diff --git a/Makefile b/Makefile
index e8d02bb5..c4ebf111 100644
--- a/Makefile
+++ b/Makefile
@@ -53,6 +53,10 @@ prepare_connectors: scripts/fetch-artifacts.sh setenv
 	@echo "Fetching all artifacts for Connectors targets"
 	@./scripts/fetch-artifacts.sh connector
 
+prepare_share: scripts/fetch-artifacts.sh setenv
+	@echo "Fetching all artifacts for Share targets"
+	@./scripts/fetch-artifacts.sh share
+
 prepare_all: scripts/fetch-artifacts.sh setenv
 	@echo "Fetching all artifacts"
 	@./scripts/fetch-artifacts.sh
@@ -77,6 +81,10 @@ connectors: prepare_connectors
 	@echo "Building Connectors images"
 	docker buildx bake ${DOCKER_BAKE_ARGS} connectors
 
+share: prepare_share
+	@echo "Building Share images"
+	docker buildx bake ${DOCKER_BAKE_ARGS} share
+
 all: docker-bake.hcl prepare_all
 	@echo "Building all images"
 	docker buildx bake ${DOCKER_BAKE_ARGS}
diff --git a/README.md b/README.md
index c1c81b7d..d49afe4d 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ Using this tool to build Alfresco images requires:
   require authentication
 * Some Unix tools: `jq`, `wget`, `make`
 
-Configuring the authentication to Alfresco NExus server must be dopne using the
+Configuring the authentication to Alfresco Nexus server must be done using the
 wget rc file `~/.wgetrc` or `~/.netrc`:
 
 ```sh
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 056782b7..089dc78d 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,5 +1,5 @@
 group "default" {
-  targets = ["content_service", "enterprise-search", "ats", "tengines", "connectors"]
+  targets = ["content_service", "enterprise-search", "ats", "tengines", "connectors", "share"]
 }
 
 group "content_service" {
@@ -22,6 +22,10 @@ group "connectors" {
   targets = ["connector_msteams", "connector_ms365"]
 }
 
+group "share" {
+  targets = ["share"]
+}
+
 variable "REGISTRY" {
   default = "localhost"
 }
@@ -546,3 +550,19 @@ target "connector_ms365" {
   output = ["type=docker"]
   platforms = split(",", "${TARGETARCH}")
 }
+
+target "share" {
+  context = "./share"
+  dockerfile = "Dockerfile"
+  inherits = ["tomcat_base"]
+  contexts = {
+    tomcat_base = "target:tomcat_base"
+  }
+  labels = {
+    "org.opencontainers.image.title" = "${PRODUCT_LINE} Share Enterprise"
+    "org.opencontainers.image.description" = "Alfresco Share Enterprise"
+  }
+  tags = ["${REGISTRY}/${REGISTRY_NAMESPACE}alfresco-share:${TAG}"]
+  output = ["type=docker"]
+  platforms = split(",", "${TARGETARCH}")
+}
diff --git a/share/Dockerfile b/share/Dockerfile
new file mode 100644
index 00000000..052dcfa4
--- /dev/null
+++ b/share/Dockerfile
@@ -0,0 +1,33 @@
+FROM tomcat_base
+
+USER root
+EXPOSE 8000
+
+RUN mkdir -p ${CATALINA_HOME}/shared/classes/alfresco/web-extension \
+    ${CATALINA_HOME}/amps_share \
+    ${CATALINA_HOME}/webapps/share/ \
+    ${CATALINA_HOME}/alfresco-mmt/ \
+    /licenses
+
+COPY substituter.sh ${CATALINA_HOME}/shared/classes/alfresco
+
+ADD distribution /tmp/
+ENV DISTDIR="/tmp/distribution"
+
+RUN yum install -y unzip xmlstarlet && \
+    unzip /tmp/*.zip -d ${DISTDIR} &&\
+    unzip ${DISTDIR}/alfresco*/web-server/webapps/share.war -d ${CATALINA_HOME}/webapps/share/ &&\
+    cp ${DISTDIR}/alfresco*/bin/* ${CATALINA_HOME}/alfresco-mmt/ &&\
+    cp -r ${DISTDIR}/alfresco*/amps ${CATALINA_HOME}/amps_share &&\
+    cp ${DISTDIR}/alfresco*/web-extension-samples/custom-slingshot-application-context.xml.sample ${CATALINA_HOME}/shared/classes/alfresco/web-extension &&\
+    cp ${DISTDIR}/alfresco*/web-extension-samples/smartfolders-amp-actions-config.xml ${CATALINA_HOME}/shared/classes/alfresco/web-extension &&\
+    cp /tmp/share-config-custom.xml ${CATALINA_HOME}/shared/classes/alfresco/web-extension &&\
+    rm -rf ${DISTDIR} /tmp &&\
+    sed -i "s/shared.loader=/shared.loader=\${catalina.base}\/shared\/classes/" ${CATALINA_HOME}/conf/catalina.properties &&\
+    chmod +x ${CATALINA_HOME}/shared/classes/alfresco/substituter.sh &&\
+    yum clean all && rm -rf /var/cache/yum
+    
+RUN java -jar ${CATALINA_HOME}/alfresco-mmt/alfresco-mmt*.jar install \
+              ${CATALINA_HOME}/amps_share ${CATALINA_HOME}/webapps/share -directory -nobackup -force
+
+ENTRYPOINT ["/usr/local/tomcat/shared/classes/alfresco/substituter.sh", "catalina.sh run"]
diff --git a/share/README.md b/share/README.md
new file mode 100644
index 00000000..e69de29b
diff --git a/share/artifacts.json b/share/artifacts.json
new file mode 100644
index 00000000..a666d02f
--- /dev/null
+++ b/share/artifacts.json
@@ -0,0 +1,14 @@
+{
+  "artifacts": {
+    "acs23": [
+      {
+        "name": "alfresco-content-services-share-distribution",
+        "version": "23.2.2",
+        "path": "share/distribution",
+        "classifier": ".zip",
+        "group": "org.alfresco",
+        "repository": "enterprise-releases"
+      }
+    ]
+  }
+}
diff --git a/share/distribution/README.md b/share/distribution/README.md
new file mode 100644
index 00000000..9172a562
--- /dev/null
+++ b/share/distribution/README.md
@@ -0,0 +1,17 @@
+# Alfresco Content Services share distribution
+
+Place here the version of Alfresco Content Services share distribution you want to
+use in your Docker image.
+Distribution file must be a ZIP file with the expected structure of an Alfresco
+Content Services share distribution.
+
+```tree
+amps/
+bin/
+web-extension-samples/
+web-server/
+|_webapps/
+|_conf/
+  |_Catalina/
+    |_localhost/
+```
diff --git a/share/distribution/share-config-custom.xml b/share/distribution/share-config-custom.xml
new file mode 100644
index 00000000..65fa6aa3
--- /dev/null
+++ b/share/distribution/share-config-custom.xml
@@ -0,0 +1,741 @@
+<alfresco-config>
+
+   <!-- Global config section -->
+   <config replace="true">
+      <flags>
+         <!--
+            Developer debugging setting to turn on DEBUG mode for client scripts in the browser
+         -->
+         <client-debug>false</client-debug>
+
+         <!--
+            LOGGING can always be toggled at runtime when in DEBUG mode (Ctrl, Ctrl, Shift, Shift).
+            This flag automatically activates logging on page load.
+         -->
+         <client-debug-autologging>false</client-debug-autologging>
+      </flags>
+   </config>
+   
+   <config evaluator="string-compare" condition="WebFramework">
+      <web-framework>
+         <!-- SpringSurf Autowire Runtime Settings -->
+         <!-- 
+              Developers can set mode to 'development' to disable; SpringSurf caches,
+              FreeMarker template caching and Rhino JavaScript compilation.
+         -->
+         <autowire>
+            <!-- Pick the mode: "production" or "development" -->
+            <mode>production</mode>
+         </autowire>
+
+         <!-- Allows extension modules with <auto-deploy> set to true to be automatically deployed -->
+         <module-deployment>
+            <mode>manual</mode>
+            <enable-auto-deploy-modules>true</enable-auto-deploy-modules>
+         </module-deployment>
+      </web-framework>
+   </config>
+
+   
+   <!--
+      CSRF filter config to mitigate CSRF/Seasurfing/XSRF attacks
+
+      To disable the CSRF filter override the <filter> to not contain any values, see share-config-custom.xml for
+      an example.
+
+      If you have a custom resource(s) that a client POST to that can't accept a token, for whatever reason, then make
+      sure to copy the entire CSRFPolicy config and place it in your share-config-custom.xml file
+      with the replace="true" attribute and make sure to add a new <rule> in the top of the <filter> element,
+      which has a <request> element matching your requests, and uses only the "assertReferer" & "assertOrigin" actions.
+
+      I.e.
+      <rule>
+         <request>
+            <method>POST</method>
+            <path>/proxy/alfresco/custom/repoWebscript/withoutParams|/service/custom/shareResource/thatMayHaveParams(\?.+)?</path>
+         </request>
+         <action name="assertReferer">
+            <param name="referer">{referer}</param>
+         </action>
+         <action name="assertOrigin">
+            <param name="origin">{origin}</param>
+         </action>
+      </rule>
+   -->
+   <config evaluator="string-compare" condition="CSRFPolicy" replace="false">
+
+      <!--
+         Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but
+         also making it possible to provide different values in different environments.
+         I.e. Different "Referer" & "Origin" properties for test & production etc.
+         Reference a property using "{propertyName}".
+      -->
+      <properties>
+
+         <!-- There is normally no need to override this property -->
+         <token>Alfresco-CSRFToken</token>
+
+         <!--
+            Override and set this property with a regexp that if you have placed Share behind a proxy that
+            does not rewrite the Referer header.
+         -->
+         <referer></referer>
+
+         <!--
+            Override and set this property with a regexp that if you have placed Share behind a proxy that
+            does not rewrite the Origin header.
+         -->
+         <origin></origin>
+      </properties>
+
+      <!--
+        Will be used and exposed to the client side code in Alfresco.contants.CSRF_POLICY.
+        Use the Alfresco.util.CSRFPolicy.getHeader() or Alfresco.util.CSRFPolicy.getParameter() with Alfresco.util.CSRFPolicy.getToken()
+        to set the token in custom 3rd party code.
+      -->
+      <client>
+         <cookie>{token}</cookie>
+         <header>{token}</header>
+         <parameter>{token}</parameter>
+      </client>
+
+      <!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
+      <filter>
+
+         <!--
+            Certain webscripts shall not be allowed to be accessed directly form the browser.
+            Make sure to throw an error if they are used.
+         -->
+         <rule>
+            <request>
+               <path>/proxy/alfresco/remoteadm/.*</path>
+            </request>
+            <action name="throwError">
+               <param name="message">It is not allowed to access this url from your browser</param>
+            </action>
+         </rule>
+
+         <!--
+            Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.
+            TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.
+         -->
+         <rule>
+            <request>
+               <method>POST</method>
+               <path>/proxy/alfresco/api/publishing/channels/.+</path>
+            </request>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+         </rule>
+
+         <!--
+            Certain Surf POST requests from the WebScript console must be allowed to pass without a token since
+            the Surf WebScript console code can't be dependent on a Share specific filter.
+         -->
+         <rule>
+            <request>
+               <method>POST</method>
+               <path>
+                  /page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console
+               </path>
+            </request>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+         </rule>
+
+         <!-- Certain Share POST requests does NOT require a token -->
+         <rule>
+            <request>
+               <method>POST</method>
+               <path>
+                  /page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow
+               </path>
+            </request>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+         </rule>
+
+         <!-- Assert logout is done from a valid domain, if so clear the token when logging out -->
+         <rule>
+            <request>
+               <method>POST</method>
+               <path>/page/dologout(\?.+)?</path>
+            </request>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+            <action name="clearToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+
+         <!-- Make sure the first token is generated -->
+         <rule>
+            <request>
+               <session>
+                  <attribute name="_alf_USER_ID">.+</attribute>
+                  <attribute name="{token}" />
+                  <!-- empty attribute element indicates null, meaning the token has not yet been set -->
+               </session>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+
+         <!-- Refresh token on new "page" visit when a user is logged in -->
+         <rule>
+            <request>
+               <method>GET</method>
+               <path>/page/.*</path>
+               <session>
+                  <attribute name="_alf_USER_ID">.+</attribute>
+                  <attribute name="{token}">.+</attribute>
+               </session>
+            </request>
+            <action name="generateToken">
+               <param name="session">{token}</param>
+               <param name="cookie">{token}</param>
+            </action>
+         </rule>
+
+         <!--
+            Verify multipart requests from logged in users contain the token as a parameter
+            and also correct referer & origin header if available
+         -->
+         <rule>
+            <request>
+               <method>POST</method>
+               <header name="Content-Type">multipart/.+</header>
+               <session>
+                  <attribute name="_alf_USER_ID">.+</attribute>
+               </session>
+            </request>
+            <action name="assertToken">
+               <param name="session">{token}</param>
+               <param name="parameter">{token}</param>
+            </action>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+         </rule>
+
+         <!--
+            Verify that all remaining state changing requests from logged in users' requests contains a token in the
+            header and correct referer & origin headers if available. We "catch" all content types since just setting it to
+            "application/json.*" since a webscript that doesn't require a json request body otherwise would be
+            successfully executed using i.e."text/plain".
+         -->
+         <rule>
+            <request>
+               <method>POST|PUT|DELETE</method>
+               <session>
+                  <attribute name="_alf_USER_ID">.+</attribute>
+               </session>
+            </request>
+            <action name="assertToken">
+               <param name="session">{token}</param>
+               <param name="header">{token}</param>
+            </action>
+            <action name="assertReferer">
+               <param name="referer">{referer}</param>
+            </action>
+            <action name="assertOrigin">
+               <param name="origin">{origin}</param>
+            </action>
+         </rule>
+      </filter>
+
+   </config>
+
+
+   <!--
+      Remove the default wildcard setting and use instead a strict whitelist of the only domains that shall be allowed
+      to be used inside iframes (i.e. in the WebView dashlet on the dashboards)
+   -->
+   <!--
+   <config evaluator="string-compare" condition="IFramePolicy" replace="true">
+      <cross-domain>
+         <url>http://www.trusted-domain-1.com/</url>
+         <url>http://www.trusted-domain-2.com/</url>
+      </cross-domain>
+   </config>
+   -->
+
+   <!-- Turn off header that stops Share from being displayed in iframes on pages from other domains -->
+   <!--
+   <config evaluator="string-compare" condition="SecurityHeadersPolicy">
+      <headers>
+         <header>
+            <name>X-Frame-Options</name>
+            <enabled>false</enabled>
+         </header>
+      </headers>
+   </config>
+   -->
+
+   <!-- Prevent browser communication over HTTP (for HTTPS servers) -->
+   <!--
+   <config evaluator="string-compare" condition="SecurityHeadersPolicy">
+      <headers>
+         <header>
+            <name>Strict-Transport-Security</name>
+            <value>max-age=31536000</value>
+         </header>
+      </headers>
+   </config>
+   -->
+
+   <config evaluator="string-compare" condition="Replication">
+      <share-urls>
+         <!--
+            To locate your current repositoryId go to Admin Console > General > Repository Information:
+              http://localhost:8080/alfresco/s/enterprise/admin/admin-repositoryinfo        
+
+            Example config entry:
+              <share-url repositoryId="622f9533-2a1e-48fe-af4e-ee9e41667ea4">http://new-york-office:8080/share/</share-url>
+         -->
+      </share-urls>
+   </config>
+
+   <!-- Document Library config section -->
+   <config evaluator="string-compare" condition="DocumentLibrary" replace="true">
+
+      <tree>
+         <!--
+            Whether the folder Tree component should enumerate child folders or not.
+            This is a relatively expensive operation, so should be set to "false" for Repositories with broad folder structures.
+         -->
+         <evaluate-child-folders>false</evaluate-child-folders>
+         
+         <!--
+            Optionally limit the number of folders shown in treeview throughout Share.
+         -->
+         <maximum-folder-count>1000</maximum-folder-count>
+         
+         <!--  
+            Default timeout in milliseconds for folder Tree component to recieve response from Repository
+         -->
+         <timeout>7000</timeout>
+      </tree>
+
+      <!--
+         Used by "Manage Rules" -> "Add aspect" action.
+
+         If an aspect has been specified without a title element in the content model,
+         or you need to support multiple languages,
+         then an i18n file is needed on the Repo AMP/JAR extension side for the aspect to
+         be visible when creating rules:
+
+          custom_customModel.aspect.custom_myaspect.title=My Aspect
+
+         Used by the "Manage Aspects" action.
+
+         For the aspect to have a localised label add relevant i18n string(s) in a Share AMP/JAR extension:
+
+          aspect.custom_myaspect=My Aspect
+      -->
+      <aspects>
+         <!-- Aspects that a user can see -->
+         <visible>
+            <aspect name="cm:generalclassifiable" />
+            <aspect name="cm:complianceable" />
+            <aspect name="cm:dublincore" />
+            <aspect name="cm:effectivity" />
+            <aspect name="cm:summarizable" />
+            <aspect name="cm:versionable" />
+            <aspect name="cm:templatable" />
+            <aspect name="cm:emailed" />
+            <aspect name="emailserver:aliasable" />
+            <aspect name="cm:taggable" />
+            <aspect name="app:inlineeditable" />
+            <aspect name="cm:geographic" />
+            <aspect name="exif:exif" />
+            <aspect name="audio:audio" />
+            <aspect name="cm:indexControl" />
+            <aspect name="dp:restrictable" />
+            <aspect name="smf:customConfigSmartFolder" />
+            <aspect name="smf:systemConfigSmartFolder" />
+         </visible>
+
+         <!-- Aspects that a user can add. Same as "visible" if left empty -->
+         <addable>
+         </addable>
+
+         <!-- Aspects that a user can remove. Same as "visible" if left empty -->
+         <removeable>
+         </removeable>
+      </aspects>
+
+      <!--
+         Used by "Manage Rules" -> "Specialise type" action.
+
+         If a type has been specified without a title element in the content model,
+         or you need to support multiple languages,
+         then an i18n file is needed on the Repo AMP/JAR extension side for the type to
+         be visible when creating rules:
+
+            custom_customModel.type.custom_mytype.title=My SubType
+
+         Used by the "Change Type" action.
+
+         For the type to have a localised label add relevant i18n string(s) in a Share AMP/JAR extension:
+
+            type.custom_mytype=My SubType
+
+         Define valid subtypes using the following example:
+
+            <type name="cm:content">
+             <subtype name="custom:mytype" />
+            </type>
+      -->
+      <types>
+         <type name="cm:content">
+            <subtype name="smf:smartFolderTemplate" />
+         </type>
+
+          <type name="cm:folder">
+         </type>
+
+         <type name="trx:transferTarget">
+            <subtype name="trx:fileTransferTarget" />
+         </type>
+      </types>
+
+      <!--
+         If set, will present a WebDAV link for the current item on the Document and Folder details pages.
+         Also used to generate the "View in Alfresco Explorer" action for folders.
+      -->
+      <repository-url>http://REPO_HOST:REPO_PORT/alfresco</repository-url>
+
+      <!--
+         Google Docs™ integration
+      -->
+      <google-docs>
+         <!--
+            Enable/disable the Google Docs UI integration (Extra types on Create Content menu, Google Docs actions).
+         -->
+         <enabled>false</enabled>
+
+         <!--
+            The mimetypes of documents Google Docs allows you to create via the Share interface.
+            The I18N label is created from the "type" attribute, e.g. google-docs.doc=Google Docs&trade; Document
+         -->
+         <creatable-types>
+            <creatable type="doc">application/vnd.openxmlformats-officedocument.wordprocessingml.document</creatable>
+            <creatable type="xls">application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</creatable>
+            <creatable type="ppt">application/vnd.ms-powerpoint</creatable>
+         </creatable-types>
+      </google-docs>
+
+      <!--
+         File upload configuration
+      -->
+      <file-upload>
+         <!--
+            Adobe Flash™
+            In certain environments, an HTTP request originating from Flash cannot be authenticated using an existing session.
+            See: http://bugs.adobe.com/jira/browse/FP-4830
+            For these cases, it is useful to disable the Flash-based uploader for Share Document Libraries.
+         -->
+         <adobe-flash-enabled>true</adobe-flash-enabled>
+      </file-upload>
+   </config>
+
+
+   <!-- Custom DocLibActions config section -->
+   <config evaluator="string-compare" condition="DocLibActions">
+      <actionGroups>
+         <actionGroup id="document-browse">
+
+            <!-- Simple Repo Actions -->
+            <!--
+            <action index="340" id="document-extract-metadata" />
+            <action index="350" id="document-increment-counter" />
+            -->
+
+            <!-- Dialog Repo Actions -->
+            <!--
+            <action index="360" id="document-transform" />
+            <action index="370" id="document-transform-image" />
+            <action index="380" id="document-execute-script" />
+            -->
+
+         </actionGroup>
+      </actionGroups>
+   </config>
+
+   <!-- Global folder picker config section -->
+   <config evaluator="string-compare" condition="GlobalFolder">
+      <siteTree>
+         <container type="cm:folder">
+            <!-- Use a specific label for this container type in the tree -->
+            <rootLabel>location.path.documents</rootLabel>
+            <!-- Use a specific uri to retreive the child nodes for this container type in the tree -->
+            <uri>slingshot/doclib/treenode/site/{site}/{container}{path}?children={evaluateChildFoldersSite}&amp;max={maximumFolderCountSite}</uri>
+         </container>
+      </siteTree>
+   </config>
+
+   <!-- Repository Library config section -->
+   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
+      <!--
+         Root nodeRef or xpath expression for top-level folder.
+         e.g. alfresco://user/home, /app:company_home/st:sites/cm:site1
+         If using an xpath expression, ensure it is properly ISO9075 encoded here.
+      -->
+      <root-node>alfresco://company/home</root-node>
+
+      <tree>
+         <!--
+            Whether the folder Tree component should enumerate child folders or not.
+            This is a relatively expensive operation, so should be set to "false" for Repositories with broad folder structures.
+         -->
+         <evaluate-child-folders>false</evaluate-child-folders>
+         
+         <!--
+            Optionally limit the number of folders shown in treeview throughout Share.
+         -->
+         <maximum-folder-count>500</maximum-folder-count>
+      </tree>
+
+      <!--
+         Whether the link to the Repository Library appears in the header component or not.
+      -->
+      <visible>true</visible>
+   </config>
+   
+   <!-- Kerberos settings -->
+   <!-- To enable kerberos rename this condition to "Kerberos" -->
+   <config evaluator="string-compare" condition="KerberosDisabled" replace="true">
+      <kerberos>
+         <!--
+            Password for HTTP service account.
+            The account name *must* be built from the HTTP server name, in the format :
+               HTTP/<server_name>@<realm>
+            (NB this is because the web browser requests an ST for the
+            HTTP/<server_name> principal in the current realm, so if we're to decode
+            that ST, it has to match.)
+         -->
+         <password>secret</password>
+         <!--
+            Kerberos realm and KDC address.
+         -->
+         <realm>ALFRESCO.ORG</realm>
+         <!--
+            Service Principal Name to use on the repository tier.
+            This must be like: HTTP/host.name@REALM
+         -->
+         <endpoint-spn>HTTP/repository.server.com@ALFRESCO.ORG</endpoint-spn>
+         <!--
+            JAAS login configuration entry name.
+         -->
+         <config-entry>ShareHTTP</config-entry>
+        <!--
+           A Boolean which when true strips the @domain sufix from Kerberos authenticated usernames.
+           Use together with stripUsernameSuffix property in alfresco-global.properties file.
+        -->
+        <stripUserNameSuffix>true</stripUserNameSuffix>
+      </kerberos>
+   </config>
+
+   <!-- Uncomment and modify the URL to Activiti Admin Console if required. -->
+   <!--
+   <config evaluator="string-compare" condition="ActivitiAdmin" replace="true">
+      <activiti-admin-url>http://localhost:8080/alfresco/activiti-admin</activiti-admin-url>
+   </config>
+   -->
+
+   <config evaluator="string-compare" condition="Remote">
+      <remote>
+         <endpoint>
+            <id>alfresco-noauth</id>
+            <name>Alfresco - unauthenticated access</name>
+            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
+            <connector-id>alfresco</connector-id>
+            <endpoint-url>http://REPO_HOST:REPO_PORT/alfresco/s</endpoint-url>
+            <identity>none</identity>
+         </endpoint>
+
+         <endpoint>
+            <id>alfresco</id>
+            <name>Alfresco - user access</name>
+            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
+            <connector-id>alfresco</connector-id>
+            <endpoint-url>http://REPO_HOST:REPO_PORT/alfresco/s</endpoint-url>
+            <identity>user</identity>
+         </endpoint>
+
+         <endpoint>
+            <id>alfresco-feed</id>
+            <name>Alfresco Feed</name>
+            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
+            <connector-id>http</connector-id>
+            <endpoint-url>http://REPO_HOST:REPO_PORT/alfresco/s</endpoint-url>
+            <basic-auth>true</basic-auth>
+            <identity>user</identity>
+         </endpoint>
+         
+         <endpoint>
+            <id>alfresco-api</id>
+            <parent-id>alfresco</parent-id>
+            <name>Alfresco Public API - user access</name>
+            <description>Access to Alfresco Repository Public API that require user authentication.
+                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
+            <connector-id>alfresco</connector-id>
+            <endpoint-url>http://REPO_HOST:REPO_PORT/alfresco/api</endpoint-url>
+            <identity>user</identity>
+         </endpoint>
+      </remote>
+   </config>
+
+   <config evaluator="string-compare" condition="Users" replace="true">
+      <users>
+         <!-- minimum length for username and password -->
+         <username-min-length>2</username-min-length>
+         <password-min-length>8</password-min-length>
+         <show-authorization-status>true</show-authorization-status>
+      </users>
+      <!-- This enables/disables the Add External Users Panel on the Add Users page. -->
+      <enable-external-users-panel>false</enable-external-users-panel>
+   </config>
+
+   <!-- 
+        Overriding endpoints to reference an Alfresco server with external SSO enabled
+        NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
+              sessions" feature of your load balancer must be used.
+        NOTE: If alfresco server location is not localhost:8080 then also combine changes from the
+              "example port config" section below.
+        *Optional* ssl-config contains:
+              keystore for managing client key and certificate.
+              truststore for managing trusted CAs.
+        Used to authenticate share to an external SSO system such as CAS or 
+        to make share talk to SSL layers that require client certificates.
+        Remove the ssl-config section if not required i.e. for NTLM.
+        
+        NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"
+        
+        NOTE: For external SSO, switch the endpoint connector to "alfrescoHeader" and set
+              the userHeader value to the name of the HTTP header that the external SSO
+              uses to provide the authenticated user name.
+        NOTE: For external SSO, Share now supports the "userIdPattern" mechanism as is available
+              on the repository config for External Authentication sub-system. Add the following
+              element to your "alfrescoHeader" connector config:
+              <userIdPattern>^ignore-(\w+)-ignore</userIdPattern>
+              This is an example, ensure the Id pattern matches your repository config.
+        NOTE: For external SSO, Share now supports stateless (no Http Session or sticky session)
+              connection to the repository when using the alfrescoHeader remote user connector.
+              e.g. You can change endpoint config to use the faster /service URL instead of the
+              /wcs URL if you are using External Authentication and then remove sticky session config
+              from your proxy between Share and Alfresco. Note that this is also faster because Share
+              will no longer call the /touch REST API before every remote call to the repository.
+   -->
+
+   <!-- Security warning -->
+   <!-- For production environment set verify-hostname to true.-->
+   <!--
+   <config evaluator="string-compare" condition="Remote">
+      <remote>
+         <ssl-config>
+            <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
+            <keystore-type>pkcs12</keystore-type>
+            <keystore-password>alfresco-system</keystore-password>
+
+            <truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
+            <truststore-type>JCEKS</truststore-type>
+            <truststore-password>password</truststore-password>
+
+            <verify-hostname>true</verify-hostname>
+         </ssl-config>
+
+         <connector>
+            <id>alfrescoCookie</id>
+            <name>Alfresco Connector</name>
+            <description>Connects to an Alfresco instance using cookie-based authentication</description>
+            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
+         </connector>
+         
+         <connector>
+            <id>alfrescoHeader</id>
+            <name>Alfresco Connector</name>
+            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
+            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
+            <userHeader>SsoUserHeader</userHeader>
+         </connector>
+
+         <endpoint>
+            <id>alfresco</id>
+            <name>Alfresco - user access</name>
+            <description>Access to Alfresco Repository WebScripts that require user authentication</description>
+            <connector-id>alfrescoCookie</connector-id>
+            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
+            <identity>user</identity>
+            <external-auth>true</external-auth>
+         </endpoint>
+         
+         <endpoint>
+            <id>alfresco-feed</id>
+            <parent-id>alfresco</parent-id>
+            <name>Alfresco Feed</name>
+            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description> 
+            <connector-id>alfrescoHeader</connector-id> 
+            <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
+            <identity>user</identity>
+            <external-auth>true</external-auth>
+         </endpoint>
+         
+         <endpoint>
+            <id>alfresco-api</id>
+            <parent-id>alfresco</parent-id>
+            <name>Alfresco Public API - user access</name>
+            <description>Access to Alfresco Repository Public API that require user authentication.
+                         This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
+            <connector-id>alfrescoHeader</connector-id>
+            <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
+            <identity>user</identity>
+            <external-auth>true</external-auth>
+         </endpoint>
+      </remote>
+   </config>
+   -->
+
+   <!-- Cookie settings -->
+   <!-- To disable alfUsername2 cookie set enableCookie value to "false" -->
+   <!--
+   <plug-ins>
+      <element-readers>
+         <element-reader element-name="cookie" class="org.alfresco.web.config.cookie.CookieElementReader"/>
+      </element-readers>
+   </plug-ins>
+   
+   <config evaluator="string-compare" condition="Cookie" replace="true">
+      <cookie>
+         <enableCookie>false</enableCookie>
+         <cookies-to-remove>
+            <cookie-to-remove>alfUsername3</cookie-to-remove>
+            <cookie-to-remove>alfLogin</cookie-to-remove>
+         </cookies-to-remove>
+      </cookie>
+   </config>
+   -->
+</alfresco-config>
diff --git a/share/substituter.sh b/share/substituter.sh
new file mode 100644
index 00000000..92c3431b
--- /dev/null
+++ b/share/substituter.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+set -e
+
+if [[ $REPO_HOST == "" ]]; then
+    REPO_HOST=localhost
+fi
+
+if [[ $REPO_PORT == "" ]]; then
+    REPO_PORT=8080
+fi
+
+if [[ $USE_SSL == "true" ]]; then
+    sed -ie 's_port="8080"_port="8080" scheme="https"_' "$CATALINA_HOME"/conf/server.xml
+fi
+
+echo "Replace 'REPO_HOST' with '$REPO_HOST' and 'REPO_PORT' with '$REPO_PORT'"
+
+xmlstarlet ed --inplace \
+-u "//config[@evaluator='string-compare' and @condition='DocumentLibrary']//repository-url" -v "http://"$REPO_HOST:$REPO_PORT"/alfresco" \
+-u "//config[@evaluator='string-compare' and @condition='Remote']//remote//endpoint//endpoint-url" -v "http://"$REPO_HOST:$REPO_PORT"/alfresco/s" \
+"$CATALINA_HOME"/shared/classes/alfresco/web-extension/share-config-custom.xml
+
+echo "NEW -csrf.filter.referer is '$CSRF_FILTER_REFERER'"
+echo "NEW -csrf.filter.origin is '$CSRF_FILTER_ORIGIN'"
+
+if [ "${CSRF_FILTER_REFERER}" != "" ] && [  "${CSRF_FILTER_ORIGIN}" != "" ]; then
+    # set CSRFPolicy to true and set both properties referer and origin
+    xmlstarlet ed --inplace \
+    -u "//config[@evaluator='string-compare' and @condition='CSRFPolicy']/@replace" -v "true" \
+    -u "//config[@evaluator='string-compare' and @condition='CSRFPolicy']//referer" -v "$CSRF_FILTER_REFERER" \
+    -u "//config[@evaluator='string-compare' and @condition='CSRFPolicy']//origin" -v "$CSRF_FILTER_ORIGIN" \
+    "$CATALINA_HOME"/shared/classes/alfresco/web-extension/share-config-custom.xml
+fi
+
+bash -c "$@"
diff --git a/test/helm/test-overrides.yaml b/test/helm/test-overrides.yaml
index 0dfdaf06..3ef76115 100644
--- a/test/helm/test-overrides.yaml
+++ b/test/helm/test-overrides.yaml
@@ -3,7 +3,10 @@ alfresco-repository:
   image:
     repository: localhost/alfresco-content-repository
     tag: latest
-#share:
+share:
+  image:
+    repository: localhost/alfresco-share
+    tag: latest
 alfresco-search-enterprise:
   liveIndexing:
     content: