Custom Login Page when Outside a Kerberos Domain

When Alfresco Content Services (ACS) or Alfresco Community Edition is accessed from outside a Kerberos domain, the system needs to direct the user to a login page when SSO fails. The correct implementation of a fallback login page depends on the specific use case, and an incorrect implementation could create an additional vector for authentication attacks. Rather than building a "one-size-fits-all" solution into the product, this tutorial provides a small example that you can adapt to your specific needs.

Some setups require ACS to be configured with a composite authentication chain:


This can be useful for allowing client machines outside of a Kerberos domain to access resources such as /webdav or /aos using a browser and basic authentication. When the unauthenticated client browser sends its first request to one of these resources, ACS responds with a 401 status containing the WWW-Authenticate: Negotiate header, which indicates that Kerberos authentication is enabled. The response also includes a small HTML page with a link to a custom login page.

This link is configurable by using the property (available from 5.1.4 and 5.2.1):

Let's take a small example of a login page (customloginpage.html) and place it in the root of the alfresco.war file.

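<!DOCTYPE html>
<html>
   <head>
      <title>Alfresco Custom Login Page</title>
   </head>
   <body>
      <h3>Login to WebDAV</h3>
      <div class="container">
         <input type="text" placeholder="Enter Username" id="username" tabindex="0">
         <input type="password" placeholder="Enter Password" id="password" tabindex="0">
         <button onclick="httpGet()" tabindex="0">Login</button>
      </div>
      <script>
         function httpGet() {
            // URL of the WebDAV resource on the ACS server ([host]/alfresco/webdav)
            var url = "";
            var request = new XMLHttpRequest();
            request.open("GET", url, false);
            // Build the Basic authentication header from the two form fields
            request.setRequestHeader("Authorization", "Basic " +
               btoa(document.getElementById("username").value + ":" + document.getElementById("password").value));
            request.send(null);
            // Redirect the user to the WebDAV resource
            window.location.href = url;
         }
      </script>
   </body>
</html>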

Assuming that the server's IP address is, the credentials put into the login page will be Base64 encoded to create a Basic authentication header and sent to the ACS. The JavaScript will then redirect the user to [host]/alfresco/webdav.
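
The header construction used by customloginpage.html, shown with the checks a fallback login form should make before sending it; this is an added example, not code from the original tutorial or from Alfresco. The function names and sample values are hypothetical, and it assumes the server decodes Basic credentials as UTF-8.

```javascript
// Added example; function names and sample values are hypothetical.

// Base64 of the UTF-8 bytes; plain btoa() throws on characters outside Latin-1.
function base64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Returns the Authorization header value, or throws if it should not be sent.
function buildBasicAuthHeader(targetUrl, username, password) {
  const url = new URL(targetUrl);
  // Base64 is an encoding, not encryption: only send credentials over TLS.
  if (url.protocol !== "https:") {
    throw new Error("refusing to send Basic credentials over " + url.protocol);
  }
  // RFC 7617: a user-id containing ":" is invalid (it separates the password).
  if (username.includes(":")) {
    throw new Error("username must not contain ':'");
  }
  // RFC 7617: neither field may contain control characters.
  if (/[\u0000-\u001f\u007f]/.test(username + password)) {
    throw new Error("control character in credentials");
  }
  return "Basic " + base64Utf8(username + ":" + password);
}

// Inverse of the above: whoever sees the header recovers the password.
function decodeBasicAuthHeader(header) {
  const binary = atob(header.replace(/^Basic /, ""));
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  const text = new TextDecoder().decode(bytes);
  const sep = text.indexOf(":");
  return { username: text.slice(0, sep), password: text.slice(sep + 1) };
}

// Constructed sample values (not from the original page).
const SAMPLE_URL = "https://acs.example.com/alfresco/webdav";
const sampleHeader = buildBasicAuthHeader(SAMPLE_URL, "alice", "p€ss:word");
console.log(sampleHeader, decodeBasicAuthHeader(sampleHeader));
```

In the login page, the value returned by buildBasicAuthHeader would replace the inline btoa(...) expression passed to setRequestHeader.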