
External Auth Subsystem for SSO in Alfresco and Share

kbonnet
Champ in-the-making
Hello Alfrescians,

I'm trying to get the external authentication subsystem to work with Alfresco 3.2r2. I need Alfresco Explorer and Share to authenticate users based on an HTTP header. I use the default x-remote-alfresco-user for this. From 3.2r2 this is working for Alfresco Explorer like a dream. But I can't get Share to work based on this.

In my setup I'm running Alfresco 3.2r2 on CentOS 5.3 with Tomcat 6.0.20 and Sun JDK 1.6.0_14. For the authentication I'm using Apache. At the moment Apache is just asking for basic authentication against a password file. When the user is authenticated, the HTTP header is added and sent through to Alfresco. Alfresco detects the user in the header and authenticates it via the external authentication subsystem.

My Share configuration is:

   <config evaluator="string-compare" condition="Remote">
                <remote>
                        <!-- SSL client certificate + trusted CAs. Optionally used to authenticate Share to an external SSO system such as CAS -->
                        <keystore>
                                <path>alfresco/web-extension/alfresco-system.p12</path>
                                <type>pkcs12</type>
                                <password>******</password>
                        </keystore>
                        <connector>
                                <id>alfrescoCookie</id>
                                <name>Alfresco Connector</name>
                                <description>Connects to an Alfresco instance using cookie-based authentication</description>
                                <class>org.alfresco.connector.AlfrescoConnector</class>
                        </connector>
                        <endpoint>
                                <id>alfresco</id>
                                <name>Alfresco - user access</name>
                                <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                                <connector-id>alfrescoCookie</connector-id>
                                <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                                <identity>user</identity>
                                <external-auth>true</external-auth>
                        </endpoint>
                </remote>
        </config>

When Share receives a request, I see the HTTP header is added in the logging:

11:40:53,175 DEBUG [httpclient.wire.header] >> "GET /alfresco/wcs/webframework/content/metadata?user=kbonnet HTTP/1.1[\r][\n]"
11:40:53,175 DEBUG [org.apache.commons.httpclient.HttpMethodBase] Adding Host request header
11:40:53,187 DEBUG [httpclient.wire.header] >> "X-Alfresco-Remote-User: kbonnet[\r][\n]"

But on the Alfresco side, the header isn't picked up:

11:40:53,223 DEBUG [org.alfresco.web.scripts.servlet.WebScriptServlet] Processing request (GET) http://localhost:8080/alfresco/wcs/webframework/content/metadata?user=kbonnet
11:40:53,285 DEBUG [org.alfresco.web.scripts.AbstractRuntime] (Runtime=ServletRuntime, Container=Repository) Processing script url (GET) /webframework/content/metadata
11:40:53,287 DEBUG [org.alfresco.web.scripts.DeclarativeRegistry] Web Script index lookup for uri /webframework/content/metadata took 1.46ms
11:40:53,288 DEBUG [org.alfresco.web.scripts.servlet.WebScriptServletRequest] Content Type: null
11:40:53,289 DEBUG [org.alfresco.web.scripts.AbstractRuntime] Agent: null
11:40:53,289 DEBUG [org.alfresco.web.scripts.AbstractRuntime] Invoking Web Script org/alfresco/webframework/metadata.get (format html, style: argument, default: html)
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Current authentication: unauthenticated
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Authentication required: user
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Guest login requested: false
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
11:40:53,392 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Redirecting to Alfresco Login
11:40:53,393 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Authentication reset: unauthenticated

In the Share logging I see the login page being returned instead of the JSON info on the user, which of course results in an exception.

Why isn't Alfresco processing the HTTP header the same way as when it's coming from a user via Apache? When I do the request "/alfresco/wcs/webframework/content/metadata?user=kbonnet" via Apache to have the header added, I just get the JSON info. When I do the same request directly on Tomcat with wget (and including the header), I get the login page. I am sure Share is adding the header, because for debugging I changed the endpoint URL to a JSP page which shows all the headers, and I saw the header added by Share.

I'm not implementing mod_auth_cas on purpose. I just want users to be trusted based on the HTTP header. In the final situation there will be an authentication layer based on OpenASelect. This is a CAS-like service that will authenticate users, add headers and send them through to the application layer. I feel I am so close because I see Share adding the header. Alfresco just isn't processing it.

Any clues?

Kind regards,

Koen Bonnet

dward
Champ on-the-rise
I recently found a problem in this area and will be merging a fix to HEAD shortly.

The trouble is that in order to use just the header to provide the user ID to the Alfresco web app, without using a secured connection and a 'proxy user', you would need to set the external.authentication.proxyUserName property to the empty string, as follows:

external.authentication.proxyUserName=

The trouble is, there appears to be a problem with the overriding of property values to be the empty string. At the moment you would have no option but to edit this value in

$TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-filter.properties
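
The three outcomes discussed in this thread (Share's direct request to the repository being treated as unauthenticated, the Apache-proxied request succeeding, and the empty proxyUserName workaround above) as an added Python model. This is not Alfresco's own implementation: the request shape, the header name as it appears in the Share log, and the sample proxy user name "alfresco-system" are assumptions made for the example.

```python
"""
Added example (not Alfresco's own code): a model of the decision the thread
describes for the external authentication subsystem, used to show why a
header-only request is rejected until proxyUserName is emptied.

Assumptions (labelled, not taken from the page):
  - a request is modelled as the container-authenticated principal
    (remote_user, e.g. REMOTE_USER passed on by Apache, or a client
    certificate identity) plus the X-Alfresco-Remote-User header;
  - the header is trusted only when proxy_user_name is the empty string, or
    when remote_user equals proxy_user_name (a proxy user over a secured
    connection); otherwise remote_user itself is the identity, if any.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

HEADER = "X-Alfresco-Remote-User"  # header name as logged by Share in the thread


@dataclass(frozen=True)
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    remote_user: Optional[str] = None  # principal set by the container, None if anonymous


def resolve_user(req: Request, proxy_user_name: str) -> Optional[str]:
    """Return the user ID the repository would act as, or None for unauthenticated."""
    header_user = req.headers.get(HEADER)
    if proxy_user_name == "":
        # external.authentication.proxyUserName= : the header alone is trusted
        return header_user or None
    if req.remote_user == proxy_user_name:
        # an authenticated proxy user may assert any user ID via the header
        return header_user or None
    # otherwise the header is ignored; only a container-authenticated principal counts
    return req.remote_user


# Constructed sample requests mirroring the cases discussed in the thread
SHARE_DIRECT = Request(headers={HEADER: "kbonnet"})                        # Share -> Tomcat, no remote user
VIA_APACHE = Request(headers={HEADER: "kbonnet"}, remote_user="kbonnet")   # Apache basic auth, REMOTE_USER passed on
PROXY_USER = Request(headers={HEADER: "kbonnet"}, remote_user="alfresco-system")  # proxy identity on a secured link
ANONYMOUS = Request()                                                      # no header, no principal


def summarise(proxy_user_name: str) -> Dict[str, Optional[str]]:
    """Resolve each sample request under the given proxyUserName setting."""
    return {
        "share_direct": resolve_user(SHARE_DIRECT, proxy_user_name),
        "via_apache": resolve_user(VIA_APACHE, proxy_user_name),
        "proxy_user": resolve_user(PROXY_USER, proxy_user_name),
        "anonymous": resolve_user(ANONYMOUS, proxy_user_name),
    }


if __name__ == "__main__":
    for setting in ("alfresco-system", ""):
        print(f"proxyUserName={setting!r}: {summarise(setting)}")
```

With a non-empty proxyUserName, the Share-to-repository request carries only the header and resolves to None, which matches the "Current authentication: unauthenticated" lines in the repository log; the Apache-proxied request works because the container already knows the principal. Once proxyUserName is empty, whoever can reach the repository and supply the header is that user, so in that configuration the header has to be set or stripped at the proxy and the repository port reachable only from the proxy and Share.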

kbonnet
Champ in-the-making
Hi David,

Thanks for your reply! I will try this and let you know. I don't have big problems with this workaround, since I can override the subsystem configuration in the extension root, right?

Thanks.
Koen

dward
Champ on-the-rise
No. I am trying to tell you that the extension based override mechanism doesn't work in this instance. I will fix it so that it does ASAP.

kbonnet
Champ in-the-making
🙂 Got it. When the property gets a value it cannot be overridden to have no value.

It worked for me. For now I will do with this workaround. Thanks a lot!

Koen

kbonnet
Champ in-the-making
I moved my follow-up question about logging into Share based on HTTP headers to the Share topic, because it's slightly different from the question above.

http://forums.alfresco.com/en/viewtopic.php?f=47&t=23657

varunss
Champ in-the-making
I came across the same situation, having the same requirement to authenticate using an external system, and came across the same error. I changed the ProxyUsername to empty. Still I get the exception. What should be done?