can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

sanzoghenzo — Wed, 18 Mar 2020 16:45:22 GMT

I'm trying to make my custom application (an excel addin written with Office JS api and react) connect to our alfresco deployment.

If I try to login using the app, via alfresco js api, i get a 403 response with the following body:

{
  "error": {
    "errorKey": "Login failed",
    "statusCode": 403,
    "briefSummary": "02180006 Login failed",
    "stackTrace": "Per motivi di sicurezza l'analisi dello stack non viene più visualizzata, ma viene mantenuta la proprietà per le versioni precedenti",
    "descriptionURL": "https://api-explorer.alfresco.com"
  }
}

Here the request header:

Spoiler

Accept: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-GB, en; q=0.8, it-IT; q=0.5, it; q=0.3
Authorization: Basic aXM0V2FpMWV4aWUwOmFuZHJlYS5naGVuc2k=
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 52
Content-Type: application/json
Host: dms.sws-digital.com
Origin: https://localhost:3000
Referer: https://localhost:3000/taskpane.html?_host_Info=Excel$Win32$16.01$it-IT$$$$0
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

Accept: application/json Accept-Encoding: gzip, deflate Accept-Language: en-GB, en; q=0.8, it-IT; q=0.5, it; q=0.3 Authorization: Basic aXM0V2FpMWV4aWUwOmFuZHJlYS5naGVuc2k= Cache-Control: no-cache Connection: Keep-Alive Content-Length: 52 Content-Type: application/json Host: dms.sws-digital.com Origin: https://localhost:3000 Referer: https://localhost:3000/taskpane.html?_host_Info=Excel$Win32$16.01$it-IT$$$$0 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

(localhost:3000 is the domain of the excel addin, I'm running it on my pc and sideloading it in excel desktop app)

And here the response headers:

Spoiler

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost:3000
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Mar 2020 16:19:47 GMT
Server: nginx/1.13.8
Transfer-Encoding: chunked
Vary: Origin

Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://localhost:3000 Connection: keep-alive Content-Type: application/json; charset=UTF-8 Date: Wed, 18 Mar 2020 16:19:47 GMT Server: nginx/1.13.8 Transfer-Encoding: chunked Vary: Origin

I got the same result with the API explorer with the POST tickets endpoint.

If I use postman to test the same endpoint, everything is ok.

I already solved (or so I think) the CORS issues by allowing * origin in CORS filters of web.xml

Spoiler

web.xml CORS portion

    <filter>
      <filter-name>CORS</filter-name>
      <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      <init-param>
         <param-name>cors.allowGenericHttpRequests</param-name>
      <init-param>
         <param-name>cors.allowGenericHttpRequests</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.allowOrigin</param-name>
         <param-value>*</param-value>
         <!--param-value>http://localhost:8081,https://localhost:3000,https://dms.sws-digital.com</param-value-->
      </init-param>
      <init-param>
         <param-name>cors.allowSubdomains</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedMethods</param-name>
         <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedHeaders</param-name>
         <param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type</param-valu$      </init-param>
      <init-param>
         <param-name>cors.supportsCredentials</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.maxAge</param-name>
         <param-value>3600</param-value>
      </init-param>
   </filter>
[...]
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/api/*</url-pattern>
    <url-pattern>/service/*</url-pattern>
    <url-pattern>/s/*</url-pattern>
    <url-pattern>/cmisbrowser/*</url-pattern>
</filter-mapping>

web.xml CORS portion <filter> <filter-name>CORS</filter-name> <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class> <init-param> <param-name>cors.allowGenericHttpRequests</param-name> <init-param> <param-name>cors.allowGenericHttpRequests</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>cors.allowOrigin</param-name> <param-value>*</param-value>  </init-param> <init-param> <param-name>cors.allowSubdomains</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>cors.supportedMethods</param-name> <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value> </init-param> <init-param> <param-name>cors.supportedHeaders</param-name> <param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type</param-valu$ </init-param> <init-param> <param-name>cors.supportsCredentials</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>cors.maxAge</param-name> <param-value>3600</param-value> </init-param> </filter>[...]<filter-mapping> <filter-name>CORS</filter-name> <url-pattern>/api/*</url-pattern> <url-pattern>/service/*</url-pattern> <url-pattern>/s/*</url-pattern> <url-pattern>/cmisbrowser/*</url-pattern></filter-mapping>

My alfresco dockers are behind an ngnix https proxy, that is configured like this:

Spoiler

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    rewrite ^ https://$host$request_uri? permanent;
}
[...]
server {
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl_certificate         /etc/ssl/certs/sws-digital.com.crt;
        ssl_certificate_key     /etc/ssl/private/sws-digital.com.key;
        ssl_protocols           TLSv1.2;

        root                    /var/www/html;

        server_name             dms.sws-digital.com;

        rewrite                 ^/$     /share;

        location /share {
                proxy_pass              http://share:8080;
                #proxy_redirect         off;

                proxy_pass_header       Set-Cookie;

                proxy_set_header        Origin                  "";
                proxy_set_header        Proxy                   "";
                proxy_set_header        X-Forwarded-Server      $host;
                proxy_set_header        X-Forwarded-Host        $http_host;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
                proxy_set_header        X-Frowarded-Proto       $scheme;
                proxy_set_header        Referer                 "";

                # Allow large file upload
                client_max_body_size    0;

        }

        location /alfresco {
                proxy_pass              http://alfresco:8080;
                #proxy_redirect         off;

                proxy_pass_header       Set-Cookie;
                proxy_set_header        Proxy                   "";
                proxy_set_header        Host                    $http_host;
                proxy_set_header        X-Forwarded-Host        $http_host;
                proxy_set_header        X-Forwarded-Server      $host;
                proxy_set_header        X-Real-IP               $remote_addr;
                proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
                #proxy_set_header       X-Frowarded-Proto       $scheme;
                proxy_set_header        Referer                 "";

                # large files upload
                client_max_body_size    0;
        }
}

server { listen 80 default_server; listen [::]:80 default_server; server_name _; rewrite ^ https://$host$request_uri? permanent;}[...]server { listen 443 ssl; listen [::]:443 ssl; ssl_certificate /etc/ssl/certs/sws-digital.com.crt; ssl_certificate_key /etc/ssl/private/sws-digital.com.key; ssl_protocols TLSv1.2; root /var/www/html; server_name dms.sws-digital.com; rewrite ^/$ /share; location /share { proxy_pass http://share:8080; #proxy_redirect off; proxy_pass_header Set-Cookie; proxy_set_header Origin ""; proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Frowarded-Proto $scheme; proxy_set_header Referer ""; # Allow large file upload client_max_body_size 0; } location /alfresco { proxy_pass http://alfresco:8080; #proxy_redirect off; proxy_pass_header Set-Cookie; proxy_set_header Proxy ""; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Frowarded-Proto $scheme; proxy_set_header Referer ""; # large files upload client_max_body_size 0; } }

I tried to add the following to the shared/classes/alfresco-global.properties:

Spoiler

alfresco.context=alfresco
alfresco.host=dms.sws-digital.com
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=dms.sws-digital.com
share.port=443
share.protocol=https
opencmis.context.override=false
opencmis.context.value=
opencmis.servletpath.override=false
opencmis.servletpath.value=
opencmis.server.override=true
opencmis.server.value=https://dms.sws-digital.com
aos.baseUrlOverwrite=https://dms.sws-digital.com/alfresco/aos

alfresco.context=alfresco alfresco.host=dms.sws-digital.com alfresco.port=443 alfresco.protocol=https share.context=share share.host=dms.sws-digital.com share.port=443 share.protocol=https opencmis.context.override=false opencmis.context.value= opencmis.servletpath.override=false opencmis.servletpath.value= opencmis.server.override=true opencmis.server.value=https://dms.sws-digital.com aos.baseUrlOverwrite=https://dms.sws-digital.com/alfresco/aos

but nothing changed.

I'm banging my head on this for three days now, and I'm officially lost.

Alfresco dockers are based on acs-deployment from January 2019 modified to use ACS community 6.1.2-ga with a custom content model and the configuration shown above.

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

narkuss — Thu, 19 Mar 2020 06:28:56 GMT

You should look at the Alfresco logs. It will probably give you a clue about what is the problem.

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

sanzoghenzo — Thu, 19 Mar 2020 09:05:23 GMT

Oh boy, what a shame... there was a bug in my javascript, I swapped the username and password parameters in the login call!

I overlooked the body check, and thanks to your help I enabled the logs:

At first I enabled the debug level of log4j.logger.org.alfresco.rest and it pointed to this line
then, browsing the source code, I figured out that i had to enable the debug level of log4j.logger.org.alfresco.repo.security.authentication, and with this I saw that the user that I tried to log in with was actually the password.

Is there somewhere a list of the logger used by alfresco with a description? I had to spend quite some time in the source code to figure out what logger to enable/set to debug level...

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

EddieMay — Thu, 19 Mar 2020 09:13:59 GMT

Hi @sanzoghenzo,

Glad to hear you got it sorted and thanks for reporting how you fixed it - really helpful to other users in a similar situation.

Best wishes,

topic Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer in Alfresco Forum

can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer