Unable to use an account that isn't an administrator #20

Open
morgan-patou opened this issue Jan 22, 2018 · 2 comments

morgan-patou commented Jan 22, 2018

Hi,

When connecting to Alfresco on the Manifold interface, it asks to enter a username/password. Whenever this account isn't a member of the ALFRESCO_ADMINISTRATORS group, the connection fails and the following shows up in the logs:

ERROR 2018-01-08T10:59:03,081 (qtp638169719-446) - Json response is missing username.
com.github.maoo.indexer.client.AlfrescoParseException: Json response is missing username.
        at com.github.maoo.indexer.client.WebScriptsAlfrescoClient.getUsername(WebScriptsAlfrescoClient.java:305) ~[alfresco-indexer-client-0.8.1.jar:?]
        at com.github.maoo.indexer.client.WebScriptsAlfrescoClient.getUser(WebScriptsAlfrescoClient.java:298) ~[alfresco-indexer-client-0.8.1.jar:?]
        at com.github.maoo.indexer.client.WebScriptsAlfrescoClient.userFromHttpEntity(WebScriptsAlfrescoClient.java:289) ~[alfresco-indexer-client-0.8.1.jar:?]
        at com.github.maoo.indexer.client.WebScriptsAlfrescoClient.fetchUserAuthorities(WebScriptsAlfrescoClient.java:352) ~[alfresco-indexer-client-0.8.1.jar:?]
        at org.apache.manifoldcf.crawler.connectors.alfrescowebscript.AlfrescoConnector.check(AlfrescoConnector.java:133) [mcf-alfresco-webscript-connector.jar:?]
        at org.apache.jsp.viewconnection_jsp._jspService(viewconnection_jsp.java:249) [jsp/:?]
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jasper-6.0.35.jar:6.0.35]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:388) [jasper-6.0.35.jar:6.0.35]
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313) [jasper-6.0.35.jar:6.0.35]
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260) [jasper-6.0.35.jar:6.0.35]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:769) [jetty-servlet-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) [jetty-servlet-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:595) [jetty-security-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1125) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) [jetty-servlet-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1059) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:191) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:72) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:709) [jasper-6.0.35.jar:6.0.35]
        at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:680) [jasper-6.0.35.jar:6.0.35]
        at org.apache.jsp.execute_jsp._jspService(execute_jsp.java:368) [jsp/:?]
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jasper-6.0.35.jar:6.0.35]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:388) [jasper-6.0.35.jar:6.0.35]
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313) [jasper-6.0.35.jar:6.0.35]
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260) [jasper-6.0.35.jar:6.0.35]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:769) [jetty-servlet-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) [jetty-servlet-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) [jetty-security-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1125) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) [jetty-servlet-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1059) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.Server.handle(Server.java:497) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:248) [jetty-server-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) [jetty-io-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:610) [jetty-util-9.2.3.v20140905.jar:9.2.3.v20140905]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:539) [jetty-util-9.2.3.v20140905.jar:9.2.3.v20140905]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]

Would it be possible to use another user without administrative access? Where needed, I'm guessing this should be provided by using a runAs for example... Since this is all happening on the Alfresco side anyway, I don't think there would be an issue doing something like that.

Regards,
Morgan

@bmlong137
Contributor

For future reference of this issue, this is due to the REST call executed here. It throws the exception here. This appears to be version v0.8.4 and not the latest v0.8.5, although that does not seem to be a factor at all.

The webscript in question requires user authority and not admin, so it is reasonable to have a non ALFRESCO_ADMINISTRATOR executing it. The big question is what if unprivileged userA requests the list of authorities for unprivileged (or privileged) userB. I am pretty sure, without verifying, that this is the case with this call to authorityService.getAuthoritiesForUser. This probably throws an exception, which gives a generic http500. It should probably give an http403 (forbidden) or allow it in certain cases. One such case is if the user is requesting their own username. In those cases, we would need an AuthenticationUtil.runAsSystem container.

Would that work for you? Do you have the details of your request? Is the authenticated user passing their own username to the webscript?
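
The access rule proposed in the comment above (a user may read their own authorities, any other lookup is refused with a 403 instead of a generic 500, and elevated rights are used only after that check), as an added Java example that is not part of the thread or of the alfresco-indexer code. `AuthorityStore`, `Result` and `AuthorityLookupPolicy` are hypothetical stand-ins for the repository services; letting administrators look up any user and answering 400 for missing input are assumptions.

```java
import java.util.Map;
import java.util.Set;

/** Added illustration with stand-in types; not Alfresco or alfresco-indexer code. */
public class AuthorityLookupPolicy {

    /** Stand-in for the repository lookup (authorityService.getAuthoritiesForUser in the thread). */
    interface AuthorityStore { Set<String> authoritiesFor(String username); }

    /** What the HTTP layer gets back: a status code and, when allowed, the authorities. */
    record Result(int status, Set<String> authorities) {}

    // Full authority name of the ALFRESCO_ADMINISTRATORS group (groups carry a GROUP_ prefix).
    static final String ADMIN_GROUP = "GROUP_ALFRESCO_ADMINISTRATORS";

    private final AuthorityStore store;

    AuthorityLookupPolicy(AuthorityStore store) { this.store = store; }

    /** caller = authenticated user; requested = username taken from the request. */
    Result lookup(String caller, String requested) {
        if (caller == null || requested == null || requested.isBlank()) {
            return new Result(400, Set.of());      // assumption: malformed request
        }
        boolean self = caller.equals(requested);
        // The admin decision uses the caller's own authorities, never request input.
        boolean admin = store.authoritiesFor(caller).contains(ADMIN_GROUP);
        if (!self && !admin) {
            return new Result(403, Set.of());      // explicit refusal, not a 500
        }
        // Only this read needs elevated rights. In Alfresco it is the part that would sit
        // inside AuthenticationUtil.runAsSystem(...), reached only once the check has passed.
        return new Result(200, store.authoritiesFor(requested));
    }

    public static void main(String[] args) {
        // Constructed sample data: an unprivileged crawler account, a user, an administrator.
        Map<String, Set<String>> db = Map.of(
            "crawler", Set.of("GROUP_EVERYONE"),
            "alice", Set.of("GROUP_EVERYONE", "GROUP_HR"),
            "admin", Set.of("GROUP_EVERYONE", ADMIN_GROUP));
        AuthorityLookupPolicy policy =
            new AuthorityLookupPolicy(user -> db.getOrDefault(user, Set.of()));
        System.out.println(policy.lookup("crawler", "crawler")); // caller asks about itself
        System.out.println(policy.lookup("crawler", "alice"));   // caller asks about another user
        System.out.println(policy.lookup("admin", "alice"));     // administrator asks about another user
    }
}
```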

@morgan-patou
Author

Yes, this seems to be the place where the exception is thrown.

If you want some information on the reason why I'm opening this issue: we have been using Manifold for 5 years as a crawler for several components including Alfresco. It was using an old version of Manifold and was working perfectly with a non-administrative account. This is simply because we do not want to index all documents from Alfresco into this external Search system, but only public documents.
With the recent upgrade to Alfresco 5.x, our old Manifold isn't working anymore and we have to use the new version with this add-on.

There would be other ways to do what we want, like adding an aspect to all public documents and then indexing only the documents with this aspect. But it means that there would be rules too to categorize new documents as public or not, and so on... This adds complexity on the repository that isn't necessary.
Therefore I'm feeling like it should also be possible to use an unprivileged account to only get access to (and therefore index) the documents that this account can see. Then getting the properties, authorities and other similar things could be gathered using the runAs.

Basically this would just be to crawl a part of the Alfresco repository as it was possible with Alfresco 4.x. There would not be any real user interaction: the external users would just search for something and this would be using the index created from the crawl => So only public documents.

I'm not sure this is clear...
