
Mutual Authentication via Tomcat

This Alfresco module allows app-to-app mutual authentication via trusted Tomcat client certificates.



Updated Info

  • Use of web-fragments to define web security context

Development Usage

$ git clone [git-repo-url] mutual-auth
$ cd mutual-auth
$ chmod 755
$ ./

curl -k -E keystore/serviceA.p12:alfresco --cert-type P12 \
-H "Content-Type: application/json" -X POST -d '{ "auth_user": "admin"}'  \

A successful Response will be as follows:


Brief Usage Instructions

Brief instructions until a more elaborate technical document can be written. These instructions assume that the user knows how mutual authentication works and how to create and manage digital certificates. If not, please review the information on the following pages:


  • Install amp into alfresco.war using alfresco-mmt.jar
  • Install client certificates and CA that it was signed with (if any) into your application container's truststore
  • Add user info to tomcat/conf/tomcat-users.xml, for example:
<user username="CN=serviceA, OU=Consulting, O=Alfresco Software Ltd., L=Atlanta, ST=GA, C=US" roles="repoclient" password="null"/>
  • Restart Alfresco
  • Create a service account in Alfresco with that of the CN used in your Client Certificate
  • Configure Service Application to send your Client Certificate when a called service requests it
  • Configure Service Application to request an Alfresco Token from https://your-alfresco-server/alfresco/service/auth/mutual
  • If sudoing (running services on behalf of other users) is allowed, then you can POST the user to sudo to via Content-Type: application/json
    auth_user: "username"

Advanced Configurations

# Fail if the service is called through a non-SSL protocol, i.e. not HTTPS.
# This should only be set to false for debugging,
# and the SECURITY CONTEXT in resources/META-INF/web-fragment.xml will need to be updated.
# Allow the client-authenticated account to authenticate as another user
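The checks behind the usage steps and the two settings above, as an added illustration that is not the module's own code: a hypothetical helper that a handler for the auth/mutual endpoint could call once Tomcat has completed the TLS handshake. It assumes the role name "repoclient" from the tomcat-users.xml example, the standard Servlet API attribute for the client certificate chain, and that the caller has already parsed auth_user out of the JSON body.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;

public final class MutualAuthCheck {
    // Role given to the certificate DN in tomcat-users.xml (README example above).
    static final String CLIENT_ROLE = "repoclient";
    // Standard Servlet API attribute holding the client certificate chain Tomcat verified.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the Alfresco user the caller may act as, or throws if any check fails.
     *  requestedUser is auth_user from the JSON body (null if absent); allowSudo is the
     *  "allow client-authenticated account to authenticate as another user" setting. */
    public static String resolveUser(HttpServletRequest req, String requestedUser, boolean allowSudo) {
        // 1. Refuse plain HTTP: the client certificate only means something over TLS.
        if (!req.isSecure()) {
            throw new SecurityException("mutual auth requires HTTPS");
        }
        // 2. Tomcat must have verified a client certificate against its truststore.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            throw new SecurityException("no client certificate presented");
        }
        // 3. The certificate DN must map to the expected role via tomcat-users.xml.
        if (!req.isUserInRole(CLIENT_ROLE)) {
            throw new SecurityException("certificate subject lacks role " + CLIENT_ROLE);
        }
        // 4. The leaf certificate's CN names the Alfresco service account.
        String serviceAccount = commonName(chain[0]);
        // 5. Acting as another user is honoured only when explicitly enabled.
        if (requestedUser == null || requestedUser.equals(serviceAccount)) {
            return serviceAccount;
        }
        if (!allowSudo) {
            throw new SecurityException(serviceAccount + " may not act as " + requestedUser);
        }
        return requestedUser;
    }

    /** Extracts the CN attribute from the certificate's subject DN (RFC 2253 form). */
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            throw new SecurityException("unparseable subject DN", e);
        }
        throw new SecurityException("subject DN has no CN");
    }
}
```

Step 3 only works when the web-fragment's security constraint uses the CLIENT-CERT auth method, since that is what makes Tomcat populate the user principal and roles from tomcat-users.xml.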


  • Update documentation
  • Develop X509 Certificate Handler (So that Client-Auth Users could be handled outside of Tomcat)