
Cannot use AOS with Kerberos SSO on Alfresco 6.2

We set up Alfresco 6.2 with Kerberos SSO, and our users need to use AOS.
Kerberos SSO works: users are automatically logged in on Share from their Windows client.
AOS seems to be properly installed: With NTLM auth, users can check-out, edit and save documents in MS Word from Share.

But with Kerberos SSO on, when users check-out documents, the following stacktrace appears in Alfresco's logs, and users are not able to save modifications in the document:

nov. 26, 2021 12:25:35 PM org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: "Servlet.service()" pour la servlet [WebDAV] a généré une exception
java.lang.IllegalArgumentException: No enum constant org.springframework.http.HttpMethod.PROPFIND
        at java.base/java.lang.Enum.valueOf(Enum.java:240)
        at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:33)
        at org.alfresco.rest.api.PublicApiDeclarativeRegistry.findWebScript(PublicApiDeclarativeRegistry.java:97)
        at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:209)
        at jdk.internal.reflect.GeneratedMethodAccessor659.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy216.doFilter(Unknown Source)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.ClearSecurityContextFilter.doFilter(ClearSecurityContextFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:330)
        at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:182)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)

Sometimes we also have the same error but with the HttpMethod.LOCK:

déc. 01, 2021 11:58:18 AM org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: "Servlet.service()" pour la servlet [AosWebdavService] a généré une exception
java.lang.IllegalArgumentException: No enum constant org.springframework.http.HttpMethod.LOCK
        at java.base/java.lang.Enum.valueOf(Enum.java:240)
        at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:33)
        at org.alfresco.rest.api.PublicApiDeclarativeRegistry.findWebScript(PublicApiDeclarativeRegistry.java:97)
        at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:209)
        at jdk.internal.reflect.GeneratedMethodAccessor719.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy216.doFilter(Unknown Source)
        at jdk.internal.reflect.GeneratedMethodAccessor719.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
        at org.alfresco.module.aosmodule.auth.AosWebDavAuthenticationFilterInterceptor.invoke(AosWebDavAuthenticationFilterInterceptor.java:44)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy216.doFilter(Unknown Source)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.ServletMetricsFilter.doFilter(ServletMetricsFilter.java:161)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.ClearSecurityContextFilter.doFilter(ClearSecurityContextFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)

Here are the localhost_access logs when we OPEN the doc in Word:

[01/Dec/2021:12:10:58 +0100] "OPTIONS /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/ HTTP/1.1" 401 80
[01/Dec/2021:12:10:58 +0100] "OPTIONS /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/ HTTP/1.1" 200 -
[01/Dec/2021:12:10:58 +0100] "GET /_vti_inf.html HTTP/1.1" 200 247
[01/Dec/2021:12:10:58 +0100] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 230
[01/Dec/2021:12:10:58 +0100] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 194
[01/Dec/2021:12:10:58 +0100] "POST /alfresco/aos/_vti_bin/_vti_aut/author.dll HTTP/1.1" 401 80
[01/Dec/2021:12:10:58 +0100] "POST /alfresco/aos/_vti_bin/_vti_aut/author.dll HTTP/1.1" 200 2515
[01/Dec/2021:12:10:58 +0100] "POST /alfresco/aos/_vti_bin/_vti_aut/author.dll HTTP/1.1" 200 1789
[01/Dec/2021:12:10:58 +0100] "HEAD /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 -
[01/Dec/2021:12:10:58 +0100] "LOCK /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3359
[01/Dec/2021:12:10:58 +0100] "GET /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 11381
[01/Dec/2021:12:10:58 +0100] "PROPFIND /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3367
[01/Dec/2021:12:10:58 +0100] "HEAD /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 -

And here the logs when we try to SAVE the doc:

[01/Dec/2021:12:12:03 +0100] "LOCK /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3359

The stacktraces for the code 500 errors are provided above (no enum constants HttpMethod.LOCK and .PROPFIND).

After looking at the stacktraces and the sources, it seems that the error happens in the BaseSSOAuthenticationFilter, which is extended by BaseKerberosAuthenticationFilter, when it tries to route the request which has the HTTP method set with PROPFIND or LOCK, which are not standard HTTP methods.
It makes me think that AOS doesn't support SSO.

Here is our authentication chain in alfresco-global.properties:

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

And we set an aos.baseUrlOverwrite property.

Also we use a reverse proxy, but it doesn't seem to be a problem in our case since requests are properly routed, and AOS works with NTLM auth.

So my questions are:

  • Can AOS work with Kerberos SSO on Alfresco 6.2? The official documentation says that MS Office does support Kerberos, but it doesn't explicitly say that AOS does support Kerberos or doesn't.
  • If yes, how to make it work? Did we miss something?

It is actually a known bug, fixed in Alfresco 6.2.2.2:
https://alfresco.atlassian.net/browse/MNT-21758

Installing ACS 6.2.2.21 fixed the issue.

It is sad that this ticket (or the whole website?) is not indexed by search engines...
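
To check whether a deployment shows the symptom described in the question, the access log can be scanned for requests whose verb is outside Spring's `HttpMethod` enum and that came back as 5xx. This is an added example, not code from the post or from Alfresco; `triage`, `SPRING_HTTP_METHODS` and `LINE_RE` are names chosen here, and the sample lines are copied from the access log quoted in the question.

```python
import re
from collections import Counter

# Constants of the org.springframework.http.HttpMethod enum (Spring 5.x).
# Any other verb makes HttpMethod.valueOf() throw, as in the stack traces above.
SPRING_HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE"}

# Layout of the localhost_access lines in the question:
#   [timestamp] "METHOD /path HTTP/1.1" status bytes
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z-]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"'
    r'\s+(?P<status>\d{3})\s+(?P<size>\d+|-)$'
)

# Lines copied from the access log quoted in the question.
SAMPLE_LOG = """\
[01/Dec/2021:12:10:58 +0100] "OPTIONS /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/ HTTP/1.1" 401 80
[01/Dec/2021:12:10:58 +0100] "OPTIONS /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/ HTTP/1.1" 200 -
[01/Dec/2021:12:10:58 +0100] "HEAD /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 -
[01/Dec/2021:12:10:58 +0100] "LOCK /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3359
[01/Dec/2021:12:10:58 +0100] "GET /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 11381
[01/Dec/2021:12:10:58 +0100] "PROPFIND /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3367
[01/Dec/2021:12:12:03 +0100] "LOCK /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3359
"""

def triage(lines):
    """Summarise requests whose verb is not a Spring HttpMethod constant."""
    failing, served, paths, skipped = Counter(), Counter(), set(), 0
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            skipped += 1          # line does not follow the expected layout
            continue
        method, status = m["method"], int(m["status"])
        if method in SPRING_HTTP_METHODS:
            continue              # standard verbs are not affected by the enum lookup
        if status >= 500:
            failing[method] += 1  # extension verb that ended in a server error
            paths.add(m["path"])
        else:
            served[method] += 1   # extension verb that got past the SSO filter
    return {"failing": dict(failing), "served": dict(served),
            "paths": sorted(paths), "skipped": skipped}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

On a log taken after installing the fixed release, the same verbs would be expected under `served` rather than `failing`.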
