03-31-2017 06:37 AM
Hello,
We are working on a web application which provides documents to users. We use SSO to allow access – so we have only the username of the person who is connected (we don't have the password). Documents are stored in Alfresco. We suppose we have all access information (permissions) for a concrete document set only in Alfresco (ACL).
We would like to connect the web application to Alfresco over CMIS.
How can we get (over CMIS) the documents for which only one concrete user has permission rights? Is it possible to connect over CMIS as “administrator” and get permission rights as some concrete user? Or is it possible to use some query to filter document results based on permission rights?
Thank you for your advice.
03-31-2017 08:13 AM
Hi,
this seems to be a concept that wouldn't use Alfresco's potential.
What about getting an Alfresco ticket via SSO and connecting over CMIS with user "ROLE_TICKET", using the ticket as password?
04-03-2017 01:54 AM
Thank you for your advice. I will try to get more information about using the ticket as a password.
04-04-2017 08:00 AM
I'm trying to find out how it works and what is necessary to configure. We have Alfresco Community v5.1.0 and CAS SSO.
I suppose the web application gets a ticket from the SSO server after user login. This ticket is used to connect to Alfresco via CMIS. Alfresco connects to SSO to get information about the user based on the ticket.
I found an example of CAS configuration for Share. But I suppose in this case Alfresco has to be configured to connect to SSO.
Is any tutorial or example available?
Thanks
04-04-2017 09:37 AM
Have you already looked at "Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation"?
04-05-2017 05:00 AM
I found several examples but I wasn't sure which one should work with CMIS. Thank you for the link. I'm going to test it.
05-17-2017 07:56 AM
Hi,
I had a lot of problems finding a working configuration, but finally I use CAS SSO to log in to Share. It works as I expected (mod_auth_cas is used as described in the documentation above).
I can also get a proxy ticket from SSO. When I tried to connect over CMIS with user "ROLE_TICKET" and the ticket as password, an exception was thrown: org.apache.chemistry.opencmis.commons.exceptions.CmisConnectionException: Unexpected document! Received: HTML document.
I suppose it is because the SSO login page is sent. Therefore I changed mod_auth_cas.conf - the URL to CMIS is not under SSO. The exception has changed to org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException.
I think cmis(alfresco) has to have information where CAS SSO server is located (URL). Without this information alfresco can't send query to SSO to get user (based on ticket). But SSO server information is set only in "apache" configuration. Am I right? Is it possible to let alfresco know the SSO server URL?
Thanks
Regards
Petr
05-17-2017 09:49 AM
Try to debug it a little - try to access the cmis url directly over tomcat, avoiding apache. There it should accept the ROLE_TICKET. I think that OpenCMIS itself has no CAS Plugin, so you're on the right way when you try to avoid CAS when accessing the CMIS endpoint (you want the ROLE_TICKET user).
Is the ticket you describe a valid alf_ticket?
I use a "dummy" webscript consisting just of a FreeMarker template to obtain a valid ticket and some user data via the configured SSO mechanism.
autoticket.desc.xml
    <webscript>
        <shortname>AutoTicket</shortname>
        <description>returns SSO ticket</description>
        <url>/autoticket</url>
        <format default="json">extension</format>
        <authentication>user</authentication>
    </webscript>
autoticket.get.json.ftl
    alfUserData={
        "ticket":"${sessionticket.ticket}",
        "firstName":"${person.properties.firstName}",
        "lastName":"${person.properties.lastName}",
        "userName":"${person.properties.userName}",
        "email":"${person.properties.email!''}"
    };
I needed the json form, because I'm using it in an angular SPA, but you can also return XML or HTML (see WebScript documentation)
When you invoke this webscript over .../alfresco/wcservice/autoticket.json it uses the configured SSO mechanism. Then use this ticket, when accessing cmis - avoid CAS then.
${sessionticket.ticket} is only valid for new alfresco versions. In older versions it was ${session.ticket}
Maybe this helps.
05-24-2017 08:19 AM
When I read your response, I think I understood everything wrong before.
I thought I had to configure Alfresco/Share to use CAS SSO. Then a user uses SSO to connect to my web application. This application gets a Proxy Ticket from CAS SSO and uses it to connect to Alfresco over CMIS.
The ticket I was thinking of has nothing to do with alf_ticket.
So, do I understand it correctly now that I have to write some webscript which will return an alf_ticket (the input parameter will be only the user name)? My web application has information about the connected user, so it will call this script to get the alf_ticket, and then this ticket will be used to connect over CMIS.
05-24-2017 08:50 AM
ahhh, there is too much ticketing here and we lost context on the way 🙂
Yes, the virtual user ROLE_TICKET needs a valid alf_ticket used as password. You can obtain this ticket with a simple WebScript when you login to alfresco manually or supported by a SSO solution like CAS.
Obtain the alf_ticket from, for example, .../alfresco/wcservice/autoticket.json (if you provided it to Alfresco - you should be authenticated automatically via your CAS SSO when accessing a WebScript over wcservice) and use the returned alf_ticket as password for the user ROLE_TICKET when opening a CMIS session.
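The approach described in this thread, sketched as an added example for a Java client using OpenCMIS (this is not code from any poster): it pulls the alf_ticket out of the `alfUserData={...};` body returned by the autoticket webscript, opens a CMIS session as ROLE_TICKET with the ticket as password, and runs a query, whose results Alfresco filters by the permissions of the user the ticket belongs to. The class name, the ticket pattern (`TICKET_` plus hex digits) and the AtomPub URL passed as an argument are assumptions.

```java
import java.util.*;
import java.util.regex.*;
import org.apache.chemistry.opencmis.client.api.*;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

public class TicketCmisClient {   // hypothetical class name
    // Assumed ticket shape: "TICKET_" followed by hex digits. Anything else is rejected.
    private static final Pattern TICKET =
        Pattern.compile("\"ticket\"\\s*:\\s*\"(TICKET_[0-9a-fA-F]+)\"");

    /** Extracts the alf_ticket from the autoticket.json body ("alfUserData={...};"). */
    static String extractTicket(String body) {
        Matcher m = TICKET.matcher(body);
        if (!m.find()) {
            // Typical cause: the SSO login page (HTML) came back instead of the webscript output.
            throw new IllegalArgumentException("no alf_ticket found in webscript response");
        }
        return m.group(1);
    }

    /** Opens a CMIS session as the virtual user ROLE_TICKET, with the ticket as password. */
    static Session openSession(String atomPubUrl, String ticket) {
        // The ticket is a bearer credential for the user's whole session: never send it in clear.
        if (!atomPubUrl.startsWith("https://")) {
            throw new IllegalArgumentException("refusing to send an alf_ticket over plain HTTP");
        }
        Map<String, String> params = new HashMap<>();
        params.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        params.put(SessionParameter.ATOMPUB_URL, atomPubUrl);
        params.put(SessionParameter.USER, "ROLE_TICKET");
        params.put(SessionParameter.PASSWORD, ticket);
        SessionFactory factory = SessionFactoryImpl.newInstance();
        return factory.getRepositories(params).get(0).createSession();
    }

    public static void main(String[] args) {
        // args[0]: CMIS AtomPub URL of the repository (assumption: reachable without CAS in front).
        // stdin:   body returned by .../alfresco/wcservice/autoticket.json for the logged-in user.
        String body = new Scanner(System.in, "UTF-8").useDelimiter("\\A").next();
        Session session = openSession(args[0], extractTicket(body));
        // Only documents the ticket's user may read are returned.
        for (QueryResult row : session.query("SELECT cmis:name FROM cmis:document", false)) {
            String name = row.getPropertyValueById("cmis:name");
            System.out.println(name);
        }
    }
}
```

The ticket is read from standard input rather than a command-line argument so it does not appear in the process list, and it is never written to the output.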