  1. Service Packs and Hot Fixes
  2. MNT-16232

Share cannot be configured to use both elements of the chain: external+kerberos (while /alfresco/webdav can)/Share limitation

    Details

    • Bug Priority:
      Category 2
    • Escalated:
      Yes
    • ACT Numbers:

      00648254

    • Regression Since:

      Description

      How to reproduce?
      ================

      1) create a 5.0.2 system (linux pg tomcat) with kerberos + external authentication:

      authentication.chain=kerberos1:kerberos,external1:external
      
      
      external.authentication.proxyUserName=
      external.authentication.proxyHeader=X-Alfresco-Remote-User
      
      
      kerberos.authentication.realm=EXAMPLE.FOO
      kerberos.authentication.authenticateCIFS=true
      
      kerberos.authentication.cifs.password=mypass
      kerberos.authentication.http.password=mypass
      
      kerberos.authentication.sso.enabled=true
      kerberos.authentication.defaultAdministratorUserNames=administrator
      

      2) confirm that you can authenticate with webdav using:

      a) external authentication:

      curl -v -H "X-Alfresco-Remote-User: admin2" http://localhost:8080/alfresco/webdav
      < HTTP/1.1 200 OK
      

      b) kerberos (user1 being a user of your Active Directory):

      kinit user1
      curl -v --negotiate --user : http://madona:8080/alfresco/webdav
      < HTTP/1.1 200 OK
      

      3) try to find a configuration for Share such that both calls below succeed (200 OK):

      a) external authentication:

      curl -v -H "X-Alfresco-Remote-User: admin2" http://localhost:8080/share/page/user/admin2/dashboard 
      

      b) kerberos:

      kinit user1
      curl -v --negotiate --user : --delegation always  http://madona:8080/share/page/user/user1/dashboard
      

      (note the delegation option is necessary to tell curl to use kerberos delegation)

      Results:
      =======
      I could not find a share-config-custom.xml that makes both calls 3)a) and 3)b) succeed (see notes)

      Expected results
      ==================
      Share can be configured to make both calls succeed, just like alfresco webdav can.

      Notes
      =======
      1) this is exactly the same problem as in MNT-14541 but for a different pair of subsystems.
      However, the trick proposed there, which was to use two connectors alfrescoCookie and alfrescoHeader with the same config, did not work:

               <connector>
                  <id>alfrescoCookie</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                  <userHeader>X-Alfresco-Remote-User</userHeader>
               </connector>
               
               <connector>
                  <id>alfrescoHeader</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                  <userHeader>X-Alfresco-Remote-User</userHeader>
               </connector>
      

      It makes only the external auth query work, kerberos fails.

      2) In a more classical naming, i.e with:

               <connector>
                  <id>alfrescoCookie</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
               </connector>
               
               <connector>
                  <id>alfrescoHeader</id>
                  <name>Alfresco Connector</name>
                  <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
                  <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
                  <userHeader>X-Alfresco-Remote-User</userHeader>
               </connector>
      

      if I use alfrescoCookie, then kerberos works.
      if I use alfrescoHeader, then external works.
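
Added example, not part of the original report and not Alfresco code: a shell audit of the `alfresco-global.properties` settings from step 1, flagging the two entries in that listing a reviewer would question (an explicitly empty `external.authentication.proxyUserName` and service passwords stored in the file). The function names and finding labels are made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not Alfresco code: audit the auth settings from step 1.

# prop FILE KEY: print the last value assigned to KEY; return 1 if KEY is absent.
prop() {
  awk -v k="$2" '
    /^[ \t]*[#!]/ || index($0, "=") == 0 { next }
    { key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { seen = 1; found = val } }
    END { if (!seen) exit 1; print found }' "$1"
}

# audit_auth_chain FILE: print one finding per line, nothing if clean.
audit_auth_chain() {
  local file=$1 chain types user header key val
  chain=$(prop "$file" authentication.chain) || return 0
  # Chain entries are instanceName:subsystemType, comma separated.
  types=" $(printf '%s' "$chain" | tr ',' '\n' | sed 's/^[^:]*://' | tr '\n' ' ') "
  case $types in *" external "*)
    # An explicitly empty proxyUserName, as in the report: the identity header
    # is accepted by itself, which is what the curl in step 2a relies on.
    # An absent key is not flagged; it is left to the product default.
    if user=$(prop "$file" external.authentication.proxyUserName) && [ -z "$user" ]; then
      header=$(prop "$file" external.authentication.proxyHeader) || header="(unset)"
      echo "HEADER_TRUSTED_WITHOUT_PROXY_USER header=$header"
    fi ;;
  esac
  case $types in *" kerberos "*)
    for key in kerberos.authentication.cifs.password kerberos.authentication.http.password; do
      if val=$(prop "$file" "$key") && [ -n "$val" ]; then
        echo "PLAINTEXT_SERVICE_PASSWORD key=$key"
      fi
    done ;;
  esac
}

# Settings copied from step 1 of the report, written to FILE for a trial run.
write_report_config() {
  cat > "$1" <<'EOF'
authentication.chain=kerberos1:kerberos,external1:external
external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
kerberos.authentication.realm=EXAMPLE.FOO
kerberos.authentication.cifs.password=mypass
kerberos.authentication.http.password=mypass
EOF
}
```

A `HEADER_TRUSTED_WITHOUT_PROXY_USER` finding means the deployment depends on network controls: only the fronting proxy should be able to reach the Alfresco port, and that proxy should strip any client-supplied copy of the header.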


                People

                • Assignee:
                  closedissues Closed Issues
                • Reporter:
                  amadon Alex Madon (Inactive)
                • Votes:
                  0
                • Watchers:
                  8


                    Time Tracking

                    Original Estimate: Not Specified
                    Remaining Estimate: 0 minutes
                    Time Spent: 2 days, 3 hours
