Class ChainingUserRegistrySynchronizer

java.lang.Object
org.springframework.extensions.surf.util.AbstractLifecycleBean
org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer
All Implemented Interfaces:
EventListener, ChainingUserRegistrySynchronizerStatus, TestableChainingUserRegistrySynchronizer, UserRegistrySynchronizer, org.springframework.beans.factory.Aware, org.springframework.context.ApplicationContextAware, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.ApplicationListener

public class ChainingUserRegistrySynchronizer extends org.springframework.extensions.surf.util.AbstractLifecycleBean implements UserRegistrySynchronizer, ChainingUserRegistrySynchronizerStatus, TestableChainingUserRegistrySynchronizer, org.springframework.context.ApplicationEventPublisherAware
A ChainingUserRegistrySynchronizer is responsible for synchronizing Alfresco's local user (person) and group (authority) information with the external subsystems in the authentication chain (most typically LDAP directories). When the synchronize(boolean, boolean) method is called, it visits each UserRegistry bean in the 'chain' of application contexts, managed by a ChildApplicationContextManager, and compares its timestamped user and group information with the local users and groups last retrieved from the same source. Any updates and additions made to those users and groups are applied to the local copies. The ordering of each UserRegistry in the chain determines its precedence when it comes to user and group name collisions. The JobLockService is used to ensure that in a cluster, no two nodes actually run a synchronize at the same time.

The force argument determines whether a complete or partial set of information is queried from the UserRegistry. When true then all users and groups are queried. With this complete set of information, the synchronizer is able to identify which users and groups have been deleted, so it will delete users and groups as well as update and create them. Since processing all users and groups may be fairly time consuming, it is recommended this mode is only used by a background scheduled synchronization job. When the argument is false then only those users and groups modified since the most recent modification date of all the objects last queried from the same UserRegistry are retrieved. In this mode, local users and groups are created and updated, but not deleted (except where a name collision with a lower priority UserRegistry is detected). This 'differential' mode is much faster, and by default is triggered on subsystem startup and also by createMissingPerson(String) when a user is successfully authenticated who doesn't yet have a local person object in Alfresco. This should mean that new users and their group information are pulled over from LDAP servers as and when required.
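The following is an added, self-contained model of the behaviour described above, not Alfresco code: it shows chain precedence on name collisions and why a user removed from a directory persists locally until a pass that compares full ID lists. The class SyncModel, its records, and the zone names ldap1 and ldap2 are hypothetical, the data is constructed, and Java 17 is assumed.

```java
import java.util.*;
// Added illustration: a simplified model of the documented semantics, not Alfresco code.
public class SyncModel {
    record Entry(String name, long modified) {}   // constructed registry row
    record Local(String zone, long modified) {}   // local copy and its owning zone
    final Map<String, Local> local = new TreeMap<>();
    final Map<String, Long> lastSeen = new HashMap<>(); // newest timestamp seen per zone
    boolean allowDeletions = true;
    // chain iteration order is precedence: earlier zones win name collisions
    void synchronize(LinkedHashMap<String, List<Entry>> chain, boolean forceUpdate, boolean isFullSync) {
        List<String> order = new ArrayList<>(chain.keySet());
        for (String zone : order) {
            long newest = lastSeen.getOrDefault(zone, -1L);
            long since = forceUpdate ? -1L : newest;
            Set<String> present = new HashSet<>();
            for (Entry e : chain.get(zone)) {
                present.add(e.name());
                if (e.modified() <= since) continue;  // differential: unchanged since last query
                Local cur = local.get(e.name());
                int owner = (cur == null || cur.zone() == null) ? -1 : order.indexOf(cur.zone());
                boolean higherOwns = owner >= 0 && owner < order.indexOf(zone);
                if (!higherOwns) local.put(e.name(), new Local(zone, e.modified()));
                newest = Math.max(newest, e.modified());
            }
            lastSeen.put(zone, newest);
            if (!isFullSync) continue;                // no full ID list, so deletions are invisible
            for (var it = local.entrySet().iterator(); it.hasNext();) {
                var me = it.next();
                if (!zone.equals(me.getValue().zone()) || present.contains(me.getKey())) continue;
                if (allowDeletions) it.remove();      // entry removed locally
                else me.setValue(new Local(null, me.getValue().modified())); // unlinked, kept
            }
        }
    }
    public static void main(String[] args) {
        SyncModel m = new SyncModel();
        var chain = new LinkedHashMap<String, List<Entry>>();
        chain.put("ldap1", new ArrayList<>(List.of(new Entry("alice", 10), new Entry("bob", 10))));
        chain.put("ldap2", new ArrayList<>(List.of(new Entry("bob", 5), new Entry("carol", 5))));
        m.synchronize(chain, false, false);           // initial differential pass
        System.out.println(m.local.keySet() + " bob owned by " + m.local.get("bob").zone());
        chain.get("ldap1").removeIf(e -> e.name().equals("alice")); // alice leaves the directory
        chain.get("ldap1").add(new Entry("dave", 20));
        m.synchronize(chain, false, false);           // second differential pass
        System.out.println(m.local.keySet());
        m.synchronize(chain, false, true);            // pass with full ID comparison
        System.out.println(m.local.keySet());
    }
}
```

For access reviews, the practical point is that a differential pass alone never removes a local account whose directory entry has gone; only a pass that compares full ID lists does, and with allowDeletions set to false the entry is unlinked rather than removed.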

Author:
dward
  • Field Details

    • LOCK_QNAME

      public static final QName LOCK_QNAME
      The name of the lock used to ensure that a synchronize does not run on more than one node at the same time.
    • ROOT_ATTRIBUTE_PATH

      public static final String ROOT_ATTRIBUTE_PATH
      The path in the attribute service below which we persist attributes.
  • Constructor Details

    • ChainingUserRegistrySynchronizer

      public ChainingUserRegistrySynchronizer()
  • Method Details

    • init

      public void init()
    • setExternalUserControl

      public void setExternalUserControl(String externalUserControl)
    • setExternalUserControlSubsystemName

      public void setExternalUserControlSubsystemName(String externalUserControlSubsystemName)
    • setNameChecker

      public void setNameChecker(NameChecker nameChecker)
      Sets the name checker.
    • setApplicationContextManager

      public void setApplicationContextManager(ChildApplicationContextManager applicationContextManager)
      Sets the application context manager.
      Parameters:
      applicationContextManager - the applicationContextManager to set
    • setSourceBeanName

      public void setSourceBeanName(String sourceBeanName)
      Sets the name used to look up a UserRegistry bean in each child application context.
      Parameters:
      sourceBeanName - the bean name
    • setAuthorityService

      public void setAuthorityService(AuthorityService authorityService)
      Sets the authority service.
      Parameters:
      authorityService - the new authority service
    • setPersonService

      public void setPersonService(PersonService personService)
      Sets the person service.
      Parameters:
      personService - the new person service
    • setAttributeService

      public void setAttributeService(AttributeService attributeService)
      Sets the attribute service.
      Parameters:
      attributeService - the new attribute service
    • setTransactionService

      public void setTransactionService(TransactionService transactionService)
      Sets the transaction service.
      Parameters:
      transactionService - the transaction service
    • setJobLockService

      public void setJobLockService(JobLockService jobLockService)
      Sets the job lock service.
      Parameters:
      jobLockService - the job lock service
    • setApplicationEventPublisher

      public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
      Specified by:
      setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware
    • setAutoCreatePeopleOnLogin

      public void setAutoCreatePeopleOnLogin(boolean autoCreatePeopleOnLogin)
      Controls whether we auto create a missing person on log in.
      Parameters:
      autoCreatePeopleOnLogin - true if we should auto create a missing person on log in
    • setSyncWhenMissingPeopleLogIn

      public void setSyncWhenMissingPeopleLogIn(boolean syncWhenMissingPeopleLogIn)
      Controls whether we trigger a differential sync when missing people log in.
      Parameters:
      syncWhenMissingPeopleLogIn - true if we should trigger a sync when missing people log in
    • setSyncOnStartup

      public void setSyncOnStartup(boolean syncOnStartup)
      Controls whether we trigger a differential sync when the subsystem starts up.
      Parameters:
      syncOnStartup - true if we should trigger a sync on startup
    • setLoggingInterval

      public void setLoggingInterval(int loggingInterval)
      Sets the number of entries to process before reporting progress.
      Parameters:
      loggingInterval - the number of entries to process before reporting progress or zero to disable progress reporting.
    • setWorkerThreads

      public void setWorkerThreads(int workerThreads)
      Sets the number of worker threads.
      Parameters:
      workerThreads - the number of worker threads
    • setAllowDeletions

      public void setAllowDeletions(boolean allowDeletions)
      Controls how deleted users and groups are handled. Set to true by default.
      Parameters:
      allowDeletions - If true, the entries are deleted from Alfresco. If false, they are unlinked from their LDAP authentication zone but remain within Alfresco.
    • setSyncDelete

      public void setSyncDelete(boolean syncDelete)
      Controls whether to query for users and groups that have been deleted in LDAP. For large LDAP directories the delete query is expensive and time consuming, needing to read the entire LDAP directory. Set to true by default.
      Parameters:
      syncDelete - If false then LDAP sync does not even attempt to search for deleted users.
    • testSynchronize

      public SynchronizeDiagnostic testSynchronize(String authenticatorName)
      Description copied from interface: TestableChainingUserRegistrySynchronizer
      Runs read-only diagnostic tests upon the specified user directory; does not actually do any synchronization.
      Specified by:
      testSynchronize in interface TestableChainingUserRegistrySynchronizer
      Parameters:
      authenticatorName - name of the user directory to test
      Returns:
      diagnostic information (see org.alfresco.repo.security.sync.SynchronizeDiagnostic)
    • synchronize

      public void synchronize(boolean forceUpdate, boolean isFullSync)
      Description copied from interface: UserRegistrySynchronizer
      Retrieves timestamped user and group information from configured external sources and compares it with the local users and groups last retrieved from the same sources. Any updates and additions made to those users and groups are applied to the local Alfresco copies. This process is always run in different transactions and threads.
      Specified by:
      synchronize in interface UserRegistrySynchronizer
      Parameters:
      forceUpdate - Should the complete set of users and groups be updated / created locally or just those known to have changed since the last sync? When true then all users and groups are queried from the user registry and updated locally. When false then each source is only queried for those users and groups modified since the most recent modification date of all the objects last queried from that same source.
      isFullSync - Should a complete set of user and group IDs be queried from the user registries in order to determine deletions? This parameter is independent of force as a separate query is run to process updates.
    • getPersonMappedProperties

      public Set<QName> getPersonMappedProperties(String username)
      Description copied from interface: UserRegistrySynchronizer
      Gets the set of property names that are auto-mapped for the user with the given user name. These should remain read-only for the user in the UI.
      Specified by:
      getPersonMappedProperties in interface UserRegistrySynchronizer
      Returns:
      the person mapped properties
    • createMissingPerson

      public boolean createMissingPerson(String userName)
      Description copied from interface: UserRegistrySynchronizer
      Creates a person object for a successfully authenticated user who does not yet have a person object, if allowed to by configuration. Depending on configuration, may trigger a partial synchronize and/or create a new person with default settings.
      Specified by:
      createMissingPerson in interface UserRegistrySynchronizer
      Parameters:
      userName - the user name
      Returns:
      true, if a person is created
    • onBootstrap

      protected void onBootstrap(org.springframework.context.ApplicationEvent event)
      Specified by:
      onBootstrap in class org.springframework.extensions.surf.util.AbstractLifecycleBean
    • onShutdown

      protected void onShutdown(org.springframework.context.ApplicationEvent event)
      Specified by:
      onShutdown in class org.springframework.extensions.surf.util.AbstractLifecycleBean
    • getSyncStartTime

      public Date getSyncStartTime()
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      Get the start date/time of the last synchronization
      Specified by:
      getSyncStartTime in interface ChainingUserRegistrySynchronizerStatus
      Returns:
      the date/time or null
    • getSyncEndTime

      public Date getSyncEndTime()
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      Get the end date/time of the last synchronization
      Specified by:
      getSyncEndTime in interface ChainingUserRegistrySynchronizerStatus
      Returns:
      the date/time or null
    • getLastErrorMessage

      public String getLastErrorMessage()
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      The last error message or null if last sync completed without error
      Specified by:
      getLastErrorMessage in interface ChainingUserRegistrySynchronizerStatus
      Returns:
      the last error message or null
    • getLastRunOnServer

      public String getLastRunOnServer()
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      Get the server id
      Specified by:
      getLastRunOnServer in interface ChainingUserRegistrySynchronizerStatus
      Returns:
      the server id of the server that last ran sync
    • getSynchronizationStatus

      public String getSynchronizationStatus()
      Specified by:
      getSynchronizationStatus in interface ChainingUserRegistrySynchronizerStatus
      Returns:
      String
    • getSynchronizationStatus

      public String getSynchronizationStatus(String zoneId)
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      Get the synchronization status
      Specified by:
      getSynchronizationStatus in interface ChainingUserRegistrySynchronizerStatus
      Parameters:
      zoneId - zone id
      Returns:
      the status
    • getSynchronizationLastUserUpdateTime

      public Date getSynchronizationLastUserUpdateTime(String id)
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      Get the date/time that the last user/person update completed
      Specified by:
      getSynchronizationLastUserUpdateTime in interface ChainingUserRegistrySynchronizerStatus
      Parameters:
      id - String
      Returns:
      date or null if sync has never completed
    • getSynchronizationLastGroupUpdateTime

      public Date getSynchronizationLastGroupUpdateTime(String id)
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      Get the date/time that the last group update completed
      Specified by:
      getSynchronizationLastGroupUpdateTime in interface ChainingUserRegistrySynchronizerStatus
      Parameters:
      id - String
      Returns:
      date or null if sync has never completed
    • getSynchronizationLastError

      public String getSynchronizationLastError(String zoneId)
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      Get the last error message from synchronizing this zone
      Specified by:
      getSynchronizationLastError in interface ChainingUserRegistrySynchronizerStatus
      Parameters:
      zoneId - the zone
      Returns:
      the last error message or null if the last sync did not have an error
    • getSynchronizationSummary

      public String getSynchronizationSummary(String zoneId)
      Description copied from interface: ChainingUserRegistrySynchronizerStatus
      Get the synchronization summary message for the specified zone
      Specified by:
      getSynchronizationSummary in interface ChainingUserRegistrySynchronizerStatus
      Parameters:
      zoneId - the zone
      Returns:
      the summary or null
    • setSysAdminParams

      public void setSysAdminParams(SysAdminParams sysAdminParams)
    • getSysAdminParams

      public SysAdminParams getSysAdminParams()
    • onApplicationEvent

      public void onApplicationEvent(org.springframework.context.ApplicationEvent event)
      Specified by:
      onApplicationEvent in interface org.springframework.context.ApplicationListener
      Overrides:
      onApplicationEvent in class org.springframework.extensions.surf.util.AbstractLifecycleBean