
External Auth Subsystem for SSO in Alfresco and Share

Question asked by kbonnet on Nov 29, 2009
Latest reply on Mar 22, 2010 by varunss
Hello Alfrescians,

I'm trying to get the external authentication subsystem to work with Alfresco 3.2r2. I need Alfresco Explorer and Share to authenticate users based on an HTTP header. I use the default x-remote-alfresco-user for this. From 3.2r2 this is working for Alfresco Explorer like a dream. But I can't get Share to work based on this.

In my setup I'm running Alfresco 3.2r2 on CentOS 5.3 with Tomcat 6.0.20 and Sun JDK 1.6.0_14. For the authentication I'm using Apache. At the moment Apache is just asking for basic authentication against a password file. When the user is authenticated, the HTTP header is added and sent through to Alfresco. Alfresco detects the user in the header and authenticates it via the external authentication subsystem.

My Share configuration is

   <config evaluator="string-compare" condition="Remote">
                <remote>
                        <!-- SSL client certificate + trusted CAs. Optionally used to authenticate share to an external SSO system such as CAS -->
                        <keystore>
                                <path>alfresco/web-extension/alfresco-system.p12</path>
                                <type>pkcs12</type>
                                <password>******</password>
                        </keystore>
                        <connector>
                                <id>alfrescoCookie</id>
                                <name>Alfresco Connector</name>
                                <description>Connects to an Alfresco instance using cookie-based authentication</description>
                                <class>org.alfresco.connector.AlfrescoConnector</class>
                        </connector>
                        <endpoint>
                                <id>alfresco</id>
                                <name>Alfresco - user access</name>
                                <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                                <connector-id>alfrescoCookie</connector-id>
                                <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                                <identity>user</identity>
                                <external-auth>true</external-auth>
                        </endpoint>
                </remote>
        </config>

When Share receives a request, I see the HTTP header is added in the logging:

11:40:53,175 DEBUG [httpclient.wire.header] >> "GET /alfresco/wcs/webframework/content/metadata?user=kbonnet HTTP/1.1[\r][\n]"
11:40:53,175 DEBUG [org.apache.commons.httpclient.HttpMethodBase] Adding Host request header
11:40:53,187 DEBUG [httpclient.wire.header] >> "X-Alfresco-Remote-User: kbonnet[\r][\n]"

But on the Alfresco side, the header isn't picked up:

11:40:53,223 DEBUG [org.alfresco.web.scripts.servlet.WebScriptServlet] Processing request (GET) http://localhost:8080/alfresco/wcs/webframework/content/metadata?user=kbonnet
11:40:53,285 DEBUG [org.alfresco.web.scripts.AbstractRuntime] (Runtime=ServletRuntime, Container=Repository) Processing script url (GET) /webframework/content/metadata
11:40:53,287 DEBUG [org.alfresco.web.scripts.DeclarativeRegistry] Web Script index lookup for uri /webframework/content/metadata took 1.46ms
11:40:53,288 DEBUG [org.alfresco.web.scripts.servlet.WebScriptServletRequest] Content Type: null
11:40:53,289 DEBUG [org.alfresco.web.scripts.AbstractRuntime] Agent: null
11:40:53,289 DEBUG [org.alfresco.web.scripts.AbstractRuntime] Invoking Web Script org/alfresco/webframework/metadata.get (format html, style: argument, default: html)
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Current authentication: unauthenticated
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Authentication required: user
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Guest login requested: false
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
11:40:53,289 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
11:40:53,392 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Redirecting to Alfresco Login
11:40:53,393 DEBUG [org.alfresco.repo.web.scripts.RepositoryContainer] Authentication reset: unauthenticated

In the Share logging I see the login page being returned instead of the JSON info on the user, which of course results in an exception.

Why isn't Alfresco processing the HTTP header the same way as when it's coming from a user via Apache? When I do the request "/alfresco/wcs/webframework/content/metadata?user=kbonnet" via Apache to have the header added, I just get the JSON info. When I do the same request directly on Tomcat with wget (and including the header), I get the login page. I am sure Share is adding the header, because for debugging I changed the end-point URL to a JSP page which shows all the headers, and I saw the header added by Share.

I'm not implementing mod_auth_cas on purpose. I just want users to be trusted based on the HTTP header. In the final situation there will be an authentication layer based on OpenASelect. This is a CAS-like service that will authenticate users, add headers and send them through to the application layer. I feel I am so close because I see Share adding the header. Alfresco just isn't processing it.

Any clues?

Kind regards,

Koen Bonnet
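The post describes three paths into the same web script: through Apache (works), directly against Tomcat with wget plus the header (login page), and from Share over plain HTTP with the header (login page). The example below is an added illustration, not Alfresco's code and not part of the original post, of the trusted-proxy pattern that header-based SSO relies on: an identity header is only believed when the caller has itself been authenticated as the trusted proxy, otherwise it is ignored and only what the container established (REMOTE_USER from Apache, a client-certificate identity) counts. The header name is the one visible in the Share log above; the proxy identity "alfresco-system" is an assumed placeholder taken from the keystore file name in the Share config, and whether 3.2r2's subsystem behaves exactly like this model is not something the post establishes.

```python
"""
Model of trusted-proxy handling for a remote-user header (illustrative, added example;
not Alfresco source). The security point: a header anyone can type into a request
must not, by itself, log a user in. It is honoured only when the request already
carries a proof that it came from the trusted proxy, e.g. an SSL client certificate
such as the alfresco-system.p12 keystore referenced in the Share configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Header name as seen in the Share wire log ("X-Alfresco-Remote-User: kbonnet")
HEADER_NAME = "X-Alfresco-Remote-User"

# Assumed placeholder for the proxy's own identity (constructed for this example)
DEFAULT_PROXY_USER = "alfresco-system"


@dataclass
class Request:
    """Constructed stand-in for an inbound servlet request."""
    headers: Dict[str, str] = field(default_factory=dict)
    # Identity the container itself established for the caller: REMOTE_USER passed
    # through from Apache basic auth, the CN of a client certificate, or None.
    container_remote_user: Optional[str] = None

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive, so compare case-folded.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def resolve_user(req: Request,
                 proxy_user_name: Optional[str] = DEFAULT_PROXY_USER,
                 header_name: str = HEADER_NAME) -> Optional[str]:
    """Return the user name the request should be authenticated as, or None
    (meaning: fall back to the login page / 401)."""
    header_user = req.header(header_name)
    remote = req.container_remote_user

    if proxy_user_name:
        # Trusted-proxy mode: the header is believed only when the caller proved it
        # is the proxy. Any other caller gets exactly the identity the container
        # established for it; the header is discarded, so it cannot be spoofed.
        if remote == proxy_user_name:
            return header_user or None
        return remote

    # No proxy identity configured: the header is trusted from any caller. Only
    # defensible when Tomcat is reachable solely through the authenticating proxy.
    return header_user or remote


def walk_through_post_scenarios() -> Dict[str, Optional[str]]:
    """The three paths described in the post, plus the two configurations that
    would make the Share hop succeed, as constructed requests."""
    hdr = {HEADER_NAME: "kbonnet"}
    return {
        # Apache authenticated kbonnet and passes REMOTE_USER through to the container
        "via_apache": resolve_user(Request(hdr, "kbonnet")),
        # wget straight at Tomcat with only the header: no container identity
        "wget_direct": resolve_user(Request(hdr, None)),
        # Share over plain http://localhost:8080: no client cert, so no container identity
        "share_plain_http": resolve_user(Request(hdr, None)),
        # Share over TLS presenting the proxy's client certificate
        "share_with_client_cert": resolve_user(Request(hdr, DEFAULT_PROXY_USER)),
        # Proxy check switched off: header trusted from anyone (spoofable if exposed)
        "no_proxy_check": resolve_user(Request(hdr, None), proxy_user_name=""),
    }


if __name__ == "__main__":
    for name, user in walk_through_post_scenarios().items():
        print(f"{name:24s} -> {user if user else 'unauthenticated (login page)'}")
```

Under this model the two failing paths in the post fail for the same reason: nothing on the connection proves the caller is the proxy, so the header is dropped. The direct-wget result is the behaviour you want from an internet-facing Tomcat; the Share hop needs either a channel that authenticates Share as the proxy (the keystore in the config only helps if the endpoint actually uses TLS with client certificates) or a deployment where Tomcat is unreachable except through the authenticating front end.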
