Hi,
Release: OpenKM-5.1.7_JBoss-4.2.3.GA.zip
OS: Ubuntu 10.04.3 LTS, Linux nebulae 2.6.32-33-server #70-Ubuntu SMP Thu Jul 7 22:28:30 UTC 2011 x86_64 GNU/Linux
Java: Java(TM) SE Runtime Environment (build 1.6.0_26-b03), Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
Browser: Firefox 5.0, Opera 11.50, Chrome 13.0.782.109 beta
Have been testing the overall functionality and some corner cases and am currently stuck on a WebDAV point. I have read through copious amounts of documentation (subscribed to OKM Network) but have not found an answer there.
Background:
1. Completed install and configuration of OpenKM without a snag.
2. Login to the web frontend with okmAdmin and able to configure all aspects as per the best practice. I.e. created new roles and removed UserRole from propogating in Taxonomy, Templates and Categories, substituting it with the new ones.
3. Create users with both UserRole and new role added to the account.
4. At this point okm:personal has not been touched regarding security settings.
So Far So Good:
1. When logging in with a regular user everything is OK: frontend loads, Taxonomy, Templates and Categories are read-only as per my settings, and under "My Documents" one can only view your own folder. okm:personal is not visible.
2. The same is OK when logging in with a another regular user. Only their own folder is visible and nobody else's under "My Documents".
Issue 1:
1. Inconsistency happens when enabling WebDAV and not using a client to access the repository, but a regular web browser window going to the URL - http://server:8080/OpenKM/repository/de ... onal/user1.
2. Even giving an entirely different username/password combination at the prompt (for example user2), one is still logged in to the folder.
3. Using the in browser navigation presented by Jackrabbit for going one level up, all folders beneath okm_personal are accessible and can be browsed to!
Issue 2:
1. When removing UserRole as a group permission from the personal folders and only having the specific user role, one is still able to log in to any folder with the a different username/password combination. I.e. access user1 folder with user2 credentials.
2. Now, using the in browser navigation presented by Jackrabbit for going one level up, the "okm_root", "okm_templates" and "okm_personal" folders are displayed.
3. When selecting "okm_personal" the folder that is tied to the user we logged in with is presented, eg. http://server:8080.../user2
Workaround:
1. When browsing to the "okm_personal" folder instead of a user's specific subfolder, this problem does not appear.
2. Example going to http://server:8080/OpenKM/repository/de ... _personal/ and logging in with user1 will only present the user1 folder.
Logs:
When this happens the application is constantly logging the following:
Any help would be appreciated on this, at this stage I am publishing the URL http://server:8080/OpenKM/repository/de ... _personal/ for WebDAV connections and hope that nobody tries to access other folders.
Security by obscurity.
Many thanks.
rgds
Marthin
Release: OpenKM-5.1.7_JBoss-4.2.3.GA.zip
OS: Ubuntu 10.04.3 LTS, Linux nebulae 2.6.32-33-server #70-Ubuntu SMP Thu Jul 7 22:28:30 UTC 2011 x86_64 GNU/Linux
Java: Java(TM) SE Runtime Environment (build 1.6.0_26-b03), Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
Browser: Firefox 5.0, Opera 11.50, Chrome 13.0.782.109 beta
Have been testing the overall functionality and some corner cases and am currently stuck on a WebDAV point. I have read through copious amounts of documentation (subscribed to OKM Network) but have not found an answer there.
Background:
1. Completed install and configuration of OpenKM without a snag.
2. Login to the web frontend with okmAdmin and able to configure all aspects as per the best practice. I.e. created new roles and removed UserRole from propogating in Taxonomy, Templates and Categories, substituting it with the new ones.
3. Create users with both UserRole and new role added to the account.
4. At this point okm:personal has not been touched regarding security settings.
So Far So Good:
1. When logging in with a regular user everything is OK: frontend loads, Taxonomy, Templates and Categories are read-only as per my settings, and under "My Documents" one can only view your own folder. okm:personal is not visible.
2. The same is OK when logging in with a another regular user. Only their own folder is visible and nobody else's under "My Documents".
Issue 1:
1. Inconsistency happens when enabling WebDAV and not using a client to access the repository, but a regular web browser window going to the URL - http://server:8080/OpenKM/repository/de ... onal/user1.
2. Even giving an entirely different username/password combination at the prompt (for example user2), one is still logged in to the folder.
3. Using the in browser navigation presented by Jackrabbit for going one level up, all folders beneath okm_personal are accessible and can be browsed to!
Issue 2:
1. When removing UserRole as a group permission from the personal folders and only having the specific user role, one is still able to log in to any folder with the a different username/password combination. I.e. access user1 folder with user2 credentials.
2. Now, using the in browser navigation presented by Jackrabbit for going one level up, the "okm_root", "okm_templates" and "okm_personal" folders are displayed.
3. When selecting "okm_personal" the folder that is tied to the user we logged in with is presented, eg. http://server:8080.../user2
Workaround:
1. When browsing to the "okm_personal" folder instead of a user's specific subfolder, this problem does not appear.
2. Example going to http://server:8080/OpenKM/repository/de ... _personal/ and logging in with user1 will only present the user1 folder.
Logs:
When this happens the application is constantly logging the following:
Code: Select all
Going through the repository.xml I have not been able to find anything useful to change. The AccessManager used is "OKMAccessManager" which should(?) be better than the Jackrabbit default module included (check http://wiki.openkm.com/index.php/Reposi ... figuration) :
17:48:11,448 WARN [OKMAccessManager] [user2, Roles(members:Resident,UserRole)] PathNotFoundException(okm:authUsersRead) in rep:system
17:48:11,452 WARN [OKMAccessManager] [user2, Roles(members:Resident,UserRole)] PathNotFoundException(okm:authUsersRead) in okm:sysConfig
The default SimpleLoginModule class included in Jackrabbit implements a trivially simple authentication mechanism that accepts any username and any password as valid authentication credentials.I have tested this by using a complete bogus username/password combination which did not work, so that it is OK. No anonymous access.
Any help would be appreciated on this, at this stage I am publishing the URL http://server:8080/OpenKM/repository/de ... _personal/ for WebDAV connections and hope that nobody tries to access other folders.
Security by obscurity.
Many thanks.
rgds
Marthin
