Service Packs and Hot Fixes / MNT-1416

Use of Flash technology to upload documents into a Share site makes the use of (some) external authentication methods difficult (or impossible)

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.3.1, 3.3.2
    • Fix Version/s: 3.3.3, 3.4
    • Component/s: Installer
    • Labels:
      None
    • Environment:
      external auth with apache front end on linux+mysql+tomcat
    • ACT Numbers:

      734466

      Description

      How to reproduce?
      =================

      1) create a 3.3.1 (or 3.3.2prerelease) system (linux+mysql+tomcat)

      2) set authentication chain and parameters to:

      -------------------------
      authentication.chain=external1:external
      external.authentication.enabled=true
      external.authentication.proxyHeader=X-Alfresco-Remote-User
      external.authentication.proxyUserName=
      -------------------------

      3) we need a way to set the REMOTE_USER CGI variable.
      One way to do this is to put an Apache front end with an ajp1.3 connector with basic auth, i.e.:

      a) create a /usr/local/apache2/conf/workers.properties file with:

      -------------------------
      worker.list=alexwk,jkstatus
      worker.alexwk.host=127.0.0.1
      worker.alexwk.port=8009
      worker.alexwk.type=ajp13
      worker.alexwk.lbfactor=100
      -------------------------

      b) in apache httpd.conf:

      -------------------------
      JkworkersFile "/usr/local/apache2/conf/workers.properties"
      <VirtualHost 127.0.0.5:80>
      ServerName alfjk2.foo
      JkLogFile "/usr/local/apache2/logs/mod_jk_2.log"
      JkMount /alfresco alexwk
      JkMount /alfresco/* alexwk
      JkMount /share alexwk
      JkMount /share/* alexwk
      JkLogLevel info
      <Location / >
      AuthType Basic
      AuthName "Test Basic Auth"
      AuthUserFile /usr/local/apache2/passtest.txt
      Require valid-user
      </Location>
      </VirtualHost>
      -------------------------

      4) In tomcat server.xml, define an ajp13 connector turning off tomcat authentication:

      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />

      5) generate a password file with admin/admin:
      /usr/local/apache2/bin/htpasswd -c /usr/local/apache2/passtest.txt admin

      6) check the CGI variable setup by putting in a new file
      'tomcat/webapps/alfresco/test.jsp':

      -------------------------
      getRemoteUser() is set to:
      <% out.print (request.getRemoteUser()); %>
      -------------------------
      and go to:

      http://alfjk2.foo/alfresco/test.jsp

      You should see the name of the HTTP user.

      7) confirm you can go to:
      http://alfjk2.foo/alfresco
      and log in as admin

      8) configure Share to use the X-Alfresco-Remote-User to authenticate to alfresco:

      tomcat/shared/classes/alfresco/web-extension/webscript-framework-config-custom.xml

      (in 3.3.2: share-config-custom.xml)
      uncomment the NTLM paragraph

      -------------------------
      <config evaluator="string-compare" condition="Remote">
      <remote>
      <connector>
      <id>alfrescoCookie</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using cookie-based authentication</description>
      <class>org.alfresco.connector.AlfrescoConnector</class>
      </connector>
      <endpoint>
      <id>alfresco</id>
      <name>Alfresco - user access</name>
      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
      <connector-id>alfrescoCookie</connector-id>
      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
      </endpoint>
      </remote>
      </config>
      -------------------------

      9) check you can log in as admin into share
      10) create a share test site (public or private, does not matter)
      11) upload a document into the site's document library.

      Results:
      ========
      The upload fails (see screen shot external.png and see video share_external_auth.ogv for the full process)

      Expected result:
      ===============
      Upload works.

      Analysis:
      =========
      The design of Share, based on a Flash uploader, makes external authentication difficult.
      Looking at a network dump of the traffic between the client and the server (see attached share2.pcap):

      ----------
      POST /share/proxy/alfresco/api/upload;jsessionid=26689B8065651C53EEAB6558E0A87314 HTTP/1.1
      Host: alfjk2.foo
      Accept: /
      User-Agent: Shockwave Flash
      Connection: Keep-Alive
      Cache-Control: no-cache
      Content-Length: 1167
      Expect: 100-continue
      Content-Type: multipart/form-data; boundary=----------------------------feed47596273

      HTTP/1.1 401 Authorization Required
      Date: Wed, 04 Aug 2010 13:35:00 GMT
      Server: Apache
      WWW-Authenticate: Basic realm="Test Basic Auth"
      Content-Length: 461
      Keep-Alive: timeout=15, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=iso-8859-1

      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>401 Authorization Required</title>
      </head><body>
      <h1>Authorization Required</h1>
      <p>This server could not verify that you
      are authorized to access the document
      requested. Either you supplied the wrong
      credentials (e.g., bad password), or your
      browser doesn't understand how to supply
      the credentials required.</p>
      <hr>
      <address>Apache Server at alfjk2.foo Port 80</address>
      </body></html>
      ---------

      One sees that the Flash uploader does not send the authorization basic header:

      Authorization: Basic YWRtaW46YWRtaW4=

      as the web browser does.

      tkt 734466

      1. share_external_auth.ogv
        2.68 MB
        Alex Madon
      2. share2.pcap
        2 kB
        Alex Madon
      1. external.png
        94 kB
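
Added example (not part of the original report or of Alfresco's code): a small Python check that reads the heads of an HTTP request/response pair and reports whether a 401 challenge was caused by a client that sent no Basic credentials, which is the condition the analysis above identifies. The sample messages are constructed from the capture quoted in the report; `ExampleBrowser` and the function names are assumptions.

```python
import base64

# Constructed sample: request and response heads taken from the capture quoted
# in the report (bodies and some headers omitted).
FLASH_REQUEST = (
    "POST /share/proxy/alfresco/api/upload;jsessionid=26689B8065651C53EEAB6558E0A87314 HTTP/1.1\r\n"
    "Host: alfjk2.foo\r\n"
    "User-Agent: Shockwave Flash\r\n"
    "Content-Type: multipart/form-data; boundary=----------------------------feed47596273\r\n\r\n"
)
# Assumption: the same upload as a browser would send it, with the header from the report.
BROWSER_REQUEST = FLASH_REQUEST.replace(
    "User-Agent: Shockwave Flash\r\n",
    "User-Agent: ExampleBrowser\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n",
)
RESPONSE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    'WWW-Authenticate: Basic realm="Test Basic Auth"\r\n\r\n'
)

def parse_head(raw):
    """Split an HTTP message head into (start_line, {lower-cased header: value})."""
    start, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers

def basic_user(headers):
    """Return the user name carried in a Basic Authorization header, or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _ = decoded.partition(":")
    return user if sep else None

def diagnose(request, response):
    """Classify an exchange: challenged without credentials, credentials sent, or neither."""
    _, req = parse_head(request)
    status, resp = parse_head(response)
    user = basic_user(req)
    if status.split()[1] == "401" and "www-authenticate" in resp and user is None:
        return "no-credentials: " + req.get("user-agent", "unknown client")
    return "credentials-present: " + user if user else "not-challenged"
```

Running `diagnose` over request/response pairs exported from a capture such as share2.pcap shows which clients hit the front end without credentials; the Basic token is only base64-encoded, so captures containing it should be handled as containing the password.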

          Activity

          dward added a comment -

          For retest on V3.3.3 build 182

          Alfresco QA Team added a comment -

          Validated against 3.3.3.194

          dward added a comment -

          For retest in 3.4b

          Steve Rigby added a comment -

          For retest in 3.4.b build 3185 or later

          Alfresco QA Team added a comment -

          Validated against 3.4.376


            People

            • Assignee:
              Closed Bugs
            • Reporter:
              Alex Madon
            • Votes:
              0
            • Watchers:
              4
