inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-06-30 18:15:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
alfresco-community-repo/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java
Derek Hulley 69249332d3 Merged V3.2 to HEAD 
15579: Merged V3.1 to V3.2
      14048: Fixed ETHREEOH-1612: Unable to modify the 'guest' username(s)
      14093: Build/test fix - fallout from recent guest changes
   15581: Removed reference to 'alfresco.messages.portlets' resource bundle
   15582: Fixed merge errors after guest user changes
   15583: Merged V3.1 to V3.2
      14049: Minor addition to ETHREEOH-1612 fix: Guest and Admin usernames should not be changed AFTER INSTALLATION
      14060: Handle null username in calls to authenticate
      14086: Removed references to non-existent GROUP_ALFRESCO_GUESTS.
   15584: Merged V3.1 to V3.2
      14103: Build/test fix - fallout from recent guest changes (revert previous change + move makeHomeFolderIfRequired out of getPersonOrNull)
   15585: Merged V3.1 to V3.2
      14110: Build/test fix (CMISTest) - fallout from recent guest changes (test server ctx must be init'ed before calling runAs)
      14166: Fixed ETHREEOH-2016: Usernames with domain-name separators lead to "bad filename" errors
      14184: *RECORD ONLY* Fixed ETHREEOH-2018: NTLM SSO fails with NPE
      14495: *RECORD ONLY*
      14511: *RECORD ONLY*
      14516: ETHREEOH-2162 (DB2 script key rename)
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /alfresco/BRANCHES/V3.0:r14494
   Merged /alfresco/BRANCHES/V3.1:r14048-14049,14060,14086,14093,14103,14110,14166,14184,14495,14511,14516
   Merged /alfresco/BRANCHES/V3.2:r15579,15581-15585


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16859 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2009-10-13 11:51:40 +00:00

599 lines
18 KiB
Java
Raw Blame History

/*
* Copyright (C) 2005-2009 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.repo.security.authentication;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.User;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.sync.UserRegistrySynchronizer;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport.TxnReadState;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* This class abstract the support required to set up and query the Acegi context for security enforcement. There are
* some simple default method implementations to support simple authentication.
*
* @author Andy Hind
*/
public abstract class AbstractAuthenticationComponent implements AuthenticationComponent
{
/**
* The abstract class keeps track of support for guest login
*/
private Boolean allowGuestLogin = null;
private Set<String> defaultAdministratorUserNames = Collections.emptySet();
private Set<String> defaultGuestUserNames = Collections.emptySet();
private AuthenticationContext authenticationContext;
private PersonService personService;
private NodeService nodeService;
private TransactionService transactionService;
private UserRegistrySynchronizer userRegistrySynchronizer;
private final Log logger = LogFactory.getLog(getClass());
public AbstractAuthenticationComponent()
{
super();
}
/**
* Set if guest login is supported.
*
* @param allowGuestLogin
*/
public void setAllowGuestLogin(Boolean allowGuestLogin)
{
this.allowGuestLogin = allowGuestLogin;
}
public void setAuthenticationContext(AuthenticationContext authenticationContext)
{
this.authenticationContext = authenticationContext;
}
public void setPersonService(PersonService personService)
{
this.personService = personService;
}
public void setNodeService(NodeService nodeService)
{
this.nodeService = nodeService;
}
public void setTransactionService(TransactionService transactionService)
{
this.transactionService = transactionService;
}
public void setUserRegistrySynchronizer(UserRegistrySynchronizer userRegistrySynchronizer)
{
this.userRegistrySynchronizer = userRegistrySynchronizer;
}
public TransactionService getTransactionService()
{
return transactionService;
}
public Boolean getAllowGuestLogin()
{
return allowGuestLogin;
}
public NodeService getNodeService()
{
return nodeService;
}
public PersonService getPersonService()
{
return personService;
}
public void authenticate(String userName, char[] password) throws AuthenticationException
{
if (logger.isDebugEnabled())
{
logger.debug("Authenticating user \"" + userName + '"');
}
if (userName == null)
{
throw new AuthenticationException("Null user name");
}
// Support guest login from the login screen
if (isGuestUserName(userName))
{
if (logger.isDebugEnabled())
{
logger.debug("User \"" + userName + "\" recognized as a guest user");
}
setGuestUserAsCurrentUser(getUserDomain(userName));
}
else
{
try
{
authenticateImpl(userName, password);
}
catch (RuntimeException e)
{
if (logger.isDebugEnabled())
{
logger.debug("Failed to authenticate user \"" + userName + '"', e);
}
throw e;
}
}
if (logger.isDebugEnabled())
{
logger.debug("User \"" + userName + "\" authenticated successfully");
}
}
/**
* Default unsupported authentication implementation - as of 2.1 this is the best way to implement your own
* authentication component as it will support guest login - prior to this direct over ride for authenticate(String ,
* char[]) was used. This will still work.
*
* @param userName
* @param password
*/
protected void authenticateImpl(String userName, char[] password)
{
throw new UnsupportedOperationException();
}
public Authentication setCurrentUser(String userName, UserNameValidationMode validationMode)
{
switch (validationMode)
{
case NONE:
return setCurrentUserImpl(userName);
case CHECK_AND_FIX:
default:
return setCurrentUser(userName);
}
}
public Authentication setCurrentUser(final String userName) throws AuthenticationException
{
if (isSystemUserName(userName))
{
return setCurrentUserImpl(userName);
}
else
{
SetCurrentUserCallback callback = new SetCurrentUserCallback(userName);
Authentication auth;
// If the repository is read only, we have to settle for a read only transaction. Auto user creation will
// not be possible.
if (transactionService.isReadOnly())
{
auth = transactionService.getRetryingTransactionHelper().doInTransaction(callback, true, false);
}
// Otherwise, we want a writeable transaction, so if the current transaction is read only we set the
// requiresNew flag to true
else
{
auth = transactionService.getRetryingTransactionHelper().doInTransaction(callback, false,
AlfrescoTransactionSupport.getTransactionReadState() == TxnReadState.TXN_READ_ONLY);
}
if ((auth == null) || (callback.ae != null))
{
throw callback.ae;
}
return auth;
}
}
/**
* Explicitly set the current user to be authenticated.
*
* @param userName
* String
* @return Authentication
*/
private Authentication setCurrentUserImpl(String userName) throws AuthenticationException
{
if (userName == null)
{
throw new AuthenticationException("Null user name");
}
if (isSystemUserName(userName))
{
return setSystemUserAsCurrentUser(getUserDomain(userName));
}
try
{
UserDetails ud = null;
if (isGuestUserName(userName))
{
String tenantDomain = getUserDomain(userName);
if (logger.isDebugEnabled())
{
logger.debug("Setting the current user to the guest user of tenant domain \"" + tenantDomain + '"');
}
GrantedAuthority[] gas = new GrantedAuthority[0];
ud = new User(getGuestUserName(tenantDomain), "", true, true, true, true, gas);
}
else
{
if (logger.isDebugEnabled())
{
logger.debug("Setting the current user to \"" + userName + '"');
}
ud = getUserDetails(userName);
}
return setUserDetails(ud);
}
catch (net.sf.acegisecurity.AuthenticationException ae)
{
throw new AuthenticationException(ae.getMessage(), ae);
}
}
/**
* Default implementation that makes an ACEGI object on the fly
*
* @param userName
* @return
*/
protected UserDetails getUserDetails(String userName)
{
GrantedAuthority[] gas = new GrantedAuthority[1];
gas[0] = new GrantedAuthorityImpl("ROLE_AUTHENTICATED");
UserDetails ud = new User(userName, "", true, true, true, true, gas);
return ud;
}
/**
* {@inheritDoc}
*/
public Authentication setCurrentAuthentication(Authentication authentication)
{
return this.authenticationContext.setCurrentAuthentication(authentication);
}
/**
* Get the current authentication context
*
* @return Authentication
* @throws AuthenticationException
*/
public Authentication getCurrentAuthentication() throws AuthenticationException
{
return authenticationContext.getCurrentAuthentication();
}
/**
* Get the current user name.
*
* @return String
* @throws AuthenticationException
*/
public String getCurrentUserName() throws AuthenticationException
{
return authenticationContext.getCurrentUserName();
}
/**
* Set the system user as the current user note: for MT, will set to default domain only
*
* @return Authentication
*/
public Authentication setSystemUserAsCurrentUser()
{
return authenticationContext.setSystemUserAsCurrentUser();
}
/**
* Get the name of the system user note: for MT, will get system for default domain only
*
* @return String
*/
public String getSystemUserName()
{
return authenticationContext.getSystemUserName();
}
/**
* Is this the system user ?
*
* @return boolean
*/
public boolean isSystemUserName(String userName)
{
return authenticationContext.isSystemUserName(userName);
}
/**
* Is the current user the system user?
*
* @return boolean
*/
public boolean isCurrentUserTheSystemUser()
{
return authenticationContext.isCurrentUserTheSystemUser();
}
/**
* Get the name of the Guest User note: for MT, will get guest for default domain only
*
* @return String
*/
public String getGuestUserName()
{
return authenticationContext.getGuestUserName();
}
public String getGuestUserName(String tenantDomain)
{
return authenticationContext.getGuestUserName(tenantDomain);
}
/**
* Set the guest user as the current user. note: for MT, will set to default domain only
*/
public Authentication setGuestUserAsCurrentUser() throws AuthenticationException
{
return setGuestUserAsCurrentUser(TenantService.DEFAULT_DOMAIN);
}
/**
* Set the guest user as the current user.
*/
private Authentication setGuestUserAsCurrentUser(String tenantDomain) throws AuthenticationException
{
if (allowGuestLogin == null)
{
if (implementationAllowsGuestLogin())
{
return setCurrentUser(getGuestUserName(tenantDomain));
}
else
{
throw new AuthenticationException("Guest authentication is not allowed");
}
}
else
{
if (allowGuestLogin.booleanValue())
{
return setCurrentUser(getGuestUserName(tenantDomain));
}
else
{
throw new AuthenticationException("Guest authentication is not allowed");
}
}
}
public boolean isGuestUserName(String userName)
{
return authenticationContext.isGuestUserName(userName);
}
protected abstract boolean implementationAllowsGuestLogin();
/**
* @return true if Guest user authentication is allowed, false otherwise
*/
public boolean guestUserAuthenticationAllowed()
{
if (allowGuestLogin == null)
{
return (implementationAllowsGuestLogin());
}
else
{
return (allowGuestLogin.booleanValue());
}
}
/**
* Remove the current security information
*/
public void clearCurrentSecurityContext()
{
authenticationContext.clearCurrentSecurityContext();
}
class SetCurrentUserCallback implements RetryingTransactionHelper.RetryingTransactionCallback<Authentication>
{
AuthenticationException ae = null;
String userName;
SetCurrentUserCallback(String userName)
{
this.userName = userName;
}
public Authentication execute() throws Throwable
{
try
{
String name = AuthenticationUtil.runAs(new RunAsWork<String>()
{
public String doWork() throws Exception
{
if (!personService.personExists(userName))
{
if (logger.isDebugEnabled())
{
logger.debug("User \"" + userName
+ "\" does not exist in Alfresco. Attempting to import / create the user.");
}
if (!userRegistrySynchronizer.createMissingPerson(userName))
{
if (logger.isDebugEnabled())
{
logger.debug("Failed to import / create user \"" + userName + '"');
}
throw new AuthenticationException("User \"" + userName
+ "\" does not exist in Alfresco");
}
}
NodeRef userNode = personService.getPerson(userName);
// Get the person name and use that as the current user to line up with permission
// checks
return (String) nodeService.getProperty(userNode, ContentModel.PROP_USERNAME);
}
}, getSystemUserName(getUserDomain(userName)));
return setCurrentUserImpl(name);
}
catch (AuthenticationException ae)
{
this.ae = ae;
return null;
}
}
}
/**
* {@inheritDoc}
*/
public Set<String> getDefaultAdministratorUserNames()
{
return this.defaultAdministratorUserNames;
}
/**
* Sets the user names who for this particular authentication system should be considered administrators by default.
*
* @param defaultAdministratorUserNames
* a set of user names
*/
public void setDefaultAdministratorUserNames(Set<String> defaultAdministratorUserNames)
{
this.defaultAdministratorUserNames = defaultAdministratorUserNames;
}
/**
* Convenience method to allow the administrator user names to be specified as a comma separated list
*
* @param defaultAdministratorUserNames
*/
public void setDefaultAdministratorUserNameList(String defaultAdministratorUserNames)
{
Set<String> nameSet = new TreeSet<String>();
if (defaultAdministratorUserNames.length() > 0)
{
nameSet.addAll(Arrays.asList(defaultAdministratorUserNames.split(",")));
}
setDefaultAdministratorUserNames(nameSet);
}
/**
* {@inheritDoc}
*/
public Set<String> getDefaultGuestUserNames()
{
return this.defaultGuestUserNames;
}
/**
* Sets the user names who for this particular authentication system should be considered administrators by default.
*
* @param defaultAdministratorUserNames
* a set of user names
*/
public void setDefaultGuestUserNames(Set<String> defaultGuestUserNames)
{
this.defaultGuestUserNames = defaultGuestUserNames;
}
/**
* Convenience method to allow the administrator user names to be specified as a comma separated list
*
* @param defaultAdministratorUserNames
*/
public void setDefaultGuestUserNameList(String defaultGuestUserNames)
{
Set<String> nameSet = new TreeSet<String>();
if (defaultGuestUserNames.length() > 0)
{
nameSet.addAll(Arrays.asList(defaultGuestUserNames.split(",")));
}
setDefaultGuestUserNames(nameSet);
}
public String getSystemUserName(String tenantDomain)
{
return authenticationContext.getSystemUserName(tenantDomain);
}
public String getUserDomain(String userName)
{
return authenticationContext.getUserDomain(userName);
}
public Authentication setSystemUserAsCurrentUser(String tenantDomain)
{
if (logger.isDebugEnabled())
{
logger.debug("Setting the current user to the system user of tenant domain \"" + tenantDomain + '"');
}
return authenticationContext.setSystemUserAsCurrentUser(tenantDomain);
}
public Authentication setUserDetails(UserDetails ud)
{
return authenticationContext.setUserDetails(ud);
}
}
Reference in New Issue View Git Blame Copy Permalink