Override Alfresco Custom Authentication System


Alfresco is one of the most popular and widely used document management systems in the world.

In this blog I explain how we can override the complete Alfresco authentication system.


What is Alfresco?

Alfresco is a document management system, and in this type of system document security is one of the key concerns of everyone who works with it.

In this blog I am not covering document authorization; my main concern is the Alfresco authentication system.

Alfresco authentication system.

The Alfresco authentication system is modular: each module is an authentication subsystem. We can use one or more subsystems at the same time for authentication within Alfresco, and leave the others out, by defining them in the authentication chain.

When a user tries to log in to Alfresco, the authentication system checks all the subsystems that are configured in the authentication chain. If the user logs in with credentials that are present in one authentication subsystem but not in another, the user is able to log in. If the user is not valid in any of the subsystems configured in the authentication chain, he/she is not able to log in to the Alfresco system.

Types of authentication sub-system in Alfresco :

Alfresco has several kinds of authentication subsystem for user authentication.

| TYPE | DESCRIPTION |
| ---: | ---: |
| ALFRESCO NTLM | The default authentication that comes with Alfresco, sometimes called native Alfresco authentication. |
| EXTERNAL | Authentication based on some external authentication mechanism. |
| LDAP-AD | Provides user authentication from LDAP Active Directory based on the LDAP protocol. It also allows user export from LDAP Active Directory. |
| KERBEROS | Kerberos provides a very strong encryption mechanism compared to the others. Java Authentication and Authorization Service (JAAS) is used within the Kerberos subsystem to support Kerberos authentication of user name and password. |
| LDAP | Provides user authentication from OpenLDAP based on the LDAP protocol. It also allows user export from OpenLDAP. |
| PASSTHRU | Used to replace the user database in the Alfresco system with a Windows server controller, domain controller, or list of servers to authenticate users. |

We can use more than one authentication subsystem at the same time to let users into the Alfresco system.

Alfresco has an authentication chain in which we define which authentication subsystems we want to use for authentication.

For example:

`authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm`

Here we have used two authentication subsystems: one is OpenLDAP and the other is Alfresco NTLM.

Overriding alfresco authentication.

Here we start overriding the complete Alfresco authentication and write our own code for authenticating users.

STEP 1 : Create the folder MyCustomAuthentication in the directory Alfresco_Installation/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication.

STEP 2 : Create the file mycustom-authentication.properties within the MyCustomAuthentication folder with the following content.

`external.authentication.defaultAdministratorUserNames=admin`

STEP 3 : Create the file mycustom-authentication-context.xml within the MyCustomAuthentication folder with the following content.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.MyCustomAuthentication.MyCustomAuthenticationImpl"
          parent="authenticationComponentBase">
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="personService">
            <ref bean="personService"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionService"/>
        </property>
        <property name="defaultAdministratorUserNameList">
            <value>${external.authentication.defaultAdministratorUserNames}</value>
        </property>
    </bean>

    <!-- Wrapped version to be used within subsystem -->
    <bean id="AuthenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="proxyInterfaces">
            <list>
                <value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
            </list>
        </property>
        <property name="transactionManager">
            <ref bean="transactionManager"/>
        </property>
        <property name="target">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="transactionAttributes">
            <props>
                <prop key="*">${server.transaction.mode.default}</prop>
            </props>
        </property>
    </bean>

    <!-- Authentication service for chaining -->
    <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="ticketComponent">
            <ref bean="ticketComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="sysAdminParams">
            <ref bean="sysAdminParams"/>
        </property>
    </bean>

</beans>
```

STEP 4 : Create the file mycustom-filter.properties within the MyCustomAuthentication folder with the following content.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

    <!-- Enable control over mapping between request and user ID -->
    <bean id="remoteUserMapper" class="org.alfresco.web.app.servlet.DefaultRemoteUserMapper">
        <property name="proxyUserName">
            <value>${external.authentication.proxyUserName}</value>
        </property>
        <property name="proxyHeader">
            <value>${external.authentication.proxyHeader}</value>
        </property>
        <property name="active">
            <value>${external.authentication.enabled}</value>
        </property>
        <property name="userIdPattern">
            <value>${external.authentication.userIdPattern}</value>
        </property>
        <property name="personService">
            <ref bean="PersonService"/>
        </property>
    </bean>

    <!-- Enable cookie-based handling of webscript logins. We must assume cookie based client authentication when external auth is in the chain. -->
    <bean id="webscriptAuthenticationFilter" class="org.alfresco.web.app.servlet.WebScriptSSOAuthenticationFilter">
        <property name="active">
            <value>true</value>
        </property>
        <property name="authenticationService">
            <ref bean="AuthenticationService"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="AuthenticationComponent"/>
        </property>
        <property name="personService">
            <ref bean="personService"/>
        </property>
        <property name="nodeService">
            <ref bean="NodeService"/>
        </property>
        <property name="transactionService">
            <ref bean="TransactionService"/>
        </property>
        <property name="container">
            <ref bean="webscripts.container"/>
        </property>
    </bean>

</beans>
```

STEP 5 : Create the file mycustom-filter-context.xml within the MyCustomAuthentication folder with the following content.

```properties
external.authentication.proxyUserName=alfresco-system
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=
```

STEP 6 : Create a new plain Java project in Eclipse with any name.

STEP 7 : Create a new package under the src folder of the Java project with the name org.alfresco.repo.security.authentication.MyCustomAuthentication.

STEP 8 : Create a new class named MyCustomAuthenticationImpl under the package org.alfresco.repo.security.authentication.MyCustomAuthentication with the following content. Some libraries need to be imported from the tomcat/webapps/alfresco/WEB-INF/lib folder.

```java
package org.alfresco.repo.security.authentication.MyCustomAuthentication;

import net.sf.acegisecurity.Authentication;

import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;

public class MyCustomAuthenticationImpl extends AbstractAuthenticationComponent
{
    public void authenticateImpl(String userName, char[] password) throws AuthenticationException
    {
        // Debug output: log the user name only, never the password.
        System.out.println("userName = " + userName);

        // Here you can write your own authentication code: an API call or any other check.
        // The comparison below is a placeholder for demonstration only.
        if (!String.valueOf(password).equals(userName + "123"))
        {
            // when authentication fails
            throw new AuthenticationException("Test auth failed...");
        }
        else
        {
            // when authentication passes
            setCurrentUser(userName);
        }
    }

    /**
     * Hook for token-based authentication. This demo returns the token
     * unchanged without validating it; add real validation here, or throw
     * as in the commented-out line to disable token-based authentication.
     */
    public Authentication authenticate(Authentication token) throws AuthenticationException
    {
        System.out.println("authenticating via token");
        //throw new AlfrescoRuntimeException("Authentication via token not supported");
        return token;
    }

    @Override
    protected boolean implementationAllowsGuestLogin()
    {
        // Guest login is disabled for this subsystem.
        return false;
    }
}
```

STEP 9 : Create a jar file for your Java project using the Eclipse export and place the jar in alfresco/tomcat/webapps/alfresco/WEB-INF/lib.

STEP 10 : Open the file alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/repository.properties and replace the authentication.chain field with `authentication.chain=MyCustomAuthentication:MyCustomAuthentication`.

Step 11 : Finally, restart the Alfresco server.

Step 12 : The authenticateImpl method of your custom class MyCustomAuthenticationImpl is called with every hit of the login URL.

In this way you override Alfresco authentication with your own authentication subsystem. The class that needs to be extended is AbstractAuthenticationComponent.

The authenticateImpl method receives the user name and password.

The authenticate method receives the token, so token-based authentication can be customized there.

Guest login can also be overridden using the implementationAllowsGuestLogin method.
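As an added example (not code from the original post or from Alfresco), the following stand-alone class shows one way the `userName + "123"` placeholder check in authenticateImpl could be replaced: the password is compared against a stored salted PBKDF2 hash in constant time and is never printed. The class name `PasswordVerifier`, the iteration count and the sample credential are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: hypothetical helper, not part of Alfresco or the original post.
public class PasswordVerifier {
    private static final int ITERATIONS = 210_000; // assumed work factor
    private static final int KEY_BITS = 256;

    // Derive a PBKDF2-HMAC-SHA256 hash from the password and its per-user salt.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    // True only when the supplied password matches the stored hash. The caller's
    // char[] is left untouched so later subsystems in the chain can still use it.
    static boolean verify(char[] password, byte[] salt, byte[] storedHash) throws Exception {
        byte[] candidate = derive(password, salt);
        try {
            return MessageDigest.isEqual(candidate, storedHash); // constant-time compare
        } finally {
            Arrays.fill(candidate, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // Constructed sample credential, standing in for a value loaded from a user store.
        byte[] stored = derive("constructed-sample-pw".toCharArray(), salt);

        System.out.println(verify("constructed-sample-pw".toCharArray(), salt, stored));
        System.out.println(verify("wrong-guess".toCharArray(), salt, stored));
    }
}
```

Inside authenticateImpl, a false result would throw AuthenticationException and a true result would call setCurrentUser(userName), as in the class above.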

For more hacks about alfresco visit

Comments

lelak: Hello Sourabh, congrats for the great article. My name is Tiago, director at LELAK hipermidia. We have an Alfresco project that is requiring some expertise that we don't currently have on our team. We need to set up Alfresco Community 5 to authenticate through Google Apps accounts. We are considering these options (in order of preferred solution): 1) Authenticate on Alfresco with Google Apps accounts directly using some SSO support like: https://github.com/gdepourtales/share-oauth-sso 2) Authenticate through openLDAP and synchronize openLDAP with Google Apps (GADS) 3) Authenticate with passthrough and Active Directory, using GADS (Google directory sync) to synchronize accounts with the Active Directory. Are you interested in working on some Alfresco tasks with us? Please let us know, and give your cost for this task. Please leave this comment private. Thank you! Tiago | LELAK
