Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI, Consultancy Team Alfresco.

Published byAmelia Grant Modified over 8 years ago

Similar presentations

Presentation on theme: "Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI, Consultancy Team Alfresco."— Presentation transcript:

1 Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI, Consultancy Team Alfresco

2 Agenda Introduction Talk objectives Alfresco Authentication Share Authentication External Authentication External SSO Demo Debugging tricks Questions

3 Introduction Mehdi Belmekki Technical consultant, Professional Service Team 5 years experience : Born and grow-up in Community : Graduated Community Contributor High-school Partners : Graduated RD University of Alfresco: Undergraduate Consultant ACA/ACE Based in Paris, France Mehdi.belmekki@alfresco.com

4 Talk objectives Give a global overview of Repository authentication subsystems. Explain how Share get authenticated against the Repository How External Authentication works with Share/Repository Be able to configure SSO Filter for Share, with External Authentication Debugging tricks

5 Repository Authentication

6 Repository Authentication : Before subsystems Up to version 3.1 Spring configuration subdivided into themed-context files Authentication-services-context.xml Authority-services-context.xml Rendition-services-context.xml … All loaded into single Spring Application Context Customized by overriding bean’s definition Highly-coupled components :

7 Repository Authentication : Before subsystems - Limitations Everything global, managed by the same component Hard to separate dependencies Supportability / Upgradeability Configuration / Customization ? Basic admin tasks required Spring understanding Hard to maintain compatibility with old configuration Server restarts for any changes on the configuration Switching between supported authentications mechanisms, involved simultaneous editing of several files Template configuration could not be used without editing due to the uniqueness of namespacing e.g two LDAP directories

8 Repository Authentication : After subsystems A subsystem is a separate module responsible for a sub-part of Alfresco functionality Can be started, stopped, configured independently Has its own isolated Spring bean container and configuration Can have multiple instances

9 Repository Authentication : After subsystems – Subsystem’s actions Clearly define its interfaces with the rest of the system Automatically expose its configuration properties for editing via JMX (enterprise only) Change configuration without server restart All edited properties are persisted in the database and synchronized across the cluster.

10 Repository Authentication : Subsystem components Authentication Component Authentication Data Access Object (DAO) Authentication Service User Registry Export Service (optional) Authentication Filters Provide form or SSO-Based login functions for the following: Web Client WebDav WebScripts Sharepoint Protocol File Server Authentiticators CIFS Protocol (optional) FTP Protocol

11 Repository Authentication : OOTB Mechanisms – 5 types of subsystems alfrescoNtlm Native Alfresco authentication optional NTLM v2-based single sign-on (SSO) Supports CIFS authentication ldap Authentication via an LDAP server Optional user registry export No CIFS authentication ldap-ad variant exists with preconfigured defaults for Active Directory external Authentication by the application server E.g. CAS, Websphere LTPA User identity asserted to Alfresco via HttpServletRequest.getRemoteUser() or configured HTTP header

12 Repository Authentication : OOTB Mechanisms – 5 types of subsystems kerberos Authentication with a Kerberos Realm Optional SPNEGO-based single sign-on (SSO) Supports CIFS authentication Starting from v3.4: Sharepoint Protocol, Webscript and Share support passthru Authentication via a Windows domain server Optional NTLM v1-based single sign-on (SSO) Supports CIFS authentication

13 Repository Authentication : Advantages of Subsystems Each subsystem is a coordinated stack of compatible components No danger of e.g. Using the wrong CIFS authenticator with the wrong authentication component Common parameters are shared No need to paste the same Kerberos parameters multiple times into different configuration files No need to edit web.xml – ever! Web.xml uses generic filters that call into the authentication subsystem You can hot swap from one filter to another Easily chained

14 Repository Authentication : Chaining Mechanism Some enterprise customers may store user authentication data in multiple systems Local Alfresco Active Directory LDAP Kerberos There may be more than one instance of each type E.g. multiple LDAP directories One system may support different protocols for different purposes E.g. Active Directory with LDAP for User Registry Export and Kerberos for Authentication Rather than tie Alfresco exclusively to one of those systems and protocols, our customers want it all!

15 Repository Authentication : Chaining Mechanism An authentication component is configured for each system and added to an ordered list or ‘chain’ On a user login, Alfresco tries the credentials against each of the components in the chain If a chain member accepts the credentials the login succeeds If no chain member accepts, the login fails

16 Repository Authentication : Authentication Mechanism Decision OkLoginPage ChainingSubsystemProxyFactory ldapalfrescoNtlmexternal Users requests (e.g Explorer Web Client) AuthenticationFilter

17 Share Authentication

18

19 Share Authentication : Connectors, Endpoints, Credentials, Authenticators Connectors Responsible of establishing connection/communication with a remote location e.g Alfresco Repository Endpoints URL link to a remote resource Share connectors point to Alfresco Webscript service url Authenticators Plugged into connector to allow handshake with the remote location (e.g Alfresco Repository, using login/password against api/login webscript) Credentials User credentials (username/password) are used to get Endpoint credentials (Alfresco Ticket for example)

20 External Authentication And Single Sign On

21 External authentication Integrate Alfresco with any external authentication system. Can be integrated with your application server in such a way that the identity of the logged-in user is passed to servlets via the HttpServletRequest.getRemoteUser() method. Compatible with a number of SSO solutions, including Central Authentication Service (CAS). The subsystem also allows a proxy user to be configured, such that requests made through this proxy user are made in the name of an alternative user, whose name is carried in a configured HTTP request header Activating external authentication makes Alfresco accept external authentication tokens, make sure that no untrusted direct access to Alfresco's HTTP or AJP ports is allowed

22 External Authentication : Single Sign On prior to Alfresco 4 Custom Alfresco repo filter Changes in web.xml Custom Share filter Changes in web.xml Custom authentication webscript (Repo-side) Custom Connector Custom Authenticator

23 External Authentication : Single Sign On Alfresco 4 onward Subsystem configuration No need to change web.xml files (either in Repo or Share side) No need to code new authentication webscript. It’s provided now OOTB Easy to maintain Benefit from all subsystem’s features and capabilities Easy to support and maintain No change after version upgrade Modularity

24 External Authentication : SSO Configuration Share Uncomment remote section in share-config-custom.xml Replace AlfrescoCoockie by HeaderConnector Set the name of the header used by the external SSO in the userHeader element of the alfrescoHeader connector Repository Alfresco-global.properties authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm

25 External Authentication with SSO Demo

26 Debugging Tricks

27 Debugging tricks : External Auth/SSO Repository Enable logging for repository authentication : org.alfresco.web.site.servlet.SSOAuthenticationFilter org.alfresco.repo.security.authentication.AuthenticationUtil Enable logging for Chaining : org.alfresco.repo.security.authentication.AbstractChainingAuthentic ationService

28 Debugging tricks : External Auth/SSO

29 Share Enable logging for : org.alfresco.web.app.servlet.DefaultRemoteUserMap org.springframework.extensions.webscripts.connector.RemoteClien t org.springframework.extensions.webscripts.connector.AlfrescoAuth enticator Use firebug to trace header properties and Modify-Header plugin to force header re-write

30 Questions ?

Download ppt "Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI, Consultancy Team Alfresco."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Unveiling ProjectWise V8 XM Edition. ProjectWise V8 XM Edition An integrated system of collaboration servers that enable your AEC project teams, your.

Unveiling ProjectWise V8 XM Edition. ProjectWise V8 XM Edition An integrated system of collaboration servers that enable your AEC project teams, your.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.

Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.
Systems Architecture, Fourth Edition1 Internet and Distributed Application Services Chapter 13.

Systems Architecture, Fourth Edition1 Internet and Distributed Application Services Chapter 13.
Enterprise Single Sign On Identity management for web applications.

Enterprise Single Sign On Identity management for web applications.
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
August 25, 20151 SSO with Microsoft Active Directory Presented by: Craig Larrabee.

August 25, SSO with Microsoft Active Directory Presented by: Craig Larrabee.
Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.

Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 7: Using Windows Servers to Share Information.

Chapter 7: Using Windows Servers to Share Information.
Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.

Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.
Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.

Kuali Rice at Indiana University Rice Setup Options July 29-30, 2008 Eric Westfall.
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

Similar presentations

Ads by Google