Hi All,
I am trying to implement SSO with CMDBuild.
I am trying to use Atlassian Crowd to implement SSO. Is it possible to integrate CMDBuild with Crowd for SSO, as both are Java applications?
I tried to implement SSO directly by adding the CMDBuild application in Crowd and changing some configuration in the auth.conf file. It didn't work. Is there any possibility to do custom authentication in CMDBuild?
The next thing I tried was setting up a reverse proxy through Apache.
Server version: Apache/2.2.15 (Unix)
OS: Centos 6.5
CMDBuild: 2.4.1
In Apache, I have added the configuration for the reverse proxy in httpd.conf:
<VirtualHost *:80>
ServerAdmin admin@domain.com
ServerName localhost
ServerAlias localhost
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
ProxyPass /cmdbuild http://localhost:8080
ProxyPassReverse /cmdbuild http://localhost:8080
<Location />
AuthName "Atlassian Crowd"
AuthType Basic
AuthBasicProvider crowd
CrowdAppName cmdbuild
CrowdAppPassword password
CrowdURL http://localhost:8095/crowd
CrowdAcceptSSO On
#CrowdCreateSSO On
CrowdSSLVerifyPeer Off
CrowdTimeout 60
#CrowdCacheMaxAge 120
#CrowdCacheMaxEntries 1000
CrowdBasicAuthEncoding ISO-8859-1
Require valid-user
Order allow,deny
Allow from all
</Location>
</VirtualHost>
I am trying to do header authentication in CMDBuild. So in auth.conf:
## Authentication method chain (the first match stops the auth chain)
#auth.methods=HeaderAuthenticator,CasAuthenticator,LdapAuthenticator,DBAuthenticator
auth.methods=HeaderAuthenticator,DBAuthenticator
#force.ws.password.digest=true
##
## HEADER
##
#header.attribute.name=username
header.attribute.name=X-WEBAUTH-USER
auto_sign_up = true
According to the CMDBuild authentication documentation:
It is possible to configure an authentication mechanism that scans the request header. It might be useful if CMDBuild is shielded by a reverse proxy that handles the Single Sign On, adding a custom header with the user name. No password check is performed if the header is found.
header.attribute.name
Specifies the header name containing the authenticated user.
But I could not bypass the index.page
In cmdbuild.log: at java.lang.Thread.run(Thread.java:745)
INFO 2016-09-09 10:45:00 [jsonrpc ] Calling url /session/create
INFO 2016-09-09 10:45:00 [cmdbuild] trying to login user userno1 with group null
ERROR 2016-09-09 10:45:00 [cmdbuild] Login failed
ERROR 2016-09-09 10:45:00 [jsonrpc ] A org.cmdbuild.exception.AuthException occurred calling method class org.cmdbuild.servlets.json.Session.create: AUTH_LOGIN_WRONG
org.cmdbuild.exception.AuthException: AUTH_LOGIN_WRONG
In the Apache log:
access_log:
admin [09/Sep/2016:10:54:39 -0400] "POST /cmdbuild/ HTTP/1.1" 500 619
error_log:
I am getting a 500 Internal Server Error.
[Fri Sep 09 10:43:50 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Sep 09 10:43:51 2016] [notice] Digest: generating secret for digest authentication ...
[Fri Sep 09 10:43:51 2016] [notice] Digest: done
[Fri Sep 09 10:43:51 2016] [notice] Apache/2.2.15 (Unix) DAV/2 SVN/1.6.11 configured -- resuming normal operations
Can anybody tell me what I have to do to bypass the login page?
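
Added example, not part of the original post and not CMDBuild or Crowd code: because the header authenticator quoted above performs no password check, the proxy configuration is the whole trust boundary. This Python lint checks a vhost for the settings that boundary depends on; `audit_header_auth_proxy`, its finding names and the trimmed `SAMPLE_VHOST` are hypothetical and constructed for illustration.

```python
import re

# Constructed sample: the security-relevant directives from the vhost posted above.
SAMPLE_VHOST = """\
<VirtualHost *:80>
ProxyPass /cmdbuild http://localhost:8080
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
<Location />
AuthType Basic
AuthBasicProvider crowd
CrowdURL http://localhost:8095/crowd
CrowdSSLVerifyPeer Off
Require valid-user
</Location>
</VirtualHost>
"""

def audit_header_auth_proxy(conf, trusted_header):
    """Return finding names for a proxy that asserts identity in trusted_header."""
    lines = [l.strip() for l in conf.splitlines()
             if l.strip() and not l.strip().startswith("#")]

    def has(pattern):
        return any(re.search(pattern, l, re.I) for l in lines)

    findings = []
    hdr = re.escape(trusted_header)
    # The proxy must overwrite (or drop) the header on every request, so only
    # the value derived from the authenticated user reaches the backend.
    if not has(rf"^RequestHeader\s+(set|unset)\s+{hdr}\b"):
        findings.append("header-not-overwritten")
    # Without a Require line the proxy forwards unauthenticated requests.
    if not has(r"^Require\s+"):
        findings.append("no-require")
    # Basic credentials on a plain-HTTP vhost travel unencrypted.
    if has(r"^AuthType\s+Basic\b") and has(r"^<VirtualHost\s+\S+:80>"):
        findings.append("basic-auth-over-http")
    if has(r"^CrowdSSLVerifyPeer\s+Off\b"):
        findings.append("crowd-tls-verify-off")
    # The backend trusts the header, so it should only be reachable via the proxy.
    for l in lines:
        m = re.match(r"ProxyPass\s+\S+\s+https?://([^/:\s]+)", l, re.I)
        if m and m.group(1).lower() not in ("localhost", "127.0.0.1"):
            findings.append("backend-not-loopback")
    return findings

if __name__ == "__main__":
    print(audit_header_auth_proxy(SAMPLE_VHOST, "X-WEBAUTH-USER"))
```

The lint only sees the Apache side; whether the Tomcat connector on port 8080 is bound to loopback or firewalled has to be confirmed on the backend itself.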