Inconsistent WebDAV permissions from different interfaces

Posted: Thu Aug 04, 2011 4:03 pm
by marthin.vandyk.cod
Hi,

Release: OpenKM-5.1.7_JBoss-4.2.3.GA.zip
OS: Ubuntu 10.04.3 LTS, Linux nebulae 2.6.32-33-server #70-Ubuntu SMP Thu Jul 7 22:28:30 UTC 2011 x86_64 GNU/Linux
Java: Java(TM) SE Runtime Environment (build 1.6.0_26-b03), Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
Browser: Firefox 5.0, Opera 11.50, Chrome 13.0.782.109 beta

Have been testing the overall functionality and some corner cases and am currently stuck on a WebDAV point. I have read through copious amounts of documentation (subscribed to OKM Network) but have not found an answer there.

Background:
1. Completed install and configuration of OpenKM without a snag.
2. Login to the web frontend with okmAdmin and able to configure all aspects as per the best practice, i.e. created new roles and removed UserRole from propagating in Taxonomy, Templates and Categories, substituting it with the new ones.
3. Create users with both UserRole and new role added to the account.
4. At this point okm:personal has not been touched regarding security settings.

So Far So Good:
1. When logging in with a regular user everything is OK: frontend loads, Taxonomy, Templates and Categories are read-only as per my settings, and under "My Documents" one can only view your own folder. okm:personal is not visible.
2. The same is OK when logging in with another regular user. Only their own folder is visible and nobody else's under "My Documents".

Issue 1:
1. Inconsistency happens when enabling WebDAV and not using a client to access the repository, but a regular web browser window going to the URL - http://server:8080/OpenKM/repository/de ... onal/user1.
2. Even giving an entirely different username/password combination at the prompt (for example user2), one is still logged in to the folder.
3. Using the in browser navigation presented by Jackrabbit for going one level up, all folders beneath okm_personal are accessible and can be browsed to!

Issue 2:
1. When removing UserRole as a group permission from the personal folders and only having the specific user role, one is still able to log in to any folder with a different username/password combination, i.e. access the user1 folder with user2 credentials.
2. Now, using the in browser navigation presented by Jackrabbit for going one level up, the "okm_root", "okm_templates" and "okm_personal" folders are displayed.
3. When selecting "okm_personal", the folder that is tied to the user we logged in with is presented, e.g. http://server:8080.../user2

Workaround:
1. When browsing to the "okm_personal" folder instead of a user's specific subfolder, this problem does not appear.
2. For example, going to http://server:8080/OpenKM/repository/de ... _personal/ and logging in with user1 will only present the user1 folder.

Logs:
When this happens the application is constantly logging the following:
17:48:11,448 WARN  [OKMAccessManager] [user2, Roles(members:Resident,UserRole)] PathNotFoundException(okm:authUsersRead) in rep:system
17:48:11,452 WARN  [OKMAccessManager] [user2, Roles(members:Resident,UserRole)] PathNotFoundException(okm:authUsersRead) in okm:sysConfig
Going through the repository.xml I have not been able to find anything useful to change. The AccessManager used is "OKMAccessManager" which should(?) be better than the Jackrabbit default module included (check http://wiki.openkm.com/index.php/Reposi ... figuration) :
The default SimpleLoginModule class included in Jackrabbit implements a trivially simple authentication mechanism that accepts any username and any password as valid authentication credentials.
I have tested this by using a completely bogus username/password combination, which did not work, so that is OK. No anonymous access.

Any help would be appreciated on this, at this stage I am publishing the URL http://server:8080/OpenKM/repository/de ... _personal/ for WebDAV connections and hope that nobody tries to access other folders.

Security by obscurity. :|

Many thanks.

rgds
Marthin
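Added example (not from the post or from OpenKM): a small model of the grant evaluation behind Issue 1 and Issue 2 above. It flags personal folders that a non-owner can read because UserRole was propagated onto them, and shows the effect of the workaround of removing that group grant; the folder paths, grants and user names are constructed.

```python
# Added model of the grant evaluation behind the WebDAV exposure in this thread
# (constructed example, not OpenKM code; paths, grants and user names are made up).
from dataclasses import dataclass

@dataclass(frozen=True)
class Folder:
    path: str
    user_grants: frozenset  # individual users granted read access
    role_grants: frozenset  # roles granted read access (group grants)

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

def can_read(user, folder):
    """Read is allowed if the user is granted directly or via any of their roles."""
    return user.name in folder.user_grants or bool(user.roles & folder.role_grants)

def owner_of(folder):
    """Personal folders are named after their owner: /okm:personal/<user>."""
    return folder.path.rsplit("/", 1)[1]

def audit_personal_folders(folders, users, personal_root="/okm:personal"):
    """Return (folder path, user) pairs where a non-owner can read a personal folder.
    With UserRole propagated onto every personal folder, every UserRole member
    can browse the other users' folders, which is what WebDAV showed."""
    findings = []
    for f in folders:
        if not f.path.startswith(personal_root + "/"):
            continue
        for u in users:
            if u.name != owner_of(f) and can_read(u, f):
                findings.append((f.path, u.name))
    return findings

def harden(folder, shared_role="UserRole"):
    """The workaround from the thread: drop the shared role grant, keep the owner grant."""
    return Folder(folder.path, folder.user_grants | {owner_of(folder)},
                  folder.role_grants - {shared_role})

# Constructed sample: two users holding UserRole, each with a personal folder.
USERS = [User("user1", frozenset({"UserRole", "Resident"})),
         User("user2", frozenset({"UserRole", "Resident"}))]
FOLDERS = [Folder("/okm:personal/user1", frozenset({"user1"}), frozenset({"UserRole"})),
           Folder("/okm:personal/user2", frozenset({"user2"}), frozenset({"UserRole"}))]

if __name__ == "__main__":
    print("exposed:", audit_personal_folders(FOLDERS, USERS))
    print("after hardening:", audit_personal_folders([harden(f) for f in FOLDERS], USERS))
```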

Re: Inconsistent WebDAV permissions from different interface

Posted: Mon Aug 08, 2011 9:17 am
by jllort
About issue 1, I added it at http://issues.openkm.com/view.php?id=1744 (it could probably be solved by removing UserRole from okm:personal; I'm not sure about it, as that could cause an error on user creation (test it). Not all roles can be removed from okm:personal, but they must not be propagated to user folders (for now it might be done manually, setting security there after the first user login). I propose another solution in the core (that will surely run correctly).

About issue 2, I need some screenshots with the okm:personal grants and the user1 and user2 folder grants to understand why user2 is able to see user1 folder information.

Re: Inconsistent WebDAV permissions from different interface

Posted: Mon Aug 08, 2011 8:32 pm
by pavila
The fix for issue 1 will be included in the next OpenKM release. Until it is released, you can grab a nightly build from http://integration.openkm.com/5.1.x/ . Also, you will need to remove the UserRole from the already created personal folders.

Re: Inconsistent WebDAV permissions from different interface

Posted: Tue Aug 09, 2011 8:34 am
by marthin.vandyk.cod
Thanks for the response!
jllort wrote: About issue 1, I added it at http://issues.openkm.com/view.php?id=1744 (it could probably be solved by removing UserRole from okm:personal; I'm not sure about it, as that could cause an error on user creation (test it). Not all roles can be removed from okm:personal, but they must not be propagated to user folders (for now it might be done manually, setting security there after the first user login). I propose another solution in the core (that will surely run correctly).
I have recreated the scenario and attached 5307-screenshots-1.tgz showing the steps. The names of the images themselves explain what is happening. In summary, it tests the results when UserRole is removed from okm:personal and a user that does not have a folder created tries to log in. Login fails.
jllort wrote: About issue 2, I need some screenshots with the okm:personal grants and the user1 and user2 folder grants to understand why user2 is able to see user1 folder information.
For the scenario where users are getting access to personal folders that are not their own, after they have logged in with their own account, please see 5307-screenshots-2.tgz, 5307-screenshots-3.tgz and 5307-screenshots-4.tgz. The names of the images themselves explain what is happening. In summary, one has to manually remove UserRole from the group grants for each personal folder, or else everybody with UserRole assigned will have access to the folder. This does not happen when accessing the repository via the Web Desktop, but only via WebDAV.

ps. 5307-screenshots-4.tgz is added in the following post due to attachment limit.

Re: Inconsistent WebDAV permissions from different interface

Posted: Tue Aug 09, 2011 8:36 am
by marthin.vandyk.cod
Added 5307-screenshots-4.tgz as referenced in previous post.

Re: Inconsistent WebDAV permissions from different interface

Posted: Tue Aug 09, 2011 8:44 am
by marthin.vandyk.cod
pavila wrote: The fix for issue 1 will be included in the next OpenKM release. Until it is released, you can grab a nightly build from http://integration.openkm.com/5.1.x/ . Also, you will need to remove the UserRole from the already created personal folders.
We have recently launched this for production and I would not like to move to a nightly build. From what I understand, upgrade/migration is not supported on the beta releases?

In the new release will one still have to remove UserRole from the already created personal folders to secure WebDAV access, or will it be taken care of like in the Web Desktop interface? Currently we are removing the UserRole group grant manually.

ps. I have sent two requests for Pro Support quotes/pricing, but nothing has come through yet. Is there a number one can dial? Please PM me a number if you can; we are in South Africa and time zones are not a problem.

Re: Inconsistent WebDAV permissions from different interface

Posted: Tue Aug 16, 2011 7:18 pm
by pavila
Already created "personal document" folders (for example) will have the UserRole assigned, so it needs to be manually removed. The fix is for new folder creation.

For support price, please send me a PM with your contact info ( email, phone, skype, etc.) and I will forward this data to our sales department.

In addition, you can contact us by filling in this form: http://www.openkm.com/Contact/ . I'm not sure how you tried to contact us in the past.

Regards.