Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2019-07-31 07:58:24 GMT <alfresco-discord> <monica> Hello everyone. I need a suggestion. PermissionServicePolicies are used under 5.2.g version while currently I am using 5.2.f version. If I upgrade the version in pom.xml file from 5.2.f to 5.2.g, will it create issue in existing classes or it will work fine as work with the older version?

2019-07-31 08:05:53 GMT *** jelly-home is now known as jelly

2019-07-31 08:43:47 GMT <alfresco-discord> <dgradecak> it depends highly on your custom code, but between those two versions you should be just fine

2019-07-31 08:47:17 GMT <alfresco-discord> <dgradecak> @angelborroy regarding the transformations ... it is a wrong timing right now doing anything with it. The old transformations are deprecated but it is not replaced with the new RenditionService2 code, so from share it still uses the old one but the APIs use the new implementation

2019-07-31 08:48:11 GMT <alfresco-discord> <dgradecak> that is a funny way of deprecating things, since I would imagine that a deprecation that is still used would replace the old implementation with the new one, just keeping old "interfaces" as deprecated

2019-07-31 08:49:17 GMT <alfresco-discord> <dgradecak> and the only interesting doc is here https://github.com/Alfresco/acs-packaging/blob/master/docs/transform-services.md

2019-07-31 08:49:18 GMT <alfbot> Title:acs-packaging/transform-services.md at master · Alfresco/acs-packaging · GitHub (at github.com)

2019-07-31 08:49:34 GMT <alfresco-discord> <dgradecak> everything is marked as TBA 😄

2019-07-31 08:51:07 GMT <alfresco-discord> <dgradecak> but the names are really creative 😃 RenditionDefinition2Impl

2019-07-31 08:51:17 GMT <Tichodroma> In current Alfresco versions, user preferences are stored in a content object of type `cm:preferenceValues`. In ancient versions (2.x) this QName does not exist, therefore I think that user preferences are stored somewhere else.

2019-07-31 08:51:35 GMT <Tichodroma> Do you have any idea where in the database this could be for Alfresco 2.x?

2019-07-31 08:52:17 GMT <alfresco-discord> <dgradecak> that is a good question;) did the user preferences even exist at that time?

2019-07-31 08:52:35 GMT <Tichodroma> The concrete use case is to find the interface language that in the ancient JSF client could be changed in the user options.

2019-07-31 08:54:10 GMT <alfresco-discord> <dgradecak> practices also changed during the last decade. The language comes from the browser usually now but I do not your use case

2019-07-31 08:55:09 GMT <Tichodroma> Yes, the browser settings were not used in those times. So there must be some place where the user selected language is persisted (DB or content store).

2019-07-31 08:56:17 GMT <alfresco-discord> <dgradecak> my point was that why would you need something like that if you are migrating

2019-07-31 08:56:26 GMT <alfresco-discord> <dgradecak> unless it is not just for the browser locale

2019-07-31 08:57:46 GMT <Tichodroma> I am not migrating. $CUSTOMER is on 2.x and can't migrate (yes, I know). But an unknown number of users have changed the interface language and now encounter the stupid MLText implementation that hides cm:title and cm:description if you use a different language than the other user who changed these properties.

2019-07-31 08:58:25 GMT <Tichodroma> So the goal is to find those users that have set their interface language to a value different than English.

2019-07-31 09:01:58 GMT <alfresco-discord> <dgradecak> well those who complain they changed it 😉

2019-07-31 09:02:38 GMT <Tichodroma> Sure :) But you know users: Only a fraction of those that encounter a bug actually complain. The rest keeps silent.

2019-07-31 09:02:52 GMT <alfresco-discord> <dgradecak> unfortunately I do not know the answer. A solution might be to "patch" the MLText to always return english

2019-07-31 09:03:07 GMT <alfresco-discord> <dgradecak> although not that clever solution

2019-07-31 09:03:20 GMT <Tichodroma> Yes, that's what we did for Alfresco 4+. But for < 4 we don't even have the source code.

2019-07-31 09:03:34 GMT <alfresco-discord> <dgradecak> I see

2019-07-31 09:03:40 GMT <alfresco-discord> <dgradecak> JAD? 😄

2019-07-31 09:03:57 GMT <Tichodroma> I don't think the problem is *that* important.

2019-07-31 13:23:20 GMT <dgradecak> AFaust: qq, did you check the "new" transformers yet?

2019-07-31 13:30:53 GMT <AFaust> That is still a "no" on that topic, and as I mentioned previously, I will likely not have a chance to this week. But I may have a look next week, since at one of my customers, we are looking into preparing a potential migration to 6.x in the future (whatever the latest version will be at that point) and we'll have to check what to do about our custom transformers...

2019-07-31 13:31:40 GMT <dgradecak> ok, I thought you might have a look already

2019-07-31 13:32:15 GMT <dgradecak> I did not check anything on the enterprise side, but the community side seems a mess to me right now

2019-07-31 13:32:41 GMT <dgradecak> we would say "I do not know who drinks and who pays"

2019-07-31 13:33:53 GMT <dgradecak> although I might miss the forest behind the tree ... anyhow I would like to hear your thoughts on that once you are on it

2019-07-31 14:14:20 GMT <AxelFaust> Wow... the Alfresco Identity Service documentation on docs.alfresco.com is overwhelming. A whole two pages of "content" alongside the copyright and disclaimer.

2019-07-31 15:00:55 GMT <alfresco-discord> <dgradecak> looks great! I am waiting to have an AAMQ soon (Alfresco Active MQ)

2019-07-31 15:01:40 GMT <alfresco-discord> <dgradecak> beside deploying it in a container, I wonder how else it will be deployable in half a year

2019-07-31 15:15:45 GMT <alfresco-discord> <IanW> Doesn't feel like the identity service is getting a whole lot of love...

2019-07-31 15:16:22 GMT <alfresco-discord> <dgradecak> personally, I like Keycloak

2019-07-31 15:17:51 GMT <alfresco-discord> <IanW> Quite happy with keycloak - seems like a sound choice

2019-07-31 15:18:53 GMT <alfresco-discord> <IanW> but don't know how that relates to the identity service in future

2019-07-31 15:20:27 GMT <alfresco-discord> <IanW> and don't really like having to look after keycloak(s) as well as other SSO server

2019-07-31 15:21:37 GMT <alfresco-discord> <dgradecak> I would prefer that all of the 3rd party applications stay as they are provided by the "creators/maintainers", so a vanilla app

2019-07-31 15:22:17 GMT <alfresco-discord> <dgradecak> and that people have the choice to configure it with Alfresco or not

2019-07-31 15:26:05 GMT <AxelFaust> Hmm... currently wondering about Microsoft Office support for OIDC / SAML, e.g. whether it could be made to work with Keycloak / Alfresco Identity Service. As far as I can see now, there is not yet any support by Alfresco to have /aos URLs covered by AIS / Keycloak.

2019-07-31 15:26:06 GMT <alfresco-discord> <IanW> I think we're saying the same thing - it's the difference between having an/some solid SSO implementation e.g. using OAuth that can be tied into any provider vs something that is closely tied to a specific implementation

2019-07-31 15:28:11 GMT <alfresco-discord> <IanW> I had the impression that at the moment things are quite loosely tied to the identity service as a very lightweight wrapper around keycloak but that the plan was to make the identity service more substantial

2019-07-31 15:28:33 GMT <AxelFaust> Yeah, when I was working on the Share Keycloak integration last week, I was wondering how I could make this "more generic" / "open to other OIDC IdPs" - without over-engineering it all or loosing the option to support Keycloak-specifics, like backchannel logout and such.

2019-07-31 15:29:44 GMT <AxelFaust> loosing => losing

2019-07-31 15:30:33 GMT <alfresco-discord> <dgradecak> well spring security/oauth for instance is "quite simple" to integrate with other IdPs

2019-07-31 15:31:17 GMT <alfresco-discord> <IanW> I worry that somebody is thinking about replacing e.g. LDAP sync with the identity service

2019-07-31 15:31:19 GMT <AxelFaust> Yes, but then you don't support whatever backchannel features they offer which make the integration with IdP XY "complete"

2019-07-31 15:31:58 GMT <alfresco-discord> <dgradecak> @IanW I also feel that coming indeed

2019-07-31 15:32:35 GMT <alfresco-discord> <dgradecak> enterprise customers tell me, ok let's use AIS and we want SSO with kerberos

2019-07-31 15:32:43 GMT <AxelFaust> IanW: Well, from what I have heard, that worry is sort of warranted, though what I read / heard was that user / group management may be extracted / moved to AIS completely. So I wonder how an Alfresco without an internal user / group management would look like...

2019-07-31 15:34:40 GMT <AxelFaust> But as with everything on their "we plan to do X" list, it might probably take years and years... just considering the announcement of "we are going to extract/remove workflows from ACS" and what has (not) happened on that front so far...

2019-07-31 15:34:45 GMT <alfresco-discord> <dgradecak> looking at what is going on with transformation "servers" I doubt they will do that group management in the next decade

2019-07-31 15:35:04 GMT <alfresco-discord> <IanW> It will no doubt make it trickier to do stuff like loading avatars from LDAP, which I believe I'm not alone in implementing, and is a bit harder than groups/text field mapping

2019-07-31 15:36:47 GMT <alfresco-discord> <IanW> Anybody know if things like CMIS, mobile apps... are covered by the identity service?

2019-07-31 15:37:23 GMT <alfresco-discord> <IanW> I ended up with some relatively nasty work arounds doing that for CAS

2019-07-31 15:39:31 GMT <alfresco-discord> <dgradecak> all good questions, I also wonder what will happen to the "TICKET_"

2019-07-31 15:39:49 GMT <alfresco-discord> <IanW> (I'm hoping/expecting to replace all my CAS stuff with delegated auth from keycloak to CAS in version 6+ - which I'm avoiding at the moment)

2019-07-31 15:42:23 GMT <AxelFaust> IanW: Currently, AIS only covers the "remote user mapper" use case, e.g. in which the client already sends a request with an OIDC bearer token. So unless you use a special client for CMIS, mobile apps etc, which perform OIDC auth on the client side, AIS will not cover those.

2019-07-31 15:42:56 GMT <AxelFaust> Essentially, right now, AIS is only covering the ADF/ACA/ADW usage of Alfresco Public ReST API...

2019-07-31 15:43:47 GMT <alfresco-discord> <IanW> Thought as much.... - thanks

2019-07-31 15:43:55 GMT <AxelFaust> My Share Keycloak integration is basically just an enhancement of the client to add the Bearer token to the remote connector, so it works with the "remote user mapper" logic based on AIS / Keycloak

2019-07-31 15:45:00 GMT <alfresco-discord> <IanW> That seems a pretty straightforward way of doing it

2019-07-31 15:47:10 GMT <alfresco-discord> <IanW> In 5.2. I've got an authenticated webscript that returns a ticket and uses that - used to OOTB but keeps getting removed - quite useful tho'

2019-07-31 15:48:33 GMT <alfresco-discord> <dgradecak> CMIS integrations for instance, I always do with a ticket, but I guess you do the same

2019-07-31 15:50:44 GMT <AxelFaust> I actually don't, because of the potential side effects that can occur with ticket-based authentication. Since Alfresco 5.0 or so, each user by default only has one unique ticket. When a user might use Share and a CMIS client at the same time, ticket-based authentication can be problematic for the CMIS app - when the user logs out of share, the ticket will be invalidated, which can interrupt whatever operation the CMIS client is

2019-07-31 15:50:45 GMT <AxelFaust> currently performing.

2019-07-31 15:52:09 GMT <alfresco-discord> <dgradecak> hopefully such a case is limited when using kerberos for share

2019-07-31 15:52:30 GMT <AxelFaust> As long as CMIS occurs over HTTPS, I would prefer regular authentication with user credentials - or a "real" SSO solution with a proper handshake / global token...

2019-07-31 15:52:32 GMT <alfresco-discord> <dgradecak> but that is a good point

2019-07-31 15:52:42 GMT <alfresco-discord> <IanW> I don't either - I did, for browser based auth, before they removed the ticket webscript

2019-07-31 15:53:33 GMT <AxelFaust> Well, when using Kerberos for Share, you will not have a chance to logout in Share, so cannot invalidate the ticket (other than via Repository Administration Console / JMX)

2019-07-31 15:53:38 GMT <alfresco-discord> <dgradecak> well that was the only way to do kind of SSO with CMIS (at that time)

2019-07-31 15:54:16 GMT <alfresco-discord> <IanW> I did put the logout option back into share for my CAS project

2019-07-31 15:54:36 GMT <alfresco-discord> <dgradecak> opening a CMIS app from within share (via a link action) and that no login is needed

2019-07-31 15:55:04 GMT <alfresco-discord> <IanW> Currently using the ticket for playing with ADF and 5.2

2019-07-31 15:56:01 GMT <alfresco-discord> <dgradecak> when you say: they removed the ticket webscript ... but there is the rest api for getting a ticket, so it is the same right?

2019-07-31 15:56:19 GMT <AxelFaust> I am also planning to add the logout option for my Keycloak integration (currently Share hides it as usual because user is "externally authenticated")

2019-07-31 15:56:31 GMT <alfresco-discord> <dgradecak> or you mean the currently logged user ticket ...

2019-07-31 15:57:38 GMT <alfresco-discord> <IanW> Welcome to steal logout stuff - made more difficult when logout changed from get to post

2019-07-31 15:58:52 GMT <alfresco-discord> <IanW> I believe that the rest api requires you to post credentials to get a ticket rather than having the possibility to use an existing auth

2019-07-31 16:01:04 GMT <alfresco-discord> <dgradecak> well at some point you have to do the POST anyhow, but I understand

2019-07-31 16:01:34 GMT <alfresco-discord> <dgradecak> I think alfresco would better do by providing a JWT (regardless of AIS)

2019-07-31 16:02:37 GMT <alfresco-discord> <dgradecak> with a "refresh token", but again ... that would be too easy I guess

2019-07-31 16:04:18 GMT <alfresco-discord> <IanW> It's part of SSO meaning ACS and APS rather than being part of a wider SSO infrastructure - people will already be logged in to something else before coming to the ADF app

2019-07-31 16:05:04 GMT <alfresco-discord> <IanW> got to go now...

2019-07-31 16:05:25 GMT <alfresco-discord> <dgradecak> cheer

2019-07-31 16:05:26 GMT <alfresco-discord> <dgradecak> s

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco