Permanent links don't work with CAS Authentication ?
We trying to use permanent link like this one “http://localhost/nuxeo/nxdoc/default/5e84c7a3-e40c-4152-9497-b0cfdb916a6a/view_documents” to access document on a “nuxeo-cap-5.6-tomcat” server, with HF15 and DM add-on.
We first test this possibility with a default authentification: it works as expected (direct access).
But, we need use CAS authentication and in this case, the permanent link doesn't work anymore … It's for us an important issue because we need direct acces on task (workflow context) send via email to our users.
Is it a known problem ?
We've done tests on two differents “Centos (5.9 and 6.4)” servers:
In both case:
- a first direct access doesn't work. The return URL from CAS is wrong: the path to the document is missing.
On one server (Centos 6.4, nuxeo-5.6-HF10), after a first connection and deconnection (without removing JSESSION cookie) to the plateform, the direct access on a document works even with a CAS access for authentication (the return URL is correct). No error message are seen (with a default log4j configuration).
On the other one (Centos 5.9, nuxeo-5.6-HF15), an access after a first connection and deconnection (without removing JSESSION cookie) doesn't work and an error message is sent in the log:
2013-04-25 14:26:49,819 ERROR [org.nuxeo.ecm.core.api.CoreSession] Permission 'Read' is not granted to 'invite' on document /default-domain/workspaces/niv2/dd (5e84c7a3-e40c-4152-9497-b0cfdb916a6a - Folder) 2013-04-25 14:26:49,821 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/nuxeo]] L'écouteur d'évènement de session (session event listener) a généré une exception java.lang.IllegalStateException: Please end the HttpSession via org.jboss.seam.web.Session.instance().invalidate() at org.jboss.seam.contexts.Lifecycle.endSession(Lifecycle.java:221) ....
Thanks for your help
Sorry that I don't have any hint to help you solve this, but I've tested against a 5.6-HF15 with CAS authentication and permanent links do work correctly on this version.
Thank for the replay. It was on a CentOS server?
Did you try with the delete of nuxeo cookies before go to a document directly with its permanent link (and then reconnect)?
Can you trace the HTTP requests and responses to see at which point the URL gets truncated? (with something like firebug or httpfox).
We trace as you suggest with "HttpFox" and the lost of URL's end appends near the beginning:
- the first redirect seems correct, - the second looks wrong ?
Here, the start of the output (with MYHOST for our hostname and AUTH_HOST for our CAS server):
GET 302 Redirect to: /nuxeo/logout?requestedUrl=nxdoc%2Fdefault%2Fe72298ab-a7bb-4502-ad07-10e8de2d698f%2Fview_documents&forceAnonymousLogin=true&securityError=true http://MYHOST:8080/nuxeo/nxdoc/default/e72298ab-a7bb-4502-ad07-10e8de2d698f/view_documents
GET 302 Redirect to: https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces /nuxeo/logout?requestedUrl=nxdoc%2Fdefault%2Fe72298ab-a7bb-4502-ad07-10e8de2d698f%2Fview_documents&forceAnonymousLogin=true&securityError=true
In this configuration, we chain three authentification plugins: <pre>
<authenticationChain> <plugins> <plugin>BASIC_AUTH</plugin> <plugin>CAS2_AUTH</plugin> <plugin>ANONYMOUS_AUTH_FOR_CAS2</plugin> </plugins> </authenticationChain>
With a new test without the "ANONYMOUS_AUTH_FOR_CAS2" plugin, we got the following result:
. Permanent links work, - the acces to the nuxeo plateform via the URL "http://MYHOST:8080/nuxeo/" is redirected to the CAS server (no more "guest page")
Here, the beginning of trace got with "HttpFox":
GET 302 Redirect to: https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces%3Bjsessionid%3D678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo http://MYHOST:8080/nuxeo/nxstartup.faces;jsessionid=678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo
I've created NXP-11602 to track this issue.
We've tried the 5.6-HF18 nuxeo server with the "nuxeo-platform-login-cas2-5.6.0-HF18.jar". We retried the ANONYMOUS_AUTH_FOR_CAS2 plugin, and permanent links still not work for us. (We didn't see any difference in the httpfox log with our previous test).
Can you send us an sample of your own xml configuration? Or have you another idea ?
Besides, we've made tests without ANONYMOUS_AUTH_FOR_CAS2: permanent links seem to work (direct access to a workspace for instance) without any previous connection but we got another problem. We'll describe it a new question.
Thanks for your help.
It wasn't fixed for 5.6-HF18 so it's probably the case for HF23. I didn't try with 5.7 or 5.8. But as it not the only problem with CAS authentication (see http://answers.nuxeo.com/questions/5797/permanent-links-and-cas-authentication), we change the authentication mode to use shibboleth.
We have try yesterday CAS authentication on 5.8 without ANONYMOUS_AUTH, but permanent links still no work, so we drop it again to use shibboleth.