Closed manurajsingh closed 3 years ago
Hi, I did not yet test this with Alfresco 7, so I cannot help with it yet. For the API explorer, I am sorry, but you will have to understand what you are doing; I cannot assist here with that kind of thing.
For the admin console, if your user is not part of ALFRESCO_ADMINISTRATORS I guess this is what you would see.
I doubt you have an issue with the setup, but you can share your project and I can have a look.
Hi Thanks for a quick response. I checked and my user was not part of ALFRESCO_ADMINISTRATORS group. But having done that change, outcome is that now I get a pop up to enter credentials (as if token is not there or is not liked)
Regarding Setup
In order to add user
```bash
docker exec -it -u root alfresco62_alfresco_1 bash
```
Following properties have been added
```properties
authentication.chain=identity-service1:identity-service
identity-service.register-node-at-startup=true
identity-service.authentication.enabled=true
identity-service.authentication.enable-username-password-authentication=false
identity-service.bearer-only=true
identity-service.realm-public-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsR2E4gZpYgv3tw6KDf6Ms89W/1/UKQY5uQTcPGwUMJkbRgW0ovO9nxQiOmxPr/gs0dS9DVnpbPh9SuDuRDEDrFdyvrkU+4SHAJYoh82OjLrBhnEH9pC/OEG/vxHUCv0qBbIeaoNaTittnHW4YcTKxchVCJM4F0L4tsP6B8kKMaOyTVE9Q2tJu5ipiB6Q/xU45B9mlDELr+U6JRsdbAHSATKGWENVbTNcw0DvaprHT2l2fhSqrN81pTuFvV6VH3b0YNqLVdwUiVvZ13/1MTeDyCk0CCf5ejkbP2WaVwOdzDjL79K6dhjzIjggT6Ggzw/VrPwJ6WTwE+IVOkmCdBocCwIDAQAB
aos.baseUrlOverwrite=http://localhost:9595/alfresco/aos
csrf.filter.enabled=true
csrf.filter.referer=http://localhost:9595/alfresco/.*
csrf.filter.referer.always=false
csrf.filter.origin=http://localhost:9595
csrf.filter.origin.always=false
```
When I attempt login to alfresco http://localhost:9595/alfresco I get gateway page that upon redirection to google returns and I can see token being created and then redirecting me to alfresco page. After that, when I attempt to go into admin console, I now get a pop up which shouldn't be there.
I see no errors in alfresco logs or proxy server logs.
Just to see if restart of alfresco has not cleared my user, I have reverted setting and was able to login using normal basic auth again
I am now unsure what could be going wrong and at what spot.
I am grateful for your help.
Thanks in advance.
I took your docker-compose and added all the config as you stated, and that works correctly. I would suggest to enable debug logs on alfresco and make sure your private/public keys are correctly set. If you use the one from the sample. Although I use a different public key it should not matter. If it does not work, I would also recommend to generate your own key.
Also, you can configure a local user in Spring Cloud Gateway with the username=admin
```properties
spring.security.user.name=admin
spring.security.user.password=password
```
then just use the login to make sure your setup works. Because if that works then you have some other issues.
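Added example, not part of the thread or of the alfresco-jwt-auth project: a stand-alone Java check of the key advice above, showing that an RS256 token verifies only against the public key that matches the signing key, with the key supplied as base64 DER in the same form as `identity-service.realm-public-key`. The class name, both key pairs and the token payload are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Pattern;

public class RealmKeyCheck {
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    static final Pattern RS256 = Pattern.compile("\"alg\"\\s*:\\s*\"RS256\"");

    // realmPublicKey: base64 of a DER SubjectPublicKeyInfo, as in the realm-public-key property.
    static boolean verifies(String jwt, String realmPublicKey) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;              // not a signed compact JWT
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        if (!RS256.matcher(header).find()) return false;  // refuse "none" and HMAC tokens
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                new X509EncodedKeySpec(Base64.getDecoder().decode(realmPublicKey)));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    // Builds a constructed token; stands in for whatever component signs the real one.
    static String sign(String payloadJson, PrivateKey key) throws GeneralSecurityException {
        String head = B64URL.encodeToString(
                "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = B64URL.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update((head + "." + body).getBytes(StandardCharsets.US_ASCII));
        return head + "." + body + "." + B64URL.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signing = gen.generateKeyPair();  // constructed: pair used to sign the token
        KeyPair other = gen.generateKeyPair();    // constructed: an unrelated pair, e.g. a leftover sample key
        String token = sign("{\"sub\":\"admin\"}", signing.getPrivate());
        String matching = Base64.getEncoder().encodeToString(signing.getPublic().getEncoded());
        String mismatched = Base64.getEncoder().encodeToString(other.getPublic().getEncoded());
        System.out.println("matching key:   " + verifies(token, matching));
        System.out.println("mismatched key: " + verifies(token, mismatched));
    }
}
```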
Hello Daniel Thanks for a quick response. No Change, I am afraid :( Attempted following
Issue is that when I go to admin console I still get pop up asking for credentials. Expectation of course is no pop up but I have tried admin/admin and admin/password but goes nowhere.
The above has been tried in following versions of browser
Error
_Web Script Status 401 - Unauthorized
The Web Script /alfresco/s/admin has responded with a status of 401 - Unauthorized.
401 Description: The request requires HTTP authentication.
Message: 02240033 Authentication failed for Web Script org/alfresco/repository/admin/admin-root.get
Server: Community v6.2.0 (rb65251d6-b368) schema 13,001
Time: 24 Mar 2021, 16:21:08_
I am unsure about properties required to enable debug logging
I am now curious as to why the behaviour is consistently odd.
Any help that you can provide will be greatly appreciated.
Regards,
what is the url you are trying to access alfresco? and add here your config on the gateway
Hello Daniel Thanks for a quick response. No Change, I am afraid :( Attempted following
- Changed keystore to my newly created keystore and updated public key in docker-compose file
- Also tried to login using admin and password as credentials on login form.
Issue is that when I go to admin console I still get pop up asking for credentials. Expectation of course is no pop up but I have tried admin/admin and admin/password but goes nowhere.
The above has been tried in following versions of browser
- Chrome (incognito) 89.0.4389.82
- Firefox 86.01
Error
_Web Script Status 401 - Unauthorized
The Web Script /alfresco/s/admin has responded with a status of 401 - Unauthorized.
401 Description: The request requires HTTP authentication.
Message: 02240033 Authentication failed for Web Script org/alfresco/repository/admin/admin-root.get
Server: Community v6.2.0 (rb65251d6-b368) schema 13,001
Time: 24 Mar 2021, 16:21:08_
I am unsure about properties required to enable debug logging
I am now curious as to why the behaviour is consistently odd.
Any help that you can provide will be greatly appreciated.
Regards,
I have exactly the same problem. Many thanks for your help
@fiste788 are you sure you access http://localhost:9595/alfresco/ ?
I have a doubt that both of you do not access alfresco through the gateway but directly http://localhost:8080/alfresco
Thanks for quick response.
URL to access alfresco via gateway server
Config Spring Cloud Gateway
```yaml
server:
  use-forward-headers: true
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: MY_CLIENT_ID HIDDEN INTENTIONALLY
            client-secret: MY_SECRET HIDDEN INTENTIONALLY
            authorization-grant-type: authorization_code
            clientName: Google
            scope: openid,profile,email
          facebook:
            clientId: YOUR_CLIENT_ID
            clientSecret: YOUR_SECRET
            authorization-grant-type: authorization_code
            clientName: Facebook
            scope:
              - email
              - public_profile
        provider:
          google:
            issuer-uri: https://accounts.google.com
            user-name-attribute: email
          facebook:
            user-name-attribute: email
  cloud:
    gateway:
      httpclient:
        pool:
          type: DISABLED
      routes:
        - id: alfresco
          uri: http://localhost:8080/alfresco
          predicates:
            - Path=/alfresco/**
          filters:
            - JwtBearerAuthorizationHeader
        - id: share
          uri: http://localhost:8080/share
          predicates:
            - Path=/share/**
          filters:
            - UsernameHeader=X-Alfresco-Remote-User
            - JwtBearerAuthorizationHeader=WEB_TOKEN
```

```properties
server.port=9595
logging.level.org=INFO
spring.security.user.name=admin
spring.security.user.password=password
spring.security.user.roles=ADMINISTRATOR
spring.boot.admin.context-path=/admin
```
Thanks
ok I am not sure why it redirects to :8080/alfresco but you must go through :9595/alfresco
I will check what is going wrong with the redirect and post in here
Thanks Daniel
Sorry, I had worked on different repositories and did not merge into this one what is needed for the correct redirect. If you checkout now it should work without issues.
But please remember, you should never access alfresco through :8080 but through :9595 or the gateway server.
Thanks Daniel. I will Checkout and report back.
I can report following Daniel
So Success :) Thanks.
Side note Ideally redirection should keep the gateway url and not change it back to localhost:8080.
As a separate question (may be not for here)
Thanks for your help.
Regards
the redirection is kept if you update the cloud gateway from master (application.yml)
for your second question please see https://github.com/dgradecak/alfresco-jwt-auth/issues/1#issuecomment-801266386
regarding custom permissions, all works normally once you are logged in alfresco, so yes.
@manurajsingh could you please close the issue if it is working for you
As far as I can see it works with 6.2 alfresco community. We will test it also with 7.0 version and we'll keep you informed. For your convenience I attach my 7.0 docker configuration
Many thanks
https://drive.google.com/file/d/1rD1sEsSHogmpO9RyXLdlN8Xlzj2i45-y/view?usp=sharing
Thanks Daniel. All Good. Closing.
@fiste788 - Worthwhile reporting back if you get 7.0 working (I think it will be ok).
I can tell you that alf7 has some changes and there will be need to change the approach and the config for sure
to give you some updates:
stay tuned and I hope you do not mind deploying a custom subsystem of course
Thanks for the update Daniel
Hello Daniel Are the changes that you are referring to in alfresco-jwt-auth project or will they be on service side i.e. alfresco or share? If it is the latter then when will these changes become part of Alfresco 7.
I am planning to use Zuul gateway server to forward requests (with Bearer in Authorization header) to Alfresco ecosystem and then get Alfresco to validate the Bearer token in header to validate the token using public key. As I did not see the token issued in your project attached to request in header, I was wondering how this is being passed to Alfresco service. Also are you aware if Alfresco can validate token using url providing jwks.
Thanks. Your insights about the above will be useful.
I have used Spring Cloud Gateway (cloned from your Github repo) and configured it to use Google as my Identity Provider. Upon successful redirection and issuing of token, I am redirected to Alfresco Community (6.2 / 7.0 Snapshot) on Docker. When I attempt to go into Admin console, I am getting following error when browsing to admin console.
In 7.0 Snapshot (Within Browser and Via API Explorer) Authorisation 'Bearer' not supported.
In 6.2 (Within Browser) Attempted to login into admin console using non-admin credentials (Within API Explorer) Authorisation 'Bearer' not supported.
As for configuration Passed Properties
```
-Dauthentication.chain=identity-service1:identity-service
-Didentity-service.register-node-at-startup=true
-Didentity-service.authentication.enabled=true
-Didentity-service.authentication.enable-username-password-authentication=false
-Didentity-service.bearer-only=true
-Didentity-service.realm-public-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsR2E4gZpYgv3tw6KDf6Ms89W/1/UKQY5uQTcPGwUMJkbRgW0ovO9nxQiOmxPr/gs0dS9DVnpbPh9SuDuRDEDrFdyvrkU+4SHAJYoh82OjLrBhnEH9pC/OEG/vxHUCv0qBbIeaoNaTittnHW4YcTKxchVCJM4F0L4tsP6B8kKMaOyTVE9Q2tJu5ipiB6Q/xU45B9mlDELr+U6JRsdbAHSATKGWENVbTNcw0DvaprHT2l2fhSqrN81pTuFvV6VH3b0YNqLVdwUiVvZ13/1MTeDyCk0CCf5ejkbP2WaVwOdzDjL79K6dhjzIjggT6Ggzw/VrPwJ6WTwE+IVOkmCdBocCwIDAQAB
```
As Java Options (in Docker Compose file) for Alfresco Container
Also Attempted to update alfresco-global.properties (empty to begin with) within docker container
```properties
authentication.chain=identity-service1:identity-service
identity-service.register-node-at-startup=true
identity-service.authentication.enabled=true
identity-service.authentication.enable-username-password-authentication=false
identity-service.bearer-only=true
identity-service.realm-public-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsR2E4gZpYgv3tw6KDf6Ms89W/1/UKQY5uQTcPGwUMJkbRgW0ovO9nxQiOmxPr/gs0dS9DVnpbPh9SuDuRDEDrFdyvrkU+4SHAJYoh82OjLrBhnEH9pC/OEG/vxHUCv0qBbIeaoNaTittnHW4YcTKxchVCJM4F0L4tsP6B8kKMaOyTVE9Q2tJu5ipiB6Q/xU45B9mlDELr+U6JRsdbAHSATKGWENVbTNcw0DvaprHT2l2fhSqrN81pTuFvV6VH3b0YNqLVdwUiVvZ13/1MTeDyCk0CCf5ejkbP2WaVwOdzDjL79K6dhjzIjggT6Ggzw/VrPwJ6WTwE+IVOkmCdBocCwIDAQAB
```
Both options were tried but result was same.
Any help from yourself will be greatly appreciated.
Thanks in advance.