[ALF-679] Unable to use regular expression matching in external authentication subsystem

Created: 25-Jan-10  Updated: 13-May-10  Resolved: 26-Apr-10

Status: Closed
Project: Alfresco
Component/s: Repository
Affects Version/s: 3.2 Enterprise
Fix Version/s: 3.3 Enterprise

Type: Bug
Priority: Critical
Reporter: Dave Ward [X] (Inactive)
Assignee: Closed Bugs (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: 2 hours
Time Spent: Not Specified
Original Estimate: 2 hours

Date of First Response:

 Description   

See http://forums.alfresco.com/en/viewtopic.php?f=9&t=24350#p79466



 Comments   
Comment by Jamie Lentin (Inactive) [ 03-Feb-10 ]

If it's useful, I've implemented our own RemoteUserMapper, that reimplements the header extraction as follows:-

    private String extractUserFromProxyHeader(HttpServletRequest request)
    {
        String userId = request.getHeader(this.proxyHeader);
        if (userId == null)
        {
            return null;
        }
        if (this.userIdPattern == null)
        {
            return userId.trim();
        }

        Matcher matcher = this.userIdPattern.matcher(userId);

        // If pattern matches, pull out first bracketed group, or entire matching area
        if (matcher.find())
        {
            return matcher.groupCount() > 0 ? matcher.group(1) : matcher.group();
        }

        // Couldn't match pattern
        return null;
    }

Comment by Dave Ward [X] (Inactive) [ 16-Mar-10 ]

org.alfresco.web.app.servlet.DefaultRemoteUserMapper.extractUserFromProxyHeader(HttpServletRequest) should use group(1) instead of group() so that it will extract the first matching group from a regular expression, rather than the entire match.

Comment by Dave Ward [X] (Inactive) [ 01-Apr-10 ]

This was fixed by the fix to ALF-2043

Comment by Steve Rigby [X] (Inactive) [ 01-Apr-10 ]

For retest in 3.2 sp1

Comment by Alfresco QA Team (Inactive) [ 15-Apr-10 ]

Reopened in Alfresco 3.2.1 EE b 495 using Windows 2008 SP1 x64, Tomcat 6.0.18, Mysql 5.1.34, JDK 6u16 x64.

Used the following settings:

    authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
    external.authentication.proxyUserName=
    external.authentication.proxyHeader=x-user
    external.authentication.userIdPattern=^(admin)

We can successfully login with such headers as "123Adminsd", "345" and any other. The userIdPattern doesn't block user login and doesn't strip headers like "admin-somethingelse". We login with exactly the same username as set in the header.
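Added example (not part of the ticket and not Alfresco's code): a stand-alone Java class that runs the extraction logic from the 03-Feb-10 comment against the `userIdPattern` and header values quoted in the QA comment above, then contrasts `group()` with `group(1)`. The class name, the `wholeMatch` helper and the `example.com` pattern and header are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UserIdPatternDemo
{
    // Same logic as the method in the 03-Feb-10 comment, with the pattern passed in.
    static String firstGroupOrMatch(Pattern userIdPattern, String header)
    {
        if (header == null)
        {
            return null;
        }
        if (userIdPattern == null)
        {
            return header.trim();
        }
        Matcher matcher = userIdPattern.matcher(header);
        if (matcher.find())
        {
            return matcher.groupCount() > 0 ? matcher.group(1) : matcher.group();
        }
        return null; // no match: no user is mapped from this header
    }

    // Comparison variant that always returns the entire match via group().
    static String wholeMatch(Pattern userIdPattern, String header)
    {
        Matcher matcher = userIdPattern.matcher(header);
        return matcher.find() ? matcher.group() : null;
    }

    public static void main(String[] args)
    {
        // userIdPattern from the QA settings, with the header values QA tried.
        Pattern qa = Pattern.compile("^(admin)");
        for (String h : new String[] { "123Adminsd", "345", "admin-somethingelse", "admin" })
        {
            System.out.println("[" + h + "] -> " + firstGroupOrMatch(qa, h));
        }
        // find() with "^" only requires the header to start with the pattern;
        // append "$" if only a header that is exactly the user id should map.

        // Constructed pattern and header, where group() and group(1) differ.
        Pattern mail = Pattern.compile("^([^@]+)@example\\.com$");
        String header = "jsmith@example.com";
        System.out.println("group():  " + wholeMatch(mail, header));
        System.out.println("group(1): " + firstGroupOrMatch(mail, header));
    }
}
```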

Comment by Steve Rigby [X] (Inactive) [ 12-May-10 ]

For retest in 3.3E build 27

Comment by Alfresco QA Team (Inactive) [ 13-May-10 ]

Successfully validated in Alfresco 3.3 EE b 27 using Windows 2003 SP1 x64, Tomcat 6.0.26, Mysql 5.1.34, JDK 6u16 x64.

Generated at Sun Mar 07 00:44:50 GMT 2021 using Jira 7.13.15#713015-sha1:7c5ddd2c3e1709974ae9c48c17df8edd3919fe2c.