How do I integrate with nuxeo-platform-login-portal-sso in my portal?
I want to use nuxeo-platform-login-portal-sso
for authentication, but how do I communicate the client authentication info exactly?
First, note that nuxeo-platform-login-portal-sso
is a bit of a misnomer, what this module really does is establish a shared-secret method of authenticating between the Nuxeo server and a client.
Server
On the server side, you establish it using something like:
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="authenticators">
<authenticationPlugin name="PORTAL_AUTH">
<loginModulePlugin>Trusting_LM</loginModulePlugin>
<parameters>
<parameter name="secret">MySharedSecret</parameter>
<parameter name="maxAge">60</parameter>
</parameters>
</authenticationPlugin>
</extension>
<!-- Include Portal Auth into authentication chain -->
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
<plugin>BASIC_AUTH</plugin>
<plugin>PORTAL_AUTH</plugin>
<plugin>FORM_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
Here we've chosen to name this authentication method PORTAL_AUTH
. Note that the secret parameter contains the shared secret that the client will have to know.
Client
On the client side, you could use one of the existing clients:
Using nuxeo-http-client
nuxeo-http-client
is a sample Java client to do REST calls to Nuxeo. You can configure it connect to a server that uses nuxeo-platform-login-portal-sso
by doing:
NuxeoServer nxServer = new NuxeoServer("http://127.0.0.1:8080/nuxeo");
nxServer.setAuthType(NuxeoServer.AUTH_TYPE_SECRET);
nxServer.setSharedSecretAuthentication("Administrator", "MySharedSecret");
See src/test/java/org/nuxeo/ecm/http/client/remote/tests/RemoteTests.java
in nuxeo-http-client
for more.
Using nuxeo-automation-client
nuxeo-automation-client
is a more modern Nuxeo Java client using high-level Document abstractions. You can configure it to connect to a server that uses platform-login-portal-sso
by doing:
HttpAutomationClient client = new HttpAutomationClient("http://localhost:8080/nuxeo/site/automation");
client.setRequestInterceptor(new PortalSSOAuthInterceptor("MySharedSecret", "Administrator"));
Session session = client.getSession();
See src/test/java/org/nuxeo/ecm/automation/client/jaxrs/test/SampleSSOPortal.java
in nuxeo-automation-client
for more.
Manual HTTP calls
If you want to do all the calls to Nuxeo yourself, you'll have to decide which HTTP requests to make, and in addition you'll have to send some specific headers to authenticate. The HTTP headers are:
NX_TS
: the timestamp, in milliseconds since epoch, when you're generating the request.NX_RD
: a few some random characters.NX_USER
: the user as whom you want to authenticate.NX_TOKEN
: a token proving authentication generated using the algorithmBASE64_MD5(timestamp + ":" + random + ":" + secret + ":" + user)
The token contains the secret but in a hashed form which cannot be reversed by an eavesdropper to generate new requests. The timestamp is used to avoid replay attacks (the delta with the real time on the server cannot be more than the maxAge
specified on the server). The random characters are used to avoid pre-computed dictionary attacks.
The following Java code can be used:
import java.security.MessageDigest;
import javax.xml.bind.DatatypeConverter;
public String makeToken(String timestamp, String random, String secret,
String user) throws Exception {
String clearToken = timestamp + ":" + random + ":" + secret + ":"
+ user;
byte[] md5 = MessageDigest.getInstance("MD5").digest(
clearToken.getBytes());
return DatatypeConverter.printBase64Binary(md5);
}
As a validation of your code, check that makeToken("1324572561000", "qwertyuiop", "secret", "bob")
returns 8y4yXfms/iKge/OtG6d2zg==
It was like there was another authenticationChain declaring <i>AUTOMATION_BASIC_AUTH</i>.
When searching in nuxeo sources, I found this in <i>nuxeo-automation-server/OSGI-INF/auth-contrib.xml </i>: <pre> <code> <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="specificChains">
<specificAuthenticationChain name="Automation">
<urlPatterns>
<url>(.*)/automation.*</url>
</urlPatterns>
<replacementChain>
<plugin>AUTOMATION_BASIC_AUTH</plugin>
<plugin>ANONYMOUS_AUTH</plugin>
</replacementChain>
</specificAuthenticationChain>
</extension> </code> </pre>
Then, I extended the "specificChains" point instead of "chain" point to add <i>PORTAL_AUTH</i> and it works fine.