https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230678#M183808 <HTML><HEAD></HEAD><BODY><SPAN>I am writing an OpenSSO plugin for Alfresco Share. My spec is to check for the presence and validity of an SSO token in a cookie; if the cookie is not there, or is expired, the user should login to Share in the normal way, but if the cookie is present, and contains a valid token, then the user should be automatically signed in to Share - a little different from the normal SSO use case, but it </SPAN><EM>should</EM><SPAN> still be doable, or so I thought…</SPAN><BR /><BR /><SPAN>I used the </SPAN><A href="http://opensource.sourcesense.com/confluence/display/ALE/Alfresco+OpenSSO+integration" rel="nofollow noopener noreferrer">SourceSense OpenSSO plugin</A><SPAN> as a model, and got Web Client SSO working very quickly - I just ported the SourceSense code to 3.3g (a lot of classes seem to have moved about) and switched from the OpenSSO Java API to the REST API - I prefer the REST API as there are no jars to deploy.</SPAN><BR /><BR /><SPAN>Now, Share seems a different beast. This is the core code:</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; name = openssoClient.getPrincipal(token);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (name != null) {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UserFactory userFactory = context.getServiceRegistry().getUserFactory();<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (userFactory.authenticate(req, name, token)) {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AuthenticationUtil.login(req, res, name);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>Now - there seem to be a couple of issues here - to use userFactory.authenticate(req, name, token), something on the other end has to be able to interpret and validate that token - presumably some component I plug in to Alfresco Web Client? If I remove the authenticate call and just do the AuthenticationUtil.login(req, res, name), things blow up later on when Share tries to get the user profile from the Web Client - it looks like it tried to get some XML, but Wireshark tells me it got an HTML login page.</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />SEVERE: Servlet.service() for servlet Spring Surf Dispatcher Servlet threw exception<BR />org.json.JSONException: A JSONObject text must begin with '{' at character 45<BR />&nbsp;&nbsp;&nbsp;at org.json.JSONTokener.syntaxError(JSONTokener.java:413)<BR />&nbsp;&nbsp;&nbsp;at org.json.JSONObject.&lt;init&gt;(JSONObject.java:180)<BR />&nbsp;&nbsp;&nbsp;at org.json.JSONObject.&lt;init&gt;(JSONObject.java:420)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:173)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:165)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:202)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.RequestContextUtil.populateRequestContext(RequestContextUtil.java:175)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.RequestContextUtil.populateRequestContext(RequestContextUtil.java:130)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.mvc.AbstractWebFrameworkView.populateRequestContext(AbstractWebFrameworkView.java:243)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.mvc.AbstractWebFrameworkView.renderMergedOutputModel(AbstractWebFrameworkView.java:105)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1060)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)<BR />&nbsp;&nbsp;&nbsp;at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)<BR />&nbsp;&nbsp;&nbsp;at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)<BR />&nbsp;&nbsp;&nbsp;at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)<BR />&nbsp;&nbsp;&nbsp;at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:67)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)<BR />&nbsp;&nbsp;&nbsp;at com.gocetech.opensso.alfresco.OpenSSOAlfrescoShareFilter.doFilter(OpenSSOAlfrescoShareFilter.java:113)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)<BR />&nbsp;&nbsp;&nbsp;at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)<BR />&nbsp;&nbsp;&nbsp;at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)<BR />&nbsp;&nbsp;&nbsp;at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)<BR />&nbsp;&nbsp;&nbsp;at java.lang.Thread.run(Thread.java:637)<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>So - does anyone have any idea how to get this working? </SPAN><A href="http://forums.alfresco.com/en/viewtopic.php?f=48&amp;t=25692" rel="nofollow noopener noreferrer">It looks like people have tried this in the past, but not got anywhere</A><SPAN>…</SPAN></BODY></HTML> Fri, 08 Oct 2010 03:36:09 GMT metadaddy 2010-10-08T03:36:09Z https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230678#M183808 I am writing an OpenSSO plugin for Alfresco Share. My spec is to check for the presence and validity of an SSO token in a cookie; if the cookie is not there, or is expired, the user should login to Share in the normal way, but if the cookie is present, and contains a valid token, then the user shoul Fri, 08 Oct 2010 03:36:09 GMT https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230678#M183808 metadaddy 2010-10-08T03:36:09Z https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230679#M183809 <HTML><HEAD></HEAD><BODY><SPAN>Using OpenSSO for authentication or any other method for that matter is totally doable if the basics are understood properly.</SPAN><BR /><BR /><SPAN>a) Share never ever fully authenticates a user. All that authentication plugins can do is forward credentials to the underlying repository and that repository is responsible for the authentication. (Note: NOT the web client, although it provides some of the hooks.)</SPAN><BR /><SPAN>b) SSO filters of Share have to work in conjunction with endpoint connectors to allow SSO and normal login behaviour depending on the entry point of the user. A SSO filter alone will not work if the endpoint connector (including its authenticator) can't retain the authenticated session on the repository.</SPAN><BR /><SPAN>c) Authentication filters of the repository / web client applications have to allow for the possibility of SSO and password logins. Usually the documentation/tutorials on that matter follow a SSO-only or login-only approach where both methods can not co-exist. I can not speak to the SourceSense plugin though.</SPAN><BR /><BR /><SPAN>What you need should be these components (based on my experience with the matter of backporting some SPNEGO fixes from 3.3 to 3.2 and enabling co-existence of SSO and login):</SPAN><BR /><BR /><SPAN>a) A filter for Alfresco Share that takes the SSO token, authenticates against the repository by passing it in a call to "/touch" and sets the external authentication flag in the session. Use the SSOAuthenticationFilter as a rough guideline for your implementation.</SPAN><BR /><SPAN>b) An authenticator for Alfresco Share endpoint connections that checks both the ticket in the connector session and the external authentication flag when determining if a user has already been authenticated. Simply extend the AlfrescoAuthenticator here. (Only this authenticator will later allow your users to both use SSO or normal login.)</SPAN><BR /><BR /><SPAN>You should not need to explicitly call authenticate or login on the UserFactory or the AuthenticationUtil at all for this to work.</SPAN></BODY></HTML> Sat, 16 Oct 2010 16:41:13 GMT https://connect.hyland.com/t5/alfresco-archive/problems-writing-an-sso-plugin-for-alfresco-share-3-3g/m-p/230679#M183809 afaust 2010-10-16T16:41:13Z