[MNT-12801] external.authentication.userIdPattern isn't compatible with Share - Alfresco JIRA

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 4.1
Fix Version/s: 5.0.1
Component/s: Repository Authentication and SSO, Share Application
Labels:
None

Build Location:
https://releases.alfresco.com/Enterprise-5.0/5.0.1/build-00068/

Description

One of the options with the External Authentication subsystem is userIdPattern which allows Alfresco to pick out part of a special header to extract the username. For example, with a subsystem with the following properties:

external.authentication.defaultAdministratorUserNames=admin,nick
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-My-Auth-Header
external.authentication.userIdPattern=^TESTignore-(\\w+)-ignore

If you make a request like:

curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8080/alfresco/

You'll be automatically logged in as "admin" (with the rest stripped out)

However, the documentation for this makes no mention that it doesn't work with Share. The suggested Share config for external authentication is something like:

   <config evaluator="string-compare" condition="Remote">
        <remote>
            <connector>
               <id>alfrescoHeader</id>
               <name>Alfresco Connector</name>
               <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
               <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
               <userHeader>X-My-Auth-Header</userHeader>
            </connector>

            <endpoint>
                <id>alfresco</id>
                <name>Alfresco - user access</name>
                <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                <connector-id>alfrescoHeader</connector-id>
                <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                <identity>user</identity>
                <external-auth>true</external-auth>
            </endpoint>
        </remote>
    </config>

If you're not using a userIdPattern, you can make a request like:

curl -X GET -L -H "X-My-Auth-Header: admin" http://localhost:8081/share/page/ | grep Alfresco.constants.USERNAME

And you'll see you've been automatically logged in as the "admin" user. However, if you turn on the userIdPattern, Share doesn't know, so it all goes a bit wrong as with a request like:

curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8081/share/

Share will think you're logged in as "TESTignore-admin-ignore" while the Repo knows you as "admin", and then lots of things break

There should either be a way to specify the userIdPattern to Share too, or the documentation + examples needs to make clear that it is only supported with Explorer / WCServices and not with Share

Attachments

Issue Links

is cloned by

MNT-13716 CLONE - external.authentication.userIdPattern isn't compatible with Share

Closed

Activity

People

Assignee:

Closed Bugs

Reporter:

Nick Burch

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

15-Mar-13 09:57 PM

Updated:

10-Apr-15 03:54 PM

Resolved:

26-Nov-14 02:41 PM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: