
How is the user chosen for no authentication web scripts?

thmsdrew
Champ in-the-making

Hi all,

Just curious... if I have a web script with no <authentication> tag in the definition XML, and let's say this web script is responsible for updating document properties, how is the user that the web script runs as chosen? I have seen some very inconsistent results and I'm curious as to what is going on.

Thanks,

Tom

1 ACCEPTED ANSWER

afaust
Legendary Innovator

Normally, if you use authentication "none", then there will be no authenticated user active and there should not be a "random user" being picked for modifier etc. BUT, I have seen a lot of 3rd-party code that messes up authentication handling.

E.g. if you do an AuthenticationUtil.setRunAsUser(xy) then you are setting that user in the thread context. If that context is not reset at the end of handling a request, then it stays tied to the thread. Since Tomcat reuses threads for HTTP calls (non-predictively, so you could call it "random"), any future request that does not explicitly authenticate a user (like your "none" authentication web script) may "accidentally" run in that user context if it gets processed by the affected thread.

I have rarely seen a valid use case for working with authentication "none". If you do, always use the callback-based AuthenticationUtil.runAsUser(callback, user) variant. NEVER EVER use AuthenticationUtil.setRunAsUser(user) code because chances are - once in a while - you will forget to properly clean up that context.

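The thread-reuse leak described in the accepted answer, as an added stand-alone Java model (not afaust's code and not Alfresco's own classes). `AuthContext`, its methods and the user name `admin` are hypothetical stand-ins for a thread-bound authentication context, and a single-thread executor is assumed to stand in for one reused container worker thread.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

public class RunAsLeakDemo {
    // Hypothetical stand-in for a thread-bound authentication context.
    static final class AuthContext {
        private static final ThreadLocal<String> USER = new ThreadLocal<>();

        // "Set and forget" style: nothing restores the previous value.
        static void setRunAsUser(String user) { USER.set(user); }

        // Callback style: the previous value is restored even if work throws.
        static <T> T runAs(Supplier<T> work, String user) {
            String previous = USER.get();
            USER.set(user);
            try {
                return work.get();
            } finally {
                if (previous == null) USER.remove(); else USER.set(previous);
            }
        }

        static String current() { return USER.get(); }
    }

    // A request that never authenticates reports whatever its thread carries.
    static String unauthenticatedRequest() {
        String user = AuthContext.current();
        return user == null ? "<no user>" : user;
    }

    public static void main(String[] args) throws Exception {
        // A single worker models one pooled container thread being reused.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Callable<String> callbackStyle = () -> AuthContext.runAs(() -> "done", "admin");
        Runnable setAndForget = () -> AuthContext.setRunAsUser("admin");
        Callable<String> nextRequest = RunAsLeakDemo::unauthenticatedRequest;
        try {
            pool.submit(callbackStyle).get();
            System.out.println("after callback runAs: " + pool.submit(nextRequest).get());
            pool.submit(setAndForget).get();
            System.out.println("after setRunAsUser:   " + pool.submit(nextRequest).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

The unauthenticated request sees no user after the callback variant, and sees `admin` after the set-and-forget variant because the same worker thread still holds the value.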

12 REPLIES 12

douglascrp
World-Class Innovator

Hello.

When you write your webscript's code, at least using Java, you can use the AuthenticationUtil to run your code as a named user, or as System, with higher privileges.

You said you are seeing inconsistent results. Is this a custom webscript or one of the OOTB ones?

thmsdrew
Champ in-the-making

This is a custom webscript using JavaScript. I assume AuthenticationUtil is similar to specifying <authentication>{none, user, admin, etc.}</authentication> in the desc.xml file.

douglascrp
World-Class Innovator

Take a look at this link: authentication | Alfresco Documentation

As you can see, you can have a webscript that does not enforce authentication (with the none parameter), but that is executed as a nominated user, using the runas parameter.

thmsdrew
Champ in-the-making

Yes, I'm wondering specifically how a user is chosen if the <authentication> element (which is optional in the first place) is not provided at all.