Artifactory Binary Repository: RTFACT-7027

Support for remote repos protected by realm-based SSO

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 3.4.2
    • Fix Version/s: 3.5.1
    • Component/s: HttpRepo
    • Labels: None

      Description

      Hi Artifactory Developers,

      We are in the process of standing up a highly-available Maven repository that is protected by an SSO solution using Basic Auth over SSL. The architecture is as follows:

      1.) Maven clients connect over the internet to the repository using maven.example.com

      2.) maven.example.com is a hardware load balancer DNS alias that uses HTTP 301 to redirect to repo.example.com

      3.) repo.example.com uses HTTP 302 to redirect the request to login.example.com

      4.) login.example.com sends back HTTP 401 to require authentication

      5.) The client returns the request with the Authorization header and login.example.com uses HTTP 302 to redirect the request back to repo.example.com with the proper Authorization header and retrieve the artifact.

      While the repository is currently in production, it has not been made generally available yet. We would very much like to be able to tell people that they can proxy our repository with Artifactory when we do make it generally available. However, the current version of Artifactory is not able to work with the SSO solution we are using. We have no ability to change the SSO solution, as it is used by many other applications as well.

      We found that with a few small changes to the configuration of the httpclient, we are able to get Artifactory to work with our repository correctly. I am including a diff below that shows those changes. The changes are as follows:

      • enable cookie management
      • allow circular redirects
      • change the AuthScope host to "ANY"
      • change the cookie spec to BROWSER_COMPATIBILITY

      I think that the best way to introduce these changes would be to add a new 'advanced property' checkbox to the remote repository advanced configuration panel, which would allow users to turn on these changes for a given repository. I have not done the work to change the UI/model to allow that.

      I am seeking your advice on how to proceed. What is the process to get this capability added to Artifactory OSS? We would also like to see this capability in Artifactory HA.

      C:\src\artifactory>svn diff
      Index: base/common/src/main/java/org/artifactory/util/HttpClientConfigurator.java
      ===================================================================
      --- base/common/src/main/java/org/artifactory/util/HttpClientConfigurator.java (revision 14229)
      +++ base/common/src/main/java/org/artifactory/util/HttpClientConfigurator.java (working copy)
      @@ -27,6 +27,7 @@
      import org.apache.http.auth.NTCredentials;
      import org.apache.http.auth.UsernamePasswordCredentials;
      import org.apache.http.client.config.AuthSchemes;
      +import org.apache.http.client.config.CookieSpecs;
      import org.apache.http.client.config.RequestConfig;
      import org.apache.http.conn.routing.HttpRoute;
      import org.apache.http.impl.client.BasicCredentialsProvider;
      @@ -36,6 +37,7 @@
      import org.apache.http.impl.client.HttpClients;
      import org.apache.http.impl.conn.DefaultRoutePlanner;
      import org.apache.http.impl.conn.DefaultSchemePortResolver;
      +import org.apache.http.impl.cookie.BrowserCompatSpec;
      import org.apache.http.protocol.HttpContext;
      import org.artifactory.common.ConstantValues;
      import org.artifactory.descriptor.repo.ProxyDescriptor;
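Review bot: `org.apache.http.impl.cookie.BrowserCompatSpec` is imported here but nothing in the diff references it; the cookie policy is selected by name through `CookieSpecs.BROWSER_COMPATIBILITY` in the later hunk, so this import is unused and should be dropped.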
      @@ -68,7 +70,8 @@
      builder.setUserAgent(HttpUtils.getArtifactoryUserAgent());
      credsProvider = new BasicCredentialsProvider();
      if (!ConstantValues.enableCookieManagement.getBoolean())

      { - builder.disableCookieManagement(); + // Do not disable cookie management + //builder.disableCookieManagement(); }

      if (!ConstantValues.httpAcceptEncodingGzip.getBoolean())

      { builder.disableContentCompression(); @@ -192,10 +195,15 @@ throw new IllegalStateException("Cannot configure authentication when host is not set."); }

      + // we need the request to follow redirects from the front end URL
      + // to the login server and the actual content server, to accept circular
      + // redirects, and to maintain the cookies
      credsProvider.setCredentials(

      • new AuthScope(host, AuthScope.ANY_PORT, AuthScope.ANY_REALM),
        + new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM),
        new UsernamePasswordCredentials(username, password));
        -
        + config.setCircularRedirectsAllowed(true);
        + config.setMaxRedirects(40);
        + config.setCookieSpec(CookieSpecs.BROWSER_COMPATIBILITY);
        builder.addInterceptorFirst(new PreemptiveAuthInterceptor());
        }
        return this;
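Review bot: in the `@@ -68,7 +70,8 @@` hunk, commenting out `builder.disableCookieManagement()` leaves `if (!ConstantValues.enableCookieManagement.getBoolean())` with an empty body, so the `enableCookieManagement` constant becomes a no-op for every remote repository instead of being overridden only for the SSO case. Either remove the dead conditional or keep it and OR in the per-repository flag the description proposes, so cookie handling stays off by default where it was off before.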
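Review bot: in the `@@ -192,10 +195,15 @@` hunk, replacing `new AuthScope(host, AuthScope.ANY_PORT, AuthScope.ANY_REALM)` with `AuthScope.ANY_HOST` makes the remote repository's username and password match every host the client is redirected to, so any host in a redirect chain that answers 401 will be given them, not only repo.example.com and login.example.com. Prefer registering the same credentials for the explicit set of hosts involved (repository host plus login host), and gate `setCircularRedirectsAllowed(true)` and `setMaxRedirects(40)` behind the per-repository option the description proposes rather than enabling them for all remote repositories; 40 circular hops is also a generous bound for a chain that should settle in a handful.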
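An added illustration (not code from the issue or from Artifactory) of the same httpclient settings with the credentials scoped to the two hosts in the redirect chain instead of AuthScope.ANY_HOST; the host names are the ones from the architecture above, the username and password are placeholders, and it targets the Apache HttpClient 4.3+ API that the diff imports.

```java
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class ScopedSsoClient {
    // Constructed for this example: the issue's two hosts that challenge for the credentials.
    static final String[] SSO_HOSTS = {"repo.example.com", "login.example.com"};

    // Same credentials per known host instead of AuthScope.ANY_HOST: any other host gets none.
    static CredentialsProvider scopedProvider(String user, String password) {
        BasicCredentialsProvider provider = new BasicCredentialsProvider();
        Credentials creds = new UsernamePasswordCredentials(user, password);
        for (String host : SSO_HOSTS) {
            provider.setCredentials(
                    new AuthScope(host, AuthScope.ANY_PORT, AuthScope.ANY_REALM), creds);
        }
        return provider;
    }

    // Redirect and cookie settings from the diff, applied to this client only.
    static RequestConfig ssoRequestConfig() {
        return RequestConfig.custom()
                .setCircularRedirectsAllowed(true) // repo -> login -> repo
                .setMaxRedirects(40)
                .setCookieSpec(CookieSpecs.BROWSER_COMPATIBILITY)
                .build();
    }

    static CloseableHttpClient build(String user, String password) {
        return HttpClients.custom()
                .setDefaultCredentialsProvider(scopedProvider(user, password))
                .setDefaultRequestConfig(ssoRequestConfig())
                .setDefaultCookieStore(new BasicCookieStore()) // keeps the SSO session cookie
                .build();
    }

    public static void main(String[] args) {
        CredentialsProvider p = scopedProvider("deploy", "placeholder-password");
        Credentials login = p.getCredentials(new AuthScope("login.example.com", 443));
        Credentials other = p.getCredentials(new AuthScope("other.example.net", 443));
        System.out.println("login.example.com matched: " + (login != null));
        System.out.println("other.example.net matched: " + (other != null));
    }
}
```

Running main shows the lookup for login.example.com returning the credentials while the lookup for the unrelated host returns null, which is the property the ANY_HOST scope in the diff gives up.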

            People

            • Assignee: Yossi Shaul (yossis)
            • Reporter: Mark Nelson (markxnelson)
            • Votes: 0
            • Watchers: 2