Associating the auth ticket with a resource / single use?

shikarishambu
Champ in-the-making
I have a custom application that is calling into Alfresco to retrieve the documents from Alfresco. The custom client manages all the user authentication and authorization and interfaces with Alfresco using a single login. We are using webscripts to do the login and search. I would like to ensure that users cannot access Alfresco documents that are not presented to them via the application by trying to pass a different filename in the GET.

I noticed that authentication-services-context.xml has a few properties under ticketComponent for ticketsExpire, oneOff, and expiryMode. I tried setting ticketsExpire to true and oneOff to true, too. Setting oneOff to true seems to cause issues on the web UI: in some cases I keep getting prompted for the login on every click. Is there a way to specify expiryMode etc. as part of the webscript call so that the user cannot use the same ticket to get a different document? Or is there a different way to achieve this?

TIA
2 REPLIES

mrogers
Star Contributor
If you didn't use a proxy account you would not need to jump through hoops.

Can you get some sort of SSO working between your application and alfresco?

shikarishambu
Champ in-the-making
The reason we decided to use a proxy account rather than have user accounts in Alfresco is that our application/solution treats ECM as a pluggable component. So we want the ability to manage access to the documents in our application (and not have it replicated/set up in the different ECM flavors that are out there). I realize that it does not make full use of an ECM's capabilities.

I could possibly get an SSO solution in place, but it would still have to be a proxy/service account. I do think this is a valid integration scenario: accessing an external resource through a single service account. What I am trying to achieve is nothing more than stopping a replay attack in the case of a web / web service application.

Thanks