AnsweredAssumed Answered

Is External authentication subsystem safe? How does it work?

Question asked by iblanco on Nov 16, 2010
Latest reply on Jun 21, 2011 by goldmar
It migth sound like a stupid question but I'm using it for CAS (through apache's mod_auth_cas) authentication and there are some points I don't understand.

I do understand that Apache's httpd server negotiates the session with CAS after checking it's certificate, so I do understand that Apache can get the user in a safe way, so far so good.

Once apache has the user it just passes the credentials to Tomcat through the AJP connector… but here my concerns arise. How does tomcat know that the connected AJP client is the right Apache and not a rogue one ? Is there some kind of check or does it simply rely on the correct configuration of the listening IP's and firewalls ?

What about the HTTP conector of Tomcat ? If the "external" authentication subsystem is activated can a fake HTTP request simulating "some credentials" access Alfresco or it just acts on the AJP side ?

Finally the wiki says that whole "/alfresco" Location should be protected by "mod_auth_cas" but that makes some "non web-ui" services like Webdav or "/service" not work.

I think that it would be enough just protecting "/alfresco/faces" , maybe even "/alfresco/faces/jsp/login.jsp" only. In the "standard" Alfresco Explorer every non authenticated request will be forwarded to the login page so that seems like no risk, and that makes Webdav and "service" authenticate through HTTP authentication.

Is this correct or is there any security implication ? If someone could confirm that point I would update the wiki.

Outcomes