can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

cancel
Showing results for 
Search instead for 
Did you mean: 
sanzoghenzo
Active Member II

can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

I'm trying to make my custom application (an excel addin written with Office JS api and react) connect to our alfresco deployment.

If I try to login using the app, via alfresco js api, i get a 403 response with the following body:

 

{
  "error": {
    "errorKey": "Login failed",
    "statusCode": 403,
    "briefSummary": "02180006 Login failed",
    "stackTrace": "Per motivi di sicurezza l'analisi dello stack non viene più visualizzata, ma viene mantenuta la proprietà per le versioni precedenti",
    "descriptionURL": "https://api-explorer.alfresco.com"
  }
}

Here the request header:

Spoiler
Accept: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-GB, en; q=0.8, it-IT; q=0.5, it; q=0.3
Authorization: Basic aXM0V2FpMWV4aWUwOmFuZHJlYS5naGVuc2k=
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 52
Content-Type: application/json
Host: dms.sws-digital.com
Origin: https://localhost:3000
Referer: https://localhost:3000/taskpane.html?_host_Info=Excel$Win32$16.01$it-IT$$$$0
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

(localhost:3000 is the domain of the excel addin, I'm running it on my pc and sideloading it in excel desktop app)

And here the response headers:

Spoiler
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost:3000
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Date: Wed, 18 Mar 2020 16:19:47 GMT
Server: nginx/1.13.8
Transfer-Encoding: chunked
Vary: Origin

I got the same result with the API explorer with the POST tickets endpoint.

 

If I use postman to test the same endpoint, everything is ok.

I already solved (or so I think) the CORS issues by allowing * origin in CORS filters of web.xml

Spoiler

 web.xml CORS portion

    <filter>
      <filter-name>CORS</filter-name>
      <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      <init-param>
         <param-name>cors.allowGenericHttpRequests</param-name>
      <init-param>
         <param-name>cors.allowGenericHttpRequests</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.allowOrigin</param-name>
         <param-value>*</param-value>
         <!--param-value>http://localhost:8081,https://localhost:3000,https://dms.sws-digital.com</param-value-->
      </init-param>
      <init-param>
         <param-name>cors.allowSubdomains</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedMethods</param-name>
         <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedHeaders</param-name>
         <param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type</param-valu$      </init-param>
      <init-param>
         <param-name>cors.supportsCredentials</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.maxAge</param-name>
         <param-value>3600</param-value>
      </init-param>
   </filter>
[...]
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/api/*</url-pattern>
<url-pattern>/service/*</url-pattern>
<url-pattern>/s/*</url-pattern>
<url-pattern>/cmisbrowser/*</url-pattern>
</filter-mapping>

 

My alfresco dockers are behind an ngnix https proxy, that is configured like this:

 

Spoiler
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
rewrite ^ https://$host$request_uri? permanent;
}
[...]
server { listen 443 ssl; listen [::]:443 ssl; ssl_certificate /etc/ssl/certs/sws-digital.com.crt; ssl_certificate_key /etc/ssl/private/sws-digital.com.key; ssl_protocols TLSv1.2; root /var/www/html; server_name dms.sws-digital.com; rewrite ^/$ /share; location /share { proxy_pass http://share:8080; #proxy_redirect off; proxy_pass_header Set-Cookie; proxy_set_header Origin ""; proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Frowarded-Proto $scheme; proxy_set_header Referer ""; # Allow large file upload client_max_body_size 0; } location /alfresco { proxy_pass http://alfresco:8080; #proxy_redirect off; proxy_pass_header Set-Cookie; proxy_set_header Proxy ""; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Frowarded-Proto $scheme; proxy_set_header Referer ""; # large files upload client_max_body_size 0; } }

 

I tried to add the following to the shared/classes/alfresco-global.properties:

 

Spoiler
alfresco.context=alfresco
alfresco.host=dms.sws-digital.com
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=dms.sws-digital.com
share.port=443
share.protocol=https
opencmis.context.override=false
opencmis.context.value=
opencmis.servletpath.override=false
opencmis.servletpath.value=
opencmis.server.override=true
opencmis.server.value=https://dms.sws-digital.com
aos.baseUrlOverwrite=https://dms.sws-digital.com/alfresco/aos

but nothing changed.

 

I'm banging my head on this for three days now, and I'm officially lost.

Alfresco dockers are based on acs-deployment from January 2019 modified to use ACS community 6.1.2-ga with a custom content model and the configuration shown above.

 

3 Replies
narkuss
Established Member II

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

You should look at the Alfresco logs. It will probably give you a clue about what is the problem. 

sanzoghenzo
Active Member II

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

Oh boy, what a shame... there was a bug in my javascript, I swapped the username and password parameters in the login call!

I overlooked the body check, and thanks to your help I enabled the logs:

  • At first I enabled the debug level of log4j.logger.org.alfresco.rest and it pointed to this line
  • then, browsing the source code, I figured out that i had to enable the debug level of log4j.logger.org.alfresco.repo.security.authentication, and with this I saw that the user that I tried to log in with was actually the password.

Is there somewhere a list of the logger used by alfresco with a description? I had to spend quite some time in the source code to figure out what logger to enable/set to debug level...

EddieMay
Community Manager
Community Manager

Re: can't login to Alfresco docker behind HTTPS nginx proxy from alfresco js api or api explorer

Hi @sanzoghenzo,

Glad to hear you got it sorted and thanks for reporting how you fixed it - really helpful to other users in a similar situation.

Best wishes,

Digital Community Manager, Alfresco Software.
Problem solved? Click Accept as Solution!