Merged V2.0 to HEAD

5523: Merged V1.4 to V2.0
      5494: db.schema.update=false disables ALL metadata queries
      5500: AR-1399 NTProtocolHander search handle leakage
      5522: AR-1412 IndexRemoteTransactionTracker startup
   5541: Merged V1.4 to V2.0
      5525: Pass-through authentication and domain mapping
         Resolved minor conflict on AlfrescoAuthenticator.java
      5526: Domain mapping support


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@5546 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/security/authentication/ntlm/NTLMAuthenticationComponentImpl.java

@@ -34,6 +34,8 @@ import java.security.Security;
 import java.util.Enumeration;
 import java.util.Hashtable;
 
+import javax.transaction.UserTransaction;
+
 import net.sf.acegisecurity.Authentication;
 import net.sf.acegisecurity.AuthenticationServiceException;
 import net.sf.acegisecurity.BadCredentialsException;
@@ -53,7 +55,9 @@ import org.alfresco.repo.security.authentication.AuthenticationException;
 import org.alfresco.repo.security.authentication.NTLMMode;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.NoSuchPersonException;
 import org.alfresco.service.cmr.security.PersonService;
+import org.alfresco.service.transaction.TransactionService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -95,6 +99,10 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
     
     private boolean m_allowGuest;
     
+    // Allow authenticated users that do not have an Alfresco person to logon as guest
+    
+    private boolean m_allowAuthUserAsGuest;
+    
     // Table of currently active passthru authentications and the associated authentication session
     //
     // If the two authentication stages are not completed within a reasonable time the authentication
@@ -114,6 +122,7 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
     
     private PersonService m_personService;
     private NodeService m_nodeService;
+    private TransactionService m_transactionService;
     
     /**
      * Passthru Session Reaper Thread
@@ -362,6 +371,16 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
         m_allowGuest = Boolean.parseBoolean(guest);
     }
     
+    /**
+     * Allow authenticated users with no alfresco person record to logon with guest access
+     * 
+     * @param auth String
+     */
+    public void setAllowAuthUserAsGuest(String auth)
+    {
+        m_allowAuthUserAsGuest = Boolean.parseBoolean(auth);
+    }
+    
     /**
      * Set the JCE provider
      * 
@@ -461,6 +480,16 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
         m_nodeService = nodeService;
     }
     
+    /**
+     * Set the transaction service
+     * 
+     * @param transService TransactionService
+     */
+    public final void setTransactionService(TransactionService transService)
+    {
+        m_transactionService = transService;
+    }
+
     /**
      * Return the authentication session timeout, in milliseconds
      * 
@@ -756,7 +785,7 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
             
             // Open an authentication session for the new token and add to the active session list
             
-            authSess = m_passthruServers.openSession();
+            authSess = m_passthruServers.openSession( false, ntlmToken.getClientDomain());
             
             // Check if the session was opened to the passthru server
             
@@ -792,6 +821,8 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
         }
         else
         {
+            UserTransaction tx = null;
+            
             try
             {
                 // Stage two of the authentication, send the hashed password to the authentication server
@@ -835,6 +866,11 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
                 
                 ntlmToken.setAuthenticated(true);
 
+                // Wrap the service calls in a transaction
+                
+            	tx = m_transactionService.getUserTransaction( true);
+            	tx.begin();
+            	
                 // Map the passthru username to an Alfresco person
                 
                 NodeRef userNode = m_personService.getPerson(username);
@@ -861,7 +897,32 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
                     if ( logger.isDebugEnabled())
                         logger.debug("Setting current user using username " + username);
                 }
-            }                
+            }
+            catch (NoSuchPersonException ex)
+            {
+            	// Check if authenticated users are allowed on as guest when there is no Alfresco person record
+            	
+            	if ( m_allowAuthUserAsGuest == true)
+            	{
+                    // Set the guest authority
+                    
+                    GrantedAuthority[] authorities = new GrantedAuthority[1];
+                    authorities[0] = new GrantedAuthorityImpl(NTLMAuthorityGuest);
+                    
+                    ntlmToken.setAuthorities(authorities);
+
+                    // DEBUG
+                    
+                    if ( logger.isDebugEnabled())
+                        logger.debug("Allow passthru authenticated user to logon as guest, user=" + ntlmToken.getName());
+            	}
+            	else
+            	{
+            		// Logon failure, no matching person record
+            		
+                    throw new AuthenticationServiceException("Logon failure", ex);
+            	}
+            }
             catch (IOException ex)
             {
                 // Error connecting to the authentication server
@@ -899,6 +960,12 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
                 else
                     throw new BadCredentialsException("Logon failure");
             }
+            catch (Exception ex)
+            {
+                // General error
+                
+                throw new AuthenticationServiceException("General error", ex);
+            }
             finally
             {
                 // Make sure the authentication session is closed
@@ -919,6 +986,19 @@ public class NTLMAuthenticationComponentImpl extends AbstractAuthenticationCompo
                     {
                     }
                 }
+                
+                // Commit or rollback the transaction, if active
+                
+                if ( tx != null)
+                {
+                	try
+                	{
+                		tx.commit();
+                	}
+                	catch ( Exception ex)
+                	{
+                	}
+                }
             }
         }
     }

source/java/org/alfresco/repo/security/authentication/ntlm/NTLMLocalToken.java

@@ -24,6 +24,8 @@
  */
 package org.alfresco.repo.security.authentication.ntlm;
 
+import java.net.InetAddress;
+
 import net.sf.acegisecurity.GrantedAuthority;
 import net.sf.acegisecurity.providers.*;
 
@@ -37,6 +39,11 @@ public class NTLMLocalToken extends UsernamePasswordAuthenticationToken
 {
     private static final long serialVersionUID = -7946514578455279387L;
 
+    // Optional client domain and IP address, used to route the passthru authentication to the correct server(s)
+    
+    private String m_clientDomain;
+    private String m_clientAddr;
+    
     /**
      * Class constructor
      */
@@ -44,6 +51,17 @@ public class NTLMLocalToken extends UsernamePasswordAuthenticationToken
     {
         super(null, null);
     }
+
+    /**
+     * Class constructor
+     * 
+     * @param ipAddr InetAddress
+     */
+    protected NTLMLocalToken( InetAddress ipAddr)
+    {
+    	if ( ipAddr != null)
+    		m_clientAddr = ipAddr.getHostAddress();
+    }
     
     /**
      * Class constructor
@@ -55,6 +73,21 @@ public class NTLMLocalToken extends UsernamePasswordAuthenticationToken
         super(username.toLowerCase(), plainPwd);
     }
     
+    /**
+     * Class constructor
+     * 
+     * @param username String
+     * @param plainPwd String
+     * @param domain String
+     * @param ipAddr String
+     */
+    public NTLMLocalToken(String username, String plainPwd, String domain, String ipAddr) {
+        super(username != null ? username.toLowerCase() : "", plainPwd);
+        
+        m_clientDomain = domain;
+        m_clientAddr   = ipAddr;
+    }
+       
     /**
      * Check if the user logged on as a guest
      * 
@@ -103,4 +136,44 @@ public class NTLMLocalToken extends UsernamePasswordAuthenticationToken
         
         return found;
     }
+
+    /**
+     * Check if the client domain name is set
+     * 
+     * @return boolean
+     */
+    public final boolean hasClientDomain()
+    {
+    	return m_clientDomain != null ? true : false;
+    }
+    
+    /**
+     * Return the client domain
+     * 
+     * @return String
+     */
+    public final String getClientDomain()
+    {
+    	return m_clientDomain;
+    }
+
+    /**
+     * Check if the client IP address is set
+     * 
+     * @return boolean
+     */
+    public final boolean hasClientAddress()
+    {
+    	return m_clientAddr != null ? true : false;
+    }
+    
+    /**
+     * Return the client IP address
+     * 
+     * @return String
+     */
+    public final String getClientAddress()
+    {
+    	return m_clientAddr;
+    }
 }

source/java/org/alfresco/repo/security/authentication/ntlm/NTLMPassthruToken.java

@@ -24,6 +24,8 @@
  */
 package org.alfresco.repo.security.authentication.ntlm;
 
+import java.net.InetAddress;
+
 /**
  * <p>Used to provide passthru authentication to a remote Windows server using multiple stages that
  * allows authentication details to be passed between a client and the remote authenticating server without
@@ -59,6 +61,28 @@ public class NTLMPassthruToken extends NTLMLocalToken
         super("", "");
     }
     
+    /**
+     * Class constructor
+     * 
+     * @params domain String
+     */
+    public NTLMPassthruToken( String domain)
+    {
+        // We do not know the username yet, and will not know the password
+        
+        super("", "", domain, null);
+    }
+    
+    /**
+     * Class constructor
+     * 
+     * @param ipAddr InetAddress
+     */
+    public NTLMPassthruToken( InetAddress ipAddr)
+    {
+        super( ipAddr);
+    }
+    
     /**
      * Return the challenge
      *