Uploaded image for project: 'Service Packs and Hot Fixes'
  1. Service Packs and Hot Fixes
  2. MNT-12801

external.authentication.userIdPattern isn't compatible with Share

    Details

      Description

      One of the options with the External Authentication subsystem is userIdPattern which allows Alfresco to pick out part of a special header to extract the username. For example, with a subsystem with the following properties:

      external.authentication.defaultAdministratorUserNames=admin,nick
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-My-Auth-Header
external.authentication.userIdPattern=^TESTignore-(\\w+)-ignore

      If you make a request like:

      curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8080/alfresco/

      You'll be automatically logged in as "admin" (with the rest stripped out)

      However, the documentation for this makes no mention that it doesn't work with Share. The suggested Share config for external authentication is something like:

         <config evaluator="string-compare" condition="Remote">
        <remote>
            <connector>
               <id>alfrescoHeader</id>
               <name>Alfresco Connector</name>
               <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
               <class&gt;org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class&gt;
               <userHeader>X-My-Auth-Header</userHeader>
            </connector>

            <endpoint>
                <id>alfresco</id>
                <name>Alfresco - user access</name>
                <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                <connector-id>alfrescoHeader</connector-id>
                <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                <identity>user</identity>
                <external-auth>true</external-auth>
            </endpoint>
        </remote>
    </config>

      If you're not using a userIdPattern, you can make a request like:

      curl -X GET -L -H "X-My-Auth-Header: admin" http://localhost:8081/share/page/ | grep Alfresco.constants.USERNAME

      And you'll see you've been automatically logged in as the "admin" user. However, if you turn on the userIdPattern, Share doesn't know, so it all goes a bit wrong as with a request like:

      curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8081/share/

      Share will think you're logged in as "TESTignore-admin-ignore" while the Repo knows you as "admin", and then lots of things break

      There should either be a way to specify the userIdPattern to Share too, or the documentation + examples needs to make clear that it is only supported with Explorer / WCServices and not with Share

        Attachments

          Issue Links

          is cloned by

          Hot Fix Request - MNT-13716 CLONE - external.authentication.userIdPattern isn't compatible with Share

          • Closed

            Structure

              Activity

                People

                • Assignee:
                  closedbugs Closed Bugs (Inactive)
                  Reporter:
                  nburch Nick Burch (Inactive)
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:

                    Time Tracking

                    Estimated:
                    Original Estimate - Not Specified
                    Not Specified
                    Remaining:
                    Remaining Estimate - 0 minutes
                    0m
                    Logged:
                    Time Spent - 4 hours
                    4h

                      Structure Helper Panel