通过CMIS进行Alfresco社区OAuth2 SSO

本文介绍了通过CMIS进行Alfresco社区OAuth2 SSO的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我们正在尝试基于Spring Cloud微服务（包括单独的Auth服务器）实施SSO解决方案。 我们的一项服务是通过CMIS客户（Apache Chemistry）与Alfresco合作。 阅读了许多文档之后，我仍然找不到如何使Alfresco检查Bearer令牌并在没有密码的情况下登录的系统。

We are trying to implement SSO solution based on Spring Cloud microservices including separate Auth server. One of our services works with Alfresco through the CMIS client (Apache Chemistry). Having read lots of docs I still cannot find out how to make Alfresco check the Bearer "token" and login without password.

我查看了此解决方案，但这是用预定义密码创建新人的想法。但是Alfresco可能配置了LDAP（身份验证服务器），因此很有可能有相同的用户使用自己的密码。

I reviewed this solution but here is the idea of creating new people with predefined passwords. But Alfresco may be configured with LDAP (so is Auth server) - there's a good chance that there are same users with their own passwords.

如我所见：

• 传入请求被过滤器捕获；
• 然后从标头中提取令牌；
• 然后使用令牌以便从Auth服务器检索有关Principal（绑定到该令牌）的一些基本信息;
• 然后，假设，检查Alfresco中是否已经存在具有该名称的用户，如果是，请登录。

• incoming request is caught in filters;
• then token is extracted from headers;
• then token is used in order to retrieve some basic info about Principal (bound to that token) from Auth server;
• then, lets say, check if user with such name already exists in Alfresco and if yes, login them.

这是问题所在：如何完全不用密码登录？ 而且：由于web.xml中有多个CMIS过滤器可能以不同的方式起作用，因此它可能无法工作。

And here is the problem: how to login without password at all? Moreover: there's a chance that it won't work as there are several CMIS filters in web.xml that may work in a different way.

嗯，实际上我不确定该解决方案是否很好。

Well, actually I am not sure if that solution is good.

有人知道这种情况下有更好的选择吗？ 我可能会错过一些针对CMIS的通用解决方案吗？

Does anyone know any better option for that case? Is there some universal solution for CMIS which I may have missed?

谢谢。

推荐答案

您是否尝试过将Apache代理置于Tomcat之前并使用Apache处理SSO令牌？然后，您可以使用Alfresco的外部身份验证机制从本质上告诉Alfresco信任Apache来处理它。我相信这可与CMIS一起使用，但我最近尚未对其进行测试。

Have you tried putting an Apache proxy in front of Tomcat and using Apache to deal with the SSO token? You can then use the Alfresco "external" authentication mechanism to essentially tell Alfresco to trust Apache to handle it. I believe this works with CMIS but I haven't tested it lately.

这里是有关使用外部auth和SSO的露天文档。