
Alfresco 5 Share + CAS 3.5.2 + CAS Client 3.3.3 ticket validation problem

Question asked by giorgio76 on Jun 9, 2015
Latest reply on Aug 20, 2015 by jakub.krikala
Hi,
I've been working on this integration for the last 3-4 days. I have read a lot of threads and topics and resolved a lot of problems.
Now I have one last problem with ticket validation on the CAS server.
This is the scenario:

I want to configure Share for SSO with CAS on LDAP, but when I log in with credentials, the next call to the CAS ticket validator fails because the CAS server receives the URL plus 3 times the share context:

ticket 'ST-17-H3Ideiv7vHkeonY3j1Dg-cas01.example.org' does not match supplied service. The original service was 'https://machinename:8443/share/share/' and the supplied service was 'https://machinename:8443/share/share/share/'.

Where is the problem? Are there any problems with these software versions?

First of all, I have followed the topics and modified the configuration files manually.
Do I have to use the Alfresco admin console instead?
Is it possible to configure only the Share app for SSO with CAS? Or do I have to configure the Alfresco app too?

I have 1 machine with 2 Tomcat instances, 1 for the CAS server and 1 for the Alfresco server. I have my own certificates with ext=dns (the same for both Tomcat instances) signed by my own CA, in my own keystore. It all works.
I have Java 7 and Java 8 for the CAS Tomcat and the Alfresco Tomcat.
I have tried uncommenting the SSO valve in the Alfresco Tomcat server.xml… the same problem occurs.

I have modified these files:

share web.xml

   <filter>
           <filter-name>CAS Authentication Filter</filter-name>
           <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
           <init-param>
                   <param-name>casServerLoginUrl</param-name>
                   <param-value>https://machinename:18443/cas-server-webapp/login</param-value>
           </init-param>
           <init-param>
                   <param-name>serverName</param-name>
                   <param-value>https://machinename:8443/share</param-value>
           </init-param>
   </filter>
   <filter>
           <filter-name>CAS Validation Filter</filter-name>
           <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
           <init-param>
                   <param-name>casServerUrlPrefix</param-name>
                   <param-value>https://machinename:18443/cas-server-webapp</param-value>
           </init-param>
           <init-param>
                   <param-name>serverName</param-name>
                   <param-value>https://machinename:8443/share</param-value>
           </init-param>
   </filter>
   <filter>
           <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
           <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
   </filter>


   <filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>


All the other filters and filter mappings are commented out.
I have tried with Cas10TicketValidationFilter too… same problem.





alfresco-global.properties

authentication.chain=cas:external
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=X-Alfresco-Remote-User



web-extension/share-config-custom.xml

uncommented and configured

<config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>//certificates/myidentitykeystore.jks</path>
             <type>jks</type>
             <password>password</password>
         </keystore>
        
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
        
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>X-Alfresco-Remote-User</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>https://machinename:8443/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
        
         <endpoint>
            <id>alfresco-feed</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>https://machinename:8443/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
        
         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication.
                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>https://machinename:8443/alfresco/api</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>



Could anyone help me please?
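
An added example, not part of the original post: a simplified Python model of a CAS client that builds its service URL as `serverName` plus the request URI, showing how a `serverName` that carries the `/share` context path yields the two service values in the error message above. The function names, the model itself and the trimmed `web.xml` sample are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: trimmed, namespace-free version of the filter posted above.
WEB_XML = """<web-app>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://machinename:8443/share</param-value>
    </init-param>
  </filter>
</web-app>"""

def server_names(web_xml):
    """Return every serverName init-param value found in a web.xml string."""
    root = ET.fromstring(web_xml)
    return [p.findtext("param-value").strip()
            for p in root.iter("init-param")
            if p.findtext("param-name", "").strip() == "serverName"]

def service_url(server_name, request_uri):
    """Simplified model (assumption): serverName + request URI, ticket stripped."""
    return server_name + request_uri

def round_trip(server_name, first_uri="/share/"):
    """Return (service sent at login, service sent at ticket validation)."""
    at_login = service_url(server_name, first_uri)
    # CAS sends the browser back to the login service URL with ?ticket=ST-...
    callback_uri = urlsplit(at_login).path
    at_validation = service_url(server_name, callback_uri)
    return at_login, at_validation

def lint(web_xml):
    """Flag serverName values that carry a path and show the resulting mismatch."""
    findings = []
    for name in server_names(web_xml):
        if urlsplit(name).path.strip("/"):
            findings.append((name, *round_trip(name)))
    return findings

if __name__ == "__main__":
    for name, login, validation in lint(WEB_XML):
        print(f"serverName {name!r} includes a path")
        print(f"  service at login:      {login}")
        print(f"  service at validation: {validation}")
    # Host-only serverName: both values agree.
    print(round_trip("https://machinename:8443"))
```
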











