CASifying share (4.2.x): Header or filter approach?

stefanthomas — Tue, 23 Jul 2013 15:56:17 GMT

Dear all, (we are new to Alfresco and this is my first post ever to the community - forgive me if I have overlooked some obvious resources to search for first)we need to provide SSO with a 3.X CAS server for Alfreso share (4.2.x). The chapter 6.5.3 in the Alfresco wiki on authentication sub-systems

Re: CASifying share (4.2.x): Header or filter approach?

stefanthomas — Tue, 23 Jul 2013 18:01:00 GMT

Dear all,

I have been able to solve the SSO authentication picking pieces from everywhere.
We are running 4.2.c with an old CAS server (Yale).
I guess the solution will also apply to a newer CAS server (Jasig).

After a fresh install of 4.2.c (and stopping the servers) we applied the following changes:

Added CAs filter to share's web.xml:


   <filter>
      <filter-name>CAS Filter</filter-name>
      <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
         <param-value>…your CAS server here…/login</param-value> 
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
         <param-value>…your CAS server here…/serviceValidate</param-value> 
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
         <param-value>localhost:8080</param-value>
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
         <param-value>true</param-value> 
      </init-param>
   </filter>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

and


   <filter-mapping>
      <filter-name>CAS Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
‍‍‍‍‍‍

(all the rest of the web.xml stayed untouched)

We modified \tomcat\shared\classes\alfresco-global.properties and added the following lines on top:


authentication.chain=external1:external

external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=
‍‍‍‍‍‍‍‍

Next, we edited \tomcat\shared\classes\alfresco\web-extension\share-config-custom.xml to this:


<alfresco-config>
   
   <!– Repository Library config section –>
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <!–
         Whether the link to the Repository Library appears in the header component or not.
      –>
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
<!– We commented this because it did not appear in the other docs ..
         <endpoint>
            <id>activiti-admin</id>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user authentication</description>
            <connector-id>activiti-admin-connector</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
            <identity>user</identity>
         </endpoint>
–>              
      </remote>
   </config>
   
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
         
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>
         
          <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

        <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
   

</alfresco-config>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Finally, we dropped the cas client jar into the WEB-INF\lib of share, restarted everything and this was it!

Hope it helps someone … we took days to get it running and desperately went for this forum then. Now, we got it running within less an hour.

Cheers
Stefan

topic CASifying share (4.2.x): Header or filter approach? in Alfresco Archive

CASifying share (4.2.x): Header or filter approach?

Re: CASifying share (4.2.x): Header or filter approach?