[ALF-21129] Unable to authenticate CMIS 1.1 endpoints from Ajax (browser)
Created: 10-Oct-14  Updated: 18-Oct-15  Resolved: 20-Mar-15

Status: Closed
Project: Alfresco
Component/s: CMIS, Platform Authentication and SSO
Affects Version/s: 4.2.f Community
Fix Version/s: 5.0.d Community
Security Level: external (External user)

Type: Bug
Priority: Critical
Reporter: Ian Wright
Assignee: Closed Issues
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Date of First Response:
Resolution Time Custom Field: 23 weeks, 4 hours, 24 minutes, 27 seconds

 Description   

I am trying to access the CMIS 1.1 browser bindings via JavaScript (from within and outside Share) in the browser, but can only authenticate via basic auth (which pops up a dialog box and is not acceptable for production).

From within Share, it appears that, unlike CMIS 1.0, the CMIS 1.1 endpoint is not available via the Share proxy, so that route doesn't work.

I tried SSO (I'm using CAS), but it looks like the public API authenticator does not look at the request credentials (principal), so no joy there.

I have also tried using a ticket - doesn't work with JSONP as you can't modify the headers, and doesn't work as a request parameter.
If you make a successful Ajax call by modifying the headers, then the browser won't add these details to subsequent requests in the same way that it does if you authenticate via the dialog box.
(Not very satisfactory anyway due to having to get the ticket in the first place.)
Ref:
https://forums.alfresco.com/forum/developer-discussions/alfresco-api/cmis-11-browser-bindings-share-proxy-06042014-1243



 Comments   
Comment by Kevin Roast [X] (Inactive) [ 10-Oct-14 ]

Thank you for raising this.

We will add a Share proxy endpoint to allow access to the CMIS 1.1 browser bindings so that the usual SSO authentication routes become available.

Comment by Kevin Roast [X] (Inactive) [ 12-Nov-14 ]

OK, I have got this to work, but it required some surgery in the connector framework. Unfortunately, it cannot be achieved with configuration currently, which is unfortunate. I will see if it can be achieved for Community 5.0.c.

Comment by Ian Wright [ 13-Nov-14 ]

While changing the connector framework is great and a big step forward, what it really needs, for me at least, is for the CMIS 1.1 endpoint to understand HttpServletRequest.getRemoteUser() as an authentication method so that it will work with SSO solutions.

Comment by Kevin Roast [X] (Inactive) [ 13-Nov-14 ]

I agree - step 1 was the connector framework refactor. Step 2 is to get SSO working over the public API route.

Comment by Kevin Roast [X] (Inactive) [ 20-Nov-14 ]

I have this all working now on a branch. It is now possible to use x-remote-user (CAS or similar) auth and also session-based auth such as NTLM with Public API endpoints such as CMIS.

Comment by Kevin Roast [X] (Inactive) [ 20-Nov-14 ]

I will target 5.0.c.

Comment by Kevin Roast [X] (Inactive) [ 20-Mar-15 ]

5.0.d it is, and will be out on Monday.
