User administration
Posted: Tue Jul 12, 2016 10:47 am
by loty
Hello.
We use OpenKM community v6.3.1 and have already configured integration with CAS. When a user logs into the system, he is created in the database in the "okm_user_config" table, despite the fact that there is still an "okm_user" table, whose users are displayed on the portal. What is the difference between these two types of users?
Thanks.
Re: User administration
Posted: Wed Jul 13, 2016 5:30 am
by jllort
OKM_USER is the table where the user id, password, etc. are set; OKM_USER_CONFIG is used to store information like the user home (the uuid that will be used as the default home on login).
About CAS, congratulations on it. If you can share this configuration, we will include it (extending the existing one) in our wiki, because the configuration described there is about 2 years old, more or less, and possibly needs some update.
Re: User administration
Posted: Thu Jul 14, 2016 11:47 am
by loty
How are users in OKM_USER and OKM_USER_CONFIG associated with each other? For example: I create a new user in the web interface and give him the ADMIN role, and then I log into OpenKM. Spring Security checks the user role in AD and then logs in with the user from OKM_USER_CONFIG with role USER.
P.S. Config files for the CAS configuration are below.
OpenKM.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<property name="service" value=""/>
</bean>
<bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value=""/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="casAuthenticationProvider"/>
</sec:authentication-manager>
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService">
<bean
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<constructor-arg ref="userService"/>
</bean>
</property>
<property name="serviceProperties" ref="serviceProperties"/>
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value=""/>
</bean>
</property>
<property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
<!-- LDAP config.
The CAS provider above wraps this service (UserDetailsByNameServiceWrapper -> userService),
so after a CAS login both the UserDetails and the granted authorities come from the directory:
with Spring Security's defaults every group matched by group-search-filter becomes the authority
role-prefix + upper-cased cn of the group (a group "admin" gives ROLE_ADMIN). The OKM_USER_ROLE
table is only consulted by the JDBC provider, which is commented out further down. -->
<sec:ldap-user-service id="userService" server-ref="ldapServer"
user-search-base=""
user-search-filter="(sAMAccountName={0})" role-prefix="ROLE_"
group-search-base=""
group-search-filter="(member={0})" />
<sec:ldap-server id="ldapServer"
manager-dn=""
manager-password="" url="" port="389"
root="" />
<!-- End of LDAP config -->
<!-- DB config -->
<!--
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"/>
<sec:jdbc-user-service id="userService" data-source-ref="securityDataSource"
users-by-username-query="SELECT login, password, TRUE FROM user_ WHERE login = ?"
authorities-by-username-query="SELECT login, name FROM user_ LEFT JOIN group_ ON role_id = group_.id WHERE login = ?"/>
<bean id="securityDataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${db.driver.classname}"/>
<property name="url" value="${db.security.url}"/>
<property name="username" value="${db.security.credentials.username}"/>
<property name="password" value="${db.security.credentials.password}"/>
</bean>
-->
<!-- End of DB config -->
<bean id="singleLogoutFilter"
class="org.jasig.cas.client.session.SingleSignOutFilter"/>
</beans>
applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:jaxrs="http://cxf.apache.org/jaxrs"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/jaxrs
http://cxf.apache.org/schemas/jaxrs.xsd">
<context:property-placeholder location="file:${catalina.home}/conf/openkm.properties"/>
<context:component-scan base-package="com.openkm"/>
<!-- <task:annotation-driven/> -->
<!-- Tasks configuration moved to $CATALINA_HOME/OpenKM.xml -->
<!-- Apache CXF Web Services -->
<beans:import resource="classpath:META-INF/cxf/cxf.xml" />
<beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<!--
<beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
<beans:property name="targetMethod" value="setStrategyName" />
<beans:property name="arguments" value="_INHERITABLETHREADLOCAL" />
</beans:bean>
-->
<beans:bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<beans:constructor-arg>
<beans:map>
<beans:entry key="action" value="UsernameToken" />
<beans:entry key="passwordType" value="PasswordText" />
<beans:entry key="passwordCallbackClass" value="com.openkm.spring.ClientPasswordCallback" />
</beans:map>
</beans:constructor-arg>
</beans:bean>
<!-- SOAP -->
<jaxws:endpoint id="authService" implementor="com.openkm.ws.endpoint.AuthService" address="/OKMAuth"/>
<jaxws:endpoint id="bookmarkService" implementor="com.openkm.ws.endpoint.BookmarkService" address="/OKMBookmark"/>
<jaxws:endpoint id="documentService" implementor="com.openkm.ws.endpoint.DocumentService" address="/OKMDocument"/>
<jaxws:endpoint id="folderService" implementor="com.openkm.ws.endpoint.FolderService" address="/OKMFolder"/>
<jaxws:endpoint id="mailService" implementor="com.openkm.ws.endpoint.MailService" address="/OKMMail"/>
<jaxws:endpoint id="noteService" implementor="com.openkm.ws.endpoint.NoteService" address="/OKMNote"/>
<jaxws:endpoint id="notificationService" implementor="com.openkm.ws.endpoint.NotificationService" address="/OKMNotification"/>
<jaxws:endpoint id="propertyGroupService" implementor="com.openkm.ws.endpoint.PropertyGroupService" address="/OKMPropertyGroup"/>
<jaxws:endpoint id="propertyService" implementor="com.openkm.ws.endpoint.PropertyService" address="/OKMProperty"/>
<jaxws:endpoint id="repositoryService" implementor="com.openkm.ws.endpoint.RepositoryService" address="/OKMRepository"/>
<jaxws:endpoint id="searchService" implementor="com.openkm.ws.endpoint.SearchService" address="/OKMSearch"/>
<jaxws:endpoint id="dashboardService" implementor="com.openkm.ws.endpoint.DashboardService" address="/OKMDashboard"/>
<jaxws:endpoint id="workflowService" implementor="com.openkm.ws.endpoint.WorkflowService" address="/OKMWorkflow"/>
<jaxws:endpoint id="testService" implementor="com.openkm.ws.endpoint.TestService" address="/OKMTest">
<!--
<jaxws:inInterceptors>
<beans:ref bean="WSS4JInInterceptor"/>
</jaxws:inInterceptors>
-->
</jaxws:endpoint>
<!-- OpenCMIS -->
<jaxws:endpoint id="cmisNavigationService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.NavigationService" address="/cmis/NavigationService"/>
<jaxws:endpoint id="cmisPolicyService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.PolicyService" address="/cmis/PolicyService"/>
<jaxws:endpoint id="cmisDiscoveryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.DiscoveryService" address="/cmis/DiscoveryService"/>
<jaxws:endpoint id="cmisMultiFilingService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.MultiFilingService" address="/cmis/MultiFilingService"/>
<jaxws:endpoint id="cmisRepositoryService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RepositoryService" address="/cmis/RepositoryService"/>
<jaxws:endpoint id="cmisRelationshipService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.RelationshipService" address="/cmis/RelationshipService"/>
<jaxws:endpoint id="cmisVersioningService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.VersioningService" address="/cmis/VersioningService"/>
<jaxws:endpoint id="cmisObjectService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.ObjectService" address="/cmis/ObjectService"/>
<jaxws:endpoint id="cmisAclService" implementor="org.apache.chemistry.opencmis.server.impl.webservices.AclService" address="/cmis/ACLService"/>
<!-- REST -->
<jaxrs:server id="restAuth" address="/rest/auth">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.AuthService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restDocument" address="/rest/document">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.DocumentService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restFolder" address="/rest/folder">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.FolderService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restMail" address="/rest/mail">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.MailService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restNote" address="/rest/note">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.NoteService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restPropertyGroup" address="/rest/propertyGroup">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.PropertyGroupService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restSearch" address="/rest/search">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.SearchService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restRepository" address="/rest/repository">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.RepositoryService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restProperty" address="/rest/property">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.PropertyService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<jaxrs:server id="restTest" address="/rest/test">
<jaxrs:serviceBeans>
<beans:bean class="com.openkm.rest.endpoint.TestService"/>
</jaxrs:serviceBeans>
</jaxrs:server>
<security:global-method-security secured-annotations="enabled"/>
<!-- Remove prefix to be able of use custom roles -->
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value="ROLE_"/>
</beans:bean>
<!-- OpenCMIS -->
<beans:bean id="CmisLifecycleBean" class="com.openkm.cmis.CmisLifecycleBean">
<beans:property name="cmisServiceFactory" ref="CmisServiceFactory" />
</beans:bean>
<beans:bean id="CmisServiceFactory" class="com.openkm.cmis.CmisServiceFactory" />
<!-- security="none" removes these paths from the Spring Security filter chain entirely:
no authentication and no SecurityContext for any request under /services/rest/.
The http-basic chain for the same pattern is kept, commented out, under "REST" below. -->
<security:http pattern="/services/rest/**" security="none"/>
<!-- Status -->
<security:http pattern="/Status" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- Download -->
<security:http pattern="/Download" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- Workflow deploy -->
<security:http pattern="/workflow-register" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- WebDAV using Basic authentication -->
<security:http pattern="/webdav/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- Syndication using Basic authentication -->
<security:http pattern="/feed/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- OpenCMIS (Browser) using Basic authentication -->
<security:http pattern="/cmis/browser/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- OpenCMIS (AtomPub) using Basic authentication -->
<security:http pattern="/cmis/atom/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- OpenCMIS (AtomPub) using Basic authentication -->
<security:http pattern="/cmis/atom11/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
<!-- REST -->
<!--
<security:http pattern="/services/rest/**" create-session="stateless" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:http-basic />
</security:http>
-->
<!-- Additional filter chain for normal users, matching all other requests -->
<!-- http://info.michael-simons.eu/2011/01/28/disable-jsessionid-path-parameter-in-java-web-applications/ -->
<!-- <security:http access-decision-manager-ref="accessDecisionManager" access-denied-page="/unauthorized.jsp"> -->
<security:http access-denied-page="/unauthorized.jsp" entry-point-ref="casEntryPoint" use-expressions="true">
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
<!-- GWT -->
<security:intercept-url pattern="/frontend/**" access="isAuthenticated()" />
<!-- JSPs -->
<!-- with use-expressions="true" the access attribute is a SpEL expression; permitAll is the expression form of IS_AUTHENTICATED_ANONYMOUSLY -->
<security:intercept-url pattern="/login.jsp" access="permitAll" />
<security:intercept-url pattern="/admin/**" access="isAuthenticated()" />
<security:intercept-url pattern="/mobile/**" access="isAuthenticated()" />
<!-- Servlets -->
<security:intercept-url pattern="/RepositoryStartup" access="isAuthenticated()" />
<security:intercept-url pattern="/TextToSpeech" access="isAuthenticated()" />
<security:intercept-url pattern="/HtmlPreview" access="isAuthenticated()" />
<security:intercept-url pattern="/SyntaxHighlighter" access="isAuthenticated()" />
<security:intercept-url pattern="/Test" access="isAuthenticated()" />
<!-- Extensions -->
<security:intercept-url pattern="/extension/ZohoFileUpload" access="permitAll" />
<security:intercept-url pattern="/extension/**" access="isAuthenticated()" />
<!-- Login page -->
<security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
<security:intercept-url pattern="/**" access="isAuthenticated()"/>
<security:logout logout-url="/logout" logout-success-url=""/>
<security:session-management invalid-session-url=""/>
</security:http>
<!-- Needed for changing default role prefix -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
<beans:ref bean="roleVoter" />
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<!-- Security access logger -->
<beans:bean id="loggerListener" class="com.openkm.spring.LoggerListener" />
<jee:jndi-lookup id="dataSource" jndi-name="jdbc/OpenKMDS" resource-ref="true" />
<!-- Security configuration moved to $CATALINA_HOME/OpenKM.xml -->
<!-- WINFIX
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:password-encoder hash="md5"/>
<security:jdbc-user-service
data-source-ref="dataSource"
users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
</security:authentication-provider>
</security:authentication-manager>
WINFIX -->
</beans:beans>
web.xml (first part)
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>OpenKM</display-name>
<!-- Tomcat resources -->
<!-- Already defined in $TOMCAT_HOME/conf/context.xml -->
<!--
<resource-ref>
<description>OKM Datasource</description>
<res-ref-name>jdbc/OpenKMDS</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<resource-ref>
<description>OKM Mail</description>
<res-ref-name>mail/OpenKM</res-ref-name>
<res-type>javax.mail.Session</res-type>
<res-auth>Container</res-auth>
</resource-ref>
-->
<jsp-config>
<taglib>
<taglib-uri>http://www.openkm.com/tags/utils</taglib-uri>
<taglib-location>/WEB-INF/tlds/utils.tld</taglib-location>
</taglib>
</jsp-config>
<!-- Filters -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>WebDAVFilter</filter-name>
<filter-class>com.openkm.webdav.WebDAVFilter</filter-class>
</filter>
<filter>
<filter-name>UploadThrottleFilter</filter-name>
<filter-class>com.openkm.servlet.frontend.UploadThrottleFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value></param-value>
</init-param>
</filter>
<!-- Filter Mappings -->
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WebDAVFilter</filter-name>
<url-pattern>/webdav/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>UploadThrottleFilter</filter-name>
<url-pattern>/frontend/FileUpload</url-pattern>
</filter-mapping>
<!-- Listeners -->
<listener>
<listener-class>com.openkm.servlet.SessionListener</listener-class>
</listener>
<listener>
<listener-class>org.apache.commons.fileupload.servlet.FileCleanerCleanup</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>net.sf.ehcache.constructs.web.ShutdownListener</listener-class>
</listener>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
file:${catalina.home}/OpenKM.xml
</param-value>
</context-param>
</web-app>
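The two files above wire CAS into Spring Security's XML namespace, and the questions in this thread (why a CAS-authenticated user comes in with ROLE_USER, which paths need no login at all) can be answered by reading that XML mechanically. The script below is an added example written for this page, not OpenKM's or Spring's own code. It assumes Spring Security 3.x semantics: intercept-url rules in a chain are evaluated top to bottom and the first match wins, security="none" removes a path from the filter chain entirely, and a CAS-authenticated principal's authorities come from whatever UserDetailsService CasAuthenticationProvider is given. It runs on a constructed, trimmed merge of the posted OpenKM.xml and applicationContext.xml with one deliberately misordered rule added to show the dead-rule check.

```python
"""Audit a Spring Security 3.x XML context: chains switched off with
security="none", intercept-url rules that admit anonymous callers, rules that
can never match because an earlier rule in the same chain already does, and
the UserDetailsService wired into CasAuthenticationProvider (i.e. where a
CAS-authenticated user's ROLE_* authorities actually come from)."""
import re
import xml.etree.ElementTree as ET

SEC = "http://www.springframework.org/schema/security"
BEANS = "http://www.springframework.org/schema/beans"
# access values that let an unauthenticated request through
ANON = {"permitAll", "IS_AUTHENTICATED_ANONYMOUSLY", "isAnonymous()"}

# Constructed sample, not OpenKM's shipped config: a trimmed merge of the two
# posted files plus one deliberately misordered rule at the end of the CAS chain.
SAMPLE = """<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security">
  <beans:bean id="casAuthenticationProvider"
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="authenticationUserDetailsService">
      <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <beans:constructor-arg ref="userService"/>
      </beans:bean>
    </beans:property>
  </beans:bean>
  <security:ldap-user-service id="userService" server-ref="ldapServer"
      user-search-filter="(sAMAccountName={0})" role-prefix="ROLE_"
      group-search-filter="(member={0})"/>
  <security:http pattern="/services/rest/**" security="none"/>
  <security:http pattern="/webdav/**" create-session="stateless" use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:http-basic/>
  </security:http>
  <security:http entry-point-ref="casEntryPoint" use-expressions="true">
    <security:intercept-url pattern="/login.jsp" access="permitAll"/>
    <security:intercept-url pattern="/extension/ZohoFileUpload" access="permitAll"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
  </security:http>
</beans:beans>
"""


def local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def ant_to_regex(pattern: str) -> "re.Pattern":
    """Translate an Ant-style intercept-url pattern into an anchored regex:
    '/**' also matches the bare prefix, '*' stays within one path segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def cas_user_details(root):
    """Return (bean ref, element name) of the service wired into
    CasAuthenticationProvider.authenticationUserDetailsService, or None."""
    for bean in root.iter(f"{{{BEANS}}}bean"):
        if not bean.get("class", "").endswith(".CasAuthenticationProvider"):
            continue
        for prop in bean.findall(f"{{{BEANS}}}property"):
            if prop.get("name") != "authenticationUserDetailsService":
                continue
            refs = [e.get("ref") for e in prop.iter() if e.get("ref")]
            if not refs:
                return None
            target = next((e for e in root.iter() if e.get("id") == refs[0]), None)
            return refs[0], (local(target.tag) if target is not None else None)
    return None


def audit(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    report = {"unprotected_chains": [], "anonymous_rules": [],
              "shadowed_rules": [], "cas_user_details": cas_user_details(root)}
    for http in root.iter(f"{{{SEC}}}http"):
        chain = http.get("pattern", "/**")      # a chain without pattern is the catch-all
        if http.get("security") == "none":
            report["unprotected_chains"].append(chain)   # no filters, no authentication
            continue
        seen = []                               # (pattern, regex) of earlier rules in this chain
        for rule in http.findall(f"{{{SEC}}}intercept-url"):
            pat, access = rule.get("pattern", "/**"), rule.get("access", "")
            if access in ANON:
                report["anonymous_rules"].append((chain, pat))
            literal = not any(c in pat for c in "*?")
            for earlier, rx in seen:            # first match wins, so a later rule is dead if
                if earlier == "/**" or (literal and rx.match(pat)):   # an earlier one covers it
                    report["shadowed_rules"].append((chain, pat, earlier))
                    break
            seen.append((pat, ant_to_regex(pat)))
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run as-is it prints the report for the constructed sample; to audit a deployment, read $CATALINA_HOME/OpenKM.xml and WEB-INF/applicationContext.xml and pass each to audit(). On the sample it reports /services/rest/** as a chain with no security filters, the two permitAll rules in the CAS chain, the /admin/** rule as dead because /** precedes it, and that the CAS provider resolves users through ldap-user-service, which is the reason a role granted in OpenKM's own user table is not what Spring Security sees after a CAS login.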
Re: User administration
Posted: Thu Jul 14, 2016 8:22 pm
by sethu
Hi Team,
I have created a new profile and assigned it to one existing user. When I try to log in I am getting the error message. Please see the attached error message for your reference.
Thanks in advance.
Regards,
Sethu. B
Re: User administration
Posted: Fri Jul 15, 2016 7:24 am
by jllort
The problem is caused because the user has no grants for accessing the root nodes (okm:root, etc.). If you have not changed security on the main nodes, then the user has not been assigned ROLE_USER.
Re: User administration
Posted: Fri Jul 15, 2016 11:14 am
by loty
What about my last question?
Thanks.
Re: User administration
Posted: Tue Jul 19, 2016 11:28 am
by jllort
OKM_USER_CONFIG is used to set the default OpenKM node that must be shown when the user logs into the application. If you do not change the default home, then by default it is set to /okm:root, but, as for all users, you can change it in favour of another node (see the contextual menu option -> "set user home").