I am trying to configure alfresco with remote authentication using apache (shibboleth module) in front of Alfresco - essentially passing REMOTE_USER from apache to alfresco after authenticating. I am able to configure alfresco where I can successfully log into /alfresco (classic explorer gui), however, /share (newer gui) does not log me in. Has anyone experienced/solved this issue?
Here is some details:
setup apache with the shibboleth mod (which works since i get automatcially logged into /alfresco)
setup ajp entry for both /alfresco and /share in apache.
Alfresco Explorer
ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
Alfresco Share
ProxyPass /share ajp://127.0.0.1:8009/share
ProxyPassReverse /share ajp://127.0.0.1:8009/share
setup tomcat ajp entry
set /tomcat/shared/classes/alfresco-global.properties with
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.proxyUserName=
external.authentication.proxyHeader=
external.authentication.enabled=true
in share-config-custom.xml, i have put in the suggested xml entries below:
Blockquote
<alfresco-config>
<!-- Repository Library config section -->
<config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
<!--
Whether the link to the Repository Library appears in the header component or not.
-->
<visible>true</visible>
</config>
<config evaluator="string-compare" condition="Remote">
<remote>
<endpoint>
<id>alfresco-noauth</id>
<name>Alfresco - unauthenticated access</name>
<description>Access to Alfresco Repository WebScripts that do not require authentication</description>
<connector-id>alfresco</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<identity>none</identity>
</endpoint>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfresco</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<identity>user</identity>
</endpoint>
<endpoint>
<id>alfresco-feed</id>
<name>Alfresco Feed</name>
<description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
<connector-id>http</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<basic-auth>true</basic-auth>
<identity>user</identity>
</endpoint>
<endpoint>
<id>activiti-admin</id>
<name>Activiti Admin UI - user access</name>
<description>Access to Activiti Admin UI, that requires user authentication</description>
<connector-id>activiti-admin-connector</connector-id>
<endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
<identity>user</identity>
</endpoint>
</remote>
</config>
<config evaluator="string-compare" condition="Remote">
<remote>
<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoCookie</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
</remote>
</config>
Blockquote
Try defining a connector called 'alfrescoHeader':
<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>X-Alfresco-Remote-User</userHeader>
</connector>
Of course, change the header name to what you are using.
Then, use it in the alfresco endpoint:
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
Related
Recently, I migrated from Jboss EAP 6.4 to Jboss EAP 7.1.
I have a Jboss EWS in front of Jboss EAP, with mod cluster to connect to them.
I use some static content which is kept in websever (Jboss EWS).
While accessing the webserver URL it used to server the static content in websever.
However, after migrating to JBoss EAP 7.1, it is looking for static content in Appserver and giving 404. This possibly is due to new addition of undertow, which wasn't in place in Jboss EAP 6.x
What changes should I do ( possibly in undertow config) so that it looks for static content in webserver itself, instead of appservers.
You need to add file handler and another location to the undertow subsystem in standalone.xml to serve static content (like images):
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<location name="/img" handler="images"/>
</host>
</server>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content" directory-listing="true"/>
<file name="images" path="/var/images" directory-listing="true"/>
</handlers>
With web forms I can designate an individual ASPX page to require SSL and IIS will ask the user to pick a certificate from their CAC. However, in IIS Manager on the server for an MVC site, the individual views are not listed so I cannot require SSL for a particular view. Is there any way to do this?
My web.config has been changed:
<location path="FileSharing/Welcome" allowOverride="true"></location>
<location path="FileSharing/Index" allowOverride="true">
<system.webServer>
<security>
<access sslFlags="Ssl,SslNegotiateCert,SslRequireCert"/>
</security>
</system.webServer>
Error 500.19
Error Code
0x80070021
Config Error
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
I believe that Proxy Services not being Sequences don't have statistics facilities. I core requirement I have is to acquire statistics & service availability stats for my Proxies. What is the standard approach? Wrap a Proxy Service within a Sequence? Is there an example of this?
Also The Monitor/Mediation Statistics page has a section Proxy Service Statistics, is there a means to turning on Proxy Service stats that I have missed. if not, exactly where does this data derive?
To enable statistics for a mediation component using the Synapse configuration language, set the value of the "statistics" attribute to "enabled" on the sequence, proxy or endpoint configuration as mentioned in https://docs.wso2.com/display/ESB470/Monitoring+the+ESB document.
Here is a sample proxy which enabled statistics.
<proxy xmlns="http://ws.apache.org/ns/synapse"
name="oldmac"
transports="https,http"
statistics="enable"
trace="disable"
startOnLoad="true">
<target>
<inSequence>
<log level="full"/>
<send>
<endpoint>
<address uri="http://www.google.com"/>
</endpoint>
</send>
</inSequence>
</target>
<description/>
</proxy>
I have configured SSL in my web application. I have installed the certificate in my Tomcat as per the required steps.
The tutorial that I have been following is
https://www.mulesoft.com/tcat/tomcat-security
I have enforced the use of https over http which means that any request to http will be forwarded to https. I made the following changes in my server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
proxyHost="10.1.1.1" proxyPort="80"
URIEncoding="UTF-8"
maxHttpHeaderSize="32768"/>
See more at: https://www.mulesoft.com/tcat/tomcat-security#sthash.6zIVA27x.dpuf
The web.xml changes are as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
However, the redirect that is taking place is temporary re-direct ie 302.
I want to use 301 re-direct ie., permanent redirect.
How can I achieve that?
This is configured on your Realm. See the transportGuaranteeRedirectStatus attribute of your particular Realm implementation.
https://tomcat.apache.org/tomcat-8.5-doc/config/realm.html
Ex: server.xml has this out-of-the-box
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
It does not set transportGuaranteeRedirectStatus so it defaults to 302. If you want to make it use a 301, just add the attribute transportGuaranteeRedirectStatus="301" to the top level Realm (you may not have nested Realms depending on your configuration) and restart Tomcat.
Ex:
<Realm className="org.apache.catalina.realm.LockOutRealm" transportGuaranteeRedirectStatus="301">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" />
</Realm>
If you do not have a Realm tag defined in your configuration, Tomcat will default to using a NullRealm. If you want to override the redirect in this situation, you'd just need to define a NullRealm under with the transportGuaranteeRedirectStatus property set on it.
Hope that helps!
My web application uses form authentication. It is working fine. But when I install 2 instances of the same application as virtual directories, I am able to log into both instances with the same cookie. Is there any way to keep it to a single virtual directory?
Here is my web.config.
<authentication mode="Forms">
<forms name="MyAppAuth" loginUrl="~/secured/login" protection="All" timeout="30" slidingExpiration="true" path="/">
<credentials passwordFormat="Clear">>
</credentials>
</forms>
</authentication>
I'm not sure what technology is being used here, but I would guess that the path="/" is used to create the cookie (you could probably use your browser developer tools to make certain). Try setting the path to the root of each webapp /app1 /app2