topic Re: Share + Alfresco with SSO in Alfresco Archive

Share + Alfresco with SSO

mboorshtein — Tue, 17 May 2011 15:18:27 GMT

All,I'm integrating Alfresco and Share with an SSO system that uses a reverse proxy and a filter that creates a header with the user's id and creates the UserPrincipal object with the user's Id. This works great for Alfresco, however Share isn't working. When I access share a few things happen:1.

Re: Share + Alfresco with SSO

bbougon — Tue, 24 May 2011 15:41:34 GMT

Hello,

up

I do have the same kind of problems.

While trying to login to Share via SSO (Shibboleth uses SAML) I have theses Exceptions thrown :

org.springframework.extensions.surf.exception.UserFactoryException: Unable to retrieve user from repository
   org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:188)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:176)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)
   org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:203)
   org.springframework.extensions.surf.RequestContextUtil.populateRequestContext(RequestContextUtil.java:176)
   org.springframework.extensions.surf.RequestContextUtil.populateRequestContext(RequestContextUtil.java:131)
   org.springframework.extensions.surf.mvc.AbstractWebFrameworkView.populateRequestContext(AbstractWebFrameworkView.java:349)
   org.springframework.extensions.surf.mvc.AbstractWebFrameworkView.renderMergedOutputModel(AbstractWebFrameworkView.java:259)
   org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1060)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)
   fr.cvf.web.site.servlet.CVFSSOAuthenticationFilter.doFilter(CVFSSOAuthenticationFilter.java:343)
cause mère

org.json.JSONException: A JSONObject text must begin with '{' at character 8
   org.json.JSONTokener.syntaxError(JSONTokener.java:413)
   org.json.JSONObject.<init>(JSONObject.java:180)
   org.json.JSONObject.<init>(JSONObject.java:420)
   org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:182)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:176)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)
   org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:203)
   org.springframework.extensions.surf.RequestContextUtil.populateRequestContext(RequestContextUtil.java:176)
   org.springframework.extensions.surf.RequestContextUtil.populateRequestContext(RequestContextUtil.java:131)
   org.springframework.extensions.surf.mvc.AbstractWebFrameworkView.populateRequestContext(AbstractWebFrameworkView.java:349)
   org.springframework.extensions.surf.mvc.AbstractWebFrameworkView.renderMergedOutputModel(AbstractWebFrameworkView.java:259)
   org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1060)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)
   fr.cvf.web.site.servlet.CVFSSOAuthenticationFilter.doFilter(CVFSSOAuthenticationFilter.java:343)
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Everything works perfectly on Explorer but not on Share and while I am debugging, it seems everything work fine for the Authentication part (see the bold part near the end) :

private void challengeOrPassThrough(FilterChain chain, HttpServletRequest req, HttpServletResponse res, HttpSession session) throws IOException, ServletException
    {
        try
        {
            // In this mode we can only use vaulted credentials. Do not proxy any request headers.
            Connector conn = connectorService.getConnector(this.endpoint, AuthenticationUtil.getUserId(req), session);
            ConnectorContext ctx = new ConnectorContext();
            Response remoteRes = conn.call("/touch", ctx);
            if (Status.STATUS_UNAUTHORIZED == remoteRes.getStatus().getCode())
            {
                if (logger.isDebugEnabled())
                {
                    logger.debug("Repository session timed out - restarting auth process…");
                }

                String authHdr = remoteRes.getStatus().getHeaders().get(HEADER_WWWAUTHENTICATE);
                if (authHdr != null)
                {
                    // restart SSO login as the repo has timed us out
                    restartAuthProcess(session, req, res, authHdr);
                }
                else
                {
                    // restart manual login
                    session.invalidate();
                    redirectToLoginPage(req, res);
                }
                return;
            }
            else
            {
                // we have local auth in the session and the repo session is also valid
                // this means we do not need to perform any further auth handshake
                if (logger.isDebugEnabled())
                {
                    logger.debug("Authentication not required, chaining …");
                }

               chain.doFilter(req, res); => my breakpoint stops here and then it's impossible to know what's comming next
                return;
            }
        }
        catch (ConnectorServiceException cse)
        {
            throw new PlatformRuntimeException("Incorrectly configured endpoint ID: " + this.endpoint);
        }
    }

Info : this code is part of the CVFSSOAuthenticationFilter class that is an exact copy of SSOAuthenticationFilter class used by default in Share.
It shows that the user coming from our SSO seems to be authenticated as "Authentication not required" message inside the method says.

Thank you by advance for your help

Re: Share + Alfresco with SSO

bbougon — Wed, 25 May 2011 14:21:47 GMT

Finnaly I have a solution (for an Alfresco Share / SSO authentication with Shibboleth).

First you have to set this two variables in your external-authentication.properties :


external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.proxyUserName
‍‍‍‍

Then you have to configure your shibboleth (shibboleth2.xml) as followed :


<Host name="HOSTNAME" authType="shibboleth" applicationId="APPLICATION_ID" requireSession="true" >
   <Path name="wcs" requireSession="false" />
</Host>
‍‍‍‍‍

The path means your shibboleth authentication won't be call when pointing to the folder wcs (ie HOSTNAME/wcs).

A brief explanation of the problem :
While we were trying to connect to Share via Shibboleth we noticed that during all the authentication process (after calling the wcs/webframework/content/metadata?user=MY_NAME) a redirection was done to shibboleth (That's the reason why we had this Json exception thrown : org.json.JSONException: A JSONObject text must begin with '{' at character 8…) and the result returned was like <html><body>… Some messages… => not the Json data awaited by Share!!!.
Actually it is the default shibboleth processing (that's why we say we do not want any Shibboleth process pointing in wcs directory).

hope this will help

Re: Share + Alfresco with SSO

loftux — Wed, 25 May 2011 15:41:13 GMT

Been watching your case in jira https://issues.alfresco.com/jira/browse/ALF-8758, and I just cant see how this works in Share.
To test this, I have in alfresco-global.properties

external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm‍‍‍‍‍

Then I use Firefox with Modify-Headers plugin, setting X-Alfresco-Remote-User to admin.
Browsing http://localhost:8080/alfresco I get logged in as admin
Browsing http://localhost:8080/share -Not automatically logged in, redirected to forms login.
Also tried setting the share-custom-config.xml and the alfresco endpoint <external-auth>true</external-auth>, neither true or false makes you SSO:ed in Share.

What am I missing? The case was closed, so apparently it works, but I cannot see how. The wiki article http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#External talks about the need of setting the REMOTE_USER cgi variable, but do not understand how.

For Share external SSO to work, doesn't it need to be able to pick up the user id from a Header variable and pass it on?

Re: Share + Alfresco with SSO

cling09 — Tue, 15 May 2012 01:17:00 GMT

Been watching your case in jira https://issues.alfresco.com/jira/browse/ALF-8758, and I just cant see how this works in Share.
Browsing http://localhost:8080/alfresco I get logged in as admin
Browsing http://localhost:8080/share -Not automatically logged in, redirected to forms login.
What am I missing?

hello all,
i have the same problem,

http://localhost:8080/alfresco can easy login,
but http://localhost:8080/share web site is down,

i am using alfresco SSO with cookie
http://stackoverflow.com/questions/7517122/alfresco-sso-with-cookie

anyone can help?

Re: Share + Alfresco with SSO

afaust — Tue, 15 May 2012 07:04:27 GMT

Hello,

header based external authentication does not work in Share since headers are not copied into the request to /wcs/touch by the SSOAuthenticationFilter (at least as far as 3.4.4 and 4.0.0 code that I know of is concerned). There is another topic (dealing with SiteMinder in particular) that addresses the need for a specific SSO filter which transfers the headers to the Repository in order to achieve working external authentication.

The comment above is meant "in general" with regards to external authentication - I have not yet tackled a Shibboleth authentication integration.

Regards
Axel