Alfresco 4 SSO
blog.samarko.com/2011/09/alfresco-40-share-single-sign-on-sso.html
09.05.2013 Alfresco 4.0 Share single sign on (SSO)

Select External as the Alfresco authorization mechanism. To do this, set the following in the file C:\Alfresco\tomcat\shared\classes\alfresco-global.properties:
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
external.authentication.enabled=true
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.proxyUserName=
To have the Alfresco and Share applications interact through cookies, in a file you should write:
At the same time, add the following configuration to httpd.conf; it will be needed later:
LoadFile "C:/Perl/bin/perl512.dll"
LoadModule perl_module modules/mod_perl.so
Listen 10.0.20.245:80
ServerName vm-lysenko
<VirtualHost 10.0.20.245:80>
    ServerName vm-lysenko
    DocumentRoot "C:\alf"
    UseCanonicalName Off
    PerlModule Apache2::RequestRec
    <Proxy ajp://127.0.0.1:8009/login/>
        Order deny,allow
        Deny from none
        Allow from all
    </Proxy>
    <Proxy ajp://127.0.0.1:8009/alfresco/>
        Order deny,allow
        Deny from none
        Allow from all
    </Proxy>
    <Proxy ajp://127.0.0.1:8009/share/>
        Order deny,allow
        Deny from none
        Allow from all
        PerlFixupHandler Apache2::SetRemoteUser
    </Proxy>
    <Location "/login/login.jsp">
        AuthName "Tomcat"
        AuthType SSPI
        SSPIAuth On
        SSPIPackage NTLM
        SSPIAuthoritative On
        SSPIOfferBasic Off
        SSPIOmitDomain On
        SSPIUsernameCase lower
        # SSPIPerRequestAuth Off
        # SSPIBasicPreferred
        # SSPIUsernameCase lower
        require valid-user
    </Location>
</VirtualHost>
As the settings above show, Apache acts as a proxy and passes all user requests through to Alfresco Share. On every request to Share, the PerlFixupHandler Apache2::SetRemoteUser runs to set the RemoteUser variable. The variable is set by this Perl script (file SetRemoteUser.pm in the folder c:\Perl\site\lib\Apache2\):
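package Apache2::SetRemoteUser;
use strict;
use warnings;
use CGI::Cookie;
use Apache2::Const -compile => qw(OK);
use Apache2::Connection;
use Apache::DBI;

sub handler {
    my $r = shift;
    my $session_value = "";

    # The lines between the declaration above and the fetch below are missing
    # from this copy of the post. The five statements that follow are a minimal
    # reconstruction and an assumption: the cookie name, database, credentials,
    # table and column names are the ones used by login.jsp.
    my %cookies = CGI::Cookie->fetch($r);
    $session_value = $cookies{'JSESSIONID'}->value if $cookies{'JSESSIONID'};
    my $dbh = DBI->connect("DBI:mysql:database=sessions;host=localhost;port=3306",
                           "session_user", "session_password");
    # Placeholder binding keeps the cookie value out of the SQL text.
    my $sth = $dbh->prepare("SELECT username FROM session WHERE session_value = ?");
    $sth->execute($session_value);

    my $result = $sth->fetchrow_hashref();
    my $u_name = $result->{'username'} || "";
    $dbh->disconnect( ); # NOOP under Apache::DBI

    # Only set the remote user when a matching session row was found.
    if ($u_name ne "") {
        $r->user($u_name);
    }
    return Apache2::Const::OK;
}
1;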
This script checks whether a session is registered for the provided user name. If the session exists, RemoteUser is set. A MySQL database was chosen to store the sessions. The structure of the sessions table is:

The Perl script only reads data from this table. The records are written by the JSP application Login, which is mentioned in the httpd.conf settings. This application must be deployed on the same Tomcat server as the Alfresco and Share applications. Its main part is the file login.jsp, which is responsible for "recognizing" users and recording sessions in the database.
// remoteUser, cookies, returnPath, error_status, login, con, pstmt and rst are
// declared in the part of login.jsp that is not reproduced here.
if (remoteUser != null) {
    String found_name="";
    String sessionValue="";
    String sql="";
    String ip = request.getRemoteAddr();
    String browser = request.getHeader("User-Agent");
    // Pick up the servlet session id that Apache2::SetRemoteUser looks up later.
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            if (((String)cookies[i].getName()).equals("JSESSIONID")) {
                sessionValue = cookies[i].getValue();
            }
        }
    }
    try {
        String session_url = "jdbc:mysql://localhost:3306/sessions";
        String alfresco_url = "jdbc:mysql://localhost:3307/alfresco";
        if (sessionValue.equals("")) {
            error_status = 1;
        }
        if (error_status.equals(0)) {
            con = DriverManager.getConnection(session_url, "session_user", "session_password");
            // The cookie value and user name are bound as parameters rather than
            // concatenated into the SQL text, so they cannot alter the statement.
            sql = "DELETE FROM session WHERE (session_value = ?) OR (username = ?)";
            pstmt = con.prepareStatement(sql);
            pstmt.setString(1, sessionValue);
            pstmt.setString(2, remoteUser);
            pstmt.executeUpdate();
            login = true;
        } else {
            login = false;
        }
        // Close only what was actually opened; on the error path these are still null.
        if (rst != null) rst.close();
        if (pstmt != null) pstmt.close();
        if (con != null) con.close();
    } catch(Exception e){
        System.out.println(e.getMessage());
    }
    if (login) {
        if (returnPath != null) {
            response.sendRedirect(returnPath);
        } else {
            response.sendRedirect("/share/page/user/" + remoteUser + "/dashboard");
        }
    } else {
        if (error_status.equals(1)) {
            response.sendRedirect("login.jsp");
        } else {
            response.sendRedirect("could-not-login.jsp");
        }
    }
}
%>
Whenever the Share application cannot identify the user, it serves a page with a login and password form. On this page we need a handler that, instead of showing the login form, redirects to our domain login script. To do this, add the following lines to the file slingshot-login.ftl:
<script>
// Encode the current address so that its own query string and fragment survive inside r.
window.location.href = "/login/login.jsp?r=" + encodeURIComponent(window.location.href);
</script>
The r parameter is needed to return the user to the page they originally requested.
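An added example, not code from the original post: one way login.jsp could check the r parameter before handing it to response.sendRedirect, so that the redirect only ever returns to Share or Alfresco on this host. The class name ReturnPath, the resolve method, the allowed prefixes and the sample values are assumptions made for the illustration; vm-lysenko is the ServerName from the httpd.conf above.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class ReturnPath {
    // Assumption: only these applications behind the Apache proxy are valid return targets.
    private static final String[] ALLOWED_PREFIXES = {"/share/", "/alfresco/"};

    // Returns a site-relative path built from r, or fallback when r points anywhere else.
    public static String resolve(String r, String expectedHost, String fallback) {
        if (r == null || r.isEmpty()) return fallback;
        URI uri;
        try {
            uri = new URI(r).normalize();        // also resolves "/share/../login/"
        } catch (URISyntaxException e) {
            return fallback;                     // backslashes, spaces, control characters
        }
        if (uri.isOpaque()) return fallback;     // javascript:, mailto:, data: and similar
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            String scheme = uri.getScheme();
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            // getHost() is null when the authority is not a plain server name,
            // and equalsIgnoreCase(null) is false, so such values fall through to fallback.
            if (!web || !expectedHost.equalsIgnoreCase(uri.getHost())) return fallback;
        }
        String path = uri.getRawPath();
        if (path == null) return fallback;
        boolean allowed = false;
        for (String prefix : ALLOWED_PREFIXES) {
            if (path.startsWith(prefix)) allowed = true;
        }
        if (!allowed) return fallback;
        // Rebuild from path and query only, so the redirect can never leave this host.
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        String fallback = "/share/page/user/jdoe/dashboard";   // constructed user name
        String[] samples = {                                   // constructed r values
            "http://vm-lysenko/share/page/site/docs/dashboard?x=1",
            "/share/page/user/jdoe/profile",
            "//other.example/share/",
            "http://vm-lysenko@other.example/share/",
            "/share/../login/login.jsp",
            "javascript:alert(1)"
        };
        for (String r : samples) {
            System.out.println(r + " -> " + resolve(r, "vm-lysenko", fallback));
        }
    }
}
```

In login.jsp the result of resolve(request.getParameter("r"), "vm-lysenko", dashboardUrl) would take the place of returnPath in the sendRedirect call.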
Now that all the additional subsystems are installed, Tomcat must be configured correctly. Two connectors with the following parameters should be registered in the server.xml file:

The connector on port 8009 is required for the Apache proxy. For security purposes, you must close ports 8080 and 8009 to outside access; only the local server may have access to them. All external requests are handled by Apache on port 80. If you do not close the mentioned ports, an attacker could fool the system and log in as any user they choose.