
External SSO in alfresco share

ramjoy22
Champ on-the-rise
I need to test external SSO in Alfresco Share.

I followed these steps:

1. Renamed alfresco-4.2.c/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml.
2. Uncommented both of the <config evaluator="string-compare" condition="Remote"> sections.



<config evaluator="string-compare" condition="Remote">
   <remote>
      <endpoint>
         <id>alfresco-noauth</id>
         <name>Alfresco - unauthenticated access</name>
         <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
         <connector-id>alfresco</connector-id>
         <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
         <identity>none</identity>
      </endpoint>

      <endpoint>
         <id>alfresco</id>
         <name>Alfresco - user access</name>
         <description>Access to Alfresco Repository WebScripts that require user authentication</description>
         <connector-id>alfresco</connector-id>
         <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
         <identity>user</identity>
      </endpoint>

      <endpoint>
         <id>alfresco-feed</id>
         <name>Alfresco Feed</name>
         <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
         <connector-id>http</connector-id>
         <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
         <basic-auth>true</basic-auth>
         <identity>user</identity>
      </endpoint>

      <endpoint>
         <id>activiti-admin</id>
         <name>Activiti Admin UI - user access</name>
         <description>Access to Activiti Admin UI, that requires user authentication</description>
         <connector-id>activiti-admin-connector</connector-id>
         <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
         <identity>user</identity>
      </endpoint>
   </remote>
</config>

<config evaluator="string-compare" condition="Remote">
   <remote>
      <keystore>
         <path>alfresco/web-extension/alfresco-system.p12</path>
         <type>pkcs12</type>
         <password>alfresco-system</password>
      </keystore>

      <connector>
         <id>alfrescoCookie</id>
         <name>Alfresco Connector</name>
         <description>Connects to an Alfresco instance using cookie-based authentication</description>
         <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      </connector>

      <connector>
         <id>alfrescoHeader</id>
         <name>Alfresco Connector</name>
         <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
         <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         <userHeader>SsoUserHeader</userHeader>
      </connector>

      <endpoint>
         <id>alfresco</id>
         <name>Alfresco - user access</name>
         <description>Access to Alfresco Repository WebScripts that require user authentication</description>
         <connector-id>alfrescoHeader</connector-id>
         <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
         <identity>user</identity>
         <external-auth>true</external-auth>
      </endpoint>
   </remote>
</config>



3. Modified alfresco-global.properties like this:

   authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
   external.authentication.proxyUserName=
   external.authentication.enabled=true
   external.authentication.defaultAdministratorUserNames=admin
   external.authentication.proxyHeader=SsoUserHeader

No other changes were made.
Do I need to do any further modifications?


I tried to access Alfresco from my JSP application as follows:



<%@ page import="java.net.URL, java.net.URLConnection" %>
Testing SSO <br>
<%
// Open a connection to Share and send the external-authentication header
URL url1 = new URL("http://localhost:8080/share/page");
URLConnection conn = url1.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestProperty("SsoUserHeader", "admin");
// Dump every response header; index 0 is the status line (its key is null)
for (int i = 0;; i++) {
   String headerName = conn.getHeaderFieldKey(i);
   String headerValue = conn.getHeaderField(i);
   System.out.println(headerName + "===");
   System.out.println(headerValue);
   if (headerName == null && headerValue == null) {
      break;
   }
}
%>


It's giving this output in the console:

 
***************
null===
HTTP/1.1 200 OK
Server===
Apache-Coyote/1.1
Set-Cookie===
JSESSIONID=89E6C0A9600DDA3675EEB633F5F3A248; Path=/share/; HttpOnly
Cache-Control===
no-cache
Content-Type===
text/html;charset=utf-8
Content-Language===
en-US
Transfer-Encoding===
chunked
Date===
Wed, 17 Apr 2013 13:52:24 GMT
null===
null
*************



The connection is successful here.

Now I need to test SSO.
How can I link from my JSP application to Alfresco Share?
When I am using response.redirect it shows the login page again.


afaust
Legendary Innovator
Hello,

you can't simply link from your JSP to Alfresco and expect external authentication to work. Your test inside the JSP works because you are directly manipulating a URLConnection. Unless you provide a way for new connections (regardless of whether they are redirected or pointed directly at Alfresco) to be authenticated and an HTTP header added transparently, external authentication will not work. You can't manipulate the HTTP headers of a request that is the result of a redirect.

For linking from an application to Alfresco without having a CAS (central authentication service) to provide real external authentication, I would evaluate the use of login tickets. I.e. have your application access Alfresco like you did in your test and obtain a ticket. Append that dynamically to the redirect URL to pass it to the client. This ticket will automatically login the user with the same context used in your JSP. You may have to provide a special SSO filter that is able to pass the ticket to the Alfresco Repository though - last I checked the default SSOAuthenticationFilter was not capable of passing a ticket.

Regards
Axel

ramjoy22
Champ on-the-rise
Thank you for the reply.
I would like to have some clarification:
1. When I am trying to connect using HttpURLConnection or URLConnection, how does the ticket get created?
2. When I make a request through URLConnection, will it return any ticket?
3. How can I get a ticket without giving a password?

Thank you
Ram

afaust
Legendary Innovator
Hello,

1) and 2) You need to implement a web script that generates and returns the ticket for the current user. This web script is addressed by the URI you use to set up a URLConnection. The ticket should be contained in the response body, which you need to evaluate in your JSP (or Java code) to extract the ticket. This can be done by a simple JavaScript / FreeMarker web script, using the JavaScript session root scope object to retrieve the ticket, i.e.
session.getTicket()


3) By using the external authentication approach you've already shown in your original post for the request to retrieve the ticket.

Regards
Axel
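One way to do the retrieval described above, as an added example rather than code from the thread: it calls the custom getticket web script through /wcservice with the SsoUserHeader, reads the ticket out of the response body, and builds the redirect URL. The class name, the base URLs and the alf_ticket parameter name (which only a custom Share filter would read) are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Hypothetical helper (example only): obtains a Repository ticket for an
// externally authenticated user via the custom "getticket" web script.
public final class TicketClient {

    private final String repoBase;   // e.g. http://localhost:8080/alfresco (assumed)

    public TicketClient(String repoBase) {
        this.repoBase = repoBase;
    }

    /**
     * GET {repoBase}/wcservice/getticket with the header named by
     * external.authentication.proxyHeader; returns the ticket from the
     * response body, or null when the call did not succeed.
     */
    public String fetchTicket(String userName) throws IOException {
        URL url = new URL(repoBase + "/wcservice/getticket");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");                    // no setDoOutput: keep it a GET
        conn.setRequestProperty("SsoUserHeader", userName);
        conn.setRequestProperty("Accept", "text/html");  // selects the html.ftl template
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            return null;                                 // 401 / 500: nothing usable
        }
        StringBuilder body = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                body.append(line);
            }
        }
        String ticket = body.toString().trim();
        // Tickets look like TICKET_<hex>; anything else is an error page, not a ticket
        return ticket.startsWith("TICKET_") ? ticket : null;
    }

    /** Redirect target for the browser; the ticket travels as a query parameter. */
    public static String shareUrlWithTicket(String shareBase, String ticket) throws IOException {
        return shareBase + "/page?alf_ticket=" + URLEncoder.encode(ticket, "UTF-8");
    }
}
```

The Repository trusts the SsoUserHeader from any client that can send it, so with external.authentication.proxyUserName left empty the Repository port must be reachable only from the application that is allowed to assert identities.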

shibu
Champ in-the-making
I just created a web script to get the ticket of Alfresco Share. The steps I did are:


1. Created getticket.get.desc.xml

<webscript>
   <shortname>Get User Ticket</shortname>
   <description>Personalized greeting</description>
   <url>/getticket</url>
   <authentication>user</authentication>
   <negotiate accept="text/html">html</negotiate>
   <negotiate accept="application/json">json</negotiate>
</webscript>

2. Created getticket.get.html.ftl (plain text)

${session.getTicket()}


Next I tried to get it in the JSP code:


<%@ page import="java.net.URL, java.net.URLConnection" %>
<%
// Call the getticket web script with the external-authentication header
URL url1 = new URL("http://localhost:8080/alfresco/service/getticket");
URLConnection conn = url1.openConnection();
conn.setRequestProperty("SsoUserHeader", "admin");
// Dump every response header; index 0 is the status line (its key is null)
for (int i = 0;; i++) {
   String headerName = conn.getHeaderFieldKey(i);
   String headerValue = conn.getHeaderField(i);
   System.out.println(headerName + "===");
   System.out.println(headerValue);
   if (headerName == null && headerValue == null) {
      break;
   }
}
%>


Output:

null===
HTTP/1.1 401 Unauthorized
Server===
Apache-Coyote/1.1
WWW-Authenticate===
Basic realm="Alfresco"
Content-Type===
text/html;charset=utf-8
Content-Length===
951
Date===
Mon, 22 Apr 2013 13:23:58 GMT
null===
null


1) How can I get the ticket here? It's telling me unauthorized. I can't provide a password as it is external SSO.

shibu
Champ in-the-making
Can you please tell, how to provide a special SSO filter that is able to pass the ticket to the Alfresco Repository?

afaust
Legendary Innovator
Hello,

you develop a Java class that implements the Java Servlet API interface "Filter" and register it in the web.xml of Share. In that class, the doFilter method needs to take care of passing a ticket from the request URI to the backend Repository to verify / validate. Please take a look at the Alfresco class SSOAuthenticationFilter for an example of a similar filter available by default.

Regards
Axel
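A sketch of such a filter, added here as an example and not Alfresco's own SSOAuthenticationFilter: it accepts an alf_ticket query parameter only after the Repository's ticket-validation web script (GET /alfresco/service/api/login/ticket/{ticket}) confirms it. The session attribute name, the hard-coded Repository URL and the parameter name alf_ticket are assumptions; populating Share's own user session from the validated ticket, and registering the filter in Share's web.xml, follow the same pattern as SSOAuthenticationFilter.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical Share filter (example only, not Alfresco's SSOAuthenticationFilter):
// a ticket from the request URI is trusted only after the Repository confirms it.
public class TicketValidatingFilter implements Filter {

    // Assumed values: Share-side session attribute and the Repository base URL
    static final String SESSION_TICKET_ATTR = "validatedAlfTicket";
    static final String REPO_BASE = "http://localhost:8080/alfresco";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String ticket = http.getParameter("alf_ticket");
        // Check the shape first, then ask the Repository; never trust the parameter alone
        if (ticket != null && ticket.matches("TICKET_[0-9A-Za-z]+") && isValidTicket(ticket)) {
            http.getSession(true).setAttribute(SESSION_TICKET_ATTR, ticket);
        }
        // With no valid ticket the request falls through to Share's normal login handling
        chain.doFilter(req, res);
    }

    /** GET /service/api/login/ticket/{ticket} answers 200 only while the ticket is live. */
    static boolean isValidTicket(String ticket) throws IOException {
        String enc = URLEncoder.encode(ticket, "UTF-8");
        URL url = new URL(REPO_BASE + "/service/api/login/ticket/" + enc + "?alf_ticket=" + enc);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);   // a hung Repository must not hang Share
        conn.setReadTimeout(5000);
        return conn.getResponseCode() == HttpURLConnection.HTTP_OK;
    }

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }
}
```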

afaust
Legendary Innovator
Hello,

you need to use "wcservice" not "service" in your URL, otherwise SSO will not be processed ("/service/" and "/s/" never have SSO enabled).

Regards
Axel

shibu
Champ in-the-making
Yes, I tried with wcservice.

<%@ page import="java.net.URL, java.net.HttpURLConnection" %>
<%
// Same call as before, but through /wcservice so the SSO filter chain is applied
URL url1 = new URL("http://localhost:8080/alfresco/wcservice/getticket");
HttpURLConnection conn = (HttpURLConnection) url1.openConnection();
conn.setRequestProperty("SsoUserHeader", "admin");
// Dump every response header; index 0 is the status line (its key is null)
for (int i = 0;; i++) {
   String headerName = conn.getHeaderFieldKey(i);
   String headerValue = conn.getHeaderField(i);
   System.out.println(headerName + "===");
   System.out.println(headerValue);
   if (headerName == null && headerValue == null) {
      break;
   }
}
%>


It's giving an Internal Server Error. SSO is not happening.


null===
HTTP/1.1 500 Internal Server Error
Server===
Apache-Coyote/1.1
Content-Type===
text/html;charset=UTF-8
Transfer-Encoding===
chunked
Date===
Thu, 25 Apr 2013 04:39:39 GMT
Connection===
close
null===
null


What I have to do here to get the ticket?

afaust
Legendary Innovator
Hello,

what is the precise error in the logs?

Regards
Axel