Configuring mod_sso?

Is there any recent document describing the use of org.nuxeo.ecm.platform.login.mod_sso?

0 votes

2 answers

2467 views

ANSWER



Ok, some more information about what I'm fighting against. I installed org.nuxeo.ecm.platform.login.mod_sso (it's shown in the list after INFO [org.nuxeo.runtime.deployment.preprocessor.DeploymentPreprocessor] Preprocessing order:).

On server start, it's shown as registered and merged as an authenticator:

2011-09-16 15:03:17,730 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: BASIC_AUTH
2011-09-16 15:03:18,959 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] registered AuthenticationPluginDescriptor: PROXY_AUTH
2011-09-16 15:03:18,960 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService] merged AuthenticationPluginDescriptor: PROXY_AUTH

(among others)

I configured my extension point to read the requested header:

    <extension
        target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
        point="authenticators">
      <authenticationPlugin
          name="PROXY_AUTH"
          enabled="true"
          class="org.nuxeo.ecm.platform.ui.web.auth.proxy.ProxyAuthenticator">
        <loginModulePlugin>Trusting_LM</loginModulePlugin>
        <parameters>
          <parameter name="ssoHeaderName">HTTP_AUTH_USER</parameter>
        </parameters>
      </authenticationPlugin>
    </extension>

And I even tested - by pointing my reverse proxy at a simple PHP page showing phpinfo() - that the env var is sent. So, as far as I'm concerned, everything should work. But when I try to access the instance through the proxy, the login page is shown (and working). According to my logs:

2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal
2011-09-16 16:03:07,484 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin BASIC_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin FORM_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Looking for user/password in the request
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBENGINE_FORM_AUTH
2011-09-16 16:03:07,485 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin ANONYMOUS_AUTH
2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIndetification using plugin WEBSERVICES_AUTH
2011-09-16 16:03:07,505 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache
2011-09-16 16:03:07,538 DEBUG [org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator] Forward to Login Screen

For the sake of completeness (sorry for the lengthy post), here is my plugin chain:

    <extension
        target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
        point="chain">
      <authenticationChain>
        <plugins>
          <!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
          <plugin>BASIC_AUTH</plugin>
          <plugin>PROXY_AUTH</plugin>
        </plugins>
      </authenticationChain>
    </extension>

So it looks like my plugin chain (BASIC_AUTH, then PROXY_AUTH) isn't even taken into account. Any idea, anyone?

0 votes



Ok, I'll be answering myself here. It was actually pretty simple, only I needed to:

  • know how to force my authenticationChain to prevail (like explained here)
  • forget about my PHP “knowledge” and set the ssoHeaderName to “Auth-User” instead of “HTTP_AUTH_USER”.

And then, with all that, my Nuxeo instance is officially connected to LemonLDAP::NG (through a reverse-proxy, CAS/Shibboleth might come later).

0 votes
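
The header-name mismatch behind the second fix above, as an added example that is not part of the original posts or of Nuxeo's code: phpinfo() shows request headers under their CGI names (`HTTP_` prefix, upper case, `-` turned into `_`), while a servlet-side lookup uses the name as sent on the wire. The function names and the sample request are constructed for illustration, and the check assumes the authenticator reads the header by its wire name, as the fix implies.

```python
import re

def cgi_env_name(header_name):
    """Name under which CGI/PHP exposes an HTTP request header (RFC 3875)."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def wire_name_guess(env_name):
    """Reverse the mapping: HTTP_AUTH_USER -> Auth-User.

    The CGI form is lossy ('-' and '_' both end up as '_'), so this is only
    the most likely wire name, not a certainty.
    """
    if not env_name.startswith("HTTP_"):
        raise ValueError("not a CGI header variable: " + env_name)
    return "-".join(part.capitalize() for part in env_name[5:].split("_"))

def get_header(headers, name):
    """Case-insensitive lookup by wire name, like HttpServletRequest.getHeader."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def check_sso_header(configured, headers):
    """Return (user, suggestion) for a configured ssoHeaderName.

    Assumption: the authenticator reads the header by its wire name.
    """
    user = get_header(headers, configured)
    suggestion = None
    if user is None and re.fullmatch(r"HTTP_[A-Z0-9_]+", configured):
        guess = wire_name_guess(configured)
        if get_header(headers, guess) is not None:
            suggestion = guess
    return user, suggestion

# Constructed sample: request headers as the reverse proxy forwards them.
SAMPLE_REQUEST = {"Host": "nuxeo.example.org", "Auth-User": "jdoe"}

if __name__ == "__main__":
    for name in ("HTTP_AUTH_USER", "Auth-User"):
        user, suggestion = check_sso_header(name, SAMPLE_REQUEST)
        print(f"ssoHeaderName={name!r}: user={user!r} suggestion={suggestion!r}")
```

With the CGI-style name the lookup finds no user and the plugin has nothing to authenticate with, which matches the fall-through to the login form in the logs above.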