  1. Service Packs and Hot Fixes
  2. MNT-12764

The X-Alfresco-Remote-User (SsoUserHeader) SSO code path executes x2 requests and is stateful when it does not need to be



Share can be configured to use an SSO remote-user header (commonly X-Alfresco-Remote-User or SsoUserHeader), with Alfresco set to use External auth first in the authentication chain.

However, this effectively executes twice as many requests as needed and is also stateful when it does not need to be.

This is because the SSOAuthenticationFilter uses the same Session-based challenge/response code path for remote-user as it does for NTLM/Kerberos etc. This should be avoided, as it means the /touch API is called before each and every request to the repo - hugely increasing the traffic between the web-tier and the repo-tier.

The fix is to avoid calling /touch more than once per Share session for a Share user when the SSO remote-user header config is used, and also to allow Remote configuration from Share that uses the stateless /service endpoint instead of the Session-based /wcservice endpoint.
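One way to confirm the symptom (or the fix) from the repo-tier side is to count /touch calls per remote user in an access log. This is an added example, not code from the ticket or from Alfresco; the log format (third field carrying the remote-user header value), the `/alfresco/wcservice/...` paths and the function names are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed repo-tier access log (assumed format: third field is the value
# of the SSO remote-user header). "alice" shows the pre-fix pattern of one
# /touch before every request; "bob" shows a single /touch for the session.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Jan/2015:10:00:01 +0000] "GET /alfresco/wcservice/touch HTTP/1.1" 200 0
10.0.0.5 - alice [12/Jan/2015:10:00:01 +0000] "GET /alfresco/wcservice/api/people/alice HTTP/1.1" 200 512
10.0.0.5 - alice [12/Jan/2015:10:00:02 +0000] "GET /alfresco/wcservice/touch HTTP/1.1" 200 0
10.0.0.5 - alice [12/Jan/2015:10:00:02 +0000] "GET /alfresco/wcservice/api/sites HTTP/1.1" 200 2048
10.0.0.5 - alice [12/Jan/2015:10:00:03 +0000] "GET /alfresco/wcservice/touch HTTP/1.1" 200 0
10.0.0.5 - alice [12/Jan/2015:10:00:03 +0000] "GET /alfresco/wcservice/api/tags?q=a HTTP/1.1" 200 128
10.0.0.5 - bob [12/Jan/2015:10:05:00 +0000] "GET /alfresco/wcservice/touch HTTP/1.1" 200 0
10.0.0.5 - bob [12/Jan/2015:10:05:00 +0000] "GET /alfresco/wcservice/api/people/bob HTTP/1.1" 200 512
10.0.0.5 - bob [12/Jan/2015:10:05:01 +0000] "GET /alfresco/wcservice/api/sites HTTP/1.1" 200 2048
10.0.0.5 - bob [12/Jan/2015:10:05:02 +0000] "GET /alfresco/wcservice/api/tags?q=b HTTP/1.1" 200 128
"""

LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def touch_stats(log_text, touch_suffix="/touch"):
    """Return {user: (touch_calls, other_calls)} for the given log text."""
    touch, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        bucket = touch if path.endswith(touch_suffix) else other
        bucket[m.group("user")] += 1
    return {u: (touch[u], other[u]) for u in set(touch) | set(other)}

def flag_repeated_touch(stats, max_touch=1):
    """Users with more /touch calls than expected for one session.

    Assumes the log window covers a single Share session per user.
    """
    return sorted(u for u, (t, _) in stats.items() if t > max_touch)

if __name__ == "__main__":
    stats = touch_stats(SAMPLE_LOG)
    for user, (t, o) in sorted(stats.items()):
        print(f"{user}: {t} /touch calls, {o} other requests")
    print("repeated /touch:", flag_repeated_touch(stats))
```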


        1. alfresco-global.properties (2 kB)
        2. httpd.conf (34 kB)
        3. MNT-12764.pcapng (25 kB)
        4. MNT-12764.Web Script Status 500 - Internal Error.png (127 kB)
        5. Rss - external auth.png (109 kB)
        6. share-config-custom.xml (17 kB)




              • Assignee:
                closedbugs Closed Bugs (Inactive)
                kroast Kevin Roast [X] (Inactive)