Service Packs and Hot Fixes / MNT-17445

Share with external authentication cannot be configured anymore to use the AJP CGI REMOTE_USER for /share/proxy/alfresco/api URLs

    Details

    • RCA Description:
      Fixed by another tranche of work on a later version.

      Description

      How to reproduce?

      1) create a 5.1.2 system (linux pg tomcat) with external auth

      2) confirm that your SSO works using AJP:

      ./ajprequest.py  -r admin5 http://localhost:8080/share/page/
      > GET http://localhost:8080/share/page/ (via ajp://localhost:8009/alfresco )
      > remote_user: admin5
      < 302 Found
      < b'Set-Cookie' b'JSESSIONID=AA1C0169A3F7B0F2B4D8D611F809BAE3; Path=/share/; HttpOnly'
      < b'Set-Cookie' b'Alfresco-CSRFToken=3L8Mbb%2fardmzXETCVQWHODcejX68QCc790BejlWVxdg%3d; Expires=Mon, 13-Feb-2017 09:08:02 GMT; Path=/share'
      < b'X-Frame-Options' b'SAMEORIGIN'
      < b'X-Content-Type-Options' b'nosniff'
      < b'X-XSS-Protection' b'1; mode=block'
      < b'Cache-Control' b'no-cache'
      < b'Location' b'http://localhost/share/page/user/admin5/dashboard'
      < b'Content-Type' b'text/html;charset=utf-8'
      < b'Content-Language' b'en-US'
      < b'Content-Length' b'0'
      

      (note the redirect to the user dashboard)

      3) try to authenticate to an API URL using the AJP REMOTE_USER CGI variable.
      We use the 'admin5' site URL as an example

      ./ajprequest.py  -r admin5 http://localhost:8080/share/proxy/alfresco/api/people/admin5/sites ajp://localhost:8009/share > tt2.html
      

      Result

      Authentication fails with a 401 Unauthorized error:

      ./ajprequest.py  -r admin5 http://localhost:8080/share/proxy/alfresco/api/people/admin5/sites ajp://localhost:8009/share > tt2.html
      > GET http://localhost:8080/share/proxy/alfresco/api/people/admin5/sites (via ajp://localhost:8009/share )
      > remote_user: admin5
      < 401 Unauthorized
      < b'Set-Cookie' b'JSESSIONID=FD13420C0B3CE7436961771C4F385D40; Path=/share/; HttpOnly'
      < b'Set-Cookie' b'Alfresco-CSRFToken=Q6t7AtiHErS1BjTvJzF5ZWdgk5OePtEhgK2UyL%2bVOYs%3d; Expires=Mon, 13-Feb-2017 09:08:57 GMT; Path=/share'
      < b'X-Frame-Options' b'SAMEORIGIN'
      < b'X-Content-Type-Options' b'nosniff'
      < b'X-XSS-Protection' b'1; mode=block'
      < b'WWW-Authenticate' b'Basic realm="Alfresco"'
      < b'Cache-Control' b'no-cache'
      < b'Expires' b'Thu, 01 Jan 1970 00:00:00 GMT'
      < b'Pragma' b'no-cache'
      < b'Date' b'Mon, 06 Feb 2017 09:08:57 GMT'
      < b'Content-Type' b'text/html;charset=utf-8'
      < b'Content-Language' b'en'
      < b'Content-Length' b'975'
      

      Expected result

      Authentication succeeds with a 200 OK.

      Notes
      1) MNT-16385 is similar to this Jira.
      In MNT-16385 the failure was defined as a failure to authenticate on

      http://localhost:8080/share/page/

      ./ajprequest.py  -r admin5 http://localhost:8080/share/page/
      > GET http://localhost:8080/share/page/ (via ajp://localhost:8009/alfresco )
      > remote_user: admin5
      < 302 Found
      < b'Set-Cookie' b'JSESSIONID=3CAF3E647A71A8003E71D8CCC8D32670; Path=/share/; HttpOnly'
      < b'Location' b'http://localhost/share/page?pt=login'
      < b'Content-Length' b'0'
      

      In this Jira, the failure affects another URL pattern that seems to be related to a different section of the share-config-custom.xml:

               <endpoint>
                  <id>alfresco-api</id>
                  <parent-id>alfresco</parent-id>
                  <name>Alfresco Public API - user access</name>
                  <description>Access to Alfresco Repository Public API that require user authentication.
                               This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
                  <connector-id>alfrescoHeader</connector-id>
                  <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
                  <identity>user</identity>
                  <external-auth>true</external-auth>
               </endpoint>
      	 

      2) in that section we have tried both alfrescoHeader and alfrescoCookie.

      3) in MNT-17401 we show that the fix for MNT-16385 is limited to one of the connectors: alfrescoHeader and not alfrescoCookie

      4) workaround: send an extra header in AJP:

      ./ajprequest.py  -r admin5 -H 'x-alfresco-remote-user: admin5' http://localhost:8080/share/proxy/alfresco/api/people/admin5/sites ajp://localhost:8009/share > tt2.html
      > GET http://localhost:8080/share/proxy/alfresco/api/people/admin5/sites (via ajp://localhost:8009/share )
      > remote_user: admin5
      < 200 OK
      < b'Set-Cookie' b'JSESSIONID=6229259AE59F632C11FDC7518D1BA474; Path=/share/; HttpOnly'
      < b'Set-Cookie' b'Alfresco-CSRFToken=rYXFmitk1ueIdQLYCoWiYBh02%2f%2fgQTfkXvZcW7ClryA%3d; Expires=Mon, 13-Feb-2017 09:11:34 GMT; Path=/share'
      < b'X-Frame-Options' b'SAMEORIGIN'
      < b'X-Content-Type-Options' b'nosniff'
      < b'X-XSS-Protection' b'1; mode=block'
      < b'Cache-Control' b'no-cache'
      < b'Expires' b'Thu, 01 Jan 1970 00:00:00 GMT'
      < b'Pragma' b'no-cache'
      < b'Date' b'Mon, 06 Feb 2017 09:11:34 GMT'
      < b'Content-Type' b'application/json;charset=UTF-8'
      < b'Content-Length' b'6'
      

      5) could we add (QA) tests for more URL patterns than just http://localhost:8080/share/page/ ?

      6) this also affects 5.2.0 Early Access (5.2.0 (r133068-b1) schema 10,005.)
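
An added example for note 5 (not from the original report, ajprequest.py, or Alfresco's test suite): it parses transcripts in the format ajprequest.py prints above and reports, per URL pattern, whether the AJP REMOTE_USER was honoured. The function names and the abridged sample transcripts (status line and deciding header only) are assumptions made for the example.

```python
import re

STATUS = re.compile(r"^<\s+(\d{3})\b")
HEADER = re.compile(r"^<\s+b'([^']+)'\s+b'(.*)'$")

def parse(transcript):
    """Return (status, headers) taken from the '<' response lines."""
    status, headers = None, {}
    for line in (raw.strip() for raw in transcript.splitlines()):
        if status is None and (m := STATUS.match(line)):
            status = int(m.group(1))
        elif m := HEADER.match(line):
            headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    return status, headers

def classify(transcript):
    """Decide whether external authentication was accepted for one request."""
    status, headers = parse(transcript)
    if status is None:
        return "no-response"
    if status == 401 or "www-authenticate" in headers:
        return "rejected"  # Basic challenge: REMOTE_USER was not used
    if 300 <= status < 400:
        location = headers.get("location", [""])[0]
        # A redirect to the login page is the MNT-16385 symptom.
        return "rejected" if "pt=login" in location else "accepted"
    return "accepted" if status == 200 else "error"

def rejected_patterns(samples):
    """Labels of the URL patterns where external auth did not work."""
    return [label for label, text in samples if classify(text) == "rejected"]

# Constructed samples: abridged from the transcripts in this report.
SAMPLES = [
    ("/share/page/",
     "> remote_user: admin5\n< 302 Found\n"
     "< b'Location' b'http://localhost/share/page/user/admin5/dashboard'"),
    ("/share/proxy/alfresco/api/people/admin5/sites",
     "> remote_user: admin5\n< 401 Unauthorized\n"
     "< b'WWW-Authenticate' b'Basic realm=\"Alfresco\"'"),
    ("/share/page/ (MNT-16385)",
     "> remote_user: admin5\n< 302 Found\n"
     "< b'Location' b'http://localhost/share/page?pt=login'"),
    ("/share/proxy/alfresco/api/... with x-alfresco-remote-user",
     "> remote_user: admin5\n< 200 OK\n"
     "< b'Content-Type' b'application/json;charset=UTF-8'"),
]

if __name__ == "__main__":
    for label in rejected_patterns(SAMPLES):
        print("external auth rejected:", label)
```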

                People

                • Assignee:
                  closedbugs Closed Bugs
                  Reporter:
                  amadon Alex Madon [X] (Inactive)