mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
ac683161de
43944: Fixes: ALF-16090: fixes view mode for control param showTime.
43964: Fixes: ALF-14758. Adds distinct styling for menus nested 4 levels or deeper to prevent confusion if there's an overlap.
44029: MNT-180 - Clone for Hotfix: Word document on Windows via CIFS becomes locked (Read Only) when network drops temporarily
44040: Merged V3.4-BUF-GIX (3.4.12) to V4.1-BUG-FIX (4.1.3)
44039: Minor changes to TransformerDebug to make output more readable when there are exceptions.
- NPE when there is no exception message
44046: MERGE DEV to V4.1-BUG-FIX
ALF-16562 : CIFS: Excel document version history lost after saving content in Excel:mac 2011 on Mac Mountain Lion
44115: Changes to standalone file state cache access mode checks to bring them into line with the clustered file state cache.
44160: Fix for ALF-13129, checks to see if the child association already exists on the versioned node. If it exists it doesn't add it again.
44239: ALF-16977: InstallerBuilder 8.5.1 2012-11-29 with layout fix from Bitrock
44319: Latest installer translations from Gloria
44343: Merged V4.1 (4.1.2) to V4.1-BUG-FIX (4.1.3)
44339: ALF-17070: Merged to V4.1 (4.1.2) from V4.1-BUG-FIX (3.4.12)
<< Regression introduced into 4.0.2 on 12/4/12 r35201 >>
44337: Merged DEV to V3.4-BUG-FIX (3.4.12)
44297: ALF-16935: wcm/avm file picker fails to render selection from folders navigation only works with 127.0.0.1 url
- Fix for regression from ALF-11956, connected with setting titles for file picker controls
44316: Merged DEV to V4.1
44094: ALF-16794: CLONE - Webdav: Version history lost after editing content with Mac Word 2011 in Finder
Add WebDAV MOVE handling for case when backup is enabled in Mac 2011 Word
44285: ALF-16794: CLONE - Webdav: Version history lost after editing content with Mac Word 2011 in Finder
Handle Mac 2011 Word backup in scope of RenameShuffle
44312: Part 3 for ALF-16895 SOLR: Cannot find files after restart and reindex solr
- fix incremental cache state to cope with duplicate leaf/aux doc entries.
44283: Encoding fix by David Webster
44275: Part 2 for ALF-16895 SOLR: Cannot find files after restart and reindex solr
- fix initial cache state to cope with duplicate leaf/aux doc entries.
44252: Russian fix from Gloria
44200: Probable fix for ALF-16895 SOLR: Cannot find files after restart and reindex solr
- still difficult to reproduce
44149: Merged HEAD to V4.1
44037: ALF-16947: prevent dependency to web-framework-commons war to be transitive: this artifact is not generated in Ant build
44039: Version in parent-pom was not changed properly when deploying to Maven repo
44142: ITALIAN: Translation update based on EN r43623, fixes ALF-16609
44107: ALF-16016, ALF-15991, ALF-16180: Russian fixes by Gloria
44078: ALF-16620: Out of memory Error applying CopiedFromAspectPatch
- CopiedFromAspectPatch.WorkProvider.getNextWork() was fetching discrete managable chunks
- and then blowing up as it continually fetched into the same in-memory HashSet!
44404: Merged DEV to V4.1-BUG-FIX
44378: ALF-16791 : resource bundle deployement for localization does not work with the dynamic approach
1. Split out MessageService message lookup methods into new interface MessageLookup that lives in DataModel
2. Added a simple implementation for SOLR to use
3. Made M2Label look up model labels via a supplied MessageLookup argument
4. Make DictionaryService extend MessageLookup so that it's easy to find a MessageLookup if you've got a DictionaryService
5. Accounted for interface changes throughout.
44421: ALF-17114: Merged V3.4-BUG-FIX (3.4.12) to V4.1-BUG-FIX (4.1.3)
44419: ALF-17045 If GhostScript is not installed, deletion of content is not working
- Not just Ghostscript but any thumbnail failure
44422: ALF-16123: "CheckOutCheckInService.checkout fails with DuplicateChildNodeNameException if no working copy label message found in current locale"
44424: Merged V4.1 (4.1.2) to V4.1-BUG-FIX (4.1.3) RECORD ONLY
44423: ALF-17114: Merged V4.1-BUG-FIX (4.1.3) to V4.1 (4.1.2)
- got the wrong branch
44421: ALF-17114: Merged V3.4-BUG-FIX (3.4.12) to V4.1-BUG-FIX (4.1.3)
44419: ALF-17045 If GhostScript is not installed, deletion of content is not working
- Not just Ghostscript but any thumbnail failure
44447: Merged V4.0.2 (4.0.0.22) to V4.1-BUG-FIX (4.1.3) RECORD ONLY
<< Recording this as RECORD ONLY as it turns out the DEV code came form V4.1-BUG-FIX r42431 >>
44435: Merged DEV to V4.0.2 (4.0.2.22)
44429: MNT-232: Upgrade from 3.4.9 to 4.0.2 - FAILED
- Initialize rootRefs in the property definition to prevent NPE.
44468: Merged V3.4-PATCHES to V4.1-BUG-FIX
MNT-211 (Still needs implementing on 4.1)
44470: Fixes: ALF-16878 - don't use IE8's native JSON stringify method.
44511: ALF-16791: Added missing class.
44519: ALF-16791: Fixed broken unit tests
44541: Fix for ALF-17151 SOLR - add support to disable permission checks
44542: MNT-211 Re-implement on 4.1
44548: ALF-16791: Fixed broken SOLR
44559: ALF-17075: "Exporting and importing null MLText values does not work."
44577: Final part for ALF-16558 SOLR tracking does not do incremental updates but one single chunk
- fixed code so SolrSearchers are held for as little time as possible
44590: ALF-14523 (Share - Metadata constraint on workflow creation)
44594: ALF-16310: "Calling CancelCheckout() on the original document deletes the document."
44596: ALF-17075: "Exporting and importing null MLText values does not work." - change test name to something more meaningful
44599: ALF-16310: "Calling CancelCheckout() on the original document deletes the document."
44600: ALF-16791: Another omission not covered by unit tests
44603: ALF-14201: upgrade activiti to 5.7-20121211
44605: Added missing vti.server.url.path.prefix property required by commit 43471
Missing due to cherry picked commit, this is implemented as part of 39309 on HEAD.
44606: ALF-14201: upgrade activiti to 5.7-20121211 in Maven poms
44613: ALF-13690 (Share - It's possible to delete site groups via the UI)
44618: ALF-16939: "Error "importStatus.batchWeight is undefined" is thrown when Bulk Importer status webscript is run for XML format"
44621: Merged PATCHES/V4.1.1 to V4.1-BUG-FIX
44620: MNT-247: Merged DEV to PATCHES/V4.1.1 with corrections
44526: ALF-16964: Share alfrescoCookie connector fails when alfresco.authentication.allowGuestLogin=false, use case proxy between share and alfresco
Check if external authentication is active in BaseServlet
44628: Solution for ALF-3780 - Dashboard settings not deleted for deleted user.
Initial implementation by Dmitry Velichkevich.
Surf user config folder and user Surf dynamic component references are removed when user node is deleted via a Delete Node policy.
44632: addition of validation of NetworkFile isClosed property.
44648: Merge V3.4-BUG-FIX to V4.1-BUG-FIX (4.1.3)
44566: ALF-17164: Add SVN revision in version.properties when building in continuous mode
44602: ALF-17164: adding the SCM revision in version.build so that it is displayed
also, sneak in the SVN path, so that tracability is complete
44650: BDE-111: Stop creating installers in parallel, it fails on pbld02. Also, revert to zip compression to gain build time
44651: ALF-14348 (Unable to update external blog configuration details)
44654: Merged DEV to V4.1-BUG-FIX
44614: ALF-17119: Possible UI bug - "$$" chars added to permissions for IMAP Attachments folder
Added a message bundles for FullControll access role.
44655: Merged DEV to V4.1-BUG-FIX
44593: ALF-14154: Encoding problem when open a file via webdav on Windows XP
Ignore user credentials for the OPTIONS request.
44612: ALF-14154 : Encoding problem when open a file via webdav on Windows XP
Ignore user credentials for the OPTIONS request.
44666: ALF-12001: Privacy: blog activities - activity is seen for draft blogs
- Wrong node was being used for access checks
- Fix by Andrey Chernov
44671: Merged V3.4-BUG-FIX to V4.1-BUG-FIX
43939: ALF-17197 / ALF-16917: Merged PATCHES/V3.4.11 to V3.4-BUG-FIX
43896: MNT-198: Activity feeds get not generated in private sites for added files if username in LDAP-AD contains uppercase letters
- Now we can cope with a runAs where the username is in the wrong case
44296: ALF-17203 / ALF-17201 / MNT-216 : error saving versionable word documents
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@44675 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
758 lines
32 KiB
Java
758 lines
32 KiB
Java
/*
|
|
* Copyright (C) 2005-2012 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
package org.alfresco.web.app.servlet;
|
|
|
|
import java.io.IOException;
|
|
import java.io.UnsupportedEncodingException;
|
|
|
|
import javax.faces.context.FacesContext;
|
|
import javax.servlet.ServletContext;
|
|
import javax.servlet.http.Cookie;
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.servlet.http.HttpServletResponse;
|
|
import javax.servlet.http.HttpSession;
|
|
|
|
import org.alfresco.error.AlfrescoRuntimeException;
|
|
import org.alfresco.model.ContentModel;
|
|
import org.alfresco.repo.SessionUser;
|
|
import org.alfresco.repo.management.subsystems.ActivateableBean;
|
|
import org.alfresco.repo.security.authentication.AuthenticationComponent;
|
|
import org.alfresco.repo.security.authentication.AuthenticationException;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
|
import org.alfresco.repo.security.permissions.AccessDeniedException;
|
|
import org.alfresco.repo.transaction.RetryingTransactionHelper;
|
|
import org.alfresco.repo.webdav.auth.RemoteUserMapper;
|
|
import org.alfresco.service.ServiceRegistry;
|
|
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
|
|
import org.alfresco.service.cmr.repository.NodeRef;
|
|
import org.alfresco.service.cmr.repository.NodeService;
|
|
import org.alfresco.service.cmr.security.AuthenticationService;
|
|
import org.alfresco.service.cmr.security.PersonService;
|
|
import org.alfresco.web.app.Application;
|
|
import org.alfresco.web.app.portlet.AlfrescoFacesPortlet;
|
|
import org.alfresco.web.bean.LoginBean;
|
|
import org.alfresco.web.bean.repository.User;
|
|
import org.alfresco.web.bean.users.UserPreferencesBean;
|
|
import org.apache.commons.logging.Log;
|
|
import org.apache.commons.logging.LogFactory;
|
|
import org.springframework.extensions.surf.util.Base64;
|
|
import org.springframework.extensions.surf.util.I18NUtil;
|
|
import org.springframework.web.context.WebApplicationContext;
|
|
import org.springframework.web.context.support.WebApplicationContextUtils;
|
|
|
|
/**
|
|
* Helper to authenticate the current user using available Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If the ticket is invalid then a redirect is performed to the login page.
|
|
* <p>
|
|
* If no User info is found then a search will be made for a previous username stored in a Cookie
|
|
* value. If the username if found then a redirect to the Login page will occur. If no username
|
|
* is found then Guest access login will be attempted by the system. Guest access can be forced
|
|
* with the appropriate method call.
|
|
*
|
|
* @author Kevin Roast
|
|
*/
|
|
public final class AuthenticationHelper
|
|
{
|
|
/** session variables */
|
|
public static final String AUTHENTICATION_USER = "_alfAuthTicket";
|
|
public static final String SESSION_USERNAME = "_alfLastUser";
|
|
public static final String SESSION_INVALIDATED = "_alfSessionInvalid";
|
|
|
|
/** JSF bean IDs */
|
|
public static final String LOGIN_BEAN = "LoginBean";
|
|
|
|
/** public service bean IDs **/
|
|
private static final String AUTHENTICATION_SERVICE = "AuthenticationService";
|
|
private static final String AUTHENTICATION_COMPONENT = "AuthenticationComponent";
|
|
private static final String REMOTE_USER_MAPPER = "RemoteUserMapper";
|
|
private static final String UNPROTECTED_AUTH_SERVICE = "authenticationService";
|
|
private static final String PERSON_SERVICE = "personService";
|
|
|
|
/** cookie names */
|
|
private static final String COOKIE_ALFUSER = "alfUser0";
|
|
|
|
private static Log logger = LogFactory.getLog(AuthenticationHelper.class);
|
|
|
|
|
|
/**
|
|
* Does all the stuff you need to do after successfully authenticating/validating a user ticket to set up the request
|
|
* thread. A useful utility method for an authentication filter.
|
|
*
|
|
* @param sc
|
|
* the servlet context
|
|
* @param req
|
|
* the request
|
|
* @param res
|
|
* the response
|
|
*/
|
|
public static void setupThread(ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean useInterfaceLanguage)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Setting up the request thread.");
|
|
// setup faces context
|
|
FacesContext fc = Application.inPortalServer() ? AlfrescoFacesPortlet.getFacesContext(req) : FacesHelper
|
|
.getFacesContext(req, res, sc);
|
|
|
|
// Set the current locale and language (overriding the one already decoded from the Accept-Language header
|
|
I18NUtil.setLocale(Application.getLanguage(req.getSession(), Application.getClientConfig(fc).isLanguageSelect() && useInterfaceLanguage));
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The general locale is : " + I18NUtil.getLocale());
|
|
|
|
// Programatically retrieve the UserPreferencesBean from JSF
|
|
UserPreferencesBean userPreferencesBean = (UserPreferencesBean) FacesHelper.getManagedBean(fc, "UserPreferencesBean");
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The UserPreferencesBean is : " + userPreferencesBean);
|
|
if (userPreferencesBean != null)
|
|
{
|
|
String contentFilterLanguageStr = userPreferencesBean.getContentFilterLanguage();
|
|
if (contentFilterLanguageStr != null)
|
|
{
|
|
// Set the locale for the method interceptor for MLText properties
|
|
I18NUtil.setContentLocale(I18NUtil.parseLocale(contentFilterLanguageStr));
|
|
}
|
|
else
|
|
{
|
|
// Nothing has been selected, so remove the content filter
|
|
I18NUtil.setContentLocale(null);
|
|
}
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The content locale is : " + I18NUtil.getContentLocale());
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using session based Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If no User info is found or the ticket is invalid then a redirect is performed to the login page.
|
|
*
|
|
* @param forceGuest True to force a Guest login attempt
|
|
*
|
|
* @return AuthenticationStatus result.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest)
|
|
throws IOException
|
|
{
|
|
return authenticate(sc, req, res, forceGuest, true);
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using session based Ticket information.
|
|
* <p>
|
|
* User information is looked up in the Session. If found the ticket is retrieved and validated.
|
|
* If no User info is found or the ticket is invalid then a redirect is performed to the login page.
|
|
*
|
|
* @param forceGuest True to force a Guest login attempt
|
|
* @param allowGuest True to allow the Guest user if no user object represent
|
|
*
|
|
* @return AuthenticationStatus result.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean forceGuest, boolean allowGuest)
|
|
throws IOException
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Authenticating the current user using session based Ticket information.");
|
|
// retrieve the User object
|
|
User user = getUser(sc, req, res);
|
|
|
|
HttpSession session = req.getSession();
|
|
|
|
// get the login bean if we're not in the portal
|
|
LoginBean loginBean = null;
|
|
if (Application.inPortalServer() == false)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("We're not in the portal, getting the login bean.");
|
|
loginBean = (LoginBean)session.getAttribute(LOGIN_BEAN);
|
|
}
|
|
|
|
// setup the authentication context
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
|
|
AuthenticationService auth = (AuthenticationService)wc.getBean(AUTHENTICATION_SERVICE);
|
|
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Force guest is: " + forceGuest);
|
|
if (user == null || forceGuest)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The user is null.");
|
|
// Check for the session invalidated flag - this is set by the Logout action in the LoginBean
|
|
// it signals a forced Logout and means we should not immediately attempt a relogin as Guest.
|
|
// The attribute is removed from the session by the login.jsp page after the Cookie containing
|
|
// the last stored username string is cleared.
|
|
if (session.getAttribute(AuthenticationHelper.SESSION_INVALIDATED) == null)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The session is not invalidated.");
|
|
Cookie authCookie = getAuthCookie(req);
|
|
if (allowGuest == true && (authCookie == null || forceGuest))
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("No previous authentication or forced Guest - attempt Guest access.");
|
|
try
|
|
{
|
|
auth.authenticateAsGuest();
|
|
|
|
// if we get here then Guest access was allowed and successful
|
|
setUser(sc, req, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket(), false);
|
|
|
|
// Set up the thread context
|
|
setupThread(sc, req, res, true);
|
|
|
|
// remove the session invalidated flag
|
|
session.removeAttribute(AuthenticationHelper.SESSION_INVALIDATED);
|
|
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Successfully authenticated as guest.");
|
|
// it is the responsibilty of the caller to handle the Guest return status
|
|
return AuthenticationStatus.Guest;
|
|
}
|
|
catch (AuthenticationException guestError)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("An AuthenticationException occurred, expected if Guest access not allowed - continue to login page as usual", guestError);
|
|
}
|
|
catch (AccessDeniedException accessError)
|
|
{
|
|
// Guest is unable to access either properties on Person
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
logger.warn("Unable to login as Guest: ", accessError);
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
// Some other kind of serious failure to report
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
|
|
}
|
|
}
|
|
}
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Session invalidated - return to login screen.");
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
else
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The user is: " + user.getUserName());
|
|
// set last authentication username cookie value
|
|
String loginName;
|
|
if (loginBean != null && (loginName = loginBean.getUsernameInternal()) != null)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Set last authentication username cookie value");
|
|
setUsernameCookie(req, res, loginName);
|
|
}
|
|
|
|
// Set up the thread context
|
|
setupThread(sc, req, res, true);
|
|
|
|
return AuthenticationStatus.Success;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Helper to authenticate the current user using the supplied Ticket value.
|
|
*
|
|
* @return true if authentication successful, false otherwise.
|
|
*/
|
|
public static AuthenticationStatus authenticate(
|
|
ServletContext context, HttpServletRequest httpRequest, HttpServletResponse httpResponse, String ticket)
|
|
throws IOException
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Authenticate the current user using the supplied Ticket value.");
|
|
// setup the authentication context
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
|
|
AuthenticationService auth = (AuthenticationService)wc.getBean(AUTHENTICATION_SERVICE);
|
|
HttpSession session = httpRequest.getSession();
|
|
try
|
|
{
|
|
// If we already have a cached user, make sure it is for the right ticket
|
|
SessionUser user = (SessionUser)session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
|
|
if (user != null && !user.getTicket().equals(ticket))
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Found a previously-cached user with the wrong identity.");
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The server is not running in a portal, invalidating session.");
|
|
session.invalidate();
|
|
session = httpRequest.getSession();
|
|
}
|
|
user = null;
|
|
}
|
|
|
|
// Validate the ticket and associate it with the session
|
|
auth.validate(ticket);
|
|
|
|
if (user == null)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Ticket is valid; caching a new user in the session.");
|
|
setUser(context, httpRequest, auth.getCurrentUserName(), ticket, false);
|
|
}
|
|
else if (logger.isDebugEnabled())
|
|
logger.debug("Ticket is valid; retaining cached user in session.");
|
|
}
|
|
catch (AuthenticationException authErr)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("An AuthenticationException occured: ", authErr);
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The server is not running in a portal, invalidating session.");
|
|
session.invalidate();
|
|
}
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Authentication failed due to unexpected error", e);
|
|
// Some other kind of serious failure
|
|
AuthenticationService unprotAuthService = (AuthenticationService)wc.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
return AuthenticationStatus.Failure;
|
|
}
|
|
|
|
// As we are authenticating via a ticket, establish the session locale using request headers rather than web client preferences
|
|
setupThread(context, httpRequest, httpResponse, false);
|
|
|
|
return AuthenticationStatus.Success;
|
|
}
|
|
|
|
/**
|
|
* Creates an object for an authenticated user and stores it in the session.
|
|
*
|
|
* @param context
|
|
* the servlet context
|
|
* @param req
|
|
* the request
|
|
* @param currentUsername
|
|
* the current user name
|
|
* @param ticket
|
|
* a validated ticket
|
|
* @param externalAuth
|
|
* was this user authenticated externally?
|
|
* @return the user object
|
|
*/
|
|
public static User setUser(ServletContext context, HttpServletRequest req, String currentUsername,
|
|
String ticket, boolean externalAuth)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Creating an object for " + currentUsername + " and storing it in the session");
|
|
WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(context);
|
|
|
|
User user = createUser(wc, currentUsername, ticket);
|
|
// store the User object in the Session - the authentication servlet will then proceed
|
|
HttpSession session = req.getSession(true);
|
|
session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
|
|
setExternalAuth(session, externalAuth);
|
|
return user;
|
|
}
|
|
|
|
/**
|
|
* Sets or clears the external authentication flag on the session
|
|
*
|
|
* @param session
|
|
* the session
|
|
* @param externalAuth
|
|
* was the user authenticated externally?
|
|
*/
|
|
private static void setExternalAuth(HttpSession session, boolean externalAuth)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Settings the external authentication flag on the session to " + externalAuth);
|
|
if (externalAuth)
|
|
{
|
|
session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
|
|
}
|
|
else
|
|
{
|
|
session.removeAttribute(LoginBean.LOGIN_EXTERNAL_AUTH);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Creates an object for an authentication user.
|
|
*
|
|
* @param wc
|
|
* the web application context
|
|
* @param currentUsername
|
|
* the current user name
|
|
* @param ticket
|
|
* a validated ticket
|
|
* @return the user object
|
|
*/
|
|
private static User createUser(final WebApplicationContext wc, final String currentUsername, final String ticket)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Creating an object for " + currentUsername + " with ticket: " + ticket);
|
|
final ServiceRegistry services = (ServiceRegistry) wc.getBean(ServiceRegistry.SERVICE_REGISTRY);
|
|
return services.getTransactionService().getRetryingTransactionHelper().doInTransaction(
|
|
new RetryingTransactionHelper.RetryingTransactionCallback<User>()
|
|
{
|
|
|
|
public User execute() throws Throwable
|
|
{
|
|
NodeService nodeService = services.getNodeService();
|
|
PersonService personService = (PersonService) wc.getBean(PERSON_SERVICE);
|
|
NodeRef personRef = personService.getPerson(currentUsername);
|
|
User user = new User(currentUsername, ticket, personRef);
|
|
NodeRef homeRef = (NodeRef) nodeService.getProperty(personRef, ContentModel.PROP_HOMEFOLDER);
|
|
|
|
// check that the home space node exists - else Login cannot proceed
|
|
if (nodeService.exists(homeRef) == false)
|
|
{
|
|
throw new InvalidNodeRefException(homeRef);
|
|
}
|
|
user.setHomeSpaceId(homeRef.getId());
|
|
return user;
|
|
}
|
|
});
|
|
}
|
|
|
|
/**
|
|
* For no previous authentication or forced Guest - attempt Guest access
|
|
*
|
|
* @param ctx
|
|
* WebApplicationContext
|
|
* @param auth
|
|
* AuthenticationService
|
|
*/
|
|
public static User portalGuestAuthenticate(WebApplicationContext ctx, AuthenticationService auth)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Authenticating the current user as Guest in a portal.");
|
|
try
|
|
{
|
|
auth.authenticateAsGuest();
|
|
|
|
return createUser(ctx, AuthenticationUtil.getGuestUserName(), auth.getCurrentTicket());
|
|
}
|
|
catch (AuthenticationException guestError)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("An AuthenticationException occurred, expected if Guest access not allowed - continue to login page as usual", guestError);
|
|
}
|
|
catch (AccessDeniedException accessError)
|
|
{
|
|
// Guest is unable to access either properties on Person
|
|
AuthenticationService unprotAuthService = (AuthenticationService) ctx.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
logger.warn("Unable to login as Guest: " + accessError.getMessage());
|
|
}
|
|
catch (Throwable e)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Unexpected error authenticating as Guest in a portal.", e);
|
|
// Some other kind of serious failure to report
|
|
AuthenticationService unprotAuthService = (AuthenticationService) ctx.getBean(UNPROTECTED_AUTH_SERVICE);
|
|
unprotAuthService.invalidateTicket(unprotAuthService.getCurrentTicket());
|
|
unprotAuthService.clearCurrentSecurityContext();
|
|
throw new AlfrescoRuntimeException("Failed to authenticate as Guest user.", e);
|
|
}
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Uses the remote user mapper, if one is configured, to extract a user ID from the request
|
|
*
|
|
* @param sc
|
|
* the servlet context
|
|
* @param httpRequest
|
|
* The HTTP request
|
|
* @return the user ID if a user has been externally authenticated or <code>null</code> otherwise.
|
|
*/
|
|
public static String getRemoteUser(final ServletContext sc, final HttpServletRequest httpRequest)
|
|
{
|
|
String userId = null;
|
|
|
|
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
|
|
RemoteUserMapper remoteUserMapper = getRemoteUserMapper(sc);
|
|
if (remoteUserMapper != null)
|
|
{
|
|
userId = remoteUserMapper.getRemoteUser(httpRequest);
|
|
}
|
|
if (logger.isDebugEnabled())
|
|
{
|
|
if (userId == null)
|
|
{
|
|
logger.debug("No external user ID in request.");
|
|
}
|
|
else
|
|
{
|
|
logger.debug("Extracted external user ID from request: " + userId);
|
|
}
|
|
}
|
|
|
|
return userId;
|
|
}
|
|
|
|
/**
|
|
* Gets the remote user mapper if one is configured and active (i.e. external authentication is in use).
|
|
* @param sc
|
|
* the servlet context
|
|
* @return the remote user mapper if one is configured and active; otherwise <code>null</code>
|
|
*/
|
|
public static RemoteUserMapper getRemoteUserMapper(final ServletContext sc)
|
|
{
|
|
final WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
|
|
RemoteUserMapper remoteUserMapper = (RemoteUserMapper) wc.getBean(REMOTE_USER_MAPPER);
|
|
if (remoteUserMapper != null && !(remoteUserMapper instanceof ActivateableBean) || ((ActivateableBean) remoteUserMapper).isActive())
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
{
|
|
logger.debug("Remote user mapper configured and active.");
|
|
}
|
|
return remoteUserMapper;
|
|
}
|
|
if (logger.isDebugEnabled())
|
|
{
|
|
logger.debug("No active remote user mapper.");
|
|
}
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Attempts to retrieve the User object stored in the current session.
|
|
*
|
|
* @param sc
|
|
* the servlet context
|
|
* @param httpRequest
|
|
* The HTTP request
|
|
* @param httpResponse
|
|
* The HTTP response
|
|
* @return The User object representing the current user or null if it could not be found
|
|
*/
|
|
public static User getUser(final ServletContext sc, final HttpServletRequest httpRequest, HttpServletResponse httpResponse)
|
|
{
|
|
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
|
|
String userId = getRemoteUser(sc, httpRequest);
|
|
|
|
final WebApplicationContext wc = WebApplicationContextUtils.getRequiredWebApplicationContext(sc);
|
|
HttpSession session = httpRequest.getSession();
|
|
User user = null;
|
|
|
|
// examine the appropriate session to try and find the User object
|
|
SessionUser sessionUser = Application.getCurrentUser(session);
|
|
|
|
// Make sure the ticket is valid, the person exists, and the cached user is of the right type (WebDAV users have
|
|
// been known to leak in but shouldn't now)
|
|
if (sessionUser != null)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("SessionUser is: " + sessionUser.getUserName());
|
|
AuthenticationService auth = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
|
|
try
|
|
{
|
|
auth.validate(sessionUser.getTicket());
|
|
if (sessionUser instanceof User)
|
|
{
|
|
user = (User)sessionUser;
|
|
setExternalAuth(session, userId != null);
|
|
}
|
|
else
|
|
{
|
|
user = setUser(sc, httpRequest, sessionUser.getUserName(), sessionUser.getTicket(), userId != null);
|
|
}
|
|
}
|
|
catch (AuthenticationException authErr)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("An authentication error occured while setting the session user", authErr);
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Invalidating the session.");
|
|
session.invalidate();
|
|
}
|
|
}
|
|
}
|
|
|
|
// If the remote user mapper is configured, we may be able to map in an externally authenticated user
|
|
if (userId != null)
|
|
{
|
|
// We have a previously-cached user with the wrong identity - replace them
|
|
if (user != null && !user.getUserName().equals(userId))
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("We have a previously-cached user with the wrong identity - replace them");
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Invalidating session.");
|
|
session.invalidate();
|
|
}
|
|
user = null;
|
|
}
|
|
|
|
if (user == null)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("There are no previously-cached users.");
|
|
// If we have been authenticated by other means, just propagate through the user identity
|
|
AuthenticationComponent authenticationComponent = (AuthenticationComponent) wc
|
|
.getBean(AUTHENTICATION_COMPONENT);
|
|
try
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("We have been authenticated by other means, authenticating the user: " + userId);
|
|
authenticationComponent.setCurrentUser(userId);
|
|
AuthenticationService authenticationService = (AuthenticationService) wc.getBean(AUTHENTICATION_SERVICE);
|
|
user = setUser(sc, httpRequest, userId, authenticationService.getCurrentTicket(), true);
|
|
}
|
|
catch (AuthenticationException authErr)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("An authentication error occured while setting the session user" , authErr);
|
|
// Allow for an invalid external user ID to be indicated
|
|
session.removeAttribute(AUTHENTICATION_USER);
|
|
if (!Application.inPortalServer())
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Invalidating the session.");
|
|
session.invalidate();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return user;
|
|
}
|
|
|
|
/**
|
|
* Setup the Alfresco auth cookie value.
|
|
*
|
|
* @param httpRequest
|
|
* @param httpResponse
|
|
* @param username
|
|
*/
|
|
public static void setUsernameCookie(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String username)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Setting up the Alfresco auth cookie for " + username);
|
|
Cookie authCookie = getAuthCookie(httpRequest);
|
|
// Let's Base 64 encode the username so it is a legal cookie value
|
|
String encodedUsername;
|
|
try
|
|
{
|
|
encodedUsername = Base64.encodeBytes(username.getBytes("UTF-8"));
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Base 64 encode the username: " + encodedUsername);
|
|
}
|
|
catch (UnsupportedEncodingException e)
|
|
{
|
|
throw new RuntimeException(e);
|
|
}
|
|
if (authCookie == null)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("No Alfresco auth cookie wa found, creating new one.");
|
|
authCookie = new Cookie(COOKIE_ALFUSER, encodedUsername);
|
|
}
|
|
else
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Updating the previous Alfresco auth cookie value.");
|
|
authCookie.setValue(encodedUsername);
|
|
}
|
|
authCookie.setPath(httpRequest.getContextPath());
|
|
// TODO: make this configurable - currently 7 days (value in seconds)
|
|
authCookie.setMaxAge(60*60*24*7);
|
|
httpResponse.addCookie(authCookie);
|
|
}
|
|
|
|
/**
|
|
* Helper to return the Alfresco auth cookie. The cookie saves the last used username value.
|
|
*
|
|
* @param httpRequest
|
|
*
|
|
* @return Cookie if found or null if not present
|
|
*/
|
|
public static Cookie getAuthCookie(HttpServletRequest httpRequest)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Searching for Alfresco auth cookie.");
|
|
Cookie authCookie = null;
|
|
Cookie[] cookies = httpRequest.getCookies();
|
|
if (cookies != null)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Cookies present.");
|
|
for (int i=0; i<cookies.length; i++)
|
|
{
|
|
if (COOKIE_ALFUSER.equals(cookies[i].getName()))
|
|
{
|
|
// found cookie
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Found Alfresco auth cookie: " + cookies[i].toString());
|
|
authCookie = cookies[i];
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
return authCookie;
|
|
}
|
|
|
|
/**
|
|
* Gets the decoded auth cookie value.
|
|
*
|
|
* @param authCookie
|
|
* the auth cookie
|
|
* @return the auth cookie value
|
|
*/
|
|
public static String getAuthCookieValue(Cookie authCookie)
|
|
{
|
|
String authCookieValue = authCookie.getValue();
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("Decoding auth cookie: " + authCookieValue);
|
|
if (authCookieValue == null)
|
|
{
|
|
return null;
|
|
}
|
|
try
|
|
{
|
|
String decodedAuthCoockieValue = new String(Base64.decode(authCookieValue), "UTF-8");
|
|
if (logger.isDebugEnabled())
|
|
logger.debug("The auth cookie is: " + decodedAuthCoockieValue);
|
|
return decodedAuthCoockieValue;
|
|
}
|
|
catch (UnsupportedEncodingException e)
|
|
{
|
|
throw new RuntimeException(e);
|
|
}
|
|
}
|
|
}
|