Merge branch 'acs-aims' into acs-aims-enterprise

.env

@@ -5,3 +5,4 @@ ALFRESCO_LICENSE_DIR=~/alfresco/license
 PROXY_PROTOCOL=http
 PROXY_HOST=localhost
 PROXY_PORT=8080
+IDENTITY_SERVICE_BASEURL=http://auth.example.org:8080

docker-compose.yml

@@ -50,7 +50,7 @@ services:
 
                 -Dauthentication.chain=aims:identity-service,builtin:alfrescoNtlm
                 -Didentity-service.authentication.defaultAdministratorUserNames=admin.1
-                -Didentity-service.auth-server-url=http://identity:8080/auth
+                -Didentity-service.auth-server-url=${IDENTITY_SERVICE_BASEURL}/auth
                 
                 -Dsystem.content.eagerOrphanCleanup=true
                 -Dsystem.content.orphanProtectDays=0
@@ -106,8 +106,8 @@ services:
                 -Dalfresco.protocol=${PROXY_PROTOCOL}
                 -Daims.enabled=true
                 -Daims.realm=alfresco
-                -Daims.resource=alfresco
+                -Daims.resource=acs-share
-                -Daims.authServerUrl=http://identity:8080/auth
+                -Daims.authServerUrl=${IDENTITY_SERVICE_BASEURL}/auth
                 -Daims.sslRequired=none
                 -Daims.publicClient=true
                 -Daims.autodetectBearerOnly=true
@@ -173,9 +173,13 @@ services:
         environment:
             KEYCLOAK_USER: admin
             KEYCLOAK_PASSWORD: admin
-            KEYCLOAK_HOSTNAME: ${PROXY_HOST}
+            KEYCLOAK_HOSTNAME: auth.example.org
             KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json
             KEYCLOAK_STATISTICS: enabled
+        networks:
+            default:
+                aliases:
+                    - "auth.example.org"
         volumes:
             - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro
 

keycloak-alfresco-realm.json

@@ -10,16 +10,7 @@
     }, {
       "name": "admin",
       "description": "Administrator privileges"
-    } ],
+    } ]
-    "client": {
-      "alfresco": [
-        {
-          "name": "administrator",
-          "composite": false,
-          "clientRole": true
-        }
-      ]
-    }
   },
   "clients": [
     {
@@ -28,6 +19,24 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "redirectUris": [ "*" ],
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": true,
+      "directAccessGrantsEnabled": false,
+      "publicClient": true,
+      "protocol": "openid-connect",
+      "attributes": {
+        "login_theme": "alfresco"
+      }
+    },
+    {
+      "clientId": "acs-share",
+      "name": "ACS Share",
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "redirectUris": [ "*" ],
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
       "publicClient": true,
       "protocol": "openid-connect",
       "attributes": {
@@ -46,10 +55,7 @@
           "value" : "password"
         }
       ],
-      "realmRoles": [ "user" ],
+      "realmRoles": [ "user", "admin" ]
-      "clientRoles": {
-        "alfresco": ["administrator"]
-      }
     }
   ]
 }

nginx-ingress/nginx.conf

@@ -19,7 +19,10 @@ http {
 
         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
         proxy_redirect off;
-        proxy_buffering off;
+#        proxy_buffering off;
+        proxy_buffer_size	64k;
+        proxy_buffers		4 256k;
+        proxy_busy_buffers_size	256k;
         proxy_set_header Host              $http_host;
         proxy_set_header X-Real-IP         $remote_addr;
         proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;