
Secure Login

draymer
Champ in-the-making
Hello,
I would like to implement secure login.

I am deploying Alfresco Labs 3 in a reverse proxy configuration using Apache.
My current plan is to force any requests to
http://example.com/alfresco/faces/jsp/login.jsp
to be rewritten and redirected to
https://example.com/alfresco/faces/jsp/login.jsp

My constraints are:
1) use https to display login form and post credentials
2) use http for everything else

The problem is the Login(guest) link at
http://example.edu/alfresco/faces/jsp/dashboards/container.jsp

sends the browser to the login page, but the url remains
http://example.edu/alfresco/faces/jsp/dashboards/container.jsp

This makes it impossible to satisfy both of my constraints; there is no way for apache rewrite to determine what the context is based on the url alone.

My question is, how can I make alfresco *always* show the url as
http://example.com/alfresco/faces/jsp/login.jsp

whenever a login link is clicked?

Also, if there is an alternative to achieving secure login, I am open to suggestions.

Thank you for any help in advance,
-Dorian
1 REPLY 1

zaizi
Champ in-the-making
Hi,

My constraints are:
1) use https to display login form and post credentials
2) use http for everything else

This opens up another security hole. Once the user is logged in, their session information in the cookie will be transmitted over insecure http. The session is then open to hijacking. There are well documented methods to deal with this with secure and non-secure cookies.

However, if you still want to do the login over https, check out org.alfresco.web.app.servlet.AuthenticationFilter. This does the redirecting to the login page (assuming the default Alfresco authentication). Update it to check if the request is secure and to redirect it over the correct scheme.
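The session-cookie exposure raised in the reply, as an added example that is not part of the original thread: it models a browser with Python's standard-library cookie jar, logging in over https and then requesting a page over http. The `JSESSIONID` value, the `Path` and the use of one host for both URLs are constructed assumptions.

```python
# Added example: models browser cookie handling with the standard-library jar.
import email.message
import http.cookiejar
import urllib.request

LOGIN_URL = "https://example.com/alfresco/faces/jsp/login.jsp"
PAGE_URL = "http://example.com/alfresco/faces/jsp/dashboards/container.jsp"

# Constructed Set-Cookie values; JSESSIONID is the servlet container's
# default session cookie name, the value is a placeholder.
PLAIN_COOKIE = "JSESSIONID=CONSTRUCTED0123; Path=/alfresco"
SECURE_COOKIE = "JSESSIONID=CONSTRUCTED0123; Path=/alfresco; Secure"


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_after_login(set_cookie, next_url):
    """Log in over HTTPS, then return the Cookie header sent to next_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(LOGIN_URL))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


def exposure_report():
    """Map each cookie variant to what the follow-up request would carry."""
    return {
        "plain": cookie_header_after_login(PLAIN_COOKIE, PAGE_URL),
        "secure": cookie_header_after_login(SECURE_COOKIE, PAGE_URL),
        "secure_over_https": cookie_header_after_login(
            SECURE_COOKIE, PAGE_URL.replace("http://", "https://", 1)),
    }


if __name__ == "__main__":
    for variant, header in exposure_report().items():
        print(f"{variant:18} -> {header}")
```

A cookie marked `Secure` is withheld from the http request, so the http pages would not see the login session at all; a single session cookie cannot be both protected and usable under the "http for everything else" constraint.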