mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
2a6ade76fc
29870: ALF-9952: Compatibility fix to allow mounting of Alfresco WebDAV as a network drive on Windows XP (without WebDrive)
29872: Fixed ALF-7698 "Defects in tags picker in SHARE."
- now checks added items to avoid duplicates
29873: Made sure the onActionDetails doclib action generates SimpleDialog instance ids each time, to avoid multiple js class instances with the same id getting called for every dialog created.
29878: ALF-9378: Use caching plus a read write lock, in a similar manner to ALF-7064, to avoid contention in SubsystemProxyFactory under load
29881: Added helper text for the translators to the property file.
29910: ALF-7433: a file deleted using the web UI still appears in a NFS mount but with NULL stats
- timestamp propagation now enabled by default so NFS always works
- timestamp propagation less agressive - only has to propagate on adds / deletes and renames
29911: Values for recurrence strings updated now that I've read RFC-2445
29944: ALF-9988: Merged PATCHES/V3.3.4 to V3.4-BUG-FIX
28581: ALF-8944: Corrected sort parameter handling for datetime fields, based on analyzer and tokenization mode
29955: Fixed ALF-9965: Property names matching fails if the property contains non Alphanumeric characters
29956: Fixed ALF-9424: Webform(XSD): xf:switch switch group does not work based on "complexContent with Base" element.
29964: Fixed ALF-9089: TinyMCE convert_fonts_to_spans parameter is not being picked up in Web Forms
29977: L10N Updates from Gloria (based on rev29838).
29980: Ignore virtual tomcat directory
29981: Merged BRANCHES/DEV/BELARUS/V3.4-BUG-FIX-2011_08_19 to BRANCHES/DEV/V3.4-BUG-FIX
ALF-6808 : Incorrect Search Language Conversion for wild card characters (%, _) for MS SQL
29984: ALF-4753: Fix search query escaping in Alfresco Explorer
- AWC-1743 / CHK-2171 fix restored
29993: Merged DEV/TEMPORARY to V3.4-BUG-FIX
29989: ALF-9976: WebDAV Class 2 compliance issue with OPTIONS response.
Class 2 incompliance connected with absence of 'PROPPATCH' method in the 'Allow' response header has been fixed
30009: ALF-7239 : Documents from Records Manager cannot be viewed in Outlook
30012: Merged BRANCHES/DEV/BELARUS/V3.4-BUG-FIX-2011_08_19 to BRANCHES/DEV/V3.4-BUG-FIX:
29986: ALF-7105: pdfbox returns errors in the logs but one cannot understand what file is affected (PDFBox)
30014: ALF-6284: Fix for Share Kerberos SSO Websphere compatibility (by Pavel)
30016: Merged DEV to V3.4-BUG-FIX
29424: ALF-8715: NFS: Admin sometimes cannot edit content uploaded via JSF
Fix for "Can't open file for writing" during saving file in VI-like editors connected with FileExpiry daemon:
- 'getNodeOrNull()' method extracted to get and check on existence of the cached file object
and then update cache timeout or remove it from the cache;
- 'getNodeForPath()' was appropriately updated in accordance with logic extracted to 'getNodeOrNull()';
- 'fileExists()' method was corrected to take into account existence of the cached file object
30017: Reverses an accidental check in made with the last L10N bundle update (r29977)
30045: ALF-8664 - Custom 'mandatory' RM metadata causes editing issues
30053: ALF-9681: webScriptsRegistryCache size in ehcache-default.xml
webScriptsRegistryCache maxElementsInMemory size was incremented up to 1000
30079: ALF-10027: Fix template alfresco-global.properties for custom tomcat ports
- Obselete web.application.context.url removed
- alfresco.host, alfresco.port, share.host and share.port added
30080: Fixed parse error mentioned in ALF-9511 "RSS Feeds with HTTP Auth doesn't work with Feed dashlet"
- In java regexps the . (dot) does NOT include the \r or \n by default, to change that a (?s) instruction was added in the beginning of the regexp
30083: Fixed ALF-10048 "Multiple thumbnails in RSS feeds causes problem for RSS Feed dashlet"
30088: ALF-7433: Fix unit test fallout from new timestamp propagation behaviour
30089: ALF-7433: Further unit test fallout from new timestamp propagation behaviour
- testPermissionsAndPolicies needs to get folder modification date in a distinct transaction after populating it
30091: ALF-10050: CIFS: Coordinator is unable to delete content after IMAP has been enabled
- Transactional cache null entry issue
30096: ALF-9793: Allow auto-created NFS authenticated users to work
- Also removed admin from default mappings to avoid security hole
30102: ALF-8723 CIFS on Windows fails to start under certain conditions
- Found another place >= was required rather than just >
30104: ALF-9890 SiteService is not producing audit data.
- Internal siteService rather than public SiteService was being used, so there was no audit advice.
30119: ALF-9793: Fallout from previous fix. Prevent initialization error when there are no user mappings and NFS is not enabled.
30120: ALF-9526: Work around the fact that Websphere ignores the response encoding unless you call response.setCharacterEncoding()
- GlobalLocalizationFilter inserts a response wrapper that parses the charset parameter from the content type header, if it is present
30121: ALF-9535: Alfresco ignores Accept-Language sent from Share
- Ticket and webscript authentication (i.e. Share requests) will use the language set in request headers as the session language
30130: ALF-10049: Fix by Andrey to enable Flash upload on Weblogic!
30141: ALF-8732 Now if the adhoc workflow throws exceptions while sending a notification email then those exceptions are ignored.
30226: ALF-9415: JSF - Copy/Paste vs Cut/Paste add aspect rule.
30242: Added NodeService.getNodeRef(Long nodeId)
- First step to remove Lucene search from inbound email server
- Done while investigating ALF-9660
30243: Fixed ALF-9660: Inbound emails are always stored with encoding=UTF-8 regardless the encoding the email client uses.
- If the encoding is provided, then it is not guessed
- Includes tweak to remove Lucene search and rather use direct node ID-NodeRef translation provided by NodeService
30263: Incremented version revision
30264: ALF-10187: Merged V3.3 to V3.4-BUG-FIX
30003: ALF-9898: More defensive exception handling to avoid packet pool leaks and extra logging on packet pool exhaustion
30265: Merged V3.4 to V3.4-BUG-FIX
30259: ALF-6527 LangPack FR - [Search results' page] Incorrect label when search matches results
- Added "(s)" to "trouvé(s) dans l'entrepôt." (for a repository search - found in retest)
- The original change:
Added "(s)" to "trouvé(s) dans tous les sites." (for an All Sites search)
However this leaves the current site search. As a result I also:
Added "(s)" to "trouvé(s) dans le site {0}." (for a current Site search)
and checked with a French speaker that this would sound correct.
Note: all three labels are prefixed by a separate text label: "N résultat(s) "
30261: (RECORD ONLY) Merged V3.4-BUG-FIX to V3.4 (3.4.5)
30262: ALF-10186: Merged PATCHES/V3.4.1 to V3.4
30126: ALF-10075: Concurrency during CMIS document update causes content stream to close prematurely.
- Created BufferedRequest request wrapper in RepositoryContainer
- If the content stream is accessed directly it is streamed to a temporary file so that requests can be retried
30137: ALF-10075: Fixed NPE
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@30271 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
633 lines
25 KiB
Java
633 lines
25 KiB
Java
/*
|
|
* Copyright (C) 2005-2010 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
package org.alfresco.web.app.servlet;
|
|
|
|
import java.io.IOException;
|
|
import java.io.UnsupportedEncodingException;
|
|
|
|
import javax.faces.context.FacesContext;
|
|
import javax.servlet.ServletContext;
|
|
import javax.servlet.http.Cookie;
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.servlet.http.HttpServletResponse;
|
|
import javax.servlet.http.HttpSession;
|
|
|
|
import org.alfresco.error.AlfrescoRuntimeException;
|
|
import org.alfresco.model.ContentModel;
|
|
import org.alfresco.repo.SessionUser;
|
|
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
|
import org.alfresco.repo.security.authentication.AuthenticationComponent;
|
|
import org.alfresco.repo.security.authentication.AuthenticationException;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
|
import org.alfresco.repo.security.permissions.AccessDeniedException;
|
|
import org.alfresco.repo.transaction.RetryingTransactionHelper;
|
|
import org.alfresco.repo.webdav.auth.RemoteUserMapper;
|
|
import org.alfresco.service.ServiceRegistry;
|
|
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
|
|
import org.alfresco.service.cmr.repository.NodeRef;
|
|
import org.alfresco.service.cmr.repository.NodeService;
|
|
import org.alfresco.service.cmr.security.AuthenticationService;
|
|
import org.alfresco.service.cmr.security.PersonService;
|
|
import org.alfresco.web.app.Application;
|
|
import org.alfresco.web.app.portlet.AlfrescoFacesPortlet;
|
|
import org.alfresco.web.bean.LoginBean;
|
|
import org.alfresco.web.bean.repository.User;
|
|
import org.alfresco.web.bean.users.UserPreferencesBean;
|
|
import org.apache.commons.logging.Log;
|
|
import org.apache.commons.logging.LogFactory;
|
|
import org.springframework.extensions.surf.util.Base64;
|
|
import org.springframework.extensions.surf.util.I18NUtil;
|
|
import org.springframework.web.context.WebApplicationContext;
|
|
import org.springframework.web.context.support.WebApplicationContextUtils;
|
|
|
|
/**
|
|
* Helper to authenticate the current user using available Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If the ticket is invalid then a redirect is performed to the login page.
|
|
* <p>
|
|
* If no User info is found then a search will be made for a previous username stored in a Cookie
|
|
* value. If the username if found then a redirect to the Login page will occur. If no username
|
|
* is found then Guest access login will be attempted by the system. Guest access can be forced
|
|
* with the appropriate method call.
|
|
*
|
|
* @author Kevin Roast
|
|
*/
|
|
public final class AuthenticationHelper
|
|
{
|
|
/** session variables */
|
|
public static final String AUTHENTICATION_USER = "_alfAuthTicket";
|
|
public static final String SESSION_USERNAME = "_alfLastUser";
|
|
public static final String SESSION_INVALIDATED = "_alfSessionInvalid";
|
|
|
|
/** JSF bean IDs */
|
|
public static final String LOGIN_BEAN = "LoginBean";
|
|
|
|
/** public service bean IDs **/
|
|
private static final String AUTHENTICATION_SERVICE = "AuthenticationService";
|
|
private static final String AUTHENTICATION_COMPONENT = "AuthenticationComponent";
|
|
private static final String REMOTE_USER_MAPPER = "RemoteUserMapper";
|
|
private static final String UNPROTECTED_AUTH_SERVICE = "authenticationService";
|
|
private static final String PERSON_SERVICE = "personService";
|
|
|
|
/** cookie names */
|
|
private static final String COOKIE_ALFUSER = "alfUser0";
|
|
|
|
private static Log logger = LogFactory.getLog(AuthenticationHelper.class);
|
|
|
|
|
|
/**
|
|
* Does all the stuff you need to do after successfully authenticating/validating a user ticket to set up the request
|
|
* thread. A useful utility method for an authentication filter.
|
|
*
|
|
* @param sc
|
|
* the servlet context
|
|
* @param req
|
|
* the request
|
|
* @param res
|
|
* the response
|
|
*/
|
|
public static void setupThread(ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean useInterfaceLanguage)
|
|
{
|
|
// setup faces context
|
|
FacesContext fc = Application.inPortalServer() ? AlfrescoFacesPortlet.getFacesContext(req) : FacesHelper
|
|
.getFacesContext(req, res, sc);
|
|
|
|
// Set the current locale and language (overriding the one already decoded from the Accept-Language header
|
|
I18NUtil.setLocale(Application.getLanguage(req.getSession(), Application.getClientConfig(fc).isLanguageSelect() && useInterfaceLanguage));
|
|
|
|
// Programatically retrieve the UserPreferencesBean from JSF
|
|
UserPreferencesBean userPreferencesBean = (UserPreferencesBean) FacesHelper.getManagedBean(fc, "UserPreferencesBean");
|
|
if (userPreferencesBean != null)
|
|
{
|
|
String contentFilterLanguageStr = userPreferencesBean.getContentFilterLanguage();
|
|
if (contentFilterLanguageStr != null)
|
|
{
|
|
// Set the locale for the method interceptor for MLText properties
|
|
I18NUtil.setContentLocale(I18NUtil.parseLocale(contentFilterLanguageStr));
|
|
}
|
|
else
|
|
{
|
|
// Nothing has been selected, so remove the content filter
|
|
I18NUtil.setContentLocale(null);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using session based Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If no User info is found or the ticket is invalid then a redirect is performed to the login page.
|
|
*
|
|
* @param forceGuest True to force a Guest login attempt
|
|
*
|
|
* @return AuthenticationStatus result.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest)
|
|
throws IOException
|
|
{
|
|
return authenticate(sc, req, res, forceGuest, true);
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using session based Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If no User info is found or the ticket is invalid then a redirect is performed to the login page.
|
|
*
|
|
* @param forceGuest True to force a Guest login attempt
|
|
* @param allowGuest True to allow the Guest user if no user object represent
|
|
*
|
|
* @return AuthenticationStatus result.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest, boolean allowGuest)
|
|
throws IOException
|
|
{
|
|
// retrieve the User object
|
|
User user = getUser(sc, req, res);
|
|
|
|
HttpSession session = req.getSession();
|
|
|
|
// get the login bean if we're not in the portal
|
|
LoginBean loginBean = null;
|
|
if (Application.inPortalServer() == false)
|
|
{
|
|
loginBean = (LoginBean)session.getAttribute(LOGIN_BEAN);
|
|
}
|
|
|
|
// setup the authentication context
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
|
|
AuthenticationService auth = (AuthenticationService)wc.getBean(AUTHENTICATION_SERVICE);
|
|
|
|
if (user == null || forceGuest)
|
|
{
|
|
// Check for the session invalidated flag - this is set by the Logout action in the LoginBean
|
|
// it signals a forced Logout and means we should not immediately attempt a relogin as Guest.
|
|
// The attribute is removed from the session by the login.jsp page after the Cookie containing
|
|
// the last stored username string is cleared.
|
|
if (session.getAttribute(AuthenticationHelper.SESSION_INVALIDATED) == null)
|
|
{
|
|
Cookie authCookie = getAuthCookie(req);
|
|
if (allowGuest == true && (authCookie == null || forceGuest))
|
|
{
|
|
// no previous authentication or forced Guest - attempt Guest access
|
|
try
|
|
{
|
|
auth.authenticateAsGuest();
|
|
|
|
// if we get here then Guest access was allowed and successful
|
|
setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(), false);
|
|
|
|
// Set up the thread context
|
|
setupThread(sc, req, res, true);
|
|
|
|
// remove the session invalidated flag
|
|
session.removeAttribute(AuthenticationHelper.SESSION_INVALIDATED);
|
|
|
|
// it is the responsibilty of the caller to handle the Guest return status
|
|
return AuthenticationStatus.Guest;
|
|
}
|
|
catch (AuthenticationException guestError)
|
|
{
|
|
// Expected if Guest access not allowed - continue to login page as usual
|
|
}
|
|
catch (AccessDeniedException accessError)
|
|
{
|
|
// Guest is unable to access either properties on Person
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
logger.warn("Unable to login as Guest: " + accessError.getMessage());
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
// Some other kind of serious failure to report
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
|
|
}
|
|
}
|
|
}
|
|
|
|
// session invalidated - return to login screen
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
else
|
|
{
|
|
// set last authentication username cookie value
|
|
String loginName;
|
|
if (loginBean != null && (loginName = loginBean.getUsernameInternal()) != null)
|
|
{
|
|
setUsernameCookie(req, res, loginName);
|
|
}
|
|
|
|
// Set up the thread context
|
|
setupThread(sc, req, res, true);
|
|
|
|
return AuthenticationStatus.Success;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using the supplied Ticket value.
|
|
*
|
|
* @return true if authentication successful, false otherwise.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext context, HttpServletRequest httpRequest, HttpServletResponse httpResponse, String ticket)
|
|
throws IOException
|
|
{
|
|
// setup the authentication context
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
|
|
AuthenticationService auth = (AuthenticationService)wc.getBean(AUTHENTICATION_SERVICE);
|
|
HttpSession session = httpRequest.getSession();
|
|
try
|
|
{
|
|
// If we already have a cached user, make sure it is for the right ticket
|
|
SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
|
|
if (user != null && !user.getTicket().equals(ticket))
|
|
{
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
session = httpRequest.getSession();
|
|
}
|
|
user = null;
|
|
}
|
|
|
|
// Validate the ticket and associate it with the session
|
|
auth.validate(ticket);
|
|
|
|
// Cache a new user in the session if required
|
|
if (user == null)
|
|
{
|
|
setUser(context, httpRequest, auth.getCurrentUserName(), ticket, false);
|
|
}
|
|
}
|
|
catch (AuthenticationException authErr)
|
|
{
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
}
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
// Some other kind of serious failure
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
|
|
// As we are authenticating via a ticket, establish the session locale using request headers rather than web client preferences
|
|
setupThread(context, httpRequest, httpResponse, false);
|
|
|
|
return AuthenticationStatus.Success;
|
|
}
|
|
|
|
/**
|
|
* Creates an object for an authenticated user and stores it in the session.
|
|
*
|
|
* @param context
|
|
* the servlet context
|
|
* @param req
|
|
* the request
|
|
* @param currentUsername
|
|
* the current user name
|
|
* @param ticket
|
|
* a validated ticket
|
|
* @param externalAuth
|
|
* was this user authenticated externally?
|
|
* @return the user object
|
|
*/
|
|
public static User setUser(ServletContext context, HttpServletRequest req, String currentUsername,
|
|
String ticket, boolean externalAuth)
|
|
{
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
|
|
|
|
User user = createUser(wc, currentUsername, ticket);
|
|
// store the User object in the Session - the authentication servlet will then proceed
|
|
HttpSession session = req.getSession(true);
|
|
session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
|
|
setExternalAuth(session, externalAuth);
|
|
return user;
|
|
}
|
|
|
|
/**
|
|
* Sets or clears the external authentication flag on the session
|
|
*
|
|
* @param session
|
|
* the session
|
|
* @param externalAuth
|
|
* was the user authenticated externally?
|
|
*/
|
|
private static void setExternalAuth(HttpSession session, boolean externalAuth)
|
|
{
|
|
if (externalAuth)
|
|
{
|
|
session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
|
|
}
|
|
else
|
|
{
|
|
session.removeAttribute(LoginBean.LOGIN_EXTERNAL_AUTH);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Creates an object for an authentication user.
|
|
*
|
|
* @param wc
|
|
* the web application context
|
|
* @param currentUsername
|
|
* the current user name
|
|
* @param ticket
|
|
* a validated ticket
|
|
* @return the user object
|
|
*/
|
|
private static User createUser(final WebApplicationContext wc, final String currentUsername, final String ticket)
|
|
{
|
|
final ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY);
|
|
return services.getTransactionService().getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionHelper.RetryingTransactionCallback<User>()
|
|
{
|
|
|
|
public User execute() throws Throwable
|
|
{
|
|
NodeService nodeService = services.getNodeService();
|
|
PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE);
|
|
NodeRef personRef = personService.getPerson(currentUsername);
|
|
User user = new User(currentUsername, ticket, personRef);
|
|
NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER);
|
|
|
|
// check that the home space node exists - else Login cannot proceed
|
|
if (nodeService.exists(homeRef) == false)
|
|
{
|
|
throw new InvalidNodeRefException(homeRef);
|
|
}
|
|
user.setHomeSpaceId(homeRef.getId());
|
|
return user;
|
|
}
|
|
});
|
|
}
|
|
|
|
/**
|
|
* For no previous authentication or forced Guest - attempt Guest access
|
|
*
|
|
* @param ctx
|
|
* WebApplicationContext
|
|
* @param auth
|
|
* AuthenticationService
|
|
*/
|
|
public static User portalGuestAuthenticate(WebApplicationContext ctx, AuthenticationService auth)
|
|
{
|
|
try
|
|
{
|
|
auth.authenticateAsGuest();
|
|
|
|
return createUser(ctx, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket());
|
|
}
|
|
catch (AuthenticationException guestError)
|
|
{
|
|
// Expected if Guest access not allowed - continue to login page as usual
|
|
}
|
|
catch (AccessDeniedException accessError)
|
|
{
|
|
// Guest is unable to access either properties on Person
|
|
AuthenticationService unprotAuthService = (AuthenticationService) ctx.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
logger.warn("Unable to login as Guest: " + accessError.getMessage());
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
// Some other kind of serious failure to report
|
|
AuthenticationService unprotAuthService = (AuthenticationService) ctx.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
|
|
}
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Uses the remote user mapper, if one is configured, to extract a user ID from the request
|
|
*
|
|
* @param sc
|
|
* the servlet context
|
|
* @param httpRequest
|
|
* The HTTP request
|
|
* @return the user ID if a user has been externally authenticated or <code>null</code> otherwise.
|
|
*/
|
|
public static String getRemoteUser(final ServletContext sc, final HttpServletRequest httpRequest)
|
|
{
|
|
String userId = null;
|
|
|
|
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
|
|
final WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
|
|
RemoteUserMapper remoteUserMapper = (RemoteUserMapper) wc.getBean(REMOTE_USER_MAPPER);
|
|
if (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive())
|
|
{
|
|
userId = remoteUserMapper.getRemoteUser(httpRequest);
|
|
}
|
|
return userId;
|
|
}
|
|
|
|
/**
|
|
* Attempts to retrieve the User object stored in the current session.
|
|
*
|
|
* @param sc
|
|
* the servlet context
|
|
* @param httpRequest
|
|
* The HTTP request
|
|
* @param httpResponse
|
|
* The HTTP response
|
|
* @return The User object representing the current user or null if it could not be found
|
|
*/
|
|
public static User getUser(final ServletContext sc, final HttpServletRequest httpRequest, HttpServletResponse httpResponse)
|
|
{
|
|
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
|
|
String userId = getRemoteUser(sc, httpRequest);
|
|
|
|
final WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
|
|
HttpSession session = httpRequest.getSession();
|
|
User user = null;
|
|
|
|
// examine the appropriate session to try and find the User object
|
|
SessionUser sessionUser = Application.getCurrentUser(session);
|
|
|
|
// Make sure the ticket is valid, the person exists, and the cached user is of the right type (WebDAV users have
|
|
// been known to leak in but shouldn't now)
|
|
if (sessionUser != null)
|
|
{
|
|
AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
|
|
try
|
|
{
|
|
auth.validate(sessionUser.getTicket());
|
|
if (sessionUser instanceof User)
|
|
{
|
|
user = (User)sessionUser;
|
|
setExternalAuth(session, userId != null);
|
|
}
|
|
else
|
|
{
|
|
user = setUser(sc, httpRequest, sessionUser.getUserName(), sessionUser.getTicket(), userId != null);
|
|
}
|
|
}
|
|
catch (AuthenticationException authErr)
|
|
{
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
}
|
|
}
|
|
}
|
|
|
|
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
|
|
if (userId != null)
|
|
{
|
|
// We have a previously-cached user with the wrong identity - replace them
|
|
if (user != null && !user.getUserName().equals(userId))
|
|
{
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
}
|
|
user = null;
|
|
}
|
|
|
|
if (user == null)
|
|
{
|
|
// If we have been authenticated by other means, just propagate through the user identity
|
|
AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc
|
|
.getBean(AUTHENTICATION_COMPONENT);
|
|
try
|
|
{
|
|
authenticationComponent.setCurrentUser(userId);
|
|
AuthenticationService authenticationService = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
|
|
user = setUser(sc, httpRequest, userId, authenticationService.getCurrentTicket(), true);
|
|
}
|
|
catch (AuthenticationException authErr)
|
|
{
|
|
// Allow for an invalid external user ID to be indicated
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return user;
|
|
}
|
|
|
|
/**
|
|
* Setup the Alfresco auth cookie value.
|
|
*
|
|
* @param httpRequest
|
|
* @param httpResponse
|
|
* @param username
|
|
*/
|
|
public static void setUsernameCookie(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String username)
|
|
{
|
|
Cookie authCookie = getAuthCookie(httpRequest);
|
|
// Let's Base 64 encode the username so it is a legal cookie value
|
|
String encodedUsername;
|
|
try
|
|
{
|
|
encodedUsername = Base64.encodeBytes(username.getBytes("UTF-8"));
|
|
}
|
|
catch (UnsupportedEncodingException e)
|
|
{
|
|
throw new RuntimeException(e);
|
|
}
|
|
if (authCookie == null)
|
|
{
|
|
authCookie = new Cookie(COOKIE_ALFUSER, encodedUsername);
|
|
}
|
|
else
|
|
{
|
|
authCookie.setValue(encodedUsername);
|
|
}
|
|
authCookie.setPath(httpRequest.getContextPath());
|
|
// TODO: make this configurable - currently 7 days (value in seconds)
|
|
authCookie.setMaxAge(60*60*24*7);
|
|
httpResponse.addCookie(authCookie);
|
|
}
|
|
|
|
/**
|
|
* Helper to return the Alfresco auth cookie. The cookie saves the last used username value.
|
|
*
|
|
* @param httpRequest
|
|
*
|
|
* @return Cookie if found or null if not present
|
|
*/
|
|
public static Cookie getAuthCookie(HttpServletRequest httpRequest)
|
|
{
|
|
Cookie authCookie = null;
|
|
Cookie[] cookies = httpRequest.getCookies();
|
|
if (cookies != null)
|
|
{
|
|
for (int i=0; i<cookies.length; i++)
|
|
{
|
|
if (COOKIE_ALFUSER.equals(cookies[i].getName()))
|
|
{
|
|
// found cookie
|
|
authCookie = cookies[i];
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
return authCookie;
|
|
}
|
|
|
|
/**
|
|
* Gets the decoded auth cookie value.
|
|
*
|
|
* @param authCookie
|
|
* the auth cookie
|
|
* @return the auth cookie value
|
|
*/
|
|
public static String getAuthCookieValue(Cookie authCookie)
|
|
{
|
|
String authCookieValue = authCookie.getValue();
|
|
if (authCookieValue == null)
|
|
{
|
|
return null;
|
|
}
|
|
try
|
|
{
|
|
return new String(Base64.decode(authCookieValue), "UTF-8");
|
|
}
|
|
catch (UnsupportedEncodingException e)
|
|
{
|
|
throw new RuntimeException(e);
|
|
}
|
|
}
|
|
}
|