External SSO in alfresco share

ramjoy22
Champ on-the-rise
I need to test external SSO in Alfresco Share.

I followed these steps:

1. Renamed alfresco-4.2.c/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml.
2. Uncommented both of the <config evaluator="string-compare" condition="Remote"> sections.



<config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not
            require authentication
        </description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that
                         require user authentication
        </description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via
                         the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
        
         <endpoint>
            <id>activiti-admin</id>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user
                         authentication</description>
            <connector-id>activiti-admin-connector</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/activiti-admin
            </endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
    </config>

<config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based
                          authentication
            </description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
        
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and
             cookie-based authentication
            </description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user
             authentication
            </description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>



3. Modified alfresco-global.properties as follows:

   authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
   external.authentication.proxyUserName=
   external.authentication.enabled=true
   external.authentication.defaultAdministratorUserNames=admin
   external.authentication.proxyHeader=SsoUserHeader

No other changes were made.
Do I need to do any further modifications?


I tried to access Alfresco from my JSP application as follows:



<%@ page import="java.net.URL, java.net.URLConnection" %>
Testing SSO <br>
<%
// Server-side request from the JSP to Share, carrying the SSO user header
URL url1 = new URL("http://localhost:8080/share/page");
URLConnection conn = url1.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestProperty("SsoUserHeader", "admin");
// Dump the response headers; index 0 is the status line (null key)
for (int i = 0;; i++) {
   String headerName = conn.getHeaderFieldKey(i);
   String headerValue = conn.getHeaderField(i);
   System.out.println(headerName + "===");
   System.out.println(headerValue);
   if (headerName == null && headerValue == null) {
      break;
   }
}
%>


It gives this output in the console:

 
***************
null===
HTTP/1.1 200 OK
Server===
Apache-Coyote/1.1
Set-Cookie===
JSESSIONID=89E6C0A9600DDA3675EEB633F5F3A248; Path=/share/; HttpOnly
Cache-Control===
no-cache
Content-Type===
text/html;charset=utf-8
Content-Language===
en-US
Transfer-Encoding===
chunked
Date===
Wed, 17 Apr 2013 13:52:24 GMT
null===
null
*************



The connection is successful here.

Now I need to test SSO.
How can I link from my JSP application to Alfresco Share?
When I am using response.redirect, it shows the login page again.
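
The two files edited in the steps above have to agree with each other, so a cross-check is useful before testing. This is an added example, not part of the original post or of Alfresco: the function names and finding codes are hypothetical, and the sample is a trimmed copy of the configuration quoted above. It assumes that an explicitly empty external.authentication.proxyUserName makes the Repository accept the user header from any caller.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: trimmed copy of the two "Remote" blocks and the properties
# quoted in the post (descriptions, keystore and unrelated endpoints dropped).
SHARE_CONFIG = """
<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <endpoint>
        <id>alfresco</id>
        <connector-id>alfresco</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
      </endpoint>
    </remote>
  </config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <connector>
        <id>alfrescoHeader</id>
        <userHeader>SsoUserHeader</userHeader>
      </connector>
      <endpoint>
        <id>alfresco</id>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>
</alfresco-config>
"""

GLOBAL_PROPERTIES = """
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=SsoUserHeader
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (line.partition("=") for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {key.strip(): value.strip() for key, _, value in pairs}


def load_remote(xml_text):
    """Collect connectors and endpoints from every condition="Remote" block."""
    connectors, endpoints = {}, defaultdict(list)
    for cfg in ET.fromstring(xml_text).iter("config"):
        if cfg.get("condition") != "Remote":
            continue
        for c in cfg.iter("connector"):
            connectors[c.findtext("id")] = (c.findtext("userHeader") or "").strip()
        for e in cfg.iter("endpoint"):
            endpoints[e.findtext("id")].append({
                "connector": e.findtext("connector-id"),
                "url": (e.findtext("endpoint-url") or "").strip(),
                "external": e.findtext("external-auth") == "true",
            })
    return connectors, endpoints


def audit(xml_text, props_text):
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    props = parse_properties(props_text)
    connectors, endpoints = load_remote(xml_text)
    findings = []
    for eid, defs in endpoints.items():
        if len({(d["connector"], d["url"]) for d in defs}) > 1:
            findings.append(("DUPLICATE_ENDPOINT",
                             f"'{eid}' has {len(defs)} differing definitions"))
        for d in (d for d in defs if d["external"]):
            header = connectors.get(d["connector"])
            if not header:
                findings.append(("NO_USER_HEADER", f"connector '{d['connector']}'"))
            elif header != props.get("external.authentication.proxyHeader"):
                findings.append(("HEADER_MISMATCH", f"Share sends '{header}'"))
    chain = props.get("authentication.chain", "").split(",")
    chain_types = [item.partition(":")[2].strip() for item in chain]
    if "external" not in chain_types or props.get("external.authentication.enabled") != "true":
        findings.append(("EXTERNAL_INACTIVE", "external subsystem is not active"))
    elif props.get("external.authentication.proxyUserName") == "":
        # Assumption: an empty proxyUserName means the header is trusted from any
        # caller, so only the SSO proxy should be able to reach the Repository.
        findings.append(("HEADER_TRUSTED_FROM_ANY_CALLER", "proxyUserName is empty"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SHARE_CONFIG, GLOBAL_PROPERTIES):
        print(code, "-", detail)
```
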

32 REPLIES 32

afaust
Legendary Innovator
Hello,

the (last) hurdle why this is not working (yet) seems to be the following lines of code from AlfrescoConnector (which is used to connect to the Repository based on "Remote"-config in share-config.xml / share-config-custom.xml):


        if (getCredentials() != null)
        {
            // if this connector is managing session info
            if (getConnectorSession() != null)
            {
                // apply alfresco ticket from connector session - i.e. previous login attempt
                alfTicket = (String)getConnectorSession().getParameter(AlfrescoAuthenticator.CS_PARAM_ALF_TICKET);
            }
        }


The getCredentials() != null check is preventing the connector from using the ticket you put into the connector session. You've got two choices here: 1) set "dummy" credentials to satisfy this check or 2) provide a custom connector (simply copy the AlfrescoConnector class, remove the check and adjust "Remote"-config to use your new class) that uses the ticket regardless.

I'd recommend alternative #2, since #1 is a more complex operation and faking credentials should not be considered good practice.

Regards
Axel

shibu
Champ in-the-making
Because of some issues I reinstalled Alfresco and tried to finish all the steps which I had already done. But I got stuck in one place.
I have updated both share-config-custom.xml and alfresco-global.properties as I mentioned in the first comment of this post to achieve external SSO. Then I created a webscript to get the ticket.

1. getticket.get.desc.xml

<webscript>
  <shortname>GET QDRIVE TICKET</shortname>
  <description>Getting QdriveTicket</description>
  <url>/getticket</url>
  <authentication>user</authentication>
  <negotiate accept="text/html">html</negotiate>
  <negotiate accept="application/json">json</negotiate>
</webscript>

2. getticket.get.json.ftl

${session.getTicket()}


Then I restarted Alfresco. In logs I am getting following errors.

org.springframework.extensions.webscripts.WebScriptException: 05060001 Web Script org/alfresco/repository/store/remoteadm.post
requires user authentication; however, a guest has attempted access.
   at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:321)
   at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:303)
   at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:433)
   at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:345)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:377)
   at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:209)
   at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:118)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.alfresco.repo.web.filter.beans.NullFilter.doFilter(NullFilter.java:68)
   at sun.reflect.GeneratedMethodAccessor384.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:601)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:116)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy236.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter.doFilter(WebScriptSSOAuthenticationFilter.java:140)
   at sun.reflect.GeneratedMethodAccessor384.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:601)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy236.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
   at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1813)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
   at java.lang.Thread.run(Thread.java:722)


Why is this error coming now?

shibu
Champ in-the-making
Replaced "org.alfresco.web.site.servlet.SlingshotAlfrescoConnector" class with my new Connector class in both connectors (alfrescoCookie and alfrescoHeader) defined in share-config-custom.xml.
Still the log in page is coming when I click the URL with appended ticket.

The modified class I am using is;

public class SlingshotAlfrescoConnector extends RequestCachingConnector
{
    private static final String CD_USER_HEADER = "userHeader";
    public static final String CS_PARAM_USER_HEADER = "userHeader";
    public SlingshotAlfrescoConnector(ConnectorDescriptor descriptor, String endpoint) {
        super(descriptor, endpoint);
    }
    private String getUserHeader() {
        String userHeader = descriptor.getStringProperty(CD_USER_HEADER);
        System.out.println("userHeader : " + userHeader);
        if (userHeader != null && userHeader.trim().length() == 0) {
            userHeader = null;
        }
        return userHeader;
    }
    @Override
    public void setConnectorSession(ConnectorSession connectorSession) {
        super.setConnectorSession(connectorSession);
        connectorSession.setParameter(CS_PARAM_USER_HEADER, getUserHeader());
        System.out.println(" connectorSession : " + connectorSession);
    }
    protected void applyRequestHeaders(RemoteClient remoteClient, ConnectorContext context) {
        super.applyRequestHeaders(remoteClient, context);  
        Map<String, String> headers = new HashMap<String, String>(8);
        if (context != null) {
            headers.putAll(context.getHeaders());
        }
        if (getCredentials() != null) {
            String user = (String) getCredentials().getProperty(Credentials.CREDENTIAL_USERNAME);
            String pass = (String) getCredentials().getProperty(Credentials.CREDENTIAL_PASSWORD);
            if (pass == null) {
                headers.put("X-Alfresco-Remote-User", user);
                System.out.println("X-Alfresco-Remote-User " + user);
            }
            String userHeader = getUserHeader();
            if (userHeader != null) {
                System.out.println("getUserHeader Not NULL: " + userHeader);
                headers.put(userHeader, user);
            }
        }
        String alfTicket = null;
        if (getConnectorSession() != null) {
            System.out.println("getConnectorSession() not NULL");
            // apply alfresco ticket from connector session - i.e. previous login attempt
            alfTicket = (String) getConnectorSession().getParameter(AlfrescoAuthenticator.CS_PARAM_ALF_TICKET);

            // added some code here that was written in the above if condition: if (getCredentials() != null)
            System.out.println("alfTicket : " + alfTicket);
            String user = "admin";
            headers.put("X-Alfresco-Remote-User", user);
            System.out.println("X-Alfresco-Remote-User Now : " + user);
            String userHeader = getUserHeader();
            if (userHeader != null) {
                System.out.println("getUserHeader NOW : " + userHeader);
                headers.put(userHeader, "admin");
            }
        }

        // Additionally setting the ticket in the remoteClient as done in the AlfrescoConnector.java class

        if (alfTicket != null) {
            System.out.println("Setting alf_ticket : " + alfTicket);
            remoteClient.setTicket(alfTicket);
            remoteClient.setTicketName("alf_ticket");
        }
        // stamp all headers onto the remote client
        if (headers.size() != 0) {
            System.out.println("size!=0");
            remoteClient.setRequestProperties(headers);
        }
    }
}

It prints the following lines in the catalina.out file when I click on the link.

FILTER IS EXECUTING-PRE
Initializing the SpecialSSOFilter. Ticket : TICKET_b5df0646f39c9b3bed6f29838990af7fbe1143d3
connectorService : org.springframework.extensions.webscripts.connector.ConnectorService@4ec4073f
connectorSession : org.springframework.extensions.webscripts.connector.ConnectorSession@3022d2c1
ALF_TICKET  TICKET_b5df0646f39c9b3bed6f29838990af7fbe1143d3
userHeader : SsoUserHeader
connectorSession : org.springframework.extensions.webscripts.connector.ConnectorSession@3022d2c1
getConnectorSession() not NULL
alfTicket : TICKET_b5df0646f39c9b3bed6f29838990af7fbe1143d3
X-Alfresco-Remote-User Now : admin
getUserHeader NOW : SsoUserHeader
Setting alf_ticket : TICKET_b5df0646f39c9b3bed6f29838990af7fbe1143d3
size!=0
FILTER IS EXECUTING-POST


Why is it still standing in the log in page itself?

sumantapakira
Champ in-the-making
Were you able to resolve this issue?

afaust
Legendary Innovator
Hello,

At some point you should add some log output from the Repository into the mix so it is easier to determine what might be the problem here. I suggest setting the Log4J logger org.alfresco.repo.web.scripts.servlet to DEBUG, which should show you what is being read from the Share request on the Repository side.
Also, if you have configured Remote to point at /alfresco/wcs, the ticket name of Alfresco is in fact just "ticket" (a gross inconsistency, I know, but unfortunately this is the case if you compare WebClientAuthenticator with BasicHttpAuthenticator).

Regards
Axel

shibu
Champ in-the-making
Yes, I have configured Remote to point at /alfresco/wcs.
Please have a look at the very first post; I have pasted my share-config-custom.xml there.
At the end of share-config-custom.xml, you can see;

<endpoint>
       <id>alfresco</id>
       <name>Alfresco - user access</name>
       <description>Access to Alfresco Repository WebScripts that require user
             authentication
       </description>
       <connector-id>alfrescoHeader</connector-id>
       <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
       <identity>user</identity>
       <external-auth>true</external-auth>
</endpoint>

Added following code in my connector class to test by setting alfresco ticket to the name "ticket";

remoteClient.setTicket(alfTicket);
remoteClient.setTicketName("ticket");
But, it didn't make any change.
What else can I do here if I am using Remote to point at /alfresco/wcs?

I added

log4j.logger.org.alfresco.repo.web.scripts.servlet=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory.WebClientAuthenticator=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory.BasicHttpAuthenticator=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.AuthenticatorServlet=debug

in both share/WEB-INF/classes/log4j.properties and alfresco/WEB-INF/classes/log4j.properties under the "# Repository" section.
Do I need to enable any more classes to show debug logs?
If yes, let me know the names of those classes. I am using Alfresco 4.2.c.

While clicking on the URL appended with the ticket; I got following logs in alfresco.log
12:19:35,427 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,427 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,455 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,455 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,471 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,472 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,513 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,514 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,525 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,525 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,566 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,566 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,653 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: true
12:19:35,653 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating ticket TICKET_3f345f7d803d5446b8319b3d18d72fe9101981cb
It shows, "Alfresco ticket provided: true" and "Authenticating ticket TICKET_3f345f7d803d5446b8319b3d18d72fe9101981cb" in the last line of above log.
Reloading of redirected URL "http://localhost:8080/share/page/user/admin/dashboard?ticket=TICKET_3f345f7d803d5446b8319b3d18d72fe9..." adding last two lines of logs[Alfresco ticket provided: true and Authenticating ticket TICKET_3f345f7d803d5446b8319b3d18d72fe9101981cb] in alfresco.log file each time.

Added "log4j.logger.org.alfresco.repo.security.authentication.AuthenticationUtil=debug" also in log4j.properties.
It adds following logs in "alfresco.log" file when redirecting to the URL appended with the ticket.

16:25:45,514 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: true
16:25:45,514 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating ticket TICKET_140e281e0d7423399353d111a7620b65d57699c7
16:25:45,514 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Removing the current security information.
16:25:45,514 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,514 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Creating new secure context.
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@68e066f4: Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@648752f6: Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,517 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Removing the current security information.
I am not getting any debug logs in share.log file. Logs are coming only in alfresco.log file.
I have added org.alfresco.repo.web.scripts.servlet to DEBUG in share/WEB-INF/classes/log4j.properties also.
As I am trying to implement SSO in an installed bundle, I can't add code in existing class files.
Please help me to find out the reason why SSO is not happening.

afaust
Legendary Innovator
Hello,

you can't use Repository classes for logging configuration in Share. In the Share log4j configuration, you might get some log results by enabling debug for org.alfresco.web.site / org.alfresco.web.scripts.

I don't really understand what the problem is at the moment. You are clearly being authenticated correctly on the Repository tier, so all the Connector/Authenticator-related modifications seem to work correctly. Without information on what is going on in Share (not just "sits on login page"), we won't be getting any further.

Regards
Axel

shibu
Champ in-the-making
Thanks AFaust,
I couldn't see any classes which belong to org.alfresco.web.site / org.alfresco.web.scripts.
Could you please list the class names which are being used in this case? Then I can see the logs by setting them to DEBUG mode.
Currently I have set the following classes only:

log4j.logger.org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory.WebClientAuthenticator=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory.BasicHttpAuthenticator=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.AuthenticatorServlet=debug
log4j.logger.org.alfresco.repo.security.authentication.AuthenticationUtil=debug

Please let me know rest of the classes using in this case for Authentication.

Printed all headers after putting each value in my custom alfresco-connector;

headers.toString()

It prints ;
{Accept-Language=en-us,en;q=0.5, ticket=TICKET_d8bd7c178ff04530ed2a7bbf09bae5e3ccff3da3, SsoUserHeader=admin, X-Alfresco-Remote-User=admin, alfTicket=TICKET_d8bd7c178ff04530ed2a7bbf09bae5e3ccff3da3, userHeader=SsoUserHeader, user=admin, alf_ticket=TICKET_d8bd7c178ff04530ed2a7bbf09bae5e3ccff3da3}


And, please let me know, How can I get more information on what is going on in Share?

shibu
Champ in-the-making
The default "AlfrescoConnector" class in Alfresco SVN sets the ticket in the remoteClient with the ticket name "alf_ticket". If I do the same thing in my custom connector, the ticket does not arrive on the repository side.
remoteClient.setTicketName("alf_ticket");
It results in:

10:43:53,398 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator]
Alfresco ticket provided: false

But setting the ticket name to only "ticket" is able to provide the ticket.
Will it make any inconsistency anywhere in the authentication root?
remoteClient.setTicketName("ticket");
It results in:

10:50:18,696 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator]
Alfresco ticket provided: true
10:50:18,696 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating ticket TICKET_d08252d8da4774ba40ee1b569150222e878a8085
net.sf.acegisecurity.providers.dao.User@1f27c908:
Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
10:50:18,704 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@66a5ec39:
Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
10:50:18,704 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@66a5ec39:
Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
10:50:18,705 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil]
Removing the current security information.

The above logs are printed repeatedly, and at last "Removing the current security information."
It seems like the authentication is happening correctly on the Repository tier. But why is the username changing to "System" sometimes?
Please let me know the reason why SSO is not happening here… What can I do here?

Alfresco 4.2.c is using "org.alfresco.web.site.servlet.SlingshotAlfrescoConnector" instead of "org.springframework.extensions.webscripts.connector.AlfrescoConnector".

I tried mixing the functionality of these two classes in my new custom connector by overriding the applyRequestHeaders and applyRequestAuthentication methods.
My new connector class extends the AlfrescoConnector class and overrides two methods:
1. applyRequestHeaders
2. applyRequestAuthentication
@Override
protected void applyRequestHeaders(RemoteClient remoteClient, ConnectorContext context) {
    super.applyRequestHeaders(remoteClient, context);
    Map<String, String> headers = new HashMap<String, String>(8);
    if (context != null) {
        headers.putAll(context.getHeaders());
    }
    String user = "admin";
    headers.put("X-Alfresco-Remote-User", user);
    String userHeader = getUserHeader();
    if (userHeader != null) {
        headers.put(userHeader, user);
    }
    if (headers.size() != 0) {
        remoteClient.setRequestProperties(headers);
    }
}

@Override
protected void applyRequestAuthentication(RemoteClient remoteClient, ConnectorContext context)
{
    String alfTicket = null;
    if (context != null)
    {
        alfTicket = context.getParameters().get(PARAM_TICKETNAME_ALF_TICKET);
    }
    if (getConnectorSession() != null)
    {
        alfTicket = (String)getConnectorSession().getParameter(AlfrescoAuthenticator.CS_PARAM_ALF_TICKET);
    }
    if (alfTicket != null)
    {
        remoteClient.setTicket(alfTicket);
        remoteClient.setTicketName("ticket");
    }
    else
    {
        System.out.println("Guesttt…");
    }
}


Please help me to find the reason for not logging in…

afaust
Legendary Innovator
Hello,

Alfresco unfortunately uses both "ticket" and "alf_ticket" in various instances. It depends on the Repository configuration which one is actually being used. The "alf_ticket" is used in a configuration where the Repository does not use SSO, and "ticket" seems to be used in a scenario where it does. This makes it a bit hard to copy experiences from one project to another with a different configuration.

The change of user name to "System" is part of Alfresco standard processing logic and to be expected. It just means that some of the code is executed in a higher security level / with an enhanced permission set than the user actually has. E.g. if a user does not exist, Alfresco may create that user dynamically and needs "System" privileges to do that. "Removing the current security information" is also in 99.9 % of all cases to be expected - when a specific request has been served / completed, Alfresco removes the authentication information, e.g. cleans up before handling the next request.

"Please let me know the reasoon for not happening SSO here… What can I do here?"

At the moment, I don't know what your current problems are. The Repository seems to be authenticating just fine - what is the action / response provided to you in the Share UI after these log messages?

Regards
Axel
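
The Repository-side DEBUG lines quoted in this thread can be triaged mechanically to separate "no ticket arrived" from "the Repository authenticated the user". This is an added example, not code from the thread or from Alfresco; the function names are hypothetical and the sample lines are constructed in the quoted log format with a placeholder ticket value.

```python
import re
from collections import Counter

# Constructed sample in the alfresco.log format quoted in the thread, including
# messages wrapped onto the next line; the ticket value is a placeholder.
SAMPLE_LOG = """\
10:43:53,398 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator]
Alfresco ticket provided: false
10:43:53,398 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
10:50:18,696 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: true
10:50:18,696 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating ticket TICKET_0123456789abcdef0123456789abcdef01234567
10:50:18,704 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@66a5ec39:
Username: admin; Password: [PROTECTED]; Enabled: true
10:50:18,704 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@1f27c908: Username: System; Password: [PROTECTED]; Enabled: true
10:50:18,705 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Removing the current security information.
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d,\d{3} DEBUG \[([^\]]+)\]\s*(.*)$")
TICKET = re.compile(r"TICKET_[0-9a-f]{40}")
USERNAME = re.compile(r"Username: ([^;]+);")


def parse(text):
    """Return [short_logger, message] records, joining wrapped continuation lines."""
    records = []
    for raw in text.splitlines():
        match = LINE.match(raw)
        if match:
            records.append([match.group(1).rsplit(".", 1)[-1], match.group(2).strip()])
        elif records and raw.strip():
            records[-1][1] = (records[-1][1] + " " + raw.strip()).strip()
    return records


def redact(ticket):
    """Keep a short prefix only: a ticket is a bearer credential."""
    return ticket[:11] + "..."


def summarise(text):
    """Count ticket/no-ticket requests and collect authenticated and RunAs users."""
    out = {"with_ticket": 0, "without_ticket": 0, "tickets": set(),
           "authenticated": Counter(), "run_as": Counter()}
    for logger, msg in parse(text):
        if logger.endswith("WebClientAuthenticator"):
            if msg.startswith("Alfresco ticket provided:"):
                out["with_ticket" if msg.endswith("true") else "without_ticket"] += 1
            else:
                found = TICKET.search(msg)
                if found:
                    out["tickets"].add(redact(found.group()))
        elif logger == "AuthenticationUtil":
            user = USERNAME.search(msg)
            if user and msg.startswith("Setting fully authenticated principal"):
                out["authenticated"][user.group(1)] += 1
            elif user and msg.startswith("Setting RunAs principal"):
                out["run_as"][user.group(1)] += 1
    return out


def verdict(summary):
    """Turn the summary into the next troubleshooting step."""
    users = sorted(set(summary["authenticated"]) - {"System"})
    if summary["with_ticket"] and users:
        return "repository authenticated " + ",".join(users) + "; look at the Share tier"
    if summary["with_ticket"] == 0:
        return "no ticket reached the repository; check the ticket parameter name"
    return "ticket received but no user principal logged"


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(result)
    print(verdict(result))
```

A "System" entry that appears only under run_as matches the elevated execution described in the reply above; it does not mean the session user changed.
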