
State of CAS and Share in 3.4b?

piercehanley
Champ in-the-making
Has anyone tried integrating Alfresco Share with CAS in 3.4b?  I find a lot of conflicting and outdated info when I'm searching about how to set it up correctly.

Specifically, I'm wondering what, if anything, is still necessary to do the X509 setup.  This thread has a bunch of people (quite recently) having issues with it, and the last poster indicates that compiling CAS from source is no longer necessary.  Does that mean that 3.4 has a way around that requirement?

In my particular case, the CAS environment is not owned by our group and is used by several other applications which apparently don't need X509 functionality.  As a result, it's going to be hard to convince them that they need to reconfigure the server, let alone recompile it per the instructions in the wiki.  Is it strictly necessary to do so?  Is there a way to set up Share 3.4b to connect to Alfresco without it?  What if we weren't actually using the Explorer application?  Could we just disable mod_auth_cas for /alfresco and leave it enabled for /share?  (this isn't ideal, since we do sometimes use explorer… just grasping at straws here)

Any advice or experiences would be very handy.  Seems like a decent number of people want this to work but the documentation is not actively maintained or newbie-friendly.
4 REPLIES

piercehanley
Champ in-the-making
Okay, so the Explorer application works fine with CAS at the moment.  I've been trying to piece together what exactly I'm supposed to do to get the Share application working as well, from the various forum posts and JIRA comments out there.  My current share-config-custom.xml is:

<alfresco-config>

   <!-- Repository Library config section -->
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <!--
         Whether the link to the Repository Library appears in the header component or not.
      -->
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <!-- SSL client certificate + trusted CAs. Optionally used to authenticate share to an external SSO system such as CAS -->
         <keystore>
            <path>alfresco/web-extension/alfresco-system.p12</path>
            <type>pkcs12</type>
            <password>alfresco-system</password>
         </keystore>

         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.connector.AlfrescoConnector</class>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://tomcathost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>

      </remote>
   </config>

</alfresco-config>

…and my Share web.xml comments out the Share SSO Authentication filter and its mappings, per this JIRA comment.

When I try to access Share with no CAS cookies, mod_auth_cas redirects me to the login form appropriately.  But when I log in, I get the following exception page:

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.extensions.surf.exception.PlatformRuntimeException: 11020001 Failed to init Request Context: Unable to fault user as safeguard during init request context
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:659)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

root cause

org.springframework.extensions.surf.exception.PlatformRuntimeException: 11020001 Failed to init Request Context: Unable to fault user as safeguard during init request context
   org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:61)
   org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:97)
   org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

root cause

org.springframework.extensions.surf.exception.RequestContextException: Unable to fault user as safeguard during init request context
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:110)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:53)
   org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:57)
   org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:97)
   org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

root cause

org.springframework.extensions.surf.exception.UserFactoryException: Unable to retrieve user from repository
   org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:179)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:176)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)
   org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:202)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:106)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:53)
   org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:57)
   org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:97)
   org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

root cause

org.springframework.extensions.surf.exception.UserFactoryException: Unable to create user - failed to retrieve user metadata:
   org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:168)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:176)
   org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)
   org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:202)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:106)
   org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:53)
   org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:57)
   org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:97)
   org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
   org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
   org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
   org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
   org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
   org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
   org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
   org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
   javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
   org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

Does anyone have any idea whether what I'm trying to do is even possible in the current version of Alfresco?  Is mod_auth_cas broken?  Has anyone tried the alternative solution described here with success in 3.4?

I'd really appreciate any feedback or advice; if what I'm trying to do isn't possible then I'd like to know sooner rather than later.  Thanks!
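
The share-config-custom.xml posted above combines a PKCS#12 client keystore and `<external-auth>true</external-auth>` with an `http://` endpoint URL, and a TLS client certificate can only be presented over HTTPS. The following Python check is an added example, not part of the original post or of Alfresco; the function name `audit_share_config`, the finding labels and the embedded sample (constructed from the posted file) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample, trimmed from the share-config-custom.xml in the post.
SAMPLE = """<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <keystore>
        <path>alfresco/web-extension/alfresco-system.p12</path>
        <type>pkcs12</type>
        <password>alfresco-system</password>
      </keystore>
      <endpoint>
        <id>alfresco</id>
        <connector-id>alfrescoCookie</connector-id>
        <endpoint-url>http://tomcathost:8080/alfresco/wcs</endpoint-url>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>
</alfresco-config>"""

def audit_share_config(xml_text):
    """Return (finding, detail) tuples for a Share <remote> configuration."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical cause: comment delimiters mangled by copy/paste ("<!–").
        return [("not-well-formed", str(exc))]
    findings = []
    for remote in root.iter("remote"):
        has_keystore = remote.find("keystore") is not None
        for ks in remote.findall("keystore"):
            if (ks.findtext("password") or "").strip():
                # The keystore password sits in clear text in the config file.
                findings.append(("keystore-password-in-file", ks.findtext("path", "")))
        for ep in remote.findall("endpoint"):
            ep_id = ep.findtext("id", "")
            scheme = urlparse((ep.findtext("endpoint-url") or "").strip()).scheme
            external = (ep.findtext("external-auth") or "").strip().lower() == "true"
            if external and scheme != "https":
                findings.append(("external-auth-over-plaintext", ep_id))
                if has_keystore:  # no TLS handshake, so no client certificate
                    findings.append(("client-cert-never-presented", ep_id))
    return findings

if __name__ == "__main__":
    for finding, detail in audit_share_config(SAMPLE):
        print(f"{finding}: {detail}")
```
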

garyhodgson
Champ in-the-making
Hi there,

I too have arrived at this point (Explorer with CAS works fine, but the X509 integration with Share seems not to work) and would also like to hear if anyone has more information about whether CAS integration is broken with 3.4b, or is there a step that we're missing?

Cheers,
Gary

piercehanley
Champ in-the-making
So I see that as of today, ALF-3941 has been fixed and seems to be related to at least some of the CAS integration issues (David Ward notes this on ALF-2788 as well).

I'm almost afraid to ask, is this going to make it into a stable community release sometime soon?  Is it an easy change that can be patched into 3.4b, or alternatively is there a working workaround for the 3.4 versions that have this bug?  What can I do to follow this issue and its fix now that the JIRA bugs are closed?

piercehanley
Champ in-the-making
Okay, the saga continues.

I did get CAS integrated with Alfresco Share after some updates to the Wiki page (see the bottom sections "Fedoras Core 14 install notes" and "Share wiring strategies").

Now that it's implemented and deployed, we find out that there were some documents linked from a separate website, which still need to be publicly available (i.e. to an unauthenticated user, via the "http://myhost/alfresco/d/…" addressing system).  Unfortunately, mod_auth_cas now sits in front of Alfresco and has no way of knowing if a URL requires an authenticated user or not, so it just directs all users to the CAS login page.

Does anyone have any idea how I can re-enable "Guest" access to Alfresco while also allowing the use of mod_auth_cas?

I was thinking something funky with mod_rewrite, such as the following.  However, I don't have any previous experience with mod_rewrite and may be doing it wrong:

   <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteLog c:/temp/rewrite.log
      RewriteLogLevel 9
      RewriteCond %{LA-U:REMOTE_USER} ^$
      RewriteRule ^/alfresco/?.*$ - [env=REMOTE_USER:Guest]
   </IfModule>

   <Location /alfresco>
      AuthType CAS
      AuthName "CAS"
#      require valid-user
      CASScope /alfresco
   
      ProxyPass balancer://balancer-alfresco/alfresco
      ProxyPassReverse balancer://balancer-alfresco/alfresco
   </Location>

What I want this to do is this:
1. When a URL is requested, look ahead to see what their username would be (%{LA-U:REMOTE_USER}).  This checks to see if they already authenticate successfully with mod_auth_cas.
2. If the user is empty (^$), rewrite the environment variable REMOTE_USER to be "Guest".
3. Forward the modified request to /alfresco, skipping mod_auth_cas's redirect because a REMOTE_USER has already been set.

This seems to almost work, except for step 3… nothing in my configuration seems to indicate that it should skip the mod_auth_cas check and go directly to /alfresco, and I don't know how to short-circuit that behavior.

I'm a bit stuck as to how to proceed here.  This is just the idea I came up with, but it may not be possible or the best solution.  Does anyone have Guest access working with the Alfresco Explorer application, and if so how did you implement it?

Thanks.