cancel
Showing results for 
Search instead for 
Did you mean: 

Difference between platform endpoints?

idwright
Star Collaborator
Star Collaborator

I haven't found any documentation about this so I thought I'd ask a question.

(I have all this working, I'm just trying to understand it all a bit better)

My aim is to have SSO set up and configured - share is relatively straightforward but I'm trying to understand the detail behind the platform/repo endpoints as the documentation doesn't really cover this.

I think the only URL I need to expose is: /alfresco/s/admin/admin-communitysummary (or /alfresco/s/enterprise/admin)

The information for configuring a proxy Configuring SSL for a production environment | Alfresco Documentation is pretty good here but I think the /alfresco mount point exposes rather more than is necessary these days

I think /alfresco would be better as:

JkMount /alfresco/s/admin alfresco-worker
JkMount /alfresco/s/admin/* alfresco-worker
JkMount /alfresco/admin/css/* alfresco-worker

(For enterprise add /service/enterprise/admin/* and /s/enterprise/admin/* ?)

(And if you're using the nice new ootb support tools extension

JkMount /alfresco/s/ootbee/* alfresco-worker
JkMount /alfresco/ootbee-support-tools/* alfresco-worker

)

The implication here is that these, or at least /alfresco/.../admin, are the endpoints that need to be covered by SSO at the alfresco level (have I missed anything?) + the ones for public API access if you want those

The authentication mappings in alfresco/WEB-INF/web.xml seem to have changed a fair bit recently

(a clue! - there is a CSRF token filter on /service/enterprise/admin/* and /s/enterprise/admin/*)

There appear to be authentication filters around /wcs and /wcservice, as well as /api, /webdav and /cmisatom

The documentation on configuration the SSO endpoint (incidentally the examples don't even all have the same number of endpoints listed...) Configuring Alfresco Share to use an external SSO | Alfresco Documentation (code doesn't match text...), Configuring the Share default port | Alfresco Documentation  and Configuring the Share default port | Alfresco Documentation has for a long time said to use the wcs endpoint in share-custom-config.xml when external auth is being used, however now I believe that the s endpoint is recommended (although it's not entirely clear) e.g. [ACE-5661] External authentication Problem with CAS - Alfresco JIRA (and other issues) see the comment from Kevin Roast

So this is a rather long winded way of asking what is the purpose of the /wcs endpoint and how does it differ from the /s endpoint? (obviously there are authentication filters in front of /wcs)

1 ACCEPTED ANSWER

afaust
Legendary Innovator
Legendary Innovator

The /wcs endpoint is essentially the same as the /s endpoint, but only with a different HTTP authentication factory being used during the dispatch to the web script layer. The /s endpoint (actually, the /service endpoint - /s is just an alias) uses a simple authentication factory that only supports HTTP BASIC. /wcs (or to be more precise /wcservice) uses an authentication factory that ties in with the Repository-tier SSO handling and thus is required to be used by Share when enabling SSO there.

View answer in original post

2 REPLIES 2

cesarista
World-Class Innovator
World-Class Innovator

Hi Ian:

I have the same question. First, I agree that Share SSO is quite straightfoward, configuring external auth subsystem and enabling the Remote configuration in Share. For old Alfresco Explorer, we needed to add additional cas client library in /alfresco/WEB-INF/lib and to change web.xml as you commented, which is not necessary for Alfresco 5, except in Admin Console (and maybe for /alfresco/webdav).

On the other hand, I can only say that I have seen the WCS endpoint, when activating Remote config in Alfresco Share configured for an external or NTLM based SSO. I understood that Alfresco Share needed /wcs endpoint to pass NTML challenge for Alfresco Repository Services (in case of AlfrescoNtlm with SSO). I would expect in this case, that once enabled /wcs you can go directly to admin console via /alfresco/wcs instead of /alfresco/s. Maybe it is not the case with an external web SSO like CAS.

Regards.

--C.

afaust
Legendary Innovator
Legendary Innovator

The /wcs endpoint is essentially the same as the /s endpoint, but only with a different HTTP authentication factory being used during the dispatch to the web script layer. The /s endpoint (actually, the /service endpoint - /s is just an alias) uses a simple authentication factory that only supports HTTP BASIC. /wcs (or to be more precise /wcservice) uses an authentication factory that ties in with the Repository-tier SSO handling and thus is required to be used by Share when enabling SSO there.