
Alfresco 4.2.e Community hangs on startup if SSO authentication is enabled

Question asked by vmalygin on Jan 28, 2015

Hello community!
I found a deadlock during Alfresco startup when SSO authentication is enabled.
I use the following configuration:
1) Alfresco installation from alfresco-community-4.2.e-installer-win-x64 using Oracle JDK 1.7.0_67 64-bit
2) tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad\ldap-ad1\ldap-ad-authentication.properties
<code linenumbers="normal">
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.authentication.userNameFormat=%s

ldap.authentication.java.naming.provider.url={my ldap url}
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal={my ldap login}
ldap.synchronization.java.naming.security.credentials={my ldap password}
ldap.synchronization.groupSearchBase={my group search base}
ldap.synchronization.userSearchBase={my user search base}
</code>
3) tomcat\shared\classes\alfresco\extension\subsystems\Authentication\passthru\passthru1\ntlm-filter.properties
<code linenumbers="normal">
ntlm.authentication.sso.enabled=true
# ntlm.authentication.mapUnknownUserToGuest=false
# ntlm.authentication.browser.ticketLogons=true
</code>
4) tomcat\shared\classes\alfresco\extension\subsystems\Authentication\passthru\passthru1\passthru-authentication-context.properties
<code linenumbers="normal">
passthru.authentication.useLocalServer=false
passthru.authentication.domain={my domain}
passthru.authentication.servers={my authentication server}
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=Administrator
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NetBIOS
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
# passthru.authentication.sessionCleanup=true
</code>
5) tomcat\shared\classes\alfresco\web-extension\share-config-custom.xml
<code linenumbers="normal">
<alfresco-config>
   <config replace="true">
      <flags>
         <client-debug>true</client-debug>
         <client-debug-autologging>false</client-debug-autologging>
      </flags>
   </config>  
   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
      <visible>true</visible>
   </config>

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8282/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoCookie</connector-id>
            <endpoint-url>http://localhost:8282/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8282/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
         <endpoint>
            <id>activiti-admin</id>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user authentication</description>
            <connector-id>activiti-admin-connector</connector-id>
            <endpoint-url>http://localhost:8282/alfresco/activiti-admin</endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
   </config>
</alfresco-config>
</code>
6) tomcat\shared\classes\alfresco-global.properties
<code linenumbers="normal">
ntlm.authentication.sso.enabled=true
authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
</code>
This configuration starts successfully and SSO authentication works.
Now, if we add the following changes to our configuration, it will hang on startup because of a deadlock.
1) bean
<code linenumbers="normal">
package ru.it.lecm.auth.bootstrap;

import org.alfresco.service.cmr.security.AuthenticationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 *
 * @author vmalygin
 */
public class AuthBootstrapBean {

   private static final Logger LOGGER = LoggerFactory.getLogger(AuthBootstrapBean.class);

   private AuthenticationService authenticationService;

   public void setAuthenticationService(AuthenticationService authenticationService) {
      this.authenticationService = authenticationService;
   }

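   // Invoked by Spring as the bean's init-method (see the bean context below),
   // i.e. while the application context is still starting up.
   public void init() {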
      LOGGER.info("invoking authenticationService.getCurrentUserName()");
      try {
         LOGGER.info("current user name is {}", authenticationService.getCurrentUserName());
      } catch(Exception ex) {
         LOGGER.error("FAILURE invoking authenticationService.getCurrentUserName()", ex);
      }
   }
}
</code>
2) bean context
<code linenumbers="normal">
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
">
   <bean id="authBootstrapBean" class="ru.it.lecm.auth.bootstrap.AuthBootstrapBean" init-method="init">
      <property name="authenticationService" ref="authenticationService"/>
   </bean>
</beans>
</code>
If my configuration uses this bean, it will hang. I have the following output: alfresco.log, asynchronouslyRefreshedCacheThreadPool1-dump.txt, localhost-startStop-1-dump.txt (see attachment for details)

Is this behavior wrong, or should AuthenticationService not be used during startup?
Also, if I override the webClientConfigSource bean, removing <value>workspace://SpacesStore/${spaces.company_home.childname}/${spaces.dictionary.childname}/app:webclient_extension/cm:web-client-config-custom.xml</value>, my configuration will start successfully.
