09-16-2011 08:01 AM
Is there any recent document describing the use of org.nuxeo.ecm.platform.login.mod_sso ?
09-16-2011 12:11 PM
Ok, some more information about what I'm fighting against. I installed org.nuxeo.ecm.platform.login.mod_sso (it's shown in the list after INFO [org.nuxeo.runtime.deployment.preprocessor.DeploymentPreprocessor] Preprocessing order:).
On server start, it's shown as registered and merged as an authentificator:
2011-09-16 15:03:17,730 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: BASIC_AUTH
2011-09-16 15:03:18,959 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] registered AuthenticationPluginDescriptor: PROXY_AUTH
2011-09-16 15:03:18,960 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: PROXY_AUTH
(among others)
I configured my extension point to read the requested header :
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="authenticators">
<authenticationPlugin
name="PROXY_AUTH"
enabled="true"
class="org.nuxeo.ecm.platform.ui.web.auth.proxy.ProxyAuthenticator">
<loginModulePlugin>Trusting_LM</loginModulePlugin>
<parameters>
<parameter name="ssoHeaderName">HTTP_AUTH_USER</parameter>
</parameters>
</authenticationPlugin>
</extension>
And I even tested - by pointing my reverse proxy on a simple PHP page showing phpinfo() - that the env var is sent. So, as far as I'm concerned, everything should work. But when I try to access the instance through the proxy, login page is shown (and working). According to my logs :
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin BASIC_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin FORM_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Looking for user/password in the request
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBENGINE_FORM_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin ANONYMOUS_AUTH
2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBSERVICES_AUTH
2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache
2011-09-16 16:03:07,538 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Forward to Login Screen
For the sake of completeness (sorry for the lengthy post), here is my plugin chain :
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
<plugin>BASIC_AUTH</plugin>
<plugin>PROXY_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
So it looks like my plugin chain (BASIC_AUTH, then PROXY_AUTH) isn't even taken into account. Any idea, anyone?
09-16-2011 12:11 PM
Ok, some more information about what I'm fighting against. I installed org.nuxeo.ecm.platform.login.mod_sso (it's shown in the list after INFO [org.nuxeo.runtime.deployment.preprocessor.DeploymentPreprocessor] Preprocessing order:).
On server start, it's shown as registered and merged as an authentificator:
2011-09-16 15:03:17,730 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: BASIC_AUTH
2011-09-16 15:03:18,959 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] registered AuthenticationPluginDescriptor: PROXY_AUTH
2011-09-16 15:03:18,960 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: PROXY_AUTH
(among others)
I configured my extension point to read the requested header :
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="authenticators">
<authenticationPlugin
name="PROXY_AUTH"
enabled="true"
class="org.nuxeo.ecm.platform.ui.web.auth.proxy.ProxyAuthenticator">
<loginModulePlugin>Trusting_LM</loginModulePlugin>
<parameters>
<parameter name="ssoHeaderName">HTTP_AUTH_USER</parameter>
</parameters>
</authenticationPlugin>
</extension>
And I even tested - by pointing my reverse proxy on a simple PHP page showing phpinfo() - that the env var is sent. So, as far as I'm concerned, everything should work. But when I try to access the instance through the proxy, login page is shown (and working). According to my logs :
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin BASIC_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin FORM_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Looking for user/password in the request
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBENGINE_FORM_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin ANONYMOUS_AUTH
2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBSERVICES_AUTH
2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache
2011-09-16 16:03:07,538 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Forward to Login Screen
For the sake of completeness (sorry for the lengthy post), here is my plugin chain :
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
<plugin>BASIC_AUTH</plugin>
<plugin>PROXY_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
So it looks like my plugin chain (BASIC_AUTH, then PROXY_AUTH) isn't even taken into account. Any idea, anyone?
09-23-2011 02:13 PM
Ok, I'll be answering myself here. It was actually pretty simple, only I needed to :
And then, with all that, my Nuxeo instance is officially connected to LemondLDAP::NG (through a reverse-proxy, CAS/Shibboleth might come later).
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.