State of CAS and Share in 3.4b?

piercehanley — Mon, 29 Nov 2010 21:46:15 GMT

Has anyone tried integrating Alfresco Share with CAS in 3.4b? I find a lot of conflicting and outdated info when I'm searching about how to set it up correctly.Specifically, I'm wondering what, if anything, is still necessary to do the X509 setup. this thread has a bunch of people (quite recently)

Re: State of CAS and Share in 3.4b?

piercehanley — Thu, 02 Dec 2010 19:18:55 GMT

Okay, so the Explorer application works fine with CAS at the moment. I've been trying to piece together what exactly I'm supposed to do to get the Share application working as well, from the various forum posts and JIRA comments out there. My current share-config-custom.xml is:

<alfresco-config>
   
   <!– Repository Library config section –>
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <!–
         Whether the link to the Repository Library appears in the header component or not.
      –>
      <visible>true</visible>
   </config>
   
      <config evaluator="string-compare" condition="Remote">
        <remote>
            <!– SSL client certificate + trusted CAs. Optionally used to authenticate share to an external SSO system such as CAS –>
            <keystore>
                <path>alfresco/web-extension/alfresco-system.p12</path>
                <type>pkcs12</type>
                <password>alfresco-system</password>
            </keystore>
         
            <connector>
                <id>alfrescoCookie</id>
                <name>Alfresco Connector</name>
                <description>Connects to an Alfresco instance using cookie-based authentication</description>
                <class>org.alfresco.connector.AlfrescoConnector</class>
            </connector>

            <endpoint>
                <id>alfresco</id>
                <name>Alfresco - user access</name>
                <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                <connector-id>alfrescoCookie</connector-id>
                <endpoint-url>http://tomcathost:8080/alfresco/wcs</endpoint-url>
                <identity>user</identity>
                <external-auth>true</external-auth>
            </endpoint>
            
        </remote>
    </config>

</alfresco-config>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

…and my Share web.xml comments out the Share SSO Authentication filter and its mappings, per this JIRA comment

When I try to access Share with no CAS cookies, mod_auth_cas redirects me to the login form appropriately. But when I log in, I get the following exception page:

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.extensions.surf.exception.PlatformRuntimeException: 11020001 Failed to init Request Context: Unable to fault user as safeguard during init request context
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:659)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

root cause

org.springframework.extensions.surf.exception.PlatformRuntimeException: 11020001 Failed to init Request Context: Unable to fault user as safeguard during init request context
   org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:61)
   org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:97)
   org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

root cause

org.springframework.extensions.surf.exception.RequestContextException: Unable to fault user as safeguard during init request context
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:110)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:53)
   org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:57)
   org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:97)
   org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

root cause

org.springframework.extensions.surf.exception.UserFactoryException: Unable to retrieve user from repository
   org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:179)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:176)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)
   org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:202)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:106)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:53)
   org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:57)
   org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:97)
   org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

root cause

org.springframework.extensions.surf.exception.UserFactoryException: Unable to create user - failed to retrieve user metadata: 
   org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:168)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:176)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)
   org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:202)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:106)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:53)
   org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:57)
   org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:97)
   org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Does anyone have any idea whether what I'm trying to do is even possible in the current version of Alfresco? Is mod_auth_cas broken? Has anyone tried the alternative solution described here with success in 3.4?

I'd really appreciate any feedback or advice; if what I'm trying to do isn't possible then I'd like to know sooner rather than later. Thanks!

Re: State of CAS and Share in 3.4b?

garyhodgson — Sun, 05 Dec 2010 19:11:01 GMT

Hi there,

I too have arrived at this point (Explorer with CAS works fine, but the X509 integration with Share seems not to work) and would also like to hear if anyone has more information about whether CAS integration is broken with 3.4b, or is there a step that we're missing?

Cheers,
Gary

Re: State of CAS and Share in 3.4b?

piercehanley — Mon, 06 Dec 2010 21:04:26 GMT

So I see that as of today, ALF-3941 has been fixed and seems to be related to at least some of the CAS integration issues (David Ward notes this on ALF-2788 as well).

I'm almost afraid to ask, is this going to make it into a stable community release sometime soon? Is it an easy change that can be patched into 3.4b, or alternatively is there a working workaround for the 3.4 versions that have this bug? What can I do to follow this issue and its fix now that the JIRA bugs are closed?

Re: State of CAS and Share in 3.4b?

piercehanley — Mon, 03 Jan 2011 20:38:03 GMT

Okay, the saga continues.

I did get CAS integrated with Alfresco Share after some updates to the Wiki page (see the bottom sections "Fedoras Core 14 install notes" and "Share wiring strategies").

Now that it's implemented and deployed, we find out that there were some documents linked from a separate website, which still need to be publicly available (i.e. to an unauthenticated user, via the "http://myhost/alfresco/d/…" addressing system). Unfortunately, mod_auth_cas now sits in front of Alfresco and has no way of knowing if a URL requires an authenticated user or not, so it just directs all users to the CAS login page.

Does anyone have any idea how I can re-enable "Guest" access to Alfresco while also allowing the use of mod_auth_cas?

I was thinking something funky with mod_rewrite, such as the following. However, I don't have any previous experience with mod_rewrite and may be doing it wrong:

   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteLog c:/temp/rewrite.log
      RewriteLogLevel 9
      RewriteCond %{LA-U:REMOTE_USER} ^$
      RewriteRule ^/alfresco/?.*$ - [env=REMOTE_USER:Guest]
   </IfModule>

   <Location /alfresco>
      AuthType CAS
      AuthName "CAS"
#      require valid-user
      CASScope /alfresco
   
      ProxyPass balancer://balancer-alfresco/alfresco
      ProxyPassReverse balancer://balancer-alfresco/alfresco
   </Location>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

What I want this to do is this:
1. When a URL is requested, look ahead to see what their username would be (%{LA-U:REMOTE_USER}). This checks to see if they already authenticate successfully with mod_auth_cas.
2. If the user is empty (^$), rewrite the environment variable REMOTE_USER to be "Guest".
3. Forward the modified request to /alfresco, skipping mod_auth_cas's redirect because a REMOTE_USER has already been set

This seems to almost work, except for step 3… nothing in my configuration seems to indicate that it should skip the mod_auth_cas check and go directly to /alfresco, and I don't know how to short-circuit that behavior.

I'm a bit stuck as to how to proceed here. This is just the idea I came up with, but it may not be possible or the best solution. Does anyone have Guest access working with the Alfresco Explorer application, and if so how did you implement it?

Thanks.

topic Re: State of CAS and Share in 3.4b? in Alfresco Archive

State of CAS and Share in 3.4b?

Re: State of CAS and Share in 3.4b?

Re: State of CAS and Share in 3.4b?

Re: State of CAS and Share in 3.4b?

Re: State of CAS and Share in 3.4b?