0

How does Share know that a user is not connected (and redirect him to the login page)?

Even if a user is connected, I'd like to check if he has some permission and redirect him to the login page if not. So I'd like to know how Share manages the authenticated user from the session.

Can I use a filter, listener, servlet or any other mechanism to intercept ALL URLs on Share and check if the connected user has the required permission?

I'm using Alfresco 5.0.d.

Thank you in advance for your help.

soung

1 Answer

2

Depending on the authentication method being used and which services of Share are accessed (pages, proxy servlet or web scripts), there are multiple places where checks against the current user are made:

  • class SSOAuthenticationFilter - a servlet filter handling what it says in its name, Single Sign-On (SSO), e.g. Kerberos, NTLM or CAS / external authentication
  • class PageView - part of the Surf framework that checks if the current user has the required privileges for the current page (limited differentiation of guest, user, admin as defined by the page XML definition)
  • class SlingshotPageView - an enhancement / specialisation of the PageView class
  • class EndpointProxyServlet - handling authentication for any backend ReST API calls proxied via Share
  • classes PresentationContainer and instances of Authenticator interface - handling direct calls to any web scripts outside of normal page rendition cycles

Technically you can use a filter to intercept all servlet invocations on Share, but it is not ideal from a maintenance point of view (web.xml is not easily extensible and overridden on upgrades). If all you are interested in are page rendition requests, you can use Surf extension modules to inject post-processing code that is able to generate redirection responses if user permissions are lacking. Via the root-scoped "status" object you can send the HTTP redirect responses and define a target location.

Axel Faust
  • Thanks Alex. I'd like to implement my logic by overriding SSOAuthenticationFilter (I can see all HTTP calls go through this filter). I'd like to test if the user has a specific permission at the beginning of the doFilter method and redirect the user if not. I can see the redirection is done (in the Firefox address bar I can see `localhost:8080/share/page?pt=login&error=true`) but the login page can't be displayed. I can't find why. Do you have an idea of the problem? – soung Dec 04 '15 at 16:59
  • The user won't yet be identified at the beginning of doFilter in the SSO AuthenticationFilter on the first call, so the permission check will always fail. If you want to use a filter I'd advise you to write a custom one, place it after the SSO one and check if a page is requested and the user has already been authenticated before performing the permission check. That way you won't interrupt any processing that might be required for login to show properly. – Axel Faust Dec 08 '15 at 13:24
  • Hi, my question is how to write such a filter? – soung Dec 08 '15 at 15:50
  • Hi, my question is how to write such a filter? Can I write any filter which has a global filter mapping (/*)? – soung Dec 08 '15 at 15:59
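
The filter layout suggested in the comments above, as an added example that is not part of the original posts and not Alfresco's own code. Assumptions: Surf stores the authenticated user id in the session under `_alf_USER_ID`, Share's login/logout handlers live under `/page/dologin` and `/page/dologout`, and the `allowedUsers` init-param is a hypothetical stand-in for a real permission lookup.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: permission gate to be mapped AFTER Share's SSO filter. */
public class PagePermissionFilter implements Filter {
    // Assumption: Surf keeps the authenticated user id under this session key.
    private static final String USER_ID_KEY = "_alf_USER_ID";
    // Hypothetical stand-in for a real permission lookup (e.g. group membership).
    private final Set<String> allowedUsers = new HashSet<String>();

    @Override
    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("allowedUsers"); // hypothetical init-param
        if (p != null) allowedUsers.addAll(Arrays.asList(p.trim().split("\\s*,\\s*")));
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        String query = req.getQueryString(); // avoids parsing a POST body here
        HttpSession session = req.getSession(false); // never create a session here
        Object userId = session == null ? null : session.getAttribute(USER_ID_KEY);

        boolean pageRequest = path.startsWith("/page");
        // Assumed Share URL layout for the login page and its handlers.
        boolean loginFlow = (query != null && query.contains("pt=login"))
                || path.startsWith("/page/dologin") || path.startsWith("/page/dologout");

        // Gate only page renditions of an already authenticated user. Resources,
        // proxy calls, the login flow and not-yet-identified requests pass through,
        // so the redirect target below is never intercepted by this filter itself.
        if (!pageRequest || loginFlow || userId == null || allowedUsers.contains(userId)) {
            chain.doFilter(rq, rs);
            return;
        }
        res.sendRedirect(req.getContextPath() + "/page?pt=login&error=true");
    }

    @Override
    public void destroy() { }
}
```

Filters run in the order of their `<filter-mapping>` entries, so the mapping for this class goes after the SSO filter's mapping in Share's web.xml; as the answer notes, that file is overridden on upgrades.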