
Getting Alfresco to Trust Share during External Auth

Question asked by vamirr on Jul 1, 2011
I'm having issues with Share and external authentication.  The issue seems to be with the alfresco repository not trusting Share.  Here's what I've been able to find so far:

When Share requests a login to the repository, it is actually receiving the Alfresco repository's own login page.  We've verified this through a browser and did a response length comparison and we are in fact seeing the same page.

This correlated with what we were seeing in the log file (that Share was expecting a JSON object but was given something else... which was the HTML of the login page).


Details:

For a login attempt, Share does a getRemoteUser call for the username set by the external authentication; it then sets its own cookies/headers.  From there, it sends a request to the repository to see if the user given by the external authentication exists in the database and to get metadata for the user.

In our case, getRemoteUser and the setting of cookies/headers is operating correctly:

    07:13:39,239 DEBUG [webscripts.connector.RemoteClient] Executing (GET) http://localhost:8080/alfresco/wcs/webframework/content/metadata?user=500685731
    07:13:39,239 DEBUG [webscripts.connector.RemoteClient] - OutputStream supplied - will stream response…
    07:13:39,240 TRACE [webscripts.connector.RemoteClient] Set request header: X-Alfresco-Remote-User=500685731
    07:13:39,240 DEBUG [webscripts.connector.RemoteClient] Setting cookie header: JSESSIONID=0A00A4DE4805A3DED950BE41276D9D1D
    07:13:39,243 TRACE [webscripts.connector.RemoteClient] Set request header: X-Alfresco-Remote-User=500685731
    07:13:39,243 DEBUG [webscripts.connector.RemoteClient] Setting cookie header: JSESSIONID=0A00A4DE4805A3DED950BE41276D9D1D
    07:13:39,343 DEBUG [webscripts.connector.RemoteClient] Response status code: 200


I cannot log in, however, and my alfresco log is complaining about this as a failed login because of the below.  Notice the last part of the stack trace about JSON.

 
    10:33:46,933 ERROR [org.alfresco.web.site] org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springfram$
    org.springframework.extensions.surf.exception.PlatformRuntimeException: 06010000 Failed to init Request Context: Unable to fault user as safeguard during ini$
            at org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:63)
            at org.springframework.extensions.surf.mvc.PageViewResolver.canHandle(PageViewResolver.java:104)
            at org.springframework.web.servlet.view.UrlBasedViewResolver.createView(UrlBasedViewResolver.java:370)
            at org.springframework.web.servlet.view.AbstractCachingViewResolver.resolveViewName(AbstractCachingViewResolver.java:77)
            at org.springframework.web.servlet.DispatcherServlet.resolveViewName(DispatcherServlet.java:1091)
            at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1040)
            at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:798)
            at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
            at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
            at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.alfresco.web.site.servlet.SSOAuthenticationFilter.challengeOrPassThrough(SSOAuthenticationFilter.java:604)
            at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:381)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
            at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:444)
            at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:372)
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
            at java.lang.Thread.run(Thread.java:662)
    Caused by: org.springframework.extensions.surf.exception.RequestContextException: Unable to fault user as safeguard during init request context
            at org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:111)
            at org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:54)
            at org.alfresco.web.site.SlingshotPageViewResolver.lookupPage(SlingshotPageViewResolver.java:59)
            … 31 more
    Caused by: org.springframework.extensions.surf.exception.UserFactoryException: Unable to retrieve user from repository
            at org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:188)
            at org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:176)
            at org.springframework.extensions.surf.support.AbstractUserFactory.initialiseUser(AbstractUserFactory.java:99)
            at org.springframework.extensions.surf.RequestContextUtil.initialiseUser(RequestContextUtil.java:203)
            at org.springframework.extensions.surf.RequestContextUtil.initRequestContext(RequestContextUtil.java:107)
            … 33 more
    Caused by: org.json.JSONException: A JSONObject text must begin with '{' at character 47
            at org.json.JSONTokener.syntaxError(JSONTokener.java:413)
            at org.json.JSONObject.<init>(JSONObject.java:180)
            at org.json.JSONObject.<init>(JSONObject.java:420)
            at org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:182)
            … 37 more

In my tomcat access log I have 5 requests from Share to Alfresco.  Note that my user name is 500685731 as set by the external authentication.

    [01/Jul/2011:07:18:23 -0400] "GET /alfresco/wcs/touch HTTP/1.1" 302 -
    [01/Jul/2011:07:18:23 -0400] "GET /alfresco/faces/jsp/login.jsp?_alfRedirect=%2Falfresco%2Fwcs%2Ftouch HTTP/1.1" 200 10061
    [01/Jul/2011:07:18:24 -0400] "GET /alfresco/wcs/webframework/content/metadata?user=500685731 HTTP/1.1" 302 -
    [01/Jul/2011:07:18:24 -0400] "GET /alfresco/faces/jsp/login.jsp?_alfRedirect=%2Falfresco%2Fwcs%2Fwebframework%2Fcontent%2Fmetadata%3Fuser%3D500%3D500685731 HTTP/1.1" 200 10100
    [01/Jul/2011:07:18:24 -0400] "GET /share/page/site-index HTTP/1.1" 500 6612


Notice the 10100-byte file that is coming back from the alfresco/faces/login.jsp.  What is being returned to Share during that request is the Alfresco Explorer login prompt.  If I load that page in Firefox after killing all session cookies, I receive the same 10100-byte response.  Additionally, traces in the log show the HTML document coming back and it is that of the login page.  Now the error about JSON makes sense, as the site-index page was expecting JSON but getting back HTML from the login page.

It appears that even though session cookies and headers are set, Alfresco does not know 'who' Share is and is prompting for a login.

We are using a keystore with a pkcs12 certificate as set in the share-config-custom.xml file.  In the test case where no certificate is used, we receive the same results despite the intended functionality as described by:

  
The Share <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url> sends directly to the Alfresco layer using HTTP+a user header. In that case no Cert is used and the external.authentication.proxyUserName is blank. Alfresco trusts the header (defined by external.authentication.proxyHeader) sent by Share.
   taken from: http://wiki.alfresco.com/wiki/Alfresco_With_mod_auth_cas


At this point, I'm not sure what else to do.  Any thoughts or comments would be appreciated.
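
A diagnostic sketch for the symptom described in the post, added here as an example (not code from the poster or from Alfresco): it pairs each 302 on a repository web script with the login-page request whose `_alfRedirect` points back at it, which is the pattern showing that the repository did not accept the forwarded user header. The function name and result fields are this example's own; the log lines are the five quoted in the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The five access-log lines quoted in the post (leading indentation removed).
ACCESS_LOG = """\
[01/Jul/2011:07:18:23 -0400] "GET /alfresco/wcs/touch HTTP/1.1" 302 -
[01/Jul/2011:07:18:23 -0400] "GET /alfresco/faces/jsp/login.jsp?_alfRedirect=%2Falfresco%2Fwcs%2Ftouch HTTP/1.1" 200 10061
[01/Jul/2011:07:18:24 -0400] "GET /alfresco/wcs/webframework/content/metadata?user=500685731 HTTP/1.1" 302 -
[01/Jul/2011:07:18:24 -0400] "GET /alfresco/faces/jsp/login.jsp?_alfRedirect=%2Falfresco%2Fwcs%2Fwebframework%2Fcontent%2Fmetadata%3Fuser%3D500%3D500685731 HTTP/1.1" 200 10100
[01/Jul/2011:07:18:24 -0400] "GET /share/page/site-index HTTP/1.1" 500 6612
"""

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
LOGIN_PATH = "/alfresco/faces/jsp/login.jsp"


def find_login_bounces(log_text, prefix="/alfresco/wcs/"):
    """Return web script calls that were answered with the login page.

    A bounce is a 302 on a path under `prefix`, followed by a 200 on the
    login page whose _alfRedirect parameter names the same path.
    """
    pending = {}   # web script path -> full URL of the request that got a 302
    bounces = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        url, status = urlsplit(m["url"]), int(m["status"])
        if url.path.startswith(prefix) and status == 302:
            pending[url.path] = m["url"]
        elif url.path == LOGIN_PATH and status == 200:
            # parse_qs percent-decodes the redirect target for us.
            target = parse_qs(url.query).get("_alfRedirect", [""])[0]
            path = urlsplit(target).path   # compare on path, ignore query
            if path in pending:
                size = int(m["size"]) if m["size"].isdigit() else 0
                bounces.append({"time": m["ts"],
                                "request": pending.pop(path),
                                "login_page_bytes": size})
    return bounces


if __name__ == "__main__":
    for b in find_login_bounces(ACCESS_LOG):
        print(f'{b["time"]}  {b["request"]} -> login page ({b["login_page_bytes"]} bytes)')
```
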
