Service Packs and Hot Fixes
MNT-16232

Share cannot be configured to use both elements of the chain: external+kerberos (while /alfresco/webdav can)/Share limitation

    Details

    • Bug Priority:
      Category 2
    • Escalated:
      Yes
    • ACT Numbers:

      00648254

    • Regression Since:

      Description

      How to reproduce?
      ================

      1) create a 5.0.2 system (linux pg tomcat) with kerberos + external authentication:

      authentication.chain=kerberos1:kerberos,external1:external
      
      
      external.authentication.proxyUserName=
      external.authentication.proxyHeader=X-Alfresco-Remote-User
      
      
      kerberos.authentication.realm=EXAMPLE.FOO
      kerberos.authentication.authenticateCIFS=true
      
      kerberos.authentication.cifs.password=mypass
      kerberos.authentication.http.password=mypass
      
      kerberos.authentication.sso.enabled=true
      kerberos.authentication.defaultAdministratorUserNames=administrator
      

      2) confirm that you can authenticate with webdav using:

      a) external authentication:

      curl -v -H "X-Alfresco-Remote-User: admin2" http://localhost:8080/alfresco/webdav
      < HTTP/1.1 200 OK
      

      b) kerberos (user1 being a user of your Active Directory):

      kinit user1
      curl -v --negotiate --user : http://madona:8080/alfresco/webdav
      < HTTP/1.1 200 OK
      

      3) try to find a configuration for Share such that both calls below succeed (200 OK):

      a) external authentication:

      curl -v -H "X-Alfresco-Remote-User: admin2" http://localhost:8080/share/page/user/admin2/dashboard 
      

      b) kerberos:

      kinit user1
      curl -v --negotiate --user : --delegation always  http://madona:8080/share/page/user/user1/dashboard
      

      (note the delegation option is necessary to tell curl to use kerberos delegation)

      Results:
      =======
      I could not find a share-config-custom.xml that makes both calls 3)a) and 3)b) succeed (see notes)

      Expected results
      ==================
      Share can be configured to make both calls succeed, just like alfresco webdav can.

      Notes
      =======
      1) this is exactly the same problem as in MNT-14541 but for a different pair of subsystems.
      However, the trick proposed there, which was to use two connectors alfrescoCookie and alfrescoHeader with the same config, did not work:

               <connector>
                  <id>alfrescoCookie</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                  <userHeader>X-Alfresco-Remote-User</userHeader>
               </connector>

               <connector>
                  <id>alfrescoHeader</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                  <userHeader>X-Alfresco-Remote-User</userHeader>
               </connector>
      

      It makes only the external auth query work, kerberos fails.

      2) In a more classical naming, i.e. with:

               <connector>
                  <id>alfrescoCookie</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
               </connector>

               <connector>
                  <id>alfrescoHeader</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                  <userHeader>X-Alfresco-Remote-User</userHeader>
               </connector>
      

      if I use alfrescoCookie, then kerberos works.
      if I use alfrescoHeader, then external works.
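The reproduction steps above turned into a repeatable probe, added here as an example; it is not the reporter's code nor part of Alfresco. It assumes BASE, EXT_USER and KRB_USER (defaults taken from the issue) and that `kinit` was run for KRB_USER beforehand. Because external.authentication.proxyUserName is empty in the configuration above, the repository trusts X-Alfresco-Remote-User from any direct caller, so the external checks only reflect production behaviour when run from the trusted proxy's network position.

```shell
#!/bin/sh
# Added probe (not from the issue): runs the issue's four curl checks and
# reports which authentication path each endpoint accepts. Assumes BASE is
# the 5.0.2 test system, EXT_USER / KRB_USER match admin2 / user1 from the
# issue, and `kinit "$KRB_USER"` was run first. The Share Kerberos probe
# passes --delegation always, as in the issue, so Share can reach the repo.
set -u
BASE=${BASE:-http://localhost:8080}
EXT_USER=${EXT_USER:-admin2}
KRB_USER=${KRB_USER:-user1}

# Only an HTTP 200 counts as an authenticated request.
verdict() { case "$1" in 200) echo PASS ;; *) echo FAIL ;; esac; }

# Interpret the four status codes:
# $1 webdav/external  $2 webdav/kerberos  $3 share/external  $4 share/kerberos
summarize() {
  if [ "$1" != 200 ] || [ "$2" != 200 ]; then echo webdav-broken
  elif [ "$3" = 200 ] && [ "$4" = 200 ]; then echo share-ok
  else echo share-limitation; fi
}

# Run one probe; print only the status code (000 if nothing answered).
probe() {  # $1 = external|kerberos, $2 = URL path
  case "$1" in
    external) set -- -H "X-Alfresco-Remote-User: $EXT_USER" "$BASE$2" ;;
    kerberos) case "$2" in
        /share/*) set -- --negotiate --user : --delegation always "$BASE$2" ;;
        *)        set -- --negotiate --user : "$BASE$2" ;;
      esac ;;
  esac
  code=$(curl -s -o /dev/null -w '%{http_code}' "$@" 2>/dev/null) || true
  echo "${code:-000}"
}

main() {
  w_ext=$(probe external /alfresco/webdav)
  w_krb=$(probe kerberos /alfresco/webdav)
  s_ext=$(probe external "/share/page/user/$EXT_USER/dashboard")
  s_krb=$(probe kerberos "/share/page/user/$KRB_USER/dashboard")
  for line in "webdav external $w_ext" "webdav kerberos $w_krb" \
              "share  external $s_ext" "share  kerberos $s_krb"; do
    echo "$line $(verdict "${line##* }")"
  done
  echo "result: $(summarize "$w_ext" "$w_krb" "$s_ext" "$s_krb")"
}
# Only contact the server when asked explicitly: PROBE_RUN=1 ./probe.sh
if [ "${PROBE_RUN:-0}" = 1 ]; then main; fi
```

A result of share-limitation is the behaviour reported in this issue: both webdav paths authenticate while at least one of the two Share paths does not.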

    People

    • Assignee: Closed Issues
    • Reporter: Alex Madon (Inactive)