18157: ETHREEOH-3787: Support portal URL rewriting within surf webscripts
- WebScriptServletResponse extended to use portlet helper to rewrite URLs when running in context of a portlet. (We can't use WebScriptPortletRequest / Response because we need the full servlet runtime for Surf.)
- CMIS test webscripts corrected to be portlet enabled
18272: Merged DEV/BELARUS/V3.2-2010_01_11 to V3.2
18257: ETHREEOH-4002: User/Group sync does not handle LDAP communication failures
- Merged with corrections
18276: ETHREEOH-4002: Correction to previous checkin - modification dates are only persisted after successful processing of users and groups, so need to delete them on comms failure
18326: ETHREEOH-3873: usr:authorityContainer type metadata must be left in place for upgraded repositories
- Otherwise you get errors when re-indexing the migrated group nodes
18340: ETHREEOH-4069: LDAP sync cannot resolve DNs containing a slash character
- Due to JNDI interpreting the slash character as a separator
18403: ETHREEOH-4008: LDAP sync should preserve case of group members
- Was incorrectly extracting attributes from lower-cased DN
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18433 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
18088: ETHREEOH-3787: Addition of liferay-display.xml to define category for demo portlet
18053: Build fix: Re-enable log ins to Alfresco web app when not running in a portlet container
- Removed direct dependencies between FacesHelper and portlet API
18037: Merged DEV/DAVEW/SURFPORTLET to V3.2
17669: Changes to enable surf rendering from a portlet
- New DispatcherPortlet forwards portlet requests to the DispatcherServlet as servlet requests.
- A new filter 'lazily' creates users' dashboard pages to avoid the need to have to redirect from site-index.jsp
- Build against JSR 286 portlet 2.0 API jar
- Exclude portlet API jar from war to avoid ClassCastExceptions
- Lazily init portlet authenticators to avoid ClassNotFoundExceptions when not running in a portlet container
- Fix web.xml schema validation problems
- UserFactory session keys given unique prefix to avoid class with Liferay shared session attributes
- Liferay deployment descriptor to enable user principal name resolution
- Fixed subsystem problem that prevented the override of a property with the empty string in alfresco-global.properties. Stopped 'unprotected' external auth from working.
18019: ETHREEOH-3770: LDAP sync now supports attribute range retrieval to get around limits imposed by Active Directory on multi-valued attributes
- Meant that groups with more than 1000 members were getting truncated in Active Directory
- Now switched on in ldap-ad and off in ldap subsystem
- Also switched off result set paging in ldap subsystem by default for wider compatibility with non-AD systems
17759: Merged DEV/BELARUS/V3.2-2009_11_24 to V3.2
17755: ETHREEOH-3739: build 283: Upgrades from 3.1.1 and 3.1.2 fail on JBoss 5.1
- The getFile method was created for ImapFoldersPatch to retrieve acp file for ACPImportPackageHandler.
- This method tries to load ACP file from file location and if it is unsuccessful then creates temporary file from resource input stream.
- In other words we apply aproach from ImporterBootstrap.
17600: ETHREEOH-1002: Avoid using HTTP 1.1 chunked transfer encoding to send heartbeat data because some proxy servers can't cope with it!
- Unit test can now parse chunked and un-chunked HTTP requests
17597: Further optimizations to authority caching
- Don't invalidate entire user authority lookup cache when user added to or removed from an authority
17588: Fix up authority caching
- Need to include tenant domain in cache key
- Also reinstated cache of user recursive group memberships for performance purposes
17559: ETHREEOH-3440: Authority search performance improvements
- AuthorityDAO now uses Lucene (again) to do wildcard style authority searches by name, type and zone
- Retrieval by exact name, type and zone still performed by DB methods
- DB methods now optimized to avoid having to load group child nodes to determine group membership
- Authority cache now stores authority node refs by name to reduce authority resolution queries
- ScriptGroup avoids hammering repository with multiple searches to determine group membership
17545: ETHREEOH-3371: Fixed group searches to search within the default zone and thus hide 'invisible' WCM and Share groups.
17527: ETHREEOH-3375: Use static inner class for cache key to avoid non serializable exceptions
17523: ETHREEOH-3337: Fix NPEs in RepoServerMgmt operations
- Transactional cache can have entries with non-null keys and null values
17521: ETHREEOH-3158: Proper handling of user validation failures in Kerberos Authentication filters.
17490: Fix failing HeartBeatTest
- Prevent possibility of both test and non-test public keys being used at the same time
17481: Fix build for Jan
- Removed JDK 1.6 String.isEmpty() references
17472: Follow-on for ETHREEOH-2648 - tighten guest login, eg. if no guest configured (in auth chain)
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@18108 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
16939: Merged V3.1 to V3.2
16938: ETHREEOH-622: AuthorityServiceImpl uses userNameMatcher to check for admin users according to case sensitivity settings
16934: ETHREEOH-2584: Coding error in BaseSSOAuthenticationFilter
16924: LDAP Performance
- Created NodeService addChild variants that can add associations to multiple parents (groups/zones) at the same time with a single path check.
- Created AuthorityService addAuthority variant that can add an authority to multiple groups at the same time, using the above
- Optimized group association creation strategy. Groups and Persons created in 'depth first' order (root groups first, parents last). Prevents the nodes having to be reindexed.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@17070 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
16662: LDAP sync: improved group association filtering, referential integrity checking, deletion strategy and performance tuning of batch sizes
16648: ETHREEOH-2752: Improved ticket validation fix
- Invalidate user's tickets during person deletion rather than validation or it can mess up chained validation
16647: ETHREEOH-2534: Fixed Sharepoint NTLM authentication
- user details were never getting cached in the session
16579: Small improvement to LDAP error reporting
- Committed errors counted before successes in a logging interval
16515: LDAP sync performance
- Improved full sync strategy - run differential queries to work out required updates/additions and full queries to work out required deletions. Saves updating unchanged nodes.
- Use a TreeSet rather than a HashSet to gather group associations in an attempt to avoid blowing the heap size
16498: More LDAP performance improvements
- Uses thread pool with 4 worker threads and blocking queue to process returned results. The number of worker threads can be controlled by the synchronization.workerThreads property.
- Switched LDAP connection pooling back on again
- Group Associations processsed individually so that errors are collated and we get a better idea of their throughput
- Fixed potential bug. Group membership resolution done with isolated LDAP context to avoid cookies from paging creeping in.
16424: Try switching off LDAP connection pooling to see if it works better with our flaky server.
16414: Further LDAP fault tolerance
- Log causes of group member resolution failures where possible
16413: More fault tolerance for LDAP sync
- Always commit last sync times before overall sync is complete to avoid the 'forgetting' of differential sync information
- DN comparisons should be case insensitive to avoid issues resolving DNs to user and group IDs
16398: Improved monitoring and fault tolerance for LDAP sync
- When the batch is complete a summary of the number of errors and the last error stack trace will be logged at ERROR level
- Each individual error is logged at WARN level and progress information (including % complete) is collated and logged at INFO level after a configurable interval
- In the Enterprise Edition all metrics can be monitored in real time through JMX
- Sanity testing to be performed by Mike!
16319: Merged HEAD to V3.2
16316: ALFCOM-3397: JBoss 5 compatibility fix
- Relative paths used by LDAP subsystem configuration weren't being resolved correctly
- See also https://jira.jboss.org/jira/browse/JBAS-6548 and https://jira.springsource.org/browse/SPR-5120
16272: ETHREEOH-2752: Once more with feeling!
16261: ETHREEOH-2752: Correct exception propagation.
16260: ETHREEOH-2752: Fix ticket validation
- Current ticket was getting forgotten by previous fix
- Person validation in CHECK mode now done AFTER the current user is set, so that the current ticket is remembered
16243: ETHREEOH-2752: Improve ticket validation used by all authentication filters
- Now takes into account whether person actually exists or not
- Tickets for non-nonexistent persons are now considered invalid and cached session information is invalidated
- New BaseAuthenticationFilter superclass for all authentication filters
- Improved fix to ETHREEOH-2839: WebDAV user is cached consistently using a different session attribute from the Web Client
16233: ETHREEOH-2754: Correction to previous checkin.
- relogin for SSO authentication, logout for normal login page
- logout is default
16232: ETHREEOH-2754: Log Out Action outcome passed as a parameter
- relogin for SSO authentication, login for normal login page
- Means the log out link always leads to the correct place, even when the session has expired
- Also lowered ticket validation error logging to DEBUG level to avoid unnecessary noise in the logs from expired sessions
16220: ETHREEOH-2839: Fixed potential ClassCastExceptions when Alfresco accessed via WebDAV and Web Client links in same browser
- WebDAV side no longer directly casts session user to a WebDAVUser
- ContextListener no longer casts session user to web client user
- Web client side will 'promote' session user to a web client User if necessary via AuthenticationHelper
- All authentication filters made to use appropriate AuthenticationHelper methods
16211: ETHREEOH-2835: LDAP sync batches user and group deletions as well as creations
- Also improved logging of sync failures
16197: ETHREEOH-2782: LDAP subsystems now support search-based user DN resolution
- When ldap.authentication.userNameFormat isn't set (now the default) converts a user ID to a DN by running ldap.synchronization.personQuery with an extra condition tacked on the end to find the user by ID
- Structured directories and authentication by attributes not in the DN such as email address now supported
16189: ALFCOM-3283: Prevent errors when user accepts an invite when not logged in
- new isGuest attribute propagated to user object
- header component (used by accept-invite page) needs to avoid calling prefs and site webscripts for guest user
- Conditional stuff in header template changed to use user.isGuest
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16896 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- Fixed parsing of timestamps
- Fixed resolution of group members
- Shared Spring configuration with ldap subsystem
- Authentication still only supported with DIGEST-MD5 binding enabled - chain with passthru authentication otherwise
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14934 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
14587: Added new node service method getNodesWithoutParentAssocsOfType to public-services-security-context.xml (or at least my best guess at it!)
14586: Use US spelling of synchronization in filenames for consistency
14585: Lower the default user registry sync frequency to daily instead of hourly. Now users and groups are pulled over incrementally on login of missing users.
14583: Unit test for ChainingUserRegistrySynchronizer
14571: Migration patch for existing authorities previously held in users store
- Uses AuthorityService to recreate authorities in spaces store with new structure
14555: Authority service changes for LDAP sync improvements
- Moved sys:authorities container to spaces store
- All authorities now stored directly under sys:authorities
- Authorities can now be looked up directly by node service
- Secondary child associations used to model group relationships
- 'Root' groups for UI navigation determined dynamically by node service query
- cm:member association used to relate both authority containers and persons to other authorities
- New cm:inZone association relates persons and authority containers to synchronization 'zones' stored under sys:zones
- Look up of authority zone and all authorities in a zone to enable multi-zone LDAP sync
14524: Dev branch for finishing LDAP zones and upgrade impact
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14588 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
