org.alfresco.repo.security.sync

Class ChainingUserRegistrySynchronizer

java.lang.Object

org.springframework.extensions.surf.util.AbstractLifecycleBean

org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer

All Implemented Interfaces:

EventListener, ChainingUserRegistrySynchronizerStatus, TestableChainingUserRegistrySynchronizer, UserRegistrySynchronizer, org.springframework.beans.factory.Aware, org.springframework.context.ApplicationContextAware, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.ApplicationListener

public class ChainingUserRegistrySynchronizer
extends org.springframework.extensions.surf.util.AbstractLifecycleBean
implements UserRegistrySynchronizer, ChainingUserRegistrySynchronizerStatus, TestableChainingUserRegistrySynchronizer, org.springframework.context.ApplicationEventPublisherAware

A ChainingUserRegistrySynchronizer is responsible for synchronizing Alfresco's local user (person) and group (authority) information with the external subsystems in the authentication chain (most typically LDAP directories). When the synchronize(boolean, boolean) method is called, it visits each UserRegistry bean in the 'chain' of application contexts, managed by a ChildApplicationContextManager, and compares its timestamped user and group information with the local users and groups last retrieved from the same source. Any updates and additions made to those users and groups are applied to the local copies. The ordering of each UserRegistry in the chain determines its precedence when it comes to user and group name collisions. The JobLockService is used to ensure that in a cluster, no two nodes actually run a synchronize at the same time.

The force argument determines whether a complete or partial set of information is queried from the UserRegistry. When true then all users and groups are queried. With this complete set of information, the synchronizer is able to identify which users and groups have been deleted, so it will delete users and groups as well as update and create them. Since processing all users and groups may be fairly time consuming, it is recommended this mode is only used by a background scheduled synchronization job. When the argument is false then only those users and groups modified since the most recent modification date of all the objects last queried from the same UserRegistry are retrieved. In this mode, local users and groups are created and updated, but not deleted (except where a name collision with a lower priority UserRegistry is detected). This 'differential' mode is much faster, and by default is triggered on subsystem startup and also by createMissingPerson(String) when a user is successfully authenticated who doesn't yet have a local person object in Alfresco. This should mean that new users and their group information are pulled over from LDAP servers as and when required.

Author:

dward

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected class	ChainingUserRegistrySynchronizer.BaseBatchProcessWorker<T>

Field Summary

Fields

Modifier and Type	Field and Description
static String	ROOT_ATTRIBUTE_PATH The path in the attribute service below which we persist attributes.

Fields inherited from class org.springframework.extensions.surf.util.AbstractLifecycleBean

log

Constructor Summary

Constructors

Constructor and Description
ChainingUserRegistrySynchronizer()

Method Summary

Modifier and Type	Method and Description
boolean	createMissingPerson(String userName) Creates a person object for a successfully authenticated user who does not yet have a person object, if allowed to by configuration.
String	getLastErrorMessage() The last error message or null if last sync completed without error
String	getLastRunOnServer() Get the serverid
Set<org.alfresco.service.namespace.QName>	getPersonMappedProperties(String username) Gets the set of property names that are auto-mapped for the user with the given user name.
Date	getSyncEndTime() Get the end date/time of the last synchronization
String	getSynchronizationLastError(String zoneId) Get the last error message from synchronizing this zone
Date	getSynchronizationLastGroupUpdateTime(String id) Get the date/time that the last group update completed
Date	getSynchronizationLastUserUpdateTime(String id) Get the date/time that the last user/person update completed
String	getSynchronizationStatus()
String	getSynchronizationStatus(String zoneId) Get the synchronization status
String	getSynchronizationSummary(String zoneId) Get the synchronization summary message for the specified zone
Date	getSyncStartTime() Get the start date/time of the last synchronization
SysAdminParams	getSysAdminParams()
void	init()
void	onApplicationEvent(org.springframework.context.ApplicationEvent event)
protected void	onBootstrap(org.springframework.context.ApplicationEvent event)
protected void	onShutdown(org.springframework.context.ApplicationEvent event)
void	setAllowDeletions(boolean allowDeletions) Controls how deleted users and groups are handled.
void	setApplicationContextManager(ChildApplicationContextManager applicationContextManager) Sets the application context manager.
void	setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
void	setAttributeService(AttributeService attributeService) Sets the attribute service.
void	setAuthorityService(AuthorityService authorityService) Sets the authority service.
void	setAutoCreatePeopleOnLogin(boolean autoCreatePeopleOnLogin) Controls whether we auto create a missing person on log in.
void	setExternalUserControl(String externalUserControl)
void	setExternalUserControlSubsystemName(String externalUserControlSubsystemName)
void	setJobLockService(JobLockService jobLockService) Sets the job lock service.
void	setLoggingInterval(int loggingInterval) Sets the number of entries to process before reporting progress.
void	setNameChecker(org.alfresco.repo.dictionary.constraint.NameChecker nameChecker) Sets name checker
void	setPersonService(PersonService personService) Sets the person service.
void	setSourceBeanName(String sourceBeanName) Sets the name used to look up a UserRegistry bean in each child application context.
void	setSyncDelete(boolean syncDelete) Controls whether to query for users and groups that have been deleted in LDAP.
void	setSyncOnStartup(boolean syncOnStartup) Controls whether we trigger a differential sync when the subsystem starts up.
void	setSyncWhenMissingPeopleLogIn(boolean syncWhenMissingPeopleLogIn) Controls whether we trigger a differential sync when missing people log in.
void	setSysAdminParams(SysAdminParams sysAdminParams)
void	setTransactionService(TransactionService transactionService) Sets the transaction service.
void	setWorkerThreads(int workerThreads) Sets the number of worker threads.
void	synchronize(boolean forceUpdate, boolean isFullSync) Retrieves timestamped user and group information from configured external sources and compares it with the local users and groups last retrieved from the same sources.
SynchronizeDiagnostic	testSynchronize(String authenticatorName) runs read only diagnostic tests upon the specified user directory, does not actually do any synchronization

Methods inherited from class org.springframework.extensions.surf.util.AbstractLifecycleBean

getApplicationContext, setApplicationContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ROOT_ATTRIBUTE_PATH

public static final String ROOT_ATTRIBUTE_PATH

The path in the attribute service below which we persist attributes.

See Also:

Constant Field Values

Constructor Detail

ChainingUserRegistrySynchronizer

public ChainingUserRegistrySynchronizer()

Method Detail

init

public void init()

setExternalUserControl

public void setExternalUserControl(String externalUserControl)

setExternalUserControlSubsystemName

public void setExternalUserControlSubsystemName(String externalUserControlSubsystemName)

setNameChecker

public void setNameChecker(org.alfresco.repo.dictionary.constraint.NameChecker nameChecker)

Sets name checker

setApplicationContextManager

public void setApplicationContextManager(ChildApplicationContextManager applicationContextManager)

Sets the application context manager.

Parameters:

applicationContextManager - the applicationContextManager to set

setSourceBeanName

public void setSourceBeanName(String sourceBeanName)

Sets the name used to look up a UserRegistry bean in each child application context.

Parameters:

sourceBeanName - the bean name

setAuthorityService

public void setAuthorityService(AuthorityService authorityService)

Sets the authority service.

Parameters:

authorityService - the new authority service

setPersonService

public void setPersonService(PersonService personService)

Sets the person service.

Parameters:

personService - the new person service

setAttributeService

public void setAttributeService(AttributeService attributeService)

Sets the attribute service.

Parameters:

attributeService - the new attribute service

setTransactionService

public void setTransactionService(TransactionService transactionService)

Sets the transaction service.

Parameters:

transactionService - the transaction service

setJobLockService

public void setJobLockService(JobLockService jobLockService)

Sets the job lock service.

Parameters:

jobLockService - the job lock service

setApplicationEventPublisher

public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)

Specified by:

setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware

setAutoCreatePeopleOnLogin

public void setAutoCreatePeopleOnLogin(boolean autoCreatePeopleOnLogin)

Controls whether we auto create a missing person on log in.

Parameters:

autoCreatePeopleOnLogin - true if we should auto create a missing person on log in

setSyncWhenMissingPeopleLogIn

public void setSyncWhenMissingPeopleLogIn(boolean syncWhenMissingPeopleLogIn)

Controls whether we trigger a differential sync when missing people log in.

Parameters:

syncWhenMissingPeopleLogIn - true if we should trigger a sync when missing people log in

setSyncOnStartup

public void setSyncOnStartup(boolean syncOnStartup)

Controls whether we trigger a differential sync when the subsystem starts up.

Parameters:

syncOnStartup - true if we should trigger a sync on startup

setLoggingInterval

public void setLoggingInterval(int loggingInterval)

Sets the number of entries to process before reporting progress.

Parameters:

loggingInterval - the number of entries to process before reporting progress or zero to disable progress reporting.

setWorkerThreads

public void setWorkerThreads(int workerThreads)

Sets the number of worker threads.

Parameters:

workerThreads - the number of worker threads

setAllowDeletions

public void setAllowDeletions(boolean allowDeletions)

Controls how deleted users and groups are handled. By default is set to true.

Parameters:

allowDeletions - If true the entries are deleted from alfresco. If false then they are unlinked from their LDAP authentication zone but remain within alfresco.

setSyncDelete

public void setSyncDelete(boolean syncDelete)

Controls whether to query for users and groups that have been deleted in LDAP. For large LDAP directories the delete query is expensive and time consuming, needing to read the entire LDAP directory. By default is set to true.

Parameters:

syncDelete - If false then LDAP sync does not even attempt to search for deleted users.

testSynchronize

public SynchronizeDiagnostic testSynchronize(String authenticatorName)

Description copied from interface: TestableChainingUserRegistrySynchronizer

runs read only diagnostic tests upon the specified user directory, does not actually do any synchronization

Specified by:

testSynchronize in interface TestableChainingUserRegistrySynchronizer

Parameters:

authenticatorName - name of the user directory to test

Returns:

diagnostic information @see org.alfresco.repo.security.sync.SynchronizeDiagnostic

synchronize

public void synchronize(boolean forceUpdate,
                        boolean isFullSync)

Description copied from interface: UserRegistrySynchronizer

Retrieves timestamped user and group information from configured external sources and compares it with the local users and groups last retrieved from the same sources. Any updates and additions made to those users and groups are applied to the local Alfresco copies. This process is always run in different transactions and threads.

Specified by:

synchronize in interface UserRegistrySynchronizer

Parameters:

forceUpdate - Should the complete set of users and groups be updated / created locally or just those known to have changed since the last sync? When true then all users and groups are queried from the user registry and updated locally. When false then each source is only queried for those users and groups modified since the most recent modification date of all the objects last queried from that same source.

isFullSync - Should a complete set of user and group IDs be queried from the user registries in order to determine deletions? This parameter is independent of force as a separate query is run to process updates.

getPersonMappedProperties

public Set<org.alfresco.service.namespace.QName> getPersonMappedProperties(String username)

Description copied from interface: UserRegistrySynchronizer

Gets the set of property names that are auto-mapped for the user with the given user name. These should remain read-only for the user in the UI.

Specified by:

getPersonMappedProperties in interface UserRegistrySynchronizer

Returns:

the person mapped properties

createMissingPerson

public boolean createMissingPerson(String userName)

Description copied from interface: UserRegistrySynchronizer

Creates a person object for a successfully authenticated user who does not yet have a person object, if allowed to by configuration. Depending on configuration, may trigger a partial synchronize and/or create a new person with default settings.

Specified by:

createMissingPerson in interface UserRegistrySynchronizer

Parameters:

userName - the user name

Returns:

true, if a person is created

onBootstrap

protected void onBootstrap(org.springframework.context.ApplicationEvent event)

Specified by:

onBootstrap in class org.springframework.extensions.surf.util.AbstractLifecycleBean

onShutdown

protected void onShutdown(org.springframework.context.ApplicationEvent event)

Specified by:

onShutdown in class org.springframework.extensions.surf.util.AbstractLifecycleBean

getSyncStartTime

public Date getSyncStartTime()

Description copied from interface: ChainingUserRegistrySynchronizerStatus

Get the start date/time of the last synchronization

Specified by:

getSyncStartTime in interface ChainingUserRegistrySynchronizerStatus

Returns:

the date/time or null

getSyncEndTime

public Date getSyncEndTime()

Description copied from interface: ChainingUserRegistrySynchronizerStatus

Get the end date/time of the last synchronization

Specified by:

getSyncEndTime in interface ChainingUserRegistrySynchronizerStatus

Returns:

the date/time or null

getLastErrorMessage

public String getLastErrorMessage()

Description copied from interface: ChainingUserRegistrySynchronizerStatus

The last error message or null if last sync completed without error

Specified by:

getLastErrorMessage in interface ChainingUserRegistrySynchronizerStatus

Returns:

the last error message or null

getLastRunOnServer

public String getLastRunOnServer()

Description copied from interface: ChainingUserRegistrySynchronizerStatus

Get the serverid

Specified by:

getLastRunOnServer in interface ChainingUserRegistrySynchronizerStatus

Returns:

the server id of the sever that last ran sync

getSynchronizationStatus

public String getSynchronizationStatus()

Specified by:

getSynchronizationStatus in interface ChainingUserRegistrySynchronizerStatus

Returns:

String

getSynchronizationStatus

public String getSynchronizationStatus(String zoneId)

Description copied from interface: ChainingUserRegistrySynchronizerStatus

Get the synchronization status

Specified by:

getSynchronizationStatus in interface ChainingUserRegistrySynchronizerStatus

Parameters:

zoneId - - zone id

Returns:

the status

getSynchronizationLastUserUpdateTime

public Date getSynchronizationLastUserUpdateTime(String id)

Description copied from interface: ChainingUserRegistrySynchronizerStatus

Get the date/time that the last user/person update completed

Specified by:

getSynchronizationLastUserUpdateTime in interface ChainingUserRegistrySynchronizerStatus

Parameters:

id - String

Returns:

date or null if sync has never completed

getSynchronizationLastGroupUpdateTime

public Date getSynchronizationLastGroupUpdateTime(String id)

Description copied from interface: ChainingUserRegistrySynchronizerStatus

Get the date/time that the last group update completed

Specified by:

getSynchronizationLastGroupUpdateTime in interface ChainingUserRegistrySynchronizerStatus

Parameters:

id - String

Returns:

date or null if sync has never completed

getSynchronizationLastError

public String getSynchronizationLastError(String zoneId)

Description copied from interface: ChainingUserRegistrySynchronizerStatus

Get the last error message from synchronizing this zone

Specified by:

getSynchronizationLastError in interface ChainingUserRegistrySynchronizerStatus

Parameters:

zoneId - the zone

Returns:

the last error message or null if the last sync did not have an error

getSynchronizationSummary

public String getSynchronizationSummary(String zoneId)

Description copied from interface: ChainingUserRegistrySynchronizerStatus

Get the synchronization summary message for the specified zone

Specified by:

getSynchronizationSummary in interface ChainingUserRegistrySynchronizerStatus

Parameters:

zoneId - the zone

Returns:

the summary or null

setSysAdminParams

public void setSysAdminParams(SysAdminParams sysAdminParams)

getSysAdminParams

public SysAdminParams getSysAdminParams()

onApplicationEvent

public void onApplicationEvent(org.springframework.context.ApplicationEvent event)

Specified by:

onApplicationEvent in interface org.springframework.context.ApplicationListener

Overrides:

onApplicationEvent in class org.springframework.extensions.surf.util.AbstractLifecycleBean