Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

External SSO in alfresco share

ramjoy22
Champ on-the-rise
Champ on-the-rise

‎04-18-2013 12:50 AM

I need to test external sso in alfresco share

I followed the steps

1. renamed alfresco-4.2.c/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample as share-config-custom.xml.
2. Uncommentd both the 
 <config evaluator="string-compare" and the condition="Remote">
sections.



 <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not 
            require authentication
        </description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that 
                         require user authentication
        </description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via
                         the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
         
         <endpoint>
            <id>activiti-admin</id>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user 
                         authentication</description>
            <connector-id>activiti-admin-connector</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/activiti-admin
            </endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
    </config>

<config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
         
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based 
                          authentication
            </description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and 
             cookie-based authentication
            </description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user
             authentication
            </description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>



3. modified alfrsco-global.properties like ;

   authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
   external.authentication.proxyUserName=
   external.authentication.enabled=true
   external.authentication.defaultAdministratorUserNames=admin
   external.authentication.proxyHeader=SsoUserHeader

No other changes made
Do i need to do any further modifications?


i tried to access alfresco from my JSP application as follows,



Testing SSO <br>
<%

URL url1 = new URL("http://localhost:8080/share/page"); 
URLConnection conn = url1.openConnection(); 
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestProperty("SsoUserHeader", "admin"); 
for (int i = 0;; i++) { 
   String headerName = conn.getHeaderFieldKey(i);  
   String headerValue = conn.getHeaderField(i);   
   System.out.println(headerName + "===");  
   System.out.println(headerValue);  
   if (headerName == null && headerValue == null) {     break;   } 
}

%>


its giving output in console : 

 
***************
null===
HTTP/1.1 200 OK
Server===
Apache-Coyote/1.1
Set-Cookie===
JSESSIONID=89E6C0A9600DDA3675EEB633F5F3A248; Path=/share/; HttpOnly
Cache-Control===
no-cache
Content-Type===
text/html;charset=utf-8
Content-Language===
en-US
Transfer-Encoding===
chunked
Date===
Wed, 17 Apr 2013 13:52:24 GMT
null===
null
*************



Connection is success here.

Now I need to test SSO.
<strong>how can i link from my jsp application to alfresco share?</strong>
<strong>when i am using response.redirect  it shows login page again</strong>

Labels:
32 REPLIES 32

afaust
Legendary Innovator
Legendary Innovator

‎04-19-2013 04:01 AM

Hello,

you can't simply link from your JSP to Alfresco and expect external authentication to work. Your test inside the JSP works because you are directly manipulating an URLConnection. Unless you provide a way for new connections (irregardless if redirected or pointed directly at Alfresco) to be authenticated and a HTTP header added transparently, external authentication will not work. You can't manipulate the HTTP headers of a request that is the result of a redirect.

For linking from an application to Alfresco without having a CAS (central authentication service) to provide real external authentication, I would evaluate the use of login tickets. I.e. have your application access Alfresco like you did in your test and obtain a ticket. Append that dynamically to the redirect URL to pass it to the client. This ticket will automatically login the user with the same context used in your JSP. You may have to provide a special SSO filter that is able to pass the ticket to the Alfresco Repository though - last I checked the default SSOAuthenticationFilter was not capable of passing a ticket.

Regards
Axel
0 Kudos

ramjoy22
Champ on-the-rise
Champ on-the-rise
In response to afaust

‎04-19-2013 05:10 AM

Thank you for the reply.
I would like to have some clarification ,
1, when i am trying to connect using hhtp url connection or urlconnection, how the ticket get created?
2, when i make request through url connection will it return any ticket
3, how can i get ticket without giving password?

Thank you
Ram

0 Kudos

afaust
Legendary Innovator
Legendary Innovator
In response to ramjoy22

‎04-19-2013 09:46 AM

Hello,

1) and 2) You need to implement a web script that generates a returns the ticket for the current user. This web script is addressed by the URI you use to setup a URLConncetion. The ticket should be contained in the response body, which you need to evaluate in your JSP (or Java code) to extract the ticket. This can be done by a simple JavaScript / FreeMarker web script, using the JavaScript session root scope object to retrieve the ticket, i.e. 
session.getTicket()


3) By using the external authentication approach you've already shown in your original post for the request to retrieve the ticket.

Regards
Axel
0 Kudos

shibu
Champ in-the-making
Champ in-the-making
In response to afaust

‎04-22-2013 09:30 AM

I just created a web script to get the ticket of Alfresco Share. Steps which I done are;


 1. Created getticket.get.desc.xml

    <webscript>
      <shortname>Get User Ticket</shortname>
      <description>Personalized greeting</description>
      <url>/getticket</url>
      <authentication>user</authentication>
      <negotiate accept="text/html">html</negotiate>
      <negotiate accept="application/json">json</negotiate>
    </webscript>

   2. created getticket.get.html.ftl (Plain Text)

         ${session.getTicket()}


Next I tried to get it in the jsp code,


<%
 
URL url1 = new URL("http://localhost:8080/alfresco/service/getticket"); 
URLConnection conn = url1.openConnection(); 
conn.setRequestProperty("SsoUserHeader", "admin"); 
for (int i = 0;; i++) { 
   String headerName = conn.getHeaderFieldKey(i);  
   String headerValue = conn.getHeaderField(i);   
   System.out.println(headerName + "===");  
   System.out.println(headerValue);  
   if (headerName == null && headerValue == null) {     break;   } 
}

%>


Output;

null===
HTTP/1.1 401 Unauthorized
Server===
Apache-Coyote/1.1
WWW-Authenticate===
Basic realm="Alfresco"
Content-Type===
text/html;charset=utf-8
Content-Length===
951
Date===
Mon, 22 Apr 2013 13:23:58 GMT
null===
null


1)How can I get the ticket here? Its telling unautherized. Can't provide password as it is external SSO.
0 Kudos

shibu
Champ in-the-making
Champ in-the-making

‎04-19-2013 07:11 AM

Can you please tell, how to provide a special SSO filter that is able to pass the ticket to the Alfresco Repository?
0 Kudos

afaust
Legendary Innovator
Legendary Innovator
In response to shibu

‎04-19-2013 09:39 AM

Hello,

you develop a Java class that implements the Java Servlet API interface "Filter" and register it in the web.xml of Share. In that class, the doFilter method needs to take care of passing a ticket from the request URI to the backend Repository to verify / validate. Please take a look at the Alfresco class SSOAuthenticationFilter for an example of a similar filter available by default.

Regards
Axel
0 Kudos

afaust
Legendary Innovator
Legendary Innovator

‎04-24-2013 05:55 PM

Hello,

you need to use "wcservice" not "service" in your URL, otherwise SSO will not be procesed ("/service/" and "/s/" never have SSO enabled).

Regards
Axel
0 Kudos

shibu
Champ in-the-making
Champ in-the-making
In response to afaust

‎04-25-2013 12:40 AM

Yes, I tried with wcservice. 

<%
URL url1 = new URL("http://localhost:8080/alfresco/wcservice/getticket"); 
HttpURLConnection conn = (HttpURLConnection) url1.openConnection();
conn.setRequestProperty("SsoUserHeader", "admin"); 
for (int i = 0;; i++) { 
   String headerName = conn.getHeaderFieldKey(i);  
   String headerValue = conn.getHeaderField(i);   
   System.out.println(headerName + "===");  
   System.out.println(headerValue);  
   if (headerName == null && headerValue == null) {     break;   } 
}


Its giving Internal Server error. SSO is not happening.


null===
HTTP/1.1 500 Internal Server Error
Server===
Apache-Coyote/1.1
Content-Type===
text/html;charset=UTF-8
Transfer-Encoding===
chunked
Date===
Thu, 25 Apr 2013 04:39:39 GMT
Connection===
close
null===
null


What I have to do here to get the ticket?
0 Kudos

afaust
Legendary Innovator
Legendary Innovator

‎04-27-2013 03:39 PM

Hello,

what is the precise error in the logs?

Regards
Axel
0 Kudos
Getting started

Tags

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2025 Khoros, LLC