Difference between platform endpoints?

idwright
Senior Member


I haven't found any documentation about this so I thought I'd ask a question.

(I have all this working, I'm just trying to understand it all a bit better)

My aim is to have SSO set up and configured - share is relatively straightforward but I'm trying to understand the detail behind the platform/repo endpoints as the documentation doesn't really cover this.

I think the only URL I need to expose is: /alfresco/s/admin/admin-communitysummary (or /alfresco/s/enterprise/admin)

The information for configuring a proxy Configuring SSL for a production environment | Alfresco Documentation is pretty good here but I think the /alfresco mount point exposes rather more than is necessary these days

I think /alfresco would be better as:

JkMount /alfresco/s/admin alfresco-worker
JkMount /alfresco/s/admin/* alfresco-worker
JkMount /alfresco/admin/css/* alfresco-worker

(For enterprise add /service/enterprise/admin/* and /s/enterprise/admin/* ?)

(And if you're using the nice new ootb support tools extension

JkMount /alfresco/s/ootbee/* alfresco-worker
JkMount /alfresco/ootbee-support-tools/* alfresco-worker

)

The implication here is that these, or at least /alfresco/.../admin, are the endpoints that need to be covered by SSO at the alfresco level (have I missed anything?) + the ones for public API access if you want those

The authentication mappings in alfresco/WEB-INF/web.xml seem to have changed a fair bit recently

(a clue! - there is a CSRF token filter on /service/enterprise/admin/* and /s/enterprise/admin/*)

There appear to be authentication filters around /wcs and /wcservice, as well as /api, /webdav and /cmisatom

The documentation on configuring the SSO endpoint (incidentally the examples don't even all have the same number of endpoints listed...) Configuring Alfresco Share to use an external SSO | Alfresco Documentation (code doesn't match text...), Configuring the Share default port | Alfresco Documentation and Configuring the Share default port | Alfresco Documentation has for a long time said to use the wcs endpoint in share-custom-config.xml when external auth is being used, however now I believe that the s endpoint is recommended (although it's not entirely clear) e.g. [ACE-5661] External authentication Problem with CAS - Alfresco JIRA (and other issues) see the comment from Kevin Roast

 

So this is a rather long winded way of asking what is the purpose of the /wcs endpoint and how does it differ from the /s endpoint? (obviously there are authentication filters in front of /wcs)
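
To see which requests the narrower mounts in the question would still pass to the repository, the sketch below checks request paths against JkMount patterns; it is an added example, not part of the original post or of Alfresco's or mod_jk's code. It models the wildcards in simplified form ('*' as any run of characters, '?' as one character), and the broad `/alfresco/*` mount and the sample paths are constructed for illustration.

```python
import re

# JkMount lines as proposed in the question above.
PROPOSED = """\
JkMount /alfresco/s/admin alfresco-worker
JkMount /alfresco/s/admin/* alfresco-worker
JkMount /alfresco/admin/css/* alfresco-worker
JkMount /alfresco/s/ootbee/* alfresco-worker
JkMount /alfresco/ootbee-support-tools/* alfresco-worker
"""
# Assumed form of the broad mount the question wants to replace.
BROAD = "JkMount /alfresco/* alfresco-worker\n"

# Constructed sample paths built from endpoints named in the thread.
SAMPLE_PATHS = [
    "/alfresco/s/admin/admin-communitysummary",
    "/alfresco/s/administrator",        # must not ride on the /s/admin mount
    "/alfresco/s/enterprise/admin",
    "/alfresco/wcs/admin/admin-communitysummary",
    "/alfresco/webdav",
    "/alfresco/cmisatom",
]

def parse_mounts(text):
    """Return [(pattern, worker)] for each JkMount line; ignore everything else."""
    mounts = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "JkMount":
            mounts.append((parts[1], parts[2]))
    return mounts

def to_regex(pattern):
    """Simplified wildcard model: '*' is any run of characters, '?' exactly one."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))

def forwarded(path, mounts):
    """Return the first mount pattern that would forward `path`, else None."""
    path = path.split("?", 1)[0]  # match on the path, not the query string
    for pattern, _worker in mounts:
        if to_regex(pattern).fullmatch(path):
            return pattern
    return None

if __name__ == "__main__":
    narrow, broad = parse_mounts(PROPOSED), parse_mounts(BROAD)
    for p in SAMPLE_PATHS:
        print(f"{p:45} narrow={forwarded(p, narrow)} broad={forwarded(p, broad)}")
```

Any path reported as `None` under the narrow set is simply never handed to the repository tier by the proxy, which is the reduction in exposure the question is after.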

1 Solution

Accepted Solutions
afaust
Master

Re: Difference between platform endpoints?


The /wcs endpoint is essentially the same as the /s endpoint, but only with a different HTTP authentication factory being used during the dispatch to the web script layer. The /s endpoint (actually, the /service endpoint - /s is just an alias) uses a simple authentication factory that only supports HTTP BASIC. /wcs (or to be more precise /wcservice) uses an authentication factory that ties in with the Repository-tier SSO handling and thus is required to be used by Share when enabling SSO there.


2 Replies
cesarista
Customer

Re: Difference between platform endpoints?


Hi Ian:

I have the same question. First, I agree that Share SSO is quite straightforward, configuring external auth subsystem and enabling the Remote configuration in Share. For old Alfresco Explorer, we needed to add additional cas client library in /alfresco/WEB-INF/lib and to change web.xml as you commented, which is not necessary for Alfresco 5, except in Admin Console (and maybe for /alfresco/webdav).

 

On the other hand, I can only say that I have seen the WCS endpoint, when activating Remote config in Alfresco Share configured for an external or NTLM based SSO. I understood that Alfresco Share needed /wcs endpoint to pass NTLM challenge for Alfresco Repository Services (in case of AlfrescoNtlm with SSO). I would expect in this case, that once enabled /wcs you can go directly to admin console via /alfresco/wcs instead of /alfresco/s. Maybe it is not the case with an external web SSO like CAS.

Regards.

--C.
