Hello everybody,
we'd like to submit you the way we integrated Alfresco with our CAS, asking you for help on (at least) a couple of doubts we have.
The relevant part of web.xml we used is:
The file authentication-services-context.xml we used is:
We used the class FilterToBeanProxy to make spring load the class FilterChainProxy which can apply a filter chain.
We used the filter Cas2AlfrescoContextIntegrationFilter which extends from net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter to put into session the object ACEGI_SECURITY_CONTEXT and the ticket _alfAuthTicket.
ACEGI_SECURITY_CONTEXT is a SecureContextImpl containing as a property CasAuthenticationToken, result of the Cas authentication process. _alfAuthTicket instead contains org.alfresco.web.bean.repository.User, object required by Alfresco after authentication.
We didn't use InMemoryDaoImpl but we used Alfresco alfDaoImpl bean as the Alfresco user store. This means that a user, beside existing in the Cas repository, must be priorly created by an admin user in Alfresco.
First question: is there a way to force user creation at first login?
Here is the code of our class:
Cas2AlfrescoContextIntegrationFilter
Second question: we had to change the class org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.java at line 444 in method getAuthorizations to avoid a classCastExceptionError:
This is due, for what we can understand, to a mismatch between line 201 of casAuthenticationProvider, which state
and line 444 of org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.java where auth is of type CasAuthenticationToken and so auth.getPrincipal() returns a String and cannot be casted to User (see code inside constructor of CasAuthenticationToken.
To solve this problem we changed method getAuthorisations in PermissionServiceImpl.java this way:
Does it seem meaningful or we missed the all thing?javascript:emoticon('
')
Thank you in advance for your help?
Davide & Emanuele
we'd like to submit you the way we integrated Alfresco with our CAS, asking you for help on (at least) a couple of doubts we have.
The relevant part of web.xml we used is:
<filter> <filter-name>Acegi CAS Processing Filter</filter-name> <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value> </init-param></filter> <filter-mapping> <filter-name>Acegi CAS Processing Filter</filter-name> <url-pattern>/*</url-pattern></filter-mapping>The file authentication-services-context.xml we used is:
<beans> <!– –> <!– The Acegi authentication manager. –> <!– –> <!– Provders are asked to authenticate in order. –> <!– First, is a provider that checks if an acegi authentication object –> <!– is already bound to the executing thread. If it is, and it is set –> <!– as authenticated then no further authentication is required. If –> <!– this is absent, Acegi validates the password for every method –> <!– invocation, which is too CPU expensive. If we set an –> <!– authentication based on a ticket etc …. or we want to set the –> <!– the system user as the current user … we do not have the –> <!– password. So if we have set an authentication and set it as –> <!– authenticated that is sufficient to validate the user. –> <!– –> <!– If the authentication bound to the current thread is not set as –> <!– authenticated the standard Acegi DAO Authentication provider –> <!– is used to authenticate. –> <!– –> <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /faces/**=Cas2AlfrescoContextIntegrationFilter,securityEnforcementFilter /j_acegi_cas_security_check**=Cas2AlfrescoContextIntegrationFilter,casProcessingFilter </value> </property> </bean> <bean id="Cas2AlfrescoContextIntegrationFilter" class="org.alfresco.web.app.servlet.Cas2AlfrescoContextIntegrationFilter"> <property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property> </bean> <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager"> <property name="providers"> <list> <ref bean="authenticatedAuthenticationPassthroughProvider" /> <ref bean="casAuthenticationProvider" /> </list> </property> </bean> <bean id="serviceProperties" class="net.sf.acegisecurity.ui.cas.ServiceProperties"> <property name="service"><value>http://pc29029.csi.it:8080/alfresco/j_acegi_cas_security_check</value></property> <property name="sendRenew"><value>false</value></property> </bean> <bean id="casProcessingFilter" class="net.sf.acegisecurity.ui.cas.CasProcessingFilter"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property> <property name="defaultTargetUrl"><value>/</value></property> <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property> </bean> <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter"> <property name="authenticationEntryPoint"><ref bean="casProcessingFilterEntryPoint"/></property> <property name="filterSecurityInterceptor" ref="filterInvocationInterceptor"/> </bean> <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="httpRequestAccessDecisionManager"/></property><!–<ref bean="accessDecisionManager"/></property–> <property name="objectDefinitionSource"> <value>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISONPATTERN_TYPE_APACHE_ANT/**=ROLE_AUTHENTICATED </value> </property> </bean> <bean id="httpRequestAccessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions"><value>false</value></property> <property name="decisionVoters"> <list><ref bean="roleVoter"/></list> </property> </bean> <!– ~~~~~~~~~~~~~~~~~~~~ AUTHORIZATION DEFINITIONS ~~~~~~~~~~~~~~~~~~~ –> <!– An access decision voter that reads ROLE_* configuaration settings –> <!– <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/> –> <!– <bean id="ACLEntryVoter" class="org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoter"/> –> <!– An access decision manager used by the business objects –> <bean id="casProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.cas.CasProcessingFilterEntryPoint"> <property name="loginUrl"><value>https://cstvip01.csi.it/ssobart/login</value></property> <property name="serviceProperties"><ref bean="serviceProperties"/></property> </bean> <bean id="casAuthenticationProvider" class="net.sf.acegisecurity.providers.cas.CasAuthenticationProvider"> <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property> <property name="casProxyDecider"><ref bean="casProxyDecider"/></property> <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property> <property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property> <property name="key"><value>my_password_for_this_auth_provider_only</value></property> </bean> <bean id="casProxyTicketValidator" class="net.sf.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator"> <property name="casValidate"><value>http://alessandria.cst-alessandria.csi.it/ssobart/serviceValidate</value></property> <property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property> <property name="serviceProperties"><ref bean="serviceProperties"/></property> <!– <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> –> </bean> <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> <property name="configLocation"> <value>classpath:/ehcache-failsafe.xml</value> </property> </bean> <bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> <property name="cacheManager"> <ref local="cacheManager"/> </property> <property name="cacheName"> <value>ticketCache</value> </property> </bean> <bean id="statelessTicketCache" class="net.sf.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache"> <property name="cache"><ref local="ticketCacheBackend"/></property> </bean> <bean id="casAuthoritiesPopulator" class="net.sf.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator"> <property name="authenticationDao"><ref bean="alfDaoImpl"/></property> </bean> <bean id="casProxyDecider" class="net.sf.acegisecurity.providers.cas.proxy.RejectProxyTickets"/> <bean id="inMemoryDaoImpl" class="org.alfresco.repo.security.authentication.InMemoryDaoImpl"> <property name="userMap"> <value> AAAAAA00B77B000F=***,ROLE_ADMIN admin=***,ROLE_ADMIN gcs=***,ROLE_ADMIN mc=***,ROLE_ADMIN,ROLE_TELLER,ROLE_SUPERVISOR peter=***,disabled,ROLE_TELLER </value> </property> </bean> <!– We provide a DAO to plug into the Acegi DaoAuthenticationProvider –> <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider"> <property name="authenticationDao"> <ref bean="authenticationDao" /> </property> <property name="saltSource"> <ref bean="saltSource" /> </property> <property name="passwordEncoder"> <ref bean="passwordEncoder" /> </property> </bean> <!– An authentication Provider that just believes authentications –> <!– bound to the local thread are valid if they are set as –> <!– authenticated. –> <bean id="authenticatedAuthenticationPassthroughProvider" class="org.alfresco.repo.security.authentication.AuthenticatedAuthenticationPassthroughProvider" /> <!– The authroity DAO implements an interface extended from the Acegi –> <!– DAO that supports CRUD. –> <bean id="alfDaoImpl" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean"> <property name="proxyInterfaces"> <value>org.alfresco.repo.security.authentication.MutableAuthenticationDao</value> </property> <property name="transactionManager"> <ref bean="transactionManager" /> </property> <property name="target"> <ref bean="authenticationDao"/> </property> <property name="transactionAttributes"> <props> <prop key="*">${server.transaction.mode.default}</prop> </props> </property> </bean> <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao"> <property name="nodeService"> <ref bean="nodeService" /> </property> <property name="dictionaryService"> <ref bean="dictionaryService" /> </property> <property name="namespaceService"> <ref bean="namespaceService" /> </property> <property name="searchService"> <ref bean="searchService" /> </property> <property name="userNamesAreCaseSensitive"> <value>${user.name.caseSensitive}</value> </property> <property name="passwordEncoder"> <ref bean="passwordEncoder" /> </property> </bean> <!– The DAO also acts as a salt provider. –> <alias alias="saltSource" name="alfDaoImpl"/> <!– Passwords are encoded using MD4 –> <!– This is not ideal and only done to be compatible with NTLM –> <!– authentication against the default authentication mechanism. –> <bean id="passwordEncoder" class="org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl"></bean> <!– A transactional wrapper around the implementation. –> <!– TODO: This should be removed. –> <bean id="authenticationService" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean"> <property name="proxyInterfaces"> <value>org.alfresco.service.cmr.security.AuthenticationService</value> </property> <property name="transactionManager"> <ref bean="transactionManager" /> </property> <property name="target"> <ref bean="authenticationServiceImpl" /> </property> <property name="transactionAttributes"> <props> <prop key="*">${server.transaction.mode.default}</prop> </props> </property> </bean> <!– The Authentication Service implementation. –> <!– –> <!– This delegates its work to two services: –> <!– an AuthenticationComponent and a MutableAuthenticationDAO. –> <!– –> <!– The permissions service is required so that permissions can be –> <!– cleaned up when a user is deleted. –> <bean id="authenticationServiceImpl" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl"> <property name="authenticationDao"> <ref bean="authenticationDao" /> </property> <property name="ticketComponent"> <ref bean="ticketComponent" /> </property> <property name="authenticationComponent"> <ref bean="authenticationComponentImpl" /> </property> </bean> <!– A transactional wrapper that should be removed. –> <bean id="authenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean"> <property name="proxyInterfaces"> <value>org.alfresco.repo.security.authentication.AuthenticationComponent</value> </property> <property name="transactionManager"> <ref bean="transactionManager" /> </property> <property name="target"> <ref bean="authenticationComponentImpl" /> </property> <property name="transactionAttributes"> <props> <prop key="*">${server.transaction.mode.default}</prop> </props> </property> </bean> <!– The authentication component. –> <bean id="authenticationComponentImpl" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl"> <property name="authenticationDao"> <ref bean="authenticationDao" /> </property> <property name="authenticationManager"> <ref bean="authenticationManager" /> </property> <property name="allowGuestLogin"> <value>true</value> </property> </bean> <!– Simple Authentication component that rejects all authentication requests –> <!– Use this defintion for Novell IChain integration. –> <!– It should never go to the login screen so this is not required –> <!– (Enterprise version only) –> <!– <bean id="authenticationComponentImpl" class="org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl"> </bean> –> <!– The person service. –> <bean id="personService" class="org.alfresco.repo.security.person.PersonServiceImpl"> <property name="nodeService"> <ref bean="nodeService" /> </property> <property name="searchService"> <ref bean="searchService" /> </property> <property name="permissionServiceSPI"> <ref bean="permissionServiceImpl" /> </property> <property name="authorityService"> <ref bean="authorityService" /> </property> <property name="namespacePrefixResolver"> <ref bean="namespaceService" /> </property> <!– Configurable properties. –> <!– –> <!– TODO: –> <!– Add support for creating real home spaces adn setting –> <!– permissions on the hame space and people created. –> <!– –> <!– The store in which people are persisted. –> <property name="storeUrl"> <value>${spaces.store}</value> </property> <!– The path to the company home space, used to set the –> <!– default home space for users that are created if –> <!– missing. –> <property name="companyHomePath"> <value>/${spaces.company_home.childname}</value> </property> <!– Some authentication mechanisms may need to create people –> <!– in the repository on demand. This enables that feature. –> <!– If dsiabled an error will be generated for missing –> <!– people. If enabled then a person will be created and –> <!– persisted. –> <!– –> <!– This value should be false or only true if the –> <!– repository is mutable; set from the property –> <!– ${server.transaction.allow-writes} –> <property name="createMissingPeople"> <value>${server.transaction.allow-writes}</value> </property> <!– Set is user names are case sensitive - taken from the –> <!– repository wide setting - you are advised not to change –> <!– this setting. –> <!– This value should be ${user.name.caseSensitive} –> <property name="userNamesAreCaseSensitive"> <value>${user.name.caseSensitive}</value> </property> </bean> <!– The ticket component. –> <!– Used for reauthentication –> <bean id="ticketComponent" class="org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl"> <!– The period for which tickets are valid in XML duration format. –> <!– The default is P1H for one hour. –> <property name="validDuration"> <value>P1H</value> </property> <!– Do tickets expire or live for ever? –> <property name="ticketsExpire"> <value>false</value> </property> <!– Are tickets only valid for a single use? –> <property name="oneOff"> <value>false</value> </property> </bean> </beans>We used the class FilterToBeanProxy to make spring load the class FilterChainProxy which can apply a filter chain.
We used the filter Cas2AlfrescoContextIntegrationFilter which extends from net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter to put into session the object ACEGI_SECURITY_CONTEXT and the ticket _alfAuthTicket.
ACEGI_SECURITY_CONTEXT is a SecureContextImpl containing as a property CasAuthenticationToken, result of the Cas authentication process. _alfAuthTicket instead contains org.alfresco.web.bean.repository.User, object required by Alfresco after authentication.
We didn't use InMemoryDaoImpl but we used Alfresco alfDaoImpl bean as the Alfresco user store. This means that a user, beside existing in the Cas repository, must be priorly created by an admin user in Alfresco.
First question: is there a way to force user creation at first login?
Here is the code of our class:
Cas2AlfrescoContextIntegrationFilter
package org.alfresco.web.app.servlet;import net.sf.acegisecurity.context.Context;import net.sf.acegisecurity.context.ContextHolder;import net.sf.acegisecurity.context.security.SecureContextImpl;import org.alfresco.model.ContentModel;import org.alfresco.service.ServiceRegistry;import org.alfresco.service.cmr.repository.NodeRef;import org.alfresco.service.cmr.repository.NodeService;import org.alfresco.service.cmr.security.AuthenticationService;import org.alfresco.service.cmr.security.PersonService;import org.alfresco.service.transaction.TransactionService;import org.alfresco.web.bean.repository.User;import org.apache.commons.logging.Log;import org.apache.commons.logging.LogFactory;import org.springframework.web.context.WebApplicationContext;import org.springframework.web.context.support.WebApplicationContextUtils;import java.io.IOException;import javax.servlet.FilterChain;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpSession;import javax.transaction.UserTransaction;public class Cas2AlfrescoContextIntegrationFilter extends net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter { //~ Static fields/initializers ============================================= protected static final Log logger = LogFactory.getLog(Cas2AlfrescoContextIntegrationFilter.class); private static final String FILTER_APPLIED = "__acegi_session_integration_filter_applied"; public static final String ACEGI_SECURITY_CONTEXT_KEY = "ACEGI_SECURITY_CONTEXT"; public static final String ALF_SECURITY_CONTEXT_KEY = "_alfAuthTicket"; //~ Instance fields ======================================================== private Object contextObject; /** * Indicates if this filter can create a HttpSession if needed * (sessions are always created sparingly, but setting this value to false * will prohibit sessions from ever being created). Defaults to true. */ private boolean allowSessionCreation = true; //~ Methods ================================================================ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if ((request != null) && (request.getAttribute(FILTER_APPLIED) != null)) { // ensure that filter is only applied once per request chain.doFilter(request, response); } else { if (request != null) { request.setAttribute(FILTER_APPLIED, Boolean.TRUE); } if (ContextHolder.getContext() != null) { if (logger.isWarnEnabled()) { logger.warn( "ContextHolder should have been null but contained: '" + ContextHolder.getContext() + "'; setting to null now"); } ContextHolder.setContext(null); } HttpSession httpSession = null; boolean httpSessionExistedAtStartOfRequest = false; try { httpSession = ((HttpServletRequest) request).getSession(false); } catch (IllegalStateException ignored) {} if (httpSession != null) { httpSessionExistedAtStartOfRequest = true; Object contextObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY); if (contextObject != null) { if (contextObject instanceof Context) { if (logger.isDebugEnabled()) { logger.debug( "Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: '" + contextObject + "'"); } ContextHolder.setContext((Context) contextObject); } else { if (logger.isWarnEnabled()) { logger.warn( "ACEGI_SECURITY_CONTEXT did not contain a Context but contained: '" + contextObject + "'; are you improperly modifying the HttpSession directly (you should always use ContextHolder) or using the HttpSession attribute reserved for this class?"); } } } else { if (logger.isDebugEnabled()) { logger.debug( "HttpSession returned null object for ACEGI_SECURITY_CONTEXT"); } } } else { if (logger.isDebugEnabled()) { logger.debug("No HttpSession currently exists"); } } if (ContextHolder.getContext() == null) { ContextHolder.setContext(generateNewContext()); if (logger.isDebugEnabled()) { logger.debug( "As ContextHolder null, setup ContextHolder with a fresh new instance: '" + ContextHolder.getContext() + "'"); } } // Make the HttpSession null, as we want to ensure we don't keep // a reference to the HttpSession laying around in case the // chain.doFilter() invalidates it. httpSession = null; // Proceed with chain chain.doFilter(request, response); // Store context back to HttpSession try { httpSession = ((HttpServletRequest) request).getSession(false); } catch (IllegalStateException ignored) {} if ((httpSession == null) && httpSessionExistedAtStartOfRequest) { if (logger.isDebugEnabled()) { logger.debug( "HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session"); } } // Generate a HttpSession only if we need to if ((httpSession == null) && !httpSessionExistedAtStartOfRequest) { if (!allowSessionCreation) { if (logger.isDebugEnabled()) { logger.debug( "Whilst ContextHolder contents have changed, the HttpSessionContextIntegrationFilter is prohibited from creating a HttpSession by the allowSessionCreation property being false"); } } else if (!contextObject.equals(ContextHolder.getContext())) { if (logger.isDebugEnabled()) { logger.debug( "HttpSession being created as ContextHolder contents are non-default"); } try { httpSession = ((HttpServletRequest) request).getSession(true); } catch (IllegalStateException ignored) {} } else { if (logger.isDebugEnabled()) { logger.debug( "HttpSession still null, but ContextHolder has not changed from default: ' " + ContextHolder.getContext() + "'; not creating HttpSession or storing ContextHolder contents"); } } } // If HttpSession exists, store current ContextHolder contents if (httpSession != null) { httpSession.setAttribute(ACEGI_SECURITY_CONTEXT_KEY, ContextHolder.getContext()); if (logger.isDebugEnabled()) { logger.debug("Context stored to HttpSession: '" + ContextHolder.getContext() + "'"); } SecureContextImpl sec_context = (SecureContextImpl)ContextHolder.getContext(); if (sec_context != null && (sec_context.getAuthentication() != null)) { //String username = ((UserDetails)sec_context.getAuthentication().getDetails()).getUsername().substring(0,16); String username = (String)sec_context.getAuthentication().getPrincipal(); User alfuser = null; WebApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(httpSession.getServletContext()); ServiceRegistry serviceRegistry = (ServiceRegistry) ctx.getBean(ServiceRegistry.SERVICE_REGISTRY); AuthenticationService authService = (AuthenticationService) ctx.getBean("authenticationService"); TransactionService transactionService = serviceRegistry.getTransactionService(); UserTransaction tx = transactionService.getUserTransaction(); PersonService personService = (PersonService)ctx.getBean("personService"); try { tx.begin(); //personService.setCreateMissingPeople(true); String currentTicket = authService.getCurrentTicket(); alfuser = new User(username,currentTicket,personService.getPerson(username)); NodeService nodeService = serviceRegistry.getNodeService(); //personService.setCreateMissingPeople(false); NodeRef homeSpaceRef = (NodeRef) nodeService.getProperty(personService.getPerson(username), ContentModel.PROP_HOMEFOLDER); alfuser.setHomeSpaceId(homeSpaceRef.getId()); tx.commit(); } catch (Throwable ex) { logger.error(ex); try { tx.rollback(); } catch (Exception ex2) { logger.error( "Failed to rollback transaction", ex2); } if (ex instanceof RuntimeException) { throw (RuntimeException) ex; } else { throw new RuntimeException( "Failed to set authenticated user", ex); } } httpSession.setAttribute(ALF_SECURITY_CONTEXT_KEY,alfuser); } } // Remove ContextHolder contents ContextHolder.setContext(null); if (logger.isDebugEnabled()) { logger.debug( "ContextHolder set to null as request processing completed"); } } }}Second question: we had to change the class org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.java at line 444 in method getAuthorizations to avoid a classCastExceptionError:
java.lang.ClassCastException: java.lang.String at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.getAuthorisations(PermissionServiceImpl.java:444) at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.hasPermission(PermissionServiceImpl.java:363) at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.hasPermission(PermissionServiceImpl.java:582) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:335) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:181) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:148) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176) at $Proxy64.hasPermission(Unknown Source) at org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoter.vote(ACLEntryVoter.java:316) at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:69) at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:394) at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170) at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:40) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176) at $Proxy66.getProperty(Unknown Source)at org.alfresco.web.app.servlet.Cas2AlfrescoContextIntegrationFilter.doFilter(Cas2AlfrescoContextIntegrationFilter.java:275) …This is due, for what we can understand, to a mismatch between line 201 of casAuthenticationProvider, which state
return new CasAuthenticationToken(this.key, response.getUser(), authentication.getCredentials(), userDetails.getAuthorities(), userDetails, response.getProxyList(), response.getProxyGrantingTicketIou());and line 444 of org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.java where auth is of type CasAuthenticationToken and so auth.getPrincipal() returns a String and cannot be casted to User (see code inside constructor of CasAuthenticationToken.
To solve this problem we changed method getAuthorisations in PermissionServiceImpl.java this way:
private Set<String> getAuthorisations(Authentication auth, NodeRef nodeRef) { HashSet<String> auths = new HashSet<String>(); // No authenticated user then no permissions if (auth == null) { return auths; } // TODO: Refactor and use the authentication service for this. //User user = (User) auth.getPrincipal(); //auths.add(user.getUsername()); auths.add((String)auth.getPrincipal()); for (GrantedAuthority authority : auth.getAuthorities()) { auths.add(authority.getAuthority()); } if (dynamicAuthorities != null) { for (DynamicAuthority da : dynamicAuthorities) { // if (da.hasAuthority(nodeRef, user.getUsername())) if (da.hasAuthority(nodeRef,(String)auth.getPrincipal())) { auths.add(da.getAuthority()); } } } auths.addAll(authorityService.getAuthorities()); return auths; }Does it seem meaningful or we missed the all thing?javascript:emoticon('
')Thank you in advance for your help?
Davide & Emanuele
