08-16-2017 05:16 PM
Hi all,
Just curious... if I have a web script with no <authentication> tag in the definition XML, and let's say this web script is responsible for updating document properties, how is the user that the web script runs as chosen? I have seen some very inconsistent results and I'm curious as to what is going on.
Thanks,
Tom
08-17-2017 01:45 PM
Normally, if you use authentication "none", then there will be no authenticated user active and there should not be a "random user" being picked for modifier etc. BUT, I have seen a lot of 3rd-party code that messes up authentication handling.
E.g. if you do an AuthenticationUtil.setRunAsUser(xy), then you are setting that user in the thread context. If that context is not reset at the end of handling a request, then it stays tied to the thread. Since Tomcat reuses threads for HTTP calls (unpredictably, so you could call it "random"), any future request that does not explicitly authenticate a user (like your "none" authentication web script) may "accidentally" run in that user context if it gets processed by the affected thread.
I have rarely seen a valid use case for working with authentication "none". If you do, always use the callback-based AuthenticationUtil.runAsUser(callback, user) variant. NEVER EVER use AuthenticationUtil.setRunAsUser(user) code because chances are - once in a while - you will forget to properly clean up that context.
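The thread-reuse effect described in the reply above, as an added example that is not part of the original post and not Alfresco code: a plain ThreadLocal stands in for the per-thread authentication context, and every name here (RunAsLeakDemo, RUN_AS, runAs, the handlers) is hypothetical. A single-thread pool stands in for Tomcat's worker pool so the reuse is deterministic.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

public class RunAsLeakDemo {
    // Stand-in for the per-thread authentication context (assumption, not Alfresco's class).
    static final ThreadLocal<String> RUN_AS = new ThreadLocal<>();

    // Set-and-forget pattern: the user stays bound to the worker thread afterwards.
    static String leakyHandler(String user) {
        RUN_AS.set(user);
        return "updated as " + RUN_AS.get();
    }

    // Callback pattern: the previous context is restored even if the work throws.
    static <T> T runAs(Supplier<T> work, String user) {
        String previous = RUN_AS.get();
        RUN_AS.set(user);
        try {
            return work.get();
        } finally {
            if (previous == null) RUN_AS.remove();
            else RUN_AS.set(previous);
        }
    }

    // A handler with authentication "none": it never sets a user itself.
    static String unauthenticatedHandler() {
        String user = RUN_AS.get();
        return user == null ? "no user" : "ran as " + user;
    }

    // Runs 'first', then an unauthenticated request on the same reused thread.
    static String nextRequestAfter(Callable<String> first) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        Callable<String> next = RunAsLeakDemo::unauthenticatedHandler;
        try {
            pool.submit(first).get();
            return pool.submit(next).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // First request uses set-and-forget, then the callback variant.
        System.out.println(nextRequestAfter(() -> leakyHandler("admin")));
        System.out.println(nextRequestAfter(
                () -> runAs(() -> "updated as " + RUN_AS.get(), "admin")));
    }
}
```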
08-17-2017 06:04 AM
Hello.
When you write your webscript's code, at least using Java, you can use the AuthenticationUtil to run your code as a named user, or as System, with higher privileges.
You said you are seeing inconsistent results. Is this a custom webscript or one of the OOTB ones?
08-17-2017 06:20 AM
This is a custom webscript using Javascript. I assume AuthenticationUtil is similar to specifying <authentication>{none, user, admin, etc.}</authentication> in the desc.xml file.
08-17-2017 06:35 AM
Take a look at this link: authentication | Alfresco Documentation
As you can see, you can have a webscript that does not enforce authentication (with the none parameter), but that is executed as a nominated user, using the runas parameter.
08-17-2017 06:40 AM
Yes, I'm wondering specifically how a user is chosen if the <authentication> element (which is optional in the first place) is not provided at all.