Alfresco not working with CAS SSO

Time: 2018-05-18 15:57:02

Tags: single-sign-on alfresco cas keycloak alfresco-share

I am using mod_auth_cas for SSO with Alfresco Community 5.2 and Keycloak 4.0, together with the keycloak-cas-protocol plugin.

Alfresco sits behind a first Apache reverse proxy, while Keycloak runs on another machine behind a second one. The SSL certificates are handled by the front-end Apache servers.

My problem is the following: when I log in, I get redirected to the Alfresco URL with far too many CAS tickets:

http://alfresco-server-url/alfresco?ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..2fzwwcMChdFFNk49ucH56A.aHDDlnXrignL4oCAXzrSmIinjqVqaisUQtaioLTzRlLoHjPGD8k-PRrUA0U5S09Wh0Z8MV2JkK2_2CUh5efDFnVdrLqvCtFUOakAtTH9b8MK_7NLU6H_K6tM0cItB7tGAooUZmoKhHAc5DlzIx7n7QrbThk5nrwt5BBl4luIK0k9zeLUOjn5Cp6_nRyCK6uJZZu2-l0qbeMSPjTOktbGZUb2S0F4l1Af5be6sYwQO95XTLEyny8mPKhexEnFR6vx.9BDatlhtuxg17oqopjwpdw&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..SCWcwVtbK9xcZKCYm12Tpw.9h03gCwnzeC6xBNwvDojAJs1b6zIIn4AxA02jrx_CZ5m8r2enNjIiS70wJWvSx_a1bq_EekSTCAFU01b93UopZNuEPDExZ1A9S1hur6t-IWTYfDS1WfKKh9CyKRSvUTqPkug-lf3UoPR4KTXgjhrXIC_nTxX_TJX6lIXsTEKTDPA0GZXRkHAB9PGTy98X1orm10qN_q8zMefo7aCqVIcx3WRrqs4XvwBVqY3oGv8oNN4dE1jONTUonGZSWtwfHlk.s_1V8uVC7XArWHVc6ICYRA&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..T56R8c7F8tQoSnZ2uAkckw.GB7WHWpTURuSxsMITJblSNTuYf4Rd3TiDult_HBWXm7AEOIiiHC0n2Af9SvrjOjdEGxPhkfMimQzOZgigbYG2SoQ2I0xuBRVSv0to8ib-gATbBSWoKayAqaT5CdXQuAxii1bqQ1ysdOK00jQKweaQoa-NAbDr6lTtZf9hwS5bj0x05yiczD2Pzf-w57oqPOdmmr_YrbHNy8qiMXNMp8HqmFAF0Brtpu-m_PW5skSHTpWGHXr_vPKLHsFcSHeKwTz.NkCBgoCEtf4_7xevG2_04w&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..h7WkA0L-0cir8OxkNjXbRA.xnYyOrOAD8_fVXwrQ-kydcbTrVlEVLvACdmNAi-DVKbBF53HllKmFE2HBe3PSjaYcmI85y1xzVuZEd6JgzzfdCKPHkGY4AUAFICcxyFjruxvBULo-tp2BCSunGKp-0vwJ4Ty8fYRkj2l5AphnSaBdn_A6_lM4pW1Ietm6PxJkvUvvFE1J00LSB0mU35ys--V_ri7T-NOvRyc5hBTWdU_qun8464vTdEaDXpKADLEr4gn5VnKEOGp5M9KOkfOgVB8.jzb3spHhYsO8unDITNjHyw&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..HblYkRPxMSEe2_11COlOYQ.V6BNdvgAqrJfh2OW2Mm5ZnnZpvu6qjdoPofumFbMo0-prIc9x92qgPIkFQPn2JCKIA8esDS-R7X4DNNq59-KBS6pnQfBgdZDD1KviF07G4xtDjCrc0PCrpnxM6Z_OovmtuRsMeXpAlBb-eQ5FuF1-LKtZAy2h_mIACsJD0GZEaD2PNKi-xRrzi0MU1NEE9y8T73ZxBzxt30LFU9NpmPHAfmXXuhRMk97326L34ae-7Uh-TMgcEeUTukFTvn0rDi1.5ACqkhDwdBwIGcaFrYb1IA&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..1m-5uj9sJcsU4Jzu1DmDfg.H8fgd0W_xOo4IB0AKsm27NEnNM9YP8XdZURip3aW0yqgprsrfOBSlNL0jssP_YjwuNT_-IR8
O5TB4iw8_tP_kf32D6vA8YavIOEPKFks3a2s8pIqk0zfp1SXn-c2g228cBctDYVh7gHANR2UgQt_WZt2A6fg2OJveD2Lan11udD1bFojIP6ADWVbkwohhwHyAIPiuXUTELCvytT3y_q_QhPqT7JEBQrRCHawRMLAnhZjXBBTJxrJEXOTE2Qiad5C.sO7povpRpOU-G3rRsN7zcg&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..93a2rMaFy9lGj_0HN2349Q.KIkpwoYROOKglvJ5EjMkQtY2D7jacyNJ8f6viNWSj3SFOjZIXGGYwXqnOL3Wrk7M6DQAB3bGw2X4OJQ3UJY7SANYO-cUBvjgMueZ7TxtMZTE87Xl0Vo1KkFVFdP1hTwIQ1fQhRLQKOSzvOun_FXHRnWG-7rHMPBR9LX6qk1L1E5Y8Zo7edTrUEqOLIKmp719q3MUaUs5mGQimjv_MwOHbVb5c5KCnndn9jbG9CNexVxpkFt9CRpO_c4MC3WP-LlY._DCqAqUVZYJgcddeJkdVxw&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..s41OanknH97t3zX-jUOU-A.0mhgL6z_WRdSyy5nZt8JJ-JASNl93xgAB6IBEsbFs_elu84DGASNfBtYmhIktk9PTlSYQzPTD_FEveME_ThDEEGXS3ojTQ4vRDJuR5crV41kXmrcm9kjDxtlUz_nlT0HOtuSmyQdUwHyVoNcEITkvr63-jbvBD3Z5yEWD8uZGkKLHvnOwZ6tc4tJcqsb52W5AMU3Lh6sqAidwOVtObjQvSXw9Otzk0mkKpCdIksBeeHaP9sIAalVwK6vHHHN-ean.n-VJaIwSJZxvviopuJdpYQ&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..PPIdjwnNIqHFm0B-eimXEA.iiDs_2mHMt9yGzSjyNWMeg2tkNRKatK8Xd5vOmBg0zgfVhAxqPDii1J3SauIK9ujEJ_7oFLqnDiPWJjp-EFJVRq59Ihf6g3un5n1yNGaNUolXhVxqZ1kwZrLer0kulX1GxKWKi_YWiCJH6Zupc322GgmE8ZFAX_rB__vH8PbdtWvoTPcYE3GrmgVASPxzC0EDj1sf552F6BSk5XrmWDH6ipGaY_rTEWJ6NdPYrb0k1vAkuonhAc2zdfloaXEe3c3.6zYuKHuXrm-zlxMV3UW-RA&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..nGaDNtyvKsn8C0ziVB-2_Q.L9DuWHfKGNumX8cd-H0UphZfjgnhBxd8clZopkWLMQOWr6VFKjPi2IM9H9Gb9hXji31txiLJoRnCc6DG75oE6-hwvWjiF4hy2tHRbm0zmnia4l0ILS2hW_Te1Wdi9Dc2XilGBrI2mjQky1YFODC0o2B5MBjKbRuCM83hliRBxFE1PgujQpl3AGvF3H4iCDKC6aYDqvFVeyJr_Bv8tVAj2gRko0z8jH4-7mjRIoEmZOt4iqWPlrdS023ZQJxyFX7h.wErxn32g48QZOn4rLWMHYg

It looks like mod_auth_cas keeps redirecting me to Keycloak, stacking the ticket tokens one after another; this causes Alfresco to return a 401 Unauthorized error.

Removing all but one ticket from the URL works fine and redirects to Alfresco Explorer with the authenticated user.

I am not sure whether this is related, but as soon as the server starts I also get the following error in the logs:

WARN  [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl] 
WQS unable to connect to repository: Unauthorized

Caused by:

127.0.0.1 - - [18/May/2018:17:24:38 +0200] "GET /alfresco/service/api/login?u=admin&pw=admin HTTP/1.1" 403 425
127.0.0.1 - - [18/May/2018:17:24:38 +0200] "GET /alfresco/cmisatom HTTP/1.1" 401 5

Here are the relevant configuration snippets:

alfresco-global.properties:

authentication.chain=external1:external
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=X-Alfresco-Remote-User

### Initial admin password ###
alfresco_user_store.adminusername=admin
#alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634

share-config-custom.xml:

<config evaluator="string-compare" condition="Remote">
  <remote>
     <ssl-config>
        <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
        <keystore-type>pkcs12</keystore-type>
        <keystore-password>alfresco-system</keystore-password>

        <truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
        <truststore-type>JCEKS</truststore-type>
        <truststore-password>password</truststore-password>

        <verify-hostname>false</verify-hostname>
     </ssl-config>

     <connector>
        <id>alfrescoCookie</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using cookie-based authentication</description>
        <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
     </connector>

     <connector>
        <id>alfrescoHeader</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
        <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
        <userHeader>X-Alfresco-Remote-User</userHeader>
     </connector>

     <endpoint>
        <id>alfresco</id>
        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <basic-auth>false</basic-auth>
        <identity>user</identity>
        <external-auth>true</external-auth>
     </endpoint>

     <endpoint>
        <id>alfresco-feed</id>
        <parent-id>alfresco</parent-id>
        <name>Alfresco Feed</name>
        <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <basic-auth>false</basic-auth>
        <identity>user</identity>
        <external-auth>true</external-auth>
     </endpoint>

     <endpoint>
        <id>alfresco-api</id>
        <parent-id>alfresco</parent-id>
        <name>Alfresco Public API - user access</name>
        <description>Access to Alfresco Repository Public API that require user authentication.
                     This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
        <basic-auth>false</basic-auth>
        <identity>user</identity>
        <external-auth>true</external-auth>
     </endpoint>
  </remote>
</config>

Apache configuration:

ProxyPass               /alfresco           http://127.0.0.1:8080/alfresco
ProxyPassReverse        /alfresco           http://127.0.0.1:8080/alfresco
ProxyPassReverseCookiePath /alfresco /alfresco

ProxyPass               /share           http://127.0.0.1:8080/share
ProxyPassReverse        /share           http://127.0.0.1:8080/share
ProxyPassReverseCookiePath /share /share

ServerName my-apache-server-url

RequestHeader set Host "my-apache-server-url"
RequestHeader set X-Real-IP "my-apache-server-url"
RequestHeader set X-Forwarded-Server "my-apache-server-url"
RequestHeader set X-Forwarded-Host "my-apache-server-url"
RequestHeader set X-Forwarded-For "127.0.0.1:8080, my-apache-server-url"

mod_auth_cas config:

CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/login
CASValidateURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/serviceValidate
CASProxyValidateURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/proxyValidate
CASDebug On

<Location /share>
    Authtype CAS
    AuthName "CAS"
    require valid-user
    CASAuthNHeader X-Alfresco-Remote-User
    CASScope /share
</Location>

<Location /alfresco>
    Authtype CAS
    AuthName "CAS"
    require valid-user
    CASAuthNHeader X-Alfresco-Remote-User
    CASScope /alfresco
</Location>

Below is the HTTPD debug log:

[Tue May 22 18:12:37.738754 2018] [:debug] [pid 63283] mod_auth_cas.c(2058): [client XXX.XX.XXX.XXX:XXXXX] Entering cas_authenticate()
[Tue May 22 18:12:37.738817 2018] [:debug] [pid 63283] mod_auth_cas.c(580): [client XXX.XX.XXX.XXX:XXXXX] CAS Service 'http%3a%2f%2fXXX.XX.XXX.XX%2fshare%3fticket%3dST-eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..RR2EyToZ7ciuGy3XPKUVcg.oZBjcuS7OrZxk_OqU-cQDdXSzkzCq5bsKmlX3Ixt9XLAvjyPV2zoeoBjxol3zmL0hF1COsWt9QzkaF0_rWABvWPUEC9hT3QqtwMrmZMtivcdo9EDkV_3J8xSCtAjP45wPEDc0cYM50L7X6dcF76PCsgxIjEt5KUQVzDoNHwzocvdjk4_KpZEplx1l2WVJdD3UzsSoYN1YbXnPQU4kyGL33d8F1eW0VOfshrV9fz9WaKGzFG3K1ADdvADGfjSGoT3.zv7i2QPMu3AiwfXZOj3Dvw'
[Tue May 22 18:12:37.738846 2018] [:debug] [pid 63283] mod_auth_cas.c(528): [client XXX.XX.XXX.XXX:XXXXX] entering getCASLoginURL()
[Tue May 22 18:12:37.738859 2018] [:debug] [pid 63283] mod_auth_cas.c(505): [client XXX.XX.XXX.XXX:XXXXX] entering getCASGateway()
[Tue May 22 18:12:37.738865 2018] [:debug] [pid 63283] mod_auth_cas.c(595): [client XXX.XX.XXX.XXX:XXXXX] entering redirectRequest()

Why does mod_auth_cas redirect to the SSO server when Keycloak has already returned a ticket?

1 Answer:

Answer 0: (score: 0)

I found the problem after a while.

mod_auth_cas seems to use a CAS version above 5.2.2, which prevents underscores in tickets.

This is a problem because the Keycloak CAS add-on generates tickets containing underscores.

I solved it by modifying the validCASTicketFormat function in mod_auth_cas.c and recompiling the Apache module, so that tokens are allowed to contain underscores.

In the latest mod_auth_cas version, only dots, dashes and alphanumeric characters are allowed.
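The two symptoms discussed on this page, a ticket rejected for its character set and a callback URL carrying a stack of tickets, as an added example (not mod_auth_cas's own code; the function names, the ticket text and the URL are constructed for illustration). The strict branch mirrors the character set the answer describes, the relaxed branch is the fix the answer applied.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Ticket format check modelled on the answer's description of recent
 * mod_auth_cas (not the module's own code): a service ticket must start
 * with "ST-" and the remainder may only contain alphanumerics, '-' and
 * '.'. With allow_underscore set it also accepts '_', which is the
 * relaxation the answer applied so that base64url-encoded (JWE-style)
 * tickets from the Keycloak CAS add-on pass. */
static int valid_ticket(const char *t, int allow_underscore)
{
    if (strncmp(t, "ST-", 3) != 0 || t[3] == '\0')
        return 0;
    for (const char *p = t + 3; *p; p++) {
        if (isalnum((unsigned char)*p) || *p == '-' || *p == '.')
            continue;
        if (*p == '_' && allow_underscore)
            continue;
        return 0;                       /* any other byte: reject */
    }
    return 1;
}

/* Count "ticket=" parameters in a URL's query string. A healthy CAS
 * callback carries exactly one; more means the client was bounced back
 * to the login URL repeatedly, as in the question's redirect loop. */
static int count_ticket_params(const char *url)
{
    int n = 0;
    for (const char *p = url; (p = strstr(p, "ticket=")) != NULL; p += 7)
        if (p == url || p[-1] == '?' || p[-1] == '&')   /* skip "noticket=" */
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample: a shortened ticket in the Keycloak JWE style. */
    const char *kc = "ST-eyJhbGciOiJkaXIi..2fzw_wcM.9BDat-lhtu";
    const char *url = "http://alfresco-server-url/alfresco?ticket=ST-a1&ticket=ST-b2";
    printf("strict:  %d\n", valid_ticket(kc, 0));   /* 0: '_' rejected */
    printf("relaxed: %d\n", valid_ticket(kc, 1));   /* 1: accepted */
    printf("tickets in callback URL: %d\n", count_ticket_params(url)); /* 2 */
    return 0;
}
```

Run against the callback URL from the question, the counter reports the number of stacked tickets, and the strict check shows why each Keycloak ticket was refused before the relaxation.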