* User information is looked up in the Session. If found the ticket is retrieved and validated. * If the ticket is invalid then a redirect is performed to the login page. *
* If no User info is found then a search will be made for a previous username stored in a Cookie * value. If the username if found then a redirect to the Login page will occur. If no username * is found then Guest access login will be attempted by the system. Guest access can be forced * with the appropriate method call. * * @author Kevin Roast */ public final class AuthenticationHelper { /** session variables */ public static final String AUTHENTICATION_USER = "_alfAuthTicket"; public static final String SESSION_USERNAME = "_alfLastUser"; public static final String SESSION_INVALIDATED = "_alfSessionInvalid"; /** JSF bean IDs */ public static final String LOGIN_BEAN = "LoginBean"; /** public service bean IDs **/ private static final String AUTHENTICATION_SERVICE = "AuthenticationService"; private static final String AUTHENTICATION_COMPONENT = "AuthenticationComponent"; private static final String REMOTE_USER_MAPPER = "RemoteUserMapper"; private static final String UNPROTECTED_AUTH_SERVICE = "authenticationService"; private static final String PERSON_SERVICE = "personService"; /** cookie names */ private static final String COOKIE_ALFUSER = "alfUser"; private static Log logger = LogFactory.getLog(AuthenticationHelper.class); /** * Does all the stuff you need to do after successfully authenticating/validating a user ticket to set up the request * thread. A useful utility method for an authentication filter. * * @param sc * the servlet context * @param req * the request * @param res * the response */ public static void setupThread(ServletContext sc, HttpServletRequest req, HttpServletResponse res) { // setup faces context FacesContext fc = FacesHelper.getFacesContext(req, res, sc); // Set the current locale and language if (Application.getClientConfig(fc).isLanguageSelect()) { I18NUtil.setLocale(Application.getLanguage(req.getSession())); } else { // Set the current thread locale (also for JSF context) fc.getViewRoot().setLocale(BaseServlet.setLanguageFromRequestHeader(req, sc)); } // Programatically retrieve the UserPreferencesBean from JSF UserPreferencesBean userPreferencesBean = (UserPreferencesBean) fc.getApplication().createValueBinding( "#{UserPreferencesBean}").getValue(fc); if (userPreferencesBean != null) { String contentFilterLanguageStr = userPreferencesBean.getContentFilterLanguage(); if (contentFilterLanguageStr != null) { // Set the locale for the method interceptor for MLText properties I18NUtil.setContentLocale(I18NUtil.parseLocale(contentFilterLanguageStr)); } else { // Nothing has been selected, so remove the content filter I18NUtil.setContentLocale(null); } } } /** * Helper to authenticate the current user using session based Ticket information. *
* User information is looked up in the Session. If found the ticket is retrieved and validated. * If no User info is found or the ticket is invalid then a redirect is performed to the login page. * * @param forceGuest True to force a Guest login attempt * * @return AuthenticationStatus result. */ public static AuthenticationStatus authenticate( ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest) throws IOException { return authenticate(sc, req, res, forceGuest, true); } /** * Helper to authenticate the current user using session based Ticket information. *
* User information is looked up in the Session. If found the ticket is retrieved and validated.
* If no User info is found or the ticket is invalid then a redirect is performed to the login page.
*
* @param forceGuest True to force a Guest login attempt
* @param allowGuest True to allow the Guest user if no user object represent
*
* @return AuthenticationStatus result.
*/
public static AuthenticationStatus authenticate(
ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest, boolean allowGuest)
throws IOException
{
// retrieve the User object
User user = getUser(sc, req, res);
HttpSession session = req.getSession();
// get the login bean if we're not in the portal
LoginBean loginBean = null;
if (Application.inPortalServer() == false)
{
loginBean = (LoginBean)session.getAttribute(LOGIN_BEAN);
}
// setup the authentication context
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
AuthenticationService auth = (AuthenticationService)wc.getBean(AUTHENTICATION_SERVICE);
if (user == null || forceGuest)
{
// Check for the session invalidated flag - this is set by the Logout action in the LoginBean
// it signals a forced Logout and means we should not immediately attempt a relogin as Guest.
// The attribute is removed from the session by the login.jsp page after the Cookie containing
// the last stored username string is cleared.
if (session.getAttribute(AuthenticationHelper.SESSION_INVALIDATED) == null)
{
Cookie authCookie = getAuthCookie(req);
if (allowGuest == true && (authCookie == null || forceGuest))
{
// no previous authentication or forced Guest - attempt Guest access
try
{
auth.authenticateAsGuest();
// if we get here then Guest access was allowed and successful
setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(), false);
// Set up the thread context
setupThread(sc, req, res);
// remove the session invalidated flag
session.removeAttribute(AuthenticationHelper.SESSION_INVALIDATED);
// it is the responsibilty of the caller to handle the Guest return status
return AuthenticationStatus.Guest;
}
catch (AuthenticationException guestError)
{
// Expected if Guest access not allowed - continue to login page as usual
}
catch (AccessDeniedException accessError)
{
// Guest is unable to access either properties on Person
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
unprotAuthService.clearCurrentSecurityContext();
logger.warn("Unable to login as Guest: " + accessError.getMessage());
}
catch (Throwable e)
{
// Some other kind of serious failure to report
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
unprotAuthService.clearCurrentSecurityContext();
throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
}
}
}
// session invalidated - return to login screen
return AuthenticationStatus.Failure;
}
else
{
// set last authentication username cookie value
String loginName;
if (loginBean != null && (loginName = loginBean.getUsernameInternal()) != null)
{
setUsernameCookie(req, res, loginName);
}
// Set up the thread context
setupThread(sc, req, res);
return AuthenticationStatus.Success;
}
}
/**
* Helper to authenticate the current user using the supplied Ticket value.
*
* @return true if authentication successful, false otherwise.
*/
public static AuthenticationStatus authenticate(
ServletContext context, HttpServletRequest httpRequest, HttpServletResponse httpResponse, String ticket)
throws IOException
{
// setup the authentication context
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
AuthenticationService auth = (AuthenticationService)wc.getBean(AUTHENTICATION_SERVICE);
HttpSession session = httpRequest.getSession();
try
{
auth.validate(ticket);
// We may have previously been authenticated via WebDAV so we may need to 'promote' the user object
SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
if (user == null || !(user instanceof User))
{
setUser(context, httpRequest, auth.getCurrentUserName(), ticket, false);
}
}
catch (AuthenticationException authErr)
{
session.removeAttribute(AUTHENTICATION_USER);
return AuthenticationStatus.Failure;
}
catch (Throwable e)
{
// Some other kind of serious failure
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
unprotAuthService.clearCurrentSecurityContext();
return AuthenticationStatus.Failure;
}
// Set up the thread context
setupThread(context, httpRequest, httpResponse);
return AuthenticationStatus.Success;
}
/**
* Creates an object for an authenticated user and stores it in the session.
*
* @param context
* the servlet context
* @param req
* the request
* @param currentUsername
* the current user name
* @param ticket
* a validated ticket
* @param externalAuth
* was this user authenticated externally?
* @return the user object
*/
public static User setUser(ServletContext context, HttpServletRequest req, String currentUsername,
String ticket, boolean externalAuth)
{
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
User user = createUser(wc, currentUsername, ticket);
// store the User object in the Session - the authentication servlet will then proceed
HttpSession session = req.getSession(true);
session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
setExternalAuth(session, externalAuth);
return user;
}
/**
* Sets or clears the external authentication flag on the session
*
* @param session
* the session
* @param externalAuth
* was the user authenticated externally?
*/
private static void setExternalAuth(HttpSession session, boolean externalAuth)
{
if (externalAuth)
{
session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
}
else
{
session.removeAttribute(LoginBean.LOGIN_EXTERNAL_AUTH);
}
}
/**
* Creates an object for an authentication user.
*
* @param wc
* the web application context
* @param currentUsername
* the current user name
* @param ticket
* a validated ticket
* @return the user object
*/
private static User createUser(final WebApplicationContext wc, final String currentUsername, final String ticket)
{
final ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY);
return services.getTransactionService().getRetryingTransactionHelper().doInTransaction(
new RetryingTransactionHelper.RetryingTransactionCallback