Hyland Connect

package gov.doi.usgs.alfresco.security;import java.io.IOException;import java.util.Map;import javax.faces.context.FacesContext;import javax.portlet.ActionRequest;import javax.portlet.ActionResponse;import javax.portlet.PortletException;import javax.portlet.RenderRequest;import javax.portlet.RenderResponse;import javax.portlet.PortletRequest;import javax.portlet.PortletSession;import javax.servlet.http.Cookie;import javax.transaction.UserTransaction;import org.apache.portals.bridges.portletfilter.PortletFilter;import org.apache.portals.bridges.portletfilter.PortletFilterChain;import org.apache.portals.bridges.portletfilter.PortletFilterConfig;import org.apache.commons.lang.StringUtils;import org.apache.commons.logging.Log;import org.apache.commons.logging.LogFactory;import org.springframework.web.context.WebApplicationContext;import org.alfresco.model.ContentModel;import org.alfresco.repo.security.authentication.AuthenticationComponent;import org.alfresco.service.ServiceRegistry;import org.alfresco.service.cmr.repository.NodeService;import org.alfresco.service.cmr.repository.NodeRef;import org.alfresco.service.cmr.security.AuthenticationService;import org.alfresco.service.cmr.security.PersonService;import org.alfresco.service.transaction.TransactionService;import org.alfresco.web.app.servlet.AuthenticationHelper;import org.alfresco.web.bean.LoginBean;import org.alfresco.web.bean.repository.User;import org.josso.Lookup;import org.josso.gateway.Constants;import org.josso.gateway.session.SSOSession;import org.josso.gateway.session.service.SSOSessionManager;/** * Filters every request for the Alfresco portlet and makes sure that the correct * user PortletSession environment exists so that the user is not asked to re-authenticate *  * <h5>Initialization Parameters</h5> *  * <b>alfrescoExternalAuth</b>: true/false [default true]. Configures Alfresco to use  * external authentication or not. If true, certain user controls are not available in Alfresco *  * @author Jon French */ public class AuthenticationPortletFilter implements PortletFilter {    private static final Log LOG = LogFactory.getLog(AuthenticationPortletFilter.class);    private AuthenticationService fAuthService;    private AuthenticationComponent fAuthComponent;    private PersonService fPersonService;    private NodeService fNodeService;    private TransactionService fTransactionService;    private Boolean fAlfrescoExternalAuthentication = Boolean.TRUE;        public void init(PortletFilterConfig filterConfig) throws PortletException{        WebApplicationContext ctx = (WebApplicationContext)filterConfig.getPortletConfig().getPortletContext().getAttribute(              WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE);        ServiceRegistry serviceRegistry = (ServiceRegistry) ctx.getBean(ServiceRegistry.SERVICE_REGISTRY);        fNodeService = serviceRegistry.getNodeService();        fTransactionService = serviceRegistry.getTransactionService();        fAuthService = (AuthenticationService) ctx.getBean("authenticationService");        fAuthComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");        fPersonService = (PersonService) ctx.getBean("personService");        String alfrescoExternalAuth = filterConfig.getInitParameter("alfrescoExternalAuth");         if (alfrescoExternalAuth != null) {            fAlfrescoExternalAuthentication = Boolean.valueOf(alfrescoExternalAuth);            if (LOG.isDebugEnabled()) {                LOG.debug("Alfresco is configured to external authentication: " + fAlfrescoExternalAuthentication);            }        }        if (LOG.isDebugEnabled()) {            LOG.debug(getClass().getName() + " initialized");        }    }    public void renderFilter(RenderRequest request, RenderResponse response, PortletFilterChain chain)            throws PortletException, IOException{        if (LOG.isDebugEnabled()) {            LOG.debug("here in renderFilter");        }        ensureLogin(request);        chain.renderFilter(request,response);    }    public void processActionFilter(ActionRequest request, ActionResponse response, PortletFilterChain chain)            throws PortletException, IOException{        if (LOG.isDebugEnabled()) {            LOG.debug("here in renderFilter.");        }        ensureLogin(request);        chain.processActionFilter(request,response);    }    public void destroy(){    }    private void ensureLogin(PortletRequest request)    throws PortletException,IOException {        PortletSession session = request.getPortletSession();        User user = (User) session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);        String ssosessionId = retreiveSSOId(request);        if (ssosessionId == null) {            /* If the a SSO session id is not stored as a cookie, something is            wrong since the user should always have to go through JOSSO to get to             this filter. */            throw new PortletException("SSO session cookie is not present");        }        SSOSession ssoSession = retrieveSSOSession(ssosessionId);        /* Case 1:        The Alfresco user is NOT null, but the SSOSession is null or not valid.        In this case, something happened (the user logged out, the SSOSession timed out)         which ended the SSOSession.         Case 2:        The user name associated with the Alfresco session and SSOSession are NOT the same.         This can happen if the user logs out and logs in as a different user.                 In either case, I need to end the Alfresco user session.        I copied the code to end the Alfresco user's sesseion from the         org.alfresco.web.bean.LoginBean.logout() method from Alfresco community 1.3        */        if (LOG.isDebugEnabled()) {            LOG.debug("Determining if alfresco user is valid. \n" +                       "((ssoSession == null || !ssoSession.isValid()) && user != null): " + ((ssoSession == null || !ssoSession.isValid()) && user != null) + "\n" +                      "(ssoSession != null && user != null && !user.getUserName().equals(ssoSession.getUsername())): " + (ssoSession != null && user != null && !user.getUserName().equals(ssoSession.getUsername()))                      );        }        if (((ssoSession == null || !ssoSession.isValid()) && user != null) || // case 1            (ssoSession != null && user != null && !user.getUserName().equals(ssoSession.getUsername()))) // case 2        {            LOG.debug("Disabling alfresco user.");            // invalidate ticket and clear the Security context for this thread            fAuthService.invalidateTicket(user.getTicket());            fAuthService.clearCurrentSecurityContext();            // remove all objects from our session by hand            // we do this as invalidating the Portal session would invalidate all other portlets!            if (FacesContext.getCurrentInstance() != null &&                FacesContext.getCurrentInstance().getExternalContext() != null                ) {                Map sesMap = FacesContext.getCurrentInstance().getExternalContext().getSessionMap();                for (Object key : sesMap.keySet())                {                   sesMap.remove(key);                }            }            // Set the user equal to null             user = null;        }        if (user == null)        {            if (LOG.isDebugEnabled()) {                LOG.debug("session user attribute is null.");            }              if (ssoSession == null || !ssoSession.isValid()) {                throw new PortletException("SSO Session not valid");            }            /* Make sure the user is loaded into the PortletSession environment.            The code below is modeled on the Alfresco org.alfresco.web.app.servlet.NTLMAuthenticationFilter */            UserTransaction tx = fTransactionService.getUserTransaction();            NodeRef homeSpaceRef = null;              try            {                tx.begin();                  // Get user details for the authenticated user                fAuthComponent.setCurrentUser(ssoSession.getUsername().toLowerCase());                  // The user name used may be a different case to the NTLM supplied user name, read the current                // user and use that name                String userName = fAuthComponent.getCurrentUserName();                  // Setup User object and Home space ID etc.                NodeRef personNodeRef = fPersonService.getPerson(userName);                String currentTicket = fAuthService.getCurrentTicket();                user = new User(userName, currentTicket, personNodeRef);                  homeSpaceRef = (NodeRef) fNodeService.getProperty(                        personNodeRef,                        ContentModel.PROP_HOMEFOLDER);                user.setHomeSpaceId(homeSpaceRef.getId());                  tx.commit();            }            catch (Throwable ex)            {                try                {                    tx.rollback();                }                catch (Exception ex2)                {                    LOG.error("Failed to rollback transaction", ex2);                }                if(ex instanceof RuntimeException)                {                    throw (RuntimeException)ex;                }                else if(ex instanceof IOException)                {                    throw (IOException)ex;                }                else if(ex instanceof PortletException)                {                    throw (PortletException)ex;                }                else                {                    throw new RuntimeException("Authentication setup failed", ex);                }            }              // Store the user              session.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);            /* This parameter tells Alfresco if you are using external authentication.             If true, one thing it will do is remove the "create user" button            Note that there seems to be a bug in Alfresco in that Alfresco only checks for            the presence/absence of the the LoginBean.LOGIN_EXTERNAL_AUTH session attribute            instead of its value. This means that the attribute can equal Boolean.FALSE but            NOT display the "Create user" button.             */            if (Boolean.TRUE.equals(fAlfrescoExternalAuthentication)) {                session.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH,Boolean.TRUE);            }            // Note! If you wanted to do any fancy Locale stuff, you should do it here.              if ( LOG.isDebugEnabled()){                LOG.debug("User logged on via JOSSO");            }              return;        }        else{            if (LOG.isDebugEnabled()) {                LOG.debug("session user attribute is NOT null: \n\n" +                          "username: " + user.getUserName() + "\n");            }        }    }    /**     * Retreives the JOSSO single sign on cookie from the PortletRequest     */    private String retreiveSSOId(PortletRequest request){        String ssosessionId = null;        String cookies1 = request.getProperty("cookie");         String[] cookies2 = StringUtils.split(cookies1,";");        if (cookies2 != null) {            for (int i = 0;i<cookies2.length;i++) {                String[] c = StringUtils.split(cookies2[i],"=");                if (Constants.JOSSO_SINGLE_SIGN_ON_COOKIE.equals(c[0].trim())) {                    ssosessionId = c[1];                    break;                }            }        }        if (LOG.isDebugEnabled()) {            LOG.debug("SSO cookie found. value: " + ssosessionId);        }        return ssosessionId;    }    /**     * Retreive the JOSSO session from JOSSO.      */    private SSOSession retrieveSSOSession(String ssosessionId)    throws PortletException{        try{            SSOSessionManager manager = Lookup.getInstance().lookupSecurityDomain().getSessionManager();            return manager.getSession(ssosessionId);        }catch(Exception e){            throw new PortletException("Problem obtaining SSOSession",e);        }    }}‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

    <portlet id="FilteredAlfresco">        <portlet-name>FilteredAlfresco</portlet-name>        <display-name>Document management</display-name>        <portlet-class>org.apache.portals.bridges.portletfilter.FilterPortlet</portlet-class>        <init-param>            <name>portlet-class</name>            <value>org.alfresco.web.app.portlet.AlfrescoFacesPortlet</value>        </init-param>        <!– Important! The default view is where the MyFacesPortlet will take the user        in absence of any species view id in the users session. This should be the browse page,        not the login page –>        <init-param>            <name>default-view</name>            <value>/jsp/browse/browse.jsp</value>        </init-param>        <init-param>            <name>portlet-filters</name>            <value>gov.doi.usgs.alfresco.security.AuthenticationPortletFilter</value>        </init-param>        <init-param>            <name>gov.doi.usgs.alfresco.security.AuthenticationPortletFilter:alfrescoExternalAuth</name>            <value>false</value>        </init-param>        <expiration-cache>0</expiration-cache>        <supports>            <mime-type>text/html</mime-type>            <portlet-mode>VIEW</portlet-mode>        </supports>        <supported-locale>en</supported-locale>        <supported-locale>ja</supported-locale>        <portlet-info>            <title>Filtered Alfresco</title>            <short-title>This is a filtered portlet for alfresco</short-title>        </portlet-info>    </portlet></portlet-app>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍