External authentication and the user id pattern

florianhuebner
Champ in-the-making
Hello

We wanted to switch from Kerberos to external authentication.
I have set
external.authentication.enabled=true
external.authentication.proxyHeader=REMOTE_USER
and as long as basic authentication is used on the Apache everything works fine.

Now I wanted to switch to AuthType Kerberos but I get an Alfresco Explorer - System Error when trying to log in using SSO:

org.alfresco.repo.security.authentication.AuthenticationException: 07190007 Failed to set current user huebner@MY.COMPANY

How can I get rid of the "@MY.COMPANY"?
Setting the
external.authentication.userIdPattern=(^[-a-zA-Z0-9\.]*)
seems to have no effect, no matter what RegEx I use.
Even trying to resolve the issue on the Apache side via:
# Grab the REMOTE_USER apache environment variable for HTTP forwarding
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} ([-a-zA-Z0-9\.]+)[@]*.*
  RewriteRule . - [E=RU:%1]
# Set the REMOTE_USER and x-user to the authenticated username
  RequestHeader set REMOTE_USER %{RU}e
  RequestHeader set x-user %{RU}e
has no visible effect…

Am I doing anything wrong or have I missed something?
1 REPLY

florianhuebner
Champ in-the-making
I found a Remote User filter that I had to put into Tomcat to make it work:

It's the "RemoteUserFilter" tool on this page: http://www.switch.ch/aai/support/tools/index.html

Just had to put the jar file into the WEB-INF/lib folder and add the following two snippets into the web.xml:

The Filter definition:
   <filter>
      <filter-name>KerberosRemoteUserFilter</filter-name>
      <filter-class>ch.SWITCH.aai.filters.KerberosRemoteUserFilter</filter-class>
   </filter>

and the filter mapping itself:
   <filter-mapping>
      <filter-name>KerberosRemoteUserFilter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

It probably would have been enough if I had placed it before the Global Authentication Filter with the "/faces/*" url pattern, but I wanted to be sure, so I put it right at the start of the chain.
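
A filter of the kind described in the reply above can be sketched as follows. This is an added example, not the SWITCH RemoteUserFilter source and not part of the original posts; the class name `RealmStrippingFilter` and the `allowedRealm` init-param are hypothetical, and it assumes the container exposes Apache's REMOTE_USER through `getRemoteUser()`. It goes beyond the post in one respect: it strips only the expected realm and rejects any other, so that a principal from a different realm cannot be mapped onto a local user id.

```java
// Added example: hypothetical filter, not the SWITCH RemoteUserFilter source.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class RealmStrippingFilter implements Filter {
    private String allowedRealm; // hypothetical init-param, e.g. MY.COMPANY

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        allowedRealm = cfg.getInitParameter("allowedRealm");
        if (allowedRealm == null || allowedRealm.isEmpty()) {
            throw new ServletException("allowedRealm init-param is required");
        }
    }

    /** Returns the bare user id, or null if the principal must be rejected. */
    static String stripRealm(String principal, String allowed) {
        int at = principal.indexOf('@');
        String user = at < 0 ? principal : principal.substring(0, at);
        String realm = at < 0 ? null : principal.substring(at + 1);
        // Kerberos realms are case-sensitive: user@OTHER.REALM must not become "user".
        if (realm != null && !realm.equals(allowed)) return null;
        // Same character set as the pattern in the question; matches() tests the whole string.
        return user.matches("[-a-zA-Z0-9.]+") ? user : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String remote = http.getRemoteUser();
        if (remote == null) { chain.doFilter(req, res); return; } // no SSO identity: pass through
        final String user = stripRealm(remote, allowedRealm);
        if (user == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return user; }
        }, res);
    }

    @Override
    public void destroy() { }
}
```

It would be registered in web.xml in the same way as the filter above, with an added `<init-param>` for `allowedRealm`, and mapped ahead of the authentication filter.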