
Testing External Authentication

arbitraryname
Champ in-the-making
Hello,

I am trying to configure external authentication.


authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm

external.authentication.proxyUserName=secretAccount
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=X-Alfresco-Remote-User



Then I used a simple REST client to make a few calls to

/alfresco/service/api/login?u={1}&pw={2}


First I made a call as a user to get a ticket. This resulted in 123

Then I made a call with the secret account to get their ticket. 321

Then I made a call with the secret account and with the header set to the original user's username. I still got 321.

This tells me the external authentication is not working; or my test is flawed.

Can someone help me diagnose this?

niketapatel
Star Contributor
I think your test is flawed.

First, this login script /api/login doesn't require any authentication. Any user can hit it and get a ticket. Its logic is to get a ticket for the provided user ID and password, NOT for the one in the header.

To verify external authentication, try some other script like /alfresco/wcservice/slingshot/dashlets/my-contents: pass the user ID in the header and verify.

Other thing: you need to use wcservice, NOT service. Please check this link for details - https://wiki.alfresco.com/wiki/Web_Scripts

/service => HTTP Basic Authentication e.g. http://localhost:8080/service/api/path/Workspace/SpacesStore/Company%20Home/children
/wcservice => Alfresco Explorer Authentication e.g. http://localhost:8080/wcservice/api/path/Workspace/SpacesStore/Company%20Home/children

Hope this helps!

arbitraryname
Champ in-the-making
I cannot seem to authenticate to that URL…

I turned on external auth, and still support Alfresco NTLM…

But when I set the authentication header to the base64 encoded value, i.e. Authorization: Basic {base64 username:password}

It won't authenticate that user. Am I doing that right?

I guess I don't know how to authenticate with my external user and set the header for another user.

arbitraryname
Champ in-the-making
So I had to abandon the Community edition I was running the test with on a VM.

What I did was enable external authentication through the admin console and left Alfresco and NTLM turned on. Next I created an account named secret via Share. I set the external authentication config to trust that secret account.

I can see the account work if I hit /service/ using an Authorization header previously configured to be Basic {base64 encode username:passwd}

But I can't seem to make that work on the wcservice endpoint. I even tried getting a ticket from /service and using that as ?alf_ticket=TICKET_blahblah.

So I guess my summary question is: how do I actually now authenticate with that secret account when I am calling the wcservice endpoint? Setting the header value to another's username is no problem, but I can't seem to figure out how to authenticate the requester.

arbitraryname
Champ in-the-making
I think I made a lot of progress. But I still don't seem to be triggering the subsystem (this time I configured it via the admin console).

We used /service/api/login?u=secretProxyUser&pw=password to get the ticket, which was TICKET_000000000000000000

Then we tried to talk to /wcservice/api/activities/feed/user?ticket=TICKET_000000000000000000, which successfully gave us a response of:

<link rel="self" href=""/>
<title>Alfresco Activities User Feed for secretProxyUser</title>
</feed>

Good news! We successfully authenticated as secretProxyUser, since we saw the user name in the XML.

Then we tried setting the "X-Alfresco-Remote-User" header as another user name in the system.

Sad news! The response came back as the same 'User Feed for secretProxyUser'.

Any tips anyone?

mrogers
Star Contributor
Why are you trying to use a ticket with external authentication?

arbitraryname
Champ in-the-making
I'm trying to use that ticket to authenticate the proxy user that is called out in the external authentication configuration.

After getting help to call under /wcservice to invoke the Alfresco authentication chain, I'm pretty lost as to how to actually now authenticate as the proxy user configured for external authentication.

I thought perhaps I could get a ticket from /service for the proxy user, and then use that to authenticate the call, then call out another user in the header, in hopes the external auth in the chain would run it as the user in the header value.

Eventually I want to use a web script to get back a ticket for another user in the system (the one called out in the header) and then I can use that ticket to make calls on their behalf.

In effect, all I really need to do is be able to get a ticket for another user based on knowing the username, in an Alfresco and NTLM forms/basic scheme with username and password stored in the repo.

arbitraryname
Champ in-the-making
I got external authentication to work, but only if I set the proxyUserName property to an empty string "".

In that case I can set the x-alfresco-header to a username and see the request run as that user.

I still think the root cause is my inability to authenticate the proxyUser account. Can anyone help me understand how to do that? All I have found is using a ticket, but that bypasses the rest of the authentication chain.
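An added example, not code from this thread or from Alfresco: a small Python model of the remote-user decision that niketapatel's reply (the login script ignores the header) and the poster's own results (a ticket for the proxy account does not trigger the subsystem, an empty proxyUserName does) both point at. It assumes that the proxy user is recognised by the servlet container's own remote user (what request.getRemoteUser() returns, set by container-level authentication such as a client certificate), not by an Alfresco ticket or by Basic credentials that Alfresco validates, and that the ticket/Basic user is only consulted when the external step yields no user (the alfrescoNtlm1 fallback in the chain from the first post). The user name "alice" and the Request stand-in are constructed for the example.

```python
# Added example: a simplified model (not Alfresco's code) of how an
# external-authentication remote-user mapper with a configured proxy user
# decides whom a request runs as. Assumed behaviour, consistent with what
# the thread observed: the proxy user is recognised by the servlet
# container's remote user (request.getRemoteUser()), not by an Alfresco
# ticket or Basic credentials that Alfresco itself validates; a ticket or
# Basic login is only consulted when the external step yields no user.
from dataclasses import dataclass, field
from typing import Dict, Optional

PROXY_HEADER = "X-Alfresco-Remote-User"  # the thread's external.authentication.proxyHeader


@dataclass
class Request:
    """Constructed stand-in for the parts of an HTTP request that matter here."""
    headers: Dict[str, str] = field(default_factory=dict)
    container_remote_user: Optional[str] = None  # set by container auth (e.g. client cert), else None
    ticket_user: Optional[str] = None            # user an alf_ticket or Basic login resolves to


def map_external_user(req: Request, proxy_user_name: Optional[str]) -> Optional[str]:
    """External-auth step: return the user the request should run as, or None."""
    if not proxy_user_name:            # unset or "": no proxy user configured
        proxy_user_name = None
    header_user = req.headers.get(PROXY_HEADER)
    remote_user = req.container_remote_user
    if proxy_user_name is None:
        # No proxy user: the header is trusted from *any* client. Safe only when
        # Alfresco is reachable solely through a front end that sets the header.
        return header_user or remote_user
    if remote_user == proxy_user_name:
        # The container authenticated the caller as the proxy user:
        # run as whoever the proxy names in the header.
        return header_user
    # Anyone else: the header is ignored.
    return remote_user


def resolve_user(req: Request, proxy_user_name: Optional[str]) -> Optional[str]:
    """Whole chain: external first, then fall back to the ticket/Basic user."""
    user = map_external_user(req, proxy_user_name)
    return user if user is not None else req.ticket_user


def thread_scenarios() -> Dict[str, Optional[str]]:
    """Replays the attempts described in this thread (constructed inputs)."""
    hdr = {PROXY_HEADER: "alice"}   # "alice" is a made-up impersonation target
    return {
        # Ticket for the proxy account plus header, proxyUserName set: the
        # container knows no remote user, so the external step yields nothing
        # and the chain falls back to the ticket (feed for secretProxyUser).
        "ticket+header, proxy set":
            resolve_user(Request(hdr, None, "secretProxyUser"), "secretProxyUser"),
        # Same request with proxyUserName = "": the header is trusted outright.
        "ticket+header, proxy empty":
            resolve_user(Request(hdr, None, "secretProxyUser"), ""),
        # proxyUserName = "" and no credentials at all: still alice. This is why
        # an empty proxy user must only be exposed behind a trusted front end.
        "header only, proxy empty":
            resolve_user(Request(hdr), ""),
        # The intended setup: the container (e.g. via a client certificate)
        # identifies the caller as the proxy user, so the header is honoured.
        "container proxy user + header":
            resolve_user(Request(hdr, "secretProxyUser"), "secretProxyUser"),
        # Header from a caller the container did not authenticate: ignored.
        "header only, proxy set":
            resolve_user(Request(hdr), "secretProxyUser"),
    }


if __name__ == "__main__":
    for name, who in thread_scenarios().items():
        print(f"{name:32} -> runs as {who}")
```

The model shows why the two things tried here cannot work together: a ticket or Basic login proves identity to Alfresco's own authentication, while the proxy-user check looks at the identity the container attached to the request, so the header is only honoured once the container (not Alfresco) has authenticated the caller as the proxy user. It also shows the cost of the empty-string workaround: with no proxy user, any client that can reach Alfresco directly and set X-Alfresco-Remote-User runs as the user it names.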