Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How do I integrate with nuxeo-platform-login-portal-sso in my portal?

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator

‎12-22-2011 12:10 PM

I want to use nuxeo-platform-login-portal-sso for authentication, but how do I communicate the client authentication info exactly?

1 ACCEPTED ANSWER

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator

‎12-22-2011 12:58 PM

First, note that nuxeo-platform-login-portal-sso is a bit of a misnomer, what this module really does is establish a shared-secret method of authenticating between the Nuxeo server and a client.

Server

On the server side, you establish it using something like:

<extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="authenticators">
  <authenticationPlugin name="PORTAL_AUTH">
    <loginModulePlugin>Trusting_LM</loginModulePlugin>
    <parameters>
      <parameter name="secret">MySharedSecret</parameter>
      <parameter name="maxAge">60</parameter>
    </parameters>
  </authenticationPlugin>
</extension>

<!-- Include Portal Auth into authentication chain -->
<extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="chain">
  <authenticationChain>
    <plugins>
      <!--  Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
      <plugin>BASIC_AUTH</plugin>
      <plugin>PORTAL_AUTH</plugin>
      <plugin>FORM_AUTH</plugin>
    </plugins>
  </authenticationChain>
</extension>

Here we've chosen to name this authentication method PORTAL_AUTH. Note that the secret parameter contains the shared secret that the client will have to know.

Client

On the client side, you could use one of the existing clients:

Using nuxeo-http-client

nuxeo-http-client is a sample Java client to do REST calls to Nuxeo. You can configure it connect to a server that uses nuxeo-platform-login-portal-sso by doing:

NuxeoServer nxServer = new NuxeoServer("http://127.0.0.1:8080/nuxeo");
nxServer.setAuthType(NuxeoServer.AUTH_TYPE_SECRET);
nxServer.setSharedSecretAuthentication("Administrator", "MySharedSecret");

See src/test/java/org/nuxeo/ecm/http/client/remote/tests/RemoteTests.java in nuxeo-http-client for more.

Using nuxeo-automation-client

nuxeo-automation-client is a more modern Nuxeo Java client using high-level Document abstractions. You can configure it to connect to a server that uses platform-login-portal-sso by doing:

HttpAutomationClient client = new HttpAutomationClient("http://localhost:8080/nuxeo/site/automation");
client.setRequestInterceptor(new PortalSSOAuthInterceptor("MySharedSecret", "Administrator"));
Session session = client.getSession();

See src/test/java/org/nuxeo/ecm/automation/client/jaxrs/test/SampleSSOPortal.java in nuxeo-automation-client for more.

Manual HTTP calls

If you want to do all the calls to Nuxeo yourself, you'll have to decide which HTTP requests to make, and in addition you'll have to send some specific headers to authenticate. The HTTP headers are:

  • NX_TS: the timestamp, in milliseconds since epoch, when you're generating the request.
  • NX_RD: a few some random characters.
  • NX_USER: the user as whom you want to authenticate.
  • NX_TOKEN: a token proving authentication generated using the algorithm BASE64_MD5(timestamp + ":" + random + ":" + secret + ":" + user)

The token contains the secret but in a hashed form which cannot be reversed by an eavesdropper to generate new requests. The timestamp is used to avoid replay attacks (the delta with the real time on the server cannot be more than the maxAge specified on the server). The random characters are used to avoid pre-computed dictionary attacks.

The following Java code can be used:

import java.security.MessageDigest;
import javax.xml.bind.DatatypeConverter;

public String makeToken(String timestamp, String random, String secret,
        String user) throws Exception {
    String clearToken = timestamp + ":" + random + ":" + secret + ":"
            + user;
    byte[] md5 = MessageDigest.getInstance("MD5").digest(
            clearToken.getBytes());
    return DatatypeConverter.printBase64Binary(md5);
}

As a validation of your code, check that makeToken("1324572561000", "qwertyuiop", "secret", "bob") returns 8y4yXfms/iKge/OtG6d2zg==

View answer in original post

6 REPLIES 6

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator

‎12-22-2011 12:58 PM

First, note that nuxeo-platform-login-portal-sso is a bit of a misnomer, what this module really does is establish a shared-secret method of authenticating between the Nuxeo server and a client.

Server

On the server side, you establish it using something like:

<extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="authenticators">
  <authenticationPlugin name="PORTAL_AUTH">
    <loginModulePlugin>Trusting_LM</loginModulePlugin>
    <parameters>
      <parameter name="secret">MySharedSecret</parameter>
      <parameter name="maxAge">60</parameter>
    </parameters>
  </authenticationPlugin>
</extension>

<!-- Include Portal Auth into authentication chain -->
<extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="chain">
  <authenticationChain>
    <plugins>
      <!--  Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
      <plugin>BASIC_AUTH</plugin>
      <plugin>PORTAL_AUTH</plugin>
      <plugin>FORM_AUTH</plugin>
    </plugins>
  </authenticationChain>
</extension>

Here we've chosen to name this authentication method PORTAL_AUTH. Note that the secret parameter contains the shared secret that the client will have to know.

Client

On the client side, you could use one of the existing clients:

Using nuxeo-http-client

nuxeo-http-client is a sample Java client to do REST calls to Nuxeo. You can configure it connect to a server that uses nuxeo-platform-login-portal-sso by doing:

NuxeoServer nxServer = new NuxeoServer("http://127.0.0.1:8080/nuxeo");
nxServer.setAuthType(NuxeoServer.AUTH_TYPE_SECRET);
nxServer.setSharedSecretAuthentication("Administrator", "MySharedSecret");

See src/test/java/org/nuxeo/ecm/http/client/remote/tests/RemoteTests.java in nuxeo-http-client for more.

Using nuxeo-automation-client

nuxeo-automation-client is a more modern Nuxeo Java client using high-level Document abstractions. You can configure it to connect to a server that uses platform-login-portal-sso by doing:

HttpAutomationClient client = new HttpAutomationClient("http://localhost:8080/nuxeo/site/automation");
client.setRequestInterceptor(new PortalSSOAuthInterceptor("MySharedSecret", "Administrator"));
Session session = client.getSession();

See src/test/java/org/nuxeo/ecm/automation/client/jaxrs/test/SampleSSOPortal.java in nuxeo-automation-client for more.

Manual HTTP calls

If you want to do all the calls to Nuxeo yourself, you'll have to decide which HTTP requests to make, and in addition you'll have to send some specific headers to authenticate. The HTTP headers are:

  • NX_TS: the timestamp, in milliseconds since epoch, when you're generating the request.
  • NX_RD: a few some random characters.
  • NX_USER: the user as whom you want to authenticate.
  • NX_TOKEN: a token proving authentication generated using the algorithm BASE64_MD5(timestamp + ":" + random + ":" + secret + ":" + user)

The token contains the secret but in a hashed form which cannot be reversed by an eavesdropper to generate new requests. The timestamp is used to avoid replay attacks (the delta with the real time on the server cannot be more than the maxAge specified on the server). The random characters are used to avoid pre-computed dictionary attacks.

The following Java code can be used:

import java.security.MessageDigest;
import javax.xml.bind.DatatypeConverter;

public String makeToken(String timestamp, String random, String secret,
        String user) throws Exception {
    String clearToken = timestamp + ":" + random + ":" + secret + ":"
            + user;
    byte[] md5 = MessageDigest.getInstance("MD5").digest(
            clearToken.getBytes());
    return DatatypeConverter.printBase64Binary(md5);
}

As a validation of your code, check that makeToken("1324572561000", "qwertyuiop", "secret", "bob") returns 8y4yXfms/iKge/OtG6d2zg==

Go to answer
hachicha_
Champ in-the-making
Champ in-the-making
In response to Florent_Guillau

‎01-31-2012 09:39 AM

With Nuxeo DM 5.5, I tried to use <i>nuxeo-platform-login-portal-sso</i> for authentication using <i>nuxeo-http-client</i> but I have always 401 reponse when calling <i>client.getSession()</i>. Inside server.log, I have this lines

0 Kudos

Go to answer
OlivierM_
Star Contributor
Star Contributor
In response to Florent_Guillau

‎02-01-2012 11:38 AM

How does that integrate with other SSO uses? Like if I want to authenticate nuxeo through REMOTE_USER-like environment variable, but still connecting clients to it like you described above?

0 Kudos

Go to answer
mike_frey
Champ in-the-making
Champ in-the-making
In response to Florent_Guillau

‎08-24-2012 09:19 PM

Does this approach work if I do not have the user's name/password in LDAP, SQL, or a config file or do I need to have the user name defined somewhere? Is there a need for a "user" entity for documentation ownership, ACls, etc?

0 Kudos

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator
In response to Florent_Guillau

‎08-30-2012 03:45 PM

This (the first long comment) was posted as an answer but is not an answer. Please ask questions as new questions.

0 Kudos

Go to answer
Florent_Guillau
World-Class Innovator
World-Class Innovator
In response to Florent_Guillau

‎08-30-2012 03:47 PM

mike

0 Kudos
Getting started

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2024 Khoros, LLC