Custom Login Page when Outside a Kerberos Domain

Document created by amukha on Jul 19, 2017. Last modified by resplin on Jul 19, 2017.
Version 4

When accessing Alfresco Content Services (ACS) and Alfresco Community Edition from outside a Kerberos domain, the system must direct the user to a login page when SSO fails. The correct implementation of a fallback login page depends on the specific use case, and an incorrect implementation could create an additional vector for authentication attacks. Rather than building a "one-size-fits-all" solution into the product, this tutorial provides a small example that you can adapt to your specific needs.


Some setups require ACS to be configured with a composite authentication chain:


authentication.chain=kerberos:kerberos,basic:alfrescoNtlm

 

This can be useful for allowing client machines outside a Kerberos domain to access resources such as /webdav or /aos using a browser and basic authentication. When the unauthenticated client browser sends its first request to these resources, ACS responds with a 401 status containing the WWW-Authenticate: Negotiate header, meaning that Kerberos authentication is enabled. The response also includes a small HTML page with a link to a custom login page.

 

This link is configurable using the following property (available from 5.1.4 and 5.2.1):


kerberos.authentication.sso.login.page.link=/customloginpage.html

 

Let's take a small example of a login page (customloginpage.html) and place it in the root of the alfresco.war file.

 

<!DOCTYPE html>
<html>
   <head>
      <title>Alfresco Custom Login Page</title>
   </head>
   <body>
      <h3>Login to WebDAV</h3>
      <div class="container">
         <label for="username"><b>Username</b></label>
         <input type="text" placeholder="Enter Username" id="username" tabindex="0">
         <label for="password"><b>Password</b></label>
         <input type="password" placeholder="Enter Password" id="password" tabindex="0">
         <button onclick="httpGet()" tabindex="0">Login</button>
      </div>
      <script>
      // Sends the entered credentials to WebDAV in a Basic authentication header.
      // Basic credentials are only Base64-encoded, not encrypted.
      function httpGet()
      {
         var url = "http://192.168.56.102:8080/alfresco/webdav";
         var request = new XMLHttpRequest();
         // Third argument false = synchronous request
         request.open("GET", url, false);
         request.setRequestHeader("Authorization", "Basic " +
            btoa(document.getElementById("username").value + ":" + document.getElementById("password").value));
         request.send();
         // Redirect only if the server accepted the credentials
         if (request.status >= 200 && request.status < 300) {
            window.location.replace(url);
         }
      }
      </script>
   </body>
</html>


Assuming that the server's IP address is 192.168.56.102, the credentials entered into the login page are Base64 encoded to create a Basic authentication header and sent to ACS. The JavaScript then redirects the user to [host]/alfresco/webdav.
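
A hardened variant of the login logic, as an added example that is not part of the original tutorial or of Alfresco's code: it encodes non-ASCII credentials correctly, refuses to send Basic credentials anywhere other than the page's own origin over HTTPS, and reports the outcome so the caller redirects only on success. The function names, the HTTPS/same-origin policy and the host acs.example.test are assumptions.

```javascript
// Added example, not from the original tutorial. Function names, the
// HTTPS/same-origin policy and the sample host are assumptions.

// Build an RFC 7617 Basic header. btoa() throws on characters outside
// Latin-1, so the user-id/password pair is UTF-8 encoded first.
function buildBasicHeader(username, password) {
  if (username === "" || username.includes(":")) {
    throw new Error("username must be non-empty and must not contain ':'");
  }
  const bytes = new TextEncoder().encode(username + ":" + password);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// Basic credentials are only Base64-encoded, so send them only over TLS
// and only to the origin that served the login page.
function isSafeTarget(targetUrl, pageOrigin) {
  try {
    const target = new URL(targetUrl, pageOrigin);
    const page = new URL(pageOrigin);
    return target.protocol === "https:" && target.origin === page.origin;
  } catch (e) {
    return false; // unparsable URL: do not send anything
  }
}

// Returns "refused" (nothing sent), "ok", "rejected" (401) or "error".
// The caller redirects to targetUrl only on "ok".
async function login(targetUrl, username, password, pageOrigin,
                     fetchImpl = globalThis.fetch) {
  if (!isSafeTarget(targetUrl, pageOrigin)) return "refused";
  const response = await fetchImpl(new URL(targetUrl, pageOrigin).href, {
    method: "GET",
    headers: { Authorization: buildBasicHeader(username, password) },
  });
  if (response.ok) return "ok";
  return response.status === 401 ? "rejected" : "error";
}
```

In the page, the button handler would call `login("/alfresco/webdav", user, pass, window.location.origin)` and navigate only when the result is "ok".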
