External SSO in alfresco share

I need to test external SSO in Alfresco Share.

I followed these steps:

1. Renamed alfresco-4.2.c/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml.sample to share-config-custom.xml.
2. Uncommented both of the <config evaluator="string-compare" condition="Remote"> sections.

 <config evaluator="string-compare" condition="Remote">
      <remote>
         <endpoint>
            <id>alfresco-noauth</id>
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not 
            require authentication
        </description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>none</identity>
         </endpoint>
 
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that 
                         require user authentication
        </description>
            <connector-id>alfresco</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <identity>user</identity>
         </endpoint>
 
         <endpoint>
            <id>alfresco-feed</id>
            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via
                         the EndPointProxyServlet</description>
            <connector-id>http</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
            <basic-auth>true</basic-auth>
            <identity>user</identity>
         </endpoint>
 
         <endpoint>
            <id>activiti-admin</id>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user 
                         authentication</description>
            <connector-id>activiti-admin-connector</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/activiti-admin
            </endpoint-url>
            <identity>user</identity>
         </endpoint>
      </remote>
    </config>
 
<config evaluator="string-compare" condition="Remote">
      <remote>
         <keystore>
             <path>alfresco/web-extension/alfresco-system.p12</path>
             <type>pkcs12</type>
             <password>alfresco-system</password>
         </keystore>
 
         <connector>
            <id>alfrescoCookie</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based 
                          authentication
            </description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
         </connector>
 
         <connector>
            <id>alfrescoHeader</id>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and 
             cookie-based authentication
            </description>
            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
            <userHeader>SsoUserHeader</userHeader>
         </connector>
 
         <endpoint>
            <id>alfresco</id>
            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user
             authentication
            </description>
            <connector-id>alfrescoHeader</connector-id>
            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
            <identity>user</identity>
            <external-auth>true</external-auth>
         </endpoint>
      </remote>
   </config>

3. Modified alfresco-global.properties like this:

authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=SsoUserHeader

No other changes were made.
Do I need to do any further modifications?

I tried to access Alfresco from my JSP application as follows:

Testing SSO <br>
<%
 
URL url1 = new URL("http://localhost:8080/share/page"); 
URLConnection conn = url1.openConnection(); 
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestProperty("SsoUserHeader", "admin"); 
for (int i = 0;; i++) { 
	String headerName = conn.getHeaderFieldKey(i);  
	String headerValue = conn.getHeaderField(i);   
	System.out.println(headerName + "===");  
	System.out.println(headerValue);  
	if (headerName == null && headerValue == null) {     break;   } 
}
 
%>

It's giving this output in the console:

 
***************
null===
HTTP/1.1 200 OK
Server===
Apache-Coyote/1.1
Set-Cookie===
JSESSIONID=89E6C0A9600DDA3675EEB633F5F3A248; Path=/share/; HttpOnly
Cache-Control===
no-cache
Content-Type===
text/html;charset=utf-8
Content-Language===
en-US
Transfer-Encoding===
chunked
Date===
Wed, 17 Apr 2013 13:52:24 GMT
null===
null
*************

The connection is successful here.

Now I need to test SSO.
How can I link from my JSP application to Alfresco Share?
When I use response.redirect it shows the login page again.

4.2.c
SSO
Hello,

you can't simply link from your JSP to Alfresco and expect external authentication to work. Your test inside the JSP works because you are directly manipulating a URLConnection. Unless you provide a way for new connections (regardless of whether redirected or pointed directly at Alfresco) to be authenticated and an HTTP header added transparently, external authentication will not work. You can't manipulate the HTTP headers of a request that is the result of a redirect.

For linking from an application to Alfresco without having a CAS (central authentication service) to provide real external authentication, I would evaluate the use of login tickets. I.e. have your application access Alfresco like you did in your test and obtain a ticket. Append that dynamically to the redirect URL to pass it to the client. This ticket will automatically log in the user with the same context used in your JSP. You may have to provide a special SSO filter that is able to pass the ticket to the Alfresco Repository though - last I checked the default SSOAuthenticationFilter was not capable of passing a ticket.

Regards
Axel

Axel Faust
Senior IT-Consultant / Software Architect
PRODYNA AG
Frankfurt am Main, Germany

Even with subscriptions in the forum, it can be hard to keep track of all topics I participate in. If you feel you are waiting too long for me to answer, please send me a short PM. "Too long" means at least more than a day, preferably a couple of days - please don't abuse this offer. After all, I participate in this forum purely on my own time.

Thank you for the reply.
I would like to have some clarification:
1. When I am trying to connect using an HTTP URL connection or URLConnection, how does the ticket get created?
2. When I make a request through the URL connection, will it return any ticket?
3. How can I get a ticket without giving a password?

Thank you
Ram

Hello,

1) and 2) You need to implement a web script that generates and returns the ticket for the current user. This web script is addressed by the URI you use to set up a URLConnection. The ticket should be contained in the response body, which you need to evaluate in your JSP (or Java code) to extract the ticket. This can be done by a simple JavaScript / FreeMarker web script, using the JavaScript session root scope object to retrieve the ticket, i.e. session.getTicket().

3) By using the external authentication approach you've already shown in your original post for the request to retrieve the ticket.

Regards
Axel

Webscript Implemented

I just created a web script to get the ticket of Alfresco Share. The steps which I did are:

 1. Created getticket.get.desc.xml
 
    <webscript>
      <shortname>Get User Ticket</shortname>
      <description>Personalized greeting</description>
      <url>/getticket</url>
      <authentication>user</authentication>
      <negotiate accept="text/html">html</negotiate>
      <negotiate accept="application/json">json</negotiate>
    </webscript>
 
   2. Created getticket.get.html.ftl (plain text)
 
         ${session.getTicket()}

Next I tried to get it in the JSP code:

<%
 
URL url1 = new URL("http://localhost:8080/alfresco/service/getticket"); 
URLConnection conn = url1.openConnection(); 
conn.setRequestProperty("SsoUserHeader", "admin"); 
for (int i = 0;; i++) { 
	String headerName = conn.getHeaderFieldKey(i);  
	String headerValue = conn.getHeaderField(i);   
	System.out.println(headerName + "===");  
	System.out.println(headerValue);  
	if (headerName == null && headerValue == null) {     break;   } 
}
 
%>

Output:

null===
HTTP/1.1 401 Unauthorized
Server===
Apache-Coyote/1.1
WWW-Authenticate===
Basic realm="Alfresco"
Content-Type===
text/html;charset=utf-8
Content-Length===
951
Date===
Mon, 22 Apr 2013 13:23:58 GMT
null===
null

1) How can I get the ticket here? It's saying unauthorized. I can't provide a password as it is external SSO.

SSO filter

Can you please tell, how to provide a special SSO filter that is able to pass the ticket to the Alfresco Repository?

Hello,

you develop a Java class that implements the Java Servlet API interface "Filter" and register it in the web.xml of Share. In that class, the doFilter method needs to take care of passing a ticket from the request URI to the backend Repository to verify / validate. Please take a look at the Alfresco class SSOAuthenticationFilter for an example of a similar filter available by default.

Regards
Axel

Hello,

Hello,

you need to use "wcservice" not "service" in your URL, otherwise SSO will not be processed ("/service/" and "/s/" never have SSO enabled).

Regards
Axel

Yes, I tried with wcservice.

<%
URL url1 = new URL("http://localhost:8080/alfresco/wcservice/getticket");
HttpURLConnection conn = (HttpURLConnection) url1.openConnection();
conn.setRequestProperty("SsoUserHeader", "admin");
// Print every response header; index 0 is the status line (its key is null).
for (int i = 0;; i++) {
    String headerName = conn.getHeaderFieldKey(i);
    String headerValue = conn.getHeaderField(i);
    System.out.println(headerName + "===");
    System.out.println(headerValue);
    if (headerName == null && headerValue == null) { break; }
}
%>

It's giving an Internal Server Error. SSO is not happening.

null===
HTTP/1.1 500 Internal Server Error
Server===
Apache-Coyote/1.1
Content-Type===
text/html;charset=UTF-8
Transfer-Encoding===
chunked
Date===
Thu, 25 Apr 2013 04:39:39 GMT
Connection===
close
null===
null

What do I have to do here to get the ticket?

Hello,

what is the precise error in the logs?

Regards
Axel

Error in the logs

Thanks for the reply.
I am posting the error logs here...

 

Hello,

Well, your request is missing some parameters that the web script requires to negotiate the response format. Simplest way to fix this would probably be to change your web script to a set response format instead of allowing negotiation. Otherwise you should provide the necessary HTTP headers in your request for the negotiation.

Regards
Axel

Yes I got ticket

Got the ticket.
Now I am trying to redirect to the user dashboard by appending the ticket to the URL from the JSP page:

/************************ Getting Ticket ************************/
URL url1 = new URL("http://localhost:8080/alfresco/wcservice/qdriveticket.json");
HttpURLConnection conn = (HttpURLConnection) url1.openConnection();
HttpURLConnection.setFollowRedirects(false);
conn.setRequestProperty("x-alfresco-remote-user", "admin");
BufferedReader dis = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String ticket;
String tkt = null;
// The ticket is the last line of the response body.
while ((ticket = dis.readLine()) != null) {
    tkt = ticket;
}
dis.close();

/************************ Redirecting to Share ************************/
url1 = new URL("http://localhost:8080/share/page");
conn = (HttpURLConnection) url1.openConnection();
// Must be set before connecting; the redirect still has to be handled manually.
conn.setInstanceFollowRedirects(false);
conn.setRequestProperty("x-alfresco-remote-user", "admin");
conn.connect();

// Target of the redirect that Share answers with.
String newUrl = conn.getHeaderField("Location");

// Send the browser to that target with the ticket appended.
response.sendRedirect(newUrl + "?ticket=" + tkt);

Redirection happened to:

http://localhost:8080/share/page/user/admin/dashboard?ticket=TICKET_4be43a906429fa148af2f2fb4097d2b60500bda1

But the login page is coming up.
Is it the problem of not providing a special SSO filter that is able to pass the ticket to the Alfresco Repository?

Please give me reply...

"Is it the problem of not providing a special SSO filter that is able to pass the ticket to the Alfresco Repository?"

Yes, that is precisely the problem now. A simple filter should be sufficient that extracts the ticket from the request URL and puts it in the remote connector session as alfTicket parameter. That parameter is already used by the standard code of Share / Surf to enhance requests to the repository. By setting alfTicket yourself, you can reuse the existing code with the least amount of effort and least amount of complex code duplication.

Regards
Axel

Thanx Axel Faust

I got the basics of Filter and now I am trying to implement it in Alfresco. The steps which I followed are:
1. Created a simple Java project in Eclipse.
2. Created a class which implements the Filter interface and wrote code for extracting the ticket from the request URL and putting it in the remote connector session as alf_ticket parameter.
3. Exported it as a jar file and copied it into share/WEB-INF/lib.
4. Modified share/WEB-INF/web.xml and registered the filter before the existing "Authentication Filter".

<!-- Special SSO-->
   <filter>
      <description>Share Special SSO authentication support filter.</description>
      <filter-name>Special SSO Authentication Filter</filter-name>
      <filter-class>in.dms.filter.SpecialSSOFilter</filter-class>
   </filter> 
 
   <filter-mapping>
      <filter-name>Special SSO Authentication Filter</filter-name>
      <url-pattern>/page/*</url-pattern>
   </filter-mapping>
 
   <filter-mapping>
      <filter-name>Special SSO Authentication Filter</filter-name>
      <url-pattern>/p/*</url-pattern>
   </filter-mapping>
 <!-- Special SSO-->

The Java code which I wrote is:

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpServletRequest = (HttpServletRequest) req;

    // Ticket appended to the request URL
    String ticket = httpServletRequest.getParameter("ticket");

    HttpSession session = httpServletRequest.getSession();

    if (ticket != null) {
        // Stored as an attribute of the HTTP session
        session.setAttribute("alf_ticket", ticket);
    }

    chain.doFilter(req, res);
}

Please let me know what else I have to do here to make it work.

Hello,

you are currently not setting alf_ticket in the connector session, rather in the "normal" HTTP session which does not help you.

You need something along the lines of:

ApplicationContext context = WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
ConnectorService connectorService = (ConnectorService) context.getBean("connector.service");
ConnectorSession connectorSession = connectorService.getConnectorSession(session, "alfresco");
connectorSession.setParameter("alfTicket", ticket);

Regards
Axel

Thanx AFaust, But not working.

I added the needed jar files and rewrote the code as:

public void init(FilterConfig args) throws ServletException
{
    if (logger.isDebugEnabled())
        logger.debug("Initializing the SSOAuthenticationFilter.");
    this.servletContext = args.getServletContext();
}

public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
    throws IOException, ServletException
{
    HttpServletRequest httpServletRequest = (HttpServletRequest) req;
    String ticket = httpServletRequest.getParameter("ticket");
    HttpSession session = httpServletRequest.getSession();
    logger.debug("Initializing the SpecialSSOFilter. Ticket : " + ticket);

    if (ticket != null) {
        // Look up the Surf connector service and store the ticket in the connector session
        ApplicationContext context = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
        ConnectorService connectorService = (ConnectorService) context.getBean("connector.service");
        ConnectorSession connectorSession = connectorService.getConnectorSession(session, "alfresco");
        connectorSession.setParameter("alfTicket", ticket);
        connectorSession.setParameter("alf_ticket", ticket);
    }
    chain.doFilter(req, resp);
}

For creating this filter I just followed these steps:
1. Created a simple Java project in Eclipse.
2. Created a class which implements the Filter and CallbackHandler interfaces and wrote the above code.
3. Exported it as a jar file and copied it into share/WEB-INF/lib.
4. Modified share/WEB-INF/web.xml and registered the filter before the existing "Authentication Filter" as mentioned in the last post.

*** Do I need to provide any XML giving bean details with this project? I don't know much about "connector.service".

*** I didn't do anything more than what is mentioned in the steps above. So please let me know the reason SSO is not working here.
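
A hardened variant of the filter in this post, as an added example that is not part of the thread or of Alfresco's own code: it accepts only values shaped like the tickets shown in this thread, stores the ticket as the alfTicket connector-session parameter using the ConnectorService calls quoted above, and then redirects to the same URL without the ticket so that the bearer value does not stay in browser history, Referer headers or access logs. The class and package names are hypothetical, and whether Share then uses the stored ticket depends on the connector configured for the "alfresco" endpoint.

```java
package example.share.filter; // hypothetical package name

import java.io.IOException;
import java.net.URLDecoder;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.context.ApplicationContext;
import org.springframework.extensions.webscripts.connector.ConnectorService;
import org.springframework.extensions.webscripts.connector.ConnectorSession;
import org.springframework.web.context.support.WebApplicationContextUtils;

/** Hypothetical example filter; registered in Share's web.xml like the filter in this thread. */
public class TicketHandoffFilter implements Filter {

    static final String TICKET_PARAM = "ticket";
    // Assumption: tickets look like the ones printed in this thread ("TICKET_" + 40 hex digits).
    static final Pattern TICKET_SHAPE = Pattern.compile("TICKET_[0-9a-f]{40}");

    private ServletContext servletContext;

    public void init(FilterConfig config) throws ServletException {
        this.servletContext = config.getServletContext();
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        String ticket = request.getParameter(TICKET_PARAM);
        // Only a ticket on a GET request is handled; everything else passes through untouched.
        if (ticket == null || !"GET".equals(request.getMethod())) {
            chain.doFilter(req, resp);
            return;
        }
        if (!TICKET_SHAPE.matcher(ticket).matches()) {
            // Never store or log a value that does not even look like a ticket.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Start from a fresh session so a session id planted earlier is not upgraded.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);

        ApplicationContext context =
                WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
        ConnectorService connectorService = (ConnectorService) context.getBean("connector.service");
        ConnectorSession connectorSession = connectorService.getConnectorSession(session, "alfresco");
        connectorSession.setParameter("alfTicket", ticket);

        // Drop the ticket from the address bar; the repository decides whether it is valid.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(urlWithoutTicket(request.getRequestURI(), request.getQueryString()));
    }

    /** Rebuilds the local request URL without any "ticket" query parameter. */
    static String urlWithoutTicket(String requestUri, String queryString) throws IOException {
        // Collapse leading slashes so the redirect can never become a "//host" reference.
        String path = requestUri.replaceFirst("^/+", "/");
        if (queryString == null || queryString.isEmpty()) {
            return path;
        }
        StringBuilder kept = new StringBuilder();
        for (String pair : queryString.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            String name;
            try {
                name = URLDecoder.decode(pair.split("=", 2)[0], "UTF-8");
            } catch (IllegalArgumentException malformed) {
                continue; // drop parameters whose name cannot be decoded
            }
            if (TICKET_PARAM.equals(name)) {
                continue;
            }
            if (kept.length() > 0) {
                kept.append('&');
            }
            kept.append(pair);
        }
        return kept.length() == 0 ? path : path + "?" + kept;
    }
}
```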

Hello,

it would be good to know which part of that code is not working. Do you get the log statement that prints out the ticket? Have you tried debugging the filter with Eclipse as a Remote Java Application?

Regards
Axel

Log Statements

Code:

public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
    throws IOException, ServletException
{
    System.out.println("FILTER IS EXECUTING-PRE");
    HttpServletRequest httpServletRequest = (HttpServletRequest) req;
    String ticket = httpServletRequest.getParameter("ticket");
    HttpSession session = httpServletRequest.getSession();
    System.out.println("Initializing the SpecialSSOFilter. Ticket : " + ticket);

    if (ticket != null) {
        ApplicationContext context = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
        ConnectorService connectorService = (ConnectorService) context.getBean("connector.service");
        ConnectorSession connectorSession = connectorService.getConnectorSession(session, "alfresco");
        System.out.println("connectorService : " + connectorService);
        System.out.println("connectorSession : " + connectorSession);
        connectorSession.setParameter("alfTicket", ticket);
        connectorSession.setParameter("alf_ticket", ticket);
        System.out.println("ALF_TICKET " + connectorSession.getParameter("alfTicket"));
    }

    chain.doFilter(req, resp);
    System.out.println("FILTER IS EXECUTING-POST");
}

After clicking the link (URL with the ticket appended) to reach the user dashboard,
"catalina.out" displays the statements printed by my Special SSO Filter class:

FILTER IS EXECUTING-PRE
Initializing the SpecialSSOFilter. Ticket : TICKET_817097a9588838bbf40c26f7d3c5aebc737a0907
connectorService : org.springframework.extensions.webscripts.connector.ConnectorService@6a09865e
connectorSession : org.springframework.extensions.webscripts.connector.ConnectorSession@1cf5c34b
ALF_TICKET  TICKET_817097a9588838bbf40c26f7d3c5aebc737a0907
FILTER IS EXECUTING-POST

On each click I can see new entries in "catalina.out" with a new ticket.
I hope the filter is executing perfectly.
But it asks for authentication again if I click the link.

Hello,

the (last) hurdle why this is not working (yet) seems to be the following lines of code from AlfrescoConnector (which is used to connect to the Repository based on "Remote"-config in share-config.xml / share-config-custom.xml):

        if (getCredentials() != null)
        {
            // if this connector is managing session info
            if (getConnectorSession() != null)
            {
                // apply alfresco ticket from connector session - i.e. previous login attempt
                alfTicket = (String)getConnectorSession().getParameter(AlfrescoAuthenticator.CS_PARAM_ALF_TICKET);
            }
        }

The getCredentials() != null is preventing the connector from using the ticket you put into the connector session. You've got two choices here: 1) set "dummy" credentials to satisfy this check or 2) provide a custom connector (simply copy the AlfrescoConnector class, remove the check and adjust "Remote"-config to use your new class) that uses the ticket regardless.

I'd recommend alternative #2, since #1 is a more complex operation and faking credentials should not be considered good practice.

Regards
Axel

Thanks for your reply.

Because of some issues I reinstalled Alfresco and tried to finish all the steps which I have already done. But I got stuck in one place.
I have updated both share-config-custom.xml and alfresco-global.properties as I mentioned in the first comment of this post to achieve external SSO. Then I created a web script to get the ticket.

1. getticket.get.desc.xml

    <webscript>
      <shortname>GET QDRIVE TICKET</shortname>
      <description>Getting QdriveTicket</description>
      <url>/getticket</url>
      <authentication>user</authentication>
      <negotiate accept="text/html">html</negotiate>
      <negotiate accept="application/json">json</negotiate>
    </webscript>

2. getticket.get.json.ftl

    ${session.getTicket()}

Then I restarted Alfresco. In logs I am getting following errors.

org.springframework.extensions.webscripts.WebScriptException: 05060001 Web Script org/alfresco/repository/store/remoteadm.post requires user authentication; however, a guest has attempted access.
at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:321)
at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:303)
at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:433)
at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:345)
at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:377)
at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:209)
at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:118)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.alfresco.repo.web.filter.beans.NullFilter.doFilter(NullFilter.java:68)
at sun.reflect.GeneratedMethodAccessor384.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:116)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy236.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter.doFilter(WebScriptSSOAuthenticationFilter.java:140)
at sun.reflect.GeneratedMethodAccessor384.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy236.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1813)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)

Why is this error coming now?

Replace org.alfresco.web.site.servlet.SlingshotAlfrescoConnector

I replaced the "org.alfresco.web.site.servlet.SlingshotAlfrescoConnector" class with my new connector class in both connectors (alfrescoCookie and alfrescoHeader) defined in share-config-custom.xml.
The login page is still coming up when I click the URL with the appended ticket.

The modified class I am using is:

public class SlingshotAlfrescoConnector extends RequestCachingConnector
{
    private static final String CD_USER_HEADER = "userHeader";
    public static final String CS_PARAM_USER_HEADER = "userHeader";

    public SlingshotAlfrescoConnector(ConnectorDescriptor descriptor, String endpoint) {
        super(descriptor, endpoint);
    }

    private String getUserHeader() {
        String userHeader = descriptor.getStringProperty(CD_USER_HEADER);
        System.out.println("userHeader : " + userHeader);
        if (userHeader != null && userHeader.trim().length() == 0) {
            userHeader = null;
        }
        return userHeader;
    }

    @Override
    public void setConnectorSession(ConnectorSession connectorSession) {
        super.setConnectorSession(connectorSession);
        connectorSession.setParameter(CS_PARAM_USER_HEADER, getUserHeader());
        System.out.println(" connectorSession : " + connectorSession);
    }

    protected void applyRequestHeaders(RemoteClient remoteClient, ConnectorContext context) {
        super.applyRequestHeaders(remoteClient, context);
        Map<String, String> headers = new HashMap<String, String>(8);
        if (context != null) {
            headers.putAll(context.getHeaders());
        }
        if (getCredentials() != null) {
            String user = (String) getCredentials().getProperty(Credentials.CREDENTIAL_USERNAME);
            String pass = (String) getCredentials().getProperty(Credentials.CREDENTIAL_PASSWORD);
            if (pass == null) {
                headers.put("X-Alfresco-Remote-User", user);
                System.out.println("X-Alfresco-Remote-User " + user);
            }
            String userHeader = getUserHeader();
            if (userHeader != null) {
                System.out.println("getUserHeader Not NULL: " + userHeader);
                headers.put(userHeader, user);
            }
        }
        String alfTicket = null;
        if (getConnectorSession() != null) {
            System.out.println("getConnectorSession() not NULL");
            // apply alfresco ticket from connector session - i.e. previous login attempt
            alfTicket = (String) getConnectorSession().getParameter(AlfrescoAuthenticator.CS_PARAM_ALF_TICKET);

            // added some codes here written in above if condition :- if (getCredentials() != null).
            System.out.println("alfTicket : " + alfTicket);
            String user = "admin";
            headers.put("X-Alfresco-Remote-User", user);
            System.out.println("X-Alfresco-Remote-User Now : " + user);
            String userHeader = getUserHeader();
            if (userHeader != null) {
                System.out.println("getUserHeader NOW : " + userHeader);
                headers.put(userHeader, "admin");
            }
        }

        // Additionally Setting ticket in the remoteClient as done in AlfrescoConnector.java class

        if (alfTicket != null) {
            System.out.println("Setting alf_ticket : " + alfTicket);
            remoteClient.setTicket(alfTicket);
            remoteClient.setTicketName("alf_ticket");
        }
        // stamp all headers onto the remote client
        if (headers.size() != 0) {
            System.out.println("size!=0");
            remoteClient.setRequestProperties(headers);
        }
    }
}

It prints the following lines in the catalina.out file when I click on the link.
FILTER IS EXECUTING-PRE
Initializing the SpecialSSOFilter. Ticket : TICKET_b5df0646f39c9b3bed6f29838990af7fbe1143d3
connectorService : org.springframework.extensions.webscripts.connector.ConnectorService@4ec4073f
connectorSession : org.springframework.extensions.webscripts.connector.ConnectorSession@3022d2c1
ALF_TICKET TICKET_b5df0646f39c9b3bed6f29838990af7fbe1143d3
userHeader : SsoUserHeader
connectorSession : org.springframework.extensions.webscripts.connector.ConnectorSession@3022d2c1
getConnectorSession() not NULL
alfTicket : TICKET_b5df0646f39c9b3bed6f29838990af7fbe1143d3
X-Alfresco-Remote-User Now : admin
getUserHeader NOW : SsoUserHeader
Setting alf_ticket : TICKET_b5df0646f39c9b3bed6f29838990af7fbe1143d3
size!=0
FILTER IS EXECUTING-POST

Why is it still standing in the log in page itself?

Hello

Were you able to resolve this issue?

Hello,

At some point you should add some log output from the Repository into the mix so it is easier to determine what might be the problem here. I suggest setting the Log4J logger org.alfresco.repo.web.scripts.servlet to DEBUG, which should show you what is being read from the Share request on the Repository side.
Also, if you have configured Remote to point at /alfresco/wcs, the ticket name of Alfresco is in fact just "ticket" (a gross inconsistency, I know, but unfortunately this is the case if you compare WebClientAuthenticator with BasicHttpAuthenticator).

Regards
Axel

Axel Faust
Senior IT-Consultant / Software Architect
PRODYNA AG
Frankfurt am Main, Germany

Even with subscriptions in the forum, it can be hard to keep track of all topics I participate in. If you feel you are waiting too long for me to answer, please send me a short PM. "Too long" means at least more than a day, preferably a couple of days - please don't abuse this offer. After all, I participate in this forum purely on my own time.

Yes I have configured Remote to point at /alfresco/wcs.
Please have a look at the very first post; I have pasted my share-config-custom.xml there.
At the end of share-config-custom.xml, you can see;

<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user
authentication
</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>

Added following code in my connector class to test by setting alfresco ticket to the name "ticket";
remoteClient.setTicket(alfTicket);
remoteClient.setTicketName("ticket");
But, it didn't make any change.
What else can I do here if I am using Remote to point at /alfresco/wcs?

I added
"log4j.logger.org.alfresco.repo.web.scripts.servlet=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory.WebClientAuthenticator=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory.BasicHttpAuthenticator=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.AuthenticatorServlet=debug
" in both share/WEB-INF/classes/log4j.properties and alfresco/WEB-INF/classes/log4j.properties under "# Repository" section.
Do I need to enable any more classes to show debug logs?
If yes, let me know the name of those classes. I am using alfresco.4.2.c.

While clicking on the URL appended with the ticket; I got following logs in alfresco.log

12:19:35,427 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,427 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,455 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,455 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,471 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,472 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,513 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,514 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,525 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,525 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,566 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: false
12:19:35,566 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating session
12:19:35,653 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: true
12:19:35,653 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating ticket TICKET_3f345f7d803d5446b8319b3d18d72fe9101981cb
It shows "Alfresco ticket provided: true" and "Authenticating ticket TICKET_3f345f7d803d5446b8319b3d18d72fe9101981cb" in the last line of the above log.
Reloading the redirected URL "http://localhost:8080/share/page/user/admin/dashboard?ticket=TICKET_3f345f7d803d5446b8319b3d18d72fe9101981cb" adds the last two log lines [Alfresco ticket provided: true and Authenticating ticket TICKET_3f345f7d803d5446b8319b3d18d72fe9101981cb] to the alfresco.log file each time.

Added "log4j.logger.org.alfresco.repo.security.authentication.AuthenticationUtil=debug" also in log4j.properties.
It adds following logs in "alfresco.log" file when redirecting to the URL appended with the ticket.

16:25:45,514 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Alfresco ticket provided: true
16:25:45,514 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating ticket TICKET_140e281e0d7423399353d111a7620b65d57699c7
16:25:45,514 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Removing the current security information.
16:25:45,514 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,514 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Creating new secure context.
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@68e066f4: Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@648752f6: Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,515 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@33e0c1ff: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
16:25:45,517 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Removing the current security information.
I am not getting any debug logs in the share.log file. Logs are coming only in the alfresco.log file.
I have also set org.alfresco.repo.web.scripts.servlet to DEBUG in share/WEB-INF/classes/log4j.properties.
As I am trying to implement SSO in an installed bundle, I can't add code in existing class files.
Please help me find out the reason why SSO is not happening.

Hello,

You can't use Repository classes for logging configuration in Share. In the Share log4j configuration, you might get some log results by enabling debug for org.alfresco.web.site / org.alfresco.web.scripts.

I don't really understand what the problem is at the moment. You are clearly being authenticated correctly on the Repository tier, so all the Connector/Authenticator-related modifications seem to work correctly. Without information on what is going on in Share (not just "sits on login page"), we won't be getting any further.

Regards
Axel

Axel Faust
Senior IT-Consultant / Software Architect
PRODYNA AG
Frankfurt am Main, Germany

Thanks AFaust,
I couldn't see any classes which belong to org.alfresco.web.site / org.alfresco.web.scripts.
Could you please list the class names which are being used in this case? Then I can see the logs by setting them to DEBUG mode.
Currently I have set it for the following classes only:

log4j.logger.org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory.WebClientAuthenticator=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory.BasicHttpAuthenticator=debug
log4j.logger.org.alfresco.repo.web.scripts.servlet.AuthenticatorServlet=debug
log4j.logger.org.alfresco.repo.security.authentication.AuthenticationUtil=debug

Please let me know the rest of the classes used in this case for authentication.

Printed all headers after putting each value in my custom alfresco-connector;

headers.toString() prints: {Accept-Language=en-us,en;q=0.5, ticket=TICKET_d8bd7c178ff04530ed2a7bbf09bae5e3ccff3da3, SsoUserHeader=admin, X-Alfresco-Remote-User=admin, alfTicket=TICKET_d8bd7c178ff04530ed2a7bbf09bae5e3ccff3da3, userHeader=SsoUserHeader, user=admin, alf_ticket=TICKET_d8bd7c178ff04530ed2a7bbf09bae5e3ccff3da3}

And please let me know how I can get more information on what is going on in Share.

The default "AlfrescoConnector" class in alfresco SVN is setting the ticket in the remoteClient with the ticket name "alf_ticket". If I do the same thing in my custom connector, the ticket is not reaching the repository side.
remoteClient.setTicketName("alf_ticket");
It results :

10:43:53,398 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] 
Alfresco ticket provided: false

But setting the ticket name to just "ticket" is able to provide the ticket.
Will it cause any inconsistency anywhere in the authentication root?
remoteClient.setTicketName("ticket");
It results :
10:50:18,696 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] 
Alfresco ticket provided: true
10:50:18,696 DEBUG [org.alfresco.repo.web.scripts.servlet.WebClientAuthenticatorFactory$WebClientAuthenticator] Authenticating ticket TICKET_d08252d8da4774ba40ee1b569150222e878a8085
net.sf.acegisecurity.providers.dao.User@1f27c908:
Username: System; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SYSTEM
10:50:18,704 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting fully authenticated principal: net.sf.acegisecurity.providers.dao.User@66a5ec39:
Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
10:50:18,704 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil] Setting RunAs principal: net.sf.acegisecurity.providers.dao.User@66a5ec39:
Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_AUTHENTICATED
10:50:18,705 DEBUG [org.alfresco.repo.security.authentication.AuthenticationUtil]
Removing the current security information.

The above logs are printed repeatedly, and at last "Removing the current security information."
It seems like the authentication is happening correctly on the Repository tier. But why is the username changing to "System" sometimes?
Please let me know the reason why SSO is not happening here... What can I do here?

Alfresco 4.2.c is using "org.alfresco.web.site.servlet.SlingshotAlfrescoConnector" instead of "org.springframework.extensions.webscripts.connector.AlfrescoConnector".

I tried by mixing functionality of these two classes in my new custom connector by overriding applyRequestHeaders and applyRequestAuthentication methods.
My new connector class extended AlfrescoConnector class.
And it overrides two methods:
1. applyRequestHeaders
2. applyRequestAuthentication

@Override
protected void applyRequestHeaders(RemoteClient remoteClient,
        ConnectorContext context) {
    super.applyRequestHeaders(remoteClient, context);
    Map<String, String> headers = new HashMap<String, String>(8);
    if (context != null) {
        headers.putAll(context.getHeaders());
    }
    String user = "admin";
    headers.put("X-Alfresco-Remote-User", user);
    String userHeader = getUserHeader();
    if (userHeader != null) {
        headers.put(userHeader, user);
    }
    if (headers.size() != 0) {
        remoteClient.setRequestProperties(headers);
    }
}

@Override
protected void applyRequestAuthentication(RemoteClient remoteClient, ConnectorContext context)
{
    String alfTicket = null;
    if (context != null)
    {
        alfTicket = context.getParameters().get(PARAM_TICKETNAME_ALF_TICKET);
    }
    if (getConnectorSession() != null)
    {
        alfTicket = (String)getConnectorSession().getParameter(AlfrescoAuthenticator.CS_PARAM_ALF_TICKET);
    }
    if (alfTicket != null)
    {
        remoteClient.setTicket(alfTicket);
        remoteClient.setTicketName("ticket");
    }
    else
    {
        System.out.println("Guesttt...");
    }
}

Please help me to find the reason for not logging in...

Hello,

Alfresco unfortunately uses both "ticket" and "alf_ticket" in various instances. It depends on the Repository configuration which one is actually being used. The "alf_ticket" is used in a configuration where the Repository does not use SSO, and "ticket" seems to be used in a scenario where it does. This makes it a bit hard to copy experiences from one project to another with a different configuration.

The change of user name to "System" is part of Alfresco standard processing logic and to be expected. It just means that some of the code is executed in a higher security level / with an enhanced permission set than the user actually has. E.g. if a user does not exist, Alfresco may create that user dynamically and needs "System" privileges to do that. "Removing the current security information" is also in 99.9 % of all cases to be expected - when a specific request has been served / completed, Alfresco removes the authentication information, e.g. cleans up before handling the next request.

"Please let me know the reasoon for not happening SSO here... What can I do here?"

At the moment, I don't know what your current problems are. The Repository seems to be authenticating just fine - what is the action / response provided to you in the Share UI after these log messages?

Regards
Axel

Axel Faust
Senior IT-Consultant / Software Architect
PRODYNA AG
Frankfurt am Main, Germany

Done External SSO

Version : Alfresco 4.2.c

Scenario:
--> A JSP application to provide a link to Alfresco.
--> User will log in to this JSP application.
--> Link to alfresco dashboard will be provided there for that user.
--> Alfresco dashboard will be opened for that user without showing log in page.

Configure both "share-config-custom.xml" and "alfresco-global.properties" files.

JSP Application to provide link to Alfresco dashboard

<body>
<%= "Test alfresco SSO" %>
<br/>
<%
	String url= "http://localhost:8080/share/page";
%>
<br/>
<form method=get>
Enter the username:<input type="text" name="alfuser" />
<br/>
<input type="submit" />
</form>
<br/>
<%
	String alf_user= request.getParameter("alfuser");
	url=url+"?SsoUserHeader="+alf_user;
%>
You are going to login as: <%= alf_user  %><br/>
<a href='<%= url %>' >Click here for Alfresco Dashboard</a>
<br/>
</body>
A Filter and Wrapper classes are needed to set the header "SsoUserHeader" in the http request
1. Filter 
public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
 
		// if the ServletRequest is an instance of HttpServletRequest
		if (request instanceof HttpServletRequest) {
			HttpServletRequest httpServletRequest = (HttpServletRequest) request;
			// Creating an instance of my custom request
			AlfrescoHttpServletRequestWrapper requestWrapper = new AlfrescoHttpServletRequestWrapper(httpServletRequest);
			// sending my custom request instead of the regular request
			chain.doFilter(requestWrapper, response);
		} else {
			chain.doFilter(request, response);
		}
 
		return;
	}
 
2. Wrapper Class : This wrapper will add custom headers in the request.
 
public class AlfrescoHttpServletRequestWrapper extends
		HttpServletRequestWrapper {
 
	public AlfrescoHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
	}
 
	@Override
	public String getHeader(String name) {
		String header = super.getHeader(name);
		// Getting the request parameter "SsoUserHeader" and adding it to the
		// header
		return (header != null) ? header : super.getParameter(name);
	}
 
	@Override
	public Enumeration<String> getHeaderNames() {
		List<String> names = Collections.list(super.getHeaderNames());
		names.addAll(Collections.list(super.getParameterNames()));
		return Collections.enumeration(names);
	}
}
Register the filter in the web.xml of share.

Steps to Test
1. Run the JSP application in your browser.
2. Enter the alfresco username
3. Click submit
4. Click on the link to Alfresco dashboard
5. Alfresco dashboard will open without asking login page

Thanks a lot to Mr.AFaust for the efforts taken to give reply for my doubts.
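
The wrapper in the post above returns any request parameter as a header, so the user name that reaches Share in "SsoUserHeader" is whatever the URL says. As an added example (not code from the thread), this variant of the wrapper takes the identity only from an HMAC-signed, expiring token that the portal issues after its own login; the "ssoToken" parameter name, the token layout and the shared key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example (not from the thread). TOKEN_PARAM, the token layout
// "expiry:hexHmac:user" and the shared key are assumptions.
public class VerifiedSsoRequestWrapper extends HttpServletRequestWrapper {
    static final String USER_HEADER = "SsoUserHeader"; // header name used in the thread
    static final String TOKEN_PARAM = "ssoToken";      // hypothetical parameter name

    private final String verifiedUser; // null unless a valid, unexpired token was sent

    public VerifiedSsoRequestWrapper(HttpServletRequest request, byte[] key) {
        super(request);
        long now = System.currentTimeMillis() / 1000L;
        this.verifiedUser = verify(request.getParameter(TOKEN_PARAM), key, now);
    }

    @Override
    public String getHeader(String name) {
        // Identity comes only from the verified token, never from a
        // client-supplied header or query parameter of the same name.
        if (USER_HEADER.equalsIgnoreCase(name)) return verifiedUser;
        return super.getHeader(name); // no fallback to request parameters
    }

    @Override
    public Enumeration<String> getHeaders(String name) {
        if (!USER_HEADER.equalsIgnoreCase(name)) return super.getHeaders(name);
        List<String> values = new ArrayList<String>();
        if (verifiedUser != null) values.add(verifiedUser);
        return Collections.enumeration(values);
    }

    @Override
    public Enumeration<String> getHeaderNames() {
        List<String> names = new ArrayList<String>();
        Enumeration<String> original = super.getHeaderNames();
        while (original != null && original.hasMoreElements()) {
            String n = original.nextElement();
            if (!USER_HEADER.equalsIgnoreCase(n)) names.add(n); // drop client-sent copy
        }
        if (verifiedUser != null) names.add(USER_HEADER);
        return Collections.enumeration(names);
    }

    /** Called by the portal application after it has authenticated the user. */
    public static String issue(String user, long expiresAtEpochSec, byte[] key) {
        String mac = hex(hmac(expiresAtEpochSec + ":" + user, key));
        return expiresAtEpochSec + ":" + mac + ":" + user;
    }

    /** Returns the user name, or null if the token is missing, forged or expired. */
    public static String verify(String token, byte[] key, long nowEpochSec) {
        if (token == null) return null;
        String[] parts = token.split(":", 3); // the user name may itself contain ':'
        if (parts.length != 3 || parts[2].isEmpty()) return null;
        byte[] expected = hex(hmac(parts[0] + ":" + parts[2], key)).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = parts[1].getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, presented)) return null; // constant-time compare
        try {
            return Long.parseLong(parts[0]) >= nowEpochSec ? parts[2] : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    private static byte[] hmac(String payload, byte[] key) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable or key invalid", e);
        }
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

A token stays valid until its expiry, so the portal should issue it with a lifetime of seconds and both applications should be served over TLS. The Repository trusts the proxy header from whoever can reach it, so only Share should be able to connect to the /alfresco/wcs endpoint.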

jar for org.springframework.extensions.webscripts.connector.Conn

Hi Shibu and AFaust,

I am currently working on the same thing. Could you please provide me a jar for org.springframework.extensions.webscripts.connector.ConnectorService

Thanks & Regards
Shikha

The spring webscripts jar is part of the spring framework. There's a copy checked into the "3rd party" project of alfresco.

Senior Software Engineer
Alfresco

got the jar files from the alfresco lib

Hi mrogers,
thanks for the reply. I got the jar files from the alfresco lib only.

Thanks & Regards
Shikha

Problem in external SSO

Dear All,
I tried the above discussion but not able to implement SSO.
The settings I have done are:
modified the share-config-custom.xml file by adding:

  <config evaluator="string-compare" condition="Remote">
<remote>
<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>
 
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>
 
<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>SsoUserHeader</userHeader>
</connector>
 
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoCookie</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
 
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user
authentication
</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
 
</remote>

Also modified the alfresco-global.properties by adding lines as:

authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin

and followed the codes given above but not able to do the same.

The one difference is that rather than creating a new web-script, I have used the default given one and extracted the ticket from that.

http://xxx.xxx.xx.xxx:8080/alfresco/wcservice/api/login?u=admin&pw=admin123

I am also working on 4.2c

Could anybody help? I am stuck here.

Thanks & Regards
Shikha

Hi shikhanirankari

Add
 external.authentication.proxyHeader=SsoUserHeader
in alfresco-global.properties and try.

Hi Shibu,
I have already done that but the same problem continues. It always redirects me to the share login page but my target is the share dashboard.
Have you changed the connectors also?

Thanks & Regards
Shikha

Hi shikhanirankari

Change the connector used by the endpoint in the second section to use alfrescoHeader rather than alfrescoCookie.

Read http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fauth-alfrescoexternal-sso.html , this is enough. Change share-config-custom.xml as mentioned.

Add to the property file:

external.authentication.enabled=true
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader

Create a filter to configure Alfresco to accept a user name from an HTTP header provided by an external authentication system.
See post No : 31 https://forums.alfresco.com/comment/136626#comment-136626 , follow the steps.
Copy your filter into share/WEB-INF/lib and register it in the web.xml.

SSO will work.

Attaching share-config-custom.xml

Hi Shibu,
I have made the changes you suggested but then share stopped working.

I have attached all the files. I copied the filter class files into share/WEB-INF/lib and registered the filter in the web.xml of share.
I also made the changes mentioned above in the alfresco-global.properties file as well as share-config-custom.xml, but still no luck.

Thanks & Regards
Shikha

Anyone, please reply. I am stuck.

Thanks & Regards
Shikha

Hi Shibu,
Through the above configuration, are you redirected to the share dashboard of the logged-in user?

I always get redirected to the share login page but my objective is to get redirected to the share dashboard of the logged-in user.

Thanks & Regards
Shikha

Hi shikh

Note that you didn't map your filter to any url pattern.
Do the mapping:

<filter-mapping>
    <filter-name>SpecialSSOAuthenticationFilter</filter-name>
    <url-pattern>/page/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>SpecialSSOAuthenticationFilter</filter-name>
    <url-pattern>/proxy/*</url-pattern>
</filter-mapping>

and try to access localhost:8080/share/page?SsoUserHeader=shikh , you will get the dashboard. All other stuff seems correct.

Hi Shibu,

Hi Shibu,
I am attaching the log file where I am facing error on starting filter due to which alfresco share is not working.
Exception starting filter Special SSO Authentication Filter

Thanks & Regards
Shikha

This problem was solved by copying the class files into tomcat/lib, but it is still redirecting to the login page.

Thanks & Regards
Shikha

Hi Shibu,
As per post 29, you have created a custom connector class. Can you please share that, and where did you use that class in the code shared?

As I have not created any custom connector class.

I did all the things mentioned above but always redirected to share login page.

Thanks & Regards
Shikha

This is the output I am getting with the code mentioned above. The page is always redirected to the share login. I think the custom connector is the missing part.

Please revert.

Thanks & Regards
Shikha

The problem I am facing is: the ticket gets replaced with null every time.

Can anybody help?

Thanks & Regards
Shikha

HI

Have you mapped the filter in web.xml?

Look at post 31. Nowhere is the ticket used. Ticket and connectors are not needed. It was for old versions of Alfresco. Use Alfresco-4.2.c.
SSO is working based on the header : SsoUserHeader (specified in xml).
Just browse http://localhost:8080/share/page?SsoUserHeader=admin after mapping the filter in web.xml.

OR

Download the "ModifyHeaders" plug-in in Firefox, and add the header 'SsoUserHeader' as admin after configuring both share-config-custom.xml and alfresco-global.properties. And then browse http://localhost:8080/share/page?SsoUserHeader=admin. You will get the admin dashboard.

Thanks Shibu,
It's done at my end too. Your post is really valuable.

Thanks & Regards
Shikha

Hi shikhanirankari, Shibu,

I have done everything as you said:

1. Created the filter and added the mapping to share/web-INF/web.xml
2. Modified share-custom-config
3. Added some properties to alfresco-properties

All of this is done, but I am still facing the problem in post #46:
the redirect goes to the share login.

Please reply to me with the solution and the paths of share-custom-config and the alfresco properties.

I created the alfresco properties in my tomcat to override the one in alfresco, and also share-custom-config.xml in my tomcat under the same path.
It's not working.
I also took them and put them in alfresco/tomcat/... at their paths; that is also not working.