Having successfully configured Alfresco (and Share) to authenticate using CAS (it’s documented here), the next challenge is to work out how to get this authentication working with WebDAV.
Update:
One way to do this is to bypass CAS and authenticate against the underlying CAS datastore directly by adding a new authentication component.
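Of course this means that you are not using CAS, but as you are likely to be accessing WebDAV outside of the browser, the single sign-on capabilities are not particularly relevant. Note that with this approach the WebDAV client sends the user’s password to Alfresco itself rather than to CAS, so WebDAV should only be exposed over HTTPS.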
We use Drupal as our underlying CAS data store so there’s a bit of custom code here – you may be able to just configure the authentication chain if you’re using a different method e.g. LDAP
So in alfresco-global.properties add to the authentication chain:
# Each chain entry is instanceName:type. The type "drupal" must match the subsystem directory
# alfresco/subsystems/Authentication/drupal that holds the component's context and properties files.
# NOTE(review): the chain is presumably tried in the order listed, so CAS (external) stays first; confirm.
authentication.chain=cas:external,localDrupal:drupal
While you’re there set up some database connection properties e.g.
# Connection settings for the Drupal database that holds the users table.
# drupal/drupal are example credentials only: use a dedicated MySQL account with a strong password,
# granted nothing beyond SELECT on the users table (the component runs one SELECT against it),
# and keep this file readable only by the account that runs Alfresco.
# If the database is on another host, the password hashes cross the network: restrict the MySQL
# listener to the Alfresco host and protect the JDBC connection with TLS.
drupal.db.driver=org.gjt.mm.mysql.Driver
drupal.db.username=drupal
drupal.db.password=drupal
drupal.db.url=jdbc:mysql://localhost:3306/drupal6
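I’m not going to cover ensuring that you have access to the MySQL database here. If it’s on a different machine you’ll need to configure MySQL as well as any firewall rules. The database account only needs to read the users table, since the component below runs a single SELECT against it.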
Next it’s time to tell Alfresco about the new component that you are creating, so create the directory alfresco/subsystems/Authentication/drupal and add the following files:
drupal-authentication-context.xml
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/beans"
xsi:schemalocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
<!-- Spring context for the "drupal" authentication subsystem: a JDBC data source for the Drupal
     database, the custom authentication component, a transactional wrapper around it, and the
     authentication service that the chain picks up. -->
<!-- NOTE(review): XML attribute names are case sensitive and the standard spelling is
     xsi:schemaLocation; the lower-case form above may be a rendering artefact. Confirm before copying. -->

<!-- Pooled connection to the Drupal database. All credentials come from the drupal.db.* properties.
     Connections are validated with "SELECT 1" when borrowed, auto-commit is off, and a borrow waits
     at most 5000 (milliseconds in Commons DBCP) for a free connection.
     The component only reads the users table, so the database account behind these properties
     should have read-only access to that table and nothing else. -->
<bean class="org.apache.commons.dbcp.BasicDataSource"
destroy-method="close" id="drupalDataSource">
<property name="driverClassName" value="${drupal.db.driver}"/>
<property name="url" value="${drupal.db.url}"/>
<property name="username" value="${drupal.db.username}"/>
<property name="password" value="${drupal.db.password}"/>
<property name="validationQuery" value="SELECT 1"/>
<property name="testOnBorrow" value="true"/>
<property name="defaultAutoCommit" value="false"/>
<property name="maxWait" value="5000"/>
</bean>
<!-- The custom component that checks the password against Drupal.
     NOTE(review): the class attribute must be the fully qualified name of the Java class. The Java
     listing on this page declares package mypackage.cms.authentication, which does not match the
     mypackage.authentication used here; align the two or the bean will fail to load. -->
<bean class="mypackage.authentication.DrupalAuthenticationComponentImpl"
id="drupalAuthenticationComponent" parent="authenticationComponentBase">
<property name="dataSource" ref="drupalDataSource"/>
<property name="nodeService">
<ref bean="nodeService"/>
</property>
<property name="personService">
<ref bean="personService"/>
</property>
<property name="transactionService">
<ref bean="transactionService"/>
</property>
</bean>
<!-- Wrapped Drupal authentication component to be used within subsystem -->
<!-- NOTE(review): this bean has no class attribute as shown. Its properties (proxyInterfaces,
     transactionManager, target, transactionAttributes) look like those of Spring's
     TransactionProxyFactoryBean; confirm against a working Alfresco authentication subsystem context. -->
<bean id="AuthenticationComponent">
<property name="proxyInterfaces">
<value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
</property>
<property name="transactionManager">
<ref bean="transactionManager"/>
</property>
<property name="target">
<ref bean="drupalAuthenticationComponent"/>
</property>
<property name="transactionAttributes">
<props>
<prop key="*">${server.transaction.mode.default}</prop>
</props>
</property>
</bean>
<!-- Authentication service for authentication component chaining
Note. the id of this bean must be 'localAuthenticationService' for it to
be picked up, as an authentication service, by the
Subsystem Chaining Authentication Service
-->
<!-- NOTE(review): this bean also has no class attribute as shown; presumably it is Alfresco's
     authentication service implementation. Confirm against a working subsystem context.
     It is wired to the raw drupalAuthenticationComponent rather than to the transactional
     AuthenticationComponent wrapper defined above. -->
<bean id="localAuthenticationService">
<property name="ticketComponent">
<ref bean="ticketComponent"/>
</property>
<property name="authenticationComponent">
<ref bean="drupalAuthenticationComponent"/>
</property>
<property name="sysAdminParams">
<ref bean="sysAdminParams"/>
</property>
</bean>
</beans>
drupal-authentication.properties
# Subsystem copy of the drupal.db.* settings that the context file reads through ${drupal.db.*}.
# These are the same example values shown for alfresco-global.properties: keep the two in step,
# replace the drupal/drupal example credentials with a dedicated read-only account,
# and avoid leaving the real password in more files than necessary.
drupal.db.driver=org.gjt.mm.mysql.Driver
drupal.db.username=drupal
drupal.db.password=drupal
drupal.db.url=jdbc:mysql://localhost:3306/drupal6
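Then create the bean that is referenced from the config. Its fully qualified class name must match the class attribute in drupal-authentication-context.xml: as listed, the XML refers to mypackage.authentication.DrupalAuthenticationComponentImpl while the class below declares the package mypackage.cms.authentication, so change one to match the other.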
package mypackage.cms.authentication;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AbstractAuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.dao.DataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import javax.sql.DataSource;
import java.nio.charset.Charset;
import java.security.MessageDigest;
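/**
 * Authenticates a user against a Drupal database.
 * <p/>
 * The check is done against the database table USERS, using the
 * column NAME (username) and the column PASS (hex-encoded MD5 digest of the password).
 * <p/>
 * Tested with Drupal 6
 * <p/>
 * Security notes:
 * <ul>
 * <li>The stored value is a plain MD5 digest, so anyone who can read it can attack it offline.
 * Neither the submitted digest nor the stored digest is ever written to the log.</li>
 * <li>The user name is passed as a bind parameter, never concatenated into the SQL.</li>
 * <li>NOTE(review): later Drupal versions are believed to store passwords in a different format;
 * this component only understands the plain MD5 form. Confirm before using it elsewhere.</li>
 * </ul>
 *
 * @author martin.bergljung@ixxus.co.uk
 */
public class DrupalAuthenticationComponentImpl
        extends AbstractAuthenticationComponent implements ActivateableBean {
    /** Looks up the stored password digest for one user; the user name is a bind parameter. */
    public static final String GET_USER_PWD_SQL = "SELECT pass FROM users WHERE name=?";

    /**
     * Charset used when turning the password and the hex digests into bytes, so the result
     * does not depend on the platform default charset.
     * NOTE(review): assumes Drupal hashed the UTF-8 bytes of the password; confirm.
     */
    private static final Charset UTF_8 = Charset.forName("UTF-8");

    private final Log logger = LogFactory.getLog(getClass());

    /**
     * Spring JDBC template used to query or update a JDBC data source
     */
    private JdbcTemplate m_jdbcTemplate;

    /**
     * Is this bean active? I.e. should this part of the subsystem be used?
     */
    private boolean m_active = true;

    public DrupalAuthenticationComponentImpl() {
        super();
    }

    /**
     * Controls whether this bean is active. I.e. should this part of the subsystem be used?
     *
     * @param active <code>true</code> if this bean is active
     */
    public void setActive(boolean active) {
        m_active = active;
    }

    /**
     * Dependency-injects the data source to be used for querying the Drupal database.
     *
     * @param dataSource the data source to use
     */
    public void setDataSource(DataSource dataSource) {
        m_jdbcTemplate = new JdbcTemplate(dataSource);
    }

    /*
     * (non-Javadoc)
     * @see org.alfresco.repo.management.subsystems.ActivateableBean#isActive()
     */
    public boolean isActive() {
        return m_active;
    }

    /**
     * Authenticate against the Drupal database.
     * <p/>
     * The submitted password is hashed with MD5 and compared with the digest stored for the
     * user. On success the user is set as the current user; every failure path throws.
     *
     * @param userName the username to authenticate
     * @param password the password to authenticate (passed in as plain text)
     * @throws AuthenticationException if no password was supplied, the stored digest is blank,
     *                                 the digests differ, or the database lookup failed
     */
    @Override
    protected void authenticateImpl(String userName, char[] password) throws AuthenticationException {
        // Reject a missing password explicitly instead of failing with a NullPointerException.
        if (password == null) {
            throw new AuthenticationException("Access denied for user: " + userName +
                    ", no password provided.");
        }

        // Generate an MD5 hash for the password as that is what we get back from Drupal.
        // Get the value as hex, hashing the UTF-8 bytes rather than platform-default bytes.
        String userPwdMd5 = DigestUtils.md5Hex(new String(password).getBytes(UTF_8));

        // The digest is password-equivalent for an offline attack, so only the user name is logged.
        if (logger.isDebugEnabled()) {
            logger.debug("About to authenticate user: " + userName);
        }

        try {
            String drupalPwdMd5 = m_jdbcTemplate.queryForObject(GET_USER_PWD_SQL, new Object[]{userName}, String.class);

            // Record that the lookup returned, without disclosing the stored digest.
            if (logger.isDebugEnabled()) {
                logger.debug("Got stored password hash from Drupal database for user: " + userName);
            }

            if (StringUtils.isNotBlank(drupalPwdMd5)) {
                // MessageDigest.isEqual is used for the comparison rather than String.equals.
                if (MessageDigest.isEqual(userPwdMd5.getBytes(UTF_8), drupalPwdMd5.getBytes(UTF_8))) {
                    // Authentication has been successful.
                    // Set the current user, they are now authenticated.
                    setCurrentUser(userName);
                } else {
                    // NOTE(review): the failure messages tell a wrong password apart from an unknown
                    // user; if they can reach the client they allow user enumeration. Confirm.
                    throw new AuthenticationException("Access denied for user: " + userName +
                            ", incorrect password provided.");
                }
            } else {
                throw new AuthenticationException(
                        "Password in Drupal database is blank, empty, or null for user: " + userName);
            }
        } catch (DataAccessException dae) {
            throw new AuthenticationException(
                    "Error getting password from Drupal database for user: " + userName +
                            ", user may not exist in the Drupal database", dae);
        }
    }

    /**
     * Reports that this implementation allows guest login.
     * NOTE(review): confirm that guest access is wanted for the endpoints served through this
     * chain entry; return false here if it is not.
     *
     * @return always <code>true</code>
     */
    @Override
    protected boolean implementationAllowsGuestLogin() {
        return true;
    }
}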