Web Script and Single Sign On

mikewaters
Champ in-the-making
We have a requirement to implement single sign on over web scripts

We want to allow a user of a third party application to click on a link to view a UI based web script and get authenticated without re-entering their credentials.

I am going to see if it can be done by implementing one of the Authentication Filters (eg CAS) over the top of the web client service context (/alfresco/wcservice)

I'll post back when I get some results, but in the meantime has anyone else implemented this kind of SSO with web scripts?

jbarmash
Champ in-the-making
Just want to point out that webscripts are accessible using two methods: /alfresco/service carries its own authentication, and /wcservice uses the authentication of the web client. There are definitely examples of SSO-type functionality on the webclient side, i.e. NTLM authentication, etc.

I don't know precisely how the /service authentication works, but since we do single sign-on with Liferay, I am sure you can implement SSO on that protocol as well.

So if your users are already logged into the Alfresco UI (not sure if they are), this could be an easy way to achieve this effect.

mikewaters
Champ in-the-making
Thanks for the quick reply!

It seems to me that the most promising approach is to use an SSO framework like CAS or SiteMinder over /alfresco/wcservlet.

The standard /alfresco/service web script servlet uses HTTP Basic authentication which means we need to pass the username and password in the authentication headers, which is not an option for us. Firstly we don't have access to the password, since it is held in LDAP. Secondly I don't know how to pass the credentials in a hyperlink or browser redirect. (The user is not already authenticated when the webscript URL is called)

With CAS the first hurdle is that the authentication of /alfresco/wcservlet is not done with servlet filters but inside the servlet code, so it must work differently from the standard web client authentication, which does use filters. My first attempt at implementing CAS works fine for the web client, but not for /alfresco/wcservice. I think it may be that the processing of the web client login page adds some extra information into the session which is not added by the authentication filters.

So my follow-up question is: is there any more information available on wcservice authentication and, if so, where?
Also, is there any source code or documentation about the Liferay SSO solution?

Thanks!

jbarmash
Champ in-the-making
This is now getting beyond my area of expertise a bit. Everything we have related to security is underneath here:
http://wiki.alfresco.com/wiki/Category:Security

Or in code / JavaDocs.

These pages (which I think you already saw) are relevant.
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration
http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration

It's strange that code that works for the web client does not work for wcservice; I thought those were supposed to be equivalent.

mikewaters
Champ in-the-making
Ultimately the same method gets called, AuthenticationHelper.authenticate(), but the code path to that function is different. The web-client path goes via code in AuthenticationFilter.java (URL /alfresco/faces/*) and the web-script path uses code within WebScriptServlet.java (URL /alfresco/wcservice/*).

Both work when native Alfresco authentication is used (i.e. the Alfresco login page).

When I add in the CASAuthenticationFilter, which replaces the code in LoginBean.java and AuthenticationFilter.java, the web-script authentication fails.

I haven't had a chance to step through the code but it looks like the CASAuthenticationFilter is not doing everything it is supposed to do, and some data is missing from the session by the time the WebScriptServlet sees the request, thus failing the authentication.

I'm keen to fix the CASAuthenticationFilter so it works with /wcservice, so is there anyone who knows what LoginBean.java does that must be replicated in the SSO filters?

Or is it just me and the code…?

mikewaters
Champ in-the-making
I tracked down the problem: both CAS and Alfresco use a URL parameter "ticket" as part of the authentication mechanism, and one clashes with the other. As a result Alfresco sees a "ticket" parameter and fails to validate it, because it is a CAS ticket, not an Alfresco ticket.

Here's some background.

http://forums.alfresco.com/viewtopic.php?f=9&t=9889&p=32707
http://forums.alfresco.com/viewtopic.php?f=9&t=8431&p=27829
http://issues.alfresco.com/browse/ALFCOM-705

The workaround is to change the Alfresco Java code, in two places:

1. In BaseServlet.java change the value of ARG_TICKET to something other than "ticket" (e.g. "alfticket"); this should get the download servlet (and others?) working.

private static final String ARG_TICKET   = "ticket";

2. For web scripts the parameter "ticket" is referenced in WebClientAuthenticatorFactory.java in an inner class method, WebClientAuthenticator.authenticate():

String ticket = req.getParameter("ticket");

Change this to the same value and web script calls should get the CAS authentication working, since the Alfresco authentication code will now ignore "ticket".

WARNING - Although the Alfresco authentication now checks for "alfticket", it looks suspiciously like the Alfresco code that generates URLs with a "ticket" parameter is elsewhere and will still be using "ticket". So the internal Alfresco ticket handling might still be broken.
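The parameter clash described in this thread, as an added illustration that is not Alfresco's or CAS's own code: a simplified model of the web-script authenticator's ordering (explicit ticket parameter checked before the SSO session), run once with the original parameter name and once with the renamed one, plus a check for the caveat above, i.e. generated URLs that still carry the old "ticket" name. Ticket values and URLs are constructed; the ARG_TICKET rename and the "ticket before session" ordering are assumptions taken from the posts, not a reading of the real source.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: stands in for Alfresco's ticket component.
# Maps a known Alfresco ticket to the user it was issued to.
ALFRESCO_TICKETS = {"TICKET_0123abcd": "mikew"}


def alfresco_ticket_user(ticket):
    """Return the user for a valid Alfresco ticket, else None."""
    return ALFRESCO_TICKETS.get(ticket)


def authenticate(url, session_user=None, arg_ticket="ticket"):
    """Model of WebClientAuthenticator.authenticate() (assumed ordering).

    If the request carries the ticket parameter named by arg_ticket, it must
    validate as an Alfresco ticket; otherwise fall back to the web-client
    session that an SSO filter (e.g. CAS) may already have established.
    Returns (outcome, user).
    """
    params = parse_qs(urlsplit(url).query)
    ticket = params.get(arg_ticket, [None])[0]
    if ticket is not None:
        user = alfresco_ticket_user(ticket)
        # A CAS service ticket lands here when arg_ticket is "ticket" and
        # fails validation, which is the clash reported in the thread.
        return ("ticket", user) if user else ("ticket-invalid", None)
    if session_user:
        return ("session", session_user)
    return ("unauthenticated", None)


def find_stale_ticket_params(urls, arg_ticket):
    """After renaming ARG_TICKET, flag URLs still emitted with 'ticket'.

    These would be ignored by the renamed check and break internal ticket
    handling, as the warning in the last post anticipates.
    """
    stale = []
    for url in urls:
        params = parse_qs(urlsplit(url).query)
        if "ticket" in params and arg_ticket not in params:
            stale.append(url)
    return stale
```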