topic Re: Is External authentication subsystem safe? How does it work? in Alfresco Archive

Is External authentication subsystem safe? How does it work?

iblanco — Tue, 16 Nov 2010 19:18:10 GMT

It migth sound like a stupid question but I'm using it for CAS (through apache's mod_auth_cas) authentication and there are some points I don't understand.I do understand that Apache's httpd server negotiates the session with CAS after checking it's certificate, so I do understand that Apache can ge

Re: Is External authentication subsystem safe? How does it work?

mrogers — Wed, 17 Nov 2010 20:41:20 GMT

Yes you will need to set up firewalls to prevent "rogue" access to your instance of Alfresco.

The external authentication subsystem makes alfresco accept an external authentication token so you need to make sure that its not possible to abuse or subvert that trust.

Re: Is External authentication subsystem safe? How does it work?

iblanco — Thu, 18 Nov 2010 08:45:21 GMT

Thank you mrogers:

That's a clear answer, thank you very much.
I'll take some time to update the wiki I think this must be made very very clear in the wiki.
What about protecting with CAS only "/faces/jsp/login.jsp", would it be enough ?

Thanks.

Re: Is External authentication subsystem safe? How does it work?

iblanco — Fri, 03 Dec 2010 13:57:26 GMT

Finally I changed the Location Apache directive and instead used LocationMatch:

<LocationMatch ^/alfresco/(?!service/|service$|webdav/|webdav$|s/|s$).*>
 …your config here
</LocationMatch>‍‍‍

That should protect whole /alfresco/ urls except service, s and webdav. Probably I miss some other exceptions but adding them would be trivial and forgetting one just means that yo overprotect something, not that you miss something.

Re: Is External authentication subsystem safe? How does it work?

goldmar — Sun, 19 Jun 2011 12:32:58 GMT

The Wiki says:

The direct strategy is easier to set up and have one network hop less than the indirectstrategy (and that hop involves encryption using certs). It should in theory thus be a bit faster than the indirect strategy. However, to use the direct strategy you need to make sure that yoru alfresco server is well locked down, i.e. that no direct connection to port 8080 are possible. In other words, you have to enforce that all connections have to go through apache. This can be achieved easily with a firewall rule (like iptables on Linux). If the setup is not well locked, then a malicious user could log as any user just forging the auth header with the user he wants to log in as.

At least for me, limiting port 8080 to localhost was not enough. When I accessed alfresco via Apache with AJP, Apache still passed the X-Alfresco-Remote-User header to Alfresco and thus made it possible for any user to authenticate as admin.

Therefore, I've now added the following setting in Apache:

<LocationMatch ^/alfresco/(?!service/|service$|webdav/|webdav$|s/|s$).*>
  […]
  RequestHeader unset X-Alfresco-Remote-User
  […]
</LocationMatch>
‍‍‍‍‍‍

This should be safe. I think the Wiki should be adjusted to account for this issue. Or did I miss something and there is an easier way to lock down Alfresco?

Re: Is External authentication subsystem safe? How does it work?

iblanco — Tue, 21 Jun 2011 07:12:30 GMT

goldmar, I didn't have to deal with Share when I made this configuration, but what you comment sound reasonable to me.
I propose you to update the wiki yourself.

Re: Is External authentication subsystem safe? How does it work?

goldmar — Tue, 21 Jun 2011 11:14:27 GMT

I'm a bit confused right now… if you don't use Share, then you don't need to do all the steps written in the Wiki. You only need to protect /alfresco with mod_auth_cas and that's it. You don't need to deal with certificates and you don't have to (or even should not!) make Alfresco Explorer accept the X-Alfresco-Remote-User header because the authentification in Explorer works via the HttpServletRequest.getRemoteUser() method (which is not related to the header modification). You only need to accept the header in Explorer if you want to use proxy authentification (e.g. if you use Share, then Share is the proxy because you authenticate to Share and Share forwards the authentication to Explorer).

Re: Is External authentication subsystem safe? How does it work?

iblanco — Tue, 21 Jun 2011 12:04:26 GMT

That's it I only protect Apache with mod_auth_cas, but you have to make sure that Tomcat or AJP is not exposed directly for example through 8080 port. If I expose AJP port or tomcat's 8080 port publicly someone else could "chain" their apache with their mod_auth_cas configuration to MY alfresco, isn't it?

Re: Is External authentication subsystem safe? How does it work?

goldmar — Tue, 21 Jun 2011 13:02:48 GMT

Yeah, you're right - I did not think about it. I've probably been too focused on the header issue :wink: