CASifying share (4.2.x): Header or filter approach?

stefanthomas
Champ in-the-making
Dear all,

(we are new to Alfresco and this is my first post ever to the community - forgive me if I have overlooked some obvious resources to search for first)

we need to provide SSO with a 3.x CAS server for Alfresco Share (4.2.x). Chapter 6.5.3 in the Alfresco wiki on authentication subsystems describes how to change the shared configuration files. In this chapter we do not find any info about changing the web.xml to add new CAS filters, or to replace the existing SSO filter with a special implementation which forwards the CAS-authenticated user to Alfresco's authentication system.

Hence, I assume that this 'manual' only works with an Apache up front using mod_auth_cas, so Apache does the redirect and then connects to Alfresco with the CAS-authenticated user in a request header? And this is then processed by SSOAuthenticationFilter out of the box?

On the one hand, we do not have Apache in front of Alfresco (yet); second, mod_auth_cas seems to be rather old (which need not be bad in general, of course :-)); and finally, it is not officially supported for Windows (any more) - and that's where we are evaluating Alfresco currently.

Is the header-based authentication the only SSO variant documented on the wiki for Alfresco 4.2.x? Because we found numerous blogs/posts on the internet for different versions of Alfresco on this topic, but nothing official from the Alfresco community.

We tried the filter approach documented somewhere else, but ended up with exceptions for the guest user trying to create the CAS-authenticated user in a read-only transaction context. We already tried to set the restrictions to read-write, but did not notice a difference.

In our naive thinking we would like to add the CAS filters to the web.xml, tell Alfresco in the config files that external authentication exists, and then "hope" that SSOAuthenticationFilter picks up the CAS-authenticated user from the HTTP session or request. But it does not seem to be that easy.

Can you point us to some 'official' resources on how to set up the filter approach with the current version of Alfresco? Or maybe just shed some light on the different options available in general for CASifying Share?

Thank you and best wishes
Stefan

stefanthomas
Champ in-the-making
Dear all,

I have been able to solve the SSO authentication picking pieces from everywhere.
We are running 4.2.c with an old CAS server (Yale).
I guess the solution will also apply to a newer CAS server (Jasig).

After a fresh install of 4.2.c (and stopping the servers) we applied the following changes:

Added the CAS filter to Share's web.xml:


   <filter>
      <filter-name>CAS Filter</filter-name>
      <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
         <param-value>…your CAS server here…/login</param-value>
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
         <param-value>…your CAS server here…/serviceValidate</param-value>
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
         <param-value>localhost:8080</param-value>
      </init-param>
      <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
         <param-value>true</param-value>
      </init-param>
   </filter>

and

   <filter-mapping>
      <filter-name>CAS Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>


(all the rest of the web.xml stayed untouched)

We modified \tomcat\shared\classes\alfresco-global.properties and added the following lines on top:


authentication.chain=external1:external

external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=


Next, we edited \tomcat\shared\classes\alfresco\web-extension\share-config-custom.xml to this:

<alfresco-config>
  
   <!-- Repository Library config section -->
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <!--
         Whether the link to the Repository Library appears in the header component or not.
      -->
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
<!-- We commented this out because it did not appear in the other docs ...
         <endpoint>
            <id>activiti-admin</id>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user authentication</description>
            <connector-id>activiti-admin-connector</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
            <identity>user</identity>
         </endpoint>
-->
      </remote>
   </config>
  
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>
        
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>
  

</alfresco-config>


Finally, we dropped the CAS client jar into Share's WEB-INF\lib, restarted everything, and that was it!


Hope it helps someone … we took days to get it running and desperately went for this forum then. Now we got it running in less than an hour.

Cheers
Stefan
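As an added check (my own example, not code from the post or from Alfresco), this Python script lints the two fragments above for the cross-wiring they rely on: an external subsystem in authentication.chain, a non-empty proxyHeader, and a userHeader on the connector behind every external-auth endpoint. It also flags the empty proxyUserName, because with that setting the repository accepts the proxy header from any caller that can reach it (the documented default is alfresco-system, identified by the alfresco-system.p12 client certificate), so the repository port should be reachable only through Share or a trusted proxy. The two config strings are constructed from the thread and trimmed; the finding codes are my own names.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the two config fragments in the thread (trimmed).
GLOBAL_PROPS = """authentication.chain=external1:external
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=
"""
SHARE_CONFIG = """<alfresco-config><config evaluator="string-compare" condition="Remote"><remote>
 <connector><id>alfrescoHeader</id>
  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
  <userHeader>SsoUserHeader</userHeader></connector>
 <endpoint><id>alfresco</id><connector-id>alfrescoHeader</connector-id>
  <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
  <identity>user</identity><external-auth>true</external-auth></endpoint>
</remote></config></alfresco-config>"""

def parse_props(text):
    """Minimal key=value parser for alfresco-global.properties (no continuation lines)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_sso_wiring(props_text, share_xml):
    """Return finding codes for the header-based SSO wiring; [] means consistent and safe."""
    p = parse_props(props_text)
    findings = []
    chain = p.get("authentication.chain", "")
    if not any(part.endswith(":external") for part in chain.split(",")):
        findings.append("NO_EXTERNAL_SUBSYSTEM")   # repository never consults the header
    if p.get("external.authentication.enabled") != "true":
        findings.append("EXTERNAL_AUTH_DISABLED")
    if not p.get("external.authentication.proxyHeader"):
        findings.append("EMPTY_PROXY_HEADER")      # no header name for the repository to read
    if not p.get("external.authentication.proxyUserName"):
        # Empty proxyUserName: the repository accepts the header from any caller, so
        # the repository port must be reachable only through Share (or a trusted proxy).
        findings.append("HEADER_TRUSTED_FROM_ANY_CLIENT")
    root = ET.fromstring(share_xml)
    connectors = {c.findtext("id"): c for c in root.iter("connector")}
    for ep in root.iter("endpoint"):
        if ep.findtext("external-auth") == "true":
            conn = connectors.get(ep.findtext("connector-id"))
            if conn is None or not conn.findtext("userHeader"):
                findings.append("ENDPOINT_WITHOUT_USER_HEADER:" + (ep.findtext("id") or "?"))
    return findings
```

Run `check_sso_wiring(GLOBAL_PROPS, SHARE_CONFIG)` against the thread's values and the only finding is the empty proxyUserName; point it at your real files to re-check after any edit.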