Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.


2019-07-19 05:23:24 GMT <alfresco-discord> <MorganP> When I have to deal with first occurrence in a file with sed, I also proceed as mentioned by Angel. ' sed "0,/pattern/s//PATTERN_HERE/" '

2019-07-19 05:23:40 GMT <alfresco-discord> <MorganP> it replaces the first occurrence of pattern with PATTERN_HERE

2019-07-19 05:25:28 GMT <alfresco-discord> <MorganP> If you want to insert something one line before, just do something like that: sed "0,/pattern/s//Toto\n&/"

2019-07-19 05:31:50 GMT <alfresco-discord> <MorganP> Of course the pattern in this case must match the full line otherwise it will cut your line into 2 and put Toto in between

2019-07-19 05:32:29 GMT <alfresco-discord> <MorganP> Something like "[[:space:]]*<xml_tag>"

2019-07-19 05:41:01 GMT <alfresco-discord> <MorganP> sed -E "0,/^([[:space:]]*)<xml_tag>/s//\1<new_tag>\n\1 <sub_tag>\n\1<\/new_tag>\n&/" web.xml

2019-07-19 07:36:48 GMT <alfresco-discord> <IanW> A few years ago I thought I was making progress with the point about the web-fragments (with Richard) - I did manage to get them to work for my CAS sso but with a great deal of hackery (stopped working in 5.2 for share however)

2019-07-19 07:38:48 GMT <alfresco-discord> <IanW> I have got angular oidc and dynamic env vars working but be aware that it doesn't work with a prod build (at least the way I did it)

2019-07-19 07:52:16 GMT <alfresco-discord> <dgradecak> @IanW why not? for now I have loading that via assets/dynamic-vars.json and replaces a config map when loaded. but I am not convinced by that

2019-07-19 07:52:48 GMT <alfresco-discord> <dgradecak> are you also using angular-oauth2-oidc ?

2019-07-19 08:02:59 GMT <alfresco-discord> <IanW> I am also using angular-oauth2-oidc - I followed https://www.bennettnotes.com/post/angular-read-system-environment-variables/ although I put the process.env.xxx into src/environments/environment.ts

2019-07-19 08:03:00 GMT <alfbot> Title:Read System Environment Variables in Angular - Bennett Notes (at www.bennettnotes.com)

2019-07-19 08:05:21 GMT <alfresco-discord> <IanW> I haven't spent any time looking at prod build issue, or indeed found a better way than rebuilding with a new environment.ts file for each deployment (which is not ideal but probably not worth my time to investigate)

2019-07-19 08:21:40 GMT <alfresco-discord> <dgradecak> I did try that too but ended up with loading from assets, since I need to change them at runtime and not at build time

2019-07-19 08:21:50 GMT <alfresco-discord> <dgradecak> at least that is the idea

2019-07-19 08:24:14 GMT <alfresco-discord> <IanW> One of those things that feels like it needs solving for the Dockerized world but no obvious consensus on how to do it yet...

2019-07-19 15:53:03 GMT <AFaust> Argh... Amazed at how incredibly under-documented Keycloak really is, when you want to do more / something different than just use the pre-built integrations.

2019-07-19 15:54:02 GMT <AFaust> Barely any JavaDoc at all (most of the time, there is just an @author / @version tag in the class), code comments also rarely existing...

2019-07-19 15:55:32 GMT <AFaust> Trying to figure out which of the various authenticator / adapter classes I really need to build an integration in Share, and I am basically just stumbling through JARs, looking at classes that "sound" relevant and making educated guesses from the bare source code...

2019-07-19 15:56:45 GMT <AFaust> One might say "sounds similar to Alfresco", but I believe it to be worse so far...

2019-07-19 16:03:56 GMT <alfresco-discord> <dgradecak> sounds exciting

2019-07-19 16:04:37 GMT <alfresco-discord> <dgradecak> did share move to spring security 5 ?

2019-07-19 16:04:58 GMT <AFaust> AFAIK, Share never included / used Spring security...

2019-07-19 16:05:19 GMT <AFaust> Only Repository-tier used ACEGI, the ancient Spring security ancestor...

2019-07-19 16:05:24 GMT <AFaust> used => uses

2019-07-19 16:06:37 GMT <alfresco-discord> <dgradecak> right sorry ... talked too fast

2019-07-19 16:06:43 GMT <alfresco-discord> <dgradecak> to spring 5 I mean

2019-07-19 16:06:54 GMT <alfresco-discord> <dgradecak> I think it did ...

2019-07-19 16:08:23 GMT <AFaust> Yes, Spring 5 is there...

2019-07-19 16:09:00 GMT <alfresco-discord> <dgradecak> ok, good ... do you have any idea how technically it should look like, that integration?

2019-07-19 16:13:53 GMT <AFaust> Yes, roughly... put a filter facade in front of the default Share SSO authentication filter, have that handle any special OIDC / OAuth2 requests (primarily verification of codes / tokens, generation of redirect URLs), and pass on auth details via bearer token to the endpoint connectors for the call to Repository...

2019-07-19 16:15:25 GMT <AFaust> Filter can be configured to force OIDC / OAuth authentication via Keycloak, or let user through to login page (where I am planning on a customisation to provide a "SSO Login" button similar to what ACA has)

2019-07-19 16:16:50 GMT <alfresco-discord> <dgradecak> are you planning to do that negotiation via a share webscript maybe? I think via JS it would be a nightmare

2019-07-19 16:17:02 GMT <alfresco-discord> <dgradecak> that is why spring security can be handy

2019-07-19 16:17:04 GMT <AFaust> I am also looking at the option of that filter handling backchannel logout, though that might be a bit harder to do, since the filter runs inside the web app, not as a global filter with access to Catalina / Tomcat internals

2019-07-19 16:17:31 GMT <AFaust> No web script, no JS. Plain old servlet filter...

2019-07-19 16:17:32 GMT <alfresco-discord> <dgradecak> ok .. a filter, server side

2019-07-19 16:18:11 GMT <alfresco-discord> <dgradecak> in angular I used a JS library for oauth

2019-07-19 16:18:19 GMT <AFaust> Yeah, Share is a server side application with a server-side integration with backend systems, so anything auth-related should (IMHO, "must") be server-side too...

2019-07-19 16:18:54 GMT <alfresco-discord> <dgradecak> well does not have to be, but here it would be easier

2019-07-19 16:19:00 GMT <AFaust> And web scripts are not an option for me, after I have seen and had to work with the mess that is the Alfresco Enterprise SAML module...

2019-07-19 16:19:41 GMT <alfresco-discord> <dgradecak> with filters can be quite good to reuse spring security oauth2

2019-07-19 16:21:57 GMT <alfresco-discord> <dgradecak> and I imagine you want to reuse the awk command? 😄

2019-07-19 16:22:02 GMT <AFaust> Might have been, if they didn't tie themselves so excessively to the Spring Boot crap...

2019-07-19 16:22:37 GMT <alfresco-discord> <dgradecak> I can check but many things have been moved

2019-07-19 16:22:46 GMT <alfresco-discord> <dgradecak> from boot to security

2019-07-19 16:22:55 GMT <alfresco-discord> <dgradecak> but you are right

2019-07-19 16:23:01 GMT <AFaust> Ehm... potentially, though that was a different project actually where I needed that this week.

2019-07-19 16:23:47 GMT <AFaust> I actually already set up the filter to be injected either via web.xml modification (awk / sed / whatever) or by using a Spring post processor to facade the default Share SSOAuthenticationFilter (since this is a bean, that is an option luckily)

2019-07-19 16:24:36 GMT <alfresco-discord> <dgradecak> well if you want some help about that let me know, I am also interested by this

2019-07-19 16:25:26 GMT <AFaust> Well, if you find a good example / guide / documentation on how to implement the OIDC authorization code flow with Keycloak adapter / client libraries, that would be cool...

2019-07-19 16:25:48 GMT <AFaust> My Google-Fu has only turned up examples / guides for the pre-built integrations.

2019-07-19 16:26:10 GMT <alfresco-discord> <dgradecak> I did it with the keycloak adapter

2019-07-19 16:26:26 GMT <alfresco-discord> <dgradecak> and spring boot, so I have that as sample

2019-07-19 16:26:39 GMT <AFaust> That's also the undocumented pile of classes that I am wading through right now.

2019-07-19 16:26:51 GMT <alfresco-discord> <dgradecak> but lately I planned to do spring oauth with keycloak without the adapter

2019-07-19 16:27:25 GMT <AFaust> I believe I now have the right starting point, and only need to figure out how some of the required dependencies can be hooked up...

2019-07-19 16:28:48 GMT <AFaust> Doing this without Keycloak adapters is also an option for the (medium far) future... First want to get it done with the vendor's own libs.

2019-07-19 16:29:15 GMT <AFaust> (in the hope that I can avoid any accidental incompatibilities that way)

2019-07-19 16:29:49 GMT <alfresco-discord> <dgradecak> ach so ... so the plan is to take what is on the repo side and move to share?

2019-07-19 16:30:42 GMT <AFaust> Well... that was the starting idea.

2019-07-19 16:31:00 GMT <alfresco-discord> <dgradecak> I was not even thinking about that honestly 😉

2019-07-19 16:31:02 GMT <AFaust> But the Repo-tier only has Bearer-Token evaluation

2019-07-19 16:31:54 GMT <AFaust> Without any handling of redirect to login, dealing with code vs. access token (authorization code flow), and handling backend calls.

2019-07-19 16:32:11 GMT <AFaust> No logout handling etc...

2019-07-19 16:32:35 GMT <AFaust> The Repo-tier integration really has only been built to support ADF / ACA, and other SPA clients.

2019-07-19 16:32:42 GMT <alfresco-discord> <dgradecak> well logout is a bit special with tokens

2019-07-19 16:32:56 GMT <alfresco-discord> <dgradecak> but I get your point

2019-07-19 16:33:34 GMT <AFaust> Yeah, logout will be interesting, and is only of lower priority.

2019-07-19 16:34:05 GMT <AFaust> When I was doing the Azure integration, I was trying to set up the backchannel logout from Azure to Keycloak, so that all my sessions would be killed when I log out of Azure.

2019-07-19 16:34:28 GMT <AFaust> Did not get it to work then either, but for a "proper" integration, that should be supported at some point.

2019-07-19 16:35:37 GMT <AFaust> Azure did a proper redirect + request to Keycloak during logout when I tested, but the session(s) were all still active afterwards.

2019-07-19 16:36:23 GMT <alfresco-discord> <dgradecak> that logout is also on my todo list for "my" stuffs with oauth

2019-07-19 18:52:39 GMT <alfresco-discord> <IanW> Interested to hear how you get on - repo and share really quite different - I may have mentioned this area is a bit flaky as I've discovered working on alfresco-cas (might be worth a look...) - I haven't looked at this since 6 came out but once you can log in to share I guess it's about replacing the SlingshotAlfrescoConnector with something that replaces the username header with a proxy authentication

2019-07-19 18:52:39 GMT <alfresco-discord> token - at least that's how I'd do it (and assumes that the repo can handle proxy token but surely it can...)

2019-07-19 19:14:43 GMT <AFaust> I think I may be almost done with the general implementation of the filter (with some corner cases marked as TODO), that I can deal with the connector stuff either this weekend or Monday, and then do first tests.

2019-07-19 19:35:40 GMT <alfresco-discord> <dgradecak> I wonder how the download would work

2019-07-19 20:41:27 GMT <AFaust> Should not be a problem. After initial token exchange, the token will be stored in the session. It will be refreshed in the background when necessary. As long as the client uses the same session, download will be unaffected.

2019-07-19 20:49:52 GMT <alfresco-discord> <dgradecak> sure, but if the download is dictated by a browser GET you need to pass the token in the url

2019-07-19 20:50:52 GMT <alfresco-discord> <dgradecak> that brings the security on the table, since tokens are "long" living

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco