Hi Ben
I am glad to hear you like the new subsystems. We are attempting to make it easier to configure the Alfresco server in general and authentication is one of our biggest challenges. By separating out the different authentication stacks into their own coordinated subsystems we now have the possibility of setting up the required SSO filters, file server authenticators and authentication components for each type of authentication via a few property overrides (rather than having to edit web.xml, file-servers.xml and a bunch of custom spring config).
I see from your stack trace that you are using ChainingAuthenticationServiceImpl, i.e. chained authentication. However, I am not sure what the members of your 'chain' are. If you were simply trying to use NTLM+passthru authentication on Alfresco and CIFS, then the pre-configured default authenticationService plus the passthruAuthentication subsystem should work OK without chaining. That subsystem used passthru for both Alfresco sign and CIFS and FTP authentication. As you will note there is no editing of web.xml or file-servers.xml required!
I'm afraid you were actually one step ahead of me with chained authentication. The experimental code on HEAD had all the different authentication stacks separated out into subsystems, but did not easily support chaining of these subsystems.
I have now refactored the code with authentication chaining in mind and hope that it is now flexible enough to cope with any circumstance. I have also introduced a new extension classpath override mechanism to make it easier to configure and customize in the Community edition (in the Enterprise edition it will one day be editable through JMX). I have also reorganized the subsystem folder structure to be two levels deep, so that e.g. the new home for passthruAuthentication is config/alfresco/subsystems/Authentication/passthru.
So using the very latest code on HEAD, you might declare your authentication chain in custom-repository.properties like this
authentication.chain=mypassthru1
assthru
This says that you have one subsystem instance in your chain called "mypassthru1" of type "passthru". The application context for this subsystem will be initialized from the following resources in the classpath
alfresco/subsystems/Authentication/passthru/*-context.xml and
alfresco/extension/subsystems/Authentication/passthru/mypassthru1/*-context.xml
So this means that you can customize the default passthru settings (from alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties and alfresco/subsystems/Authentication/passthru/ntlm-filter-context.properties) in alfresco/extension/subsystems/Authentication/passthru/mypassthru1/custom-passthru-authentication.properties
E.g.
passthru.authentication.servers=MYDOMAIN\\myserver1,MYDOMAIN\\myserver2
passthru.authentication.defaultAdministratorUserNames=Administrator
passthru.authentication.authenticateCIFS=true
ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false
Now suppose you wanted to authenticate Alfresco via LDAP but still wanted CIFS to use passthru (since LDAP can't support CIFS)
You could set up a more complex chain like this:
authentication.chain=ldap1:ldap,mypassthru1assthru
This chain now uses LDAP in preference to passthru. But because LDAP doesn't support SSO or CIFS, these will still pass through directly to mypassthru1, because it has ntlm.authentication.sso.enabled=true and passthru.authentication.authenticateCIFS=true.
But what if you wanted to sign on via the login dialog and ldap1?
Then you would just have to set
ntlm.authentication.sso.enabled=false
for mypassthru1. The chain will then no longer find an SSO-enabled filter and fall back to the default one.
Similarly if you set
passthru.authentication.authenticateCIFS=false
for mypassthru1 then the CIFS server will no longer be available, as there is no enabled CIFS authenticator in the chain.
So in short you can chain any number of authentication subsystems of any type (e.g. multiple LDAP directories). The first subsystem in the chain that supports CIFS (alfrescoNtlm, passthru, kerberos) and has its CIFS support turned on will be used for CIFS. And the first subsystem in the chain that supports SSO (alfrescoNtlm, passthru, kerberos) and has its SSO support turned on will be used for CIFS.
The aim was to avoid the need for any custom spring configuration - only property overrides.
Hope that makes sense! Let us know how you get on.
Dave
I am glad to hear you like the new subsystems. We are attempting to make it easier to configure the Alfresco server in general and authentication is one of our biggest challenges. By separating out the different authentication stacks into their own coordinated subsystems we now have the possibility of setting up the required SSO filters, file server authenticators and authentication components for each type of authentication via a few property overrides (rather than having to edit web.xml, file-servers.xml and a bunch of custom spring config).
I see from your stack trace that you are using ChainingAuthenticationServiceImpl, i.e. chained authentication. However, I am not sure what the members of your 'chain' are. If you were simply trying to use NTLM+passthru authentication on Alfresco and CIFS, then the pre-configured default authenticationService plus the passthruAuthentication subsystem should work OK without chaining. That subsystem used passthru for both Alfresco sign and CIFS and FTP authentication. As you will note there is no editing of web.xml or file-servers.xml required!
I'm afraid you were actually one step ahead of me with chained authentication. The experimental code on HEAD had all the different authentication stacks separated out into subsystems, but did not easily support chaining of these subsystems.
I have now refactored the code with authentication chaining in mind and hope that it is now flexible enough to cope with any circumstance. I have also introduced a new extension classpath override mechanism to make it easier to configure and customize in the Community edition (in the Enterprise edition it will one day be editable through JMX). I have also reorganized the subsystem folder structure to be two levels deep, so that e.g. the new home for passthruAuthentication is config/alfresco/subsystems/Authentication/passthru.
So using the very latest code on HEAD, you might declare your authentication chain in custom-repository.properties like this
authentication.chain=mypassthru1
assthruThis says that you have one subsystem instance in your chain called "mypassthru1" of type "passthru". The application context for this subsystem will be initialized from the following resources in the classpath
alfresco/subsystems/Authentication/passthru/*-context.xml and
alfresco/extension/subsystems/Authentication/passthru/mypassthru1/*-context.xml
So this means that you can customize the default passthru settings (from alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties and alfresco/subsystems/Authentication/passthru/ntlm-filter-context.properties) in alfresco/extension/subsystems/Authentication/passthru/mypassthru1/custom-passthru-authentication.properties
E.g.
passthru.authentication.servers=MYDOMAIN\\myserver1,MYDOMAIN\\myserver2
passthru.authentication.defaultAdministratorUserNames=Administrator
passthru.authentication.authenticateCIFS=true
ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false
Now suppose you wanted to authenticate Alfresco via LDAP but still wanted CIFS to use passthru (since LDAP can't support CIFS)
You could set up a more complex chain like this:
authentication.chain=ldap1:ldap,mypassthru1
assthruThis chain now uses LDAP in preference to passthru. But because LDAP doesn't support SSO or CIFS, these will still pass through directly to mypassthru1, because it has ntlm.authentication.sso.enabled=true and passthru.authentication.authenticateCIFS=true.
But what if you wanted to sign on via the login dialog and ldap1?
Then you would just have to set
ntlm.authentication.sso.enabled=false
for mypassthru1. The chain will then no longer find an SSO-enabled filter and fall back to the default one.
Similarly if you set
passthru.authentication.authenticateCIFS=false
for mypassthru1 then the CIFS server will no longer be available, as there is no enabled CIFS authenticator in the chain.
So in short you can chain any number of authentication subsystems of any type (e.g. multiple LDAP directories). The first subsystem in the chain that supports CIFS (alfrescoNtlm, passthru, kerberos) and has its CIFS support turned on will be used for CIFS. And the first subsystem in the chain that supports SSO (alfrescoNtlm, passthru, kerberos) and has its SSO support turned on will be used for CIFS.
The aim was to avoid the need for any custom spring configuration - only property overrides.
Hope that makes sense! Let us know how you get on.
Dave
So using the very latest code on HEAD, you might declare your authentication chain in custom-repository.properties like this
authentication.chain=mypassthru1
This says that you have one subsystem instance in your chain called "mypassthru1" of type "passthru". The application context for this subsystem will be initialized from the following resources in the classpath
alfresco/subsystems/Authentication/passthru/*-context.xml and
alfresco/extension/subsystems/Authentication/passthru/mypassthru1/*-context.xml
So this means that you can customize the default passthru settings (from alfresco/subsystems/Authentication/passthru/passthru-authentication-context.properties and alfresco/subsystems/Authentication/passthru/ntlm-filter-context.properties) in alfresco/extension/subsystems/Authentication/passthru/mypassthru1/custom-passthru-authentication.properties
I've checked out and built HEAD (R14079) to play around with this myself, and I'm running into a few issues. I wanted to try setting up Kerberos for CIFS, and leave the default alfrescoNtlm for the webapp using your comments here as a guide.
First, added the following to alfresco/extension/custom-repository.properties:
authentication.chain=mykerb1:kerberos,alfrescoNtlm1:alfrescoNtlm
Next, created extension/subsytems/Authentication/kerberos/mykerb1, and made copies of alfresco/subsystems/Authentication/kerberos/kerberos-authentication.properties and alfresco/subsystem/kerberos/kerberos-filter.properties (as custom-kerberos-authentication.properties and custom-kerberos-filter.properties, respectively), and modified according to my environment.
kerberos.authentication.realm=MYDOMAIN.COM
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=knmarch
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=mysecret
kerberos.authentication.authenticateCIFS=true
and
kerberos.authentication.sso.enabled=false
However, it didn't work. I can't remember how I noticed (if there was an exception or something I don't seem to have the logs anymore), but it seemed like it wasn't actually picking up any of the settings I had specified in the property files. I enabled remote debugging, set a few breakpoints, and noticed the following in DefaultChildApplicationContextManager.updateOrder():
this.childApplicationContexts.put(id, new ChildApplicationContextFactory(this.parent,
getRegistry(), getCategory(), typeName, "managed$" + id));
So, I renamed alfresco/extension/subsystems/Authentication/kerberos/mykerb1 to alfresco/extension/subsystems/Authentication/kerberos/managed$mykerb1, and tried again. This time, I got:
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.afterPropertiesSet(BaseKerberosAuthenticationFilter.java:174)
at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.afterPropertiesSet(KerberosAuthenticationFilter.java:88)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1203)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1172)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:427)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:249)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:155)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:246)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:291)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.start(ChildApplicationContextFactory.java:327)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.getApplicationContext(ChildApplicationContextFactory.java:351)
at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager.getApplicationContext(DefaultChildApplicationContextManager.java:256)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:102)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy182.isActive(Unknown Source)
at org.alfresco.filesys.config.ServerConfigurationBean.processCIFSServerConfig(ServerConfigurationBean.java:178)
at org.alfresco.filesys.AbstractServerConfigurationBean.init(AbstractServerConfigurationBean.java:486)
at org.alfresco.filesys.AbstractServerConfigurationBean.onApplicationEvent(AbstractServerConfigurationBean.java:840)
at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:617)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.start(ChildApplicationContextFactory.java:327)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.getApplicationContext(ChildApplicationContextFactory.java:351)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.onApplicationEvent(ChildApplicationContextFactory.java:366)
at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:617)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:246)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:189)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:69)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:627)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:553)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:488)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
… 75 more
07:47:58,242 User:System ERROR [org.alfresco.fileserver] CIFS server configuration error, Error creating bean with name 'authenticationFilter' defined in file [/opt/alfresco-3.2/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationFilter' defined in file [/opt/alfresco-3.2/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml]: Invocation of init method failed; nested exception is javax.servlet.ServletException: Failed to login HTTP server service
Caused by: javax.servlet.ServletException: Failed to login HTTP server service
at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.afterPropertiesSet(BaseKerberosAuthenticationFilter.java:188)
at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.afterPropertiesSet(KerberosAuthenticationFilter.java:88)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1203)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1172)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:427)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:249)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:155)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:246)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:291)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.start(ChildApplicationContextFactory.java:327)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.getApplicationContext(ChildApplicationContextFactory.java:351)
at org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager.getApplicationContext(DefaultChildApplicationContextManager.java:256)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:102)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy182.isActive(Unknown Source)
at org.alfresco.filesys.config.ServerConfigurationBean.processCIFSServerConfig(ServerConfigurationBean.java:178)
at org.alfresco.filesys.AbstractServerConfigurationBean.init(AbstractServerConfigurationBean.java:486)
at org.alfresco.filesys.AbstractServerConfigurationBean.onApplicationEvent(AbstractServerConfigurationBean.java:840)
at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:617)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.start(ChildApplicationContextFactory.java:327)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.getApplicationContext(ChildApplicationContextFactory.java:351)
at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.onApplicationEvent(ChildApplicationContextFactory.java:366)
at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:617)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:246)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:189)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:69)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:627)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:553)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:488)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Basically, it looks as though even though I've got 'kerberos.authentiation.sso.enabled=false', it's still creating the kerberos HTTP beans/filters, and consequently failing as I don't have the HTTP password specified.
If I set the correct password, the exceptions go away and Alfresco appears to start, but I'm unable to login using either a valid kerberos login or the alfresco admin/admin. I can't seem to connect to the CIFS server either; kerberos debugging shows the session being authenticated fine but the client returns an error saying I don't have permissions (tried from Vista and OS X).
Looks to me like the 'active' property on 'authenticationFilter' in alfresco/subsystems/Authentication/kerberos/kerberos-filter-context.xml is being ignored? As for why kerberos logins aren't working for either CIFS or HTTP, I'm not sure either. As I mentioned, it appears as through it's authenticating me correctly according to the kerberos debug logs, however, HTTP gives me a nasty exception (org.alfresco.error.AlfrescoRuntimeException: 03240005 Not implemented) with a massive stack trace, and the CIFS side doesn't really say anything at all after I'm authenticated (even turned debug on).
Am I missing something, or just running into issues because it's bleeding edge code and not quite there yet?
