How are users in OKM_USER and OKM_USER_CONFIG associated with each other? For example: I create a new user in the web interface, give him the ADMIN role, and then log in to OpenKM. Spring Security checks the user's role in AD and then logs in with the user from OKM_USER_CONFIG with the USER role.
P.S. The config files for the CAS configuration are below.
OpenKM.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security context loaded from $CATALINA_HOME/OpenKM.xml (it is listed
  in the contextConfigLocation of web.xml next to /WEB-INF/applicationContext.xml).
  It defines the authentication manager that every security:http chain in
  applicationContext.xml uses: CAS ticket validation, with the user details and
  roles loaded from Active Directory over LDAP. Empty attribute values below are
  presumably redacted for the post.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Service URL that CAS redirects back to with the ticket. It has to be the
     absolute URL of the casFilter callback; casFilter below does not set
     filterProcessesUrl, so that is the CasAuthenticationFilter default
     (/j_spring_cas_security_check in the 3.1 line used by applicationContext.xml;
     confirm for the version actually deployed). -->
<bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<property name="service" value=""/>
</bean>
<!-- Receives the CAS service ticket and hands it to authenticationManager.
     Plugged into the main chain in applicationContext.xml through
     custom-filter position="CAS_FILTER". -->
<bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<!-- Sends unauthenticated browser requests to the CAS login page (loginUrl),
     passing the service URL from serviceProperties. Referenced by
     entry-point-ref in applicationContext.xml. -->
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value=""/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>
<!-- The only registered provider is casAuthenticationProvider.
     NOTE(review): the stateless http-basic chains in applicationContext.xml
     (/Status, /Download, /workflow-register, /webdav, /feed, /cmis/...) submit
     plain username/password tokens to this same manager. CasAuthenticationProvider
     only handles CAS tickets, so those Basic-auth clients will presumably be
     rejected unless a second provider that handles username/password (for
     example the jdbc-user-service commented out below, or an
     ldap-authentication-provider) is added here; confirm by testing a WebDAV
     or CMIS login. -->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="casAuthenticationProvider"/>
</sec:authentication-manager>
<!-- Validates the ticket against the CAS server and builds the authenticated
     principal. This is where the roles come from: after validation the CAS
     user name is looked up through userService (the ldap-user-service below)
     and the granted authorities are the AD groups found there, prefixed with
     ROLE_. Nothing in this file or in applicationContext.xml queries
     OKM_USER_ROLE for authorities any more; the JDBC lookups that did are
     commented out (the WINFIX block in applicationContext.xml and the DB
     config below). -->
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<!-- Adapts the UserDetailsService (userService) to a lookup by the CAS
     assertion's principal name. -->
<property name="authenticationUserDetailsService">
<bean
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<constructor-arg ref="userService"/>
</bean>
</property>
<property name="serviceProperties" ref="serviceProperties"/>
<!-- CAS 2.0 protocol validator; the constructor argument is the CAS server
     URL prefix (empty here). The same prefix is expected by the
     casServerUrlPrefix init-param of the single sign-out filter in web.xml. -->
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value=""/>
</bean>
</property>
<!-- Tags tokens created by this provider so they are recognised on later
     requests. NOTE(review): this looks like the value from the Spring Security
     reference example; use a deployment-specific value instead. -->
<property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
<!-- LDAP config -->
<!-- user-search-filter on sAMAccountName means an Active Directory tree.
     Every group matched by group-search-filter (member={0}, i.e. groups whose
     member attribute holds the user's DN) becomes an authority named
     ROLE_ + group name, so the AD group name is what has to line up with the
     role OpenKM checks for; it is not mapped through OKM_USER_ROLE.
     NOTE(review): whether the group name is upper-cased before the prefix is
     applied depends on the authorities populator defaults; confirm for the
     3.1 release in use. -->
<sec:ldap-user-service id="userService" server-ref="ldapServer"
user-search-base=""
user-search-filter="(sAMAccountName={0})" role-prefix="ROLE_"
group-search-base=""
group-search-filter="(member={0})" />
<!-- Service account (manager-dn / manager-password) used for the searches.
     NOTE(review): port 389 with an ldap:// url sends that password and every
     search result unencrypted; prefer ldaps:// (636) or confirm the url in use
     is already ldaps. The password is stored in clear text in this file, so
     keep $CATALINA_HOME/OpenKM.xml readable by the Tomcat user only. -->
<sec:ldap-server id="ldapServer"
manager-dn=""
manager-password="" url="" port="389"
root="" />
<!-- End of LDAP config -->
<!-- DB config -->
<!-- Alternative JDBC user service against the user_ / group_ tables with MD5
     hashing, kept disabled. Md5PasswordEncoder is unsalted MD5; if this is
     ever re-enabled prefer a stronger encoder. -->
<!--
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>
<sec:jdbc-user-service id="userService" data-source-ref="securityDataSource"
users-by-username-query="SELECT login, password, TRUE FROM user_ WHERE login = ?"
authorities-by-username-query="SELECT login, name FROM user_ LEFT JOIN group_ ON role_id = group_.id WHERE login = ?"/>
<bean id="securityDataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${db.driver.classname}"/>
<property name="url" value="${db.security.url}"/>
<property name="username" value="${db.security.credentials.username}"/>
<property name="password" value="${db.security.credentials.password}"/>
</bean>
-->
<!-- End of DB config -->
<!-- NOTE(review): this bean is not referenced by any custom-filter in
     applicationContext.xml. The single sign-out filter that actually runs is
     the one registered directly in web.xml (CAS Single Sign Out Filter), so
     this definition looks redundant. -->
<bean id="singleLogoutFilter"
class="org.jasig.cas.client.session.SingleSignOutFilter"/>
</beans>
applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Main Spring application context (/WEB-INF/applicationContext.xml): property
  placeholder, component scan, Apache CXF SOAP/REST endpoints, OpenCMIS wiring
  and the Spring Security filter chains. The authentication manager these
  chains use is not defined here; it lives in $CATALINA_HOME/OpenKM.xml, which
  web.xml loads into the same context.
-->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:jaxrs="http://cxf.apache.org/jaxrs"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/jaxrs
http://cxf.apache.org/schemas/jaxrs.xsd">
<!-- Resolves ${...} placeholders (for example the db.* keys used by the
     commented-out DB config in OpenKM.xml) from $CATALINA_HOME/conf/openkm.properties. -->
<context:property-placeholder location="file:${catalina.home}/conf/openkm.properties"/>
<!-- Registers every annotated com.openkm bean; method security below applies to them. -->
<context:component-scan base-package="com.openkm"/>
<!-- <task:annotation-driven/> -->
<!-- Tasks configuration moved to $CATALINA_HOME/OpenKM.xml -->
<!-- Apache CXF Web Services -->
<beans:import resource="classpath:META-INF/cxf/cxf.xml" />
<beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<!-- Disabled: would make the security context inheritable by child threads. -->
<!--
<beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
<beans:property name="targetMethod" value="setStrategyName" />
<beans:property name="arguments" value="_INHERITABLETHREADLOCAL" />
</beans:bean>
-->
<!-- WS-Security UsernameToken interceptor (clear-text PasswordText, verified by
     com.openkm.spring.ClientPasswordCallback). It is only referenced from the
     commented-out inInterceptors block on testService, so at present no SOAP
     endpoint applies it. -->
<beans:bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<beans:constructor-arg>
<beans:map>
<beans:entry key="action" value="UsernameToken" />
<beans:entry key="passwordType" value="PasswordText" />
<beans:entry key="passwordCallbackClass" value="com.openkm.spring.ClientPasswordCallback" />
</beans:map>
</beans:constructor-arg>
</beans:bean>
<!-- SOAP -->
<!-- One jaxws:endpoint per com.openkm.ws.endpoint service, addressed relative
     to the CXF servlet (presumably /services; the servlet mapping is in the
     part of web.xml not included in the post, so confirm). -->
<jaxws:endpoint id="authService" implementor="com.openkm.ws.endpoint.AuthService" address="/OKMAuth"/>
<jaxws:endpoint id="bookmarkService" implementor="com.openkm.ws.endpoint.BookmarkService" address="/OKMBookmark"/>
<jaxws:endpoint id="documentService" implementor="com.openkm.ws.endpoint.DocumentService" address="/OKMDocument"/>
<jaxws:endpoint id="folderService" implementor="com.openkm.ws.endpoint.FolderService" address="/OKMFolder"/>
<jaxws:endpoint id="mailService" implementor="com.openkm.ws.endpoint.MailService" address="/OKMMail"/>
<jaxws:endpoint id="noteService" implementor="com.openkm.ws.endpoint.NoteService" address="/OKMNote"/>
<jaxws:endpoint id="notificationService" implementor="com.openkm.ws.endpoint.NotificationService" address="/OKMNotification"/>
<jaxws:endpoint id="propertyGroupService" implementor="com.openkm.ws.endpoint.PropertyGroupService" address="/OKMPropertyGroup"/>
<jaxws:endpoint id="propertyService" implementor="com.openkm.ws.endpoint.PropertyService" address="/OKMProperty"/>
<jaxws:endpoint id="repositoryService" implementor="com.openkm.ws.endpoint.RepositoryService" address="/OKMRepository"/>
<jaxws:endpoint id="searchService" implementor="com.openkm.ws.endpoint.SearchService" address="/OKMSearch"/>
<jaxws:endpoint id="dashboardService" implementor="com.openkm.ws.endpoint.DashboardService" address="/OKMDashboard"/>
<jaxws:endpoint id="workflowService" implementor="com.openkm.ws.endpoint.WorkflowService" address="/OKMWorkflow"/>
<jaxws:endpoint id="testService" implementor="com.openkm.ws.endpoint.TestService" address="/OKMTest">
<!-- Example of attaching the WSS4J interceptor to an endpoint; disabled. -->
<!--
<jaxws:inInterceptors>
<beans:ref bean="WSS4JInInterceptor"/>
</jaxws:inInterceptors>
-->
</jaxws:endpoint>
<!-- OpenCMIS -->
<!-- CMIS Web Services binding; the service implementations are the stock
     OpenCMIS ones, backed by CmisServiceFactory below. -->
<jaxws:endpoint id="cmisNavigationService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.NavigationService" address="/cmis/NavigationService"/>
<jaxws:endpoint id="cmisPolicyService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.PolicyService" address="/cmis/PolicyService"/>
<jaxws:endpoint id="cmisDiscoveryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.DiscoveryService" address="/cmis/DiscoveryService"/>
<jaxws:endpoint id="cmisMultiFilingService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.MultiFilingService" address="/cmis/MultiFilingService"/>
<jaxws:endpoint id="cmisRepositoryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RepositoryService" address="/cmis/RepositoryService"/>
<jaxws:endpoint id="cmisRelationshipService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RelationshipService" address="/cmis/RelationshipService"/>
<jaxws:endpoint id="cmisVersioningService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.VersioningService" address="/cmis/VersioningService"/>
<jaxws:endpoint id="cmisObjectService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.ObjectService" address="/cmis/ObjectService"/>
<jaxws:endpoint id="cmisAclService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.AclService" address="/cmis/ACLService"/>
<!-- REST -->
<!-- JAX-RS servers, one per com.openkm.rest.endpoint service. Their URL
     space (/services/rest/** below) is configured with security="none", so
     the Spring Security filters do not run for them; see the note there. -->
<jaxrs:server id="restAuth" address="/rest/auth">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.AuthService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restDocument" address="/rest/document">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.DocumentService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restFolder" address="/rest/folder">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.FolderService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restMail" address="/rest/mail">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.MailService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restNote" address="/rest/note">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.NoteService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restPropertyGroup" address="/rest/propertyGroup">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.PropertyGroupService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restSearch" address="/rest/search">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.SearchService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restRepository" address="/rest/repository">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.RepositoryService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restProperty" address="/rest/property">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.PropertyService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restTest" address="/rest/test">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.TestService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<!-- Turns on @Secured checks on the scanned beans (service-layer authorization,
     independent of the URL chains below). -->
<security:global-method-security secured-annotations="enabled"/>
<!-- Remove prefix to be able of use custom roles -->
<!-- The RoleVoter keeps the ROLE_ prefix, which matches role-prefix="ROLE_" on
     the LDAP user service in OpenKM.xml; authorities without that prefix are
     ignored by this voter. -->
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="ROLE_"/>
</beans:bean>
<!-- OpenCMIS -->
<beans:bean id="CmisLifecycleBean" class="com.openkm.cmis.CmisLifecycleBean">
<beans:property name="cmisServiceFactory" ref="CmisServiceFactory" />
</beans:bean>
<beans:bean id="CmisServiceFactory" class="com.openkm.cmis.CmisServiceFactory" />
<!-- NOTE(review): security="none" removes the whole Spring Security filter
     chain for /services/rest/**, so the REST endpoints get no authentication
     at the filter level and no SecurityContext; anything they expose is then
     guarded only by checks inside the endpoints themselves. The Basic-auth
     version of this chain is kept commented out further down. Confirm this
     is intended rather than a leftover from debugging the CAS setup. -->
<security:http pattern="/services/rest/**" security="none"/>
<!-- Stateless chains with HTTP Basic for non-browser clients. They share the
     authenticationManager from OpenKM.xml, which currently has only the CAS
     provider; see the note on the authentication-manager there (Basic-auth
     logins on /Status, /Download, /workflow-register, /webdav, /feed and the
     /cmis/* chains presumably fail until a username/password provider is added). -->
<!-- Status -->
<security:http pattern="/Status" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- Download -->
<security:http pattern="/Download" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- Workflow deploy -->
<security:http pattern="/workflow-register" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- WebDAV using Basic authentication -->
<security:http pattern="/webdav/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- Syndication using Basic authentication -->
<security:http pattern="/feed/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- OpenCMIS (Browser) using Basic authentication -->
<security:http pattern="/cmis/browser/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- OpenCMIS (AtomPub) using Basic authentication -->
<security:http pattern="/cmis/atom/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- OpenCMIS (AtomPub 1.1) using Basic authentication -->
<security:http pattern="/cmis/atom11/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- REST -->
<!-- Basic-auth protected REST chain, disabled in favour of security="none" above. -->
<!--
<security:http pattern="/services/rest/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
-->
<!-- Additional filter chain for normal users, matching all other requests -->
<!-- http://info.michael-simons.eu/2011/01/28/disable-jsessionid-path-parameter-in-java-web-applications/ -->
<!-- <security:http access-decision-manager-ref="accessDecisionManager" access-denied-page="/unauthorized.jsp"> -->
<!-- Browser chain. entry-point-ref="casEntryPoint" means unauthenticated
     requests are redirected to CAS; the form-login element below still
     registers its filter, but its login-page is no longer the entry point.
     intercept-url patterns are matched in order, so the two
     IS_AUTHENTICATED_ANONYMOUSLY exceptions only work because they precede
     the /** catch-all; keep that last. -->
<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" use-expressions="true">
<!-- casFilter is defined in OpenKM.xml. -->
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
<!-- GWT -->
<security:intercept-url pattern="/frontend/**" access="isAuthenticated()" />
<!-- JSPs -->
<security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/admin/**" access="isAuthenticated()" />
<security:intercept-url pattern="/mobile/**" access="isAuthenticated()" />
<!-- Servlets -->
<security:intercept-url pattern="/RepositoryStartup" access="isAuthenticated()" />
<security:intercept-url pattern="/TextToSpeech" access="isAuthenticated()" />
<security:intercept-url pattern="/HtmlPreview" access="isAuthenticated()" />
<security:intercept-url pattern="/SyntaxHighlighter" access="isAuthenticated()" />
<security:intercept-url pattern="/Test" access="isAuthenticated()" />
<!-- Extensions -->
<security:intercept-url pattern="/extension/ZohoFileUpload" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/extension/**" access="isAuthenticated()" />
<!-- Login page -->
<security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
<security:intercept-url pattern="/**" access="isAuthenticated()"/>
<!-- NOTE(review): logout-success-url and invalid-session-url are empty here
     (presumably redacted). With CAS, logout-success-url would normally point
     at the CAS server logout so the SSO session ends as well; a local /logout
     alone only clears the OpenKM session. -->
<security:logout logout-url="/logout" logout-success-url=""/>
<security:session-management invalid-session-url=""/>
</security:http>
<!-- Needed for changing default role prefix -->
<!-- NOTE(review): no security:http element references this bean any more
     (the one that did is commented out above), so the URL chains use the
     default expression-based decision manager and this definition looks
     unused. -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
<beans:ref bean="roleVoter" />
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<!-- Security access logger -->
<!-- com.openkm.spring.LoggerListener; presumably logs authentication events. -->
<beans:bean id="loggerListener" class="com.openkm.spring.LoggerListener" />
<!-- Container-managed data source (jdbc/OpenKMDS, declared in Tomcat's context.xml
     according to the commented resource-ref in web.xml). -->
<jee:jndi-lookup id="dataSource" jndi-name="jdbc/OpenKMDS" resource-ref="true" />
<!-- Security configuration moved to $CATALINA_HOME/OpenKM.xml -->
<!-- Original JDBC authentication against OKM_USER / OKM_USER_ROLE with MD5
     hashing. Kept disabled; with it off, OKM_USER_ROLE no longer supplies
     the granted authorities (the LDAP groups in OpenKM.xml do). -->
<!-- WINFIX
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:password-encoder hash="md5"/>
<security:jdbc-user-service
data-source-ref="dataSource"
users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
</security:authentication-provider>
</security:authentication-manager>
WINFIX -->
</beans:beans>
web.xml (first part)
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Deployment descriptor (only the first part is shown in the post). Spring
  Security runs through DelegatingFilterProxy, preceded by the CAS single
  sign-out filter; ContextLoaderListener loads applicationContext.xml together
  with $CATALINA_HOME/OpenKM.xml into one application context.
-->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>OpenKM</display-name>
<!-- Tomcat resources -->
<!-- Already defined in $TOMCAT_HOME/conf/context.xml -->
<!--
<resource-ref>
<description>OKM Datasource</description>
<res-ref-name>jdbc/OpenKMDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<resource-ref>
<description>OKM Mail</description>
<res-ref-name>mail/OpenKM</res-ref-name>
<res-type>javax.mail.Session</res-type>
<res-auth>Container</res-auth>
</resource-ref>
-->
<jsp-config>
<taglib>
<taglib-uri>http://www.openkm.com/tags/utils</taglib-uri>
<taglib-location>/WEB-INF/tlds/utils.tld</taglib-location>
</taglib>
</jsp-config>
<!-- Filters -->
<!-- Delegates to the springSecurityFilterChain bean built from the
     security:http elements in applicationContext.xml. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>WebDAVFilter</filter-name>
<filter-class>com.openkm.webdav.WebDAVFilter</filter-class>
</filter>
<filter>
<filter-name>UploadThrottleFilter</filter-name>
<filter-class>com.openkm.servlet.frontend.UploadThrottleFilter</filter-class>
</filter>
<!-- Handles CAS single logout callbacks. casServerUrlPrefix is empty here
     (presumably redacted); it has to be the same CAS server prefix that the
     Cas20ServiceTicketValidator in OpenKM.xml is given. This filter, not the
     singleLogoutFilter bean in OpenKM.xml, is the one that actually runs. -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value></param-value>
</init-param>
</filter>
<!-- Filter Mappings -->
<!-- filter-mapping order is the execution order: the CAS sign-out filter
     sees every request before the Spring Security chain does. -->
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WebDAVFilter</filter-name>
<url-pattern>/webdav/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>UploadThrottleFilter</filter-name>
<url-pattern>/frontend/FileUpload</url-pattern>
</filter-mapping>
<!-- Listeners -->
<listener>
<listener-class>com.openkm.servlet.SessionListener</listener-class>
</listener>
<listener>
<listener-class>org.apache.commons.fileupload.servlet.FileCleanerCleanup</listener-class>
</listener>
<!-- Bootstraps the Spring context from contextConfigLocation below. -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>net.sf.ehcache.constructs.web.ShutdownListener</listener-class>
</listener>
<!-- Companion of the single sign-out filter: keeps its session registry in
     step with HTTP session destruction. -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Both files are loaded into one application context. OpenKM.xml lives in
     $CATALINA_HOME rather than inside the WAR, which is where the CAS and
     LDAP security beans are defined. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
file:${catalina.home}/OpenKM.xml
</param-value>
</context-param>
</web-app>