Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI, Consultancy Team Alfresco.
Presentation transcript:

Agenda
- Introduction
- Talk objectives
- Alfresco Authentication
- Share Authentication
- External Authentication
- External SSO Demo
- Debugging tricks
- Questions

Introduction
Mehdi Belmekki, Technical Consultant, Professional Services Team
5 years of experience:
- Born and grew up in Community: graduated Community Contributor
- High school at Partners: graduated R&D
- University of Alfresco: undergraduate Consultant (ACA/ACE)
Based in Paris, France

Talk objectives
- Give a global overview of the Repository authentication subsystems
- Explain how Share gets authenticated against the Repository
- Explain how External Authentication works with Share and the Repository
- Be able to configure the SSO filter for Share with External Authentication
- Debugging tricks

Repository Authentication

Repository Authentication: Before subsystems
Up to version 3.1:
- Spring configuration subdivided into themed context files:
  - authentication-services-context.xml
  - authority-services-context.xml
  - rendition-services-context.xml
  - ...
- All loaded into a single Spring Application Context
- Customized by overriding bean definitions
- Highly coupled components

Repository Authentication: Before subsystems - Limitations
- Everything global, managed by the same component
- Hard to separate dependencies
- Supportability / upgradeability
- Configuration / customization:
  - Basic admin tasks required Spring understanding
  - Hard to maintain compatibility with old configuration
  - Server restart needed for any change to the configuration
  - Switching between supported authentication mechanisms involved editing several files at once
  - Template configuration could not be used without editing, because of the uniqueness of namespacing (e.g. two LDAP directories)

Repository Authentication: After subsystems
A subsystem is a separate module responsible for a sub-part of Alfresco functionality:
- Can be started, stopped and configured independently
- Has its own isolated Spring bean container and configuration
- Can have multiple instances

Repository Authentication: After subsystems - What a subsystem does
- Clearly defines its interfaces with the rest of the system
- Automatically exposes its configuration properties for editing via JMX (Enterprise only)
- Allows configuration changes without a server restart
- All edited properties are persisted in the database and synchronized across the cluster

Repository Authentication: Subsystem components
- Authentication Component
- Authentication Data Access Object (DAO)
- Authentication Service
- User Registry Export Service (optional)
- Authentication Filters: provide form- or SSO-based login functions for the following:
  - Web Client
  - WebDAV
  - WebScripts
  - SharePoint Protocol
- File Server Authenticators:
  - CIFS Protocol (optional)
  - FTP Protocol

Repository Authentication: OOTB Mechanisms - 5 types of subsystems
alfrescoNtlm
- Native Alfresco authentication
- Optional NTLM v2-based single sign-on (SSO)
- Supports CIFS authentication
ldap
- Authentication via an LDAP server
- Optional user registry export
- No CIFS authentication
- An ldap-ad variant exists with preconfigured defaults for Active Directory
external
- Authentication by the application server, e.g. CAS, WebSphere LTPA
- User identity asserted to Alfresco via HttpServletRequest.getRemoteUser() or a configured HTTP header

Repository Authentication: OOTB Mechanisms - 5 types of subsystems (continued)
kerberos
- Authentication against a Kerberos realm
- Optional SPNEGO-based single sign-on (SSO)
- Supports CIFS authentication
- Starting from v3.4: SharePoint Protocol, WebScript and Share support
passthru
- Authentication via a Windows domain server
- Optional NTLM v1-based single sign-on (SSO)
- Supports CIFS authentication

Repository Authentication: Advantages of Subsystems
- Each subsystem is a coordinated stack of compatible components
  - No danger of, e.g., using the wrong CIFS authenticator with the wrong authentication component
- Common parameters are shared
  - No need to paste the same Kerberos parameters multiple times into different configuration files
- No need to edit web.xml, ever
  - web.xml uses generic filters that call into the authentication subsystem
  - You can hot-swap from one filter to another
- Easily chained

Repository Authentication: Chaining Mechanism
- Some enterprise customers store user authentication data in multiple systems:
  - Local Alfresco
  - Active Directory
  - LDAP
  - Kerberos
- There may be more than one instance of each type, e.g. multiple LDAP directories
- One system may support different protocols for different purposes, e.g. Active Directory with LDAP for User Registry Export and Kerberos for Authentication
- Rather than tie Alfresco exclusively to one of those systems and protocols, our customers want it all!

Repository Authentication: Chaining Mechanism
- An authentication component is configured for each system and added to an ordered list, or 'chain'
- On a user login, Alfresco tries the credentials against each of the components in the chain
  - If a chain member accepts the credentials, the login succeeds
  - If no chain member accepts, the login fails

Repository Authentication: Authentication Mechanism Decision (diagram)
Labels: user requests (e.g. Explorer Web Client), AuthenticationFilter, ChainingSubsystemProxyFactory, chain members ldap / alfrescoNtlm / external, outcomes Ok / Login page

Share Authentication

Share Authentication: Connectors, Endpoints, Credentials, Authenticators
- Connectors: responsible for establishing the connection/communication with a remote location, e.g. the Alfresco Repository
- Endpoints: URL link to a remote resource; Share connectors point to the Alfresco WebScript service URL
- Authenticators: plugged into a connector to allow the handshake with the remote location (e.g. the Alfresco Repository, using login/password against the api/login webscript)
- Credentials: user credentials (username/password) are used to obtain endpoint credentials (an Alfresco ticket, for example)

External Authentication And Single Sign On

External authentication
- Integrates Alfresco with any external authentication system
- Can be integrated with your application server in such a way that the identity of the logged-in user is passed to servlets via the HttpServletRequest.getRemoteUser() method
- Compatible with a number of SSO solutions, including Central Authentication Service (CAS)
- The subsystem also allows a proxy user to be configured, such that requests made through this proxy user are made in the name of an alternative user, whose name is carried in a configured HTTP request header
- Activating external authentication makes Alfresco accept external authentication tokens: make sure that no untrusted direct access to Alfresco's HTTP or AJP ports is allowed

External Authentication: Single Sign On prior to Alfresco 4
- Custom Alfresco repo filter
  - Changes in web.xml
- Custom Share filter
  - Changes in web.xml
- Custom authentication webscript (Repo side)
- Custom Connector
- Custom Authenticator

External Authentication: Single Sign On from Alfresco 4 onward
- Subsystem configuration
  - No need to change web.xml files (on either the Repo or the Share side)
  - No need to code a new authentication webscript; it is now provided OOTB
- Easy to maintain
  - Benefits from all subsystem features and capabilities
  - Easy to support and maintain
  - No change needed after a version upgrade
  - Modularity

External Authentication: SSO Configuration
Share
- Uncomment the remote section in share-config-custom.xml
- Replace the AlfrescoCookie connector with the HeaderConnector
- Set the name of the header used by the external SSO in the userHeader element of the alfrescoHeader connector
Repository
- alfresco-global.properties:
  authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
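A consistency check for the two sides of this configuration, as an added example that is not part of the deck: it embeds a constructed share-config-custom.xml remote section together with the authentication.chain line above, then verifies that the alfresco endpoint uses a connector carrying a userHeader with external-auth enabled, and that the repository chain contains an external subsystem. The element names follow the stock Share remote configuration and are assumptions to verify against your Alfresco version.

```python
# Added example (not from the deck): consistency check of the Share and Repository
# settings the slide lists for external SSO; all sample content is constructed.
import xml.etree.ElementTree as ET

# Constructed share-config-custom.xml remote section: the 'alfresco' endpoint uses the
# header connector, whose userHeader names the header the SSO proxy sets on requests.
SHARE_CONFIG = """<alfresco-config>
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <connector>
        <id>alfrescoHeader</id>
        <userHeader>SsoUserHeader</userHeader>
      </connector>
      <endpoint>
        <id>alfresco</id>
        <connector-id>alfrescoHeader</connector-id>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>
</alfresco-config>"""

# Constructed alfresco-global.properties fragment with the chain shown on the slide.
GLOBAL_PROPERTIES = "authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm\n"

def parse_properties(text):
    """Minimal key=value reader for a .properties file (no line continuations)."""
    lines = (l for l in text.splitlines() if "=" in l and not l.lstrip().startswith(("#", "!")))
    return dict((k.strip(), v.strip()) for k, v in (l.split("=", 1) for l in lines))

def check_sso_config(share_xml, global_props):
    """Return the list of problems found; an empty list means both sides agree on SSO."""
    problems = []
    remote = ET.fromstring(share_xml).find("./config[@condition='Remote']/remote")
    if remote is None:
        return ["Share: remote section missing (still commented out?)"]
    connectors = {c.findtext("id"): c for c in remote.findall("connector")}
    endpoint = next((e for e in remote.findall("endpoint") if e.findtext("id") == "alfresco"), None)
    if endpoint is None:
        return ["Share: no 'alfresco' endpoint defined"]
    cid = endpoint.findtext("connector-id")
    if cid not in connectors or not connectors[cid].findtext("userHeader"):
        problems.append(f"Share: connector '{cid}' has no userHeader (cookie connector still in use?)")
    if endpoint.findtext("external-auth") != "true":
        problems.append("Share: 'alfresco' endpoint does not set external-auth to true")
    chain = parse_properties(global_props).get("authentication.chain", "")
    if "external" not in [e.split(":")[-1].strip() for e in chain.split(",")]:
        problems.append("Repository: authentication.chain has no 'external' subsystem")
    return problems
```

Running check_sso_config(SHARE_CONFIG, GLOBAL_PROPERTIES) on the constructed samples returns an empty list; pointing the endpoint back at a cookie connector or dropping external from the chain produces the corresponding message.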

External Authentication with SSO Demo

Debugging Tricks

Debugging tricks: External Auth/SSO
Repository
- Enable logging for repository authentication:
  - org.alfresco.web.site.servlet.SSOAuthenticationFilter
  - org.alfresco.repo.security.authentication.AuthenticationUtil
- Enable logging for chaining:
  - org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService

Debugging tricks: External Auth/SSO (continued)
Share
- Enable logging for:
  - org.alfresco.web.app.servlet.DefaultRemoteUserMap
  - org.springframework.extensions.webscripts.connector.RemoteClient
  - org.springframework.extensions.webscripts.connector.AlfrescoAuthenticator
- Use Firebug to trace header properties and the Modify-Header plugin to force header rewrites

Questions?