LDAP not working correctly in 6.2

[jllort]

Yes is a second security control at jsp files but that not mean could be break down from Servlet. Where're I want to go it that if you replaced "ROLE_ADMIN" to "IS_FULLY_AUTHENTICATED" I suggest you change IS_FULLY_AUTHENTICATED to your actual role name ( that is a best aproximation than allow access to any authenticated user -> then you should get direct permission denied ).

[Catscratch]

If I try to set the regarding role (my ldap admin role) I get an exception:

Code: Select all

2013-01-30 12:54:00,055 [pool-2-thread-1] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#6' while setting bean property 'sourceList' with key [6]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#6': Cannot resolve reference to bean 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#6' while setting constructor argument with key [7]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#6': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [OpenKMAdmins]

Unsupported configuration attribute. Can't I chose ldap roles here?

[jllort]

In the same place you got ROLE_ADMIN if you change by your own role you get this error ? sure it's the only change you've done ( revise the xml file with attention to ensure there's no missing character etc... and you really are replacing one role name to other.

[Catscratch]

Yeah. I double checked it.

[dejanfc]

I had the same problem in another app that was using spring security, but I never checked the source files to see if the values are hardcoded somewhere. However, quick google search returned this:

Code: Select all

<http use-expressions="true">
    <intercept-url pattern="/index.jsp" access="permitAll" />
    <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')" />
    <intercept-url pattern="/secure/**" access="isAuthenticated()" />
    <intercept-url pattern="/listAccounts.html" access="isAuthenticated()" />
    <intercept-url pattern="/post.html" access="hasAnyRole('supervisor','teller')" />
    <intercept-url pattern="/**" access="denyAll" />
    <form-login />
</http>

If you feel like experimenting you could try with hasRole. Please report back on results, I'm interested too .

[Catscratch]

Nice idea!

But sadly it is not working.

Code: Select all

Unsupported configuration attributes: [hasRole('OpenKMAdmins')]

[dejanfc]

Yeah, it only works with expressions. If I get some more time to play around with this I'll try to find a solution, but for now I'll consider it a minor inconvenience . As for your /okm:trash problem from previous page - you were right. The problem in my testing was that I used a user that had been previously logged in under ROLE_USER role so he was able to create his trash folder, which made the role change afterwards not cause any issue. However, when I tried this with a freshly created user I got the same error as you. After editing the fields in mysql (OKM_NODE_PERMISSION - NRP_PERMISSION field, for anyone interested) I was able to log in. It would be great if new version of OpenKM could add an option to edit the security on trash node through the interface as well, so we don't have to resort to measures such as this .

[richbcph]

Catscratch,

I have the same issues as you did. How did you manually set the permissions? I have been banging my head against the wall and cannot get past the trash problem.

[jllort]

Take a look here http://wiki.openkm.com/index.php/Active ... OpenKM_6.2 and specially here where you can find full examples http://wiki.openkm.com/index.php/LDAP_examples

[richbcph]

never mind we got it solved in another thread. I did not have the groups set as case sensitive.