topic Re: User Session and Authentication Strategies in Alfresco Archive

User Session and Authentication Strategies

athrawn17 — Fri, 11 Jun 2010 16:14:42 GMT

Hi everyone,I was just wondering this forum's thoughts about Session management and user authentication.I'm doing a Proof of Concept with Alfresco and have decided to got down the CMIS route. So far, everything has been going well. Now I'm to the point where I get to start messing around with diff

Re: User Session and Authentication Strategies

athrawn17 — Fri, 11 Jun 2010 19:12:15 GMT

As I do more investigation on this, does anyone know if the external authentication subsystem can be used with CMIS? I'm trying to configure it now, but not having any luck yet, I have the header set and can see the value coming over, but it is still wanting a password.

Re: User Session and Authentication Strategies

athrawn17 — Thu, 17 Jun 2010 15:23:21 GMT

For all the pomp and circumstance around Alfresco's CMIS implementation, you are sure quiet on this forum……

Re: User Session and Authentication Strategies

gclaussn — Fri, 18 Jun 2010 17:43:57 GMT

i don't see the problem, if you have an application, which should be used by different users, you might have something like a login screen where the user is typing in a password, why not use these also for the alfresco account…

maybe you can give me more information, what you exactly planing to do.

best regards, gclaussn

Re: User Session and Authentication Strategies

athrawn17 — Fri, 18 Jun 2010 18:33:49 GMT

i don't see the problem, if you have an application, which should be used by different users, you might have something like a login screen where the user is typing in a password, why not use these also for the alfresco account…

maybe you can give me more information, what you exactly planing to do.

best regards, gclaussn

In order to send the password to alfresco, we would have to store it in plain text. This is a bad thing to do from a security perspective.

Our application never actually sees the password, since it is proxied to a SSO server. We know the username as that is returned from the proxy, but never the password.

We could send a token to alfresco, or use a header property to tell alfresco that the user has already been authenticated, but the CMIS implementation requires a username/password.

And that was my original question. When using CMIS, what Authenticaion strategies are available besides sending a username/password? I don't see any other solutions.

Re: User Session and Authentication Strategies

gclaussn — Mon, 21 Jun 2010 06:38:49 GMT

I also see no other way, than plain text…
Alfresco requires this:

<url>/api/login?u={username}&pw={password?}</url>
‍‍

Maybe there is a way to customize the login strategie by replacing classes, or manipulating webscripts, but i think that's not the sense of your work.

Re: User Session and Authentication Strategies

nicolasraoul — Wed, 23 Jun 2010 07:16:54 GMT

Hi Athrawn17,

Indeed that surprised me too, but in my CMIS browser I ended storing the username/password of the user as plain text, and sending them at each request.

Another thing that feels weird:
In my app, the username/login success screen does not use the credentials to perform anything, so I don't know if the credentials are valid or not, until the next screen. So if I enter a wrong password, I am told "logged in" but actually an authentication error will appear later. I guess this could be fixed by performing a useless CMIS operation, for instance listing the repository root.

I believe the best solution, if possible in your environment, is to setup SSO, so that no login/password is needed at all. gclaussn, am I right on this?

Cheers!
Nicolas Raoul

Re: User Session and Authentication Strategies

gclaussn — Wed, 23 Jun 2010 14:44:00 GMT

Hi Nicolas,

i don't really know if this is possible, when using Alfresco.

Performing an operation is a good way, i managed it in the same way, after creating a CMIS session in my application. But the repository root is no good idea… I used the getRepositoryInfo operation, which is running good for an administrator, but not for an normal user (they are not allowed to see these information). Also the repository root is not good I think, when having users, that can just read/write their own home directory and existing sub directories.

best regards, gclaussn