Service Packs and Hot Fixes / MNT-16176

Setting Alfresco to read-only with external SSO breaks Share access (for existing users)

      Description

      [Description]:

      • Technical description of the issue
        With external SSO enabled, adding server.allowWrite=false to alfresco-global.properties causes an "A server error has occurred" page to be displayed instead of the Share UI, leaving existing users unable to access Share. The error is logged in alfresco.log.
      • Customer's description of the problem
        Unable to use Alfresco with existing users when enabling read-only mode.
      • Supporting evidence
        • ext_sso_disabled-ntlm_login.jpg - screenshot from the TSE reproducing the problem -> expected result
        • Ext_SSO_not_working_readonly.jpg - screenshot from the TSE reproducing the problem -> actual result
        • stacktrace_extsso.txt - stack trace from the alfresco.log when the issue occurs

      [Steps to reproduce]:
      1) Install Alfresco 5.0.2/5.1.
      2) Configure external authentication in alfresco-global.properties:

         authentication.chain=extsso:external,alf1:alfrescoNtlm
         external.authentication.proxyUserName=
         external.authentication.enabled=true
         external.authentication.defaultAdministratorUserNames=admin
         external.authentication.proxyHeader=SsoUserHeader

      3) Uncomment the required parts in share-custom-config.xml as per the documentation, i.e.

         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

      4) Using Firefox with a headers plugin, test external authentication by injecting the SsoUserHeader header with the value 'admin' (or some other user that already exists in Alfresco).
      5) Add server.allowWrite=false to alfresco-global.properties/JMX. Restart Alfresco or the sysAdmin subsystem.
      6) Retest by injecting the SsoUserHeader value again.
      7) Instead of the dashboard, "A server error has occurred" is shown.

      [Expected Behaviour]:

      • A user that already exists in Alfresco should be able to log in as usual, with the banner message displayed about the system being in read-only mode.
      • Note: missing users (that do not already exist) will not be auto-created when the repo is in read-only mode (as per existing functionality).

      [Observed Behaviour]:

      • Existing users are unable to log in to Share
      • "A server error has occurred" is shown
      • Error message logged in the alfresco.log:
        ERROR [org.springframework.extensions.webscripts.AbstractRuntime] [http-apr-8080-exec-5] Exception from executeScript - redirecting to status template error: 03190095 Read-Write transaction started within read-only transaction
        org.alfresco.error.AlfrescoRuntimeException: 03190095 Read-Write transaction started within read-only transaction
        	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:376)
        	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
        	at org.alfresco.web.app.servlet.AuthenticationHelper.createUser(AuthenticationHelper.java:429)
        	at org.alfresco.web.app.servlet.AuthenticationHelper.setUser(AuthenticationHelper.java:383)
        	at org.alfresco.web.app.servlet.AuthenticationHelper.getUser(AuthenticationHelper.java:644)
        	at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:184)
        	at org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator.authenticate(WebClientAuthenticatorFactory.java:145)
        	at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:356)
        	at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:353)
        	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:457)
        	at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:395)
        	at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:280)
        	at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:378)
        	at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:209)
        	at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
        	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.alfresco.repo.web.filter.beans.NullFilter.doFilter(NullFilter.java:68)
        	at sun.reflect.GeneratedMethodAccessor461.invoke(Unknown Source)
        	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        	at java.lang.reflect.Method.invoke(Method.java:483)
        	at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:125)
        	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        	at com.sun.proxy.$Proxy294.doFilter(Unknown Source)
        	at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter.doFilter(WebScriptSSOAuthenticationFilter.java:114)
        	at sun.reflect.GeneratedMethodAccessor461.invoke(Unknown Source)
        	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        	at java.lang.reflect.Method.invoke(Method.java:483)
        	at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:112)
        	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        	at com.sun.proxy.$Proxy294.doFilter(Unknown Source)
        	at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.alfresco.web.app.servlet.WebscriptCookieAuthenticationFilter.doFilter(WebscriptCookieAuthenticationFilter.java:59)
        	at sun.reflect.GeneratedMethodAccessor461.invoke(Unknown Source)
        	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        	at java.lang.reflect.Method.invoke(Method.java:483)
        	at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:125)
        	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        	at com.sun.proxy.$Proxy294.doFilter(Unknown Source)
        	at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
        	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        	at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
        	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        	at java.lang.Thread.run(Thread.java:745)
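
      For triage, an added example (not part of the original report and not Alfresco code): a Python check that flags the configuration combination from the steps to reproduce and finds log entries matching the trace above. The function names, the constructed sample inputs, the timestamp layout and treating an unset server.allowWrite as true are assumptions.

```python
import re

# Constructed samples modelled on the report above (not real customer data).
SAMPLE_PROPS = """\
authentication.chain=extsso:external,alf1:alfrescoNtlm
external.authentication.enabled=true
server.allowWrite=false
"""
SAMPLE_LOG = """\
ERROR [org.springframework.extensions.webscripts.AbstractRuntime] [http-apr-8080-exec-5] Exception from executeScript - redirecting to status template error: 03190095 Read-Write transaction started within read-only transaction
org.alfresco.error.AlfrescoRuntimeException: 03190095 Read-Write transaction started within read-only transaction
\tat org.alfresco.web.app.servlet.AuthenticationHelper.createUser(AuthenticationHelper.java:429)
ERROR [example.Other] [http-apr-8080-exec-7] constructed unrelated failure
\tat example.Other.run(Other.java:10)
"""

SIGNATURE = "Read-Write transaction started within read-only transaction"
FRAME = "org.alfresco.web.app.servlet.AuthenticationHelper.createUser("
# Entry header: optional timestamp (assumed layout), level, [logger], [thread].
ENTRY = re.compile(r"^(?:\d{4}-\d\d-\d\d \S+\s+)?(?:ERROR|WARN|INFO|DEBUG)"
                   r"\s+\[[^\]]+\]\s+\[([^\]]+)\]")

def affected_config(text):
    """True if external auth is enabled while the repository is read-only."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):
            props[key.strip()] = value.strip().lower()
    # Assumption: server.allowWrite counts as true when the key is absent.
    return (props.get("external.authentication.enabled") == "true"
            and props.get("server.allowWrite", "true") == "false")

def failing_threads(log_text):
    """Threads whose entry shows createUser failing in a read-only transaction."""
    hits, thread, body = [], None, ""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:                       # a new log entry starts on this line
            thread, body = m.group(1), ""
        body += line + "\n"
        if thread and SIGNATURE in body and FRAME in body:
            hits.append(thread)
            thread = None           # report each entry once
    return hits

if __name__ == "__main__":
    print("affected configuration:", affected_config(SAMPLE_PROPS))
    print("matching request threads:", failing_threads(SAMPLE_LOG))
```

      Settings changed through JMX do not appear in the properties file, so a negative result from affected_config alone does not rule out read-only mode.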

      [Analysis to date]:

      • Customer business impact: high impact - required functionality for business reasons (corporate SSO)

      People

      • Assignee: closedbugs Closed Bugs
      • Reporter: nkisa Nebil Kisa

      Time Tracking

      • Estimated: Not Specified
      • Remaining: 0m
      • Logged: 2d 30m
