
Alfresco and microservices – SSO over Spring Cloud Gateway

Most of the time I have been using Alfresco and Share with Kerberos for a single sign-on solution in an enterprise environment. Lately, Alfresco is moving to a microservice-oriented architecture and therefore it is also time for me to prepare for this new kind of development on top of Alfresco.

I have to say that I have been developing modules inside of the repository for quite a long time and today I am not that proud of it; in some cases it would be better to have a decoupled integration. I always thought it is easier to handle transactionality when the code is running in the same container or transaction as the repository itself, and honestly it made my life easier. But when rethinking it today, I am sure some development could be better done outside of the Alfresco repository, with just smaller microservice integrations.

Many people think about Alfresco as a “black box” and my opinion is that custom code does not belong in a “black box”, especially if the developer does not know what he is doing. But if we think about the repository as some kind of “clever storage” giving us the ability to store documents and use full text search, folder or document level permissions, versioning and some other functionalities like applying a custom model to different types of documents, then indeed it could be seen as that “black box”. The real question is: do I need Alfresco for those features? I think Jeff Potts wrote something about that; I highly recommend reading it.

Anyhow, Alfresco introduced ActiveMQ as a messaging platform for its own internal usage, but it seems that the community edition will not benefit from that, therefore we are left alone to find other ways to integrate our custom microservices with the Alfresco platform. By Alfresco platform I mean ACS + ADF based applications + Share + APS.

So let’s get to the point: user and authentication management is always problematic in such distributed contexts, and supporting SSO correctly is not simple. For a long time I have been using Apache HTTPD + SAML in order to integrate a custom HTTP header with Alfresco external authentication, and hopefully, as Java developers, we can call Spring to the rescue and use Spring Cloud Gateway to provide any kind of authentication integration without using Alfresco-specific Keycloak deployments. Spring Cloud Gateway is just an API gateway library, but if you add Spring Security to it (Spring reactive security) it can handle SSO or OAuth2 for you quite easily. Then configuring Alfresco to use the external authentication mechanism is straightforward by following the official documentation. I am sure that you understand that Spring Cloud Gateway will act as a proxy, and after a successful authentication it should add the required header to be used by Alfresco external auth. It should be understood that any request must go through the proxy before reaching the correct destination (Alfresco/Share/ADF apps or your custom microservice).
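The header step described above, sketched as a Spring Cloud Gateway global filter. This is an added example, not code from the linked repository. It assumes Spring Security has already authenticated the request and that Alfresco reads the user from `X-Alfresco-Remote-User` (the header name is an assumption and is configurable in Alfresco's external authentication settings); the class name is hypothetical. The filter always discards whatever value the client sent for that header, so only the gateway can assert an identity.

```java
import java.security.Principal;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;

import reactor.core.publisher.Mono;

// Hypothetical filter name; registered as a bean so it applies to every route.
@Component
public class RemoteUserHeaderFilter implements GlobalFilter {

    // Assumed header name; must match the proxy header Alfresco is configured to trust.
    private static final String REMOTE_USER_HEADER = "X-Alfresco-Remote-User";

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        return exchange.getPrincipal()
                .map(Principal::getName)
                // No authenticated principal: forward with the header stripped and not set.
                .defaultIfEmpty("")
                .flatMap(user -> chain.filter(rewrite(exchange, user)));
    }

    private ServerWebExchange rewrite(ServerWebExchange exchange, String user) {
        ServerHttpRequest request = exchange.getRequest().mutate()
                .headers(headers -> {
                    // Drop any client-supplied value first so it can never reach Alfresco.
                    headers.remove(REMOTE_USER_HEADER);
                    if (!user.isEmpty()) {
                        // Identity comes only from the gateway's own authentication result.
                        headers.set(REMOTE_USER_HEADER, user);
                    }
                })
                .build();
        return exchange.mutate().request(request).build();
    }
}
```

The header is only trustworthy if Alfresco, Share and the custom microservices accept connections from the gateway alone; a backend reachable directly would accept the same header from any caller.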

For ADF based applications you can bypass the login by adding the following configuration to your ADF app, as described in the Alfresco documentation:

{
  "auth": {
    "withCredentials": "true"
  }
}

I am sorry that I did not provide a full working sample yet, but I am planning to do so soon. I will provide a Spring Cloud Gateway sample to integrate with your Alfresco external authentication, so please stay tuned.

UPDATE: and finally the code https://github.com/dgradecak/alfresco-jwt-auth
