
Custom authentication filter port

castle
Champ in-the-making
Hi,

I'm trying to migrate our Alfresco 3.0 to 3.3, but I'm having difficulty setting up a custom authentication filter in Alfresco Share.
The one for Alfresco Explorer worked directly without much trouble, but I can't port the one in Alfresco Share.

The reason is that I have to use the spring-surf libraries instead of alfresco-webscript-framework.jar and alfresco-web-framework.jar.

In my current version for 3.0 I have these lines:


    UserFactory userFactory = FrameworkHelper.getUserFactory();
    boolean authenticated = userFactory.authenticate(req, userName,user_guid);

and in 3.3 I can't find the FrameworkHelper class. I tried to use this instead:


    UserFactory userFactory = FrameworkUtil.getServiceRegistry().getUserFactory();
    boolean authenticated = userFactory.authenticate(req, userName,user_guid);

but it's not working: FrameworkUtil.getServiceRegistry() is giving null. I also tried getting the RequestContext, without success.

Can someone point me in the right direction?

Thanks in advance
4 REPLIES 4

castle
Champ in-the-making
I'm thinking that it's maybe the configuration files that are wrong.

I've put this into share-config-custom.xml

<config evaluator="string-compare" condition="Remote">
      <remote>

         <!-- Connector Implementations -->
         <connector>
            <id>http</id>
            <name>Simple Http Connector</name>
            <description>Simple HTTP Connector</description>
            <class>org.alfresco.connector.HttpConnector</class>
         </connector>

         <connector>
            <id>alfresco</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using ticket-based authentication</description>
            <class>org.alfresco.connector.AlfrescoConnector</class>
            <authenticator-id>alfresco-ticket</authenticator-id>
         </connector>

         <!-- Authenticator Implementations -->
         <authenticator>
            <id>alfresco-ticket</id>
            <name>Alfresco Authenticator</name>
            <description>Alfresco Authenticator</description>
            <!--<class>org.alfresco.connector.AlfrescoAuthenticator</class>-->
            <class>org.alfresco.web.app.servlet.custom.OSSOAlfrescoAuthenticator</class>
         </authenticator>

         <!-- Endpoints -->
         

         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8081/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8081/alfresco/s</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8081/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
         
         
         <!-- The default endpoint -->
         <default-endpoint-id>alfresco</default-endpoint-id>

         <!-- The default credential vault -->
         <default-credential-vault-provider-id>credential.vault.provider</default-credential-vault-provider-id>

      </remote>
   </config>

just in case someone sees the problem

skarvenz
Champ in-the-making
We found lots of issues when trying to make this work. We looked at the same CAS filter stuff and were able to make everything work on Alfresco very easily. Share was much more of an issue. What we ended up doing with Share was something very similar to the CAS solution you mentioned for the earlier version. We ran into the same problems when trying to implement it. What we eventually did was take a look at the org.alfresco.web.site.servlet.NTLMAuthenticationFilter.java class and try to mimic it, but making adjustments for where the credentials were used. What they do in the beginning to initialize their filter is:

    // Field declarations
    private ConnectorService connectorService;
    private String endpoint;
    private ServletContext servletContext;

    // init method which takes args
    public void init(FilterConfig args) throws ServletException
    {
        // get the endpoint id to use
        this.endpoint = args.getInitParameter("endpoint");

        // get reference to our ServletContext
        this.servletContext = args.getServletContext();

        if (logger.isInfoEnabled())
            logger.info("NTLMAuthenticationFilter initialised.");
    }


Then when processing the filter they use the following to create the connection:

    Connector conn = getConnector(this.endpoint, session);
    ConnectorContext ctx = new ConnectorContext(null, getConnectionHeaders(conn));
    Response remoteRes = conn.call("/touch", ctx, req, null);

The problem we had here was that even though the session is supplied to the connector, it doesn't take the parameters or cookies that are in the session or request.
We added in an additional line to inject the cookie we needed into the session:

    Connector conn = getConnector(this.endpoint, session);
    conn.getConnectorSession().setCookie(theCookie.getName(), theCookie.getValue());
    ConnectorContext ctx = new ConnectorContext(null, getConnectionHeaders(conn));
    Response remoteRes = conn.call("/touch", ctx, req, null);

For the share-custom-config.xml file, we uncommented the items that were in there for the NTLM filter. All we needed was the alfresco endpoint and the alfrescoCookie as the connector. We did not need to do anything else:
   <config evaluator="string-compare" condition="Remote">
      <remote>
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>


Also note, the endpoint goes to wcs. There seemed to be many different options out there when we did our searching. I did not try the s or service or wcservice endings, as the wcs worked for us.

Hope that helps!

zaccret
Champ in-the-making
Hi castle,

I had the same problem. The following seems to fix the issue:

In the init() method, save the servlet context in an attribute:
       
this.servletContext = config.getServletContext();

In the doFilter() method:
        // initialize a new request context
        RequestContext context = FrameworkUtil.getCurrentRequestContext();
        if(context == null){
           try{
               // perform a "silent" init - i.e. no user creation or remote connections
               context = RequestContextUtil.initRequestContext(getApplicationContext(), (HttpServletRequest)sreq, true);
           }
           catch (RequestContextException ex)
           {
               throw new ServletException(ex);
           }
        }

And add:
    private ApplicationContext getApplicationContext()
    {
       return WebApplicationContextUtils.getWebApplicationContext(servletContext);
    }

castle
Champ in-the-making
Thanks to both.

Better late than never

I finally used the solution of zaccret.

Now I'm struggling with another thing. I've just realised that if I'm logged in to Share with whatever user, I can use the webservices to request documents that I'm not theoretically entitled to according to the permissions in Share.

I think this is because we use an endpoint alfresco/s instead of alfresco/wcs. I tried to change it but I got an ugly error, and searching around I found this:

http://issues.alfresco.com/jira/browse/ALF-2788

At least the error and the situation are similar to what I'm getting.

Is someone else having the same problem? skarvenz, is your Alfresco version 3.3?

Thanks
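
To compare the endpoint definitions posted in this thread (the `/s` versus `/wcs` question in particular), here is a small audit script, added as an example and not code from any poster or from Alfresco. It resolves each endpoint in a share-config-custom.xml to its connector, authenticator class and servlet path; the function name, the `alfresco-wcs` id and the embedded sample (constructed from values in the thread) are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: trimmed from the two <remote> blocks posted in the thread.
SAMPLE = """<alfresco-config><config evaluator="string-compare" condition="Remote"><remote>
  <connector>
    <id>alfresco</id>
    <authenticator-id>alfresco-ticket</authenticator-id>
  </connector>
  <authenticator>
    <id>alfresco-ticket</id>
    <class>org.alfresco.web.app.servlet.custom.OSSOAlfrescoAuthenticator</class>
  </authenticator>
  <endpoint>
    <id>alfresco</id>
    <connector-id>alfresco</connector-id>
    <endpoint-url>http://localhost:8081/alfresco/s</endpoint-url>
    <identity>user</identity>
    <external-auth>true</external-auth>
  </endpoint>
  <endpoint>
    <id>alfresco-wcs</id>
    <connector-id>alfrescoCookie</connector-id>
    <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
    <identity>user</identity>
  </endpoint>
</remote></config></alfresco-config>"""

def audit_endpoints(xml_text):
    """Resolve every <endpoint> to its connector, authenticator class and servlet path."""
    rows = []
    for remote in ET.fromstring(xml_text).iter("remote"):
        conns = {c.findtext("id"): c for c in remote.findall("connector")}
        auths = {a.findtext("id"): a.findtext("class") for a in remote.findall("authenticator")}
        for ep in remote.findall("endpoint"):
            conn = conns.get(ep.findtext("connector-id"))
            auth_id = conn.findtext("authenticator-id") if conn is not None else None
            rows.append({
                "endpoint": ep.findtext("id"),
                # last path segment of the URL, e.g. "s" or "wcs"
                "servlet": urlparse(ep.findtext("endpoint-url", "")).path.rstrip("/").rsplit("/", 1)[-1],
                "identity": ep.findtext("identity"),
                "external_auth": ep.findtext("external-auth") == "true",
                "connector_defined": conn is not None,  # False: not defined in this file
                "authenticator_class": auths.get(auth_id),  # None: connector has no authenticator here
            })
    return rows

if __name__ == "__main__":
    print(*audit_endpoints(SAMPLE), sep="\n")
```

The script reads only the one file, so a connector it reports as undefined may still be defined in another configuration file.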