[MNT-15866] SSO alfrescoHeader problems in Share 201602-GA Created: 16-Mar-16  Updated: 20-Jul-16  Resolved: 05-Apr-16

Status: Closed
Project: Service Packs and Hot Fixes
Component/s: Repository Authentication and SSO
Affects Version/s: 5.1
Fix Version/s: 5.1.1

Type: Bug
Reporter: Erwin Bogaard (Inactive) Assignee: Closed Bugs (Inactive)
Resolution: Fixed Votes: 0
Labels: rn511
Remaining Estimate: 0 minutes
Time Spent: 3 days, 7 hours
Original Estimate: Not Specified
Environment:

Centos 7 + JDK 7

Attachments: PNG File Dashboard broken.png    
Issue Links:
Cloners
is cloned by MNT-15942 CLONE - SSO alfrescoHeader problems i... Closed
is cloned by MNT-16406 Clone- SSO alfrescoHeader problems in... Closed
Duplicate
duplicates ALF-21476 External authentication with REMOTE_USER Closed
is duplicated by ALF-21624 SSO alfrescoHeader problems in Share ... Closed
is duplicated by ALF-21607 Share login form doesn't appear as fa... Closed
Related
Bug Priority:
Category 1
Build Location: https://releases.alfresco.com/Enterprise-5.1/5.1.1/5.1.1/build-00138/ALL/
Regression Since:
5.0

 Description   

After upgrading from CE 5.0d to 5.1e, there appeared to be a problem with SSO using alfrescoHeader.
The login process does work, bu, amongst others. the Dashboard is broken and doesn't show any information. See attached screenshot.

I traced this problem to the SSO authentication, due to enabling parts one by one. After disabling SSO authentication in share-config-custom.xml, things started working as intended again.

I use the following config in alfresco-global.properties:

authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
external.authentication.enabled=true
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader

And the following in share-config-xustom.xml

   <config evaluator="string-compare" condition="Remote">
      <remote>
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>

         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>

         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>

         <endpoint>
            <id>alfresco-feed</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>

         <endpoint>
            <id>alfresco-api</id>
            <parent-id>alfresco</parent-id>
            <name>Alfresco Public API - user access</name>
            <description>Access to Alfresco Repository Public API that require user authentication.
                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

As I understand, since 5.1 you can use an other endpoint-url for the alfresco-endpint.
I tried "<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>" instead of "<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>", but got the same result.

No CSRF-errors are present in the log.

When setting the SSOAuthenticationFilter on debug, I see the following relevant info in the log:

#During startup:
2016-03-16 10:05:23,962  DEBUG [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] Initializing the SSOAuthenticationFilter.
 2016-03-16 10:05:23,967  DEBUG [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] Endpoint is alfresco
 2016-03-16 10:05:23,967  DEBUG [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] userHeader is SsoUserHeader
 2016-03-16 10:05:23,967  DEBUG [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] userIdPattern is null
 2016-03-16 10:05:23,968  INFO  [site.servlet.SSOAuthenticationFilter] [localhost-startStop-1] SSOAuthenticationFilter initialised.

# When & directly after logging in
2016-03-16 10:06:57,833  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-5] Processing request /share/page/ SID:64181817416B97015C074BE5C07FFCBA
 2016-03-16 10:06:58,737  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-5] Initial login from externally authenticated user user@domain.ext
 2016-03-16 10:06:58,740  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-5] Accept-Language header present: en,nl;q=0.7,en-US;q=0.3
 2016-03-16 10:07:00,646  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-5] Authentication not required, chaining ...
 2016-03-16 10:07:01,439  INFO  [web.site.EditionInterceptor] [http-apr-8080-exec-5] Successfully retrieved license information from Alfresco.
 2016-03-16 10:07:02,537  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-3] Processing request /share/page/user/user%40domain.ext/dashboard SID:64181817416B97015C074BE5C07FFCBA
 2016-03-16 10:07:02,587  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-3] userHeader external auth - skipping auth filter...
 2016-03-16 10:07:20,464  INFO  [web.scripts.ImapServerStatus] [http-apr-8080-exec-3] Successfully retrieved IMAP server status from Alfresco: disabled
 2016-03-16 10:07:33,871  INFO  [solr.component.AsyncBuildSuggestComponent] [Suggestor-alfresco-1] Loaded suggester shingleBasedSuggestions, took 60570 ms
 2016-03-16 10:07:38,190  DEBUG [site.servlet.SSOAuthenticationFilter] [ajp-apr-8009-exec-1] Processing request /share/service/messages_5b3209b57be25b3a2576369a850f63e3.js SID:64181817416B97015C074BE5C07FFCBA
 2016-03-16 10:07:38,191  DEBUG [site.servlet.SSOAuthenticationFilter] [ajp-apr-8009-exec-1] Validating repository session for user@domain.ext
 2016-03-16 10:07:38,191  DEBUG [site.servlet.SSOAuthenticationFilter] [ajp-apr-8009-exec-1] Accept-Language header present: en,nl;q=0.7,en-US;q=0.3
 Mar 16, 2016 10:07:38 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [default] in context with path [/share] threw exception
java.lang.NullPointerException
        at org.alfresco.web.site.servlet.SlingshotAlfrescoConnector.applyRequestHeaders(SlingshotAlfrescoConnector.java:196)
        at org.springframework.extensions.webscripts.connector.HttpConnector.initRemoteClient(HttpConnector.java:269)
        at org.springframework.extensions.webscripts.connector.HttpConnector.call(HttpConnector.java:67)
        at org.springframework.extensions.webscripts.RequestCachingConnector.call(RequestCachingConnector.java:90)
        at org.alfresco.web.site.servlet.SSOAuthenticationFilter.challengeOrPassThrough(SSOAuthenticationFilter.java:839)
        at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:539)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:188)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

2016-03-16 10:07:38,374  ERROR [alfresco.web.site] [ajp-apr-8009-exec-1] java.lang.NullPointerException
 2016-03-16 10:07:38,723  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-1] Processing request /share/page/user/user%40domain.ext/undefinedservice/modules/authenticated SID:64181817416B97015C074BE5C07FFCBA
 2016-03-16 10:07:38,758  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-1] userHeader external auth - skipping auth filter...
 Mar 16, 2016 10:07:38 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Could not resolve view with name 'user/user@domain.ext/undefinedservice/modules/authenticated' in servlet with name 'Spring Surf Dispatcher Servlet'] with root cause
javax.servlet.ServletException: Could not resolve view with name 'user/user@domain.ext/undefinedservice/modules/authenticated' in servlet with name 'Spring Surf Dispatcher Servlet'
        at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1198)
        at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1001)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:945)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:867)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.alfresco.web.site.servlet.SecurityHeadersFilter.doFilter(SecurityHeadersFilter.java:182)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:315)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:533)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

2016-03-16 10:07:38,786  ERROR [alfresco.web.site] [http-apr-8080-exec-1] javax.servlet.ServletException: Could not resolve view with name 'user/user@domain.ext/undefinedservice/modules/authenticated' in servlet with name 'Spring Surf Dispatcher Servlet'
 2016-03-16 10:07:39,132  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-2] Processing request /share/proxy/alfresco/api/people/user%40domain.ext/preferences SID:64181817416B97015C074BE5C07FFCBA
 2016-03-16 10:07:39,133  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-2] userHeader external auth - skipping auth filter...
 2016-03-16 10:07:39,315  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-7] Processing request /share/page/user/user%40domain.ext/undefinedcomponents/images/lightbox/loading.gif SID:64181817416B97015C074BE5C07FFCBA
 2016-03-16 10:07:39,316  DEBUG [site.servlet.SSOAuthenticationFilter] [http-apr-8080-exec-7] userHeader external auth - skipping auth filter...
 Mar 16, 2016 10:07:39 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Could not resolve view with name 'user/user%40domain.ext/undefinedcomponents/images/lightbox/loading.gif' in servlet with name 'Spring Surf Dispatcher Servlet'] with root cause
javax.servlet.ServletException: Could not resolve view with name 'user/user@domain.ext/undefinedcomponents/images/lightbox/loading.gif' in servlet with name 'Spring Surf Dispatcher Servlet'
        at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1198)
        at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1001)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:945)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:867)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:844)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.alfresco.web.site.servlet.SecurityHeadersFilter.doFilter(SecurityHeadersFilter.java:182)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:315)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:533)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

Two thing stand out for me:

1. The username, which is 'user@domain.ext' sometimes has the '@' urlencoded to '%40' and sometime not
2. There seems to be some problem which leads to 'undefinedcomponents' be part of the URL.

If more information is needed, let me know.

 Comments   
Comment by Erwin Bogaard (Inactive) [ 18-Apr-16 ]

This bug seems to be fixed, but Alfresco probably forgot to share the fix with the community.
Luckily someone else has found a fix as well: See this small patch
I tried this small patch and it seems to work fix things

Comment by Kevin Roast [X] (Inactive) [ 12-May-16 ]

I believe we shared the fix with the community here: https://issues.alfresco.com/jira/browse/ALF-21607
A community member added it to github.

Comment by Kevin Roast [X] (Inactive) [ 12-May-16 ]

I would like to see fixes like this merged to trunk much, much quicker than this (it is still not merged!)

Brian Remmington and Richard Esplin [X] perhaps this is something you can discuss again. Waiting weeks and weeks for a merged fix (which has already been tested as OK) seems unreasonable for an open-source product.

Generated at Mon Mar 08 15:22:34 GMT 2021 using Jira 7.13.15#713015-sha1:7c5ddd2c3e1709974ae9c48c17df8edd3919fe2c.