mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
e0e04abccd
22215: Fix compilation error
22240: ALF-4207: Download servlets show error page with permissions error rather than login page when non-guest user has insufficient permissions
22241: ALF-4469: External Access Servlet should also show status 403 errors to non-guest users, as in ALF-4207
22244: ALF-4599: CIFS access to alfresco with Kerberos authentication creates wrong users with domain suffix
ALF-4395: recognize Kerberos machine accounts with lower case names
22247: ALF-4397: Properly handle null values in SortableSelectItem.compareTo()
22248: Merged DEV/TEMPORARY to V3.3-BUG-FIX
21963: ALF-4390: ModuleManagementTool is not returning error code in case of failure
Error code constants and appropriate System.exit(code) invokations were added.
22260: ALF-4597: InviteContentUsersWizard was caching permissions in a non-type-specific cache
- removed the cache - didn't allow for dynamic model updates either
22269: Merged V3.3 to V3.3-BUG-FIX (RECORD ONLY)
22268: Merged V3.3-BUG-FIX to V3.3
- Merged across all differences from V3.3-BUG-FIX
22270: Incremented revision number
22467: Merge from V3.3 to V3.3BUG-FIX. Fix for ALF-4741.
V3.3: 22466 Merge from V3.2 to V3.3. Fix for ALF-4741.
V3.2: 22465 Fix for ALF-4741. Repository Web Scripts can produce a corrupted response after a transaction collision/retry.
22667: Merged DEV/TEMPORARY to V3.3-BUG-FIX
22665: ALF-4825: Unlocking checked out content cause both original & working copy un-usable.
Do not include unlock in the actions list when a node has a working copy.
22691: Add missing "logAbandoned" (= false) prop to config - follow on to r15133 (related to ALF-4020 / ETWOTWO-562)
22710: ALF-3948 - from time to time we have exception "Failed to init dictionaryRegistry"
22718: Merge from V3.3 to V3.3-BUG-FIX
r 22715 Merge from V3.2 to V3.3
r 22713 Fix for ALF-4946 Possible NullPointerException during creation of thumbnails whose names are null-valued.
22722: Merged V3.3 to V3.3-BUG-FIX
22271: ALF-3712: Merged HEAD to V3.3
22249: Bin contents were not being packaged.
22272: Merged DEV/TEMPORARY to V3.3
22067: ALF-4479: when using webdav inline edit on webdav + MS Word 2003 +IE6, one gets: Unable to check in Content Node due to system error. Access Denied. You do not have the appropriate permissions to perform this operation.
- Do not unlock a working copy.
22273: Merged DEV/TEMPORARY to V3.3
21729: ALF-3112: Property parameterTemplates not resolved correctly for SimpleTemplateActionDefinition
The temporary fix for unconfigurable valueSeparator property.
https://jira.springframework.org/browse/SPR-7429
22274: Merged DEV/TEMPORARY to V3.3
21993: ALF-4396: webdav "supportedlock" propfind request returns malformed response
WebDAV supported lock elements were wrapped by “lockentry” elements according to the WebDAV specification.
22276: ALF-3890: FTP Change Working Directory (CWD) command works with root-relative paths with more than one component
22277: Merged DEV/TEMPORARY to V3.3
22076: ALF-3579: Open the Details Page URL removes the header, navigation bar etc
The identifiers for modify action tag and details' actions tag should be different in the details pages. For documents:
in the filelink-details.jsp and document-details.jsp. For spaces: in the space-details.jsp and spacelink-details.jsp.
22285: Merged HEAD to V3.3
22284: Fix for ALF-3063 "Incorrect behaviour on filtering by tag in Repository". Labels updated to more accurately reflect behaviour.
22299: Fix for ALF-3893: lucene.indexer.mergerTargetIndexCount is redundant
- this property is now used to control the merging of indexes as was intended
22309: Merged DEV/TEMPORARY to V3.3 (Approved by Roy)
21035: ALF-2588: RM: Export and import of file plan causes disposition errors
When content is imported from acp the actionId that points to the action NodeRef is old in the imported content and NullPointerExcepption appears.
To avoid this we changed DispositionScheduleImpl. Now it stores the action that has different name and ID (when action is create it name equals id) in a separate map. And when getDispositionActionDefinition(String id) method is called it tries to retrieve the action from this map, if it hasn’t been found earlier.
22325: Fix for ALF-4428: Incorrect behaviour of Consumer and Contributor permissions with Quickr
- unit test pass
22334: Merged HEAD to V3.3
22331: Fixes: ALF-3558: Input and variable encoding issues in Share Calendar & API JSON data.
22355: ALF-4489: Special Characters Create Stack Overflow Exception in the Group Admin Console for Share in Internet Explorer.
Fixed missing encoding and also added guard code to prevent stack overflow problem in case of future error.
22356: Fix for ALF-4384 - missing JSP page directive
22360: Fix for ALF-4428: Incorrect behaviour of Consumer and Contributor permissions with Quickr
- unit test pass
- no abstain allowed
22365: Merged DEV/TEMPORARY to V3.3
21874: ALF-2641: WebDav Permission Issues - MAC OSX Finder
The createExclusive field was introduced instead of m_scope. New algorithm of lockscope determination was added.
Also ALF-4008 compliant fix provided with this.
21812: ALF-4008: save a MS Word change over webdav after a 2-3 minutes delay causes the error 'XXX.doc is currently in use. Please try again later.'
Modified LOCK method, it gets a scope from NodeRef property if m_scope field is not defined.
22367: Merged DEV/TEMPORARY to V3.3
21442: ALF-2587: WEBDAV error in Windows 7
- variant generateLockDiscoveryXML methods were factored into a single one capable of generating a namespaced LOCK response compatible with Windows 7 when its user agent header is detected.
22368: Merged DEV/TEMPORARY to V3.3
20919: ALF-2834: All day events created in Outlook not appearing in Meeting Workspace
Different date format is used by Outlook when creating all day meeting request and meeting request specifying date and time. The code was changed to handle both situations accordingly.
22369: Merged DEV/TEMPORARY to V3.3 (With simplifications)
21470: ALF-3796: Locale is not always set/reset on every request thread
- A GlobalLocalizationFilter sits in front of ALL requests and sets a default fallback locale on I18NUtil
- Moved BaseServlet.setLanguageFromRequestHeader into this filter and made sure it always falls back to a default locale
- Subsequent filters / servlets in faces chain may override this with user preferred locale after authentication
22370: ALF-3868: Fix for compatibility with Sun Directory Server
22371: Merged DEV/TEMPORARY to V3.3
21811: ALF-4067: Display Value for Action Constraint breaking a java eval in Share
When a node doesn't have a ContentModel.PROP_TITLE property it is added to AllowableValues with PROP_NAME value.
21795: ALF-4067: Display Value for Action Constraint breaking a java eval in Share
The fix introduces the code which doesn't add a node to AllowableValues if it doesn't have a ContentModel.PROP_TITLE property.
22378: ALF-3796: Fixed compilation error - BaseServlet.setLanguageFromRequestHeader replaced by global filter
22380: ALF-3761: War bundles + extension samples now include alfresco-global.properties in correct position in hierarchy
22386: ALF-3887: Two versions of geronimo-activation are shipped
- Removed the older version
22402: WCM - add more debug logging only
22405: Change notification handler not enabled by the server configuration bean. ALF-4715.
22407: Merged DEV/TEMPORARY to V3.3
22231: ALF-4096: Share point module is causing file descriptor leaks.
The following changes were added to VtiIfHeaderAction and GetDocumentMethod:
- code that copies data between streams was replaced by org.apache.commons.io.IOUtils.copy()
- correct stream closing was added for all cases including exceptions while copying
22411: Merged DEV/TEMPORARY to V3.3
21864: ALF-4371: Error occurs if user try to find event from meeting place
Replaced incorrect NamespaceService.CONTENT_MODEL_PREFIX with NamespaceService.CONTENT_MODEL_1_0_URI in QName creation.
22412: Merged DEV/TEMPORARY to V3.3
22018: ALF-4403: Search on users in JSF client and SHARE do not specify "cm:person" type clause in the query leading to incorrect results in user searching.
People searches in Alfresco and share are restricted by “cm:person” type.
21988: ALF-4403: Search on users in JSF client and SHARE do not specify "cm:person" type clause in the query leading to incorrect results in user searching.
People searches in Alfresco and share are restricted by “cm:person” type.
22418: ALF-4578: Avoid ConcurrentModificationException in AVMDeploymentTarget
22420: Fixed ALF-958: Target associations aren't copied
- Added CopyBehaviourCallback. getAssociationCopyAction
- Default behaviour:
- Remove existing associations of same type when copying OVER an existing node (e.g. check-in)
- Copy the association using a new target if the target is copied in the same call
- Copy the association to the original target if the target is not copied in the same call
- Abstract behaviour (for those that have implemented a CopyBehaviourCallback):
- Remove existing associations of same type when copying OVER an existing node (e.g. check-in)
- Only copy the association to a new target if the original target is copied
22421: ALF-4641: Strip ticket parameter on login page redirect to avoid endless redirect loop
22422: Merged DEV/TEMPORARY to V3.3
21201: ALF-1804: Passthru server check gets confused when a server goes offline
22423: Merged DEV/TEMPORARY to V3.3
21891: ALF-3356: Error changing own user role from coordinator to consumer
When a user changes the Roles, all Permissions are immediately deleted and new selected permissions are created. If all permissions are deleted then the user doesn't have access for permissions creation.
If the user currently has permission change permission the currently set of permissions is cleared and new permissions are added from a System User authority.
22424: Merged DEV/TEMPORARY to V3.3
21182: ALF-1786: Remote Opensearch request mimetype missing
SearchProxy was changed to provide original User-Agent header. HTTPProxy was extended to set request headers. New overridable method setRequestHeaders was added to provide ability of setting headers.
22425: Merged DEV/TEMPORARY to V3.3
22165: ALF-197: When returning to the first step of Advanced Workflow creation from second or third steps it's always Adhoc Task chosen there
The selectedWorkflow variable was reseting every time on "Choose Workflow" step
22426:Merged DEV/TEMPORARY to V3.3
21323: ALF-687: Error when invoking webservices via SSL repository location url.
Add a new overload of ContentUtils.putContent() method with the isSSL argument at the end.
If this parameter value is true then SSLSocket is used and Socket otherwise.
22428: ALF-3490: Unfriendly error messages from WebDAV when content doesn't exist
- Generalized ALF-4207 solution so that the error page instead displays a status 404 message
22429: Merged DEV/TEMPORARY to V3.3
21325: ALF-3502: Logging in FacesHelper.getManagedBean on failure to create bean
Detailed logging of the EvaluationException for ValueBinding was added.
22430: Merged DEV/TEMPORARY to V3.3
20974: ALF-2695: mimetypes-extension-context.xml.sample does not use the correct classes
Changed the type of the bean id="mimetypeConfigService" from “"org.alfresco.config.xml.XMLConfigService” to “org.springframework.extensions.config.xml.XMLConfigService”
Renamed mimetypes-extension-context.xml.sample file to file mimetypes-extension.xml.sample. The file mimetypes-extension-context.xml.sample was interpreted like spring context file. It wasn’t correct.
22431: Merged DEV/TEMPORARY to V3.3
21099: ALF-3046: UI - Import feature not available to contributor user
The fix also covers related bug ALF-2802.
Permission ‘Write’ was replaced by ‘CreateChildren’ for import action because contributor has ‘AddChildren’ (not ‘Write’) permission.
22432: Merged DEV/TEMPORARY to V3.3
20973: ALF-3244: alfresco-sample-website.war does not deploy to bundled Tomcat
The cause of the corrupted alfresco-sample-website.war deployment is the usage of the SSIFilter in the application.
Only Contexts which are marked as privileged may use SSI features. For this reason, the context has been marked as privileged in META-INF/context.xml
22433: Merged DEV/TEMPORARY to V3.3
21190: ALF-3751: Unintentional copy/remove of 'Web Forms' space removes form associations in Web Projects
Parent validation before deleting was added. Now deleted web form is removed from Web Project only if this form is located in original Web Form folder.
22434: Merged DEV/TEMPORARY to V3.3
21490: ALF-4099: Customer concern about String comparison operators == vs equals
Comparison operator was replaced by equals/EqualsHelper.nullSafeEquals in the ContentFilterLanguagesMap DocumentNavigator UIAjaxTagPicker Presence classes.
DocumentNavigator.getAttributeName() method was changed because the previous method's logic always returned escapedLocalName in any case.
22436: Merged DEV/TEMPORARY to V3.3
22063: ALF-4494 : Share show error if versionable document has no version history.
1. evaluator.lib.js was modified to prevent NPE if no version history exists for document.
2. Result was manually tested.
22437: ALF-2796: java.naming.referral is set to "follow" in the LDAP contexts to avoid PartialResultExceptions on LDAP sync
22466: Merge from V3.2 to V3.3. Fix for ALF-4741.
V3.2: 22465 Fix for ALF-4741. Repository Web Scripts can produce a corrupted response after a transaction collision/retry.
22469: Fix for CIFS long directory path results in duplicate folder displays. ALF-3938.
Removed (hopefully) last of the hardcoded buffer length limits.
22472: Fixed ALF-4670: XAM retainUntil value does not propagate down the space hierarchy
22473: Fixed ALF-4656: Deleted Content Backup should ignore unrecognised URLs
- Also fixes ALF-4657: Content stored on XAM is not cleaned up correctly
- Errors in the listeners are logged only
- ContentStoreCleanerListener checks and warns if the URL is unsupported
22474: Fix to web.xml to correctly validate and therefore deploy on JBoss5.1.0
22485: Fix for NFS losing contents during edit or copy. ALF-4737.
22492: ALF-4652 XAM bug fixes and improvements: Respect 0 'retentionPeriodDays'
22501: Fixed ALF-4763 XAM-enabled nodes must not go to the archive://SpacesStore
22504: Fix for MS Word mimetype is changed when editing via CIFS. ALF-3772.
22520: ALF-4768: WCM (w/ virt svr) - submit (no need to virtualize direct submit workflows)
22526: Externalised setting of BINARIES, plus added bin with jars and dlls
22561: ALF-4792: WCM virt svr - add experimental option for lazy deployment (defer startup of dependent webapps until accessed)
22611: Fixed ALF-1893: Windows 7 SSP Read-only.
Note: Relies on the patched Excel and PowerPoint mimetypes, but also falls back to file exension.
22612: Merged HEAD to BRANCHES/V3.3:
22609: Resolve ALF4822, ALF4818
22628: ALF-3239: Added encoding elements to mysql db url
22656: Fix for Solaris/Gedit problem, keep a mapping for the original file handle to the new path after a rename. ALF-4843.
22673: ALF-4845: Person and Group member deletion performance fix
- Don't batch load all a group's members when trying to delete one of them!
- Can result in infeasibly large hibernate sessions when trying to delete a person / LDAP sync in a repository with very large groups
- Switched off batch loading in NodeService.removeChild()
- Avoided unnecessary use of removeAuthority in PersonService.deletePerson()
22674: Merged DEV/TEMPORARY to V3.3
22653: ALF-661: There is no way to determine the protocol, hostname and port from a javascript kicked off by JBPM
These variables are now available for use in workflow and action javascript and they are wired to the corresponding parameters that already exist in the sysAdmin subsystem.
urls.alfresco.protocol
urls.alfresco.host
urls.alfresco.port
urls.alfresco.context
urls.share.protocol
urls.share.host
urls.share.port
urls.share.context
See bug for example usage
22676: Merged HEAD to V3.3:
20306: Google Doc integration fixes:
- Fixed up inconsistancies in powerpoint and excel mimetypes set throughout the code
- Unit tests failures for excel sheets fixed
- Able to now create and checkout docs, sheets and presentations successfullly
- Docs, sheets and presentations downloadable and viewable
- Fixed ALF-2700
(See ALF-4827)
22715: Merge from V3.2 to V3.3.
r. 22713. Fix for ALF-4946 Possible NullPointerException during creation of thumbnails whose names are null-valued.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@22725 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
608 lines
24 KiB
Java
608 lines
24 KiB
Java
/*
|
|
* Copyright (C) 2005-2010 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
package org.alfresco.web.app.servlet;
|
|
|
|
import java.io.IOException;
|
|
import java.io.UnsupportedEncodingException;
|
|
|
|
import javax.faces.context.FacesContext;
|
|
import javax.servlet.ServletContext;
|
|
import javax.servlet.http.Cookie;
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.servlet.http.HttpServletResponse;
|
|
import javax.servlet.http.HttpSession;
|
|
|
|
import org.alfresco.error.AlfrescoRuntimeException;
|
|
import org.alfresco.model.ContentModel;
|
|
import org.alfresco.repo.SessionUser;
|
|
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
|
import org.alfresco.repo.security.authentication.AuthenticationComponent;
|
|
import org.alfresco.repo.security.authentication.AuthenticationException;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
|
import org.alfresco.repo.security.permissions.AccessDeniedException;
|
|
import org.alfresco.repo.transaction.RetryingTransactionHelper;
|
|
import org.alfresco.repo.webdav.auth.RemoteUserMapper;
|
|
import org.alfresco.service.ServiceRegistry;
|
|
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
|
|
import org.alfresco.service.cmr.repository.NodeRef;
|
|
import org.alfresco.service.cmr.repository.NodeService;
|
|
import org.alfresco.service.cmr.security.AuthenticationService;
|
|
import org.alfresco.service.cmr.security.PersonService;
|
|
import org.alfresco.web.app.Application;
|
|
import org.alfresco.web.app.portlet.AlfrescoFacesPortlet;
|
|
import org.alfresco.web.bean.LoginBean;
|
|
import org.alfresco.web.bean.repository.User;
|
|
import org.alfresco.web.bean.users.UserPreferencesBean;
|
|
import org.apache.commons.logging.Log;
|
|
import org.apache.commons.logging.LogFactory;
|
|
import org.springframework.extensions.surf.util.Base64;
|
|
import org.springframework.extensions.surf.util.I18NUtil;
|
|
import org.springframework.web.context.WebApplicationContext;
|
|
import org.springframework.web.context.support.WebApplicationContextUtils;
|
|
|
|
/**
|
|
* Helper to authenticate the current user using available Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If the ticket is invalid then a redirect is performed to the login page.
|
|
* <p>
|
|
* If no User info is found then a search will be made for a previous username stored in a Cookie
|
|
* value. If the username if found then a redirect to the Login page will occur. If no username
|
|
* is found then Guest access login will be attempted by the system. Guest access can be forced
|
|
* with the appropriate method call.
|
|
*
|
|
* @author Kevin Roast
|
|
*/
|
|
public final class AuthenticationHelper
|
|
{
|
|
/** session variables */
|
|
public static final String AUTHENTICATION_USER = "_alfAuthTicket";
|
|
public static final String SESSION_USERNAME = "_alfLastUser";
|
|
public static final String SESSION_INVALIDATED = "_alfSessionInvalid";
|
|
|
|
/** JSF bean IDs */
|
|
public static final String LOGIN_BEAN = "LoginBean";
|
|
|
|
/** public service bean IDs **/
|
|
private static final String AUTHENTICATION_SERVICE = "AuthenticationService";
|
|
private static final String AUTHENTICATION_COMPONENT = "AuthenticationComponent";
|
|
private static final String REMOTE_USER_MAPPER = "RemoteUserMapper";
|
|
private static final String UNPROTECTED_AUTH_SERVICE = "authenticationService";
|
|
private static final String PERSON_SERVICE = "personService";
|
|
|
|
/** cookie names */
|
|
private static final String COOKIE_ALFUSER = "alfUser0";
|
|
|
|
private static Log logger = LogFactory.getLog(AuthenticationHelper.class);
|
|
|
|
|
|
/**
|
|
* Does all the stuff you need to do after successfully authenticating/validating a user ticket to set up the request
|
|
* thread. A useful utility method for an authentication filter.
|
|
*
|
|
* @param sc
|
|
* the servlet context
|
|
* @param req
|
|
* the request
|
|
* @param res
|
|
* the response
|
|
*/
|
|
public static void setupThread(ServletContext sc, HttpServletRequest req, HttpServletResponse res)
|
|
{
|
|
// setup faces context
|
|
FacesContext fc = Application.inPortalServer() ? AlfrescoFacesPortlet.getFacesContext(req) : FacesHelper
|
|
.getFacesContext(req, res, sc);
|
|
|
|
// Set the current locale and language
|
|
if (Application.getClientConfig(fc).isLanguageSelect())
|
|
{
|
|
I18NUtil.setLocale(Application.getLanguage(req.getSession()));
|
|
}
|
|
|
|
// Programatically retrieve the UserPreferencesBean from JSF
|
|
UserPreferencesBean userPreferencesBean = (UserPreferencesBean) fc.getApplication().createValueBinding(
|
|
"#{UserPreferencesBean}").getValue(fc);
|
|
if (userPreferencesBean != null)
|
|
{
|
|
String contentFilterLanguageStr = userPreferencesBean.getContentFilterLanguage();
|
|
if (contentFilterLanguageStr != null)
|
|
{
|
|
// Set the locale for the method interceptor for MLText properties
|
|
I18NUtil.setContentLocale(I18NUtil.parseLocale(contentFilterLanguageStr));
|
|
}
|
|
else
|
|
{
|
|
// Nothing has been selected, so remove the content filter
|
|
I18NUtil.setContentLocale(null);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using session based Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If no User info is found or the ticket is invalid then a redirect is performed to the login page.
|
|
*
|
|
* @param forceGuest True to force a Guest login attempt
|
|
*
|
|
* @return AuthenticationStatus result.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest)
|
|
throws IOException
|
|
{
|
|
return authenticate(sc, req, res, forceGuest, true);
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using session based Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If no User info is found or the ticket is invalid then a redirect is performed to the login page.
|
|
*
|
|
* @param forceGuest True to force a Guest login attempt
|
|
* @param allowGuest True to allow the Guest user if no user object represent
|
|
*
|
|
* @return AuthenticationStatus result.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest, boolean allowGuest)
|
|
throws IOException
|
|
{
|
|
// retrieve the User object
|
|
User user = getUser(sc, req, res);
|
|
|
|
HttpSession session = req.getSession();
|
|
|
|
// get the login bean if we're not in the portal
|
|
LoginBean loginBean = null;
|
|
if (Application.inPortalServer() == false)
|
|
{
|
|
loginBean = (LoginBean)session.getAttribute(LOGIN_BEAN);
|
|
}
|
|
|
|
// setup the authentication context
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
|
|
AuthenticationService auth = (AuthenticationService)wc.getBean(AUTHENTICATION_SERVICE);
|
|
|
|
if (user == null || forceGuest)
|
|
{
|
|
// Check for the session invalidated flag - this is set by the Logout action in the LoginBean
|
|
// it signals a forced Logout and means we should not immediately attempt a relogin as Guest.
|
|
// The attribute is removed from the session by the login.jsp page after the Cookie containing
|
|
// the last stored username string is cleared.
|
|
if (session.getAttribute(AuthenticationHelper.SESSION_INVALIDATED) == null)
|
|
{
|
|
Cookie authCookie = getAuthCookie(req);
|
|
if (allowGuest == true && (authCookie == null || forceGuest))
|
|
{
|
|
// no previous authentication or forced Guest - attempt Guest access
|
|
try
|
|
{
|
|
auth.authenticateAsGuest();
|
|
|
|
// if we get here then Guest access was allowed and successful
|
|
setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(), false);
|
|
|
|
// Set up the thread context
|
|
setupThread(sc, req, res);
|
|
|
|
// remove the session invalidated flag
|
|
session.removeAttribute(AuthenticationHelper.SESSION_INVALIDATED);
|
|
|
|
// it is the responsibilty of the caller to handle the Guest return status
|
|
return AuthenticationStatus.Guest;
|
|
}
|
|
catch (AuthenticationException guestError)
|
|
{
|
|
// Expected if Guest access not allowed - continue to login page as usual
|
|
}
|
|
catch (AccessDeniedException accessError)
|
|
{
|
|
// Guest is unable to access either properties on Person
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
logger.warn("Unable to login as Guest: " + accessError.getMessage());
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
// Some other kind of serious failure to report
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
|
|
}
|
|
}
|
|
}
|
|
|
|
// session invalidated - return to login screen
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
else
|
|
{
|
|
// set last authentication username cookie value
|
|
String loginName;
|
|
if (loginBean != null && (loginName = loginBean.getUsernameInternal()) != null)
|
|
{
|
|
setUsernameCookie(req, res, loginName);
|
|
}
|
|
|
|
// Set up the thread context
|
|
setupThread(sc, req, res);
|
|
|
|
return AuthenticationStatus.Success;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using the supplied Ticket value.
|
|
*
|
|
* @return true if authentication successful, false otherwise.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext context, HttpServletRequest httpRequest, HttpServletResponse httpResponse, String ticket)
|
|
throws IOException
|
|
{
|
|
// setup the authentication context
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
|
|
AuthenticationService auth = (AuthenticationService)wc.getBean(AUTHENTICATION_SERVICE);
|
|
HttpSession session = httpRequest.getSession();
|
|
try
|
|
{
|
|
// If we already have a cached user, make sure it is for the right ticket
|
|
SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
|
|
if (user != null && !user.getTicket().equals(ticket))
|
|
{
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
session = httpRequest.getSession();
|
|
}
|
|
user = null;
|
|
}
|
|
|
|
// Validate the ticket and associate it with the session
|
|
auth.validate(ticket);
|
|
|
|
// Cache a new user in the session if required
|
|
if (user == null)
|
|
{
|
|
setUser(context, httpRequest, auth.getCurrentUserName(), ticket, false);
|
|
}
|
|
}
|
|
catch (AuthenticationException authErr)
|
|
{
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
}
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
// Some other kind of serious failure
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
|
|
// Set up the thread context
|
|
setupThread(context, httpRequest, httpResponse);
|
|
|
|
return AuthenticationStatus.Success;
|
|
}
|
|
|
|
/**
|
|
* Creates an object for an authenticated user and stores it in the session.
|
|
*
|
|
* @param context
|
|
* the servlet context
|
|
* @param req
|
|
* the request
|
|
* @param currentUsername
|
|
* the current user name
|
|
* @param ticket
|
|
* a validated ticket
|
|
* @param externalAuth
|
|
* was this user authenticated externally?
|
|
* @return the user object
|
|
*/
|
|
public static User setUser(ServletContext context, HttpServletRequest req, String currentUsername,
|
|
String ticket, boolean externalAuth)
|
|
{
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
|
|
|
|
User user = createUser(wc, currentUsername, ticket);
|
|
// store the User object in the Session - the authentication servlet will then proceed
|
|
HttpSession session = req.getSession(true);
|
|
session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
|
|
setExternalAuth(session, externalAuth);
|
|
return user;
|
|
}
|
|
|
|
/**
|
|
* Sets or clears the external authentication flag on the session
|
|
*
|
|
* @param session
|
|
* the session
|
|
* @param externalAuth
|
|
* was the user authenticated externally?
|
|
*/
|
|
private static void setExternalAuth(HttpSession session, boolean externalAuth)
|
|
{
|
|
if (externalAuth)
|
|
{
|
|
session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
|
|
}
|
|
else
|
|
{
|
|
session.removeAttribute(LoginBean.LOGIN_EXTERNAL_AUTH);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Creates an object for an authentication user.
|
|
*
|
|
* @param wc
|
|
* the web application context
|
|
* @param currentUsername
|
|
* the current user name
|
|
* @param ticket
|
|
* a validated ticket
|
|
* @return the user object
|
|
*/
|
|
private static User createUser(final WebApplicationContext wc, final String currentUsername, final String ticket)
|
|
{
|
|
final ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY);
|
|
return services.getTransactionService().getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionHelper.RetryingTransactionCallback<User>()
|
|
{
|
|
|
|
public User execute() throws Throwable
|
|
{
|
|
NodeService nodeService = services.getNodeService();
|
|
PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE);
|
|
NodeRef personRef = personService.getPerson(currentUsername);
|
|
User user = new User(currentUsername, ticket, personRef);
|
|
NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER);
|
|
|
|
// check that the home space node exists - else Login cannot proceed
|
|
if (nodeService.exists(homeRef) == false)
|
|
{
|
|
throw new InvalidNodeRefException(homeRef);
|
|
}
|
|
user.setHomeSpaceId(homeRef.getId());
|
|
return user;
|
|
}
|
|
});
|
|
}
|
|
|
|
/**
|
|
* For no previous authentication or forced Guest - attempt Guest access
|
|
*
|
|
* @param ctx
|
|
* WebApplicationContext
|
|
* @param auth
|
|
* AuthenticationService
|
|
*/
|
|
public static User portalGuestAuthenticate(WebApplicationContext ctx, AuthenticationService auth)
|
|
{
|
|
try
|
|
{
|
|
auth.authenticateAsGuest();
|
|
|
|
return createUser(ctx, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket());
|
|
}
|
|
catch (AuthenticationException guestError)
|
|
{
|
|
// Expected if Guest access not allowed - continue to login page as usual
|
|
}
|
|
catch (AccessDeniedException accessError)
|
|
{
|
|
// Guest is unable to access either properties on Person
|
|
AuthenticationService unprotAuthService = (AuthenticationService) ctx.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
logger.warn("Unable to login as Guest: " + accessError.getMessage());
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
// Some other kind of serious failure to report
|
|
AuthenticationService unprotAuthService = (AuthenticationService) ctx.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
|
|
}
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Attempts to retrieve the User object stored in the current session.
|
|
*
|
|
* @param sc
|
|
* the servlet context
|
|
* @param httpRequest
|
|
* The HTTP request
|
|
* @param httpResponse
|
|
* The HTTP response
|
|
* @return The User object representing the current user or null if it could not be found
|
|
*/
|
|
public static User getUser(final ServletContext sc, final HttpServletRequest httpRequest, HttpServletResponse httpResponse)
|
|
{
|
|
String userId = null;
|
|
|
|
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
|
|
final WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
|
|
RemoteUserMapper remoteUserMapper = (RemoteUserMapper) wc.getBean(REMOTE_USER_MAPPER);
|
|
if (!(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive())
|
|
{
|
|
userId = remoteUserMapper.getRemoteUser(httpRequest);
|
|
}
|
|
|
|
HttpSession session = httpRequest.getSession();
|
|
User user = null;
|
|
|
|
// examine the appropriate session to try and find the User object
|
|
SessionUser sessionUser = Application.getCurrentUser(session);
|
|
|
|
// Make sure the ticket is valid, the person exists, and the cached user is of the right type (WebDAV users have
|
|
// been known to leak in but shouldn't now)
|
|
if (sessionUser != null)
|
|
{
|
|
AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
|
|
try
|
|
{
|
|
auth.validate(sessionUser.getTicket());
|
|
if (sessionUser instanceof User)
|
|
{
|
|
user = (User)sessionUser;
|
|
setExternalAuth(session, userId != null);
|
|
}
|
|
else
|
|
{
|
|
user = setUser(sc, httpRequest, sessionUser.getUserName(), sessionUser.getTicket(), userId != null);
|
|
}
|
|
}
|
|
catch (AuthenticationException authErr)
|
|
{
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
}
|
|
}
|
|
}
|
|
|
|
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
|
|
if (userId != null)
|
|
{
|
|
// We have a previously-cached user with the wrong identity - replace them
|
|
if (user != null && !user.getUserName().equals(userId))
|
|
{
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
session.invalidate();
|
|
}
|
|
user = null;
|
|
}
|
|
|
|
if (user == null)
|
|
{
|
|
// If we have been authenticated by other means, just propagate through the user identity
|
|
AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc
|
|
.getBean(AUTHENTICATION_COMPONENT);
|
|
authenticationComponent.setCurrentUser(userId);
|
|
AuthenticationService authenticationService = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
|
|
user = setUser(sc, httpRequest, userId, authenticationService.getCurrentTicket(), true);
|
|
}
|
|
}
|
|
return user;
|
|
}
|
|
|
|
/**
|
|
* Setup the Alfresco auth cookie value.
|
|
*
|
|
* @param httpRequest
|
|
* @param httpResponse
|
|
* @param username
|
|
*/
|
|
public static void setUsernameCookie(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String username)
|
|
{
|
|
Cookie authCookie = getAuthCookie(httpRequest);
|
|
// Let's Base 64 encode the username so it is a legal cookie value
|
|
String encodedUsername;
|
|
try
|
|
{
|
|
encodedUsername = Base64.encodeBytes(username.getBytes("UTF-8"));
|
|
}
|
|
catch (UnsupportedEncodingException e)
|
|
{
|
|
throw new RuntimeException(e);
|
|
}
|
|
if (authCookie == null)
|
|
{
|
|
authCookie = new Cookie(COOKIE_ALFUSER, encodedUsername);
|
|
}
|
|
else
|
|
{
|
|
authCookie.setValue(encodedUsername);
|
|
}
|
|
authCookie.setPath(httpRequest.getContextPath());
|
|
// TODO: make this configurable - currently 7 days (value in seconds)
|
|
authCookie.setMaxAge(60*60*24*7);
|
|
httpResponse.addCookie(authCookie);
|
|
}
|
|
|
|
/**
|
|
* Helper to return the Alfresco auth cookie. The cookie saves the last used username value.
|
|
*
|
|
* @param httpRequest
|
|
*
|
|
* @return Cookie if found or null if not present
|
|
*/
|
|
public static Cookie getAuthCookie(HttpServletRequest httpRequest)
|
|
{
|
|
Cookie authCookie = null;
|
|
Cookie[] cookies = httpRequest.getCookies();
|
|
if (cookies != null)
|
|
{
|
|
for (int i=0; i<cookies.length; i++)
|
|
{
|
|
if (COOKIE_ALFUSER.equals(cookies[i].getName()))
|
|
{
|
|
// found cookie
|
|
authCookie = cookies[i];
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
return authCookie;
|
|
}
|
|
|
|
/**
|
|
* Gets the decoded auth cookie value.
|
|
*
|
|
* @param authCookie
|
|
* the auth cookie
|
|
* @return the auth cookie value
|
|
*/
|
|
public static String getAuthCookieValue(Cookie authCookie)
|
|
{
|
|
String authCookieValue = authCookie.getValue();
|
|
if (authCookieValue == null)
|
|
{
|
|
return null;
|
|
}
|
|
try
|
|
{
|
|
return new String(Base64.decode(authCookieValue), "UTF-8");
|
|
}
|
|
catch (UnsupportedEncodingException e)
|
|
{
|
|
throw new RuntimeException(e);
|
|
}
|
|
}
|
|
}
|