topic Re: HTTP authentication with 3.2? in Alfresco Archive

HTTP authentication with 3.2?

fo1337 — Fri, 26 Jun 2009 18:35:28 GMT

Has the way to setup HTTP authentication changed in 3.2? With 3.1, I authenticate my users via mod_auth_cas on a front-end Apache, which sets REMOTE_USER for use by Alfresco. For that I had to change the authenticator in both web.xml to HTTP authenticator (it's all in the Wiki).With the new subsyste

Re: HTTP authentication with 3.2?

fo1337 — Mon, 29 Jun 2009 14:23:08 GMT

Nobody?

Re: HTTP authentication with 3.2?

dward — Tue, 30 Jun 2009 09:23:21 GMT

I'm afraid there isn't yet a built-in subsystem that supports CAS authentication. However, the steps outlined in the Wiki should still work

http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration

I'm afraid you would still have to manually change the filters in web.xml.

If you get this working, please feel free to bring the Wiki up to date with any v3.2 specific details. And perhaps you would like to try applying the subsystem pattern to create a CAS subsystem?

Re: HTTP authentication with 3.2?

fo1337 — Mon, 13 Jul 2009 18:46:26 GMT

Thanks for your reply. The same instructions work with 3.2 apparently. I got it working by changing web.xml. As you said, I wish there was a HTTP filter in the auth subsystem, but I'm not yet ready to submit that code given my poor skills and lack of time atm.

Anyway, I couldn't get the same thing working in Share though… Somehow applying that filter in Share's web.xml doesn't work and I get a 404 error when trying to load Share (?). Any throughts?

Re: HTTP authentication with 3.2?

dward — Mon, 13 Jul 2009 19:22:09 GMT

I don't think that HTTPRequestAuthenticationFilter will be compatible with share, because it has to run in a full-blown repository Spring container. There is currently only one share-enabled SSO filter, which is the special Share NTLM variant. As share is a client to the alfresco app, we would need a filter that proxies through alfresco.

Re: HTTP authentication with 3.2?

fo1337 — Mon, 13 Jul 2009 19:29:58 GMT

Mmh OK. This is unfortunate! I wish this could be added in 3.3, as I think a lot of companies are using CAS and would like to replace Sharepoint with Alfresco Share. OK, I only know of mine but it's a big one Thank you.

Re: HTTP authentication with 3.2?

mikef — Tue, 14 Jul 2009 08:18:59 GMT

Here's some information/code on adding support for CAS with Share:

In French: http://blog.atolcd.com/?p=115
English translation: http://translate.google.com/translate?u=http://blog.atolcd.com/%3Fp%3D115&sl=fr&tl=en

FYI. I haven't tried it myself.

Re: HTTP authentication with 3.2?

warren_mcdonald — Sat, 18 Jul 2009 23:00:44 GMT

Here's some information/code on adding support for CAS with Share:

In French: http://blog.atolcd.com/?p=115
English translation: http://translate.google.com/translate?u=http://blog.atolcd.com/%3Fp%3D115&sl=fr&tl=en

FYI. I haven't tried it myself.

I have used the atolcd code and method successfully with Share and Web client, although it is cumbersome and requires a lot of work when upgrading. I am not looking forward to the 3.2 upgrade which I have planned for the next few weeks. The atolcd code needs extending to support external configuration as at present it requires hard coded pointers, so I have several different versions of the compiled classes on hand for dev, test and live instances. I also could not get it configured using the web extension class path so I now have quite a few custom files to reapply after upgrade, not just web.xml.

I am not a java developer and this was just within my scope to hack into my installations.

I echo the request to have an Alfresco standard, more easily supported way of enabling alternative SSO (other than NTLM) for Share. Given the emphasis on Share for this release, I am surprised this has not been prioritised in some way.

We have a 16000 member database all CAS SSO enabled across our web presence and we are considering moving from Alfresco Community to Enterprise next calendar year so this will definitely require a supported Share CAS SSO implementation.