We're using our custom SSO auth filter and connector (based on the ones in the Share sources) to provide external OAuth authentication for Alfresco. It worked fine in 5.0.d, but after upgrading to 5.1.e some of the dashboard elements would in some cases (i.e., quite randomly) disappear or return an error message. After some digging, the issue turned out to be related to the following:
- The endpoint connector relies on the MTAuthentationFilter to get the servlet request in cases where the request bypasses the Spring dispatcher servlet;
- The SSO auth filter has a mapping on /service/* while the MTAuthenticationFilter does not;
- The auth filter checks if the user is authenticated by calling "/touch" through the connector. In theory, this should result in a null pointer exception in the connector for the requests that came through /service/ (in our code we did check for nulls :) but the user would still be unauthenticated for the repository).
According to the SVN log, the auth filter was mapped to /service/ in 5.1 due to some issues with Kerberos, MNT-13524 I believe. Is it a bug that MTAuthenticationFilter wasn't mapped as well?
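
One way to check a `web.xml` for the mapping mismatch described in this post: the script below is an added example, not code from the post or from Alfresco. The descriptor is constructed sample data and the filter name `SSOAuthFilter` is an assumption; substitute the names used in your own `web.xml`.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor, not the real Share web.xml; filter names are assumed.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter-mapping><filter-name>SSOAuthFilter</filter-name>
    <url-pattern>/page/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>SSOAuthFilter</filter-name>
    <url-pattern>/proxy/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>SSOAuthFilter</filter-name>
    <url-pattern>/service/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>MTAuthenticationFilter</filter-name>
    <url-pattern>/page/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>MTAuthenticationFilter</filter-name>
    <url-pattern>/proxy/*</url-pattern></filter-mapping>
</web-app>"""

def _local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on namespaced tags.
    return tag.rsplit("}", 1)[-1]

def filter_mappings(web_xml):
    """Return {filter-name: set of url-patterns} from all <filter-mapping>s."""
    mappings = {}
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "filter-mapping":
            continue
        kids = {}
        for c in el:
            kids.setdefault(_local(c.tag), []).append((c.text or "").strip())
        for name in kids.get("filter-name", []):
            mappings.setdefault(name, set()).update(kids.get("url-pattern", []))
    return mappings

def covers(broad, narrow):
    """True if path-prefix pattern `broad` matches everything `narrow` does."""
    if broad == narrow:
        return True
    return broad.endswith("/*") and narrow.startswith(broad[:-1])

def uncovered_patterns(web_xml, dependent, prerequisite):
    """Patterns where `dependent` is mapped but `prerequisite` is not."""
    m = filter_mappings(web_xml)
    have = m.get(prerequisite, set())
    return sorted(p for p in m.get(dependent, set())
                  if not any(covers(h, p) for h in have))

if __name__ == "__main__":
    print(uncovered_patterns(SAMPLE_WEB_XML, "SSOAuthFilter",
                             "MTAuthenticationFilter"))  # ['/service/*']
```

The check compares `<url-pattern>` entries only; `<servlet-name>` mappings and the order in which the filters are declared are not examined.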