External Auth REST Api visibility


Hi everyone.

I'm trying to invoke Alfresco Core REST API with external authentication option enabled. Everything works, but I have found there is one thing I do not understand.

As indicated in the documentation, in the file alfresco-global.properties, the property

external.authentication.defaultAdministratorUserNames = admin

is a separated list of user names who should be considered administrators by default.

I expected that the services could be called with external authentication only if the credentials of one of the administrators were present in the Basic Auth of the request.

Instead it works in all cases.

For example, I can access the administrator's data by passing the credentials of any user in the Basic Auth and in the header X-Alfresco-Remote-User=admin.

So what is the meaning of that property? And isn't there a way to avoid this behavior?

One last thing.

If a username not present in the system is passed in the header, I noticed that it is automatically created even if I don't understand with what password. Can't we avoid this?

I forgot, I'm using Alfresco Community Edition 6.2.

Thanks for any help!

1 Reply

Re: External Auth REST Api visibility

You have enabled external authentication, which means Alfresco is no longer responsible for authentication: that has been delegated to some other system.

Whatever is in X-Alfresco-Remote-User is the user that Alfresco is going to assume has already been authenticated by your external system.

In this configuration you need to make sure that all traffic to Alfresco goes through a proxy which is protected by whatever external auth system you've enabled.

Hope that makes sense and that I'm understanding your issue correctly.
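The rule the reply describes, as an added illustration (not code from this thread or from Alfresco): the proxy in front of Alfresco is the only place the header may be written, so it must drop any X-Alfresco-Remote-User the client sent and set it only from the identity its own auth system established. The function name, the `authenticated_user` parameter and the sample headers are assumptions for the example.

```python
"""Proxy-side header handling for Alfresco external authentication (added example).

Alfresco trusts whatever arrives in X-Alfresco-Remote-User, so that header must only
ever be produced by the proxy that performed the real authentication, never passed
through from an untrusted client.
"""
from typing import Mapping, Optional

# Header Alfresco reads the pre-authenticated user from (configurable via
# external.authentication.proxyHeader; this is its default value).
REMOTE_USER_HEADER = "X-Alfresco-Remote-User"


def forward_headers(client_headers: Mapping[str, str],
                    authenticated_user: Optional[str]) -> Optional[dict]:
    """Build the header set the proxy forwards to Alfresco.

    client_headers:     headers exactly as received from the untrusted client.
    authenticated_user: identity established by the external auth system in front
                        of the proxy, or None if that system did not authenticate
                        the request (hypothetical parameter for this example).
    Returns None when the request must be rejected upstream of Alfresco, otherwise
    a dict that is safe to send to Alfresco.
    """
    if not authenticated_user:
        # No identity of our own to assert: never forward, let the auth system
        # challenge the client instead of letting Alfresco auto-create a user.
        return None
    # Drop every client-supplied copy of the trusted header (names are
    # case-insensitive, so compare in lower case), then set our own value.
    forwarded = {
        name: value
        for name, value in client_headers.items()
        if name.lower() != REMOTE_USER_HEADER.lower()
    }
    forwarded[REMOTE_USER_HEADER] = authenticated_user
    return forwarded


if __name__ == "__main__":
    # Constructed sample: client authenticated as "jdoe" upstream but tries to
    # smuggle a different identity in the header Alfresco trusts.
    sample = {"x-alfresco-remote-user": "admin", "Accept": "application/json"}
    print(forward_headers(sample, "jdoe"))
    print(forward_headers(sample, None))
```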