param plainPwd String
- * @param domain String
- * @param ipAddr String
- */
- public NTLMLocalToken(String username, String plainPwd, String domain, String ipAddr) {
- super(username != null ? username.toLowerCase() : "", plainPwd);
-
- m_clientDomain = domain;
- m_clientAddr = ipAddr;
- }
-
- /**
- * Check if the user logged on as a guest
- *
- * @return boolean
- */
- public final boolean isGuestLogon()
- {
- return hasAuthority(NTLMAuthenticationProvider.NTLMAuthorityGuest);
- }
-
- /**
- * Check if the user is an administrator
- *
- * @return boolean
- */
- public final boolean isAdministrator()
- {
- return hasAuthority(NTLMAuthenticationProvider.NTLMAuthorityAdministrator);
- }
-
- /**
- * Search for the specified authority
- *
- * @param authority String
- * @return boolean
- */
- public final boolean hasAuthority(String authority)
- {
- boolean found = false;
- GrantedAuthority[] authorities = getAuthorities();
-
- if ( authorities != null && authorities.length > 0)
- {
- // Search for the specified authority
-
- int i = 0;
-
- while ( found == false && i < authorities.length)
- {
- if ( authorities[i++].getAuthority().equals(authority))
- found = true;
- }
- }
-
- // Return the status
-
- return found;
- }
-
- /**
- * Check if the client domain name is set
- *
- * @return boolean
- */
- public final boolean hasClientDomain()
- {
- return m_clientDomain != null ? true : false;
- }
-
- /**
- * Return the client domain
- *
- * @return String
- */
- public final String getClientDomain()
- {
- return m_clientDomain;
- }
-
- /**
- * Check if the client IP address is set
- *
- * @return boolean
- */
- public final boolean hasClientAddress()
- {
- return m_clientAddr != null ? true : false;
- }
-
- /**
- * Return the client IP address
- *
- * @return String
- */
- public final String getClientAddress()
- {
- return m_clientAddr;
- }
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMPassthruToken.java b/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMPassthruToken.java
deleted file mode 100644
index eb52fa5f48..0000000000
--- a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NTLMPassthruToken.java
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.ntlm;
-
-import java.net.InetAddress;
-
-/**
- * Used to provide passthru authentication to a remote Windows server using multiple stages that
- * allows authentication details to be passed between a client and the remote authenticating server without
- * the password being known by the authentication provider.
- *
- * @author GKSpencer
- */
-public class NTLMPassthruToken extends NTLMLocalToken
-{
- private static final long serialVersionUID = -4635444888514735368L;
-
- // Challenge for this session
-
- private NTLMChallenge m_challenge;
-
- // User name, hashed password and algorithm type
-
- private String m_username;
- private byte[] m_hashedPassword;
- private int m_hashType;
-
- // Time that the authentication session will expire
-
- private long m_authExpiresAt;
-
- /**
- * Class constructor
- */
- public NTLMPassthruToken()
- {
- // We do not know the username yet, and will not know the password
-
- super("", "");
- }
-
- /**
- * Class constructor
- *
- * @param domain String
- */
- public NTLMPassthruToken( String domain)
- {
- // We do not know the username yet, and will not know the password
-
- super("", "", domain, null);
- }
-
- /**
- * Class constructor
- *
- * @param ipAddr InetAddress
- */
- public NTLMPassthruToken( InetAddress ipAddr)
- {
- super( ipAddr);
- }
-
- /**
- * Return the challenge
- *
- * @return NTLMChallenge
- */
- public final NTLMChallenge getChallenge()
- {
- return m_challenge;
- }
-
- /**
- * Return the user account
- *
- * @return Object
- */
- public final Object getPrincipal()
- {
- return m_username;
- }
-
- /**
- * Return the hashed password
- *
- * @return byte[]
- */
- public final byte[] getHashedPassword()
- {
- return m_hashedPassword;
- }
-
- /**
- * Return the hashed password type
- *
- * @return int
- */
- public final int getPasswordType()
- {
- return m_hashType;
- }
-
- /**
- * Return the authentication expiry time, this will be zero if the authentication session has not yet
- * been opened to the server
- *
- * @return long
- */
- public final long getAuthenticationExpireTime()
- {
- return m_authExpiresAt;
- }
-
- /**
- * Set the hashed password and type
- *
- * @param hashedPassword byte[]
- * @param hashType int
- */
- public final void setUserAndPassword(String username, byte[] hashedPassword, int hashType)
- {
- m_username = username.toLowerCase();
- m_hashedPassword = hashedPassword;
- m_hashType = hashType;
- }
-
- /**
- * Set the challenge for this token
- *
- * @param challenge NTLMChallenge
- */
- protected final void setChallenge(NTLMChallenge challenge)
- {
- m_challenge = challenge;
- }
-
- /**
- * Set the authentication expire time, this indicates that an authentication session is associated with this
- * token and the session will be closed if the authentication is not completed by this time.
- *
- * @param expireTime long
- */
- protected final void setAuthenticationExpireTime(long expireTime)
- {
- m_authExpiresAt = expireTime;
- }
-
- /**
- * Check for object equality
- *
- * @param obj Object
- * @return boolean
- */
- public boolean equals(Object obj)
- {
- // Only match on the same object
-
- return this == obj;
- }
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NullMutableAuthenticationDao.java b/src/main/java/org/alfresco/repo/security/authentication/ntlm/NullMutableAuthenticationDao.java
deleted file mode 100644
index bae3218cc2..0000000000
--- a/src/main/java/org/alfresco/repo/security/authentication/ntlm/NullMutableAuthenticationDao.java
+++ /dev/null
@@ -1,264 +0,0 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
-package org.alfresco.repo.security.authentication.ntlm;
-
-import java.util.Date;
-
-import net.sf.acegisecurity.UserDetails;
-import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;
-
-import org.alfresco.error.AlfrescoRuntimeException;
-import org.alfresco.repo.security.authentication.AuthenticationException;
-import org.alfresco.repo.security.authentication.MutableAuthenticationDao;
-import org.alfresco.service.cmr.repository.NodeService;
-import org.springframework.dao.DataAccessException;
-
-/**
- * Null Mutable Authentication Dao Class
- *
- *
Mutable authentication implementation that does nothing.
- *
- * @author GKSpencer
- */
-public class NullMutableAuthenticationDao implements MutableAuthenticationDao
-{
- /**
- * @param nodeService ignored
- */
- public void setNodeService(NodeService nodeService)
- {
- // do nothing
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void createUser(String userName, char[] rawPassword) throws AuthenticationException
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void createUser(String caseSensitiveUserName, String hashedpassword, char[] rawPassword) throws AuthenticationException
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void updateUser(String userName, char[] rawPassword) throws AuthenticationException
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void deleteUser(String userName) throws AuthenticationException
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * Check is a user exists.
- *
- * @return true always
- */
- @Override
- public boolean userExists(String userName)
- {
- return true;
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void setEnabled(String userName, boolean enabled)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public boolean getEnabled(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void setAccountExpires(String userName, boolean expires)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public boolean getAccountExpires(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public boolean getAccountHasExpired(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void setCredentialsExpire(String userName, boolean expires)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public boolean getCredentialsExpire(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public boolean getCredentialsHaveExpired(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void setLocked(String userName, boolean locked)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public boolean getLocked(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public boolean getAccountlocked(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void setAccountExpiryDate(String userName, Date exipryDate)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public Date getAccountExpiryDate(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public void setCredentialsExpiryDate(String userName, Date exipryDate)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public Date getCredentialsExpiryDate(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public String getMD4HashedPassword(String userName)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public UserDetails loadUserByUsername(String arg0) throws UsernameNotFoundException, DataAccessException
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-
- /**
- * @throws AlfrescoRuntimeException Not implemented
- */
- @Override
- public Object getSalt(UserDetails user)
- {
- throw new AlfrescoRuntimeException("Not implemented");
- }
-}
diff --git a/src/main/java/org/alfresco/repo/security/authentication/subsystems/SubsystemChainingFtpAuthenticator.java b/src/main/java/org/alfresco/repo/security/authentication/subsystems/SubsystemChainingFtpAuthenticator.java
index b253348d2b..b8ff2ddb32 100644
--- a/src/main/java/org/alfresco/repo/security/authentication/subsystems/SubsystemChainingFtpAuthenticator.java
+++ b/src/main/java/org/alfresco/repo/security/authentication/subsystems/SubsystemChainingFtpAuthenticator.java
@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software.
- * If the software was purchased under a paid Alfresco license, the terms of
- * the paid license agreement will prevail. Otherwise, the software is
- * provided under the following open source license terms:
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see .
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
package org.alfresco.repo.security.authentication.subsystems;
@@ -80,7 +80,7 @@ public class SubsystemChainingFtpAuthenticator extends AbstractChainingFtpAuthen
{
continue;
}
- // Only add active authenticators. E.g. we might have an passthru FTP authenticator that is disabled.
+ // Only add active authenticators. E.g. we might have a FTP authenticator that is disabled.
if (!(authenticator instanceof ActivateableBean)
|| ((ActivateableBean) authenticator).isActive())
{
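Review bot: The reworded comment above the `instanceof ActivateableBean` check now reads "a FTP authenticator" (it should be "an FTP"), and with the passthru example removed it no longer says what the condition admits. As the two lines below it are written, an authenticator that does not implement `ActivateableBean` is added unconditionally, and only `ActivateableBean` instances are filtered on `isActive()`. That is worth stating, because this condition decides which subsystems in the chain may authenticate FTP logins. I would write `// Only add active authenticators: an ActivateableBean must report isActive(); any other authenticator is always included.` The enclosing loop and method start and end outside this hunk, so how the resulting list is consumed is not visible here.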
diff --git a/src/main/resources/alfresco/messages/authentication.properties b/src/main/resources/alfresco/messages/authentication.properties
index 0fd9860fca..7738e1ef35 100644
--- a/src/main/resources/alfresco/messages/authentication.properties
+++ b/src/main/resources/alfresco/messages/authentication.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=LDAP User {0} not found
authentication.err.connection.ldap.manager.notfound=LDAP Manager User {0} not found
authentication.err.connection.ldap.search=Unable to search LDAP. Reason {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=Failed to open session to passthru server
-authentication.err.passthru.token.unsupported=Unsupported authentication token type
-authentication.err.passthru.guest.notenabled=Guest logons disabled
-authentication.err.passthru.user.disabled=Account disabled
-authentication.err.passthru.user.notfound=Passthru user {0} not found
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validation of request
authentication.step.ldap.connecting=Connecting to LDAP Server {0}
diff --git a/src/main/resources/alfresco/messages/authentication_de.properties b/src/main/resources/alfresco/messages/authentication_de.properties
index 5167a5d53b..1875f78b4b 100644
--- a/src/main/resources/alfresco/messages/authentication_de.properties
+++ b/src/main/resources/alfresco/messages/authentication_de.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=LDAP-Benutzer {0} nicht gefunde
authentication.err.connection.ldap.manager.notfound=LDAP Manager-Benutzer {0} nicht gefunden
authentication.err.connection.ldap.search=LDAP kann nicht durchsucht werden. Grund: {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=Sitzung mit Passthru-Server konnte nicht ge\u00f6ffnet werden
-authentication.err.passthru.token.unsupported=Nicht unterst\u00fctzter Authentifizierungs-Token
-authentication.err.passthru.guest.notenabled=G\u00e4ste-Anmeldungen deaktiviert
-authentication.err.passthru.user.disabled=Konto deaktiviert
-authentication.err.passthru.user.notfound=Passthru-Benutzer {0} nicht gefunden
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=\u00dcberpr\u00fcfung der Anfrage
authentication.step.ldap.connecting=Verbindungsaufbau zum LDAP-Server {0}
diff --git a/src/main/resources/alfresco/messages/authentication_es.properties b/src/main/resources/alfresco/messages/authentication_es.properties
index 99fc3612ae..2f6bfadf73 100644
--- a/src/main/resources/alfresco/messages/authentication_es.properties
+++ b/src/main/resources/alfresco/messages/authentication_es.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=No se encontr\u00f3 el usuario
authentication.err.connection.ldap.manager.notfound=No se encontr\u00f3 el usuario administrador LDAP {0}
authentication.err.connection.ldap.search=No se pudo buscar LDAP. Raz\u00f3n {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=No se pudo abrir una sesi\u00f3n en el servidor passthru
-authentication.err.passthru.token.unsupported=Tipo de token de autenticaci\u00f3n no compatible
-authentication.err.passthru.guest.notenabled=Inicios de sesi\u00f3n como invitado deshabilitados
-authentication.err.passthru.user.disabled=Cuenta deshabilitada
-authentication.err.passthru.user.notfound=No se encontr\u00f3 el usuario passthru {0}
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validaci\u00f3n de solicitud
authentication.step.ldap.connecting=Conectando al servidor LDAP {0}
diff --git a/src/main/resources/alfresco/messages/authentication_fr.properties b/src/main/resources/alfresco/messages/authentication_fr.properties
index 92df8fb3ac..c6ae3a3943 100644
--- a/src/main/resources/alfresco/messages/authentication_fr.properties
+++ b/src/main/resources/alfresco/messages/authentication_fr.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=Utilisateur LDAP {0} introuvabl
authentication.err.connection.ldap.manager.notfound=Utilisateur gestionnaire LDAP {0} introuvable
authentication.err.connection.ldap.search=Impossible de rechercher dans LDAP. Raison {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=Impossible d'ouvrir une session sur le serveur interm\u00e9diaire
-authentication.err.passthru.token.unsupported=Type de jeton d'authentification non pris en charge
-authentication.err.passthru.guest.notenabled=Connexions invit\u00e9s d\u00e9sactiv\u00e9es
-authentication.err.passthru.user.disabled=Compte d\u00e9sactiv\u00e9
-authentication.err.passthru.user.notfound=Utilisateur interm\u00e9diaire {0} introuvable
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validation de requ\u00eate
authentication.step.ldap.connecting=Connexion au serveur LDAP {0}
diff --git a/src/main/resources/alfresco/messages/authentication_it.properties b/src/main/resources/alfresco/messages/authentication_it.properties
index 9839ebc382..92eb6bd06c 100644
--- a/src/main/resources/alfresco/messages/authentication_it.properties
+++ b/src/main/resources/alfresco/messages/authentication_it.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=Utente LDAP {0} non trovato
authentication.err.connection.ldap.manager.notfound=Utente manager LDAP {0} non trovato
authentication.err.connection.ldap.search=Impossibile cercare in LDAP. Motivo {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=Impossibile aprire una sessione con il server passthru
-authentication.err.passthru.token.unsupported=Tipo di token di autenticazione non supportato
-authentication.err.passthru.guest.notenabled=Login ospiti disabilitati
-authentication.err.passthru.user.disabled=Account disabilitato
-authentication.err.passthru.user.notfound=Utente Passthru {0} non trovato
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Convalida della richiesta
authentication.step.ldap.connecting=Connessione al server LDAP {0} in corso
diff --git a/src/main/resources/alfresco/messages/authentication_ja.properties b/src/main/resources/alfresco/messages/authentication_ja.properties
index 0ad9ce9be7..5421330115 100644
--- a/src/main/resources/alfresco/messages/authentication_ja.properties
+++ b/src/main/resources/alfresco/messages/authentication_ja.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=LDAP \u30e6\u30fc\u30b6\u30fc {
authentication.err.connection.ldap.manager.notfound=LDAP \u30de\u30cd\u30fc\u30b8\u30e3\u30e6\u30fc\u30b6\u30fc {0} \u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093
authentication.err.connection.ldap.search=LDAP \u3092\u691c\u7d22\u3067\u304d\u307e\u305b\u3093\u3002 \u7406\u7531\uff1a {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=\u30d1\u30b9\u30b9\u30eb\u30fc\u30b5\u30fc\u30d0\u30fc\u3078\u306e\u30bb\u30c3\u30b7\u30e7\u30f3\u3092\u958b\u3051\u307e\u305b\u3093\u3067\u3057\u305f
-authentication.err.passthru.token.unsupported=\u30b5\u30dd\u30fc\u30c8\u3055\u308c\u3066\u3044\u306a\u3044\u8a8d\u8a3c\u30c8\u30fc\u30af\u30f3\u30bf\u30a4\u30d7\u3067\u3059
-authentication.err.passthru.guest.notenabled=\u30b2\u30b9\u30c8\u30ed\u30b0\u30a4\u30f3\u304c\u7121\u52b9\u3067\u3059
-authentication.err.passthru.user.disabled=\u30a2\u30ab\u30a6\u30f3\u30c8\u304c\u7121\u52b9\u3067\u3059
-authentication.err.passthru.user.notfound=\u30d1\u30b9\u30b9\u30eb\u30fc\u30e6\u30fc\u30b6\u30fc {0} \u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u691c\u8a3c
authentication.step.ldap.connecting=LDAP \u30b5\u30fc\u30d0\u30fc {0} \u306b\u63a5\u7d9a\u3057\u3066\u3044\u307e\u3059
diff --git a/src/main/resources/alfresco/messages/authentication_nb.properties b/src/main/resources/alfresco/messages/authentication_nb.properties
index 8ea91f18a7..ff3cac291e 100644
--- a/src/main/resources/alfresco/messages/authentication_nb.properties
+++ b/src/main/resources/alfresco/messages/authentication_nb.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=Finner ikke LDAP-brukeren {0}
authentication.err.connection.ldap.manager.notfound=Finner ikke LDAP-administratorbrukeren {0}
authentication.err.connection.ldap.search=Kan ikke s\u00f8ke i LDAP. \u00c5rsak {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=Kan ikke \u00e5pne \u00f8kt til gjennomgangsserver
-authentication.err.passthru.token.unsupported=Tokentype for godkjenning st\u00f8ttes ikke
-authentication.err.passthru.guest.notenabled=Gjestep\u00e5logginger er deaktivert
-authentication.err.passthru.user.disabled=Konto er deaktivert
-authentication.err.passthru.user.notfound=Finner ikke gjennomgangsbrukeren {0}
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validering av foresp\u00f8rsel
authentication.step.ldap.connecting=Koble til LDAP-server {0}
diff --git a/src/main/resources/alfresco/messages/authentication_nl.properties b/src/main/resources/alfresco/messages/authentication_nl.properties
index 2d390f56c0..f25e24e2d7 100644
--- a/src/main/resources/alfresco/messages/authentication_nl.properties
+++ b/src/main/resources/alfresco/messages/authentication_nl.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=LDAP-gebruiker {0} niet gevonde
authentication.err.connection.ldap.manager.notfound=LDAP-beheerdergebruiker {0} niet gevonden
authentication.err.connection.ldap.search=Kan niet zoeken naar LDAP. Reden {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=Kan sessie met Passthru-server niet openen
-authentication.err.passthru.token.unsupported=Niet-ondersteund type verificatietoken
-authentication.err.passthru.guest.notenabled=Gastaanmeldingen uitgeschakeld
-authentication.err.passthru.user.disabled=Account uitgeschakeld
-authentication.err.passthru.user.notfound=Passthru-gebruiker {0} niet gevonden
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Validatie van aanvraag
authentication.step.ldap.connecting=Verbinding maken LDAP-server {0}
diff --git a/src/main/resources/alfresco/messages/authentication_pt_BR.properties b/src/main/resources/alfresco/messages/authentication_pt_BR.properties
index 536ab7781b..411fadb9be 100644
--- a/src/main/resources/alfresco/messages/authentication_pt_BR.properties
+++ b/src/main/resources/alfresco/messages/authentication_pt_BR.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=Usu\u00e1rio LDAP {0} n\u00e3o
authentication.err.connection.ldap.manager.notfound=Usu\u00e1rio do gerenciador LDAP {0} n\u00e3o encontrado
authentication.err.connection.ldap.search=N\u00e3o \u00e9 poss\u00edvel pesquisar o LDAP. Raz\u00e3o {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=Falha ao abrir a sess\u00e3o para o servidor de passagem
-authentication.err.passthru.token.unsupported=Tipo de token de autentica\u00e7\u00e3o n\u00e3o suportado
-authentication.err.passthru.guest.notenabled=Logons de convidado desativados
-authentication.err.passthru.user.disabled=Conta desativada
-authentication.err.passthru.user.notfound=Usu\u00e1rio de passagem {0} n\u00e3o encontrado
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=Valida\u00e7\u00e3o de solicita\u00e7\u00e3o
authentication.step.ldap.connecting=Conectando-se ao servidor LDAP {0}
diff --git a/src/main/resources/alfresco/messages/authentication_ru.properties b/src/main/resources/alfresco/messages/authentication_ru.properties
index 6a2ade27e1..cf1a5c582f 100644
--- a/src/main/resources/alfresco/messages/authentication_ru.properties
+++ b/src/main/resources/alfresco/messages/authentication_ru.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=\u041f\u043e\u043b\u044c\u0437\
authentication.err.connection.ldap.manager.notfound=\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0434\u0438\u0441\u043f\u0435\u0442\u0447\u0435\u0440\u0430 LDAP {0} \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d
authentication.err.connection.ldap.search=\u041d\u0435 \u0443\u0434\u0430\u0435\u0442\u0441\u044f \u043d\u0430\u0439\u0442\u0438 LDAP. \u041f\u0440\u0438\u0447\u0438\u043d\u0430: {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=\u041d\u0435 \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u043e\u0442\u043a\u0440\u044b\u0442\u044c \u0441\u0435\u0430\u043d\u0441 \u0441\u0432\u044f\u0437\u0438 \u0441 \u043f\u0440\u043e\u043c\u0435\u0436\u0443\u0442\u043e\u0447\u043d\u044b\u043c \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c
-authentication.err.passthru.token.unsupported=\u041d\u0435\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0435\u043c\u044b\u0439 \u0442\u0438\u043f \u043c\u0430\u0440\u043a\u0435\u0440\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438
-authentication.err.passthru.guest.notenabled=\u0412\u0445\u043e\u0434\u044b \u0433\u043e\u0441\u0442\u044f \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u044b
-authentication.err.passthru.user.disabled=\u0423\u0447\u0435\u0442\u043d\u0430\u044f \u0437\u0430\u043f\u0438\u0441\u044c \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0430
-authentication.err.passthru.user.notfound=\u041f\u0440\u043e\u043c\u0435\u0436\u0443\u0442\u043e\u0447\u043d\u044b\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c {0} \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=\u041f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0437\u0430\u043f\u0440\u043e\u0441\u0430
authentication.step.ldap.connecting=\u041f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 \u043a \u0441\u0435\u0440\u0432\u0435\u0440\u0443 LDAP {0}
diff --git a/src/main/resources/alfresco/messages/authentication_zh_CN.properties b/src/main/resources/alfresco/messages/authentication_zh_CN.properties
index 02a22d91fb..e94a8867d6 100644
--- a/src/main/resources/alfresco/messages/authentication_zh_CN.properties
+++ b/src/main/resources/alfresco/messages/authentication_zh_CN.properties
@@ -12,13 +12,6 @@ authentication.err.connection.ldap.user.notfound=\u672a\u627e\u5230 LDAP \u7528\
authentication.err.connection.ldap.manager.notfound=\u672a\u627e\u5230 LDAP \u7ba1\u7406\u5668\u7528\u6237 {0}
authentication.err.connection.ldap.search=\u65e0\u6cd5\u641c\u7d22 LDAP\u3002 \u539f\u56e0 {0}
-# PASSTHRU
-authentication.err.connection.passthru.server=\u6253\u5f00 passthru \u670d\u52a1\u5668\u4f1a\u8bdd\u5931\u8d25
-authentication.err.passthru.token.unsupported=\u8eab\u4efd\u9a8c\u8bc1\u4ee4\u724c\u7c7b\u578b\u4e0d\u53d7\u652f\u6301
-authentication.err.passthru.guest.notenabled=\u5df2\u7981\u7528\u8bbf\u5ba2\u767b\u5f55
-authentication.err.passthru.user.disabled=\u5df2\u7981\u7528\u5e10\u6237
-authentication.err.passthru.user.notfound=\u672a\u627e\u5230 Passthru \u7528\u6237 {0}
-
# Authentication Diagnostic Steps
authentication.step.ldap.validation=\u8bf7\u6c42\u9a8c\u8bc1
authentication.step.ldap.connecting=\u6b63\u5728\u8fde\u63a5\u5230 LDAP \u670d\u52a1\u5668 {0}
diff --git a/src/main/resources/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml b/src/main/resources/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml
index 7ce2921f9d..52b8ec122d 100644
--- a/src/main/resources/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml
+++ b/src/main/resources/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml
@@ -63,7 +63,6 @@
org.alfresco.repo.security.authentication.AuthenticationComponent
- org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator
diff --git a/src/main/resources/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties b/src/main/resources/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties
deleted file mode 100644
index 92a05ba64e..0000000000
--- a/src/main/resources/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties
+++ /dev/null
@@ -1,13 +0,0 @@
-passthru.authentication.useLocalServer=false
-passthru.authentication.domain=DOMAIN
-passthru.authentication.servers=
-passthru.authentication.guestAccess=false
-passthru.authentication.defaultAdministratorUserNames=
-#Timeout value when opening a session to an authentication server, in milliseconds
-passthru.authentication.connectTimeout=5000
-#Offline server check interval in seconds
-passthru.authentication.offlineCheckInterval=300
-passthru.authentication.protocolOrder=TCPIP,NetBIOS
-passthru.authentication.authenticateFTP=true
-passthru.authentication.sessionCleanup=true
-passthru.authentication.broadcastMask=
diff --git a/src/main/resources/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml b/src/main/resources/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml
deleted file mode 100644
index afc62caada..0000000000
--- a/src/main/resources/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml
+++ /dev/null
@@ -1,125 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ${passthru.authentication.useLocalServer}
-
-
- ${passthru.authentication.servers}
-
-
- ${passthru.authentication.domain}
-
-
-
- ${passthru.authentication.connectTimeout}
-
-
-
- ${passthru.authentication.offlineCheckInterval}
-
-
- ${passthru.authentication.protocolOrder}
-
-
- true
-
-
- ${passthru.authentication.broadcastMask}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ${passthru.authentication.guestAccess}
-
-
- ${passthru.authentication.defaultAdministratorUserNames}
-
-
-
-
-
-
-
- org.alfresco.repo.security.authentication.AuthenticationComponent
- org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator
-
-
-
-
-
-
-
-
-
-
- ${server.transaction.mode.default}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ${authentication.protection.enabled}
-
-
- ${authentication.protection.limit}
-
-
- ${authentication.protection.periodSeconds}
-
-
-
-
-
-
- ${passthru.authentication.authenticateFTP}
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/src/test/resources/log4j.properties b/src/test/resources/log4j.properties
index 68a7839bc3..e108d488dd 100644
--- a/src/test/resources/log4j.properties
+++ b/src/test/resources/log4j.properties
@@ -123,10 +123,6 @@ log4j.logger.org.alfresco.ftp.protocol=error
#log4j.logger.org.alfresco.webdav.protocol=debug
log4j.logger.org.alfresco.webdav.protocol=info
-# NTLM servlet filters
-#log4j.logger.org.alfresco.web.app.servlet.NTLMAuthenticationFilter=debug
-#log4j.logger.org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter=debug
-
# Kerberos servlet filters
#log4j.logger.org.alfresco.web.app.servlet.KerberosAuthenticationFilter=debug
#log4j.logger.org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter=debug