[cas-user] OpenKM Cas client how to adapt from jboss to tomcat


Michael EDLICH

Aug 29, 2013, 3:58:47 AM8/29/13
to cas-...@lists.jasig.org
Hi,

I was using OpenKM (5.1.10) with cas-client (and LDAP) without problems; the client application was on a JBoss server.

Now i'd like to install OpenKM 6.2 with Tomcat.

I try to apply the old configuration to the new but having some trouble (the ldap part is operational, but not the auth via CAS-client). The cas server is unchanged.

With Jboss i used to change the file :
server/default/conf/login-config.xml
With this modification :
 <!-- JBoss JAAS application policy "OpenKM": one required login module, the Jasig
      CasLoginModule, which validates CAS tickets with the SAML 1.1 validator. -->
 <application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <!-- Ticket validation is an HTTPS call to this prefix, so the JVM running
           OpenKM has to trust the CAS server certificate. -->
      <module-option name="casServerUrlPrefix">https://URL:8443/cas/</module-option>
      <!-- NOTE(review): this service URL ends with a slash, while the "service"
           context-param in the web.xml part of this message does not. Confirm that
           the URL used at validation is the one the ticket was issued for. -->
      <module-option name="service">https://URL:8443/OpenKM/</module-option>
      <!-- Static role given to every principal that authenticates through CAS. -->
      <module-option name="defaultRoles">UserRole</module-option>
      <!-- Name(s) of the assertion attribute whose values become roles. Here the
           attribute itself is called "roleAttributeNames"; the SAML response quoted
           later in the thread carries an attribute with that name. The roles are
           therefore whatever the CAS server releases for that attribute. -->
      <module-option name="roleAttributeNames">roleAttributeNames</module-option>
      <!-- JAAS group names under which the caller principal and its roles are stored. -->
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <!-- Validated assertions are cached; see cacheTimeout below for how long. -->
      <module-option name="cacheAssertions">true</module-option>
      <!-- Clock-drift allowance for the SAML validity window, presumably in
           milliseconds (confirm for the client version in use). 20000 accepts an
           assertion well outside its own NotBefore/NotOnOrAfter bounds; synchronised
           clocks and a smaller value narrow the window for replaying a ticket. -->
      <module-option name="tolerance">20000</module-option>
      <!-- Presumably minutes: a cached assertion would then be honoured for up to
           8 hours without going back to the CAS server. TODO confirm the unit. -->
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>
and this file :

WEB-INF/web.xml

with that modification :

<!-- CAS SSO: listener, filters and context parameters used by the JBoss deployment -->
  <!-- Single sign-out, part 1: removes the ticket-to-session mapping when an
       HTTP session ends. -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
 
  <!-- Single sign-out, part 2: needed only if CAS single sign-out is desired.
       Without this filter a logout at the CAS server leaves the OpenKM session alive. -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
 
  <!-- Only 2 CAS filters are required for JAAS support. The two context-params
       below are shared by them; both URLs are HTTPS, so tickets and the session
       cookie are not sent in clear text. -->
  <context-param>
    <param-name>service</param-name>
    <param-value>https://URL:8443/OpenKM</param-value>
  </context-param>
  <context-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://URL:8443/cas/login</param-value>
  </context-param>
 
  <!-- NOTE(review): this class lives in the JBoss integration package of the CAS
       client (org.jasig.cas.client.jboss). It is the piece that hands the ticket to
       the container's JAAS login, so it cannot be carried over to Tomcat as it is. -->
  <filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
  </filter>
  <!-- Redirects requests that have no authenticated session to casServerLoginUrl. -->
  <filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  </filter>
 
  <!-- CAS client filter mappings -->
  <!-- The order of the following filters is vitally important: single sign-out
       first, then the JAAS login filter, then the redirect-to-CAS filter.
       NOTE(review): all three mappings enumerate paths and keep the catch-all
       pattern commented out. Any path that is not listed here is not covered by
       the CAS filters and has to be protected by some other mechanism or be
       intentionally public. Keep the three lists identical when a path is added. -->
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets (the /frontend/* pattern is repeated from the GWT group above) -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <!-- Same path list for the filter that performs the JAAS login with the ticket. -->
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
 
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <!-- Same path list for the filter that sends unauthenticated requests to CAS;
       this is the mapping that decides which paths require a login at all. -->
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
 
    <!-- GWT -->
    <url-pattern>/frontend/*</url-pattern>
 
    <!-- JSPs -->
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/mobile/*</url-pattern>
    <url-pattern>/mobile-nt/*</url-pattern>
 
    <!-- Servlets -->
    <url-pattern>/RepositoryStartup</url-pattern>
    <url-pattern>/TextToSpeech</url-pattern>
    <url-pattern>/Test</url-pattern>
    <url-pattern>/frontend/*</url-pattern>
    <url-pattern>/extension/*</url-pattern>
 
    <!--url-pattern>/*</url-pattern-->
  </filter-mapping>
  <!-- /CAS SSO -->

And all was OK.

Now with Tomcat I'm a little bit lost...

so, I don't know how to adapt this file  :

 <!-- Spring Security authentication manager with a single provider: LDAP bind. -->
 <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <!-- Connection used for user and group searches.
       NOTE(review): the URL is plain ldap:// on port 389 and no StartTLS is
       configured in this excerpt, so the bind password below and the password of
       every user who logs in cross the network unencrypted. Prefer ldaps:// (or
       StartTLS) with certificate validation.
       NOTE(review): the searches bind as cn=admin. A dedicated read-only account
       is enough for user and group lookups and limits the damage if this file
       leaks; the password is stored here in clear text, so restrict read access
       to the account that runs Tomcat. -->
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://URL:389/ou=service,dc=domaine,dc=fr"/>
                <beans:property name="userDn" value="cn=admin,dc=domaine,dc=fr"/>
        <beans:property name="password" value="PASSWORD"/>
  </beans:bean>

        <!-- Provider = authenticator (first constructor argument) + authorities
             populator (second constructor argument). -->
        <beans:bean id="ldapAuthProvider" 
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
                <beans:constructor-arg>
                        <!-- Authenticates by binding to the directory as the entry
                             found by userSearch, with the password the user typed. -->
                        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                                <beans:constructor-arg ref="contextSource"/>
                                <beans:property name="userSearch" ref="userSearch"></beans:property>
                        </beans:bean>
                </beans:constructor-arg>
                <beans:constructor-arg>
                        <!-- Roles come from groups under ou=groups whose memberUid
                             equals the login name ({1}); the group cn is upper-cased
                             and used as the role with no prefix. -->
                        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                        <beans:constructor-arg ref="contextSource"/>
                                <beans:constructor-arg value="ou=groups"/>
                                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                                <beans:property name="groupRoleAttribute" value="cn"/>
                                <beans:property name="searchSubtree" value="true" />
                                <beans:property name="convertToUpperCase" value="true" />
                                <beans:property name="rolePrefix" value="" />
                                <!-- Every account that can bind receives ROLE_USER,
                                     whatever its group membership. That makes the
                                     search base and filter in userSearch the only
                                     gate on who may use the application. -->
                                <beans:property name="defaultRole" value="ROLE_USER" />
                        </beans:bean>
                </beans:constructor-arg>
        </beans:bean>

   <!-- Finds the user entry: subtree search under ou=people for cn equal to the login name. -->
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=people" />
    <beans:constructor-arg index="1" value="cn={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>


And the web.xml :




<jsp-config>
    <taglib>
      <taglib-uri>http://www.openkm.com/tags/utils</taglib-uri>
      <taglib-location>/WEB-INF/tlds/utils.tld</taglib-location>
    </taglib>
  </jsp-config>

  <!-- Filters -->
  <!-- Servlet filter that delegates to the Spring bean named
       springSecurityFilterChain. In this stock file it is the component that
       authenticates requests, so a CAS integration has to plug into that chain. -->
  <filter>
        <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter>
    <filter-name>WebDAVFilter</filter-name>
    <filter-class>com.openkm.webdav.WebDAVFilter</filter-class>
  </filter>
  <filter>
    <filter-name>UploadThrottleFilter</filter-name>
    <filter-class>com.openkm.servlet.frontend.UploadThrottleFilter</filter-class>
  </filter>

  <!-- Filter Mappings -->
  <!-- Every request path goes through the Spring Security chain. -->
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>WebDAVFilter</filter-name>
    <url-pattern>/webdav/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>UploadThrottleFilter</filter-name>
    <url-pattern>/frontend/FileUpload</url-pattern>
  </filter-mapping>

  <!-- Listeners -->
  <listener>
    <listener-class>com.openkm.servlet.SessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.apache.commons.fileupload.servlet.FileCleanerCleanup</listener-class>
  </listener>
  <!-- Loads the Spring contexts named in contextConfigLocation below. -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- Two Spring context files: one packaged in the WAR and one read from the
       Tomcat home directory.
       NOTE(review): OpenKM.xml is presumably the file that holds the LDAP bind
       password shown earlier in this message; it sits outside the WAR, so its
       file permissions should allow reading only by the account that runs Tomcat. -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/applicationContext.xml
      file:${catalina.home}/OpenKM.xml
    </param-value>
  </context-param>

  <!-- Startup Servlets -->
  <servlet>
    <servlet-name>RepositoryStartup</servlet-name>
    <servlet-class>com.openkm.servlet.RepositoryStartupServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>

  <!-- Frontend Servlets -->
  <servlet>
    <servlet-name>WorkspaceServlet</servlet-name>
    <servlet-class>com.openkm.servlet.frontend.WorkspaceServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>DocumentServlet</servlet-name>
    <servlet-class>com.openkm.servlet.frontend.DocumentServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>FrontendAuthServlet</servlet-name>
    <servlet-class>com.openkm.servlet.frontend.AuthServlet</servlet-class>
  </servlet>

 .....

  <!-- Test Servlets -->
  <servlet>
    <servlet-name>Test</servlet-name>
    <servlet-class>com.openkm.servlet.TestServlet</servlet-class>
  </servlet>

  <!-- Startup servlets -->
  <servlet-mapping>
    <servlet-name>CXFServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>

  <!-- Frontend Servlet Mappings -->
  <servlet-mapping>
    <servlet-name>WorkspaceServlet</servlet-name>
    <url-pattern>/frontend/Workspace</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>DocumentServlet</servlet-name>
    <url-pattern>/frontend/Document</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>FrontendAuthServlet</servlet-name>
    <url-pattern>/frontend/Auth</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RepositoryServlet</servlet-name>
    <url-pattern>/frontend/Repository</url-pattern>
  </servlet-mapping>


.....

  <!-- Test Servlets -->
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/frontend/Test</url-pattern>
  </servlet-mapping>

  <!-- Extensions Servlet Mappings -->
  <servlet-mapping>
    <servlet-name>DataBrowserServlet</servlet-name>
    <url-pattern>/extension/DataBrowser</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MacrosServlet</servlet-name>
    <url-pattern>/extension/Macros</url-pattern>
  </servlet-mapping>
    <servlet-mapping>
    <servlet-name>DropboxServlet</servlet-name>
    <url-pattern>/extension/Dropbox</url-pattern>
  </servlet-mapping>
  <!-- Misc servlets mappings -->
  <servlet-mapping>
    <servlet-name>SyndicationServlet</servlet-name>
    <url-pattern>/feed/*</url-pattern>
  </servlet-mapping>


.....

  <!-- Admin Servlet Mappings -->
  <servlet-mapping>
    <servlet-name>StatsGraphServlet</servlet-name>
    <url-pattern>/admin/StatsGraph</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RepositoryCheckerServlet</servlet-name>
    <url-pattern>/admin/RepositoryChecker</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>WorkflowGraphServlet</servlet-name>
    <url-pattern>/admin/WorkflowGraph</url-pattern>

.....


  <!-- Test Servlet Mapping -->
  <servlet-mapping>
    <servlet-name>Test</servlet-name>
    <url-pattern>/Test</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <error-page>
    <exception-type>com.openkm.frontend.client.OKMException</exception-type>
    <location>/error.jsp</location>
  </error-page>

  <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error.jsp</location>
  </error-page>
 

I've tried lot of things but without success,

Does anyone have an idea?

regards,

Michael.

Marvin S. Addison

Sep 2, 2013, 11:37:20 AM9/2/13
to cas-...@lists.jasig.org
> I try to apply the old configuration to the new but having some trouble
> (the ldap part is operational, but not the auth via CAS-client). The cas
> server is unchanged.

Just to confirm, the CAS server should not change when porting a CAS
client application from one container to another.

> <application-policy name="OpenKM">
> <authentication>
> <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
> <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
> <module-option name="casServerUrlPrefix">https://URL:8443/cas/</module-option>
> <module-option name="service">https://URL:8443/OpenKM/</module-option>
> <module-option name="defaultRoles">UserRole</module-option>
> <module-option name="roleAttributeNames">roleAttributeNames</module-option>
> <module-option name="principalGroupName">CallerPrincipal</module-option>
> <module-option name="roleGroupName">Roles</module-option>
> <module-option name="cacheAssertions">true</module-option>
> <module-option name="tolerance">20000</module-option>
> <module-option name="cacheTimeout">480</module-option>
> </login-module>
> </authentication>
> </application-policy>

Are you actually using the role-based authorization? You've set
roleAttributeNames but the value doesn't look right to me. That should
be an LDAP attribute name or database field containing role data; e.g.
"memberOf", "eduPersonAffiliation".

> I've tried lot of things but without success,

It's unclear whether you're getting deployment errors or the application
doesn't work the same way on Tomcat. I can imagine that if you want to
translate the JAAS role-based authorization to Spring Security, that
will be the most difficult task in porting. If you're running into
errors, please post those; it will help draw attention to particular
problems.

M

Michael EDLICH

Sep 2, 2013, 5:47:39 PM9/2/13
to cas-...@lists.jasig.org
Hi,

Thanx for your answer,

Yes, it's role-based authorisation, but I want all users to be authorised; that's why I added this:

<beans:property name="defaultRole" value="ROLE_USER"
It works well with LdapAuthenticationProvider. (And the cas server work well with others applications.)

I'm definitely not a Java expert, so, with some examples from the net and from the Jasig wiki, I tried to replace the "ldapAuthProvider" with "casAuthenticationProvider".

This is where i am :
OpenKM.xml looks like this:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  <!-- First attempt: the authentication manager now has only the CAS provider. -->
  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="casAuthenticationProvider" />
  </security:authentication-manager>

<!-- NOTE(review): this bean and the casAuthenticationFilter / casAuthenticationEntryPoint
     beans below are only declared here. Nothing in this excerpt registers them with a
     security:http element (entry point, custom filters); unless that is done in another
     file they take no part in request processing. -->
<beans:bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

<!-- NOTE(review): "service" is the URL of this application that CAS redirects back to
     with the ticket, i.e. the address where CasAuthenticationFilter listens. The value
     below points at the CAS server host instead, and it also does not end in the
     /auth_check path set as filterProcessesUrl further down. The ticket is validated
     against this exact URL, so all three have to agree. -->
<beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service" value="https://URLCASSERVER:8443/cas/j_spring_cas_security_check"/>
    <beans:property name="sendRenew" value="false"/>
</beans:bean>

<!-- Sends unauthenticated users to the CAS login page with the service URL above. -->
<beans:bean id="casAuthenticationEntryPoint"    class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="https://URLCASSERVER:8443/cas/login"/>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
</beans:bean>

<!-- Validates the ticket, then loads the user's authorities from userService.
     "key" only identifies tokens created by this provider; it should be a value
     unique to this application. -->
<beans:bean id="casAuthenticationProvider"  class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userService"/>
    <beans:property name="serviceProperties" ref="serviceProperties"/>
    <beans:property name="key" value="etpourquoipas"/>
    <beans:property name="ticketValidator" ref="ticketValidator"/>
</beans:bean>

<!-- SAML 1.1 validation against the CAS server over HTTPS; the JVM has to trust
     the CAS server certificate. -->
<beans:bean id="ticketValidator"
                class="org.jasig.cas.client.validation.Saml11TicketValidator">
            <beans:constructor-arg index="0" value="https://URLCASSERVER:8443/cas">
            </beans:constructor-arg>
</beans:bean>


<!-- Receives the ticket at /auth_check and passes it to the authentication manager. -->
<beans:bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="filterProcessesUrl" value="/auth_check" />
</beans:bean>
<!-- The users available for this application.
     NOTE(review): the only entry is a sample account named "user". The CAS provider
     looks the CAS principal up by name here, so presumably every other CAS user is
     rejected as unknown. The user/user password pair is a default credential and
     must never be reachable through a username/password provider. -->
<security:user-service id="userService">
    <security:user name="user" password="user" authorities="ROLE_USER"></security:user>
</security:user-service>

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
webapps/OpenKM/WEB-INF/web.xml :

<!-- NOTE(review): the filters below are the stand-alone Jasig CAS client filters.
     They keep the CAS assertion in the HTTP session but do not create a Spring
     Security Authentication object, and no springSecurityFilterChain filter appears
     in this excerpt. The OpenKM code quoted later in this message reads the user
     through PrincipalUtils.getAuthentication(), which is presumably why a successful
     CAS login still ends in "User not authenticated". -->
<filter>
        <!-- Redirects requests without a session assertion to the CAS login page. -->
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://URLCASSERVER:8443/cas/login</param-value>
        </init-param>
        <!-- NOTE(review): the application is addressed over plain http on port 8080,
             whereas the JBoss setup used https on 8443. The ticket in the redirect
             URL and the session cookie then travel unencrypted; serve the client
             over HTTPS. -->
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://URLCASCLIENT:8080</param-value>
        </init-param>
</filter>
<filter>
        <!-- Validates the ticket against the CAS server (SAML 1.1) over HTTPS. -->
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
<init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://URLCASSERVER:8443/cas</param-value>
        </init-param>
              <!-- NOTE(review): spelled URLCASCLEINT here but URLCASCLIENT in the
                   authentication filter above. If this is not just a typo made
                   while redacting the host name, the two filters build different
                   service URLs and validation fails. -->
              <init-param>
            <param-name>serverName</param-name>
            <param-value>http://URLCASCLEINT:8080</param-value>
        </init-param>
          <!-- Redirect once more after validation so that the ticket is removed
               from the URL shown in the browser. -->
          <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- Clock-drift allowance for the SAML validity window, presumably in
             milliseconds; keep it as small as clock synchronisation allows. -->
        <init-param>
            <param-name>tolerance</param-name>
            <param-value>5000</param-value>
        </init-param>
        </filter>

    <!-- Wraps the request so that the servlet API reports the CAS principal as the
         remote user. -->
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <!-- Other filters as needed -->
<!-- NOTE(review): declared, but no filter-mapping for it appears below, so it is
     never invoked. -->
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
    <!-- Mapping order is the execution order: authentication, validation, wrapper.
         NOTE(review): unlike the JBoss configuration there is no single sign-out
         filter or listener in this excerpt, so a logout at the CAS server would
         not end the OpenKM session. -->
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>

        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>

        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  <listener>
    <listener-class>com.openkm.servlet.SessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.apache.commons.fileupload.servlet.FileCleanerCleanup</listener-class>
  </listener>
  <!-- Still loads the Spring contexts below, including OpenKM.xml with the CAS beans. -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/applicationContext.xml
      file:${catalina.home}/OpenKM.xml
    </param-value>
  </context-param>

 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The server starts correctly; the only warnings are these two lines:
WARN  org.jasig.cas.client.authentication.Saml11AuthenticationFilter - SAML1.1 compliance requires the [artifactParameterName] and [serviceParameterName] to be set to specified values.
WARN  org.jasig.cas.client.authentication.Saml11AuthenticationFilter - This filter will overwrite any user-provided values (if any are provided)

This is the problem :
=> I go to the application and I am correctly redirected to the login page of the CAS server
=> the login is accepted and I am redirected to the client application
=> error of the client (OpenKM) : com.openkm.core.RepositoryException: User not authenticated

I don't have lot of thing in logs :

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Placing URL parameters in map.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Calling template URL attribute map.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Loading custom parameters from configuration.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Constructing validation url: https://URLCASSERVER:8443/cas/samlValidate?TARGET=http%3A%2F%2FURLCASCLIENT%3A8080%2FOpenKM%2Flogo%2Flogin%3FTARGET%3Dhttp%253A%252F%252FURLCASCLIENT%253A8080%252FOpenKM%252Flogo%252Flogin
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Retrieving response from server.
DEBUG org.jasig.cas.client.validation.Saml11TicketValidator - Server response: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="2013-09-02T21:36:13.944Z" MajorVersion="1" MinorVersion="1" Recipient="http://URLCASCLIENT:8080/OpenKM/logo/login" ResponseID="_14ce5945f0cce6759da22bafb98facd4"><Status><StatusCode Value="samlp:Success"></StatusCode></Status><Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_5216abc4e65335471bb6a5330a3bf9a3" IssueInstant="2013-09-02T21:36:13.944Z" Issuer="localhost" MajorVersion="1" MinorVersion="1"><Conditions NotBefore="2013-09-02T21:36:13.944Z" NotOnOrAfter="2013-09-02T21:36:43.944Z"><AudienceRestrictionCondition><Audience>http://URLCASCLIENT:8080/OpenKM/logo/login</Audience></AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier>g.lemaire</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName="roleAttributeNames" AttributeNamespace="http://www.ja-sig.org/products/cas/"><AttributeValue>DEMOVILLE</AttributeValue></Attribute></AttributeStatement><AuthenticationStatement AuthenticationInstant="2013-09-02T21:18:02.862Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><Subject><NameIdentifier>g.lemaire</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
DEBUG org.jasig.cas.client.validation.Saml11TicketValidationFilter - Successfully authenticated user: g.lemaire
DEBUG org.jasig.cas.client.validation.Saml11TicketValidationFilter - Redirecting after successful ticket validation.
DEBUG org.jasig.cas.client.util.CommonUtils - serviceUrl generated: http://URLCASCLIENT:8080/OpenKM/logo/login?TARGET=http%3A%2F%2FURLCASCLIENT%3A8080%2FOpenKM%2Flogo%2Flogin
DEBUG com.openkm.core.UINotification - *** Clean UI notification ***
DEBUG com.openkm.servlet.frontend.UINotificationServlet - clean()


------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
For information, this is the code that throws the exception:


@Override
74  log.debug("login()");
75 
76  try {
77  Authentication auth = PrincipalUtils.getAuthentication();
78 
79  if (auth != null) {
80  String user = auth.getName();
81  loadUserData(user);
82 
83  // Activity log
84  // @see com.openkm.spring.LoggerListener
85  } else {
86  throw new RepositoryException("User not authenticated");
87  }
88  } catch (DatabaseException e) {
89  throw e;
90  } catch (PathNotFoundException e) {
91  log.error(e.getMessage(), e);
92  throw new RepositoryException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
93  } catch (AccessDeniedException e) {
94  log.error(e.getMessage(), e);
95  throw new RepositoryException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
96  } catch (ItemExistsException e) {
97  log.error(e.getMessage(), e);
98  throw new RepositoryException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
99  }
100 
101  log.debug("grantRole: void");


Do you have an idea ?

Thanks !

Michael.

Marvin S. Addison

Sep 3, 2013, 9:45:06 AM9/3/13
to cas-...@lists.jasig.org
That much indicates a successful CAS authentication; your SAML attribute
response even contains attributes that presumably are required for
authorization. Everything following is a matter of CAS-OpenKM
integration, and I can't provide any help in that regard.

> DEBUG org.jasig.cas.client.util.CommonUtils - serviceUrl generated:
> http://URLCASCLIENT:8080/OpenKM/logo/login?TARGET=http%3A%2F%2FURLCASCLIENT%3A8080%2FOpenKM%2Flogo%2Flogin
> DEBUG com.openkm.core.UINotification - *** Clean UI notification ***
> DEBUG com.openkm.servlet.frontend.UINotificationServlet - clean()

Anyone else have any experience with OpenKM?

Thanks,

Michael EDLICH

Sep 3, 2013, 10:35:05 AM9/3/13
to cas-...@lists.jasig.org
Hi Marvin,

I know this is a matter of CAS-OpenKM integration, but the thing I don't
understand is that it works with spring.ldap and not with spring.cas ....




Le 03/09/2013 15:45, Marvin S. Addison a écrit :

Michael EDLICH

Oct 1, 2013, 8:10:49 AM10/1/13
to cas-...@lists.jasig.org
Hi all !

I've finally managed to CASify OpenKM!! (hourra!)

There are only 2 files to adapt:

----------------------------------------------------------------------------------------------------------------------------------
OpenKM.xml :

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">



<!-- Two providers, listed in this order: CAS first, then LDAP bind.
     NOTE(review): keeping the LDAP provider means that username/password login
     remains available next to CAS. Confirm that this second path is intended. -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <!-- NOTE(review): plain ldap:// on port 389 with no StartTLS configured in this
       file; the bind password and user passwords cross the network unencrypted.
       The searches bind as cn=admin with a clear-text password stored here; a
       read-only service account and restrictive file permissions limit the
       exposure. -->
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://URLSERVEURLDAP:389/ou=sde,dc=SITE,dc=fr"/>
                <beans:property name="userDn" value="cn=admin,dc=SITE,dc=fr"/>
        <beans:property name="password" value="PASSLDAP"/>
  </beans:bean>

        <!-- Bind authentication plus group-based roles: the cn of each group under
             ou=groups whose memberUid is the login name, upper-cased, no prefix.
             No defaultRole is set in this version, so a user without a matching
             group receives no role from LDAP. -->
        <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
                <beans:constructor-arg>
                        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                                <beans:constructor-arg ref="contextSource"/>
                                <beans:property name="userSearch" ref="userSearch"></beans:property>
                        </beans:bean>
                </beans:constructor-arg>
                <beans:constructor-arg>
                        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                        <beans:constructor-arg ref="contextSource"/>
                                <beans:constructor-arg value="ou=groups"/>
                                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                                <beans:property name="groupRoleAttribute" value="cn"/>
                                <beans:property name="searchSubtree" value="true" />
                                <beans:property name="convertToUpperCase" value="true" />
                                <beans:property name="rolePrefix" value="" />
                        </beans:bean>
                </beans:constructor-arg>
        </beans:bean>

   <!-- Subtree search under ou=people for cn equal to the login name. -->
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=people" />
    <beans:constructor-arg index="1" value="cn={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

  <!-- NOTE(review): the value of the "service" property is missing from this copy
       of the message, which leaves the element below incomplete. It has to be the
       URL of the OpenKM application at which the CAS filter receives the ticket
       (the application's own host, not the CAS server), and it should be an https
       URL so that the ticket is not sent in clear text. -->
  <beans:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service"

    <beans:property name="sendRenew" value="false"/>
  </beans:bean>

  <!-- CAS provider: validates the ticket and builds the user from the assertion. -->
  <beans:bean id="casAuthenticationProvider"
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <!-- Authorities are taken from the values of the assertion attribute "groupe";
         no local user list is consulted. Authorisation therefore depends entirely
         on what the CAS server releases for that attribute.
         NOTE(review): the SAML response quoted earlier in the thread carried an
         attribute named roleAttributeNames; confirm that the server releases
         "groupe" to this service, otherwise users presumably end up with no
         authorities. -->
    <beans:property name="authenticationUserDetailsService">
      <beans:bean class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
<beans:constructor-arg>
                        <beans:array>
                                <beans:value>groupe</beans:value>
                        </beans:array>
                </beans:constructor-arg>
      </beans:bean>
    </beans:property>


    <beans:property name="serviceProperties" ref="serviceProperties" />
    <!-- SAML 1.1 validation over HTTPS; the JVM has to trust the CAS server
         certificate. No tolerance is set here, so the validator's default applies. -->
    <beans:property name="ticketValidator">
      <beans:bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
        <beans:constructor-arg index="0" value="https://URLSERVEURCAS:8443/cas" />
      </beans:bean>
    </beans:property>
    <!-- Identifies tokens created by this provider; use a value unique to this
         application rather than the sample text. -->
    <beans:property name="key" value="an_id_for_this_auth_provider_only"/>
  </beans:bean>

  <!-- Filter that receives the ticket and hands it to the authentication manager.
       NOTE(review): this file only declares the bean. The security:http element
       that inserts casFilter into the chain and names casEntryPoint as entry point
       is not part of this file; presumably it is in applicationContext.xml.
       No single sign-out filter is declared in this file either, so a logout at
       the CAS server would not end the OpenKM session unless that is configured
       elsewhere. -->
  <beans:bean id="casFilter"

        class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>

  <!-- Sends unauthenticated users to the CAS login page over HTTPS, passing the
       service URL from serviceProperties. -->
  <beans:bean id="casEntryPoint"
      class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="https://URLSERVEURCAS:8443/cas/login"/>

    <beans:property name="serviceProperties" ref="serviceProperties"/>
  </beans:bean>

<!--
<security:user-service id="userService">
    <security:user name="m.edlich" password="user" authorities="ROLE_USER"></security:user>
</security:user-service>

-->

</beans:beans>
----------------------------------------------------------------------------------------------------------------------------------

and applicationContext.xml :

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:jee="http://www.springframework.org/schema/jee"
             xmlns:jaxws="http://cxf.apache.org/jaxws"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/context
                                 http://www.springframework.org/schema/context/spring-context-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd
                                 http://www.springframework.org/schema/jee
                                 http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
                                 http://cxf.apache.org/jaxws
                                 http://cxf.apache.org/schemas/jaxws.xsd">

    <!-- Register annotated components found under the com.openkm package -->
    <context:component-scan base-package="com.openkm"/>

    <!-- <task:annotation-driven/> -->
    <!-- Tasks configuration moved to $CATALINA_HOME/OpenKM.xml -->

    <!-- Apache CXF Web Services -->
    <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
    <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

    <!--
    <beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
        <beans:property name="targetMethod" value="setStrategyName" />
        <beans:property name="arguments" value="_INHERITABLETHREADLOCAL" />
    </beans:bean>
    -->

    <!-- WS-Security inbound interceptor: expects a UsernameToken whose password is sent as
         PasswordText (clear text inside the SOAP header), so it is only safe over HTTPS.
         Password handling is delegated to com.openkm.spring.ClientPasswordCallback.
         In this file the bean is referenced only from the commented-out interceptor list
         on testService, so no endpoint actually uses it. -->
    <beans:bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key="action" value="UsernameToken" />
                <beans:entry key="passwordType" value="PasswordText" />
                <beans:entry key="passwordCallbackClass" value="com.openkm.spring.ClientPasswordCallback" />
            </beans:map>
        </beans:constructor-arg>
    </beans:bean>

    <!-- SOAP endpoints published by CXF (the log on this page shows them served under
         /services/). None of them has the WSS4JInInterceptor attached: the only reference,
         on testService, is commented out.
         NOTE(review): the "Cannot create a secure XMLInputFactory" failure reported for
         /services/OKMAuth is raised inside CXF's StaxUtils after the Spring Security chain
         has finished, so it looks like a StAX parser / classpath problem rather than an
         authentication one. Prefer fixing the parser jar over enabling CXF's insecure-parser
         fallback (org.apache.cxf.stax.allowInsecureParser), which gives up the XML input
         limits that protect these endpoints. -->
    <jaxws:endpoint id="authService" implementor="com.openkm.ws.endpoint.AuthService" address="/OKMAuth"/>
    <jaxws:endpoint id="bookmarkService" implementor="com.openkm.ws.endpoint.BookmarkService" address="/OKMBookmark"/>
    <jaxws:endpoint id="documentService" implementor="com.openkm.ws.endpoint.DocumentService" address="/OKMDocument"/>
    <jaxws:endpoint id="folderService" implementor="com.openkm.ws.endpoint.FolderService" address="/OKMFolder"/>
    <jaxws:endpoint id="mailService" implementor="com.openkm.ws.endpoint.MailService" address="/OKMMail"/>
    <jaxws:endpoint id="noteService" implementor="com.openkm.ws.endpoint.NoteService" address="/OKMNote"/>
    <jaxws:endpoint id="notificationService" implementor="com.openkm.ws.endpoint.NotificationService" address="/OKMNotification"/>
    <jaxws:endpoint id="propertyGroupService" implementor="com.openkm.ws.endpoint.PropertyGroupService" address="/OKMPropertyGroup"/>
    <jaxws:endpoint id="propertyService" implementor="com.openkm.ws.endpoint.PropertyService" address="/OKMProperty"/>
    <jaxws:endpoint id="repositoryService" implementor="com.openkm.ws.endpoint.RepositoryService" address="/OKMRepository"/>
    <jaxws:endpoint id="searchService" implementor="com.openkm.ws.endpoint.SearchService" address="/OKMSearch"/>
    <jaxws:endpoint id="dashboardService" implementor="com.openkm.ws.endpoint.DashboardService" address="/OKMDashboard"/>
    <jaxws:endpoint id="workflowService" implementor="com.openkm.ws.endpoint.WorkflowService" address="/OKMWorkflow"/>
    <jaxws:endpoint id="testService" implementor="com.openkm.ws.endpoint.TestService" address="/OKMTest">
        <!--
            <jaxws:inInterceptors>
                <beans:ref bean="WSS4JInInterceptor"/>
            </jaxws:inInterceptors>
        -->
    </jaxws:endpoint>

    <!-- Enable @Secured annotations on methods -->
    <security:global-method-security secured-annotations="enabled"/>

    <!-- Role prefix used by the RoleVoter.
         NOTE(review): the earlier comment here said the prefix is removed to allow custom role
         names, but the configured value is "ROLE_"; confirm which one is intended, since the
         role names delivered by CAS/LDAP have to match it (ROLE_ADMIN is required for
         /admin/** further down). -->
    <beans:bean class="org.springframework.security.access.vote.RoleVoter">
        <beans:property name="rolePrefix" value="ROLE_"/>
    </beans:bean>

    <!-- Web Services using Basic authentication -->
    <!-- NOTE(review): IS_AUTHENTICATED_ANONYMOUSLY lets unauthenticated requests through this
         chain (the debug log on this page shows /services/OKMAuth authorised as anonymousUser),
         so access control for the SOAP API rests on the endpoint code or method security;
         confirm that every call is authenticated there. Basic credentials, when sent, are
         only base64-encoded and need HTTPS. -->
    <security:http pattern="/services/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:http-basic />
    </security:http>

<!-- Status -->
    <!-- The five chains below are stateless (no HTTP session) and accept only fully
         authenticated callers via HTTP Basic. Basic credentials are only base64-encoded,
         so these paths should be reachable over HTTPS only. They do not go through CAS. -->
    <security:http pattern="/Status" create-session="stateless">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:http-basic />
    </security:http>

    <!-- Download -->
    <security:http pattern="/Download" create-session="stateless">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:http-basic />
    </security:http>

    <!-- Workflow deploy -->
    <security:http pattern="/workflow-register" create-session="stateless">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:http-basic />
    </security:http>

    <!-- WebDAV using Basic authentication -->
    <security:http pattern="/webdav/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:http-basic />
    </security:http>

    <!-- Syndication using Basic authentication -->
    <security:http pattern="/feed/**" create-session="stateless">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:http-basic />
    </security:http>

    <!-- Additional filter chain for normal users, matching all other requests -->
    <!-- http://info.michael-simons.eu/2011/01/28/disable-jsessionid-path-parameter-in-java-web-applications/ -->
<!--    <security:http access-denied-page="/unauthorized.jsp"> -->

<!-- Catch-all chain for interactive users: unauthenticated requests are sent to CAS through
     casEntryPoint. The intercept-url rules are evaluated in order and the first match wins.
     NOTE(review): there is no final "/**" rule, so a URL matching none of the patterns below
     carries no access restriction in this chain; confirm that this is intended. -->
<security:http entry-point-ref="casEntryPoint" >



        <!-- GWT -->
        <security:intercept-url pattern="/frontend/**" access="IS_AUTHENTICATED_FULLY"/>

        <!-- JSPs -->
        <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />

        <!-- Servlets -->
        <security:intercept-url pattern="/RepositoryStartup" access="IS_AUTHENTICATED_FULLY" />
        <security:intercept-url pattern="/Test" access="IS_AUTHENTICATED_FULLY" />

        <!-- Extensions -->
        <security:intercept-url pattern="/extension/**" access="IS_AUTHENTICATED_FULLY" />
<!-- NOTE(review): CasAuthenticationFilter is normally registered at position CAS_FILTER;
     here it takes the BASIC_AUTH_FILTER slot, which runs later in the chain (after the
     form-login filter). Confirm that this ordering is intended. -->
<security:custom-filter ref="casFilter" position="BASIC_AUTH_FILTER" />
        <!-- Login page -->
        <!-- NOTE(review): form-login keeps the local login.jsp form active next to CAS; if
             only CAS logins should be accepted, this element is a second way in. Confirm. -->
        <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
 </security:http>




<!--    </security:http> -->

    <!-- Security access logger -->
    <beans:bean id="loggerListener" class="com.openkm.spring.LoggerListener" />

    <!-- JDBC data source obtained from the container through JNDI (resource-ref="true"
         resolves the name inside the java:comp/env namespace) -->
    <jee:jndi-lookup id="dataSource" jndi-name="jdbc/OpenKMDS" resource-ref="true" />

    <!-- Security configuration moved to $CATALINA_HOME/OpenKM.xml -->
    <!-- WINFIX

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:password-encoder hash="md5"/>
            <security:jdbc-user-service
                data-source-ref="dataSource"
                users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
                authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
        </security:authentication-provider>
    </security:authentication-manager>
    WINFIX -->
</beans:beans>

----------------------------------------------------------------------------------------------------------------------------------

NOW,

The frontend (web) authentication is redirected to the CAS server correctly,
The basic authentication for webdav (or feed) works correctly,

But the basic authentication for the web services doesn't work; I've got this error:
catalina.log : ----------------------------------------------------------------------------------------------------------------------------------
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/services/okmauth'; against '/services/**'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.FilterChainProxy - /services/OKMAuth at position 1 of 6 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.FilterChainProxy - /services/OKMAuth at position 2 of 6 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.FilterChainProxy - /services/OKMAuth at position 3 of 6 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.FilterChainProxy - /services/OKMAuth at position 4 of 6 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 217.112.50.18; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.FilterChainProxy - /services/OKMAuth at position 5 of 6 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.FilterChainProxy - /services/OKMAuth at position 6 of 6 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /services/OKMAuth; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 217.112.50.18; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@2b054ac8, returned: 0
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@6870a688, returned: 1
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.FilterChainProxy - /services/OKMAuth reached end of additional filter chain; proceeding with original chain
2013-10-01 10:47:25,447 [http-bio-8443-exec-2] WARN  org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://ws.openkm.com}OKMAuth has thrown exception, unwinding now
java.lang.RuntimeException: Cannot create a secure XMLInputFactory
        at org.apache.cxf.staxutils.StaxUtils.createXMLInputFactory(StaxUtils.java:302)
        at org.apache.cxf.staxutils.StaxUtils.getXMLInputFactory(StaxUtils.java:257)
        at org.apache.cxf.staxutils.StaxUtils.createXMLStreamReader(StaxUtils.java:1403)
        at org.apache.cxf.interceptor.StaxInInterceptor.handleMessage(StaxInInterceptor.java:112)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:214)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:194)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:131)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:266)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:186)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:242)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
        at java.lang.Thread.run(Thread.java:662)
2013-10-01 10:47:25,463 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
2013-10-01 10:47:25,463 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

----------------------------------------------------------------------------------------------------------------------------------


I've tried a lot of things without success; where could the mistake be?

Thanks for your help !

Michael.