Configuring mod_sso?

OlivierM_
Star Contributor

Is there any recent document describing the use of org.nuxeo.ecm.platform.login.mod_sso ?

1 ACCEPTED ANSWER

OlivierM_
Star Contributor

Ok, some more information about what I'm fighting against. I installed org.nuxeo.ecm.platform.login.mod_sso (it's shown in the list after INFO [org.nuxeo.runtime.deployment.preprocessor.DeploymentPreprocessor] Preprocessing order:).

On server start, it's shown as registered and merged as an authenticator:

2011-09-16 15:03:17,730 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: BASIC_AUTH
2011-09-16 15:03:18,959 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] registered AuthenticationPluginDescriptor: PROXY_AUTH
2011-09-16 15:03:18,960 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: PROXY_AUTH

(among others)

I configured my extension point to read the requested header:

  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="authenticators">
    <authenticationPlugin
        name="PROXY_AUTH"
        enabled="true"
        class="org.nuxeo.ecm.platform.ui.web.auth.proxy.ProxyAuthenticator">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <parameter name="ssoHeaderName">HTTP_AUTH_USER</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>

And I even tested - by pointing my reverse proxy at a simple PHP page showing phpinfo() - that the env var is sent. So, as far as I'm concerned, everything should work. But when I try to access the instance through the proxy, the login page is shown (and working). According to my logs:

2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin BASIC_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin FORM_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Looking for user/password in the request
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBENGINE_FORM_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin ANONYMOUS_AUTH
2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBSERVICES_AUTH
2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache
2011-09-16 16:03:07,538 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Forward to Login Screen

For the sake of completeness (sorry for the lengthy post), here is my plugin chain:

  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="chain">
    <authenticationChain>
      <plugins>
        <!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
        <plugin>BASIC_AUTH</plugin>
        <plugin>PROXY_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>

So it looks like my plugin chain (BASIC_AUTH, then PROXY_AUTH) isn't even taken into account. Any idea, anyone?


2 REPLIES 2

OlivierM_
Star Contributor

Ok, I'll be answering myself here. It was actually pretty simple, I only needed to:

  • know how to force my authenticationChain to prevail (as explained here)
  • forget about my PHP "knowledge" and set the ssoHeaderName to "Auth-User" instead of "HTTP_AUTH_USER".

And then, with all that, my Nuxeo instance is officially connected to LemonLDAP::NG (through a reverse-proxy, CAS/Shibboleth might come later).
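
The header-name fix above, as an added example that is not part of the original post or of Nuxeo's code: PHP's phpinfo() shows the request header Auth-User under its CGI variable name HTTP_AUTH_USER, while ssoHeaderName has to hold the header name itself. The check below flags CGI-style values in a contribution file; the `<component>` wrapper, the sample component name and the function names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the authenticator contribution from the question,
# wrapped in a hypothetical <component> root so it parses as one document.
SAMPLE = """
<component name="sample.proxy.auth.config">
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
             point="authenticators">
    <authenticationPlugin name="PROXY_AUTH" enabled="true"
        class="org.nuxeo.ecm.platform.ui.web.auth.proxy.ProxyAuthenticator">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <parameter name="ssoHeaderName">HTTP_AUTH_USER</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
</component>
"""

# Shape of a CGI meta-variable derived from a request header (RFC 3875).
CGI_VAR = re.compile(r"^HTTP_[A-Z0-9_]+$")


def cgi_name(header):
    """Name under which CGI/PHP exposes an HTTP request header."""
    return "HTTP_" + header.upper().replace("-", "_")


def likely_header(cgi_var):
    """Best-guess wire name for a CGI variable. The mapping is lossy
    (case and '-' versus '_' cannot be recovered), so this is only a hint."""
    words = cgi_var[len("HTTP_"):].split("_")
    return "-".join(w.capitalize() for w in words)


def check_sso_header_names(xml_text):
    """Return (plugin, configured value, suggested header) for every
    ssoHeaderName that looks like a CGI variable rather than a header."""
    findings = []
    root = ET.fromstring(xml_text)
    for plugin in root.iter("authenticationPlugin"):
        for param in plugin.iter("parameter"):
            value = (param.text or "").strip()
            if param.get("name") == "ssoHeaderName" and CGI_VAR.match(value):
                findings.append((plugin.get("name"), value, likely_header(value)))
    return findings
```

Run against the configuration from the question, `check_sso_header_names(SAMPLE)` reports PROXY_AUTH with the suggested header Auth-User; with the corrected value it returns an empty list.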
