Mutual Authentication via Tomcat

This Alfresco module provides app-to-app mutual authentication: a calling service presents a client certificate that Tomcat trusts, and the module exchanges that authenticated identity for an Alfresco ticket.

Version

1.1

Updated Info

  • Use of web-fragments to define web security context

Development Usage

$ git clone [git-repo-url] mutual-auth
$ cd mutual-auth
$ chmod 755 run.sh
$ ./run.sh

curl -k -E keystore/serviceA.p12:alfresco --cert-type P12 \
  -H "Content-Type: application/json" -X POST -d '{ "auth_user": "admin"}' \
  https://localhost:8443/alfresco/service/auth/mutual

Note that -k skips verification of the server certificate and is only appropriate against the local development server started by run.sh; --cert-type P12 tells curl that keystore/serviceA.p12 is a PKCS#12 bundle protected by the password "alfresco".

A successful response looks like this:

{
    "output":"TICKET_e6543ffd41d4e8ad4d45fcb72c770783a77b9ce0",
    "status":200
}

Brief Usage Instructions

These are brief instructions until a more elaborate technical document can be written. They assume that the reader knows how mutual (client-certificate) authentication works and how to create and manage digital certificates. If not, please review the information on the following pages:

Instructions

  • Install amp into alfresco.war using alfresco-mmt.jar
  • Install client certificates and CA that it was signed with (if any) into your application container's truststore
  • Add user info to tomcat/conf/tomcat-users.xml, for example:
<user username="CN=serviceA, OU=Consulting, O=Alfresco Software Ltd., L=Atlanta, ST=GA, C=US" roles="repoclient" password="null"/>
  • Restart Alfresco
  • Create a service account in Alfresco whose username matches the CN of your client certificate
  • Configure Service Application to send your Client Certificate when a called service requests it
  • Configure Service Application to request an Alfresco Token from https://your-alfresco-server/alfresco/service/auth/mutual
  • If sudoing (running services on behalf of other users) is allowed, you can POST the user to act as, with Content-Type: application/json:
{
    "auth_user": "username"
}

Advanced Configurations

# Fail if the service is called over a non-SSL protocol, i.e. anything other than HTTPS.
# This should only be set to false for debugging, and the security constraint
# in resources/META-INF/web-fragment.xml will need to be updated to match.
mutual.service.enforce.https=true
# Allow Client Authenticated account to authenticate as another user
mutual.service.sudo.allow=true
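The checks behind the instructions and the two settings above, as an added example written for this README and not the module's own code: it takes the facts Tomcat already established (TLS on the connection, the authenticated principal's DN, the repoclient role) and the optional auth_user from the body, and only then decides whether a ticket may be issued and for whom. The MutualAuthHandler class, the Result type and the issueTicket placeholder are assumptions; the real module reads these values from HttpServletRequest and obtains the ticket from Alfresco.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Server-side decision logic for /alfresco/service/auth/mutual (added example, not the module's code). */
public final class MutualAuthHandler {
    /** HTTP status plus the value returned in the JSON "output" field. */
    public static final class Result {
        public final int status; public final String output;
        Result(int status, String output) { this.status = status; this.output = output; }
    }
    private final boolean enforceHttps; // mutual.service.enforce.https
    private final boolean allowSudo;    // mutual.service.sudo.allow
    public MutualAuthHandler(boolean enforceHttps, boolean allowSudo) {
        this.enforceHttps = enforceHttps; this.allowSudo = allowSudo;
    }
    /** CN attribute of the X.500 DN that Tomcat exposes as the authenticated principal's name. */
    static String commonName(String dn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        }
        return null;
    }
    // secure = request.isSecure(); principalDn = request.getUserPrincipal().getName() or null;
    // inRepoClient = request.isUserInRole("repoclient"); authUser = "auth_user" from the JSON body or null.
    public Result handle(boolean secure, String principalDn, boolean inRepoClient, String authUser) {
        if (enforceHttps && !secure) return new Result(403, "HTTPS required");
        if (principalDn == null) return new Result(401, "no trusted client certificate presented");
        if (!inRepoClient) return new Result(403, "certificate principal lacks the repoclient role");
        String serviceAccount;
        try { serviceAccount = commonName(principalDn); }
        catch (InvalidNameException e) { return new Result(400, "malformed principal DN"); }
        if (serviceAccount == null) return new Result(400, "principal DN has no CN");
        String ticketUser = serviceAccount;
        if (authUser != null && !authUser.equals(serviceAccount)) {
            if (!allowSudo) return new Result(403, "sudo is disabled");
            ticketUser = authUser; // the ticket is issued for the user being sudoed to
        }
        return new Result(200, issueTicket(ticketUser));
    }
    /** Hypothetical stand-in: the real module asks Alfresco's authentication service for a ticket. */
    static String issueTicket(String user) { return "TICKET_<placeholder-for-" + user + ">"; }
    public static void main(String[] args) {
        // Constructed input: the DN from the tomcat-users.xml entry above, sudoing to admin as in the curl call.
        Result r = new MutualAuthHandler(true, true).handle(true,
            "CN=serviceA, OU=Consulting, O=Alfresco Software Ltd., L=Atlanta, ST=GA, C=US", true, "admin");
        System.out.println(r.status + " " + r.output);
    }
}
```

With mutual.service.sudo.allow=false the same call is refused with 403, and with enforce.https=true a plain-HTTP request is refused before the certificate is even looked at.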

Todos

  • Update documentation
  • Develop X509 Certificate Handler (So that Client-Auth Users could be handled outside of Tomcat)