
User Session and Authentication Strategies

athrawn17
Champ on-the-rise
Hi everyone,
I was just wondering this forum's thoughts about Session management and user authentication.

I'm doing a Proof of Concept with Alfresco and have decided to go down the CMIS route.  So far, everything has been going well.  Now I'm to the point where I get to start messing around with different users and I'm realizing that I've hit a roadblock.

The Session requires a password for the user to connect via CMIS.  Most applications that I've used don't actually store a user's password.  They either have the hash of the password, or they use a third party authentication system such as LDAP.  So I can't send a password over, and I don't see any other way to authenticate remotely with Alfresco via the CMIS Specification.

So… my next thought is to use the old "system user" strategy to authenticate once with the CMIS provider and then set the CREATED_BY and MODIFIED_BY property of the documents.  The downside of this is that I lose the ACL mechanisms because the provider sees all requests as one person.  The other downside that I'm seeing with Alfresco is that it ignores these properties and uses the authenticated user as the values for the CREATED/MODIFIED_BY properties.

At this point I'm stuck, I cannot see a way to use CMIS to manage multiple Sessions with different users.  Can anyone provide any guidance for me?

athrawn17
Champ on-the-rise
As I do more investigation on this, does anyone know if the external authentication subsystem can be used with CMIS?  I'm trying to configure it now, but not having any luck yet, I have the header set and can see the value coming over, but it is still wanting a password.

athrawn17
Champ on-the-rise
For all the pomp and circumstance around Alfresco's CMIS implementation, you are sure quiet on this forum……

gclaussn
Champ in-the-making
I don't see the problem. If you have an application which should be used by different users, you might have something like a login screen where the user types in a password; why not use these also for the Alfresco account…

Maybe you can give me more information on what exactly you are planning to do.

best regards, gclaussn

athrawn17
Champ on-the-rise
I don't see the problem. If you have an application which should be used by different users, you might have something like a login screen where the user types in a password; why not use these also for the Alfresco account…

Maybe you can give me more information on what exactly you are planning to do.

best regards, gclaussn

  • In order to send the password to alfresco, we would have to store it in plain text.  This is a bad thing to do from a security perspective.

  • Our application never actually sees the password, since it is proxied to a SSO server.  We know the username as that is returned from the proxy, but never the password.

  • We could send a token to alfresco, or use a header property to tell alfresco that the user has already been authenticated, but the CMIS implementation requires a username/password.
And that was my original question.  When using CMIS, what authentication strategies are available besides sending a username/password?  I don't see any other solutions.

gclaussn
Champ in-the-making
I also see no other way than plain text…
Alfresco requires this:
<url>/api/login?u={username}&pw={password?}</url>
Maybe there is a way to customize the login strategy by replacing classes or manipulating webscripts, but I think that's not the point of your work.

nicolasraoul
Star Contributor
Hi Athrawn17,

Indeed that surprised me too, but in my CMIS browser I ended up storing the username/password of the user as plain text, and sending them at each request.

Another thing that feels weird:
In my app, the username/login success screen does not use the credentials to perform anything, so I don't know if the credentials are valid or not, until the next screen. So if I enter a wrong password, I am told "logged in" but actually an authentication error will appear later. I guess this could be fixed by performing a useless CMIS operation, for instance listing the repository root.

I believe the best solution, if possible in your environment, is to setup SSO, so that no login/password is needed at all. gclaussn, am I right on this?

Cheers!
Nicolas Raoul

gclaussn
Champ in-the-making
Hi Nicolas,

I don't really know if this is possible when using Alfresco.

Performing an operation is a good way; I managed it in the same way, after creating a CMIS session in my application. But the repository root is not a good idea… I used the getRepositoryInfo operation, which works fine for an administrator, but not for a normal user (they are not allowed to see this information). Also the repository root is not good, I think, when you have users that can just read/write their own home directory and existing sub directories.

best regards, gclaussn
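The credential check that Nicolas and gclaussn describe above (verify the username/password right at login with an operation the user is actually allowed to perform, rather than learning about the failure on a later screen), written as an added OpenCMIS example that is not from the thread or from Alfresco. It assumes the OpenCMIS client library is on the classpath, a placeholder AtomPub endpoint, and that the user's home folder lives under the Alfresco default path "/User Homes/<username>".

```java
// Added example (not from the thread): open an OpenCMIS session and prove the
// credentials immediately with a cheap, low-privilege operation.
// Assumptions: OpenCMIS client on the classpath, a placeholder endpoint URL,
// and user home folders under "/User Homes/<username>" (Alfresco default).
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.Repository;
import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.api.SessionFactory;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;
import org.apache.chemistry.opencmis.commons.exceptions.CmisPermissionDeniedException;
import org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException;

public class CmisLoginCheck {
    // Placeholder endpoint; replace with the real repository URL.
    static final String ATOMPUB_URL = "https://alfresco.example/alfresco/cmisatom";

    /** Returns a session only once the user's credentials have been verified. */
    static Session login(String user, String password) {
        Map<String, String> params = new HashMap<>();
        params.put(SessionParameter.USER, user);
        // The password is held in memory for this session only; never persist it.
        params.put(SessionParameter.PASSWORD, password);
        params.put(SessionParameter.ATOMPUB_URL, ATOMPUB_URL);
        params.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());

        SessionFactory factory = SessionFactoryImpl.newInstance();
        try {
            // Listing repositories already sends the Basic auth header, so a bad
            // password usually surfaces here as CmisUnauthorizedException.
            List<Repository> repos = factory.getRepositories(params);
            Session session = repos.get(0).createSession();
            // Probe with something the user may always read: their own home folder.
            // As noted in the thread, getRepositoryInfo() and the root folder can be
            // denied to ordinary users, which would look like a failed login.
            session.getObjectByPath("/User Homes/" + user);
            return session;
        } catch (CmisUnauthorizedException e) {
            throw new IllegalArgumentException("wrong username or password", e);
        } catch (CmisPermissionDeniedException e) {
            // Authenticated, but the home folder is unreadable: a setup problem, not a bad login.
            throw new IllegalStateException("user cannot read own home folder", e);
        }
    }
}
```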