Help

Alfresco AOS authentication

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
jhigueraf
Active Member
‎22 Aug 2023 1:26 PM

Alfresco AOS authentication

Hi,

I'm having issues with AOS and the authentaction... My goal is to edit documents using local microsoft office.

I'm using alfresco community in dockers.

I had it configured to authenticate with user and password. But, in this pass days the authentcation method changes and the office app tries to connect to keycloak. Keycloak is configured in the authentication-chain property in order to login in alfresco-share and the external API. But keycloak is not accesible from outside the local net of the containers. I can login in alfresco-share and create documents or whatever I want.

The problem occurs when I try to edit a file. A few days ago the word application prompts me the tipical user/password popup, which I fill properly and works like a charm... But now, word application prompts a web-browser which tries to connect to the local url of keycloak (http://keycloak:8080)... This url is not accesible from outside the containers network so It dosn't work... I made the url accesible for testing purpouse but the web-browser doesn't support cookies so I can not login 

Here is the JAVA_OPTS variable which is the only thing I edited:

ENV JAVA_OPTS=" \
    -Dalfresco_user_store.adminusername=alfresco_admin \
    -Dalfresco_user_store.adminpassword=alfresco_admin \
    -Ddb.username=alfresco_admin \
    -Ddb.password=alfresco_admin \
    -Ddb.driver=org.postgresql.Driver \
    -Ddb.url=jdbc:postgresql://db:5432/alfresco_db \
    -Dalfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634 \
    -Dsystem.preferred.password.encoding=bcrypt10 \
    -Dsolr.host=solr6 \
    -Dsolr.port=9084 \
    -Dsolr.port.ssl=9084 \
    -Dsolr.secureComms=secret \
    -Dsolr.sharedSecret=mysecret \
    -Dsolr.baseUrl=/solr \
    -Dindex.subsystem.name=solr6 \
    -Dalfresco.host=alfresco \
    -Dalfresco.port=8443 \
    -Dalfresco.protocol=https \
    -Dshare.host=alfresco \
    -Dshare.port=8443 \
    -Dshare.protocol=https \
    -Daos.baseUrlOverwrite=https://alfresco:8443/alfresco/aos \
    -Daos.contentFilter.ignoreOOXMLProtected=false \
    -Dmessaging.broker.url='failover:(nio://activemq:61616)?timeout=3000&jms.useCompression=true' \
    -Ddeployment.method=DOCKER_COMPOSE \
    -Dcsrf.filter.enabled=false \
    -Dopencmis.server.override=true \
    -Dopencmis.server.value=https://alfresco:8443 \
    -DlocalTransform.core-aio.url=http://alfresco-transform-core-aio:9083 \
    -DlocalTransform.ocr.url=http://alfresco-transform-ocr:8090 \
    -Dcsrf.filter.enabled=false \
    -Dalfresco.restApi.basicAuthScheme=true \
    -Dauthentication.protection.enabled=false \
    -XX:+UseG1GC -XX:+UseStringDeduplication \
    -Dgoogledocs.enabled=true \
    -Xms6848m -Xmx6848m \
    -Dauthentication.chain=identity-service1:identity-service,ldap1:ldap \
    -Didentity-service.authentication.defaultAdministratorUserNames=alfresco_admin \
    -Didentity-service.enable-basic-auth=true \
    -Didentity-service.auth-server-url=http://keycloak:8080/auth \
    -Didentity-service.realm=${ALFRESCO_REALM} \
    -Didentity-service.resource=oicd-alfresco \
    -Dldap.authentication.active=false \
    -Dldap.synchronization.active=true \
    -Dldap.authentication.java.naming.provider.url=ldap://ldap:8888 \
    -Dldap.synchronization.java.naming.security.principal=ldapconfig \
    -Dldap.synchronization.userNameFormat=cn=%s,ldapconfig \
    -Dldap.synchronization.java.naming.security.credentials=ldapconfig \
    -Dldap.synchronization.groupSearchBase=ldapconfig \
    -Dldap.synchronization.userSearchBase=ldapconfig \
    -Dldap.synchronization.java.naming.security.authentication=simple \
    -Dldap.synchronization.userIdAttributeName=cn \
    -Dldap.synchronization.full.enabled=true \
    -Dsynchronization.syncOnStartup=true \
    -Dsynchronization.import.cron='0 * * ? * *' \
    -Dlog4j.logger.org.alfresco.repo.security.sync=debug \
    -Dlog4j.logger.org.alfresco.repo.security.person=debug \
    -Dlog4j.logger.org.alfresco.enterprise.repo.authorization.AuthorizationService=debug \
    -Dlog4j.logger.org.alfresco.enterprise.repo.authorization.AuthorizationsConsistencyMonitor=debug \
    -Dlog4j.logger.org.alfresco.filesys.auth.ftp=debug \
    -Dlog4j.logger.org.alfresco.ftp.protocol.auth=debug \
    -Dlog4j.logger.org.alfresco.repo.webdav.auth=debug \
    -Dlog4j.logger.org.alfresco.repo.web.auth=debug \
    -Dlog4j.logger.org.alfresco.web.app.servlet=debug \
    -Dlog4j.logger.org.alfresco.repo.security.authentication=debug \
    -Dkeycloak.enabled=true \
    -Dkeycloak.realm=alfresco-realm \
    -Dkeycloak.auth-server-url=http://keycloak:8080/auth \
    -Dkeycloak.resource=oicd-alfresco \
    -Dkeycloak.principal-attribute=email \
    -Dkeycloak.autodetect-bearer-only=true \
    -Dkeycloak.token-store=header \
    -Dkeycloak.enable-basic-auth=false \
    -Dkeycloak.sso.enabled=true \
    -Dkeycloak.handlePublicApi=false \
    -Dkeycloak.allowTicketLogons=true \
    -Dkeycloak.allowUserNamePasswordLogin=true \
    -Dkeycloak.mapAuthorities=true \
    -Dkeycloak.mapPersonPropertiesOnLogin=true \
    -Dkeycloak.synchronization.enabled=true \
    -Dkeycloak.verify-token-audience=true \
    -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 \
    -Dcors.enabled=false \
    -Dheartbeat.enabled=false \
    "

So, could you help me to solve this problem¿? 

I'm having nightmares with this problem...

 

0 Kudos
Reply
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.