External Authentication only possible with SSO?

kinglear
Champ in-the-making
Hello, I am new here and since the forum just ate my initial post I will be brief.

I have successfully managed to set up Alfresco 4.0.e to accept external authentication using Shibboleth. My front-end consists of an Apache webserver running mod_shib and mod_proxy_ajp. After authenticating at my Shibboleth IdP I am logged in at both /alfresco and /share. So no problem here.

Since we would like to use a custom external authentication method, I started to play around a little using basic authentication. I am not referring to AlfrescoNtlm, but to external authentication based on mod_auth_basic and mod_authn_file. Although the alfresco configuration was not modified and Apache correctly provides a REMOTE_USER variable, I can no longer access /share. I still get logged in into the alfresco repository, but when accessing the /share location I only get an HTTP 200 status code with Content-Length 0, i.e. no HTML is returned.

I am currently suspecting that external authentication in share only works with Single-Sign-On systems. Is my assumption correct, or is this behaviour caused by something else? Any explanation will be highly appreciated.
2 REPLIES

marek
Champ in-the-making
hi,
I have the same problem on my instance 4.0.d (apache -> basic_auth -> ajp_proxy -> alfresco) 200 with blank screen. External sso on share with basic auth works for me on enterprise version 4.1.1.3 only. I tried 4.2.b but there is another problem with "Read-Write transaction started within read-only transaction" while share is trying access /wcs api. Can you paste your configuration for apache and alfresco  which works for you with Shibboleth?

exception from 4.2.b (and 4.2.a) with the same configuration as 4.1.1.3, which works:

    2012-11-06 17:40:42,554  ERROR [extensions.webscripts.AbstractRuntime] [http-apr-8080-exec-4] Exception from executeScript - redirecting to status template error: 10060297 Failed to authenticate as Guest user.
    org.alfresco.error.AlfrescoRuntimeException: 10060297 Failed to authenticate as Guest user.
       at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:249)
       at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:155)
       at org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator.authenticate(WebClientAuthenticatorFactory.java:135)
       at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:304)
       at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:301)
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:433)
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:323)
       at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:341)
       at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:377)
       at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:209)
       at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:118)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
       at org.alfresco.repo.web.filter.beans.NullFilter.doFilter(NullFilter.java:68)
       at sun.reflect.GeneratedMethodAccessor374.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:601)
       at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:116)
       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
       at $Proxy241.doFilter(Unknown Source)
       at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
       at org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter.doFilter(WebScriptSSOAuthenticationFilter.java:140)
       at sun.reflect.GeneratedMethodAccessor374.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:601)
       at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
       at $Proxy241.doFilter(Unknown Source)
       at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
       at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
       at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
       at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
       at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1771)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
       at java.lang.Thread.run(Thread.java:722)
    Caused by: org.alfresco.error.AlfrescoRuntimeException: 10060296 Read-Write transaction started within read-only transaction
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:360)
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:304)
       at org.alfresco.web.app.servlet.AuthenticationHelper.createUser(AuthenticationHelper.java:421)
       at org.alfresco.web.app.servlet.AuthenticationHelper.setUser(AuthenticationHelper.java:375)
       at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:217)
       ... 52 more
    2012-11-06 17:40:42,578  ERROR [extensions.webscripts.AbstractRuntime] [http-apr-8080-exec-5] Exception from executeScript - redirecting to status template error: 10060300 Failed to authenticate as Guest user.
    org.alfresco.error.AlfrescoRuntimeException: 10060300 Failed to authenticate as Guest user.
       at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:249)
       at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:155)
       at org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator.authenticate(WebClientAuthenticatorFactory.java:135)
       at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:304)
       at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:301)
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:433)
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:323)
       at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:341)
       at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:377)
       at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:209)
       at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:118)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
       at org.alfresco.repo.web.filter.beans.NullFilter.doFilter(NullFilter.java:68)
       at sun.reflect.GeneratedMethodAccessor374.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:601)
       at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:116)
       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
       at $Proxy241.doFilter(Unknown Source)
       at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
       at org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter.doFilter(WebScriptSSOAuthenticationFilter.java:140)
       at sun.reflect.GeneratedMethodAccessor374.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:601)
       at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
       at $Proxy241.doFilter(Unknown Source)
       at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
       at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
       at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
       at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
       at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1771)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
       at java.lang.Thread.run(Thread.java:722)
    Caused by: org.alfresco.error.AlfrescoRuntimeException: 10060299 Read-Write transaction started within read-only transaction
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:360)
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:304)
       at org.alfresco.web.app.servlet.AuthenticationHelper.createUser(AuthenticationHelper.java:421)
       at org.alfresco.web.app.servlet.AuthenticationHelper.setUser(AuthenticationHelper.java:375)
       at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:217)
       ... 52 more

kinglear
Champ in-the-making
This is my share-config-custom.xml:

<alfresco-config>
  
   <!-- Repository Library config section -->
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <!--
         Whether the link to the Repository Library appears in the header component or not.
      -->
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
        
         <endpoint>
            <id>activiti-admin</id>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user authentication</description>
            <connector-id>activiti-admin-connector</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <!-- Client certificate Share presents to the repository when the endpoint is
              reached over HTTPS. The password is the default from the Alfresco
              documentation; since the endpoint-url below is plain HTTP on localhost,
              the certificate is never actually presented in this setup. -->
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
         </connector>
        
         <!-- Same endpoint id as in the first Remote section. With external-auth Share
              passes the user it received from the container (REMOTE_USER) to the
              repository in the X-Alfresco-Remote-User header instead of a password, so
              the repository must only honour that header from Share itself
              (external.authentication.proxyUserName on the repository side). -->
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

</alfresco-config>

As you can see, I was using the ApacheConnector class and not the SlingshotApacheConnector class. Based on what I have read online, the latter one is supposed to address certain issues, but it made no difference for me regarding this problem.

And here is my tomcat ssl configuration file; the shibboleth-protected locations have been commented out:


NameVirtualHost *:443

<VirtualHost *:443>
   
    DocumentRoot /var/www
   
    SSLEngine on
    SSLHonorCipherOrder on
    # Cipher list as posted. Note that it still admits LOW, EXP and eNULL
    # (unencrypted) suites at the tail; those should be excluded outright.
    SSLCipherSuite RC4-SHA:HIGH:!ADH:!EXPORT56:+RSA:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/ssl/certs/***.pem
    SSLCertificateKeyFile /etc/ssl/private/***.key
    SSLCACertificatePath /etc/ssl/certs
    # optional_no_ca: a client certificate is requested but accepted even if it
    # cannot be verified against the CA path; ExportCertData hands it on to the
    # backend, which is then responsible for checking it.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions +ExportCertData +StrictRequire

    ServerName ***
    UseCanonicalName On   

    ProxyRequests Off
   
    # AJP carries REMOTE_USER to Tomcat as the request's principal. Tomcat only
    # honours it when the AJP connector is configured with
    # tomcatAuthentication="false", and port 8009 must stay reachable from
    # this host only: anyone who can speak AJP to it directly can set the
    # principal themselves.
    # Alfresco Explorer
    ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
    ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco

    # Share
    ProxyPass /share ajp://127.0.0.1:8009/share
    ProxyPassReverse /share ajp://127.0.0.1:8009/share
   
    # Shibboleth variant (commented out). ShibUseHeaders exports the SP
    # attributes as request headers; the Shibboleth SP documentation warns
    # that headers can be spoofed by clients unless filtered, which is why
    # environment variables (passed to Tomcat as AJP request attributes)
    # are the preferred channel.
#    <Location /share>
#        AuthType shibboleth
#        ShibRequireSession On
#        require valid-user
#        ShibUseHeaders On
#    </Location>

#    <Location /alfresco>
#        AuthType shibboleth
#        ShibRequireSession On
#        require valid-user
#        ShibUseHeaders On
#    </Location>

    # Basic-auth variant. Besides REMOTE_USER, mod_proxy also forwards the
    # browser's Authorization header to Tomcat unchanged unless it is removed
    # with RequestHeader unset.
    <Location /share>
        AuthType Basic
        AuthName "private area"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/passwords
        Require valid-user
    </Location>

    <Location /alfresco>
        AuthType Basic
        AuthName "private area"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/passwords
        Require valid-user
    </Location>

</VirtualHost>
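The security-relevant part of the external-auth setup discussed in this thread is who is allowed to assert the user: the container principal that AJP carries as REMOTE_USER, and the proxy header that Share sends to the repository when `external-auth` is on. Here is an added example (not from this thread and not Alfresco's code) that models that decision in Python. The `Request` class, the function names and the sample requests are constructed; the header name X-Alfresco-Remote-User and the meaning of `external.authentication.proxyUserName` (a blank value lets any caller use the header) follow Alfresco's documentation as I read it, and everything else is assumed.

```python
"""Trusted-header external authentication: who may assert the user?

Added example, not Alfresco code. Two channels from the thread are modelled:

  * REMOTE_USER, which mod_proxy_ajp hands to Tomcat as the container's
    authenticated principal (Request.remote_user below), and
  * a proxy header a trusted front end (Share) uses to say "act as this user"
    (X-Alfresco-Remote-User, Alfresco's documented default header name).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

PROXY_HEADER = "X-Alfresco-Remote-User"


@dataclass
class Request:
    """Constructed stand-in for the servlet request the repository sees."""
    remote_user: Optional[str]                       # principal set by the container (AJP REMOTE_USER)
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup, as HTTP header names are."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def map_remote_user(req: Request, proxy_user: Optional[str]) -> Optional[str]:
    """Return the identity the repository should act as, or None.

    proxy_user is the principal the trusted front end must have authenticated
    as (in Alfresco normally proven with the alfresco-system client cert).
    """
    asserted = req.header(PROXY_HEADER)
    if not proxy_user:
        # Lax mode: nobody is distinguished as "the proxy", so the header is
        # honoured from any caller. A Basic-auth user who can reach the
        # backend picks any identity by adding one header.
        return asserted or req.remote_user
    if req.remote_user == proxy_user:
        # The trusted proxy itself is calling: it speaks for the end user.
        return asserted
    # Any other caller: ignore the header, keep the container's principal.
    return req.remote_user


def strip_client_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """What the edge proxy should do before forwarding: drop any copy of the
    proxy header a browser sent, so only the trusted hop can set it
    (in Apache: RequestHeader unset X-Alfresco-Remote-User)."""
    return {k: v for k, v in headers.items() if k.lower() != PROXY_HEADER.lower()}


def scenarios() -> Dict[str, Optional[str]]:
    """Constructed requests covering the cases a reviewer wants to see."""
    # 1. Basic-auth user alice reaches /alfresco/wcs and adds the header herself.
    forged = Request("alice", {PROXY_HEADER: "admin"})
    # 2. Share, authenticated as the proxy principal, acts for bob.
    via_share = Request("alfresco-system", {PROXY_HEADER: "bob"})
    # 3. Share calls without naming an end user (an unauthenticated endpoint).
    via_share_anon = Request("alfresco-system", {})
    # 4. alice's forged header after the edge stripped it; only helps while
    #    the backend is reachable through the edge alone.
    stripped = Request("alice", strip_client_headers(forged.headers))
    return {
        "lax_forged": map_remote_user(forged, None),                        # "admin": impersonation
        "strict_forged": map_remote_user(forged, "alfresco-system"),        # "alice"
        "strict_via_share": map_remote_user(via_share, "alfresco-system"),  # "bob"
        "strict_via_share_anon": map_remote_user(via_share_anon, "alfresco-system"),  # None
        "lax_stripped": map_remote_user(stripped, None),                    # "alice"
    }


if __name__ == "__main__":
    for name, user in scenarios().items():
        print(f"{name:24s} -> {user}")
```

The `strict_forged` row is the difference a non-blank proxy identity makes: alice stays alice even with the header set, while in lax mode the same request becomes admin. Stripping the header at Apache gives the same protection only as long as Tomcat's AJP port cannot be reached except through Apache, which the posted config achieves by proxying to 127.0.0.1:8009.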