  1. Service Packs and Hot Fixes
  2. MNT-17401

Share external authentication for (ajp,http) and (alfrescoCookie, alfrescoHeader)

    Details

    • Bug Priority:
      Category 2
    • Escalated:
      Yes
    • ACT Numbers:

      00799652, 00799667

    • Regression Since:

      Description

      Share external authentication should work with any combination of (ajp,http)X(alfrescoCookie, alfrescoHeader)

      MNT-16385 provided one fix to one of the 4 configuration paths.

      But you have 4 paths to make work and do the QA on.

      Platform work captured in MNT-17447.

      When a customer uses external authentication, that means he delegates the authentication stage to an external proxy.

      Once that proxy authenticates a user, it can communicate the authenticated user's username to the Share layer using two protocols: ajp or http (not considering https).

      Then the share layer can communicate to the backend using alfrescoCookie or alfrescoHeader, that is in the share custom config using:

               <endpoint>
                  <id>alfresco</id>
                  <name>Alfresco - user access</name>
                  <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                  <connector-id>alfrescoHeader</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                  <identity>user</identity>
                  <external-auth>true</external-auth>
               </endpoint>
      

      or

               <endpoint>
                  <id>alfresco</id>
                  <name>Alfresco - user access</name>
                  <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                  <connector-id>alfrescoCookie</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                  <identity>user</identity>
                  <external-auth>true</external-auth>
               </endpoint>
      

      We thus have 4 scenarios to consider and make work:

      1) proxy-> (ajp) -> share -> (alfrescoHeader) -> alfresco
      2) proxy-> (ajp) -> share -> (alfrescoCookie) -> alfresco
      3) proxy-> (http) -> share -> (alfrescoHeader) -> alfresco
      4) proxy-> (http) -> share -> (alfrescoCookie) -> alfresco

      in 4.2.0, 1) and 2) were working
      in 5.1.0, 1) and 2) were failing
      in 5.1.2, 1) is working 2) is failing

      1) and 2) should both work.

      Notes

      1) see documentation
      http://docs.alfresco.com/community5.0/tasks/config-alf-share-sso.html
      which documents well the AJP side.

      http://docs.alfresco.com/5.1/tasks/auth-alfrescoexternal-sso.html
      which clearly states that both alfrescoHeader and alfrescoCookie should work (see the 2nd example) even though the alfrescoHeader method is described more in depth.
      (2nd example)

      and documentation bug:

      2) see share-config-custom.xml on 5.1.2 which uses alfrescoCookie as default in the SSO section.

      3) attached ajprequest.py which can be used to test scenarios 1) and 2).
      Usage example:

      ./ajprequest.py  -r admin5 http://localhost:8080/share/page/ ajp://localhost:8009/share > tt2.html
      > GET http://localhost:8080/share/page/ (via ajp://localhost:8009/share )
      > remote_user: admin5
      < 302 Found
      < b'Set-Cookie' b'JSESSIONID=E2308F4A13B8EC32B557F69BBACC3E96; Path=/share/; HttpOnly'
      < b'X-Frame-Options' b'SAMEORIGIN'
      < b'X-Content-Type-Options' b'nosniff'
      < b'X-XSS-Protection' b'1; mode=block'
      < b'Cache-Control' b'no-cache'
      < b'Location' b'http://localhost/share/page/user/admin5/dashboard'
      < b'Content-Type' b'text/html;charset=utf-8'
      < b'Content-Language' b'en-US'
      < b'Content-Length' b'0'
      

      Scenarios 3) and 4) can be tested with curl -H "x-alfresco-remote-user: user5"...

      4) [EDIT]
      we also need to use more than just one URL as testing with
      http://localhost:8080/share/page/
      is not enough;

      We also need to test with api URLs like
      http://localhost:8080/share/proxy/alfresco/api/people/admin5/sites
      see MNT-17445

      5) this also affects 5.2.0 Early Access (5.2.0 (r133068-b1) schema 10,005.)
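
      A QA helper for the four-path matrix, added here as an example (it is not part of the issue, of ajprequest.py, or of Alfresco's code): it reads the `alfresco` endpoint from a Share config to work out which numbered scenario a deployment is exercising, and checks a saved transcript in the output format of the usage example above. The function names, the sample inputs, and treating the 302 redirect to the user's dashboard as the passing result are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <endpoint> block from the description, trimmed and
# wrapped in a minimal root element so that it parses stand-alone.
SAMPLE_CONFIG = """<config><endpoint>
  <id>alfresco</id>
  <connector-id>alfrescoCookie</connector-id>
  <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
  <external-auth>true</external-auth>
</endpoint></config>"""

# Constructed transcripts in the format of the usage example. The failing one
# is an assumption about what a rejected login could look like.
SAMPLE_OK = """< 302 Found
< b'Location' b'http://localhost/share/page/user/admin5/dashboard'"""
SAMPLE_FAIL = """< 200 OK
< b'Content-Type' b'text/html;charset=utf-8'"""

# Scenario numbers as listed in the description: (proxy protocol, connector).
SCENARIOS = {("ajp", "alfrescoHeader"): 1, ("ajp", "alfrescoCookie"): 2,
             ("http", "alfrescoHeader"): 3, ("http", "alfrescoCookie"): 4}

def scenario_for(config_xml, proxy_protocol):
    """Return the scenario number for the 'alfresco' endpoint, or None when
    external-auth is off or the connector is not one of the two named."""
    for ep in ET.fromstring(config_xml).iter("endpoint"):
        if ep.findtext("id", "").strip() != "alfresco":
            continue
        if ep.findtext("external-auth", "").strip().lower() != "true":
            return None
        connector = ep.findtext("connector-id", "").strip()
        return SCENARIOS.get((proxy_protocol, connector))
    return None

def login_accepted(transcript, user):
    """True when the transcript shows a 302 to that user's dashboard."""
    status = re.search(r"^\s*< (\d{3}) ", transcript, re.M)
    location = re.search(r"^\s*< b'Location' b'([^']*)'", transcript, re.M)
    if not status or not location:
        return False
    return (status.group(1) == "302"
            and location.group(1).endswith(f"/share/page/user/{user}/dashboard"))
```

      Run `scenario_for` against each deployed share-config-custom.xml and `login_accepted` against the output saved for each test URL, so that every one of the four paths has a recorded result.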

              People

              • Assignee:
                closedissues Closed Issues
                Reporter:
                amadon Alex Madon [X] (Inactive)
              • Votes:
                0
                Watchers:
                8