16062: ETHREEOH-2792: Support login via external SSO systems (such as CAS) in Alfresco Share
- In Alfresco, new "external" authentication subsystem maps user identity from HttpServletRequest.getRemoteUser() or configured header
- In Share, the UserFactory also recognizes HttpServletRequest.getRemoteUser() - no special filters required
- User ID propagated to Alfresco through X-Alfresco-Remote-User HTTP header
- This can be done securely via the use of an SSL client certificate that identifies the Share application to Alfresco as a special 'proxy' user
- New <keystore> section added to webscript-framework-config that allows specification of the keystore holding the client certificate and trusted CAs
- Support for SSL authentication and propagation of Cookies through redirects added to RemoteClient so that initial redirects through sign on pages are supported
- TODO: Wiki
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16065 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
15940: Merged V3.1 to V3.2 (record only)
15939: Merged V3.2 to V3.1
15936: ETHREEOH-2498: Fixed problems with auto-creation of users in CIFS Authenticators (including Kerberos)
15936: ETHREEOH-2498: Fixed problems with auto-creation of users in CIFS Authenticators (including Kerberos)
- Converted to using RetryingTransactionHelper and avoid problems with nested transactionService
- Will trigger LDAP sync if enabled
- Also switched on disableNTLM in kerberos-authentication-context.xml to force Kerberos CIFS authentication in Kerberos subsystem
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15941 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
15737: ETHREEOH-2535: Home folders for LDAP imported users appear in wrong place
- Changed the default for ldap.synchronization.defaultHomeFolderProvider to be userHomesHomeFolderProvider
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15738 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
15388: ETHREEOH-1872: Better debug logging in authentication components
- Now each authentication component logs every step of the authentication process (including reason for failure) if you switch on debug logging for that component or the entire org.alfresco.repo.security.authentication package. E.g.
log4j.logger.org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl=debug
log4j.logger.org.alfresco.repo.security.authentication.AuthenticationComponentImpl=debug
log4j.logger.org.alfresco.repo.security.authentication=debug
15196: Further LDAP sync performance improvements
- Bunch user and group creations into small transactions (except for differential sync on login)
- Run a differential sync on startup (so that bulk of users are not brought over on first login)
- Can be disabled by synchronization.syncOnStartup property
15135: Node creation / ACL performance improvements
- When an ACL was set on a leaf node such as a person, redundant 'shared' ACLs were created for child nodes with getInheritedAccessControlList(), even though no child nodes existed.
- Now setInheritanceForChildren() makes a 'lazy' call to getInheritedAccessControlList(), only when it realises there are child nodes
15133: Changes to datasource definition for improved performance
- Enable caching and reuse of prepared statements (by default 40 for each connection)
- Removed custom-connection-pool-context.xml.sample and instead introduced complete property set into repository.properties
- Updated v3.2 Wiki docs http://wiki.alfresco.com/wiki/Database_Configuration#Overriding_the_Database_Connection_Properties
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15439 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
15219: ETHREEOH-2328: Alfresco authentication component could use wrong ACEGI AuthenticationManager if not at the start of the authentication chain
- Moved authentication manager so that it is local to the alfrescoNtlm authentication subsystem
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15225 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- Fixed parsing of timestamps
- Fixed resolution of group members
- Shared Spring configuration with ldap subsystem
- Authentication still only supported with DIGEST-MD5 binding enabled - chain with passthru authentication otherwise
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14934 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- synchronization.syncWhenMissingPeopleLogIn
- synchronization.autoCreatePeopleOnLogin
When both are false you can now cause users who your LDAP sync doesn't bring in to be rejected (seems to be a requirement)
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14814 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- Open office seems to be temperamental about starting if its env:UserInstallation argument doesn't begin "file:///" on Windows or "file://" on Unix. The argument may not contain any backslashes either. Unfortunately, this doesn't correspond to Java's File to URI conversion
- Created OpenOfficeURI class for doing the formatting instead instead
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14771 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
14587: Added new node service method getNodesWithoutParentAssocsOfType to public-services-security-context.xml (or at least my best guess at it!)
14586: Use US spelling of synchronization in filenames for consistency
14585: Lower the default user registry sync frequency to daily instead of hourly. Now users and groups are pulled over incrementally on login of missing users.
14583: Unit test for ChainingUserRegistrySynchronizer
14571: Migration patch for existing authorities previously held in users store
- Uses AuthorityService to recreate authorities in spaces store with new structure
14555: Authority service changes for LDAP sync improvements
- Moved sys:authorities container to spaces store
- All authorities now stored directly under sys:authorities
- Authorities can now be looked up directly by node service
- Secondary child associations used to model group relationships
- 'Root' groups for UI navigation determined dynamically by node service query
- cm:member association used to relate both authority containers and persons to other authorities
- New cm:inZone association relates persons and authority containers to synchronization 'zones' stored under sys:zones
- Look up of authority zone and all authorities in a zone to enable multi-zone LDAP sync
14524: Dev branch for finishing LDAP zones and upgrade impact
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14588 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- Set of overridable properties now centralized to new global-properties bean and referenced by repository-properties, hibernateConfigProperties and subsystems
- Installer defaults can now be specified in classpath:alfresco-global.properties
- A special BeanFactoryPostProcessor ensures backward compatibility with existing alfresco/extension/*-context.xml files overriding repository-properties or hibernateConfigProperties.
- Subsystems pick up initial property values from global-properties. Placeholders expanded.
- Messages now output when subsystems stopped and started
- Object names lists to allow better hierarchical organisation
- Composite properties now supported by child application contexts
- Materialized in context.xml as ListFactoryBeans - lists of beans
- Configured values injected before application context started
- Configurable via alfresco-global.properties or JMX
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14351 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- An authentication chain of size 1 configured by default
- DefaultChildApplicationContextManager supports dynamic configuration of the authentication chain via Spring or JMX. Any number of instances of any type allowed in chain.
- SubsystemChainingAuthenticationComponent and SubsystemChainingAuthenticationService iterate across configured chain for Authentication
- SSO (NTLM / Kerberos) and CIFS authentication independently activatable for any component in chain (where supported).
- SubsystemChainingProxyFactory used to proxy directly to first active CIFS authenticator or SSO filter in the chain
- CIFS server knows not to bother starting if authentication chain doesn't have an active CIFS authenticator (e.g. LDAP only)
- Rationalization of subsystem configuration folder structure and JMX object naming
- Classpath based extension mechanism for community edition - alfresco/extension/subsystems/<category>/<typeName>/<id>/*.properties in classpath can be used to configure specific subsystem instances
- Simplification of JMX infrastructure. No longer Spring bean definition based, thus allowing dynamic creation/registration of new instances at runtime.
- New AuthenticationChainTest unit test
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14030 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- All supporting classes moved out to thirdparty subsystem
- Open Office service automatically started if available
- All utility locations editable via JMX (and subsystem can be reinitialized with new values without rebooting tomcat)
- New ContentTransformerWorker interface introduced in order to allow separation between ContentTransformer registry and third party utilities
- Existing JMX query capabilities preserved
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@13860 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- PassthruServerFactory created to allows PassthruServers singleton to be shared by CIFS, FTP and Alfresco passthru authenticators
- Also added NTLM + Alfresco (non-passthru) example. Doesn't seem to work yet!
- ExtendedServerConfigurationAccessor interface added BaseSSOAuthenticationFilter to get at local server name info from file server configuration
- toString() added to CIFSAuthenticator so that we can still properly log the authenticator type
- Fixed WebDAVServlet to go through ServerConfigurationAccessor interface to avoid ClassCastException
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@13823 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
- Minor JLAN changes (backward compatible)
- CIFSAuthenticator implements an interface (to allow dynamic proxying to authentication subsystem)
- CIFSAuthenticator accesses ServerConfiguration via ServerConfigurationAccessor interface and doesn't retain references to config sections (again to allow dynamic proxying and hot swapping)
- ConfigSections have way of directly setting container initialised authenticators, sharemappers, etc.
- Authenticators, etc. still support initialisation from config service in backward compatible manner.
- Most of ServerConfigurationBean moved to AbstractServerConfigurationBean superclass.
- New org.alfresco.filesys.config package with ServerConfigurationBean implementation and supporting classes that can be initialised by a Spring container.
- File server authenticators moved into authentication subsystem. TODO: Kerberos and NTLM
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@13795 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
13659: Fix NTLMAuthenticationFilter to call super.afterPropertiesSet()
13658: MOB-424: Utility to Dump JMX Data
- new enterprise distributable jmx-dumper.jar
- command line invocation via "java -jar jmx-dumper.jar"
- admin web access via http://localhost:8080/alfresco/faces/jsp/admin/jmx-dumper.jsp
13575: Preconfigured authentication stacks for alfresco, LDAP, Kerberos and NTLM. TODO: file server config.
13493: Initial work to enable selection, configuration, testing and hot-swapping of different authentication subsystems via JMX or admin UI.
13309: Changes to allow datasource and property configuration via JNDI
- Move AVM catalina .jars into 3rd-party/lib/virtual-tomcat so that they don't get automatically included in the .war file and hence stop JNDI lookups from working
- Allow JNDI lookup of datasource – use standard app server mechanisms for managing it but still fall back to 'normal' one
- Allow properties to be overridden by JNDI env-entries as well as system properties. Including hibernate dialect ones. Web.xml can then declare required env-entries and these can be defined on deployment.
- Rewire iBatis so that no config file edits are necessary when dialect is changed
- Use proxy around datasource so that auto-commit is always activated for iBatis
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@13668 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
