Shibbing Alfresco

Andrew G. Booth — Tue, 16 Jun 2009 14:37:31 +0100

Introduction

Part of the AMSeT project is the addition of a Shibboleth Service Provider to Alfresco. Some work has already been done in this area by Kimmo Ilppola, but this has used the Internet 2 implementation of the Shibboleth SAML Profile. This requires Apache as well as Tomcat and is complicated to set up and test.

We decided to use the Guanxi implementation instead. Written entirely in Java by Alistair Young at the University of the Highlands and Islands, all Guanxi modules are fully compatible with the Internet2 implementation and also fully compatible with the UK Access Management Federation and OpenAthens. These notes describe how Alfresco was 'shibbed' using Guanxi.

Adding Guanxi to Alfresco

We used Tomcat version 5.5.27, Java 1.6.0_13 and Alfresco Labs version 3 final. Most of our work has been done using Red Hat Enterprise 5 on a 64-bit Dell server, but we have also successfully installed Guanxi on Windows and OSX computers.

We'll assume that Java, Tomcat and Alfresco have been successfully installed and that the Alfresco webapp is installed at <TOMCAT_HOME>/webapps/alfresco. We downloaded and compiled the source code of all five modules of Guanxi (WAYF, IdP, security provider, SP engine and SP guard from Sourceforge. Installation of Guanxi, protecting a test webapp - <TOMCAT_HOME>/webapps/protectedapp - was done as described in Alistair's localhost tutorial, except that all references to localhost were replaced by the domain name of the server.

Having tested Guanxi and made sure that the attributes were being released by the IdP, it was time to copy the Guanxi guard to the alfresco webapp.
cd <TOMCAT_HOME>/webapps/alfresco cp -r ../protectedapp/guanxi_sp . cp -r ../protectedapp/protected . cd WEB-INF cp -r ../../protectedapp/WEB-INF/classes . cp -r ../../protectedapp/WEB-INF/guanxi_sp_guard .
Then we compared the contents of <TOMCAT_HOME>/webapps/alfresco/WEB-INF/lib with the contents of <TOMCAT_HOME>/webapps/protectedapp/WEB-INF/lib and copied from the latter to the former any files that were only found in the latter. Any jar files that were older in the former were removed and replaced with the newer files from Guanxi.

We modified Kimmo Ilppola's authentication filter to include the creation of groups and to implement a logout from the SP. Here is the Java code. The compiled class file was placed in the directory <TOMCAT_HOME>/webapps/alfresco/WEB-INF/classes/org/alfresco/web/app/servlet.

The corresponding shibbolethAttributes.properties was placed in the directory <TOMCAT_HOME>/webapps/alfresco/WEB-INF/classes.

The web.xml files of the alfresco and Guanxi Guard webapps were then merged. Here is the merged file.

The next file to edit was <TOMCAT_HOME>/webapps/alfresco/WEB-INF/guanxi_sp_guard/config/guanxi-sp-guard.xml and here is the content of our file:
<?xml version="1.0" encoding="UTF-8"?> <Guard xmlns="urn:guanxi:sp"> <GuardInfo> <HostName>socket1.leeds.ac.uk</HostName> <ID>alfresco-guard</ID> <AttributePrefix>HTTP_</AttributePrefix> </GuardInfo> <Cookie> <Domain>.leeds.ac.uk</Domain> <Path>/</Path> <Age units="transient"/> <Prefix>GUANXI_GUARD_SERVICE_PROVIDER_</Prefix> </Cookie> <EngineInfo> <AuthConsumerURL>https://socket1.leeds.ac.uk:8443/samlengine/shibb/acs</AuthConsumerURL> <WAYFLocationService>https://socket1.leeds.ac.uk:8443/samlengine/shibb/wayf-location</WAYFLocationService> <Timeout>10</Timeout> </EngineInfo>

<TrustStore>/opt/tomcat55/webapps/alfresco/WEB-INF/guanxi_sp_guard/truststore/guard.jks</TrustStore> <TrustStorePassword>xxxxxxxx</TrustStorePassword> <Keystore>/opt/tomcat55/webapps/protectedapp/WEB-INF/guanxi_sp_guard/keystore/guard.jks</Keystore> <KeystorePassword>xxxxxxxx</KeystorePassword> <CertificateAlias>webservices</CertificateAlias> </Guard>
Our <TOMCAT_HOME> was /opt/tomcat55 and our server's domain name was socket1.leeds.ac.uk - you will need to substitute your own values.

At this point it was necessary to start Tomcat and register the alfresco-guard with the SP engine and the IdP as described in Alistair's tutorial. If you are using the Internet2 IdP, then you will need to supply the IdP with the guard's certificate. Again, Alistair has an excellent tutorial which will guide you through the process.

Enabling logout

In order to log out from a session, you need to log out from both the SP and the IdP. Logging out from the SP is easy, because we know where it is. Logging out from the IdP is not as straightforward because we need to call a web service at the IdP. We need to know the URL of this web service - if it exists. The easiest way to find the URL is for the IdP to send it as an attribute. Here is how to set this up using the Guanxi IdP. (We have been using the flat file authenticator/attributor which is the default for Guanxi. If you use a different authenticator, you will need to make the appropriate changes.)

We added the following entry to the file <TOMCAT_HOME>/webapps/guanxi_idp/WEB-INF/guanxi_idp/config/shared/custom-arps/arp-providers.xml
  <provider name="alfresco-guard">     <allow>MappedFlatFileAttributesForAlfresco</allow>   </provider>
We added the following entry to the file <TOMCAT_HOME>/webapps/guanxi_idp/WEB-INF/guanxi_idp/config/shared/custom-arps/arp-bags.xml
  <bag name="MappedFlatFileAttributesForAlfresco">     <attribute name="alfresco_ID" value="*" />     <attribute name="idWithDomain" value="*" />     <attribute name="idEncrypted" value="*" />     <attribute name="alfresco_FirstName" value="*" />     <attribute name="alfresco_Surname" value="*" />     <attribute name="alfresco_Email" value="*" />     <attribute name="mail" value="*" />     <attribute name="memberOf" value="*" />     <attribute name="function" value="*" />     <attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" value="*" />     <attribute name="alfresco_PersistentID" value="*" />     <attribute name="logoutIDP" value="*" />   </bag>
Then we edited Harry McDesperate's entry in the file <TOMCAT_HOME>/webapps/guanxi_idp/WEB-INF/guanxi_idp/config/shared/flatfile.xml to:
  <User>          <Username>harrymcd</Username>     <Password>growl</Password>     <UserAttribute name="id" value="harrymcd" />     <UserAttribute name="firstName" value="Harry" />     <UserAttribute name="surname" value="McDesperate" />     <UserAttribute name="email" value="HarryMcD-AT-jumpingupanddown-DOT-net" />     <UserAttribute name="role" value="CheifHeidbanger" />     <UserAttribute name="group" value="heidbangers" />     <UserAttribute name="logoutIDP" value="http://socket1.leeds.ac.uk:8080/guanxi_idp/shibb/logout" />   </User>
Our modifications to Kimmo Ilppola's ShibbolethHttpRequestAuthenticationFilter include the following piece of code which picks up the logout service URL from the Shibboleth header and then stores it as a session attribute. It then redirects to the SP logout service, which in turn will chain the IdP logout.
  if (req.getMethod()=="POST")   {     for (Enumeration e = req.getParameterNames(); e.hasMoreElements(); )     {       String name = (String)e.nextElement();       String value = req.getParameter(name);       if (name.endsWith("act") && value.endsWith("logout"))       {         // get the IdP's logout URL - if it's there         String logoutIDP = req.getHeader( logoutHeaderName );         if ((logoutIDP==null) || (logoutIDP.length() <1 ))           logoutIDP = "NO_IDP_LOGOUT";         // and store it in the session -         // the logout jsp will use this to log out from the IdP         logger.info("IdP logout is "+logoutIDP);         httpSess.setAttribute("LOGOUT_IDP_URL", logoutIDP);

// log out of the sp logger.info("Logging out of SP"); String logoutURL = req.getContextPath()+"/guard.guanxiGuardlogout"; logger.info("URL is: "+logoutURL); resp.sendRedirect( logoutURL ); return; } } }
To make Guanxi log out of the IdP, the following code was added to <TOMCAT_HOME>/webapps/alfresco/WEB-INF/guanxi_sp_guard/jsp/logout.jsp
<% HttpSession httpSess = request.getSession(); String logoutURL = (String)httpSess.getAttribute("LOGOUT_IDP_URL"); if ((logoutURL==null) || (logoutURL == "NO_IDP_LOGOUT")) { %> <center>Cannot log out of the IdP.</center> <% } else { response.sendRedirect( logoutURL ); } %>
Now when the used clicks on the logout link in Alfresco, he/she is logged out of both the SP and the IdP.

The AMSeT Project Blog

Shibbing Alfresco