https://connect.hyland.com/t5/alfresco-forum/difference-between-platform-endpoints/m-p/3209#M1089 <HTML><HEAD></HEAD><BODY><P>I haven't found any documentation about this so I thought I'd ask a question.</P><P></P><P>(I have all this working, I'm just trying to understand it all a bit better)</P><P></P><P>My aim is to have SSO set up and configured - share is relatively straightforward but I'm trying to understand the detail behind the platform/repo endpoints as the documentation doesn't really cover this.</P><P></P><P>I think the only URL I need to expose is:&nbsp;/alfresco/s/admin/admin-communitysummary (or /alfresco/s/enterprise/admin)</P><P></P><P>The information for configuring a proxy&nbsp;<A class="link-titled" href="http://docs.alfresco.com/5.1/tasks/configure-ssl-prod.html" title="http://docs.alfresco.com/5.1/tasks/configure-ssl-prod.html" rel="nofollow noopener noreferrer">Configuring SSL for a production environment | Alfresco Documentation</A>&nbsp;is pretty good here but I think the /alfresco mount point exposes rather more than is necessary these days</P><P>I think /alfresco would be better as:</P><P>JkMount /alfresco/s/admin alfresco-worker<BR /> JkMount /alfresco/s/admin/* alfresco-worker<BR />JkMount /alfresco/admin/css/* alfresco-worker</P><P></P><P>(For enterprise add /service/enterprise/admin/* and /s/enterprise/admin/* ?)</P><P></P><P>(And if you're using the nice new ootb support tools extension</P><P>JkMount /alfresco/s/ootbee/* alfresco-worker<BR /> JkMount /alfresco/ootbee-support-tools/* alfresco-worker</P><P>)</P><P></P><P>The implication here is that these, or at least /alfresco/.../admin, are the endpoints that need to be covered by SSO at the alfresco level (have I missed anything?) + the ones for public API access if you want those</P><P></P><P>The authentication mappings in alfresco/WEB-INF/web.xml seem to have changed a fair bit recently</P><P>(a clue! - there is a CSRF token filter on&nbsp;/service/enterprise/admin/* and&nbsp;/s/enterprise/admin/*)</P><P>There appear to be authentication filters around /wcs and /wcservice, as well as /api, /webdav and /cmisatom</P><P></P><P>The documentation on configuration the SSO endpoint (incidentally the examples don't even all have the same number of endpoints listed...)&nbsp;<A class="link-titled" href="http://docs.alfresco.com/community/tasks/auth-alfrescoexternal-sso.html" title="http://docs.alfresco.com/community/tasks/auth-alfrescoexternal-sso.html" rel="nofollow noopener noreferrer">Configuring Alfresco Share to use an external SSO | Alfresco Documentation</A>&nbsp;(code doesn't match text...), <A class="link-titled" href="http://docs.alfresco.com/5.2/tasks/share-change-port.html" title="http://docs.alfresco.com/5.2/tasks/share-change-port.html" rel="nofollow noopener noreferrer">Configuring the Share default port | Alfresco Documentation</A>&nbsp;&nbsp;and&nbsp;<A class="link-titled" href="http://docs.alfresco.com/community5.1/tasks/share-change-port.html" title="http://docs.alfresco.com/community5.1/tasks/share-change-port.html" rel="nofollow noopener noreferrer">Configuring the Share default port | Alfresco Documentation</A>&nbsp;has for a long time said to use the wcs endpoint in share-custom-config.xml when external auth is being used, however now I believe that the s endpoint is recommended (although it's not entirely clear) e.g.&nbsp;<A class="link-titled" href="https://issues.alfresco.com/jira/browse/ACE-5661" title="https://issues.alfresco.com/jira/browse/ACE-5661" rel="nofollow noopener noreferrer">[ACE-5661] External authentication Problem with CAS - Alfresco JIRA</A>&nbsp;(and other issues) see the comment from&nbsp;<B>Kevin Roast</B>.&nbsp;</P><P>So this is a rather long winded way of asking what is the purpose of the /wcs endpoint and how does it differ from the /s endpoint? (obviously there are authentication filters in front of /wcs)</P></BODY></HTML> Fri, 13 Jan 2017 10:44:14 GMT idwright 2017-01-13T10:44:14Z https://connect.hyland.com/t5/alfresco-forum/difference-between-platform-endpoints/m-p/3209#M1089 I haven't found any documentation about this so I thought I'd ask a question.(I have all this working, I'm just trying to understand it all a bit better)My aim is to have SSO set up and configured - share is relatively straightforward but I'm trying to understand the detail behind the platform/repo Fri, 13 Jan 2017 10:44:14 GMT https://connect.hyland.com/t5/alfresco-forum/difference-between-platform-endpoints/m-p/3209#M1089 idwright 2017-01-13T10:44:14Z https://connect.hyland.com/t5/alfresco-forum/difference-between-platform-endpoints/m-p/3210#M1090 <HTML><HEAD></HEAD><BODY><P>Hi Ian:</P><P></P><P>I have the same question.&nbsp;First, I&nbsp;agree that Share SSO is quite straightfoward, configuring external auth subsystem and enabling the Remote configuration in Share. For old Alfresco Explorer, we needed to add&nbsp;additional cas client library in /alfresco/WEB-INF/lib and to change web.xml as you commented, which is not necessary for Alfresco 5, except in Admin Console (and maybe for&nbsp;/alfresco/webdav).</P><P>On the other hand, I can only say that I have seen&nbsp;the WCS&nbsp;endpoint, when activating&nbsp;Remote config in Alfresco Share configured for an external or NTLM based SSO. I understood&nbsp;that Alfresco Share needed /wcs endpoint to pass NTML challenge for&nbsp;Alfresco Repository Services (in case of AlfrescoNtlm with SSO). I would expect in this case, that once enabled /wcs you can go directly to admin console via /alfresco/wcs instead of /alfresco/s. Maybe it is not the case with an external web SSO like CAS.</P><P></P><P>Regards.</P><P></P><P>--C.</P></BODY></HTML> Fri, 13 Jan 2017 14:35:34 GMT https://connect.hyland.com/t5/alfresco-forum/difference-between-platform-endpoints/m-p/3210#M1090 cesarista 2017-01-13T14:35:34Z https://connect.hyland.com/t5/alfresco-forum/difference-between-platform-endpoints/m-p/3211#M1091 <HTML><HEAD></HEAD><BODY><P>The /wcs endpoint is essentially the same as the /s endpoint, but only with a different HTTP authentication factory being used during the dispatch to the web script layer. The /s endpoint (actually, the /service endpoint - /s is just an alias) uses a simple authentication factory that only supports HTTP BASIC. /wcs (or to be more precise /wcservice) uses an authentication factory that ties in with the Repository-tier SSO handling and thus is required to be used by Share when enabling SSO there.</P></BODY></HTML> Fri, 13 Jan 2017 16:10:28 GMT https://connect.hyland.com/t5/alfresco-forum/difference-between-platform-endpoints/m-p/3211#M1091 afaust 2017-01-13T16:10:28Z