Help

Custom Login Page when Outside a Kerberos Domain

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Custom Login Page when Outside a Kerberos Domain

amukha
Active Member
1 0 2,425
‎19 Jul 2017 10:22 AM

When accessing Alfresco Content Services (ACS) and Alfresco Community Edition outside of a Kerberos domain, it is necessary to direct the system to a login page when SSO fails. The correct implementation of a fallback login page depends on the specific use case, and an incorrect implementation could create an additional vector for authentication attacks. Instead of trying to put into the product a "one-size-fits-all" solution, this tutorial provides a small example that can be used to meet your specific needs.


Some setups require ACS to be configured with a composite authentication chain:


authentication.chain=kerberos:kerberos,basic:alfrescoNtlm

This might be useful to allow client machines outside of a Kerberos Domain to access resources like /webdav or /aos using a browser and basic authentication. When the unauthenticated client browser sends the first request to these resources, ACS will respond with 401 status containing the WWW-Authenticate: Negotiate header, meaning that Kerberos authentication is enabled. The response will also include a small HTML page with a link to a custom login page.

This link is configurable by using the property (available from 5.1.4 and 5.2.1):


kerberos.authentication.sso.login.page.link=/customloginpage.html

Let's take a small example of a login page (customloginpage.html) and place it in the root of alfresco.war file.

<!DOCTYPE html>
<html>
   <head>
       <title>Alfresco Custom Login Page</title>
   </head>
   <body>
      <h3>Login to WebDAV</h3>
      <div class="container">
          <label><b>Username</b></label>
          <input type="text" placeholder="Enter Username" id="username" tabindex="0">
          <label><b>Password</b></label>
          <input type="password" placeholder="Enter Password" id="password" tabindex="0">
          <button onclick="httpGet()" tabindex="0">Login</button>
      </div>

   </body>
</html>

<script>
 function httpGet()
 {
    var url = "http://192.168.56.102:8080/alfresco/webdav";
    var request = new XMLHttpRequest();
    request.open("GET", url, false);
    request.setRequestHeader("Authorization", "Basic " +
       btoa(document.getElementById("username").value + ":" + document.getElementById("password").value));
    request.send();
    window.location.replace(url);
 }
</script>


Assuming that the server's IP address is 192.168.56.102, the credentials put into the login page will be Base64 encoded to create a Basic authentication header and sent to the ACS. The JavaScript will then redirect the user to [host]/alfresco/webdav.

Alfresco Content Services Hub Docs

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.