Two approaches spring to mind:
.
Cheers,
Peter
- Implement some kind of SSO (NTLM, CAS, Siteminder, what-have-you) across both Alfresco and the third party applications, then ensure that all Web Scripts are called via /alfresco/wcservice (which uses whatever authentication mechanism the Web Client has been configured with ie. SSO. /alfresco/service always uses HTTP basic auth).
- Implement the Web Script in Java with authentication set to "none" or "guest", then internally have the code call the AuthenticationUtil.runAs() method (http://dev.alfresco.com/resource/docs/java/repository/org/alfresco/repo/security/authentication/Auth...) with a different user id to change the authenticated context mid-stream (this API doesn't require knowledge of the password). Note that with this option you may have to figure out how to pass the user id to the Web Script in a way that can't be spoofed by users of the Web Script.
.Cheers,
Peter
I had a go at #1 - using CAS Client to filter /wcservice by following http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration and adding some filter-mappings on /wcservice
I made a bit of progress, SSO is working fine for the web client but not for web scripts.
Webscript requests do get redirected to CAS and back but then the Alfresco login page is displayed, and even then I can't log in. I just get redirected back to the same page (even carefully typing the creds).
I had a look at the code in the SVN HEAD, but it seems that the AuthenticationHelper code is called differently from the web client. ie not from the filter but from deep within WebScriptServlet.java.This might be where the authenticaton is failing, causing a redirect to the login page…
I'm happy to keep digging with this, but it would be good to get some pointers into the documentation, if there are any wiki pages describing the authentication architecture at this level of detail, and should I be reconfiguring the Spring framework to modify the behaviour or just go in and fix the existing code?
thanks
-Mike
I made a bit of progress, SSO is working fine for the web client but not for web scripts.
Webscript requests do get redirected to CAS and back but then the Alfresco login page is displayed, and even then I can't log in. I just get redirected back to the same page (even carefully typing the creds).
I had a look at the code in the SVN HEAD, but it seems that the AuthenticationHelper code is called differently from the web client. ie not from the filter but from deep within WebScriptServlet.java.This might be where the authenticaton is failing, causing a redirect to the login page…
I'm happy to keep digging with this, but it would be good to get some pointers into the documentation, if there are any wiki pages describing the authentication architecture at this level of detail, and should I be reconfiguring the Spring framework to modify the behaviour or just go in and fix the existing code?
thanks
-Mike
Interesting thread; permit me to revive it! 
ops: I am trying to figure out how authentication can work in my Java backed web-scripts. Most of my Javascript work in Web Scripts is authenticating as "guest", so I would like to do that in Java backed web script too. Can someone explain what I am observing below?
In a regular Javascript webscript, I can access this repository space which is open to the guest user. Here is the 1 line of Javascript code that returns a valid noderef.
Exception net.sf.acegisecurity.BadCredentialsException: Bad credentials presented. It fails on the call to resolveNamePath().
Would DeclarativeWebScript behave any differently than AbstractWebScript? Thanks for any insight you can shed on this!
ops: I am trying to figure out how authentication can work in my Java backed web-scripts. Most of my Javascript work in Web Scripts is authenticating as "guest", so I would like to do that in Java backed web script too. Can someone explain what I am observing below?In a regular Javascript webscript, I can access this repository space which is open to the guest user. Here is the 1 line of Javascript code that returns a valid noderef.
model.nodeTest = companyhome.childByNamePath( "/Projects/Applications/sessions/1234.txt" );Exception net.sf.acegisecurity.BadCredentialsException: Bad credentials presented. It fails on the call to resolveNamePath().
NodeRef companyHomeRef = getRepositoryContext().getCompanyHome();
FileInfo fi = getServiceRegistry().getFileFolderService().resolveNamePath(companyHomeRef, pathElements);Would DeclarativeWebScript behave any differently than AbstractWebScript? Thanks for any insight you can shed on this!
