
Chaining JAAS Authentication in Alfresco 2.1

Question asked by rosemaryl on Nov 9, 2007
Latest reply on Dec 18, 2007 by rosemaryl
I would like to configure Alfresco so that it authenticates using JAAS/Kerberos first, then checks the Alfresco database for usernames not found (i.e. "admin"), aka chained authentication. This type of authentication worked fine in 2.0, but has been less-than-cooperative in 2.1.

I believe the solution lies within the files jaas-authentication-context.xml and chaining-authentication-context.xml.

Contents of jaas-authentication-context.xml:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <!-- The authentication component.                                      -->

    <!-- JAAS authentication - most of the config goes somewhere else       -->

    <!--bean id="authenticationComponent"
                 class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>OUR.COMPANY.COM</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean-->

    <!-- DAO that rejects changes - JAAS is read only at the moment.      -->
    <!-- It does allow users to be deleted without warnings from the UI. -->
    <!-- The user is still present in JAAS, only the personal information is removed from Alfresco. -->

    <!-- Replaced old sample code with code from http://forums.alfresco.com/viewtopic.php?t=7132&start=0&postdays=0&postorder=asc&highlight= as noted in bug AR-1564 -->
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
</beans>

Only change made in chaining-authentication-context.xml is filling in the realm value, everything is the same as the .sample file:

    <bean id="authenticationComponentImplJAAS" class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>OUR.COMPANY.COM</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
    </bean>

In jaas-authentication-context.xml I have commented out the bean "authenticationComponent" because Andy in the topic http://forums.alfresco.com/viewtopic.php?t=7132&start=0&postdays=0&postorder=asc&highlight= suggests that there only be one bean called "authenticationComponent". I have also ensured that it is not called "authenticationComponentImpl", as it was in older versions.

With these two changes, Alfresco fails to load properly (404 error when trying to view the web client).  For now I have removed the chaining-authentication-context.xml file and uncommented the "authenticationComponent" bean in jaas-authentication-context.xml so that at least we have JAAS authentication. 

Has anyone else had any problems in chaining authentication this way?

Thanks in advance.
~Rosemary

P.S. In chaining-authentication-context.xml, is it a typo that there are two s' in <property name="authenticationComponentss">?
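
An added example, not part of the original post and not Alfresco code: a small Python check that parses a set of Spring context files and reports any bean name defined in more than one of them, which is the "only one bean called authenticationComponent" condition the post refers to. The embedded XML is constructed sample input modelled on the post's files; the "authenticationComponent" bean in the chaining file and its class `example.HypotheticalChainingComponent` are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample inputs modelled on the post's two files. The chaining file's
# "authenticationComponent" bean and its class name are assumptions for illustration.
JAAS_CTX = """<beans>
  <bean id="authenticationComponent"
        class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent"/>
  <bean name="authenticationDao"
        class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao"/>
</beans>"""
JAAS_CTX_COMMENTED = """<beans>
  <!--bean id="authenticationComponent"
        class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
  </bean-->
  <bean name="authenticationDao"
        class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao"/>
</beans>"""
CHAINING_CTX = """<beans>
  <bean id="authenticationComponent" class="example.HypotheticalChainingComponent"/>
  <bean id="authenticationComponentImplJAAS"
        class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent"/>
</beans>"""

def bean_names(xml_text):
    """Names registered by top-level <bean> elements; commented-out beans are skipped."""
    names = set()
    for bean in ET.fromstring(xml_text).findall("bean"):
        # A bean is addressable by its id and by every alias in its name attribute.
        for raw in (bean.get("id", ""), bean.get("name", "")):
            names.update(n for n in re.split(r"[,;\s]+", raw) if n)
    return names

def duplicate_beans(files):
    """Map each bean name defined in more than one file to the files that define it."""
    seen = defaultdict(list)
    for filename, text in files.items():
        for name in sorted(bean_names(text)):
            seen[name].append(filename)
    return {name: where for name, where in seen.items() if len(where) > 1}

if __name__ == "__main__":
    for label, jaas in (("both active", JAAS_CTX), ("JAAS bean commented out", JAAS_CTX_COMMENTED)):
        found = duplicate_beans({"jaas-authentication-context.xml": jaas,
                                 "chaining-authentication-context.xml": CHAINING_CTX})
        print(label, "->", found or "no duplicate bean names")
```

A file that fails to parse at all (for example, a damaged comment delimiter) raises `xml.etree.ElementTree.ParseError` here, which is itself worth checking before restarting the server.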
