Service Packs and Hot Fixes / MNT-743

CLONE - Authenticating Share RSS feed using cookies rather than basic auth

    Details

      Description

      Client has an SSO system that uses a cookie rather than basic auth.
      Client would like to have even the RSS feeds use the cookie (their feed reader will present the credentials).
      Some relevant notes:

      • I also noticed that on the share side – /feedservice/(.*) is rewritten to /page/feed/$1
      • /page/* is mapped to be authenticated by org.alfresco.web.site.servlet.SSOAuthenticationFilter, which appears to have logic that allows it to use cookies or basic auth.
      • I also noticed in slingshot-application-context.xml there is the following .....
        <bean id="webframeworkHandlerMappings" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping" abstract="true">
          .......
          <property name="mappings">
            <value>
              ....
              /feed/**=feedController
              .....
            </value>
          </property>
        </bean>
      • I also noticed that in spring-surf-mvc-context.xml feedController is defined
        <bean id="feedController" class="org.springframework.extensions.surf.mvc.FeedController">
          <property name="cacheSeconds" value="-1" />
          <property name="useExpiresHeader"><value>true</value></property>
          <property name="useCacheControlHeader"><value>true</value></property>
          <property name="connectorService" ref="connector.service" />
        </bean>
      • I also noticed that org.springframework.extensions.surf.mvc.FeedController forces Basic Auth – in its handleRequestInternal method.
        What would be the best way to disable this behaviour?
        Can we just modify the webframeworkHandlerMappings bean?

      ===========================================================
      Chat history for reference
      ===========================================================
      (12:32:12 PM) Rich McKnight: Question about basic auth – which seems to be used for feeds and /service (web scripts) – if we want to allow it to look at a cookie – can we just create a new bean with an id like webscripts.authenticator.cookie (rather than webscripts.authenticator.basic) and then fashion the Authenticator similar to org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory but have it inspect the cookie (maybe along with the alf_ticket and the auth header)?

      (12:43:14 PM) Rich McKnight: I am thinking the webscripts.authenticator.cookie bean can extend org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory
      override this method ---> public boolean authenticate(RequiredAuthentication required, boolean isGuest)
      to check the cookie and then call super.authenticate(...) if the cookie is not valid
      (12:43:37 PM) Rich McKnight: we would have to change web.xml
      (12:44:06 PM) Rich McKnight: to point to webscripts.authenticator.cookie in lieu of webscripts.authenticator.basic
      (12:47:12 PM) Rich McKnight: I will try it out and let y'all know how it goes

      (12:55:27 PM) David Ward: Rich just change your endpoint definitions to point to /wcs/api instead of /s/api
      ----------------

      (04:55:02 AM) Rich McKnight: Revisiting a question from yesterday about using only cookies for authentication – rather than changing the endpoints (which had been tried in the past), I changed the following — the authenticator for the apiServlet from webscripts.authenticator.basic to webscripts.authenticator.webclient but the feedapi is still challenging for basic auth when I look for share feeds —
      I also noticed that on the share side – /feedservice/(.*) is rewritten to /page/feed/$1
      And /page/* is mapped to be authenticated by org.alfresco.web.site.servlet.SSOAuthenticationFilter, which appears to have logic that allows it to use cookies or basic auth.

      I also noticed in slingshot-application-context.xml there is the following .....
      <bean id="webframeworkHandlerMappings" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping" abstract="true">
        .......
        <property name="mappings">
          <value>
            ....
            /feed/**=feedController
            .....
          </value>
        </property>
      </bean>

      (04:55:18 AM) Rich McKnight: I cannot find feedController anywhere though
      (04:55:38 AM) Rich McKnight: so I am thinking there is something with the feedController forcing basic auth – but I am not sure
      (04:59:35 AM) Rich McKnight: Ahh found the FeedController class file in spring-surf-1.0.0.CI-SNAPSHOT.jar – looking to see if there is some config buried in there
      (04:59:41 AM) Rich McKnight: via an xml file
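
The cookie-first, Basic-fallback ordering proposed in the chat above, as an added example that is not part of the ticket or of Alfresco's code. BasicAuthenticator and CookieAuthenticator are stand-ins for BasicHttpAuthenticatorFactory and the proposed webscripts.authenticator.cookie bean; the cookie name SSOSESSION, the ssoValidator lookup and every sample value are assumptions. The point it shows is that the cookie is accepted only when the SSO side resolves it to a user, and that anything else falls through to the Basic check rather than being trusted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.function.Function;

public class CookieFirstAuthDemo {
    /** Stand-in for the Basic authenticator; an empty result means "send a 401 challenge". */
    static class BasicAuthenticator {
        final Map<String, String> passwords = Map.of("bob", "pw"); // constructed sample store

        Optional<String> authenticate(Map<String, String> headers) {
            String h = headers.getOrDefault("Authorization", "");
            if (!h.startsWith("Basic ")) return Optional.empty();
            try {
                byte[] raw = Base64.getDecoder().decode(h.substring(6));
                String[] up = new String(raw, StandardCharsets.UTF_8).split(":", 2);
                String pw = up.length == 2 ? passwords.get(up[0]) : null;
                boolean ok = pw != null && MessageDigest.isEqual(
                        pw.getBytes(StandardCharsets.UTF_8), up[1].getBytes(StandardCharsets.UTF_8));
                return ok ? Optional.of(up[0]) : Optional.empty();
            } catch (IllegalArgumentException malformedBase64) { return Optional.empty(); }
        }
    }

    /** Cookie-first subclass: a cookie counts only when the SSO validator maps it to a user. */
    static class CookieAuthenticator extends BasicAuthenticator {
        static final String COOKIE = "SSOSESSION";             // assumed cookie name
        final Function<String, Optional<String>> ssoValidator; // hypothetical SSO lookup
        CookieAuthenticator(Function<String, Optional<String>> v) { this.ssoValidator = v; }

        @Override
        Optional<String> authenticate(Map<String, String> headers) {
            for (String part : headers.getOrDefault("Cookie", "").split(";")) {
                String[] kv = part.trim().split("=", 2);
                if (kv.length == 2 && kv[0].equals(COOKIE)) {
                    Optional<String> user = ssoValidator.apply(kv[1]);
                    if (user.isPresent()) return user;
                }
            }
            return super.authenticate(headers); // missing or invalid cookie: fall back to Basic
        }
    }

    public static void main(String[] args) {
        Map<String, String> sessions = Map.of("s3ss10n", "alice"); // constructed SSO sessions
        CookieAuthenticator auth = new CookieAuthenticator(t -> Optional.ofNullable(sessions.get(t)));
        String basic = "Basic " + Base64.getEncoder().encodeToString("bob:pw".getBytes(StandardCharsets.UTF_8));
        System.out.println(auth.authenticate(Map.of("Cookie", "theme=dark; SSOSESSION=s3ss10n")));
        System.out.println(auth.authenticate(Map.of("Cookie", "SSOSESSION=forged")));
        System.out.println(auth.authenticate(Map.of("Cookie", "SSOSESSION=forged", "Authorization", basic)));
    }
}
```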

    People

      • Assignee: Closed Bugs (closedbugs)
      • Reporter: Richard Mcknight (rmcknight)
      • Votes: 0
      • Watchers: 5


    Time Tracking

      • Original Estimate: 0 minutes
      • Remaining Estimate: 0 minutes
      • Time Spent: 1 day, 15 minutes