  1. Alfresco
  2. ALF-21848

Improve support for third party SSO via web-fragment.xml

    Details

    • Triage:
      ACE

      Description

      It would greatly help integrating third party SSO components if the authentication filters were moved to a web-fragment.xml so that it is possible to inject the third party filters before the Alfresco authentication filters. (e.g. CAS)

      Third party filters can then set the value returned by request.getRemoteUser() before the Alfresco filters are reached.

      Some other things to take into account:

      Be aware of deep linking, e.g. going directly to a document rather than the dashboard. Because the destination is held in the session rather than in URL parameters when the user is not logged in during the initial request, this can be fragile.

      The platform (repository) also needs to be covered because of access to the workflow console etc. (What is the correct URL to access this? Should it be /s/, /service/, /wcs/ or /wcservice/?)

      The new API and mobile apps also need to be considered (http://docs.alfresco.com/5.1/tasks/configure-ssl-prod.html is a good starting point to see endpoints, but it misses out a number used by the mobile apps).

      The noauth endpoint also needs to be taken into account - the docs can lead you to miss this out - as far as I can tell it's only used for invites and the share (via email, Twitter etc.) feature.

      It would be good to support the Servlet 3 logout method as that would allow the third party filters to support single log out.

      As a minimum, move the following from web.xml into a web-fragment.xml:

         <filter>
            <description>MT authentication support</description>
            <filter-name>MTAuthentationFilter</filter-name>
            <filter-class>org.alfresco.web.site.servlet.MTAuthenticationFilter</filter-class>
         </filter>
      
         <filter>
            <description>Share SSO authentication support filter.</description>
            <filter-name>Authentication Filter</filter-name>
            <filter-class>org.springframework.extensions.webscripts.servlet.BeanProxyFilter</filter-class>
            <init-param>
               <param-name>beanName</param-name>
               <param-value>SSOAuthenticationFilter</param-value>
            </init-param>
         </filter>
      
      
      
      
         <filter-mapping>
            <filter-name>MTAuthentationFilter</filter-name>
            <url-pattern>/page/*</url-pattern>
         </filter-mapping>
      
         <filter-mapping>
            <filter-name>MTAuthentationFilter</filter-name>
            <url-pattern>/p/*</url-pattern>
         </filter-mapping>
      
         <filter-mapping>
            <filter-name>MTAuthentationFilter</filter-name>
            <url-pattern>/proxy/*</url-pattern>
         </filter-mapping>
      
         <filter-mapping>
            <filter-name>Authentication Filter</filter-name>
            <url-pattern>/page/*</url-pattern>
         </filter-mapping>
      
         <filter-mapping>
            <filter-name>Authentication Filter</filter-name>
            <url-pattern>/p/*</url-pattern>
         </filter-mapping>
      
         <filter-mapping>
            <filter-name>Authentication Filter</filter-name>
            <url-pattern>/proxy/*</url-pattern>
         </filter-mapping>
      
         <filter-mapping>
            <filter-name>Authentication Filter</filter-name>
            <url-pattern>/service/*</url-pattern>
         </filter-mapping>
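
As an added illustration (not part of the original issue and not Alfresco's own configuration): if the filters above were declared in a fragment, a third-party SSO jar could place its filter ahead of them with Servlet 3.0 fragment ordering. The fragment names `alfresco_share_auth` and `thirdparty_sso`, the filter name and the class `com.example.sso.ExampleSsoFilter` are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/web-fragment.xml inside the third-party SSO jar (WEB-INF/lib). -->
<web-fragment xmlns="http://java.sun.com/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                  http://java.sun.com/xml/ns/javaee/web-fragment_3_0.xsd"
              version="3.0">

   <!-- Hypothetical name of this fragment. -->
   <name>thirdparty_sso</name>

   <!-- Assumption: the Share authentication filters live in a fragment
        named alfresco_share_auth. Ordering this fragment before it puts
        these filter mappings earlier in the chain. -->
   <ordering>
      <before>
         <name>alfresco_share_auth</name>
      </before>
   </ordering>

   <filter>
      <description>Third-party SSO filter (hypothetical class); expected to
         wrap the request so that getRemoteUser() returns the SSO user.</description>
      <filter-name>Example SSO Filter</filter-name>
      <filter-class>com.example.sso.ExampleSsoFilter</filter-class>
   </filter>

   <!-- Same URL patterns as the Alfresco filter mappings listed in the issue,
        so no mapped path reaches the Alfresco filters without passing here first. -->
   <filter-mapping>
      <filter-name>Example SSO Filter</filter-name>
      <url-pattern>/page/*</url-pattern>
      <url-pattern>/p/*</url-pattern>
      <url-pattern>/proxy/*</url-pattern>
      <url-pattern>/service/*</url-pattern>
   </filter-mapping>

</web-fragment>
```

Fragment ordering applies only among fragments, so it has no effect on filter mappings that remain in the main web.xml, and fragments are ignored entirely if web.xml sets `metadata-complete="true"`.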
      


            People

            • Assignee:
              uiteam Web Apps
              Reporter:
              idwright Ian Wright