LDAP - avoiding the use of ROLE_ADMIN

OpenKM has many interesting features, but a configuration process is needed to bring out its full potential.
 #29191  by dantix
 
Hi, I have configured OKM to authenticate via LDAP against my AD.
I set default.user.role = my general group and it works; I have been able to manage their access with it.
My current problem is with default.admin.role, which I also set equal to my administrators group, but I cannot get OKM to treat them as such.
OKM only sees an administrator if the user belongs to the AD group ROLE_ADMIN, but the thing is that, by company policy, groups have to follow a naming convention and ROLE_ADMIN does not fit it.

Where else in OKM should I change the group assigned to administrators?

Thanks
 #29209  by jllort
 
You will have to apply a patch to a file inside OpenKM.war (are you on Linux or Windows?)
 #29272  by jllort
 
- Stop OpenKM
- Take OpenKM.war (make a backup) and copy it to another directory
- With WinRAR itself you can open OpenKM.war and extract the file WEB-INF/applicationContext.xml
- Edit the file and make the following changes

This would be a Linux script that, for example, changes the entry <security:http-basic to <security:temp-http-basic, etc... I think it is easy enough to follow without further explanation. In this case ROLE_ has been replaced by OPENKM_ROLE_, giving OPENKM_ROLE_USER and OPENKM_ROLE_ADMIN. Before modifying the file, search for the string ROLE_ (it appears in only a few places, so you will get the idea). In your case you will have to make the changes with a text editor.
Code:
#!/bin/bash
# Rename <security:http-basic first so the use-expressions attribute added
# below does not land inside that tag too; it is renamed back at the end.
sed -i "s|<security:http-basic|<security:temp-http-basic|g" applicationContext.xml
sed -i "s|ROLE_|OPENKM_ROLE_|g" applicationContext.xml
# Switch the access attributes to Spring Security expression syntax.
sed -i 's|IS_AUTHENTICATED_FULLY|isFullyAuthenticated()|g' applicationContext.xml
sed -i 's|IS_AUTHENTICATED_ANONYMOUSLY|permitAll|g' applicationContext.xml
# With use-expressions a bare role name is not accepted; it has to be hasRole('...').
sed -i "s|access=\"\(OPENKM_ROLE_[A-Z_]*\)\"|access=\"hasRole('\1')\"|g" applicationContext.xml
sed -i 's|<security:http|<security:http use-expressions="true"|g' applicationContext.xml
sed -i "s|<security:temp-http-basic|<security:http-basic|g" applicationContext.xml
In the end you will have something like this:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:jee="http://www.springframework.org/schema/jee"
             xmlns:jaxws="http://cxf.apache.org/jaxws"
             xmlns:jaxrs="http://cxf.apache.org/jaxrs"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/context
                                 http://www.springframework.org/schema/context/spring-context-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd
                                 http://www.springframework.org/schema/jee
                                 http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
                                 http://cxf.apache.org/jaxws
                                 http://cxf.apache.org/schemas/jaxws.xsd
                                 http://cxf.apache.org/jaxrs
                                 http://cxf.apache.org/schemas/jaxrs.xsd">
    
    <context:component-scan base-package="com.openkm"/>
    
    <!-- <task:annotation-driven/> -->
    <!-- Tasks configuration moved to $CATALINA_HOME/OpenKM.xml -->
    
    <!-- Apache CXF Web Services -->
    <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
    
    <!--
    <beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
        <beans:property name="targetMethod" value="setStrategyName" />
        <beans:property name="arguments" value="_INHERITABLETHREADLOCAL" />
    </beans:bean>
    -->
    
    <beans:bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key="action" value="UsernameToken" />
                <beans:entry key="passwordType" value="PasswordText" />
                <beans:entry key="passwordCallbackClass" value="com.openkm.spring.ClientPasswordCallback" />
            </beans:map>
        </beans:constructor-arg>
    </beans:bean>
    
    <!-- SOAP -->
    <jaxws:endpoint id="authService" implementor="com.openkm.ws.endpoint.AuthService" address="/OKMAuth"/>
    <jaxws:endpoint id="bookmarkService" implementor="com.openkm.ws.endpoint.BookmarkService" address="/OKMBookmark"/>
    <jaxws:endpoint id="documentService" implementor="com.openkm.ws.endpoint.DocumentService" address="/OKMDocument"/>
    <jaxws:endpoint id="folderService" implementor="com.openkm.ws.endpoint.FolderService" address="/OKMFolder"/>
    <jaxws:endpoint id="mailService" implementor="com.openkm.ws.endpoint.MailService" address="/OKMMail"/>
    <jaxws:endpoint id="noteService" implementor="com.openkm.ws.endpoint.NoteService" address="/OKMNote"/>
    <jaxws:endpoint id="notificationService" implementor="com.openkm.ws.endpoint.NotificationService" address="/OKMNotification"/>
    <jaxws:endpoint id="propertyGroupService" implementor="com.openkm.ws.endpoint.PropertyGroupService" address="/OKMPropertyGroup"/>
    <jaxws:endpoint id="propertyService" implementor="com.openkm.ws.endpoint.PropertyService" address="/OKMProperty"/>
    <jaxws:endpoint id="repositoryService" implementor="com.openkm.ws.endpoint.RepositoryService" address="/OKMRepository"/>
    <jaxws:endpoint id="searchService" implementor="com.openkm.ws.endpoint.SearchService" address="/OKMSearch"/>
    <jaxws:endpoint id="dashboardService" implementor="com.openkm.ws.endpoint.DashboardService" address="/OKMDashboard"/>
    <jaxws:endpoint id="workflowService" implementor="com.openkm.ws.endpoint.WorkflowService" address="/OKMWorkflow"/>
    <jaxws:endpoint id="testService" implementor="com.openkm.ws.endpoint.TestService" address="/OKMTest">
        <!--
            <jaxws:inInterceptors>
                <beans:ref bean="WSS4JInInterceptor"/>
            </jaxws:inInterceptors>
        -->
    </jaxws:endpoint>
    
    <!-- OpenCMIS -->
    <jaxws:endpoint id="cmisNavigationService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.NavigationService" address="/cmis/NavigationService"/>
    <jaxws:endpoint id="cmisPolicyService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.PolicyService" address="/cmis/PolicyService"/>
    <jaxws:endpoint id="cmisDiscoveryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.DiscoveryService" address="/cmis/DiscoveryService"/>
    <jaxws:endpoint id="cmisMultiFilingService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.MultiFilingService" address="/cmis/MultiFilingService"/>
    <jaxws:endpoint id="cmisRepositoryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RepositoryService" address="/cmis/RepositoryService"/>
    <jaxws:endpoint id="cmisRelationshipService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RelationshipService" address="/cmis/RelationshipService"/>
    <jaxws:endpoint id="cmisVersioningService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.VersioningService" address="/cmis/VersioningService"/>
    <jaxws:endpoint id="cmisObjectService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.ObjectService" address="/cmis/ObjectService"/>
    <jaxws:endpoint id="cmisAclService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.AclService" address="/cmis/ACLService"/>
    
    <!-- REST -->
    <jaxrs:server id="restAuth" address="/rest/auth">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.AuthService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restDocument" address="/rest/document">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.DocumentService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restFolder" address="/rest/folder">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.FolderService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restNote" address="/rest/note">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.NoteService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restPropertyGroup" address="/rest/propertyGroup">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.PropertyGroupService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restSearch" address="/rest/search">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.SearchService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restRepository" address="/rest/repository">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.RepositoryService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restProperty" address="/rest/property">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.PropertyService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    <jaxrs:server id="restTest" address="/rest/test">
        <jaxrs:serviceBeans>
            <beans:bean class="com.openkm.rest.endpoint.TestService"/>
        </jaxrs:serviceBeans>
    </jaxrs:server>
    
    <security:global-method-security secured-annotations="enabled"/>
    
    <!-- Remove prefix to be able of use custom roles -->
    <beans:bean class="org.springframework.security.access.vote.RoleVoter">
        <beans:property name="rolePrefix" value="OPENKM_ROLE_"/>
    </beans:bean>
    
    <!-- OpenCMIS -->
    <beans:bean id="CmisLifecycleBean" class="com.openkm.cmis.CmisLifecycleBean">
        <beans:property name="cmisServiceFactory" ref="CmisServiceFactory" />
    </beans:bean>
    <beans:bean id="CmisServiceFactory" class="com.openkm.cmis.CmisServiceFactory" />
    
    <!-- Status -->
    <security:http use-expressions="true" pattern="/Status" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- Download -->
    <security:http use-expressions="true" pattern="/Download" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- Workflow deploy -->
    <security:http use-expressions="true" pattern="/workflow-register" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- WebDAV using Basic authentication -->
    <security:http use-expressions="true" pattern="/webdav/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- Syndication using Basic authentication -->
    <security:http use-expressions="true" pattern="/feed/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- OpenCMIS (Browser) using Basic authentication -->
    <security:http use-expressions="true" pattern="/cmis/browser/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- OpenCMIS (AtomPub) using Basic authentication -->
    <security:http use-expressions="true" pattern="/cmis/atom/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- OpenCMIS (AtomPub) using Basic authentication -->
    <security:http use-expressions="true" pattern="/cmis/atom11/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- REST -->
    <security:http use-expressions="true" pattern="/services/rest/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()" />
        <security:http-basic />
    </security:http>
    
    <!-- Additional filter chain for normal users, matching all other requests -->
    <!-- http://info.michael-simons.eu/2011/01/28/disable-jsessionid-path-parameter-in-java-web-applications/ -->
    <security:http use-expressions="true" access-denied-page="/unauthorized.jsp">
    
        <!-- GWT -->
        <security:intercept-url pattern="/frontend/**" access="isFullyAuthenticated()" />
        
        <!-- JSPs -->
        <security:intercept-url pattern="/login.jsp" access="permitAll" />
        <security:intercept-url pattern="/admin/**" access="hasRole('OPENKM_ROLE_ADMIN')" />
        <security:intercept-url pattern="/mobile/**" access="isFullyAuthenticated()" />
        
        <!-- Servlets -->
        <security:intercept-url pattern="/RepositoryStartup" access="isFullyAuthenticated()" />
        <security:intercept-url pattern="/TextToSpeech" access="isFullyAuthenticated()" />
        <security:intercept-url pattern="/HtmlPreview" access="isFullyAuthenticated()" />
        <security:intercept-url pattern="/SyntaxHighlighter" access="isFullyAuthenticated()" />
        <security:intercept-url pattern="/Test" access="isFullyAuthenticated()" />
        
        <!-- Extensions -->
        <security:intercept-url pattern="/extension/ZohoFileUpload" access="permitAll" />
        <security:intercept-url pattern="/extension/**" access="isFullyAuthenticated()" />
        
        <!-- Login page -->
        <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
        
    </security:http>
    
    <!-- Security access logger -->
    <beans:bean id="loggerListener" class="com.openkm.spring.LoggerListener" />
    
    <jee:jndi-lookup id="dataSource" jndi-name="jdbc/OpenKMDS" resource-ref="true" />
    
    <!-- Security configuration moved to $CATALINA_HOME/OpenKM.xml -->
    <!-- WINFIX
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:password-encoder hash="md5"/>
            <security:jdbc-user-service 
                data-source-ref="dataSource"
                users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
                authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
        </security:authentication-provider>
    </security:authentication-manager>
    WINFIX -->
</beans:beans>
- Finally put the file back into OpenKM.war (in the same location -> replace the existing one). Either use WinRAR again or create a small script.
Code:
@echo off
rem Run from the directory that contains WEB-INF\applicationContext.xml
echo Patching WAR...
jar uvf OpenKM.war WEB-INF/applicationContext.xml
echo Done!
pause
- Overwrite OpenKM.war
- Delete the folders webapps/OpenKM and work/Catalina/localhost
- Start OpenKM and that's it.
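
The whole procedure from the post above, as an added example that is not from the original thread or from OpenKM itself: a POSIX shell script that extracts WEB-INF/applicationContext.xml from the WAR, applies the sed rewrites from the post in a single pass (wrapping bare role names in hasRole(), which expression syntax requires), checks the result before repacking, and refuses to patch a file twice. It assumes GNU/Linux with unzip and jar (from a JDK) on the PATH, a Spring Security 3.1 namespace configuration like the one shown above, and that the WAR path is passed on the command line (default ./OpenKM.war). The function names, the NEW_PREFIX variable (defaulting to the thread's OPENKM_ROLE_) and the cut-down sample XML used for the dry run are this example's own, not anything from OpenKM.

```shell
#!/bin/sh
# Added example (not OpenKM tooling): patch WEB-INF/applicationContext.xml
# inside OpenKM.war so the hard-coded ROLE_* names get a new prefix.
# Assumptions: GNU/Linux, unzip and jar on the PATH, Spring Security 3.1 config.
set -e

NEW_PREFIX="${NEW_PREFIX:-OPENKM_ROLE_}"   # prefix that replaces ROLE_ (thread uses OPENKM_ROLE_)

# Apply the rewrites from the post in one sed pass. <security:http-basic is
# renamed first so the use-expressions attribute is not injected into it too.
# Bare role names are wrapped in hasRole(); comma-separated access lists are
# not handled and must be edited by hand.
patch_roles_xml() {
    f="$1"
    if grep -q 'use-expressions=' "$f"; then
        echo "$f already uses expression syntax; refusing to patch it twice" >&2
        return 1
    fi
    sed -e 's|<security:http-basic|<security:temp-http-basic|g' \
        -e "s|ROLE_|${NEW_PREFIX}|g" \
        -e 's|IS_AUTHENTICATED_FULLY|isFullyAuthenticated()|g' \
        -e 's|IS_AUTHENTICATED_ANONYMOUSLY|permitAll|g' \
        -e "s|access=\"\(${NEW_PREFIX}[A-Z_]*\)\"|access=\"hasRole('\1')\"|g" \
        -e 's|<security:http|<security:http use-expressions="true"|g' \
        -e 's|<security:temp-http-basic|<security:http-basic|g' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Checks to run before the patched file goes back into the WAR: no leftovers
# of the old syntax, every <security:http> chain switched to expressions, the
# /admin/** rule still bound to the admin role, and the XML still well-formed.
verify_patch() {
    f="$1"
    if grep -q -e 'IS_AUTHENTICATED_' -e 'temp-http-basic' -e 'access="ROLE_' "$f"; then
        echo "$f: old syntax left behind" >&2; return 1
    fi
    chains=$(grep -c '<security:http[ >]' "$f" || true)
    exprs=$(grep -c 'use-expressions="true"' "$f" || true)
    if [ "$chains" -eq 0 ] || [ "$chains" -ne "$exprs" ]; then
        echo "$f: $chains http chains but $exprs with use-expressions" >&2; return 1
    fi
    grep -q "pattern=\"/admin/\*\*\" access=\"hasRole('${NEW_PREFIX}ADMIN')\"" "$f" \
        || { echo "$f: /admin/** is not restricted to ${NEW_PREFIX}ADMIN" >&2; return 1; }
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$f" || return 1
    fi
}

# End to end: back up the WAR, extract the file, patch, verify, repack.
patch_war() {
    war="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    work=$(mktemp -d)
    cp "$war" "$war.bak.$(date +%Y%m%d%H%M%S)"
    unzip -q "$war" WEB-INF/applicationContext.xml -d "$work"
    patch_roles_xml "$work/WEB-INF/applicationContext.xml"
    verify_patch "$work/WEB-INF/applicationContext.xml"
    (cd "$work" && jar uf "$war" WEB-INF/applicationContext.xml)
    rm -rf "$work"
    echo "patched $war; now delete webapps/OpenKM and work/Catalina/localhost and start Tomcat"
}

# Constructed sample (a cut-down applicationContext.xml, not the real one) for a dry run.
make_sample_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security">
    <security:http pattern="/Status" create-session="stateless">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:http-basic />
    </security:http>
    <security:http access-denied-page="/unauthorized.jsp">
        <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/frontend/**" access="IS_AUTHENTICATED_FULLY" />
        <security:form-login login-page="/login.jsp" />
    </security:http>
</beans:beans>
EOF
}

if [ "${1:-}" = "--apply" ]; then
    patch_war "${2:-OpenKM.war}"
elif [ "${1:-}" = "--dry-run" ]; then
    d=$(mktemp -d)
    make_sample_xml "$d/applicationContext.xml"
    patch_roles_xml "$d/applicationContext.xml" && verify_patch "$d/applicationContext.xml" \
        && cat "$d/applicationContext.xml"
    rm -rf "$d"
fi
```

Run it with --dry-run first to see the rewritten sample, then, with Tomcat stopped, with --apply /path/to/OpenKM.war. After the restart, log in as a user who is not in the admin group and confirm that /OpenKM/admin/ lands on unauthorized.jsp rather than the administration pages: the whole point of the patch is to keep that rule intact under the new role name.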
