User administration

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #42011  by loty
 
Hello.

We use OpenKM community v6.3.1 and have already configured integration with CAS. When a user logs into the system, he is created in the "okm_user_config" table in the database, despite the fact that there is still an "okm_user" table whose users are displayed on the portal. What is the difference between these two types of users?

Thanks.
 #42013  by jllort
 
OKM_USER is the table where the user id, password, etc. are set; the user config table is used to store information like the user home (the uuid that will be used as the default home on login).

About CAS, congratulations on it. If you can share this configuration, we will include it (extending the existing one) in our wiki, because the configuration described there is about 2 years old and probably needs some update.
 #42016  by loty
 
How are users in OKM_USER and OKM_USER_CONFIG associated with each other? For example: I create a new user in the web interface, give him the ADMIN role, and then log into OpenKM. Spring Security checks the user role in AD and then logs in with the user from OKM_USER_CONFIG with role USER.

P.S. Config files for the CAS configuration are below.
OpenKM.xml
<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd                   
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <bean id="serviceProperties"
          class="org.springframework.security.cas.ServiceProperties">
        <property name="service" value=""/>
    </bean>

    <bean id="casFilter"
          class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="casEntryPoint"
          class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <property name="loginUrl" value=""/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="casAuthenticationProvider"/>
    </sec:authentication-manager>

    <bean id="casAuthenticationProvider"
          class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <property name="authenticationUserDetailsService">
            <bean
                    class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <constructor-arg ref="userService"/>
            </bean>
        </property>
        <property name="serviceProperties" ref="serviceProperties"/>
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value=""/>
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    <!-- LDAP config -->

    <sec:ldap-user-service id="userService" server-ref="ldapServer"
                           user-search-base=""
                           user-search-filter="(sAMAccountName={0})" role-prefix="ROLE_"
                           group-search-base=""
                           group-search-filter="(member={0})" />

    <sec:ldap-server id="ldapServer"
                     manager-dn=""
                     manager-password="" url="" port="389"
                     root="" />

    <!-- End of LDAP config -->

    <!-- DB config -->
<!--
    <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>

    <sec:jdbc-user-service id="userService" data-source-ref="securityDataSource"
        users-by-username-query="SELECT login, password, TRUE FROM user_ WHERE login = ?"
        authorities-by-username-query="SELECT login, name FROM user_ LEFT JOIN group_ ON role_id = group_.id WHERE login = ?"/>

    <bean id="securityDataSource"
          class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="${db.driver.classname}"/>
        <property name="url" value="${db.security.url}"/>
        <property name="username" value="${db.security.credentials.username}"/>
        <property name="password" value="${db.security.credentials.password}"/>
    </bean>
-->
    <!-- End of DB config -->

    <bean id="singleLogoutFilter"
          class="org.jasig.cas.client.session.SingleSignOutFilter"/>

</beans>

applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:jee="http://www.springframework.org/schema/jee"
             xmlns:jaxws="http://cxf.apache.org/jaxws"
             xmlns:jaxrs="http://cxf.apache.org/jaxrs"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/context
                                 http://www.springframework.org/schema/context/spring-context-3.1.xsd
                                 http://www.springframework.org/schema/jee
                                 http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
                                 http://cxf.apache.org/jaxws
                                 http://cxf.apache.org/schemas/jaxws.xsd
                                 http://cxf.apache.org/jaxrs
                                 http://cxf.apache.org/schemas/jaxrs.xsd">

    <context:property-placeholder location="file:${catalina.home}/conf/openkm.properties"/>
    
    <context:component-scan base-package="com.openkm"/>
    
    <!-- <task:annotation-driven/> -->
    <!-- Tasks configuration moved to $CATALINA_HOME/OpenKM.xml -->
    
    <!-- Apache CXF Web Services -->
    <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
    
    <!--
    <beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
        <beans:property name="targetMethod" value="setStrategyName" />
        <beans:property name="arguments" value="_INHERITABLETHREADLOCAL" />
    </beans:bean>
    -->
    
    <beans:bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key="action" value="UsernameToken" />
                <beans:entry key="passwordType" value="PasswordText" />
                <beans:entry key="passwordCallbackClass" value="com.openkm.spring.ClientPasswordCallback" />
            </beans:map>
        </beans:constructor-arg>
    </beans:bean>
    
    <!-- SOAP -->
    <jaxws:endpoint id="authService" implementor="com.openkm.ws.endpoint.AuthService" address="/OKMAuth"/>
    <jaxws:endpoint id="bookmarkService" implementor="com.openkm.ws.endpoint.BookmarkService" address="/OKMBookmark"/>
    <jaxws:endpoint id="documentService" implementor="com.openkm.ws.endpoint.DocumentService" address="/OKMDocument"/>
    <jaxws:endpoint id="folderService" implementor="com.openkm.ws.endpoint.FolderService" address="/OKMFolder"/>
    <jaxws:endpoint id="mailService" implementor="com.openkm.ws.endpoint.MailService" address="/OKMMail"/>
    <jaxws:endpoint id="noteService" implementor="com.openkm.ws.endpoint.NoteService" address="/OKMNote"/>
    <jaxws:endpoint id="notificationService" implementor="com.openkm.ws.endpoint.NotificationService" address="/OKMNotification"/>
    <jaxws:endpoint id="propertyGroupService" implementor="com.openkm.ws.endpoint.PropertyGroupService" address="/OKMPropertyGroup"/>
    <jaxws:endpoint id="propertyService" implementor="com.openkm.ws.endpoint.PropertyService" address="/OKMProperty"/>
    <jaxws:endpoint id="repositoryService" implementor="com.openkm.ws.endpoint.RepositoryService" address="/OKMRepository"/>
    <jaxws:endpoint id="searchService" implementor="com.openkm.ws.endpoint.SearchService" address="/OKMSearch"/>
    <jaxws:endpoint id="dashboardService" implementor="com.openkm.ws.endpoint.DashboardService" address="/OKMDashboard"/>
    <jaxws:endpoint id="workflowService" implementor="com.openkm.ws.endpoint.WorkflowService" address="/OKMWorkflow"/>
    <jaxws:endpoint id="testService" implementor="com.openkm.ws.endpoint.TestService" address="/OKMTest">
        <!--
            <jaxws:inInterceptors>
                <beans:ref bean="WSS4JInInterceptor"/>
            </jaxws:inInterceptors>
        -->
    </jaxws:endpoint>
    
    <!-- OpenCMIS -->
    <jaxws:endpoint id="cmisNavigationService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.NavigationService" address="/cmis/NavigationService"/>
    <jaxws:endpoint id="cmisPolicyService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.PolicyService" address="/cmis/PolicyService"/>
    <jaxws:endpoint id="cmisDiscoveryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.DiscoveryService" address="/cmis/DiscoveryService"/>
    <jaxws:endpoint id="cmisMultiFilingService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.MultiFilingService" address="/cmis/MultiFilingService"/>
    <jaxws:endpoint id="cmisRepositoryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RepositoryService" address="/cmis/RepositoryService"/>
    <jaxws:endpoint id="cmisRelationshipService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RelationshipService" address="/cmis/RelationshipService"/>
    <jaxws:endpoint id="cmisVersioningService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.VersioningService" address="/cmis/VersioningService"/>
    <jaxws:endpoint id="cmisObjectService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.ObjectService" address="/cmis/ObjectService"/>
    <jaxws:endpoint id="cmisAclService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.AclService" address="/cmis/ACLService"/>
    
    <!-- REST -->
    <jaxrs:server id="restAuth" address="/rest/auth">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.AuthService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restDocument" address="/rest/document">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.DocumentService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restFolder" address="/rest/folder">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.FolderService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restMail" address="/rest/mail">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.MailService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restNote" address="/rest/note">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.NoteService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restPropertyGroup" address="/rest/propertyGroup">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.PropertyGroupService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restSearch" address="/rest/search">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.SearchService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restRepository" address="/rest/repository">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.RepositoryService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restProperty" address="/rest/property">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.PropertyService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restTest" address="/rest/test">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.TestService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    
    <security:global-method-security secured-annotations="enabled"/>
    
    <!-- Remove prefix to be able of use custom roles -->
    <beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
        <beans:property name="rolePrefix" value="ROLE_"/>
    </beans:bean>
    
    <!-- OpenCMIS -->
    <beans:bean id="CmisLifecycleBean" class="com.openkm.cmis.CmisLifecycleBean">
        <beans:property name="cmisServiceFactory" ref="CmisServiceFactory" />
    </beans:bean>
    <beans:bean id="CmisServiceFactory" class="com.openkm.cmis.CmisServiceFactory" />

    <security:http pattern="/services/rest/**" security="none"/>
    
    <!-- Status -->
    <security:http pattern="/Status" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- Download -->
    <security:http pattern="/Download" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- Workflow deploy -->
    <security:http pattern="/workflow-register" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- WebDAV using Basic authentication -->
    <security:http pattern="/webdav/**" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- Syndication using Basic authentication -->
    <security:http pattern="/feed/**" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- OpenCMIS (Browser) using Basic authentication -->
    <security:http pattern="/cmis/browser/**" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- OpenCMIS (AtomPub) using Basic authentication -->
    <security:http pattern="/cmis/atom/**" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- OpenCMIS (AtomPub) using Basic authentication -->
    <security:http pattern="/cmis/atom11/**" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- REST -->
    <!--
    <security:http pattern="/services/rest/**" create-session="stateless" use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:http-basic />
    </security:http>
    -->
    
    <!-- Additional filter chain for normal users, matching all other requests -->
    <!-- http://info.michael-simons.eu/2011/01/28/disable-jsessionid-path-parameter-in-java-web-applications/ -->
    <!-- <security:http access-decision-manager-ref="accessDecisionManager" access-denied-page="/unauthorized.jsp"> -->
    <security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" use-expressions="true">
        <security:custom-filter position="CAS_FILTER" ref="casFilter" />
    
        <!-- GWT -->
        <security:intercept-url pattern="/frontend/**" access="isAuthenticated()" />
        
        <!-- JSPs -->
        <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/admin/**" access="isAuthenticated()" />
        <security:intercept-url pattern="/mobile/**" access="isAuthenticated()" />
        
        <!-- Servlets -->
        <security:intercept-url pattern="/RepositoryStartup" access="isAuthenticated()" />
        <security:intercept-url pattern="/TextToSpeech" access="isAuthenticated()" />
        <security:intercept-url pattern="/HtmlPreview" access="isAuthenticated()" />
        <security:intercept-url pattern="/SyntaxHighlighter" access="isAuthenticated()" />
        <security:intercept-url pattern="/Test" access="isAuthenticated()" />
        
        <!-- Extensions -->
        <security:intercept-url pattern="/extension/ZohoFileUpload" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/extension/**" access="isAuthenticated()" />
        
        <!-- Login page -->
        <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
        
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
        <security:logout logout-url="/logout" logout-success-url=""/>

        <security:session-management invalid-session-url=""/>
    </security:http>
    
    <!-- Needed for changing default role prefix -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
          <beans:list>
             <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
             <beans:ref bean="roleVoter" />
             <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
          </beans:list>
       </beans:property>
    </beans:bean>
    
    <!-- Security access logger -->
    <beans:bean id="loggerListener" class="com.openkm.spring.LoggerListener" />
    
    <jee:jndi-lookup id="dataSource" jndi-name="jdbc/OpenKMDS" resource-ref="true" />
    
    <!-- Security configuration moved to $CATALINA_HOME/OpenKM.xml -->
    <!-- WINFIX
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:password-encoder hash="md5"/>
            <security:jdbc-user-service 
                data-source-ref="dataSource"
                users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
                authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
        </security:authentication-provider>
    </security:authentication-manager>
    WINFIX -->
</beans:beans>

web.xml (first part)
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> 
  <display-name>OpenKM</display-name>
  
  <!-- Tomcat resources -->
  <!-- Already defined in $TOMCAT_HOME/conf/context.xml -->
  <!--
  <resource-ref>
    <description>OKM Datasource</description>
    <res-ref-name>jdbc/OpenKMDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <resource-ref>
    <description>OKM Mail</description>
    <res-ref-name>mail/OpenKM</res-ref-name>
    <res-type>javax.mail.Session</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  -->
  
  <jsp-config>
    <taglib>
      <taglib-uri>http://www.openkm.com/tags/utils</taglib-uri>
      <taglib-location>/WEB-INF/tlds/utils.tld</taglib-location>
    </taglib>
  </jsp-config>
  
  <!-- Filters -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter>
    <filter-name>WebDAVFilter</filter-name>
    <filter-class>com.openkm.webdav.WebDAVFilter</filter-class>
  </filter>
  <filter>
    <filter-name>UploadThrottleFilter</filter-name>
    <filter-class>com.openkm.servlet.frontend.UploadThrottleFilter</filter-class>
  </filter>
  <filter>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value></param-value>
      </init-param>
  </filter>
  
  <!-- Filter Mappings -->
  <filter-mapping>
     <filter-name>CAS Single Sign Out Filter</filter-name>
     <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>WebDAVFilter</filter-name>
    <url-pattern>/webdav/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>UploadThrottleFilter</filter-name>
    <url-pattern>/frontend/FileUpload</url-pattern>
  </filter-mapping>
  
  <!-- Listeners -->
  <listener>
    <listener-class>com.openkm.servlet.SessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.apache.commons.fileupload.servlet.FileCleanerCleanup</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>net.sf.ehcache.constructs.web.ShutdownListener</listener-class>
  </listener>
  <listener>
     <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/applicationContext.xml
      file:${catalina.home}/OpenKM.xml
    </param-value>
  </context-param>
</web-app>
 #42020  by sethu
 
Hi Team,

I have created a new profile and assigned it to one existing user. When I try to log in I am getting the error message. Please see the attached error message for your reference.

Thanks in advance.

Regards,
Sethu. B
Attachment: image.png
 #42026  by jllort
 
The problem is caused because the user has no grants for accessing the root nodes (okm:root, etc.). If you have not changed security in the main nodes, then the user has not been assigned ROLE_USER.
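Added illustration (not OpenKM's, Spring's or loty's code) of what loty's ldap-user-service and jllort's ROLE_USER remark mean together: authorities for a CAS login come only from the AD groups found under group-search-base, so the ADMIN role assigned in the web interface (OKM_USER_ROLE) has no effect, and a user in no matching group cannot read okm:root. The group names, user DNs and base DN are assumed, since the post left them blank, as is Spring's default of naming each group authority role-prefix + uppercase(cn).

```python
"""Constructed simulation (not OpenKM or Spring code) of how the
ldap-user-service in loty's OpenKM.xml resolves a CAS-authenticated
user's roles, and why a role set in the web interface is not applied.

Assumptions: Spring's default LDAP authorities populator names each
matching group "role-prefix + uppercase(cn)", and the blank
group-search-base in the post is "OU=Groups,DC=example,DC=local".
"""

ROLE_PREFIX = "ROLE_"                                   # role-prefix="ROLE_"
GROUP_SEARCH_BASE = "OU=Groups,DC=example,DC=local"     # assumed value

# Constructed user DNs (AD users, not present on the page).
ALICE_DN = "CN=alice,OU=People,DC=example,DC=local"
BOB_DN = "CN=bob,OU=People,DC=example,DC=local"
CAROL_DN = "CN=carol,OU=People,DC=example,DC=local"

# Constructed group entries as the directory would return them.
LDAP_GROUPS = [
    {"dn": "CN=user,OU=Groups,DC=example,DC=local", "cn": "user",
     "member": [ALICE_DN, BOB_DN]},
    {"dn": "CN=admin,OU=Groups,DC=example,DC=local", "cn": "admin",
     "member": [ALICE_DN]},
    # Outside group-search-base: the group search never sees it.
    {"dn": "CN=admin,OU=Legacy,DC=example,DC=local", "cn": "admin",
     "member": [BOB_DN]},
]

# Constructed OKM_USER_ROLE rows, as the admin web interface writes them.
OKM_USER_ROLE = {"bob": {"ROLE_ADMIN"}}


def ldap_authorities(user_dn, groups=LDAP_GROUPS,
                     base=GROUP_SEARCH_BASE, prefix=ROLE_PREFIX):
    """Apply group-search-filter="(member={0})" below group-search-base,
    with {0} bound to the user's DN, and name each hit prefix + CN."""
    found = set()
    for group in groups:
        in_base = group["dn"].lower().endswith("," + base.lower())
        if in_base and user_dn in group["member"]:
            found.add(prefix + group["cn"].upper())
    return found


def effective_authorities(user_dn):
    """The authentication-manager delegates to casAuthenticationProvider,
    whose UserDetailsByNameServiceWrapper wraps userService, i.e. the LDAP
    user service. The jdbc-user-service that read OKM_USER_ROLE is
    commented out (WINFIX block), so OKM_USER_ROLE is never consulted."""
    return ldap_authorities(user_dn)


def can_read_root(authorities, root_grants=frozenset({"ROLE_USER"})):
    """Default okm:root grant is ROLE_USER; a login without it fails the
    way jllort describes (sethu's error)."""
    return bool(authorities & root_grants)


if __name__ == "__main__":
    for name, dn in (("alice", ALICE_DN), ("bob", BOB_DN), ("carol", CAROL_DN)):
        auth = effective_authorities(dn)
        print(name, sorted(auth), "root readable:", can_read_root(auth),
              "OKM_USER_ROLE says:", sorted(OKM_USER_ROLE.get(name, ())))
```

Bob shows the situation loty describes: ROLE_ADMIN in OKM_USER_ROLE, yet only ROLE_USER at login, because the admin group that contains him sits outside group-search-base.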
 #42028  by loty
 
What about my last question?

Thanks.
 #42035  by jllort
 
OKM_USER_CONFIG is used to set the default OpenKM node that must be shown when the user logs into the application. If you do not change the default home, it is set to /okm:root by default, but like all users, you can change it in favour of another node (see the contextual menu option -> "set user home").
