topic Re: Web Script and Single Sign On in Alfresco Archive

Web Script and Single Sign On

mikewaters — Sat, 31 May 2008 10:15:34 GMT

We have a requirement to implement single sign on over web scriptsWe want to allow a user of a third party application to click on a link to view a UI based web script and get authenticated without re-entering their credentials.I am going to see if it can be done by implementing one of the Authentic

Re: Web Script and Single Sign On

jbarmash — Sun, 01 Jun 2008 13:59:09 GMT

Just want to point out that webscripts are accessible using two methods - /alfresco/service carries its own authentication, and /wcservice uses authentication of the web client. There are definitely examples of SSO-type functionality on the webclient side, i.e. ntlm authentication, etc.

I don't know precisely how the /service authentication works, but since we do single signon with liferay, I am sure you can implement SSO on that protocol as well.

So if your users are already logged into Alfresco UI (not sure if they are) - this could be an easy way to achieve this effect.

Re: Web Script and Single Sign On

mikewaters — Mon, 02 Jun 2008 11:02:14 GMT

Thanks for the quick reply!

It seems to me that the most promising approach is to use an SSO framework like CAS or SiteMinder over /alfresco/wcservlet.

The standard /alfresco/service web script servlet uses HTTP Basic authentication which means we need to pass the username and password in the authentication headers, which is not an option for us. Firstly we don't have access to the password, since it is held in LDAP. Secondly I don't know how to pass the credentials in a hyperlink or browser redirect. (The user is not already authenticated when the webscript URL is called)

With CAS the first hurdle is that the authentication of /alfresco/wcservlet, is not done with servlet filters but inside the servlet code, so it must work differently from the standard web client authentication which does use filters. My first attempt at implementing CAS works fine for the web client, but not for /alfresco/wcservice. I think it may be that the processing of the web client login page adds some extra information into the session which is not added by the authentication filters.

So my follow up question is, is there any more information available on wcservice authentication and if so, where?
Also, is there any source code or documentation about the liferay SSO solution?

thanks!

Re: Web Script and Single Sign On

jbarmash — Mon, 02 Jun 2008 18:24:21 GMT

This is now getting beyond my area of expertise a bit. Everything we have related to security is underneath here:
http://wiki.alfresco.com/wiki/Categoryecurity

Or in code / JavaDocs.

This page (which I think you already saw) is relevant.
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration
http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration

it's strange that code that works for web client does not for wcservice- i thought those were supposed to be equivalent.

Re: Web Script and Single Sign On

mikewaters — Tue, 03 Jun 2008 05:33:47 GMT

Ultimately the same method gets called - AuthenticationHelper.authenticate() but the code path to that function is different. The web-client path goes via code in AuthenticationFilter.java (URL /alfresco/faces/* ) and the web-script path uses code within WebScriptServlet.java (URL /alfresco/wcservice/* )

Both work when native Alfresco authentication is used (ie the Alfresco login page).

When I add in the CASAuthenticationFilter, which replaces the code in the LoginBean.java and AuthenticaionFilter.java, the web-script authentication fails.

I haven't had a chance to step through the code but it looks like the CASAuthenticationFilter is not doing everything it is supposed to do, and some data is missing from the session by the time the WebScriptServlet sees the request, thus failing the authentication.

I'm keen to fix the CASAuthenticationFilter so it works with /wcservice so is there anyone who knows what LoginBean.java does that must be replicated in the SSO filters?

Or is it just me and the code…?

Re: Web Script and Single Sign On

mikewaters — Sun, 08 Jun 2008 07:53:30 GMT

I tracked down the problem - both CAS and Alfresco use a URL parameter "ticket" as part of the authentication mechanism, and one clashes with the other. As a result Alfresco sees a "ticket" parameter, and fails to validate it because it is a CAS ticket not an alfresco ticket.

Heres some background.

http://forums.alfresco.com/viewtopic.php?f=9&t=9889&p=32707
http://forums.alfresco.com/viewtopic.php?f=9&t=8431&p=27829
http://issues.alfresco.com/browse/ALFCOM-705

The workaround is to change the Alfresco Java code. In 2 places

1. In BaseServlet.java change the value of ARG_TICKET to something other than "ticket" (eg "alfticket") this should get the download servlet (and others?) working.

private static final String ARG_TICKET   = "ticket";‍

2. For web scripts the parameter "ticket" is referenced in WebClientAuthenticatorFactory.java in an inner class method WebClientAuthenticator.authenticate()

String ticket = req.getParameter("ticket");‍

Change this to the same value and web script calls should get the CAS authentication working, since the Alfresco authentication code will now ignore "ticket"

WARNING - Although the Alfresco authentication checks for "alfticket" it looks suspiciously like the Alfresco code that generates URLs with a "ticket" parameter is elsewhere and will still be using "ticket". So the internal Alfresco Ticket handling might still be broken.