topic Re: Share with mod_auth_cas not working in Alfresco Archive

Share with mod_auth_cas not working

jmwarfe — Tue, 27 Oct 2009 21:28:32 GMT

I'm in the process of trying to get Community Edition 3.2r to talk with my university's CAS server. So far I have followed the wiki page instructions for external authentication and can now log into the Alfresco explorer using SSO however Share gives me the following error below. I'm wondering if my

Re: Share with mod_auth_cas not working

matthias — Thu, 29 Oct 2009 09:08:01 GMT

I have exactly the same problem.

Logging into CAS with the alfresco-share certificate as described in the wiki works. Also does the snoop.jsp example.

Furthermore WebDAV, which is not protected by CAS, doesn't work anymore. Do I need to put LDAP authentication back in alfresco-global.properties?

dward, can you help us here?

TIA,
Matthias.

Re: Share with mod_auth_cas not working

cybertoast — Mon, 02 Nov 2009 15:33:37 GMT

I'm not even able to get Alfresco working with approach. What's happening is if I turn on the external authentication subsystem I can't even log in directly to the Alfrecso tomcat using admin/admin. If I comment out the authentication.chain, I can log in.
CAS logs in fine, but get to it from /alfresco I get redirected back to /alfresco/faces/…, as guest. At best I get the login screen on the /alfresco side.
There must be some configuration that I've got wrong, but I can't figure out what it is. This is using a fresh Alfresco 3.2r install. My logs don't show anything wrong - the state transitions in my CAS-server logs pretty much mimic what's in the login-webflow.xml. And my alfresco log pretty much has nothing in it past startup. Which I guess is not surprising since I don't have any debug entries for any authentication.

Re: Share with mod_auth_cas not working

cybertoast — Mon, 02 Nov 2009 16:52:54 GMT

I finally sort-of got /alfresco working by adding the httpRequestAuthFilter per http://forums.alfresco.com/en/viewtopic.php?f=9&t=21080&p=70120&hilit=cas+share&sid=721b39e0903cf2a03f71ffb6e5df32e6#p70120. But now when CAS redirects me back to alfresco, I get "java.lang.StackOverflowError", with the following:


java.lang.StackOverflowError

Hide Details

java.lang.StackOverflowError
at java.util.concurrent.ConcurrentHashMap$Segment.get(ConcurrentHashMap.java:338)
at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:769)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedBeanDefinition(AbstractBeanFactory.java:948)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedBeanDefinition(AbstractBeanFactory.java:928)
at org.springframework.beans.factory.support.AbstractBeanFactory.getMergedBeanDefinition(AbstractBeanFactory.java:914)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:205)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:227)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:757)
at org.alfresco.repo.security.authentication.subsystems.SubsystemChainingAuthenticationComponent.getUsableAuthenticationComponents(SubsystemChainingAuthenticationComponent.java:84)
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Also, when I go to localhost:8080/alfresco, and try to login with admin/admin I get:

"You have no access to Alfresco."‍

Re: Share with mod_auth_cas not working

dward — Mon, 02 Nov 2009 17:29:49 GMT

Hi. Sorry for my late arrival to this discussion.

jmwarfe: it looks like share is receiving an HTML response from the server, rather than the JSON response it is expecting. That would suggest that it is seeing a login page rather than the authenticated response. So it's probably that share isn't configured correctly to send the certificate.

Could you paste in the contents of

$CATALINA_HOME/shared/classes/alfresco/web-extension/webscript-framework-config-custom.xml

make sure it has exactly the path above.

?

Regarding the other questions, yes Web DAV authentication will require Alfresco's LDAP authentication subsystem to be included in your chain.

Re: Share with mod_auth_cas not working

cybertoast — Mon, 02 Nov 2009 22:32:07 GMT

Rebuilding the Alfresco 3.2r source seems to have fixed a lot of stuff, at least making /alfresco work. I now have exactly the same condition as jmwarfe on /share:


javax.servlet.ServletException: org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:146)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

org.alfresco.web.site.exception.RequestContextException: Exception running UserFactory in HttpRequestContextFactory
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:117)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

org.alfresco.web.site.exception.UserFactoryException: Unable to retrieve user from repository
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:254)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:176)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:93)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

org.json.JSONException: A JSONObject text must begin with '{' at character 9 of 







<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
   <head>
       <title>CAS &#8211; Central Authentication Service</title>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <style type="text/css" media="screen">@import 'css/cas.css'/**/;</style>
       <!–[if gte IE 6]><style type="text/css" media="screen">@import 'css/ie_cas.css';</style><![endif]–>
       <script type="text/javascript" src="js/common_rosters.js"></script>
       <link rel="icon" href="/cas/favicon.ico" type="image/x-icon" />
   </head>

   <body id="cas" onload="init();">
       <div id="header">
           <h1 id="app-name">Central Authentication Service (CAS)</h1>
       </div>

       <div id="content">

         <form id="fm1" class="fm-v clearfix" action="/cas/login;jsessionid=DDDD7EDD6EC9AB9DA3DC58BACD6B0331?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin" method="post">
             
                <div class="box" id="login">
                <!– Congratulations on bringing CAS online!  The default authentication handler authenticates where usernames equal passwords: go ahead, try it out.  –>
                    <h2>Enter your NetID and Password</h2>
                    <div class="row">
                        <label for="username"><span class="accesskey">N</span>etID:</label>
                  
                  
                  
                  
                  <input id="username" name="username" class="required" tabindex="1" accesskey="n" type="text" value="" size="25" autocomplete="false"/>
                  
                    </div>
                    <div class="row">
                        <label for="password"><span class="accesskey">P</span>assword:</label>
                  
                  
                  <input id="password" name="password" class="required" tabindex="2" accesskey="p" type="password" value="" size="25" autocomplete="off"/>
                    </div>
                    <div class="row check">
                        <input id="warn" name="warn" value="true" tabindex="3" accesskey="w" type="checkbox" />
                        <label for="warn"><span class="accesskey">W</span>arn me before logging me into other sites.</label>
                    </div>
                    <div class="row btn-row">
                  <input type="hidden" name="lt" value="_cF5CF7323-9883-82D6-C026-FE85F627D357_kCD941794-A5E2-366C-0808-3AC0BADC4BB1" />
                  <input type="hidden" name="_eventId" value="submit" />

                        <input class="btn-submit" name="submit" accesskey="l" value="LOGIN" tabindex="4" type="submit" />
                        <input class="btn-reset" name="reset" accesskey="c" value="CLEAR" tabindex="5" type="reset" />
                    </div>
                </div>
               
               <div id="sidebar">
                   <p>For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!</p>
                   <div id="list-languages">
                   
                  
                  
                       <h3>Languages:</h3>
                  <ul
                     ><li class="first"><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=en">English</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=es">Spanish</a></li            
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=fr">French</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=ru">Russian</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=nl">Nederlands</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=sv">Svenskt</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=it">Italiano</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=ur">Urdu</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=zh_CN">Chinese (Simplified)</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=de">Deutsch</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=ja">Japanese</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=hr">Croatian</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=cs">Czech</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=sl">Slovenian</a></li
                     ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=pl">Polish</a></li
                            ><li><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=pt_BR">Portuguese (Brazil)</a></li
                     ><li class="last"><a href="login?service=http%3a%2f%2fsundar-desktop%2falfresco%2fwcs%2fwebframework%2fcontent%2fmetadata%3fuser%3dadmin&locale=tr">Turkish</a></li
                  ></ul>
                   </div>
               </div>
           </form>
      </div>
       <div id="footer">
           <div>
               <p>Copyright &copy; 2005-2007 JA-SIG. All rights reserved.</p>
               <p>Powered by <a href="http://www.ja-sig.org/products/cas/">JA-SIG Central Authentication Service 3.3.4</a></p>
           </div>
           <a href="http://www.ja-sig.org" title="go to JA-SIG home page"><img id="logo" src="images/ja-sig-logo.gif" width="118" height="31" alt="JA-SIG" title="go to JA-SIG home page" /></a>
       </div>
   </body>
</html>


   org.json.JSONTokener.syntaxError(Unknown Source)
   org.json.JSONObject.<init>(Unknown Source)
   org.json.JSONObject.<init>(Unknown Source)
   org.alfresco.web.site.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:166)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:176)
   org.alfresco.web.site.UserFactory.faultUser(UserFactory.java:110)
   org.alfresco.web.site.DefaultRequestContextFactory.newInstance(DefaultRequestContextFactory.java:93)
   org.alfresco.web.site.FrameworkHelper.initRequestContext(FrameworkHelper.java:202)
   org.alfresco.web.site.servlet.DispatcherServlet.service(DispatcherServlet.java:142)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

My webscript-framework-config-custom.xml is:


  <config evaluator="string-compare" condition="Remote">
    <remote>
      <!– SSL client certificate + trusted CAs. Optionally used to authenticate share to an external SSO system such as CAS –>
      <keystore>
        <path>alfresco/web-extension/alfresco-system.p12</path>
        <type>pkcs12</type>
        <password>password</password>
      </keystore>
       
      <connector>
        <id>alfrescoCookie</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using cookie-based authentication</description>
        <class>org.alfresco.connector.AlfrescoConnector</class>
      </connector>

      <endpoint>
        <id>alfresco</id>
        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>
        <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://myhost/alfresco/wcs</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>
            
    </remote>
  </config>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Share with mod_auth_cas not working

cybertoast — Mon, 02 Nov 2009 23:30:53 GMT

Hi dward, The CASServer has this in its log:


2009-11-02 18:19:01,300 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://sundar-desktop/alfresco/wcs/webframework/content/metadata?user=admin>
2009-11-02 18:19:01,300 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Placing service in FlowScope: http://sundar-desktop/alfresco/wcs/webframework/content/metadata?user=admin>
2009-11-02 18:19:01,300 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Action 'InitialFlowSetupAction' completed execution; result is 'success'>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Action 'X509CertificateCredentialsNonInteractiveAction' beginning execution>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Certificates not found in request.>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Action 'X509CertificateCredentialsNonInteractiveAction' completed execution; result is 'error'>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Executing setupForm>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new form object with name 'credentials'>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Creating new form errors for object with name 'credentials'>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <No property editor registrar set, no custom editors to register>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Putting form errors instance in scope Flash>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' beginning execution>
2009-11-02 18:19:01,301 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Action 'AuthenticationViaFormAction' completed execution; result is 'success'>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Does the "[org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Certificates not found in request.>" indicate that there's a problem in certificates being handled properly? Or is this safe to ignore?

Re: Share with mod_auth_cas not working

matthias — Tue, 03 Nov 2009 09:56:54 GMT

Ok, what I have now:

- Share is authenticating properly with the certificate. I got these lines in cas.log:

2009-11-02 20:57:34,769 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - certificate was issued by t
rusted issuer
2009-11-02 20:57:34,769 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - this is an end-user certifi
cate
2009-11-02 20:57:34,769 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - Pattern Match: true [EMAILA
DDRESS=noc@company.de, CN=alfresco-system, OU=Network Operations, O=company UG, ST=somestate, C=DE] against [.*].
2009-11-02 20:57:34,770 DEBUG [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - cert[2] ok, setting as cred
entials candidate
2009-11-02 20:57:34,770 INFO [org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler] - authentication OK; SSL clien
t authentication data meets criteria for cert[2]
2009-11-02 20:57:34,770 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.x509.authentication.han
dler.support.X509CredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: org.jasig.cas.adaptors.x509.a
uthentication.principal.X509CertificateCredentials@454a8c
2009-11-02 20:57:34,770 INFO [org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver] - Creating princi
pal for: EMAILADDRESS=noc@company.de, CN=alfresco-system, OU=Network Operations, O=company, ST=somestate, C=DE
2009-11-02 20:57:34,840 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-fljp791QoR4132GIrhfC-app01.company.de] for serv
ice [https://app01.company.de/alfresco/wcs/webframework/content/metadata?user=matthias.name%40company.de] for user [alfresco-system]

‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

…but I still received the same error as jmwarfe when I try to access Share. Is it a problem with the '@' sign in my username? We use multitenancy, so the sign is mandatory.

- WebDAV is working again, thanks.

Matthias

Re: Share with mod_auth_cas not working

cybertoast — Tue, 03 Nov 2009 14:54:29 GMT

Matthias, I wonder how you got your Share to send out the certificate. It seems (based on my logs) that I'm actually failing the X509CredentialsAuthenticationHandler in login-webflow and going on to the viewLoginForm action. But can't understand why. Do you have any suggestions? Did you have this problem before and solve the certificate handling somehow? Thanks much for any help.

Re: Share with mod_auth_cas not working

dward — Tue, 03 Nov 2009 15:14:19 GMT

Matthias. It may well be that multi tenancy is stopping the feature from working. Although I still don't know why, if share is sending the certificate, it still claims to be getting HTML back from the user metadata call.

All I can suggest is that we instrument share's client with further debug logging so we can work out what sequence of redirects are happening.

Do you feel up to adding some additional logging to

org.alfresco.connector.RemoteClient.service(URL, InputStream, OutputStream, HttpServletRequest, HttpServletResponse, ResponseStatus)

?

If we could see what URLs are being called, what redirects are happening, what cookies are being returned and what status codes are being received, we might be able to work out what's going wrong!

Re: Share with mod_auth_cas not working

matthias — Wed, 04 Nov 2009 14:54:18 GMT

Matthias, I wonder how you got your Share to send out the certificate. It seems (based on my logs) that I'm actually failing the X509CredentialsAuthenticationHandler in login-webflow and going on to the viewLoginForm action. But can't understand why. Do you have any suggestions? Did you have this problem before and solve the certificate handling somehow? Thanks much for any help.

cybertoast: I configured everything as described in http://wiki.alfresco.com/wiki/Alfresco_With_mod_auth_cas (without Maven).

Except one thing: I added the following to /etc/apache2/httpd.conf:

SSLVerifyClient optional
SSLCACertificateFile /etc/ssl/certs/cacert.pem
SSLOptions +StdEnvVars +ExportCertData

This was the only way to make it work. Otherwise Apache seems not to send the incoming certificate properly.
I got the same error as you before I made these changes, so maybe that solves your problem.

Try at first if you can login to the snoop.jsp example (bottom of wiki article) via the certificate. If this works, you're on a good way.

Matthias.

Re: Share with mod_auth_cas not working

matthias — Wed, 04 Nov 2009 15:37:23 GMT

Do you feel up to adding some additional logging to

org.alfresco.connector.RemoteClient.service(URL, InputStream, OutputStream, HttpServletRequest, HttpServletResponse, ResponseStatus)

?

If we could see what URLs are being called, what redirects are happening, what cookies are being returned and what status codes are being received, we might be able to work out what's going wrong!

Ok, I tried to set the logging but I only get results if I use org.alfresco.connector.RemoteClient=debug - going further like

org.alfresco.connector.RemoteClient.service gives no result. Am I doing something wrong?

The result with RemoteClient=debug

16:25:37,223 DEBUG [org.alfresco.connector.RemoteClient] Executing (GET) https://app01.company.de/alfresco/wcs/webframework/content/metadata?user=matthias.name%40company.de
16:25:37,225 DEBUG [org.alfresco.connector.RemoteClient]  - OutputStream supplied - will stream response…
16:25:37,305 DEBUG [org.alfresco.connector.RemoteClient] Setting cookie header: MOD_AUTH_CAS_S=b5d6a2524928d27bd5ade0bed30742e6;CASTGC=TGT-25-7CNalUs5KSroXN3zXgWPcN0DchY0CSttWwqx3Wk4uniP05ZVsE-app01.company.de
16:25:37,502 DEBUG [org.alfresco.connector.RemoteClient] Response status code: 401
16:25:37,502 DEBUG [org.alfresco.connector.RemoteClient] Response encoding: Content-Type: text/html; charset=iso-8859-1‍‍‍‍‍

That's it. Not very helpful. 😕

Re: Share with mod_auth_cas not working

cybertoast — Wed, 04 Nov 2009 15:53:04 GMT

Matthias, Thanks very much for your response. I've actually tried that, but still have no success on the client authentication part.
This is what I had to do to just get things sort of working:

1. Apache default-ssl file (I'm using Ubuntu, so this may just be the httpd.conf file's :443 virtualhost on other systems):


SSLCertificateFile /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile /etc/ssl/private/localhost.pem
‍‍‍‍

In mod-enabled/ssl.conf, I added the JkMount /cas .. stuff, but also had to add JkMountCopy On:


JkMountCopy On
JkMount /cas casnode
JkMount /cas/* casnode
JkMount /examples casnode
JkMount /examples/* casnode
SSLVerifyClient optional
SSLCACertificateFile /etc/ssl/certs/cacert.pem
SSLOptions +StdEnvVars + ExportCertData
‍‍‍‍‍‍‍‍‍‍

2. In my tomcat/conf/server.xml I had to add the keystore (otherwise casserver fails to start up, with errors about jsse.invalid_ssl_conf):


   <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               maxHttpHeaderSize="8192" minSpareThreads="25" maxSpareThreads="75"
               maxThreads="150" scheme="https" secure="true"
               sslProtocol="TLS" connectionTimeout="20000"
               clientauth="true" 
               keystoreFile="/etc/ssl/alfresco-system.p12"
               keystoreType="PKCS12" keystorePass="password"
               truststoreFile="/etc/ssl/alfresco-system.p12" 
               truststorePass="password" truststoreType="PKCS12"
   />
‍‍‍‍‍‍‍‍‍‍‍‍

When I try to connect to the tomcat server directly (http://myhost:8444/cas/login) I get a "SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)" from firefox. This is because I've set clientauth="true". If I set clientauth="want", then I get the CAS login form.

So basically I'm unable to get the client authentication using the pkcs12 alfresco-system.p12 keystore.

I thought maybe this was because the alfesco-system cert has a CN of alfresco-system, and so changed this to my DNS. But did not make any difference.

I also tried to import the /etc/ssl/certs/cacert.pem into my keystore using keytool:


keytool –import -alias alfresco-system -keystore /etc/ssl/keystore -file /etc/ssl/certs/cacert.pem
‍‍‍

But this caused jsse.invalid_ssl_conf and "no available certifice or key corresponds to the ssl cipher suites which are enabled" during startup of casserver.

I'm sure there's something relatively simple that I'm missing, but just can't figure out what. The fact that I've been staring at this for several days is probably not helping either

Thanks for your help, anyway!

Re: Share with mod_auth_cas not working

dward — Wed, 04 Nov 2009 16:31:29 GMT

mathias

That at least tells us that it's getting a status 401 response from alfresco, even for an authenticated request with a CAS cookie in place.

We believe this may mean that the external authentication subsystem has become broken, ironically due to recent changes made to support multi tennancy.

I have logged

https://issues.alfresco.com/jira/browse/ETHREEOH-3265

cybertoast. You are deviating away from the supported instructions and I can't help you. You shouldn't be using the keystore at all with tomcat - this should be configured in apache and you should switch tomcat authentication off as it says in the instructions. I also hope you started with a virgin tomcat zip as the installation requires and not some Ubuntu packaged version. And we don't need JkMountCopy On.

Re: Share with mod_auth_cas not working

cybertoast — Wed, 04 Nov 2009 17:32:44 GMT

dward, thanks for the response. My tomcat is the zip file from apache (apache-tomcat-6.0.20.tar.gz), not the ubuntu packaged one.
When using the standard server.xml (without keystore definitions), but with tomcatAuthentication="false", I get:


SEVERE: Failed to load keystore type JKS with path /root/.keystore due to /root/.keystore (No such file or directory)java.io.FileNotFoundException: /root/.keystore (No such file or directory)
  at java.io.FileInputStream.open(Native Method)
  at java.io.FileInputStream.<init>(FileInputStream.java:106)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:341)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:263)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:473)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:413)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:129)
  at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
  at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:526)
  at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
  at org.apache.catalina.connector.Connector.start(Connector.java:1131)
  at org.apache.catalina.core.StandardService.start(StandardService.java:531)
  at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
  at org.apache.catalina.startup.Catalina.start(Catalina.java:583)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Nov 4, 2009 12:28:14 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.FileNotFoundException: /root/.keystore (No such file or directory)
  at java.io.FileInputStream.open(Native Method)
  at java.io.FileInputStream.<init>(FileInputStream.java:106)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:341)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:263)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:473)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:413)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:129)
  at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:503)
  at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:526)
  at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
  at org.apache.catalina.connector.Connector.start(Connector.java:1131)
  at org.apache.catalina.core.StandardService.start(StandardService.java:531)
  at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
  at org.apache.catalina.startup.Catalina.start(Catalina.java:583)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

This is the ONLY reason I deviated from the wiki - I could not figure out any other way to make this work (and basically followed the tomcat instructions on the CAS site, the one where you explicitly say "don't worry about tomcat configuration steps").

Anyway, I don't have a keystore file by default (the /root/.keystore), so how to proceed?

Again, thanks. I'm completely flummoxed and have had no luck getting this to work, so any help is hugely appreciated!

Re: Share with mod_auth_cas not working

cybertoast — Wed, 04 Nov 2009 17:39:59 GMT

Crap, I'm an idiot! Sorry, I had uncommented the SSL portion of the original tomcat server.xml file. SO SO SORRY! Ok, I'm trying it all out from scratch again and let's see if it's all just because of my stupidity!

Re: Share with mod_auth_cas not working

cybertoast — Wed, 04 Nov 2009 18:23:36 GMT

Ok, starting from scratch, this is what happens:

1. If I try to navigate to http://myhost/cas/login, I get login screen. https://myhost/cas/login gives me


Not Found
the requested URL /cas/login was not found on this server
‍‍‍‍

The only way to get this to work is to add JkMountCopy On in my default-ssl virtualhost. Adding this to my ssl.conf also does not work.
I had to change the SSLCACertificatePath /etc/ssl/certs/ to SSLCACertificateFile /etc/ssl/certs/cacert.pem (like matthias suggested as well), since otherwise Firefox and Safari both just hang on "loading…" connecting to the URL.

I set the SSLCertificateFile to /etc/ssl/certs/localhost.crt and SSLCertificateKeyFile to /etc/ssl/private/localhost.key. These are the cert/key generated in Step 3 of the wiki instructions.

2. I have steps 2, 3 and 4 completed, and have Apache, CASServer and all certificates in place. mod-jk redirects my requests to /cas/login. Trying the snoop.jsp example redirects me to /cas/login and my ldap auth works.

3. Trying out client authentication by importing the alfresco-system.p12 keystore into Firefox, cleaning out cookies and going back to http://myhost/examples/jsp/snp/snoop.jsp takes me to https://myhost/cas/login?service=…
So importing the alfresco-system.p12 keystore into Firefox does not seem to have any effect

Any ideas?

Re: Share with mod_auth_cas not working

matthias — Wed, 04 Nov 2009 22:08:54 GMT

Hmm, seems you should get CAS-Server working at first.

- You don't need JkMountCopy at all. (btw: I'm using Ubuntu as well)
- Use "JkMount /cas* worker1" in your SSL VHost.
- Create /etc/apache/workers.properties with the following:

worker.list=worker1
worker.default.port=8009
worker.default.host=localhost
worker.default.type=ajp13
worker.default.lbfactor=1‍‍‍‍‍

Put the following in /etc/apache/httpd.conf

JkWorkersFile /etc/apache2/workers.properties

# Where to put jk logs
JkLogFile /var/log/apache2/mod_jk.log

# Set the jk log level [debug/error/info]
JkLogLevel info

# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize -ForwardDirectories

# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"

‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

That is enough to make Apache work with CAS.

After that you can protect some dirs with mod_auth_cas.
Try that with the /examples directory of Tomcat. Check, if you can see your username there.

Re: Share with mod_auth_cas not working

cybertoast — Wed, 04 Nov 2009 23:10:57 GMT

dward,
* Removed all JkMountCopy On
* Removed my JkMount /cas* casnode from /etc/apache2/mods-enabled/ssl.conf and moved JkMount /cas* casnode to /etc/apache2/sites-enabled/default-ssl
* Left JkMount /examples* casnode in /etc/apache2/mods-enabled/ssl.conf
* Added your suggestions to httpd.conf (basically it was an empty file, and now it only has the stuff you suggested)
* Removed JkWorkersFile and JkLogFile from /etc/apache2/mods-enabled/jk.conf (since they're now in httpd.conf)

My /etc/apache2/workers.properties file:


worker.list=ajp12, ajp13, casnode, alfnode  # I know I only need casnode and alfnode
worker.casnode.port=8009
worker.casnode.host=myhost
worker.casnode.type=ajp13
worker.casnode.lbfactor=1
worker.alfnode.port=8010
worker.alfnode.host=myhost
worker.alfnode.type=ajp13
worker.inprocess.type=jni
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)bin$(ps)classic$(ps)jvm.dll
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

This makes CAS work with apache. I believe the addition of the JkMount /cas* casnode into the default.ssl file is what made the difference. (Maybe because sites-enabled is what's included last in apache2.conf?).

* Ensured that there is nothing in Your Certificates in Firefox's Certificate Manager.
* Go to http://myhost/examples/jsp/snp/snoop.jsp -> Get CAS login form
* Clear all cookies, import alfresco-system.p12 into Firefox's Your Certificates, and I get the CAS login form, same as before. And in my CAS log is:


2009-11-04 18:06:19,472 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Certificates not found in request.>
‍‍‍

Thanks VERY VERY much for helping with this!

Re: Share with mod_auth_cas not working

matthias — Thu, 05 Nov 2009 13:24:34 GMT

* Ensured that there is nothing in Your Certificates in Firefox's Certificate Manager.
* Go to http://myhost/examples/jsp/snp/snoop.jsp -> Get CAS login form
* Clear all cookies, import alfresco-system.p12 into Firefox's Your Certificates, and I get the CAS login form, same as before. And in my CAS log is:
2009-11-04 18:06:19,472 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Certificates not found in request.>
‍‍‍
Thanks VERY VERY much for helping with this!

cybertoast, what you didn't tell me:
- Can you login via CAS to snoop.jsp (without certificate, only with username+pass!)?
- If yes, do you see your username there?

Do this first. After that, we can check the certificate stuff.