【Question title】: Cannot use AOS with Kerberos SSO on Alfresco 6.2
【Posted】: 2022-01-18 00:42:05
【Question description】:

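We set up Alfresco 6.2 with Kerberos SSO, and our users need to use AOS.
Kerberos SSO works: users are automatically logged in to Share from their Windows clients.
AOS seems to be installed correctly: with NTLM authentication, users can check out, edit and save documents in MS Word from Share.

But with Kerberos SSO turned on, when a user checks out a document, the following stack trace appears in Alfresco's logs, and the user cannot save modifications to the document: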

nov. 26, 2021 12:25:35 PM org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: "Servlet.service()" pour la servlet [WebDAV] a généré une exception
java.lang.IllegalArgumentException: No enum constant org.springframework.http.HttpMethod.PROPFIND
        at java.base/java.lang.Enum.valueOf(Enum.java:240)
        at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:33)
        at org.alfresco.rest.api.PublicApiDeclarativeRegistry.findWebScript(PublicApiDeclarativeRegistry.java:97)
        at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:209)
        at jdk.internal.reflect.GeneratedMethodAccessor659.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy216.doFilter(Unknown Source)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.ClearSecurityContextFilter.doFilter(ClearSecurityContextFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:330)
        at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:182)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)

Sometimes we also get the same error, but with HttpMethod.LOCK:

déc. 01, 2021 11:58:18 AM org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: "Servlet.service()" pour la servlet [AosWebdavService] a généré une exception
java.lang.IllegalArgumentException: No enum constant org.springframework.http.HttpMethod.LOCK
        at java.base/java.lang.Enum.valueOf(Enum.java:240)
        at org.springframework.http.HttpMethod.valueOf(HttpMethod.java:33)
        at org.alfresco.rest.api.PublicApiDeclarativeRegistry.findWebScript(PublicApiDeclarativeRegistry.java:97)
        at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:209)
        at jdk.internal.reflect.GeneratedMethodAccessor719.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:119)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy216.doFilter(Unknown Source)
        at jdk.internal.reflect.GeneratedMethodAccessor719.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
        at org.alfresco.module.aosmodule.auth.AosWebDavAuthenticationFilterInterceptor.invoke(AosWebDavAuthenticationFilterInterceptor.java:44)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
        at com.sun.proxy.$Proxy216.doFilter(Unknown Source)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.ServletMetricsFilter.doFilter(ServletMetricsFilter.java:161)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:89)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.alfresco.web.app.servlet.ClearSecurityContextFilter.doFilter(ClearSecurityContextFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)

Here is our localhost_access log when we open a document in Word:

[01/Dec/2021:12:10:58 +0100] "OPTIONS /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/ HTTP/1.1" 401 80
[01/Dec/2021:12:10:58 +0100] "OPTIONS /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/ HTTP/1.1" 200 -
[01/Dec/2021:12:10:58 +0100] "GET /_vti_inf.html HTTP/1.1" 200 247
[01/Dec/2021:12:10:58 +0100] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 230
[01/Dec/2021:12:10:58 +0100] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 194
[01/Dec/2021:12:10:58 +0100] "POST /alfresco/aos/_vti_bin/_vti_aut/author.dll HTTP/1.1" 401 80
[01/Dec/2021:12:10:58 +0100] "POST /alfresco/aos/_vti_bin/_vti_aut/author.dll HTTP/1.1" 200 2515
[01/Dec/2021:12:10:58 +0100] "POST /alfresco/aos/_vti_bin/_vti_aut/author.dll HTTP/1.1" 200 1789
[01/Dec/2021:12:10:58 +0100] "HEAD /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 -
[01/Dec/2021:12:10:58 +0100] "LOCK /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3359
[01/Dec/2021:12:10:58 +0100] "GET /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 11381
[01/Dec/2021:12:10:58 +0100] "PROPFIND /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3367
[01/Dec/2021:12:10:58 +0100] "HEAD /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 -

And here is the log when we try to save the document:

[01/Dec/2021:12:12:03 +0100] "LOCK /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3359

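The stack traces for the code 500 errors are provided above (No enum constant HttpMethod.LOCK and .PROPFIND).

After looking at the stack trace and the source code, it seems the error occurs in BaseSSOAuthenticationFilter, which is extended by BaseKerberosAuthenticationFilter, when it tries to route a request whose HTTP method is set to PROPFIND or LOCK, which are not standard HTTP methods.
This makes me think that AOS does not support SSO.

Here is our authentication chain in alfresco-global.properties: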

authentication.chain=kerberos1:kerberos,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

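We have set an aos.baseUrlOverwrite property.

We also use a reverse proxy, but that does not seem to be the problem in our case, because requests are routed correctly and AOS works with NTLM authentication.

So my questions are:

  • Can AOS be used with Kerberos SSO on Alfresco 6.2? The official documentation says that MS Office does support Kerberos, but it does not explicitly say whether AOS supports Kerberos.
  • If so, how can we make it work? Are we missing something?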

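【Question comments】:

  • In principle AOS works with Kerberos on Alfresco 6.2. My guess is that there is a problem with your WebDAV and your reverse proxy and/or your Tomcat configuration. The stack trace doesn't help. Are you sure your reverse proxy supports DAV methods such as PROPFIND and LOCK? Are you sure your Tomcat connector "sees" the correct host name?
  • There is no problem with the proxy, because Tomcat receives the PROPFIND & LOCK requests. AOS also works without SSO. It is more likely related to a known bug: alfresco.atlassian.net/browse/MNT-21758. We will try the latest hotfix (6.2.2.21) and update this question.
  • That's odd; Alfresco (as usual) indeed does not explain the problem in the ticket you mention. The whole SSO seems to be broken in one way or another in the latest versions of every other component (since 6.0?). The best advice may be to handle authentication and SSO in a separate component outside Alfresco and use external authentication ...

Tags: single-sign-on ms-office alfresco kerberos alfresco-enterprise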


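【Solution 1】:

This is actually a known bug, fixed in Alfresco 6.2.2.2:
https://alfresco.atlassian.net/browse/MNT-21758

Installing ACS 6.2.2.21 solved the problem.

It's a pity that this ticket (or the whole site?) is not indexed by search engines...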
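
A triage check for the symptom described in this thread, added here as an example and not part of the original posts or of Alfresco's code: it parses access-log lines taken from the question and reports the request methods that lie outside Spring 5's `HttpMethod` enum and failed with a 5xx on every request. The function names and the regular expression are assumptions made for this example.

```python
import re
from collections import defaultdict

# The eight constants of Spring 5's org.springframework.http.HttpMethod enum;
# HttpMethod.valueOf() throws IllegalArgumentException for any other name.
SPRING_HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE"}

# Access-log lines copied from the question (a subset of the lines on the page).
SAMPLE_LOG = """\
[01/Dec/2021:12:10:58 +0100] "OPTIONS /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/ HTTP/1.1" 401 80
[01/Dec/2021:12:10:58 +0100] "OPTIONS /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/ HTTP/1.1" 200 -
[01/Dec/2021:12:10:58 +0100] "POST /alfresco/aos/_vti_bin/_vti_aut/author.dll HTTP/1.1" 401 80
[01/Dec/2021:12:10:58 +0100] "POST /alfresco/aos/_vti_bin/_vti_aut/author.dll HTTP/1.1" 200 2515
[01/Dec/2021:12:10:58 +0100] "HEAD /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 -
[01/Dec/2021:12:10:58 +0100] "LOCK /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3359
[01/Dec/2021:12:10:58 +0100] "GET /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 200 11381
[01/Dec/2021:12:10:58 +0100] "PROPFIND /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3367
[01/Dec/2021:12:12:03 +0100] "LOCK /alfresco/aos/Espaces%20Utilisateurs/svc_alfresco/Test-1.docx HTTP/1.1" 500 3359
"""

# Assumed layout, matching the lines above: [timestamp] "METHOD path HTTP/x" status size
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z-]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse(log_text):
    """Yield (method, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["method"], m["path"], int(m["status"])

def summarize(log_text):
    """Per method: request count, 5xx count, and whether Spring's enum knows it."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0})
    for method, _path, status in parse(log_text):
        stats[method]["total"] += 1
        if status >= 500:
            stats[method]["errors"] += 1
    return {m: {**s, "in_spring_enum": m in SPRING_HTTP_METHODS} for m, s in stats.items()}

def enum_gap_suspects(log_text):
    """Methods outside the enum for which every request ended in a 5xx."""
    return sorted(m for m, s in summarize(log_text).items()
                  if not s["in_spring_enum"] and s["errors"] == s["total"])

if __name__ == "__main__":
    print(enum_gap_suspects(SAMPLE_LOG))
```

On these lines only the WebDAV extension methods fail, while every method the enum knows completes without a 5xx, which matches the `No enum constant` exceptions in the stack traces.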
