问题
We are trying to implement SSO solution based on Spring Cloud microservices including separate Auth server. One of our services works with Alfresco through the CMIS client (Apache Chemistry). Having read lots of docs I still cannot find out how to make Alfresco check the Bearer "token" and login without password.
I reviewed this solution but here is the idea of creating new people with predefined passwords. But Alfresco may be configured with LDAP (so is Auth server) - there's a good chance that there are same users with their own passwords.
As I see it:
- incoming request is caught in filters;
- then token is extracted from headers;
- then token is used in order to retrieve some basic info about Principal (bound to that token) from Auth server;
- then, lets say, check if user with such name already exists in Alfresco and if yes, login them.
And here is the problem: how to login without password at all? Moreover: there's a chance that it won't work as there are several CMIS filters in web.xml that may work in a different way.
Well, actually I am not sure if that solution is good.
Does anyone know any better option for that case? Is there some universal solution for CMIS which I may have missed?
Thanks.
回答1:
Have you tried putting an Apache proxy in front of Tomcat and using Apache to deal with the SSO token? You can then use the Alfresco "external" authentication mechanism to essentially tell Alfresco to trust Apache to handle it. I believe this works with CMIS but I haven't tested it lately.
Here are the Alfresco docs on using external auth and SSO.
来源:https://stackoverflow.com/questions/52859717/alfresco-community-oauth2-sso-via-cmis