
Since Kerberos SSO can't chain, trying Apache mod_auth_kerb

Question asked by xkahn on Jan 7, 2010
Latest reply on Jan 13, 2010 by xkahn
So it looks like Alfresco can't chain Kerberos with SSO (http://forums.alfresco.com/en/viewtopic.php?f=3&t=24149). So I'm trying to use external auth with Apache configured to authenticate users via Kerberos and mod_jk to forward the request.

Apache puts the user name in the "REMOTE_USER" header.  I've edited Alfresco's web.xml and replaced the header x-user with REMOTE_USER.  But still I don't see anything.  My setup looks like this:

web.xml:

      <init-param>
         <param-name>httpServletRequestAuthHeaderName</param-name>
         <param-value>REMOTE_USER</param-value>
      </init-param>

alfresco-global.properties:

authentication.chain=external1:external
external.authentication.enabled=true
external.authentication.userIdPattern=([A-Za-z0-9]*)@.*

I haven't been able to see any debugging messages for the external auth method.  My logs look like this (after several login attempts; Apache credentials were supplied and passed):
alfresco.log:
15:56:21,609 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Synchronization' subsystem, ID: [Synchronization, default]
15:56:21,629 INFO  [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
15:56:21,726 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [Authentication, managed, external1]
15:56:21,747 INFO  [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
15:56:21,919 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [Authentication, managed, external1] complete
15:56:21,959 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Synchronization' subsystem, ID: [Synchronization, default] complete
15:56:22,175 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - v1.6.0_17-b04; maximum heap size 618.688MB
15:56:22,176 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Community): Current version 3.2.0 (r2 2440) schema 3300 - Originally installed version 3.2.0 (r2 2440) schema 3300
15:56:23,146 INFO  [org.alfresco.module.vti.VtiServer] Vti server started successfully on port: 7070
15:56:45,229 INFO  [org.alfresco.web.site.FrameworkHelper] Successfully Initialized Web Framework
15:56:45,624 INFO  [org.alfresco.config.JBossEnabledWebApplicationContext] Refreshing org.alfresco.config.JBossEnabledWebApplicationContext@60d45375: display name [Root WebApplicationContext]; startup date [Thu Jan 07 15:56:45 EST 2010]; root of context hierarchy
15:56:45,788 INFO  [org.alfresco.config.JBossEnabledWebApplicationContext] Bean factory for application context [org.alfresco.config.JBossEnabledWebApplicationContext@60d45375]: org.springframework.beans.factory.support.DefaultListableBeanFactory@4ce7372b
15:56:47,378 INFO  [org.alfresco.web.scripts.DeclarativeRegistry] Registered 22 Web Scripts (+0 failed), 24 URLs
15:56:47,387 INFO  [org.alfresco.web.scripts.AbstractRuntimeContainer] Initialised Presentation Web Script Container (in 168.698ms)
15:56:47,528 INFO  [org.alfresco.web.scripts.DeclarativeRegistry] Registered 40 Web Scripts (+0 failed), 42 URLs
15:56:47,536 INFO  [org.alfresco.web.scripts.AbstractRuntimeContainer] Initialised WebFramework Web Script Container (in 146.136ms)
15:56:47,801 INFO  [org.alfresco.web.site.FrameworkHelper] Successfully Initialized Web Framework

My log4j.properties file has:

log4j.logger.org.alfresco.repo.security.authentication=debug
log4j.logger.org.alfresco.web.app.servlet=debug
log4j.logger.org.alfresco.repo.webdav.auth=debug
log4j.logger.org.alfresco.web.app.servlet.HTTPRequestAuthenticationFilter=debug
log4j.logger.org.alfresco.repo.webdav.auth.HTTPRequestAuthenticationFilter=debug

Those were my attempts to get SOME kind of logging out.

I see lots of logging messages in projects/web-client/source/java/org/alfresco/web/app/servlet/HTTPRequestAuthenticationFilter.java but nothing is ever printed.  What am I missing?
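
An added example, not part of the original post and not Alfresco's code: a check of which Kerberos principals the userIdPattern from the properties above would map to a user ID. It assumes the pattern must match the whole header value with capture group 1 as the user ID; extract_user_id, audit and the sample principals are hypothetical.

```python
import re

# Pattern copied from the post's alfresco-global.properties.
USER_ID_PATTERN = r"([A-Za-z0-9]*)@.*"


def extract_user_id(header_value, pattern=USER_ID_PATTERN):
    """Return the mapped user ID, or None when the value must be rejected.

    Assumption: the pattern has to match the whole header value and
    capture group 1 is the user ID (hypothetical helper, not Alfresco code).
    """
    if header_value is None:
        return None
    match = re.fullmatch(pattern, header_value.strip())
    if match is None:
        return None
    user_id = match.group(1)
    # "*" lets group 1 be empty (e.g. "@REALM"); never map that to a user.
    return user_id or None


def audit(values, pattern=USER_ID_PATTERN):
    """Map each candidate header value to the user ID it would yield."""
    return {value: extract_user_id(value, pattern) for value in values}


# Constructed sample values; EXAMPLE.COM is a placeholder realm.
SAMPLES = [
    "xkahn@EXAMPLE.COM",        # plain user principal
    "john.doe@EXAMPLE.COM",     # dot is outside [A-Za-z0-9]
    "HTTP/web01@EXAMPLE.COM",   # service principal with an instance part
    "@EXAMPLE.COM",             # empty user part
    "xkahn",                    # no realm at all
]

if __name__ == "__main__":
    for value, user in audit(SAMPLES).items():
        print(f"{value!r:28} -> {user!r}")
```

Principals that come back as None would not be mapped to any user under this pattern, so accounts containing dots, hyphens or underscores need a wider character class.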
