When Alfresco Content Services (ACS) or Alfresco Community Edition is accessed from outside a Kerberos domain, users need to be directed to a login page when SSO fails. The correct implementation of a fallback login page depends on the specific use case, and an incorrect implementation could create an additional vector for authentication attacks. Rather than building a "one-size-fits-all" solution into the product, this tutorial provides a small example that you can adapt to your specific needs.
Some setups require ACS to be configured with a composite authentication chain:
authentication.chain=kerberos:kerberos,basic:alfrescoNtlm
This can be useful for allowing client machines outside a Kerberos domain to access resources such as /webdav or /aos using a browser and basic authentication. When an unauthenticated client browser sends its first request to these resources, ACS responds with a 401 status containing the WWW-Authenticate: Negotiate header, which indicates that Kerberos authentication is enabled. The response also includes a small HTML page with a link to a custom login page.
This link is configurable by using the property (available from 5.1.4 and 5.2.1):
kerberos.authentication.sso.login.page.link=/customloginpage.html
Let's take a small example of a login page (customloginpage.html) and place it in the root of the alfresco.war file:
<!DOCTYPE html>
<html>
<head>
  <title>Alfresco Custom Login Page</title>
</head>
<body>
  <h3>Login to WebDAV</h3>
  <div class="container">
    <label for="username"><b>Username</b></label>
    <input type="text" placeholder="Enter Username" id="username" tabindex="0">
    <label for="password"><b>Password</b></label>
    <input type="password" placeholder="Enter Password" id="password" tabindex="0">
    <button onclick="httpGet()" tabindex="0">Login</button>
  </div>
  <!-- The script sits inside <body>; markup after </html> is not valid HTML. -->
  <script>
    function httpGet()
    {
      // Address of the WebDAV resource on the ACS server (adjust to your host).
      var url = "http://192.168.56.102:8080/alfresco/webdav";
      var request = new XMLHttpRequest();
      // Synchronous GET, so the redirect below runs only after the request completes.
      request.open("GET", url, false);
      // Basic credentials are only Base64-encoded, not encrypted.
      request.setRequestHeader("Authorization", "Basic " +
        btoa(document.getElementById("username").value + ":" + document.getElementById("password").value));
      request.send();
      // Send the browser to the WebDAV resource.
      window.location.replace(url);
    }
  </script>
</body>
</html>
Assuming that the server's IP address is 192.168.56.102, the credentials entered in the login page are Base64-encoded to create a Basic authentication header and sent to ACS. The JavaScript then redirects the user to [host]/alfresco/webdav.
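A hardened variant of the httpGet() logic above, as an added example that is not part of the original tutorial or of Alfresco's code: it encodes the credentials per RFC 7617, refuses non-HTTPS or cross-origin targets, and redirects only when the server accepts the credentials. It assumes ACS is served over HTTPS from the same origin as the login page; all function names are hypothetical.

```javascript
// Added example; function names are hypothetical, sample hosts are constructed.

// Build an RFC 7617 Basic credential. btoa() alone throws on characters
// outside Latin-1, so the user:password pair is UTF-8 encoded first.
function buildBasicHeader(username, password) {
  // A colon in the user-id would shift the user/password boundary.
  if (username === "" || username.includes(":")) {
    throw new Error("invalid username");
  }
  const bytes = new TextEncoder().encode(username + ":" + password);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// Credentials go only to the origin that served the login page, and only
// over HTTPS, because Basic credentials are merely Base64-encoded.
function checkLoginTarget(targetUrl, pageOrigin) {
  const target = new URL(targetUrl, pageOrigin);
  if (target.protocol !== "https:") return { ok: false, reason: "not-https" };
  if (target.origin !== new URL(pageOrigin).origin) {
    return { ok: false, reason: "cross-origin" };
  }
  return { ok: true, url: target.href };
}

// Map the server's status to what the page does next.
function nextStep(status) {
  if (status >= 200 && status < 300) return "redirect";
  if (status === 401 || status === 403) return "show-error";
  return "retry-later";
}

// Browser wiring: same flow as the page's httpGet(), but asynchronous and
// redirecting only after the server accepted the credentials.
async function login(targetUrl, username, password) {
  const target = checkLoginTarget(targetUrl, window.location.origin);
  if (!target.ok) return target.reason;
  const response = await fetch(target.url, {
    headers: { Authorization: buildBasicHeader(username, password) },
  });
  const step = nextStep(response.status);
  if (step === "redirect") window.location.replace(target.url);
  return step;
}
```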