Uploaded image for project: 'Service Packs and Hot Fixes'
  1. Service Packs and Hot Fixes
  2. MNT-15942

CLONE - SSO alfrescoHeader problems in Share 201602-GA

    Details

      Description

      After upgrading from CE 5.0d to 5.1e, there appeared to be a problem with SSO using alfrescoHeader.
      The login process does work, bu, amongst others. the Dashboard is broken and doesn't show any information. See attached screenshot.

      I traced this problem to the SSO authentication, due to enabling parts one by one. After disabling SSO authentication in share-config-custom.xml, things started working as intended again.

      I use the following config in alfresco-global.properties:

      authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
      external.authentication.enabled=true
      external.authentication.proxyUserName=
      external.authentication.proxyHeader=SsoUserHeader
      

      And the following in share-config-xustom.xml

         <config evaluator="string-compare" condition="Remote">
            <remote>
               <connector>
                  <id>alfrescoCookie</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
               </connector>
      
               <connector>
                  <id>alfrescoHeader</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                  <userHeader>SsoUserHeader</userHeader>
               </connector>
      
               <endpoint>
                  <id>alfresco</id>
                  <name>Alfresco - user access</name>
                  <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                  <connector-id>alfrescoHeader</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                  <identity>user</identity>
                  <external-auth>true</external-auth>
               </endpoint>
      
               <endpoint>
                  <id>alfresco-feed</id>
                  <parent-id>alfresco</parent-id>
                  <name>Alfresco Feed</name>
                  <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
                  <connector-id>alfrescoHeader</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                  <identity>user</identity>
                  <external-auth>true</external-auth>
               </endpoint>
      
               <endpoint>
                  <id>alfresco-api</id>
                  <parent-id>alfresco</parent-id>
                  <name>Alfresco Public API - user access</name>
                  <description>Access to Alfresco Repository Public API that require user authentication.
                               This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
                  <connector-id>alfrescoHeader</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
                  <identity>user</identity>
                  <external-auth>true</external-auth>
               </endpoint>
            </remote>
         </config>
      

      As I understand, since 5.1 you can use an other endpoint-url for the alfresco-endpint.
      I tried "<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>" instead of "<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>", but got the same result.

      No CSRF-errors are present in the log.

      When setting the SSOAuthenticationFilter on debug, I see the following relevant info in the log:

      #During startup:
      2016-03-16 10:05:23,962  DEBUG [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] Initializing the SSOAuthenticationFilter.
       2016-03-16 10:05:23,967  DEBUG [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] Endpoint is alfresco
       2016-03-16 10:05:23,967  DEBUG [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] userHeader is SsoUserHeader
       2016-03-16 10:05:23,967  DEBUG [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] userIdPattern is null
       2016-03-16 10:05:23,968  INFO  [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] SSOAuthenticationFilter initialised.
      
      # When & directly after logging in
      2016-03-16 10:06:57,833  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-5] Processing request /share/page/ SID:64181817416B97015C074BE5C07FFCBA
       2016-03-16 10:06:58,737  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-5] Initial login from externally authenticated user user@domain.ext
       2016-03-16 10:06:58,740  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-5] Accept-Language header present: en,nl;q=0.7,en-US;q=0.3
       2016-03-16 10:07:00,646  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-5] Authentication not required, chaining ...
       2016-03-16 10:07:01,439  INFO  [web.site.EditionInterceptor] [http-apr-8080-exec-5] Successfully retrieved license information from Alfresco.
       2016-03-16 10:07:02,537  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-3] Processing request /share/page/user/user%40domain.ext/dashboard SID:64181817416B97015C074BE5C07FFCBA
       2016-03-16 10:07:02,587  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-3] userHeader external auth - skipping auth filter...
       2016-03-16 10:07:20,464  INFO  [web.scripts.ImapServerStatus] [http-apr-8080-exec-3] Successfully retrieved IMAP server status from Alfresco: disabled
       2016-03-16 10:07:33,871  INFO  [solr.component.AsyncBuildSuggestComponent] [Suggestor-alfresco-1] Loaded suggester shingleBasedSuggestions, took 60570 ms
       2016-03-16 10:07:38,190  DEBUG [site.servlet.SSOAuthenticationFilter] [ajp-apr-8009-exec-1] Processing request /share/service/messages_5b3209b57be25b3a2576369a850f63e3.js SID:64181817416B97015C074BE5C07FFCBA
       2016-03-16 10:07:38,191  DEBUG [site.servlet.SSOAuthenticationFilter] [ajp-apr-8009-exec-1] Validating repository session for user@domain.ext
       2016-03-16 10:07:38,191  DEBUG [site.servlet.SSOAuthenticationFilter] [ajp-apr-8009-exec-1] Accept-Language header present: en,nl;q=0.7,en-US;q=0.3
       Mar 16, 2016 10:07:38 AM org.apache.catalina.core.StandardWrapperValve invoke
      SEVERE: Servlet.service() for servlet [default] in context with path [/share] threw exception
      java.lang.NullPointerException
              at org.alfresco.web.site.servlet.SlingshotAlfrescoConnector.applyRequestHeaders(SlingshotAlfrescoConnector.java:196)
              at org.springframework.extensions.webscripts.connector.HttpConnector.initRemoteClient(HttpConnector.java:269)
              at org.springframework.extensions.webscripts.connector.HttpConnector.call(HttpConnector.java:67)
              at org.springframework.extensions.webscripts.RequestCachingConnector.call(RequestCachingConnector.java:90)
              at org.alfresco.web.site.servlet.SSOAuthenticationFilter.challengeOrPassThrough(SSOAuthenticationFilter.java:839)
              at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:539)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
              at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:188)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
              at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      
      2016-03-16 10:07:38,374  ERROR [alfresco.web.site] [ajp-apr-8009-exec-1] java.lang.NullPointerException
       2016-03-16 10:07:38,723  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-1] Processing request /share/page/user/user%40domain.ext/undefinedservice/modules/authenticated SID:64181817416B97015C074BE5C07FFCBA
       2016-03-16 10:07:38,758  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-1] userHeader external auth - skipping auth filter...
       Mar 16, 2016 10:07:38 AM org.apache.catalina.core.StandardWrapperValve invoke
      SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Could not resolve view with name 'user/user@domain.ext/undefinedservice/modules/authenticated' in servlet with name 'Spring Surf Dispatcher Servlet'] with root cause
      javax.servlet.ServletException: Could not resolve view with name 'user/user@domain.ext/undefinedservice/modules/authenticated' in servlet with name 'Spring Surf Dispatcher Servlet'
              at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1198)
              at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1001)
              at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:945)
              at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:867)
              at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
              at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
              at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.alfresco.web.site.servlet.SecurityHeadersFilter.doFilter(SecurityHeadersFilter.java:182)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:315)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:533)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
              at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
              at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      
      2016-03-16 10:07:38,786  ERROR [alfresco.web.site] [http-apr-8080-exec-1] javax.servlet.ServletException: Could not resolve view with name 'user/user@domain.ext/undefinedservice/modules/authenticated' in servlet with name 'Spring Surf Dispatcher Servlet'
       2016-03-16 10:07:39,132  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-2] Processing request /share/proxy/alfresco/api/people/user%40domain.ext/preferences SID:64181817416B97015C074BE5C07FFCBA
       2016-03-16 10:07:39,133  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-2] userHeader external auth - skipping auth filter...
       2016-03-16 10:07:39,315  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-7] Processing request /share/page/user/user%40domain.ext/undefinedcomponents/images/lightbox/loading.gif SID:64181817416B97015C074BE5C07FFCBA
       2016-03-16 10:07:39,316  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-7] userHeader external auth - skipping auth filter...
       Mar 16, 2016 10:07:39 AM org.apache.catalina.core.StandardWrapperValve invoke
      SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Could not resolve view with name 'user/user%40domain.ext/undefinedcomponents/images/lightbox/loading.gif' in servlet with name 'Spring Surf Dispatcher Servlet'] with root cause
      javax.servlet.ServletException: Could not resolve view with name 'user/user@domain.ext/undefinedcomponents/images/lightbox/loading.gif' in servlet with name 'Spring Surf Dispatcher Servlet'
              at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1198)
              at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1001)
              at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:945)
              at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:867)
              at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
              at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
              at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.alfresco.web.site.servlet.SecurityHeadersFilter.doFilter(SecurityHeadersFilter.java:182)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:315)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:533)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
              at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
              at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      

      Two thing stand out for me:

      1. The username, which is 'user@domain.ext' sometimes has the '@' urlencoded to '%40' and sometime not
      2. There seems to be some problem which leads to 'undefinedcomponents' be part of the URL.

      If more information is needed, let me know.

        Attachments

          Issue Links

            Structure

              Activity

                People

                • Assignee:
                  closedbugs Closed Bugs
                  Reporter:
                  ebogaard Erwin Bogaard
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  7 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:

                    Time Tracking

                    Estimated:
                    Original Estimate - Not Specified
                    Not Specified
                    Remaining:
                    Remaining Estimate - 0 minutes
                    0m
                    Logged:
                    Time Spent - 3 hours
                    3h

                      Structure Helper Panel