Chaining JAAS Authentication in Alfresco 2.1

rosemaryl
Champ in-the-making
I would like to configure Alfresco so that it authenticates using JAAS/Kerberos first, then checks the Alfresco database for usernames not found (i.e. "admin"), aka chained authentication. This type of authentication worked fine in 2.0, but has been less-than-cooperative in 2.1.

I believe the solution lies within the files jaas-authentication-context.xml and chaining-authentication-context.xml.

Contents of jaas-authentication-context.xml:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <!-- The authentication component.                                      -->

    <!-- JAAS authentication - most of the config goes somewhere else       -->

    <!--bean id="authenticationComponent"
                 class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>OUR.COMPANY.COM</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean-->

    <!-- DAO that rejects changes - JAAS is read only at the moment.      -->
    <!-- It does allow users to be deleted without warnings from the UI. -->
    <!-- The user is still present in JAAS, only the personal information is removed from alfresco. -->

    <!-- Replaced old sample code with code from http://forums.alfresco.com/viewtopic.php?t=7132&start=0&postdays=0&postorder=asc&highlight= as noted in bug AR-1564 -->
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
</beans>

Only change made in chaining-authentication-context.xml is filling in the realm value, everything is the same as the .sample file:

<bean id="authenticationComponentImplJAAS" class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>OUR.COMPANY.COM</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean>

In jaas-authentication-context.xml I have commented out the bean "authenticationComponent" because Andy in the topic http://forums.alfresco.com/viewtopic.php?t=7132&start=0&postdays=0&postorder=asc&highlight= suggests that there only be one bean called "authenticationComponent". I have also ensured that it is not called "authenticationComponentImpl", as it was in older versions.

With these two changes, Alfresco fails to load properly (404 error when trying to view the web client).  For now I have removed the chaining-authentication-context.xml file and uncommented the "authenticationComponent" bean in jaas-authentication-context.xml so that at least we have JAAS authentication. 

Has anyone else had any problems in chaining authentication this way?

Thanks in advance.
~Rosemary

P.S. In chaining-authentication-context.xml, is it a typo that there are two s' in <property name="authenticationComponentss">?
4 REPLIES 4

andy
Champ on-the-rise
Hi

Yes that is a typo.

The JAAS and Alfresco bean stacks need new names for the authentication components, service and DAOs they use. So they do not use the normal ones wired up in other beans. I use authenticationServiceJAAS, authenticationServiceAlfresco, … the same for auth components and DAOs.

Then in the chaining config wire these up in the authenticationService that chains and the authenticationComponent bean that chains.

It is a bit of a pain changing the bean names, particularly renaming the Alfresco beans that defined authentication found in authentication-services-context.xml.

Andy

rosemaryl
Champ in-the-making
Thanks for getting back to me, Andy, it's much appreciated.
I'm so new to configuring Alfresco files and the Spring framework that it took a couple of reads to kind of understand what needs to be done (and I have my n00bness to blame for that).

So, from what I understand, "authenticationComponentss" is a typo. That's easy enough to fix.

Now, it sounds like I rename beans so that they don't conflict with other named beans.  In authentication-services-context.xml there is a bean with the id "authenticationComponent" which gets overwritten by a bean with the same name in [extensions directory]\chaining-authentication-context.xml and I'm to delete the bean with the same id in jaas-authentication-context.xml so that we use the authenticationComponentImplJAAS bean and authenticationComponentImplAlfresco beans in the list?

Sorry, please bear with me…

Thanks again!

andy
Champ on-the-rise
Hi

Copy the service, component and DAO beans from authentication-services-context.xml, put them in an xml file in the extensions directory. Rename the beans to end Alfresco. Fix the JAAS example beans to end JAAS. Wire these beans up in the chaining context - which will replace the beans already defined in authentication-services-context.xml.

Andy

rosemaryl
Champ in-the-making
Hi Andy, sorry for taking a while to get back to you – I entered in this problem with the Alfresco Call Tracking system and here are the results.

The file jaas-authentication-context.xml needs to contain:

    <bean id="authenticationComponentImplJAAS"
                 class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>YOURDOMAIN.COM</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean>
   
    <bean name="authenticationDaoJAAS" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   

and the chaining-authentication-context.xml needs to have this:
<bean id="authenticationDaoAlfresco" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
…..
<property name="searchService">
            <ref bean="searchService"/>
        </property>
changed to this:

    <bean id="authenticationDaoAlfresco" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">

<property name="searchService">
            <ref bean="admsearchService"/>
        </property>

and this:

<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl">
     <property name="authenticationComponents">
       <list>
           <ref bean="authenticationComponentImplJAAS"/>
       </list>
    </property>

should be this:

<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl">
     <property name="authenticationComponent">
       <list>
           <ref bean="authenticationComponentImplJAAS"/>
       </list>
    </property>
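
An added example, not part of the original thread and not Alfresco's own code: a small Python check for the two wiring problems discussed above, a bean name that a later context file silently replaces and a chain `<ref>` that points at a bean no file defines. The file contents are constructed for illustration (class attributes omitted), and the load order, core file first and extension files after, is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample contents modelled on the thread; not the real Alfresco files.
CORE = """<beans>
  <bean id="authenticationComponent"/>
  <bean id="authenticationDao"/>
</beans>"""
JAAS = """<beans>
  <bean id="authenticationComponentImplJAAS"/>
  <bean name="authenticationDao"/>
</beans>"""
CHAIN = """<beans>
  <bean id="authenticationComponent">
    <property name="authenticationComponents"><list>
      <ref bean="authenticationComponentImplJAAS"/>
      <ref bean="authenticationComponentImplAlfresco"/>
    </list></property>
  </bean>
</beans>"""

# Assumed load order: core context first, extension-directory files afterwards.
FILES = {
    "authentication-services-context.xml": CORE,
    "jaas-authentication-context.xml": JAAS,
    "chaining-authentication-context.xml": CHAIN,
}

def load_beans(xml_text):
    """Return (bean names defined, bean names referenced) for one context file."""
    root = ET.fromstring(xml_text)
    # A bean may be identified by either its id or its name attribute.
    defined = [b.get("id") or b.get("name") for b in root.iter("bean")]
    refs = {r.get("bean") for r in root.iter("ref") if r.get("bean")}
    return [d for d in defined if d], refs

def audit(files):
    """Report (overrides, dangling refs); property names are not inspected."""
    owner, overrides, refs = {}, [], set()
    for fname, text in files.items():
        defined, used = load_beans(text)
        refs |= used
        for bean in defined:
            if bean in owner:
                # A later definition replaces the earlier one of the same name.
                overrides.append((bean, owner[bean], fname))
            owner[bean] = fname
    dangling = sorted(refs - set(owner))
    return overrides, dangling

if __name__ == "__main__":
    for item in audit(FILES):
        print(item)
```

An override of `authenticationComponent` by the chaining file is the intended one; any other override, such as the unrenamed `authenticationDao` here, or any dangling reference, is worth resolving before the repository is restarted.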