AnsweredAssumed Answered

CASifying share (4.2.x): Header or filter approach?

Question asked by stefanthomas on Jul 23, 2013
Latest reply on Jul 23, 2013 by stefanthomas
Dear all,

(we are new to Alfresco and this is my first post ever to the community - forgive me if I have overlooked some obvious resources to search for first)

we need to provide SSO with a 3.X CAS server for Alfreso share (4.2.x). The chapter 6.5.3 in the Alfresco wiki on authentication sub-systems describes how to change the shared configuration files. In this chapter we do not find any info about changing the web.xml to add new CAS filters or to replace the existing SSO filter with a special implementation which is forwarding the CAS-authenticated user to Alfrescos authentication system.

Hence, I assume that this 'manual' only works with an Apache upfront using mod_auth_cas, so Apache is doing
the redirect and then connects to Alfresco with the CAS-authenticated user in a request header? And this is then processed by SSOAuthenticationFilter out-of-the-box?

On the one hand, we do not have Apache in front of Alfresco (yet), second mod_auth_cas seems to be rather old (which must not be bad in general of course :-)) and finally, it is not officially supported for Windows (any more) - and thats where we are evaluating Alfresco currently.

Is the header based authentication the only SSO variant documented on the Wiki for Alfresco 4.2.x? Because we found numerous blogs/posts on the internet for different versions of Alfresco on this topic but nothing official from the Alfresco community.

We tried the filter approach documented somewhere else, but ended up with the exceptions for the guest user trying to the create the CAs-authenticated user in a read-only transaction context. We already tried to set the restrictions to readwrite, but did not notice a difference.

In our naive thinking we would like to add the CAS filters to the web.xml, tell Alfresco that external authentication exists in the config files and then "hope" SSOAuthenticationFilter is picking up the CAS-authenticated user from the http session or request. But it does not seem to be that easy.

Can you point us to some 'official' resources how to setup the filter approach with the current version of Alfresco? Or maybe just shed some light on the different options available in general for CASifying share?

Thank you and best wishes