Service Packs and Hot Fixes / MNT-12801

external.authentication.userIdPattern isn't compatible with Share

      Description

      One of the options with the External Authentication subsystem is userIdPattern which allows Alfresco to pick out part of a special header to extract the username. For example, with a subsystem with the following properties:

      external.authentication.defaultAdministratorUserNames=admin,nick
      external.authentication.enabled=true
      external.authentication.proxyUserName=
      external.authentication.proxyHeader=X-My-Auth-Header
      external.authentication.userIdPattern=^TESTignore-(\\w+)-ignore
      

      If you make a request like:

      curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8080/alfresco/
      

      You'll be automatically logged in as "admin" (with the rest stripped out).

      However, the documentation for this makes no mention that it doesn't work with Share. The suggested Share config for external authentication is something like:

         <config evaluator="string-compare" condition="Remote">
              <remote>
                  <connector>
                     <id>alfrescoHeader</id>
                     <name>Alfresco Connector</name>
                     <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
                     <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                     <userHeader>X-My-Auth-Header</userHeader>
                  </connector>
      
                  <endpoint>
                      <id>alfresco</id>
                      <name>Alfresco - user access</name>
                      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                      <connector-id>alfrescoHeader</connector-id>
                      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                      <identity>user</identity>
                      <external-auth>true</external-auth>
                  </endpoint>
              </remote>
          </config>
      

      If you're not using a userIdPattern, you can make a request like:

      curl -X GET -L -H "X-My-Auth-Header: admin" http://localhost:8081/share/page/ | grep Alfresco.constants.USERNAME
      

      And you'll see you've been automatically logged in as the "admin" user. However, if you turn on the userIdPattern, Share doesn't know, so it all goes a bit wrong, as with a request like:

      curl -X GET -L -H "X-My-Auth-Header: TESTignore-admin-ignore" http://localhost:8081/share/
      

      Share will think you're logged in as "TESTignore-admin-ignore" while the Repo knows you as "admin", and then lots of things break.

      There should either be a way to specify the userIdPattern to Share too, or the documentation + examples need to make clear that it is only supported with Explorer / WCServices and not with Share.

                People

                • Assignee: closedbugs (Closed Bugs)
                • Reporter: nburch (Nick Burch)
                    Time Tracking

                    • Original Estimate: Not Specified
                    • Remaining Estimate: 0 minutes
                    • Time Spent: 4 hours