inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-06-30 18:15:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
alfresco-community-repo/source/java/org/alfresco/repo/template/People.java
Dave Ward 85c1b71826 Merged V3.2 to HEAD 
16662: LDAP sync: improved group association filtering, referential integrity checking, deletion strategy and performance tuning of batch sizes
   16648: ETHREEOH-2752: Improved ticket validation fix
      - Invalidate user's tickets during person deletion rather than validation or it can mess up chained validation
   16647: ETHREEOH-2534: Fixed Sharepoint NTLM authentication
      - user details were never getting cached in the session
   16579: Small improvement to LDAP error reporting
      - Committed errors counted before successes in a logging interval
   16515: LDAP sync performance
      - Improved full sync strategy - run differential queries to work out required updates/additions and full queries to work out required deletions. Saves updating unchanged nodes.
      - Use a TreeSet rather than a HashSet to gather group associations in an attempt to avoid blowing the heap size
   16498: More LDAP performance improvements
      - Uses thread pool with 4 worker threads and blocking queue to process returned results. The number of worker threads can be controlled by the synchronization.workerThreads property.
      - Switched LDAP connection pooling back on again
      - Group Associations processsed individually so that errors are collated and we get a better idea of their throughput
      - Fixed potential bug. Group membership resolution done with isolated LDAP context to avoid cookies from paging creeping in.
   16424: Try switching off LDAP connection pooling to see if it works better with our flaky server.
   16414: Further LDAP fault tolerance
      - Log causes of group member resolution failures where possible
   16413: More fault tolerance for LDAP sync
      - Always commit last sync times before overall sync is complete to avoid the 'forgetting' of differential sync information
      - DN comparisons should be case insensitive to avoid issues resolving DNs to user and group IDs
   16398: Improved monitoring and fault tolerance for LDAP sync
      - When the batch is complete a summary of the number of errors and the last error stack trace will be logged at ERROR level
      - Each individual error is logged at WARN level and progress information (including % complete) is collated and logged at INFO level after a configurable interval
      - In the Enterprise Edition all metrics can be monitored in real time through JMX
      - Sanity testing to be performed by Mike!
   16319: Merged HEAD to V3.2
      16316: ALFCOM-3397: JBoss 5 compatibility fix
         - Relative paths used by LDAP subsystem configuration weren't being resolved correctly
         - See also https://jira.jboss.org/jira/browse/JBAS-6548 and https://jira.springsource.org/browse/SPR-5120
   16272: ETHREEOH-2752: Once more with feeling!
   16261: ETHREEOH-2752: Correct exception propagation.
   16260: ETHREEOH-2752: Fix ticket validation
      - Current ticket was getting forgotten by previous fix
      - Person validation in CHECK mode now done AFTER the current user is set, so that the current ticket is remembered
   16243: ETHREEOH-2752: Improve ticket validation used by all authentication filters
      - Now takes into account whether person actually exists or not
      - Tickets for non-nonexistent persons are now considered invalid and cached session information is invalidated
      - New BaseAuthenticationFilter superclass for all authentication filters
      - Improved fix to ETHREEOH-2839: WebDAV user is cached consistently using a different session attribute from the Web Client
   16233: ETHREEOH-2754: Correction to previous checkin.
      - relogin for SSO authentication, logout for normal login page
      - logout is default
   16232: ETHREEOH-2754: Log Out Action outcome passed as a parameter
      - relogin for SSO authentication, login for normal login page
      - Means the log out link always leads to the correct place, even when the session has expired
      - Also lowered ticket validation error logging to DEBUG level to avoid unnecessary noise in the logs from expired sessions
   16220: ETHREEOH-2839: Fixed potential ClassCastExceptions when Alfresco accessed via WebDAV and Web Client links in same browser
      - WebDAV side no longer directly casts session user to a WebDAVUser
      - ContextListener no longer casts session user to web client user
      - Web client side will 'promote' session user to a web client User if necessary via AuthenticationHelper
      - All authentication filters made to use appropriate AuthenticationHelper methods
   16211: ETHREEOH-2835: LDAP sync batches user and group deletions as well as creations
      - Also improved logging of sync failures
   16197: ETHREEOH-2782: LDAP subsystems now support search-based user DN resolution
      - When ldap.authentication.userNameFormat isn't set (now the default) converts a user ID to a DN by running ldap.synchronization.personQuery with an extra condition tacked on the end to find the user by ID
      - Structured directories and authentication by attributes not in the DN such as email address now supported
   16189: ALFCOM-3283: Prevent errors when user accepts an invite when not logged in
      - new isGuest attribute propagated to user object
      - header component (used by accept-invite page) needs to avoid calling prefs and site webscripts for guest user
      - Conditional stuff in header template changed to use user.isGuest


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@16896 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2009-10-14 09:24:13 +00:00

304 lines
10 KiB
Java
Raw Blame History

/*
* Copyright (C) 2005-2009 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have received a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.repo.template;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authority.AuthorityDAO;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.util.ParameterCheck;
/**
* People and users support in FreeMarker templates.
*
* @author Kevin Roast
*/
public class People extends BaseTemplateProcessorExtension
{
/** Repository Service Registry */
private ServiceRegistry services;
private AuthorityDAO authorityDAO;
private AuthorityService authorityService;
private AuthenticationService authenticationService;
private PersonService personService;
private StoreRef storeRef;
/**
* Set the default store reference
*
* @param storeRef the default store reference
*/
public void setStoreUrl(String storeRef)
{
// ensure this is not set again
if (this.storeRef != null)
{
throw new IllegalStateException("Default store URL can only be set once.");
}
this.storeRef = new StoreRef(storeRef);
}
/**
* Set the service registry
*
* @param serviceRegistry the service registry
*/
public void setServiceRegistry(ServiceRegistry serviceRegistry)
{
this.services = serviceRegistry;
}
/**
* Set the authority DAO
*
* @param authorityDAO authority dao
*/
public void setAuthorityDAO(AuthorityDAO authorityDAO)
{
this.authorityDAO = authorityDAO;
}
/**
* Set the authority service
*
* @param authorityService The authorityService to set.
*/
public void setAuthorityService(AuthorityService authorityService)
{
this.authorityService = authorityService;
}
/**
* Set the person service
*
* @param personService The personService to set.
*/
public void setPersonService(PersonService personService)
{
this.personService = personService;
}
/**
* Sets the authentication service.
*
* @param authenticationService
* the new authentication service
*/
public void setAuthenticationService(AuthenticationService authenticationService)
{
this.authenticationService = authenticationService;
}
/**
* Gets the Person given the username
*
* @param username the username of the person to get
* @return the person node (type cm:person) or null if no such person exists
*/
public TemplateNode getPerson(String username)
{
ParameterCheck.mandatoryString("Username", username);
TemplateNode person = null;
if (personService.personExists(username))
{
NodeRef personRef = personService.getPerson(username);
person = new TemplateNode(personRef, services, getTemplateImageResolver());
}
return person;
}
/**
* Gets the Group given the group name
*
* @param groupName name of group to get
* @return the group node (type usr:authorityContainer) or null if no such group exists
*/
public TemplateNode getGroup(String groupName)
{
ParameterCheck.mandatoryString("GroupName", groupName);
TemplateNode group = null;
NodeRef groupRef = authorityDAO.getAuthorityNodeRefOrNull(groupName);
if (groupRef != null)
{
group = new TemplateNode(groupRef, services, getTemplateImageResolver());
}
return group;
}
/**
* Gets the members (people) of a group (including all sub-groups)
*
* @param group the group to retrieve members for
* @param recurse recurse into sub-groups
*
* @return list of nodes representing the group members
*/
public List<TemplateNode> getMembers(TemplateNode group)
{
ParameterCheck.mandatory("Group", group);
return getContainedAuthorities(group, AuthorityType.USER, true);
}
/**
* Gets the members (people) of a group
*
* @param group the group to retrieve members for
* @param recurse recurse into sub-groups
*
* @return list of nodes representing the group members
*/
public List<TemplateNode> getMembers(TemplateNode group, boolean recurse)
{
ParameterCheck.mandatory("Group", group);
return getContainedAuthorities(group, AuthorityType.USER, recurse);
}
/**
* Gets the groups that contain the specified authority
*
* @param person the user (cm:person) to get the containing groups for
*
* @return the containing groups as a JavaScript array, can be null
*/
public List<TemplateNode> getContainerGroups(TemplateNode person)
{
ParameterCheck.mandatory("Person", person);
List<TemplateNode> parents;
Set<String> authorities = this.authorityService.getContainingAuthorities(
AuthorityType.GROUP,
(String)person.getProperties().get(ContentModel.PROP_USERNAME),
false);
parents = new ArrayList<TemplateNode>(authorities.size());
for (String authority : authorities)
{
TemplateNode group = getGroup(authority);
if (group != null)
{
parents.add(group);
}
}
return parents;
}
/**
* Return true if the specified user is an Administrator authority.
*
* @param person to test
*
* @return true if an admin, false otherwise
*/
public boolean isAdmin(TemplateNode person)
{
ParameterCheck.mandatory("Person", person);
return this.authorityService.isAdminAuthority((String)person.getProperties().get(ContentModel.PROP_USERNAME));
}
/**
* Return true if the specified user is an Administrator authority.
*
* @param person to test
*
* @return true if an admin, false otherwise
*/
public boolean isGuest(TemplateNode person)
{
ParameterCheck.mandatory("Person", person);
return this.authorityService.isGuestAuthority((String)person.getProperties().get(ContentModel.PROP_USERNAME));
}
/**
* Return true if the specified user account is enabled.
*
* @param person to test
*
* @return true if account enabled, false if disabled
*/
public boolean isAccountEnabled(TemplateNode person)
{
// Only admins have rights to check authentication enablement
if (this.authorityService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()))
{
return this.authenticationService.getAuthenticationEnabled((String) person.getProperties().get(
ContentModel.PROP_USERNAME));
}
return true;
}
/**
* Get Contained Authorities
*
* @param container authority containers
* @param type authority type to filter by
* @param recurse recurse into sub-containers
*
* @return contained authorities
*/
private List<TemplateNode> getContainedAuthorities(TemplateNode container, AuthorityType type, boolean recurse)
{
List<TemplateNode> members = null;
if (container.getType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
{
String groupName = (String)container.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
Set<String> authorities = authorityService.getContainedAuthorities(type, groupName, !recurse);
members = new ArrayList<TemplateNode>(authorities.size());
for (String authority : authorities)
{
AuthorityType authorityType = AuthorityType.getAuthorityType(authority);
if (authorityType.equals(AuthorityType.GROUP))
{
TemplateNode group = getGroup(authority);
if (group != null)
{
members.add(group);
}
}
else if (authorityType.equals(AuthorityType.USER))
{
TemplateNode person = getPerson(authority);
if (person != null)
{
members.add(person);
}
}
}
}
return members != null ? members : Collections.<TemplateNode>emptyList();
}
}
Reference in New Issue View Git Blame Copy Permalink