  1. Service Packs and Hot Fixes
  2. MNT-19923

External Authentication fails after ticket expiration

    Details

    • Bug Priority:
      Category 2
    • ACT Numbers:

      00969388

      Description

      When using Alfresco with an external authentication, requests fail after the expiration period of the first ticket given to the user and the responses return with a 401 Unauthorized. This error persists until invalid tickets are cleaned up by the scheduled job.

      Steps to reproduce

      Use these settings for alfresco-global.properties

      authentication.ticket.ticketsExpire=true 
      authentication.ticket.expiryMode=AFTER_INACTIVITY 
      authentication.ticket.validDuration=PT1M 
      authentication.chain=external1:external 
      external.authentication.proxyUserName= 
      external.authentication.enabled=true 
      external.authentication.defaultAdministratorUserNames=Scott 
      external.authentication.proxyHeader=X-Alfresco-Remote-User 

      Use this curl command 

      curl -v -H "X-Alfresco-Remote-User: Scott" http://scott-ubu.springfield.local:8080/alfresco/api/-default-/public/alfresco/versions/1/people/Scott
      

      Expected Behaviour
      Because the user is External, and thus trusted, an expired ticket should be renewed.
       

      Observed Behaviour
      After ticket expiration, a 401 Unauthorized is returned and the ticket is not renewed. This behavior continues until the ticket is cleaned up, forcing a new ticket to be issued.

      *   Trying 192.168.15.106...
      * TCP_NODELAY set
      * Connected to scott-ubu.springfield.local (192.168.15.106) port 8080 (#0)
      > GET /alfresco/api/-default-/public/alfresco/versions/1/people/Scott HTTP/1.1
      > Host: scott-ubu.springfield.local:8080
      > User-Agent: curl/7.58.0
      > Accept: */*
      > X-Alfresco-Remote-User: Scott
      > 
      < HTTP/1.1 401 Unauthorized
      < Server: Apache-Coyote/1.1
      < WWW-Authenticate: Basic realm="Alfresco -default- tenant"
      < Cache-Control: no-cache
      < Expires: Thu, 01 Jan 1970 00:00:00 GMT
      < Pragma: no-cache
      < Content-Type: application/json;charset=UTF-8
      < Transfer-Encoding: chunked
      < Date: Thu, 30 Aug 2018 13:15:50 GMT
      < 
      * Connection #0 to host scott-ubu.springfield.local left intact
      {"error":{"errorKey":"framework.exception.ApiDefault","statusCode":401,"briefSummary":"07300000 Authentication failed for Web Script org/alfresco/api/ResourceWebScript.get","stackTrace":"For security reasons the stack trace is no longer displayed, but the property is kept for previous versions","descriptionURL":"https://api-explorer.alfresco.com"}}
      

      Notes
      • The same behavior can be demonstrated using the /alfresco/webdav endpoint, but a 500 error is returned instead of a 401.
      • The ticket expiry is set to 1 minute for testing purposes only. Problem reproduces with default 1 hour expiry.

      • The code of the new identity-service is based on the external-authentication component. Please check if we have a similar problem there as well.
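
      A regression check for the reproduction steps above, written as an added example that is not part of the original report or of Alfresco's code. It sends the proxy-header request, waits past the configured validDuration, sends it again and classifies the pair of status codes. The variable names ALF_URL, ALF_USER and VALID_DURATION and all function names are assumptions chosen here.

```shell
#!/bin/sh
# Added example: checks whether an externally authenticated user's ticket
# is renewed after authentication.ticket.validDuration has elapsed.

# Convert an ISO 8601 time duration as used by validDuration (PT1M, PT1H,
# PT1H30M, PT45S) to seconds. Date parts (P1D) are rejected; unit order is
# not enforced.
duration_to_seconds() {
  d=${1#PT}
  [ "$d" != "$1" ] && [ -n "$d" ] || return 1
  total=0
  while [ -n "$d" ]; do
    n=${d%%[HMS]*}                       # digits before the next unit letter
    case $n in ''|*[!0-9]*) return 1 ;; esac
    rest=${d#"$n"}
    [ -n "$rest" ] || return 1           # digits without a unit
    case $(printf '%s' "$rest" | cut -c1) in
      H) total=$((total + n * 3600)) ;;
      M) total=$((total + n * 60)) ;;
      S) total=$((total + n)) ;;
      *) return 1 ;;
    esac
    d=${rest#?}
  done
  echo "$total"
}

# Classify the status seen before and after the ticket expired.
verdict() {
  case "$1:$2" in
    200:200)         echo RENEWED ;;      # expected behaviour
    200:401|200:500) echo REPRODUCED ;;   # 401 on the REST API, 500 on /alfresco/webdav
    *)               echo INCONCLUSIVE ;; # e.g. first request already failed
  esac
}

# One request with the proxy header; prints only the HTTP status code.
probe() {
  curl -s -o /dev/null -w '%{http_code}' \
       -H "X-Alfresco-Remote-User: ${ALF_USER:-Scott}" "$ALF_URL"
}

check_ticket_renewal() {
  base=$(duration_to_seconds "${VALID_DURATION:-PT1M}") || return 2
  before=$(probe); sleep $((base + 10)); after=$(probe)
  verdict "$before" "$after"
}

# Runs only when a target URL is configured in the environment.
if [ -n "${ALF_URL:-}" ]; then check_ticket_renewal; fi
```

      With expiryMode=AFTER_INACTIVITY the first request counts as activity, so the wait is measured from it; the 10-second margin is an arbitrary choice.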


                People

                • Assignee:
                  closedbugs Closed Bugs (Inactive)
                  Reporter:
                  twilliams Terry Williams [X] (Inactive)