  1. Service Packs and Hot Fixes
  2. MNT-12801

external.authentication.userIdPattern isn't compatible with Share

      Description

      One of the options with the External Authentication subsystem is userIdPattern which allows Alfresco to pick out part of a special header to extract the username. For example, with a subsystem with the following properties:

      external.authentication.defaultAdministratorUserNames=admin,nick
      external.authentication.enabled=true
      external.authentication.proxyUserName=
      external.authentication.proxyHeader=X-My-Auth-Header
      external.authentication.userIdPattern=^TESTignore-(\\w+)-ignore
      

      If you make a request like:

      curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8080/alfresco/
      

      You'll be automatically logged in as "admin" (with the rest stripped out).

      However, the documentation for this makes no mention that it doesn't work with Share. The suggested Share config for external authentication is something like:

         <config evaluator="string-compare" condition="Remote">
              <remote>
                  <connector>
                     <id>alfrescoHeader</id>
                     <name>Alfresco Connector</name>
                     <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
                     <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                     <userHeader>X-My-Auth-Header</userHeader>
                  </connector>
      
                  <endpoint>
                      <id>alfresco</id>
                      <name>Alfresco - user access</name>
                      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                      <connector-id>alfrescoHeader</connector-id>
                      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                      <identity>user</identity>
                      <external-auth>true</external-auth>
                  </endpoint>
              </remote>
          </config>
      

      If you're not using a userIdPattern, you can make a request like:

      curl -X GET -L -H "X-My-Auth-Header: admin" http://localhost:8081/share/page/ | grep Alfresco.constants.USERNAME
      

      And you'll see you've been automatically logged in as the "admin" user. However, if you turn on the userIdPattern, Share doesn't know, so it all goes a bit wrong, as with a request like:

      curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8081/share/
      

      Share will think you're logged in as "TESTignore-admin-ignore" while the Repo knows you as "admin", and then lots of things break.

      There should either be a way to specify the userIdPattern to Share too, or the documentation and examples need to make clear that it is only supported with Explorer / WCServices and not with Share.
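
A configuration check for the mismatch described in this issue, as an added example (not part of the original report and not Alfresco code). It reads the repository properties and the Share connector config quoted above and reports when both tiers read the same header but would derive different user names. Assumptions: the repository uses the first capture group of userIdPattern, the properties reader is simplified, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, reduced from the settings quoted in this issue.
REPO_PROPS = r"""
external.authentication.proxyHeader=X-My-Auth-Header
external.authentication.userIdPattern=^TESTignore-(\\w+)-ignore
"""
SHARE_CONFIG = """
<config evaluator="string-compare" condition="Remote"><remote>
  <connector><id>alfrescoHeader</id><userHeader>X-My-Auth-Header</userHeader></connector>
  <endpoint><connector-id>alfrescoHeader</connector-id><external-auth>true</external-auth></endpoint>
</remote></config>
"""

def load_properties(text):
    """Simplified .properties reader: key=value lines, backslash escapes collapsed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def repo_user(props, header_value):
    """Assumed repository behaviour: first capture group of userIdPattern, else raw value."""
    pattern = props.get("external.authentication.userIdPattern", "")
    if not pattern:
        return header_value
    m = re.search(pattern, header_value)
    return m.group(1) if m else None  # None: the repository would not accept the header

def share_header_connectors(xml_text):
    """Map connector id -> userHeader for connectors used by external-auth endpoints."""
    root = ET.fromstring(xml_text.strip())
    headers = {c.findtext("id"): c.findtext("userHeader") for c in root.iter("connector")}
    used = {e.findtext("connector-id") for e in root.iter("endpoint")
            if (e.findtext("external-auth") or "").strip().lower() == "true"}
    return {cid: h for cid, h in headers.items() if cid in used and h}

def find_mismatches(props_text, share_xml, sample_header_value):
    """Return (connector id, Share user, repo user) where the two tiers disagree."""
    props = load_properties(props_text)
    proxy = props.get("external.authentication.proxyHeader", "").lower()
    expected = repo_user(props, sample_header_value)
    return [(cid, sample_header_value, expected)
            for cid, h in share_header_connectors(share_xml).items()
            if h.lower() == proxy and expected != sample_header_value]
```

Calling `find_mismatches(REPO_PROPS, SHARE_CONFIG, "TESTignore-admin-ignore")` reports the `alfrescoHeader` connector, with Share's user as the raw header value and the repository's as "admin".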

              People

              • Assignee:
                closedbugs Closed Bugs
                Reporter:
                nburch Nick Burch
                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 4h