External Auth Subsystem for SSO in Alfresco and Share

11-29-2009 06:39 AM
Hello Alfrescians,
I'm trying to get the external authentication subsystem to work with Alfresco 3.2r2. I need Alfresco Explorer and Share to authenticate users based on an HTTP header. I use the default x-remote-alfresco-user for this. From 3.2r2 this is working for Alfresco Explorer like a dream. But I can't get Share to work based on this.
In my setup I'm running Alfresco 3.2r2 on CentOS 5.3 with Tomcat 6.0.20 and Sun JDK 1.6.0_14. For the authentication I'm using Apache. At the moment Apache is just asking for basic authentication against a password file. When the user is authenticated, the HTTP header is added and sent through to Alfresco. Alfresco detects the user in the header and authenticates it via the external authentication subsystem.
My Share configuration is:

<config evaluator="string-compare" condition="Remote">
  <remote>
    <!-- SSL client certificate + trusted CAs. Optionally used to authenticate Share to an external SSO system such as CAS -->
    <keystore>
      <path>alfresco/web-extension/alfresco-system.p12</path>
      <type>pkcs12</type>
      <password>******</password>
    </keystore>
    <connector>
      <id>alfrescoCookie</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using cookie-based authentication</description>
      <class>org.alfresco.connector.AlfrescoConnector</class>
    </connector>
    <endpoint>
      <id>alfresco</id>
      <name>Alfresco - user access</name>
      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
      <connector-id>alfrescoCookie</connector-id>
      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
    </endpoint>
  </remote>
</config>

When Share receives a request, I see the HTTP header is added in the logging:

11:40:53,175 DEBUG [httpclient.wire.header] >> "GET /alfresco/wcs/webframework/content/metadata?user=kbonnet HTTP/1.1[\r][\n]"
11:40:53,175 DEBUG [org.apache.commons.httpclient.HttpMethodBase] Adding Host request header
11:40:53,187 DEBUG [httpclient.wire.header] >> "X-Alfresco-Remote-User: kbonnet[\r][\n]"

But on the Alfresco side, the header isn't picked up:

11:40:53,223 DEBUG [org.alfresco.web.scripts.servlet.WebScriptServlet] Processing request (GET) http://localhost:8080/alfresco/wcs/webframework/content/metadata?user=kbonnet
11:40:53,285 DEBUG [org.alfresco.web.scripts.AbstractRuntime] (Runtime=ServletRuntime, Container=Repository) Processing script url (GET) /webframework/content/metadata
11:40:53,287 DEBUG [org.alfresco.web.scripts.DeclarativeRegistry] Web Script index lookup for uri /webframework/content/metadata took 1.46ms
11:40:53,288 DEBUG [org.alfresco.web.scripts.servlet.WebScriptServletRequest] Content Type: null
11:40:53,289 DEBUG [org.alfresco.web.scripts.AbstractRuntime] Agent: null
11:40:53,289 DEBUG [org.alfresco.web.scripts.AbstractRuntime] Invoking Web Script org/alfresco/webframework/metadata.get (format html, style: argument, default: html)
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Current authentication: unauthenticated
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Authentication required: user
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Guest login requested: false
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
11:40:53,392 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Redirecting to Alfresco Login
11:40:53,393 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Authentication reset: unauthenticated

In the Share logging I see the login page being returned instead of the JSON info on the user, which of course results in an exception.
Why isn't Alfresco processing the HTTP header the same way as when it's coming from a user via Apache? When I do the request "/alfresco/wcs/webframework/content/metadata?user=kbonnet" via Apache to have the header added, I just get the JSON info. When I do the same request directly on Tomcat with wget (and including the header), I get the login page. I am sure Share is adding the header, because for debugging I changed the endpoint URL to a JSP page which shows all the headers, and I saw the header added by Share.
I'm not implementing mod_auth_cas on purpose. I just want users to be trusted based on the HTTP header. In the final situation there will be an authentication layer based on OpenASelect. This is a CAS-like service that will authenticate users, add headers and send them through to the application layer. I feel I am so close because I see Share adding the header. Alfresco just isn't processing it.
Any clues?
Kind regards,
Koen Bonnet
11-30-2009 05:39 AM
I recently found a problem in this area and will be merging a fix to HEAD shortly.
The trouble is that in order to use just the header to provide the user ID to the Alfresco web app, without using a secured connection and a 'proxy user', you would need to set the external.authentication.proxyUserName property to the empty string, as follows:
external.authentication.proxyUserName=
The trouble is, there appears to be a problem with the overriding of property values to be the empty string. At the moment you would have no option but to edit this value in
$TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-filter.properties
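The following is an added example, not Alfresco's code and not from either poster: a simplified model of the two things this thread turns on, the header-trust decision that sends Koen's direct Share request to the login page, and the property-override problem David describes. The trust rule and the default proxy user name "alfresco-system" are assumptions made for the model; the header name is the one from Koen's log.

```python
"""Simplified model of the external-auth decision discussed in this thread.
Added example, not Alfresco's code: the trust rule below and the default
proxy user name are assumptions used to reproduce the observed behaviour."""

DEFAULTS = {
    "external.authentication.proxyHeader": "X-Alfresco-Remote-User",
    # Assumed non-empty default: the caller must be authenticated as this
    # proxy user before its header is trusted.
    "external.authentication.proxyUserName": "alfresco-system",
}


def resolve_property(defaults, overrides, drop_empty_overrides):
    """Merge extension overrides onto the subsystem defaults.

    drop_empty_overrides=True models the problem David describes: an override
    set to the empty string is discarded and the default value survives.
    """
    merged = dict(defaults)
    for key, value in overrides.items():
        if drop_empty_overrides and value == "":
            continue  # the empty override is silently lost
        merged[key] = value
    return merged


def external_auth_user(props, headers, remote_user):
    """Return the user the repository would authenticate as, or None.

    headers     -- request headers as sent by Share or by wget
    remote_user -- principal the container itself authenticated (for example
                   via an SSL client certificate); None when the request
                   arrived anonymously over plain HTTP
    """
    header_name = props["external.authentication.proxyHeader"].lower()
    proxy_user = props["external.authentication.proxyUserName"]
    header_value = next(
        (v for k, v in headers.items() if k.lower() == header_name), None)
    if proxy_user == "":
        # No proxy user configured: the header is trusted from ANY caller,
        # so Tomcat must only be reachable through the trusted front end.
        return header_value
    if remote_user == proxy_user:
        return header_value  # connection owned by the proxy user
    # Anonymous or other caller with a non-empty proxy user: the header is
    # ignored ("Redirecting to Alfresco Login" in Koen's log).
    return remote_user
```

With the defaults, Share's anonymous request carrying X-Alfresco-Remote-User yields no user; only when the empty proxyUserName actually takes effect (file edit rather than a dropped override) does the same request authenticate as kbonnet.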

11-30-2009 05:44 AM
Hi David,
Thanks for your reply! I will try this and let you know. I don't have big problems with this workaround, since I can override the subsystem configuration in the extension root, right?
Thanks.
Koen
11-30-2009 05:48 AM
No. I am trying to tell you that the extension based override mechanism doesn't work in this instance. I will fix it so that it does ASAP.

11-30-2009 06:20 AM
🙂 Got it. When the property gets a value it cannot be overridden to have no value.
It worked for me. For now I will do with this workaround. Thanks a lot!
Koen

12-03-2009 04:48 AM
I moved my followup question about logging into share based on HTTP headers to the Share topic, because it's slightly different from the question above.
http://forums.alfresco.com/en/viewtopic.php?f=47&t=23657
03-22-2010 06:24 AM
I came across the same situation, having the same requirement to authenticate using an external system, and came across the same error. I changed the proxyUserName to empty. Still I get the exception. What should be done?
