Details
Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 4.1
Fix Version/s: 5.0.1
Component/s: Repository Authentication and SSO, Share Application
Labels: None
Description
One of the options with the External Authentication subsystem is userIdPattern which allows Alfresco to pick out part of a special header to extract the username. For example, with a subsystem with the following properties:
external.authentication.defaultAdministratorUserNames=admin,nick
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-My-Auth-Header
external.authentication.userIdPattern=^TESTignore-(\\w+)-ignore
If you make a request like:
curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8080/alfresco/
You'll be automatically logged in as "admin" (with the rest stripped out).
However, the documentation for this makes no mention that it doesn't work with Share. The suggested Share config for external authentication is something like:
<config evaluator="string-compare" condition="Remote">
  <remote>
    <connector>
      <id>alfrescoHeader</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      <userHeader>X-My-Auth-Header</userHeader>
    </connector>
    <endpoint>
      <id>alfresco</id>
      <name>Alfresco - user access</name>
      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
      <connector-id>alfrescoHeader</connector-id>
      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
    </endpoint>
  </remote>
</config>
If you're not using a userIdPattern, you can make a request like:
curl -X GET -L -H "X-My-Auth-Header: admin" http://localhost:8081/share/page/ | grep Alfresco.constants.USERNAME
And you'll see you've been automatically logged in as the "admin" user. However, if you turn on the userIdPattern, Share doesn't know, so it all goes a bit wrong as with a request like:
curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8081/share/
Share will think you're logged in as "TESTignore-admin-ignore" while the Repo knows you as "admin", and then lots of things break.
There should either be a way to specify the userIdPattern to Share too, or the documentation and examples need to make clear that it is only supported with Explorer / WCServices and not with Share.
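The mismatch described above can be reproduced offline with a small model of the two tiers. This is an added example, not Alfresco or Share code: the function names are hypothetical, the inputs are constructed from the settings quoted in the description, and the "no match means no user" behaviour on the repository side is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, copied from the settings quoted in the description.
REPO_PROPERTIES = r"""
external.authentication.enabled=true
external.authentication.proxyHeader=X-My-Auth-Header
external.authentication.userIdPattern=^TESTignore-(\\w+)-ignore
"""
SHARE_CONFIG = """
<config evaluator="string-compare" condition="Remote"><remote><connector>
  <id>alfrescoHeader</id>
  <userHeader>X-My-Auth-Header</userHeader>
</connector></remote></config>
"""

def load_properties(text):
    """Read key=value lines, undoing the .properties escaping of backslashes."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props

def repo_user(props, headers):
    """Model of the repository side: apply userIdPattern, keep capture group 1."""
    value = headers.get(props["external.authentication.proxyHeader"])
    pattern = props.get("external.authentication.userIdPattern")
    if value is None or not pattern:
        return value
    match = re.search(pattern, value)
    return match.group(1) if match else None  # assumption: no match, no user

def share_user(share_xml, headers):
    """Model of the Share side: the configured userHeader value is used as-is."""
    header = ET.fromstring(share_xml).findtext(".//connector/userHeader")
    return headers.get(header)

def check_request(props, share_xml, headers):
    """Return (repo identity, Share identity, True when both tiers agree)."""
    repo, share = repo_user(props, headers), share_user(share_xml, headers)
    return repo, share, repo == share

if __name__ == "__main__":
    props = load_properties(REPO_PROPERTIES)
    for sample in ("TESTignore-admin-ignore", "admin"):
        print(sample, check_request(props, SHARE_CONFIG, {"X-My-Auth-Header": sample}))
```

Running the same check against a deployment's real property values and Share connector config shows whether the two tiers would resolve one header to different user names.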
Issue Links
- is cloned by: MNT-13716 CLONE - external.authentication.userIdPattern isn't compatible with Share (Closed)