Buenas tardes. ¿Me podrían ayudar? Soy nuevo en el desarrollo de OpenKM. He intentado autenticar usando Kerberos siguiendo el ejemplo que existe; todo va bien hasta que intento ingresar y me pide una preautorización. Me imagino que es porque en la empresa donde usamos Kerberos lo usamos con un comando previo llamado kinit. ¿Cómo puedo hacer para que OpenKM me reconozca el usuario y la contraseña?
Mis parámetros son:
principal.adapter com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users true
principal.ldap.referral follow
principal.ldap.mail.attribute mail
principal.ldap.mail.search.base cn=users,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx
principal.ldap.mail.search.filter (objectClass=Person)
principal.ldap.role.attribute cn
principal.ldap.role.search.base cn=roles,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx
principal.ldap.role.search.filter (objectClass=groupOfNames)
principal.ldap.roles.by.user.attribute memberOf
principal.ldap.roles.by.user.search.base cn=users,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx
principal.ldap.roles.by.user.search.filter (objectClass=inetUser)
principal.ldap.security.credentials prueba123
principal.ldap.security.principal uid=antonio.lopez,cn=users,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx
principal.ldap.server ldaps://ejemplo.mx:636/
principal.ldap.user.attribute uid
principal.ldap.user.search.base cn=users,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx
principal.ldap.user.search.filter (objectClass=inetUser)
principal.ldap.username.attribute cn
principal.ldap.username.search.base cn=users,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx
principal.ldap.username.search.filter (objectClass=inetUser)
principal.ldap.users.by.role.attribute member
principal.ldap.users.by.role.search.base cn=roles,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx
principal.ldap.users.by.role.search.filter (objectClass=groupOfNames)
Mi archivo OpenKM.xml es:
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd">
<!-- Security configuration -->
<!-- Kerberos setup: spnegoEntryPoint challenges the browser for a SPNEGO ticket; the processing filter hands the
     ticket to authenticationManager, which holds two providers: one for SPNEGO tickets and one for the
     username/password typed into the login form. The log excerpt in this post comes from the form-login path
     (UsernamePasswordAuthenticationFilter). -->
<beans:bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
<beans:bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="kerberosServiceAuthenticationProvider" /> <!-- Used with SPNEGO -->
<security:authentication-provider ref="kerberosAuthenticationProvider"/> <!-- Used with form login -->
</security:authentication-manager>
<!-- Form-login provider. SunJaasKerberosClient presumably performs the password-based AS exchange against the KDC
     itself (the same exchange kinit performs), so no separate kinit is needed on the server - confirm against the
     Spring Security Kerberos docs. A "pre-authentication" failure at this step commonly indicates that the password,
     realm or encryption types the JVM uses do not match the KDC; see the krb5.conf note on
     GlobalSunJaasKerberosConfig below. -->
<beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
<beans:property name="kerberosClient">
<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
<!-- debug=true writes JAAS/Kerberos negotiation details to the server log; useful while diagnosing, disable afterwards -->
<beans:property name="debug" value="true"/>
</beans:bean>
</beans:property>
<!-- Once the Kerberos login succeeds, user details and roles are loaded from LDAP via ldapUserService (below) -->
<beans:property name="userDetailsService" ref="ldapUserService"/>
</beans:bean>
<!-- SPNEGO provider: validates the ticket presented by the browser against the keytab -->
<beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
<beans:property name="ticketValidator">
<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
<!-- Must match a principal present in the keytab below (the realm comes from krb5.conf) - TODO confirm with klist -k -->
<beans:property name="servicePrincipal" value="HTTP/sigedocs.ipa.derfe.ine.mx" />
<!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
<!-- See the Javadoc for more information on that -->
<!-- The keytab is a long-lived credential: it must be readable by the Tomcat account and by nothing else -->
<beans:property name="keyTabLocation" value="file:/etc/krb5.keytab" />
<!-- Same as above: debug output is only wanted while troubleshooting -->
<beans:property name="debug" value="true" />
</beans:bean>
</beans:property>
<beans:property name="userDetailsService" ref="ldapUserService" />
</beans:bean>
<beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
<beans:property name="debug" value="true" />
<!-- You can point to a different kerberos config location here, if you don't want the default one -->
<!-- <property name="krbConfLocation" value="/etc/krb5.conf"/> -->
<!-- NOTE(review): with krbConfLocation left commented out the JVM default krb5.conf is used. If that is not the
     file kinit uses on this host (realm, kdc, permitted enctypes), password logins can fail at pre-authentication
     even though kinit works - confirm. -->
</beans:bean>
<!-- LDAP bind used for user and group lookups. userDn/password are a plaintext service credential and duplicate
     principal.ldap.security.principal / principal.ldap.security.credentials from the OpenKM configuration above.
     Restrict read access to this file, and rotate the password since it appears verbatim in this post. -->
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldaps://m1.ipa.derfe.ine.mx:636"/>
<beans:property name="userDn" value="uid=antonio.lopez,cn=users,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx"/>
<beans:property name="password" value="prueba123"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<!-- Follow LDAP referrals, matching principal.ldap.referral in the OpenKM configuration -->
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<!-- Maps the authenticated Kerberos principal to an LDAP user entry and its group memberships -->
<beans:bean id="ldapUserService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg index="0">
<!-- User lookup: {0} is the login name; uid matches principal.ldap.user.attribute in the OpenKM configuration -->
<beans:bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg value="cn=users,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx"/>
<beans:constructor-arg index="1" value="(uid={0})" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg index="1">
<!-- Group lookup. NOTE(review): this searches cn=groups,cn=accounts,... while the OpenKM configuration above
     searches roles under cn=roles,cn=accounts,...; confirm which container actually holds the groups. -->
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="cn=groups,cn=accounts,dc=ipa,dc=derfe,dc=ine,dc=mx"/>
<beans:property name="groupSearchFilter" value="(objectClass=groupOfNames)"/>
<!-- NOTE(review): groupRoleAttribute names the LDAP attribute whose value becomes the role (principal.ldap.role.attribute
     above is cn). "ipausers" looks like a group name rather than an attribute, so every group presumably yields no
     role; confirm and most likely change to cn. -->
<beans:property name="groupRoleAttribute" value="ipausers"/>
<beans:property name="searchSubtree" value="true" />
<!-- Roles come out as the group attribute value in upper case with no ROLE_ prefix. The /admin/** rule in
     applicationContext.xml requires ROLE_OTHER_ADMIN, so a group whose value upper-cases to exactly that is needed - confirm -->
<beans:property name="convertToUpperCase" value="true" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
</beans:beans>
Y mi archivo applicationContext.xml es:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:jaxrs="http://cxf.apache.org/jaxrs"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd">
<!-- http://cxf.apache.org/jaxrs
http://cxf.apache.org/schemas/jaxrs.xsd"> -->
<!-- Web application context: CXF web-service endpoints plus the Spring Security filter chains.
     Authentication providers themselves live in $CATALINA_HOME/OpenKM.xml (see the notes further down). -->
<context:component-scan base-package="com.openkm"/>
<!-- <task:annotation-driven/> -->
<!-- Tasks configuration moved to $CATALINA_HOME/OpenKM.xml -->
<!-- Apache CXF Web Services -->
<beans:import resource="classpath:META-INF/cxf/cxf.xml" />
<beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<!--
<beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
<beans:property name="targetMethod" value="setStrategyName" />
<beans:property name="arguments" value="_INHERITABLETHREADLOCAL" />
</beans:bean>
-->
<!-- WS-Security UsernameToken interceptor. passwordType=PasswordText means the password is carried in clear
     inside the SOAP header, so it relies on TLS. It is not wired into any endpoint in this file: the only
     reference (under testService) is commented out. -->
<beans:bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<beans:constructor-arg>
<beans:map>
<beans:entry key="action" value="UsernameToken" />
<beans:entry key="passwordType" value="PasswordText" />
<beans:entry key="passwordCallbackClass" value="com.openkm.spring.ClientPasswordCallback" />
</beans:map>
</beans:constructor-arg>
</beans:bean>
<!-- SOAP -->
<jaxws:endpoint id="authService" implementor="com.openkm.ws.endpoint.AuthService" address="/OKMAuth"/>
<jaxws:endpoint id="bookmarkService" implementor="com.openkm.ws.endpoint.BookmarkService" address="/OKMBookmark"/>
<jaxws:endpoint id="documentService" implementor="com.openkm.ws.endpoint.DocumentService" address="/OKMDocument"/>
<jaxws:endpoint id="folderService" implementor="com.openkm.ws.endpoint.FolderService" address="/OKMFolder"/>
<jaxws:endpoint id="mailService" implementor="com.openkm.ws.endpoint.MailService" address="/OKMMail"/>
<jaxws:endpoint id="noteService" implementor="com.openkm.ws.endpoint.NoteService" address="/OKMNote"/>
<jaxws:endpoint id="notificationService" implementor="com.openkm.ws.endpoint.NotificationService" address="/OKMNotification"/>
<jaxws:endpoint id="propertyGroupService" implementor="com.openkm.ws.endpoint.PropertyGroupService" address="/OKMPropertyGroup"/>
<jaxws:endpoint id="propertyService" implementor="com.openkm.ws.endpoint.PropertyService" address="/OKMProperty"/>
<jaxws:endpoint id="repositoryService" implementor="com.openkm.ws.endpoint.RepositoryService" address="/OKMRepository"/>
<jaxws:endpoint id="searchService" implementor="com.openkm.ws.endpoint.SearchService" address="/OKMSearch"/>
<jaxws:endpoint id="dashboardService" implementor="com.openkm.ws.endpoint.DashboardService" address="/OKMDashboard"/>
<jaxws:endpoint id="workflowService" implementor="com.openkm.ws.endpoint.WorkflowService" address="/OKMWorkflow"/>
<jaxws:endpoint id="testService" implementor="com.openkm.ws.endpoint.TestService" address="/OKMTest">
<!--
<jaxws:inInterceptors>
<beans:ref bean="WSS4JInInterceptor"/>
</jaxws:inInterceptors>
-->
</jaxws:endpoint>
<!--
OpenCMIS -->
<jaxws:endpoint id="cmisNavigationService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.NavigationService" address="/cmis/NavigationService"/>
<jaxws:endpoint id="cmisPolicyService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.PolicyService" address="/cmis/PolicyService"/>
<jaxws:endpoint id="cmisDiscoveryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.DiscoveryService" address="/cmis/DiscoveryService"/>
<jaxws:endpoint id="cmisMultiFilingService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.MultiFilingService" address="/cmis/MultiFilingService"/>
<jaxws:endpoint id="cmisRepositoryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RepositoryService" address="/cmis/RepositoryService"/>
<jaxws:endpoint id="cmisRelationshipService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RelationshipService" address="/cmis/RelationshipService"/>
<jaxws:endpoint id="cmisVersioningService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.VersioningService" address="/cmis/VersioningService"/>
<jaxws:endpoint id="cmisObjectService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.ObjectService" address="/cmis/ObjectService"/>
<jaxws:endpoint id="cmisAclService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.AclService" address="/cmis/ACLService"/>
<!--
REST
<jaxrs:server id="restAuth" address="/rest/auth">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.AuthService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restDocument" address="/rest/document">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.DocumentService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restFolder" address="/rest/folder">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.FolderService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restMail" address="/rest/mail">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.MailService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restNote" address="/rest/note">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.NoteService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restPropertyGroup" address="/rest/propertyGroup">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.PropertyGroupService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restSearch" address="/rest/search">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.SearchService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restRepository" address="/rest/repository">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.RepositoryService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restProperty" address="/rest/property">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.PropertyService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restTest" address="/rest/test">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.TestService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
-->
<!-- Enables @Secured checks on service methods; this is where per-method role enforcement happens -->
<security:global-method-security secured-annotations="enabled"/>
<!-- Remove prefix to be able of use custom roles
<beans:bean class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="ROLE_"/>
</beans:bean> -->
<!-- OpenCMIS -->
<beans:bean id="CmisLifecycleBean" class="com.openkm.cmis.CmisLifecycleBean">
<beans:property name="cmisServiceFactory" ref="CmisServiceFactory" />
</beans:bean>
<beans:bean id="CmisServiceFactory" class="com.openkm.cmis.CmisServiceFactory" />
<!-- Web Services using Basic authentication -->
<!-- NOTE(review): IS_AUTHENTICATED_ANONYMOUSLY lets unauthenticated requests reach the SOAP endpoints at the URL
     level; access control here presumably relies on method security and on each service's own login rather than on
     this rule - confirm. Every other stateless chain below requires IS_AUTHENTICATED_FULLY. -->
<security:http pattern="/services/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:http-basic />
</security:http>
<!-- Status -->
<security:http pattern="/Status" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- Download -->
<security:http pattern="/Download" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- Workflow deploy -->
<security:http pattern="/workflow-register" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- WebDAV using Basic authentication -->
<security:http pattern="/webdav/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- Syndication using Basic authentication -->
<security:http pattern="/feed/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- OpenCMIS (Browser) using Basic authentication
<security:http pattern="/cmis/browser/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http> -->
<!-- OpenCMIS (AtomPub) using Basic authentication
<security:http pattern="/cmis/atom/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http> -->
<!-- OpenCMIS (AtomPub) using Basic authentication
<security:http pattern="/cmis/atom11/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http> -->
<!-- REST
<security:http pattern="/services/rest/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http> -->
<!-- Additional filter chain for normal users, matching all other requests -->
<!-- http://info.michael-simons.eu/2011/01/28/disable-jsessionid-path-parameter-in-java-web-applications/ -->
<!-- <security:http access-denied-page="/unauthorized.jsp"> -->
<!-- Browser chain: spnegoEntryPoint (defined in OpenKM.xml) challenges for a Kerberos ticket; the SPNEGO filter is
     inserted at the BASIC_AUTH_FILTER slot; a browser without a ticket falls back to the form login, and a failed
     form login is redirected to /login.jsp?error=1, which is exactly what the log excerpt in this post shows. -->
<security:http entry-point-ref="spnegoEntryPoint">
<!-- GWT -->
<security:intercept-url pattern="/frontend/**" access="IS_AUTHENTICATED_FULLY" />
<!-- JSPs -->
<security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- NOTE(review): with rolePrefix="" and convertToUpperCase=true in OpenKM.xml, this requires an LDAP group whose
     role attribute upper-cases to ROLE_OTHER_ADMIN - confirm that such a group exists -->
<security:intercept-url pattern="/admin/**" access="ROLE_OTHER_ADMIN" />
<!-- <security:intercept-url pattern="/mobile/**" access="IS_AUTHENTICATED_FULLY" /> -->
<!-- Servlets -->
<security:intercept-url pattern="/RepositoryStartup" access="IS_AUTHENTICATED_FULLY" />
<!-- <security:intercept-url pattern="/TextToSpeech" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/HtmlPreview" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/SyntaxHighlighter" access="IS_AUTHENTICATED_FULLY" /> -->
<security:intercept-url pattern="/Test" access="IS_AUTHENTICATED_FULLY" />
<!-- Extensions -->
<!-- <security:intercept-url pattern="/extension/ZohoFileUpload" access="IS_AUTHENTICATED_ANONYMOUSLY" /> -->
<security:intercept-url pattern="/extension/**" access="IS_AUTHENTICATED_FULLY" />
<!-- Login page -->
<security:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
<security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
</security:http>
<!-- Security access logger -->
<!-- <beans:bean id="loggerListener" class="com.openkm.spring.LoggerListener" /> -->
<!-- <jee:jndi-lookup id="dataSource" jndi-name="jdbc/OpenKMDS" resource-ref="true" /> -->
<!-- Security configuration moved to $CATALINA_HOME/OpenKM.xml -->
<!-- The JDBC provider below is disabled (inside the WINFIX comment) and kept for reference only; the active
     authentication-manager is the Kerberos one in OpenKM.xml. Note it would hash passwords with md5 if re-enabled. -->
<!-- WINFIX
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:password-encoder hash="md5"/>
<security:jdbc-user-service
data-source-ref="dataSource"
users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
</security:authentication-provider>
</security:authentication-manager>
WINFIX -->
<!-- ############################################################################################################### -->
</beans:beans>
El error que me manda es:
2015-08-07 14:42:31,915 [http-bio-172.19.84.132-8090-exec-5] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter- Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@44245b2a
2015-08-07 14:42:31,915 [http-bio-172.19.84.132-8090-exec-5]DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository- SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-08-07 14:42:31,927 [http-bio-172.19.84.132-8090-exec-5] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter- Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90572420: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8: RemoteIpAddress: 172.19.1.148; SessionId: 5E9C8175F80B3080375C16F71C6DE6B2; Granted Authorities: ROLE_ANONYMOUS'
2015-08-07 14:42:31,929 [http-bio-172.19.84.132-8090-exec-5] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor- Secure object: FilterInvocation: URL: /login.jsp?error=1; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
2015-08-07 14:42:31,930 [http-bio-172.19.84.132-8090-exec-5] DEBUG org.springframework.security.access.vote.AffirmativeBased- Voter: org.springframework.security.access.vote.RoleVoter@28ab7479, returned: 0
2015-08-07 14:42:31,930 [http-bio-172.19.84.132-8090-exec-5] DEBUG org.springframework.security.access.vote.AffirmativeBased- Voter: org.springframework.security.access.vote.AuthenticatedVoter@106bc8cb, returned: 1
2015-08-07 14:42:31,931 [http-bio-172.19.84.132-8090-exec-5] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor- Authorization successful
2015-08-07 14:42:31,931 [http-bio-172.19.84.132-8090-exec-5] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor- RunAsManager did not change Authentication object