topic Re: Share 3.3g with mod_auth_cas in Alfresco Archive

Share 3.3g with mod_auth_cas

forsetiavatar — Thu, 14 Oct 2010 21:10:15 GMT

I am having problems getting Share working with mod_auth_cas according to this guide… http://wiki.alfresco.com/wiki/Alfresco_With_mod_auth_cas(minus the x509 stuff as I have no intention of using client certificates)A few notes:I am using Alfresco 3.3g, and CAS 3.3.5 and 389DS for LDAPCAS and LDAP b

Re: Share 3.3g with mod_auth_cas

forsetiavatar — Mon, 25 Oct 2010 16:40:20 GMT

Come on….. anyone, anyone….. Bueller? Has anybody gotten this to work using the instructions on the wiki?

Re: Share 3.3g with mod_auth_cas

warren_mcdonald — Thu, 28 Oct 2010 04:35:52 GMT

Just a hint but you may have missed the point of the x509 stuff.

The certificate part of this config enables the Share web app to connect to the Alfresco repo backend using x509 trusted certs. You must implement the full config! Including enabling the x509 extension bean in CAS webapp deployer context.

Although this config could be the basis of client auth by cert, that is not it's purpose.

Cheers,

Warren

Re: Share 3.3g with mod_auth_cas

forsetiavatar — Fri, 29 Oct 2010 04:15:15 GMT

Thanks for the reply Warren. I did actually miss the point initially. But I have since gone back and followed the wiki exactly. Building CAS from source, putting everything on one server and all. I still can not get share to function however. Now alfresco explorer still functions, I can use the certificate on my computer to log in and I get the 'alfresco-system' as the remote user in the snoop.jsp test. Looking at my CAS log after remove the cert from my computer and try to go into share using a username/password, it is assigning me a ticket but it also says that there is no cert found. Like you said share uses that certificate to authenticate to alfresco explorer, so should that appear in the CAS logs as well? I am a little confused on this point, but after reading the wiki many, MANY times I am thinking that this is what it is supposed to do. I am at home right now but I will VPN into work in a few and get the relevant logs. Once again thanks for your reply. I really appreciate the help.
*Edit*

Ok, connected to the office. here are the logs….


2010-10-29 00:22:23,925 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Attempting to create TicketGrantingTicket for [username: alfuser]>
2010-10-29 00:22:23,925 DEBUG [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - <User [alfuser] was successfully authenticated.>
2010-10-29 00:22:23,925 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: alfuser]>
2010-10-29 00:22:23,925 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal…>
2010-10-29 00:22:23,925 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [alfuser]>
2010-10-29 00:22:23,926 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-3-ukx59RFr0Fw3IgG7pf61UyDk5EGtHhEeOXe29P1ekdpPHE0Buu-cas] to registry.>
2010-10-29 00:22:23,926 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
2010-10-29 00:22:23,926 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-3-ukx59RFr0Fw3IgG7pf61UyDk5EGtHhEeOXe29P1ekdpPHE0Buu-cas]>
2010-10-29 00:22:23,926 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-3-ukx59RFr0Fw3IgG7pf61UyDk5EGtHhEeOXe29P1ekdpPHE0Buu-cas]>
2010-10-29 00:22:23,926 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-3-ukx59RFr0Fw3IgG7pf61UyDk5EGtHhEeOXe29P1ekdpPHE0Buu-cas] found in registry.>
2010-10-29 00:22:23,927 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-3-HwJd5MRIdwqXDytAjVtv-cas] to registry.>
2010-10-29 00:22:23,927 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-3-HwJd5MRIdwqXDytAjVtv-cas] for service [https://kocw-vmg-alf-002.kocw.com:443/share/] for user [alfuser]>
2010-10-29 00:22:24,289 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: https://kocw-vmg-alf-002.kocw.com:443/share/>
2010-10-29 00:22:24,289 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-3-HwJd5MRIdwqXDytAjVtv-cas]>
2010-10-29 00:22:24,289 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-3-HwJd5MRIdwqXDytAjVtv-cas] found in registry.>
2010-10-29 00:22:24,289 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-3-HwJd5MRIdwqXDytAjVtv-cas] from registry>
2010-10-29 00:22:25,316 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://kocw-vmg-alf-002.kocw.com/alfresco/wcs/webframework/content/metadata?user=alfuser>
2010-10-29 00:22:25,317 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Action 'X509CertificateCredentialsNonInteractiveAction' beginning execution>
2010-10-29 00:22:25,317 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Certificates not found in request.>
2010-10-29 00:22:25,317 DEBUG [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction] - <Action 'X509CertificateCredentialsNonInteractiveAction' completed execution; result is 'error'>
Oct 29, 2010 12:22:25 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet Spring Surf Dispatcher Servlet threw exception
org.json.JSONException: A JSONObject text must begin with '{' at character 9
   at org.json.JSONTokener.syntaxError(JSONTokener.java:413)
   at org.json.JSONObject.<init>(JSONObject.java:180)
   at org.json.JSONObject.<init>(JSONObject.java:420)
   at org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:173)
   at org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:165)
   at org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)
   at org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:202)
   at org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:106)
   at org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:53)
   at org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:57)
   at org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:71)
   at org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   at org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   at org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:67)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
   at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
   at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
   at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
   at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
   at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
   at java.lang.Thread.run(Thread.java:636)
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

and the relevant section of my share-config-custom.xml …


   <config evaluator="string-compare" condition="Remote">
      <remote>

        <!– SSL client certificate + trusted CAs. Optionally used to authenticate share to an external SSO system such as CAS –>
            <keystore>
                <path>/opt/alfresco/tomcat/shared/classes/alfresco/web-extension/alfresco-system.p12</path>
                <type>pkcs12</type>
                <password>********</password>
            </keystore>

         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>
         
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://kocw-vmg-alf-002.kocw.com/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
   
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Share 3.3g with mod_auth_cas

warren_mcdonald — Mon, 01 Nov 2010 04:09:31 GMT

Have you checked the CAS SSO logs?

Are you definitely getting the certificate passed in to the tomcat server (hosting cas) from the fronting httpd.

You may have to add the specific directive in the virtual host for cas or in the common ssl.conf

CAS log will tell you (very briefly) if the cert is missing from the request.

Warren

Re: Share 3.3g with mod_auth_cas

forsetiavatar — Mon, 01 Nov 2010 17:32:31 GMT

if I import the certificate into the browser on my computer I get through CAS w/o being prompted for a login. The snoop.jsp page also shows 'alfresco-system' as the remote user. However there seems to be a point where Share should authenticate with Alfresco using the certificate.This seems to be where the problem lies. I think for some reason Share is not using the certificate. I get the 'no certificate found in request' error. I have the alfresco-system certificate specified in the <keystore> section of share-config-custom.xml. Is there anywhere else the certificate needs to be called out?

Re: Share 3.3g with mod_auth_cas

warren_mcdonald — Mon, 01 Nov 2010 23:04:39 GMT

Hi,

when accessing CAS with the alf-system cert you are making a https request. The export settings in apache ssl virtual host send the cert data to tomcat.

When alfresco share is accessing the alfresco repo endpoint it should be thrown to the cas service via the url in the auth_cas.conf which is https. So this should be OK.

In your endpoint config try using the https connector. The cert may not be being requested as there is no x509 processing in the initial http exchange (before the throw to CAS).

<endpoint-url>https://kocw-vmg-alf-002.kocw.com/alfresco/wcs</endpoint-url>

Re: Share 3.3g with mod_auth_cas

forsetiavatar — Tue, 02 Nov 2010 03:54:22 GMT

Warren,

I have tried switching the endpoint to https with the same result. Is there any additional logging you could recommend turning on to debug the problem? For some reason it seems share is not sending the cert to CAS. Thanks again. Additional information, I am using Fedora 12 for my OS.

Re: Share 3.3g with mod_auth_cas

warren_mcdonald — Tue, 02 Nov 2010 06:40:00 GMT

ah ha - So we are not going mad. See http://issues.alfresco.com/jira/browse/ALF-2788

This Jira spells out that 3.3 no longer responds to the "endpoint connector with keystore" config we are trying to use. This worked in 3.2 but is no longer relevant in 3.3

There is a work around to edit shares web.xml to remove SSO filter in favour of the new external-auth enabled global filter.

It is not clear however if this is actually going to work in 3.3 or only in 3.4. The explanation of the config work around is very bad and contradicts itself.

I will give it a go anyway. Whats to lose.

For the wiki to have specific references to 3.3 config and this to be known to be obsolete is pretty bad. I sense community support to starting to slip badly.

Warren

Re: Share 3.3g with mod_auth_cas

forsetiavatar — Tue, 02 Nov 2010 18:38:52 GMT

Wow, I am such an idiot….. I saw that bug when I first started working on this and I ignored it because at the time I thought I did not need x509 auth. Then I went back and configured everything as per the kiki and forgot about it. This is one of the reasons why I thought the cert was not needed in the first place. At least that verified one of the things I was trying to determine, which is if the wiki was correct. Which is it not.
BTW, I tried setting it up as per that bug in 3.4a as well and had no luck.
Well. this may not work for everyone but we are only using Share, not Alfresco Explorer. So what I did this morning was I removed Alfresco from being protected by CAS. Meaning I took out the <Location /alfresco> section in mod_auth_cas.conf and I can now log into Share using CAS.
Of course this means we can not log into Alfresco now. But I wonder if some sort of rewrite or proxy configuration would allow access to Alfresco Explorer through CAS for instance have a CAS protected version at http://someserver.com/alfresco and a proxied version, not protected by CAS that Share authenticates to at http://someserver.com/otheralfresco.

Thanks for all the help on this matter Warren. I am going to continue doing some tests to make sure that nothing in Share is broken by this and will post back. Right now I am trying to disable the flash uploader which does not work woth CAS auth either.

Re: Share 3.3g with mod_auth_cas

warren_mcdonald — Wed, 03 Nov 2010 12:43:32 GMT

Hey,

glad you found a solution.

I have been thinking about a proxy solutions for some of our needs too. We need webdav protected by CAS for one purpose but also for hosting podcast xml files which need basic auth for iTunes. So multiple proxy directives may work (you will need rewriting as well). One possible way may be to use a more specific set of locations in the mod_auth_cas.conf file. Perhaps protecting only some /alfresco/<subdirs> will do the trick and leave others for normal auth. This will require bit of fiddling with a lot more directives, but there are not that many possible paths.

The 3.4.a solution requires a new class file. I have extracted this from a 3.4.a jar and packed it up in a jar to supplement my 3.3 install. I now have the error mentioned in the above Jira, but should be able to configure around it. I do like the aim of this solution which is the same generic external_auth handling for share as already exists for alfresco. It is unfortunate is only half baked for community as yet.

Cheers,

Warren

Re: Share 3.3g with mod_auth_cas

forsetiavatar — Sat, 06 Nov 2010 07:23:22 GMT

So is it pretty much confirmed that the wiki is wrong? Why would they go through all the time and effort to create that if the information is not accurate. Someone on the team should correct that page, or at the very least post specifically what platform those instructions run on. I am using Fedora 12 in my implementation with OpenJDK1.6 and CAS 3.3.5. I did test it with Sun JDK as well to ensure it was not some weird thing w/ OpenJDK. A few other notes…. Since the x509 portion does not function in 3.3g there is no need to build CAS from source. After x509 failed and I used the solution I described earlier I went back to using my original CAS server which was just the WAR file I downloaded from jasig. Also my solution seems to have broken task actions in the My Tasks dashlet when using a secure site. Tasks work under HTTP but does not function under HTTPS. When trying to accept a task on a secure site I get the 'failed to action task' message. I think this may be related to an active bug that has something to do with using tasks while working through a proxy.