Merge pull request #11 from Alfresco/feature/REPO-2575_basic_auth_header_toggle

REPO-2575: allow sending 'AlfTicket' scheme in WWW-Authenticate header
2025-08-14 17:58:59 +00:00 · 2017-10-10 14:28:42 +01:00
parent 72b037b30c dd325c419f
commit 23f20e2e5a
5 changed files with 110 additions and 27 deletions
--- a/pom.xml
+++ b/pom.xml
@@ -36,7 +36,7 @@
        <dir.root>${project.build.directory}/alf_data</dir.root>
        <img.exe>convert</img.exe>

-        <dependency.alfresco-repository.version>6.4</dependency.alfresco-repository.version>
+        <dependency.alfresco-repository.version>6.6</dependency.alfresco-repository.version>
        <dependency.alfresco-pdf-renderer.version>1.0</dependency.alfresco-pdf-renderer.version>

        <dependency.webscripts.version>6.13</dependency.webscripts.version>
--- a/src/main/java/org/alfresco/rest/api/PublicApiAuthenticatorFactory.java
+++ b/src/main/java/org/alfresco/rest/api/PublicApiAuthenticatorFactory.java
@@ -67,6 +67,7 @@ public class PublicApiAuthenticatorFactory extends RemoteUserAuthenticatorFactor
    private TenantAuthentication tenantAuthentication;
    private Set<String> validAuthenticatorKeys = Collections.emptySet();
    private Set<String> outboundHeaderNames;
+    private boolean useBasicAuth = true;
    
    public void setAuthenticatorKeyHeader(String authenticatorKeyHeader)
    {
@@ -92,6 +93,23 @@ public class PublicApiAuthenticatorFactory extends RemoteUserAuthenticatorFactor
        this.outboundHeaderNames = outboundHeaders;
    }

+    /**
+     * Whether to suggest that users use Basic auth. If set to true, then a
+     * 401 (unauthorized) response will contain a WWW-Authentication header
+     * specifying the scheme "Basic". If this is set to false, then
+     * the scheme "AlfTicket" will be used.
+     * <p>
+     * Set this to false to avoid getting Basic auth dialogue popups in browsers
+     * when using the public API directly, for example.
+     * 
+     * @see <a href="https://issues.alfresco.com/jira/browse/REPO-2575">REPO-2575</a>
+     * @param useBasicAuth
+     */
+    public void setUseBasicAuth(boolean useBasicAuth)
+    {
+        this.useBasicAuth = useBasicAuth;
+    }
+
    public void setTenantAuthentication(TenantAuthentication service)
    {
        this.tenantAuthentication = service;
@@ -232,7 +250,9 @@ public class PublicApiAuthenticatorFactory extends RemoteUserAuthenticatorFactor
                if (!authorized)
                {
                    servletRes.setStatus(401);
-                    servletRes.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco " + servletReq.getTenant() + " tenant\"");
+                    String scheme = useBasicAuth ? "Basic" : "AlfTicket";
+                    String challenge = scheme + " realm=\"Alfresco " + servletReq.getTenant() + " tenant\"";
+                    servletRes.setHeader("WWW-Authenticate", challenge);
                }
            }
        }
--- a/src/main/resources/alfresco/project-remote-api.properties
+++ b/src/main/resources/alfresco/project-remote-api.properties
@@ -0,0 +1,24 @@
+################################################################################
+# Remote API property defaults
+# 9th October 2017
+################################################################################
+
+
+# Whether to send a "basic auth" challenge along with a 401 response (not authorized)
+#
+# If set to true, then a header will be sent similar to:
+#
+#   WWW-Authenticate: Basic realm="..."
+#
+# If set to false, then a header will be sent with an AlfTicket challenge:
+#
+#   WWW-Authenticate: AlfTicket realm="..."
+#
+# This latter case is particularly useful when building a web-browser based client
+# that communicates directly with the Alfresco Public API - using the AlfTicket
+# challenge allows the client to completely control the login behaviour, whereas
+# allowing a Basic auth challenge to be sent results in the Basic Authentication
+# browser dialogue being popped-up without the client app being involved.
+#
+# See issue REPO-2575 for details.
+alfresco.restApi.basicAuthScheme=true
--- a/src/main/resources/alfresco/public-rest-context.xml
+++ b/src/main/resources/alfresco/public-rest-context.xml
@@ -95,6 +95,7 @@
      <property name="remoteUserMapper">
         <ref bean="RemoteUserMapper" />
      </property>
+      <property name="useBasicAuth" value="${alfresco.restApi.basicAuthScheme}"/>
   </bean>

    <bean id="apiBootstrapBean" class="org.alfresco.rest.framework.core.ApiBootstrap">
--- a/src/test/java/org/alfresco/rest/api/tests/AuthenticationsTest.java
+++ b/src/test/java/org/alfresco/rest/api/tests/AuthenticationsTest.java
@@ -31,6 +31,7 @@ import static org.junit.Assert.assertNotNull;
 import org.alfresco.rest.AbstractSingleNetworkSiteTest;
 import org.alfresco.rest.api.Nodes;
 import org.alfresco.rest.api.People;
+import org.alfresco.rest.api.PublicApiAuthenticatorFactory;
 import org.alfresco.rest.api.model.LoginTicket;
 import org.alfresco.rest.api.model.LoginTicketResponse;
 import org.alfresco.rest.api.sites.SiteEntityResource;
@@ -41,6 +42,7 @@ import org.alfresco.rest.api.tests.client.data.Document;
 import org.alfresco.rest.api.tests.client.data.Folder;
 import org.alfresco.rest.api.tests.util.RestApiUtil;
 import org.apache.commons.codec.binary.Base64;
+import org.junit.Before;
 import org.junit.Test;

 import java.util.Collections;
@@ -56,7 +58,43 @@ public class AuthenticationsTest extends AbstractSingleNetworkSiteTest
 {
    private static final String TICKETS_URL = "tickets";
    private static final String TICKETS_API_NAME = "authentication";
+    private PublicApiAuthenticatorFactory authFactory;
    
+    @Before
+    public void setUpAuthTest()
+    {
+        authFactory = (PublicApiAuthenticatorFactory) applicationContext.getBean("publicapi.authenticator");
+    }
+    
+    @Test
+    public void canDisableBasicAuthChallenge() throws Exception
+    {
+        authFactory.setUseBasicAuth(false);
+        
+        // Expect to be challenged for an AlfTicket (REPO-2575)
+        testAuthChallenge("AlfTicket");
+    }
+
+    @Test
+    public void canEnableBasicAuthChallenge() throws Exception
+    {
+        authFactory.setUseBasicAuth(true);
+        
+        // Expect to be challenged for Basic auth.
+        testAuthChallenge("Basic");
+    }
+    
+    private void testAuthChallenge(String expectedScheme) throws Exception
+    {
+        // Unauthorized call
+        setRequestContext(null);
+        
+        HttpResponse response = getAll(SiteEntityResource.class, getPaging(0, 100), null, 401);
+        String authenticateHeader = response.getHeaders().get("WWW-Authenticate");
+        assertNotNull("Expected an authentication challenge", authenticateHeader);
+        String authScheme = authenticateHeader.split(" ")[0]; // Other parts may contain, e.g. realm="..."
+        assertEquals(expectedScheme, authScheme);
+    }
    
    /**
     * Tests login (create ticket), logout (delete ticket), and validate (get ticket).