External Auth REST Api visibility

iwine
Member II

External Auth REST Api visibility

Hi everyone.

I'm trying to invoke Alfresco Core REST API with external authentication option enabled. Everything works, but I have found there is one thing I do not understand.

As indicated in the documentation, in the file alfresco-global.properties, the property

external.authentication.defaultAdministratorUserNames = admin

is a separated list of user names who should be considered administrators by default.

I expected that the services could be called with external authentication only if the credentials of one of the administrators were present in the Basic Auth of the request.

Instead it works in all cases.

For example, I can access the administrator's data by passing the credentials of any user in the Basic Auth and in the header X-Alfresco-Remote-User=admin.

So what is the meaning of that property? And isn't there a way to avoid this behavior?

One last thing.

If a username not present in the system is passed in the header, I noticed that it is automatically created even if I don't understand with what password. Can't we avoid this?

I forgot, I'm using Alfresco Community Edition 6.2.

Thanks for any help!

2 Replies
jpotts
Professional

Re: External Auth REST Api visibility

You have enabled external authentication, which means Alfresco is no longer responsible for authentication; that has been delegated to some other system.

Whatever is in X-Alfresco-Remote-User is the user that Alfresco is going to assume has already been authenticated by your external system.

In this configuration you need to make sure that all traffic to Alfresco goes through a proxy which is protected by whatever external auth system you've enabled.

Hope that makes sense and that I'm understanding your issue correctly.
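The reply above puts the whole burden on the proxy: once external authentication is on, Alfresco believes whatever arrives in X-Alfresco-Remote-User. What follows is an added example, not Alfresco's code nor anything from this thread, showing the header hygiene such a proxy must enforce. The "external auth system" is a constructed table of session tokens, and the X-Session-Token header name is an assumption standing in for whatever ADFS/SSO cookie a real proxy would validate. In a real deployment the same two rules (never copy the client's X-Alfresco-Remote-User, set it only from the proxy-verified identity) are expressed in the proxy's own configuration, for example nginx proxy_set_header directives. Alfresco also has an external.authentication.proxyUserName property for restricting which caller the header is trusted from; whether it is set in the poster's configuration is not visible in the thread.

```python
"""
Added example (not Alfresco's code): header hygiene a reverse proxy must
apply when Alfresco runs with external authentication. Alfresco trusts the
identity in X-Alfresco-Remote-User, so the proxy, not the client, must be the
only party that ever sets it. The "external auth system" below is a
constructed stand-in: a table of session tokens to user names.
"""
from typing import Dict, Mapping, Optional

REMOTE_USER_HEADER = "X-Alfresco-Remote-User"   # header Alfresco trusts (from the thread)
SESSION_HEADER = "X-Session-Token"              # assumed name of the proxy's own SSO token

# Constructed stand-in for the external authentication system (ADFS, an SSO
# cookie store, ...). A real proxy validates a signed assertion or cookie here.
EXTERNAL_SESSIONS = {
    "tok-alice-1": "alice",
    "tok-admin-9": "admin",
}

# Headers that must never be copied from the client to Alfresco: the identity
# claim (forgeable) and the client's own credentials/session material.
STRIPPED_HEADERS = {REMOTE_USER_HEADER.lower(), SESSION_HEADER.lower(), "authorization"}


class ProxyRejected(Exception):
    """The proxy refuses to forward the request upstream."""


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def authenticate_at_proxy(client_headers: Mapping[str, str]) -> str:
    """Resolve the caller's identity from the external system only.

    Whatever the client put in X-Alfresco-Remote-User is deliberately ignored;
    a request with no valid external session never reaches Alfresco at all,
    which is what closes the "any Basic Auth user plus a header" path and
    prevents accounts being created for arbitrary names.
    """
    token = _get_header(client_headers, SESSION_HEADER)
    user = EXTERNAL_SESSIONS.get(token) if token else None
    if user is None:
        raise ProxyRejected("no valid external session; not forwarding to Alfresco")
    return user


def build_upstream_headers(client_headers: Mapping[str, str], user: str) -> Dict[str, str]:
    """Copy benign client headers, drop the forgeable ones, then set the
    identity the proxy itself established."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in STRIPPED_HEADERS}
    forwarded[REMOTE_USER_HEADER] = user
    return forwarded


def proxy_request(client_headers: Mapping[str, str]) -> Dict[str, str]:
    """Full path: authenticate externally, then build what Alfresco will see."""
    user = authenticate_at_proxy(client_headers)
    return build_upstream_headers(client_headers, user)


if __name__ == "__main__":
    # Constructed requests: a forged header from a legitimately signed-in
    # user, and an anonymous request carrying only the forged header.
    forged = {"X-Session-Token": "tok-alice-1", "X-Alfresco-Remote-User": "admin"}
    print(proxy_request(forged))          # identity sent upstream is 'alice', not 'admin'
    try:
        proxy_request({"X-Alfresco-Remote-User": "admin"})
    except ProxyRejected as exc:
        print("rejected:", exc)
```

The point of the split between authenticate_at_proxy and build_upstream_headers is that the identity handed to Alfresco is derived from the proxy's own session check and nothing else; the client's header is not merely overwritten when present but removed before the proxy's value is set, so a casing variant such as x-alfresco-remote-user cannot slip through either.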

ranjeetsi
Established Member II

Re: External Auth REST Api visibility

Hi @jpotts ,

Thanks for the detail!

Have some questions:

a) Can you please suggest what the ways are to protect the proxy by the external auth system (ADFS)?

b) If there is another Mulesoft layer between the custom UI and the Alfresco server (with or without proxy), then how can the external authentication work via Mulesoft (sample screenshot 1 attached)?

The UI will make REST calls to Mulesoft, which has the API wrappers over the Alfresco REST APIs. Also, the UI server can authenticate with Mulesoft only via OAuth2,

[Attachment: alf_ext_auth_adfs.PNG]

Alfresco Content Services Certified Engineer (ACSCE)