Service Packs and Hot Fixes / MNT-17858

Share prompts for Basic authentication if external user header is not present in the request instead of redirecting to Share login page

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Resolution: Not a bug
    • Affects Version/s: 5.2
    • Fix Version/s: None
    • Component/s: Web-client SSO
    • Labels: None
    • Bug Priority: Category 1
    • Escalated: Yes
    • ACT Numbers: 00851634, 00860195

      Description

      [Technical Description of the issue]
      When external authentication is configured, if an admin user tries to bypass external authentication by going directly to the /share URL, or the external user header is missing, the user gets prompted for Basic authentication instead of being redirected to the Share login page.

      [Steps to reproduce]
      1. Install Alfresco
      2. Configure external authentication per documentation (in my example the external header being used is SM_SITE) (repo + share-config-custom.xml)
      3. Try to access Share passing the external header (simulating an externally authenticated user with the Firefox Modify Headers add-on)
      4. Observe it works correctly.
      5. Go to Share without the external authentication header (http://localhost:8080/share)
      6. Observe Share asking for credentials using Basic authentication instead of redirecting to the Share login page

      [Expected Behaviour]
      The user is shown the Share login page.

      [Observed Behaviour]
      The user sees a Basic authentication dialog box asking for credentials. Upon cancelling the dialog, the Share login page is shown.

      [Supporting evidence]

      Accessing Share using external authentication header:

      curl http://localhost:8080/share -v -L -H SM_SITE:xx22
      
      dario@dario-ubuntu-vm:~/alfresco-content-services$ curl http://localhost:8080/share -v -L -H SM_SITE:xx22
      * Hostname was NOT found in DNS cache
       * Connected to localhost (127.0.0.1) port 8080 (#0)
      > GET /share HTTP/1.1
      > User-Agent: curl/7.35.0
      > Host: localhost:8080
      > Accept: */*
      > SM_SITE:xx22
      > 
      < HTTP/1.1 302 Found
      * Server Apache-Coyote/1.1 is not blacklisted
      < Server: Apache-Coyote/1.1
      < Location: http://localhost:8080/share/
      < Transfer-Encoding: chunked
      < Date: Thu, 04 May 2017 17:11:45 GMT
      < 
      * Ignoring the response-body
      * Connection #0 to host localhost left intact
      * Issue another request to this URL: 'http://localhost:8080/share/'
      * Found bundle for host localhost: 0x26238d0
      * Re-using existing connection! (#0) with host localhost
      * Connected to localhost (127.0.0.1) port 8080 (#0)
      > GET /share/ HTTP/1.1
      > User-Agent: curl/7.35.0
      > Host: localhost:8080
      > Accept: */*
      > SM_SITE:xx22
      > 
      < HTTP/1.1 302 Found
      * Server Apache-Coyote/1.1 is not blacklisted
      < Server: Apache-Coyote/1.1
      < Location: http://localhost:8080/share/page/
      < Content-Type: text/html;charset=ISO-8859-1
      < Content-Length: 0
      < Date: Thu, 04 May 2017 17:11:45 GMT
      * Connection #0 to host localhost left intact
      * Issue another request to this URL: 'http://localhost:8080/share/page/'
      * Found bundle for host localhost: 0x26238d0
      * Re-using existing connection! (#0) with host localhost
      * Connected to localhost (127.0.0.1) port 8080 (#0)
      > GET /share/page/ HTTP/1.1
      > User-Agent: curl/7.35.0
      > Host: localhost:8080
      > Accept: */*
      > SM_SITE:xx22
      > 
      < HTTP/1.1 302 Found
      * Server Apache-Coyote/1.1 is not blacklisted
      < Server: Apache-Coyote/1.1
      < Set-Cookie: JSESSIONID=2C71AA9D0E43EEDE44B865C98FD13178; Path=/share/; HttpOnly
      < Set-Cookie: Alfresco-CSRFToken=hqMn9cUd5ZOHONeSsY7CzKRvuuWY62Xqvt693LhhYfc%3d; Expires=Thu, 11-May-2017 17:11:45 GMT; Path=/share
      < X-Frame-Options: SAMEORIGIN
      < X-Content-Type-Options: nosniff
      < X-XSS-Protection: 1; mode=block
      < Cache-Control: no-cache
      < Location: http://localhost:8080/share/page/user/xx22/dashboard
      < Content-Type: text/html;charset=utf-8
      < Content-Language: en-US
      < Content-Length: 0
      < Date: Thu, 04 May 2017 17:11:45 GMT
      

      User is being redirected to dashboard.

      Accessing Share without the header:

      curl http://localhost:8080/share -v -L
      

      Response:

      dario@dario-ubuntu-vm:~/alfresco-content-services$ curl http://localhost:8080/share -v -L
      * Hostname was NOT found in DNS cache
      * Connected to localhost (127.0.0.1) port 8080 (#0)
      > GET /share HTTP/1.1
      > User-Agent: curl/7.35.0
      > Host: localhost:8080
      > Accept: */*
      > 
      < HTTP/1.1 302 Found
      * Server Apache-Coyote/1.1 is not blacklisted
      < Server: Apache-Coyote/1.1
      < Location: http://localhost:8080/share/
      < Transfer-Encoding: chunked
      < Date: Thu, 04 May 2017 17:13:48 GMT
      < 
      * Ignoring the response-body
      * Connection #0 to host localhost left intact
      * Issue another request to this URL: 'http://localhost:8080/share/'
      * Found bundle for host localhost: 0x7eb890
      * Re-using existing connection! (#0) with host localhost
      * Connected to localhost (127.0.0.1) port 8080 (#0)
      > GET /share/ HTTP/1.1
      > User-Agent: curl/7.35.0
      > Host: localhost:8080
      > Accept: */*
      > 
      < HTTP/1.1 302 Found
      * Server Apache-Coyote/1.1 is not blacklisted
      < Server: Apache-Coyote/1.1
      < Location: http://localhost:8080/share/page/
      < Content-Type: text/html;charset=ISO-8859-1
      < Content-Length: 0
      < Date: Thu, 04 May 2017 17:13:48 GMT
      * Connection #0 to host localhost left intact
      * Issue another request to this URL: 'http://localhost:8080/share/page/'
      * Found bundle for host localhost: 0x7eb890
      * Re-using existing connection! (#0) with host localhost
      * Connected to localhost (127.0.0.1) port 8080 (#0)
      > GET /share/page/ HTTP/1.1
      > User-Agent: curl/7.35.0
      > Host: localhost:8080
      > Accept: */*
      > 
      < HTTP/1.1 401 Unauthorized
      * Server Apache-Coyote/1.1 is not blacklisted
      < Server: Apache-Coyote/1.1
      < Set-Cookie: JSESSIONID=B1DF810777373D1302F72E53B7453030; Path=/share/; HttpOnly
      < WWW-Authenticate: Basic realm="Alfresco"
      < Content-Type: text/html;charset=ISO-8859-1
      < Content-Length: 164
      < Date: Thu, 04 May 2017 17:13:48 GMT
      < 
      * Connection #0 to host localhost left intact
      

      We're sending the WWW-Authenticate: Basic header instead of redirecting to the /share/page?pt=login page.

      [notes]
      Might be related to MNT-17445 (AJP not being used in this case)
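
A regression check for the behaviour reported above, as an added example that is not part of the original issue or of Alfresco: it reads a `curl -v -L` transcript and reports whether a request without the external header ended in a Basic challenge or was sent to the login page. The function and sample names are hypothetical, and both transcripts are constructed (the first abridged from the trace in the report, the second an assumed shape of the expected redirect).

```shell
# Added example: classify where an unauthenticated client ends up after
# `curl -v -L`, reading the verbose transcript on stdin.
# Prints: basic-challenge | login-redirect | other:<status>
classify_final_hop() {
    awk '
        # Each status line starts a new hop; reset the per-hop challenge.
        /^[ \t]*< HTTP\// { status = $3; challenge = ""; next }
        /^[ \t]*< / {
            line = $0
            sub(/^[ \t]*< /, "", line); sub(/\r$/, "", line)
            name = tolower(line); sub(/:.*/, "", name)
            value = line; sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "www-authenticate") challenge = tolower(value)
            # pt=login is the login page target named in the report.
            if (name == "location" && value ~ /[?&]pt=login/) saw_login = 1
        }
        END {
            if (status == "401" && challenge ~ /^basic/) print "basic-challenge"
            else if (saw_login) print "login-redirect"
            else print "other:" status
        }
    '
}
# Constructed sample, abridged from the trace in the report (no SSO header).
sample_observed() {
    cat <<'EOF'
> GET /share/ HTTP/1.1
< HTTP/1.1 302 Found
< Location: http://localhost:8080/share/page/
> GET /share/page/ HTTP/1.1
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Alfresco"
EOF
}
# Constructed sample of the behaviour the reporter expected (assumed shape).
sample_expected() {
    cat <<'EOF'
> GET /share/page/ HTTP/1.1
< HTTP/1.1 302 Found
< Location: http://localhost:8080/share/page?pt=login
> GET /share/page?pt=login HTTP/1.1
< HTTP/1.1 200 OK
EOF
}
sample_observed | classify_final_hop   # basic-challenge
sample_expected | classify_final_hop   # login-redirect
```

Against a live instance, pipe the real trace in: `curl -s -v -L -o /dev/null http://localhost:8080/share 2>&1 | classify_final_hop`.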

    People

    • Assignee: Closed Issues (closedissues)
    • Reporter: Dario Samarzija (dsamarzija)