server/default/conf/login-config.xml
With this modification:
<!-- JAAS security domain "OpenKM": authentication is delegated to the Jasig CAS client login module. -->
<application-policy name="OpenKM">
  <authentication>
    <!-- flag="required": this is the only module listed, so a login succeeds only if CAS ticket validation succeeds. -->
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <!-- Tickets are checked with the SAML 1.1 validator. -->
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <!-- "URL" is a placeholder host. Both endpoints are https, so the JVM must trust the CAS server certificate. -->
      <module-option name="casServerUrlPrefix">https://URL:8443/cas/</module-option>
      <!-- NOTE(review): this service URL ends with a slash, the "service" context-param in the web.xml on this page
           does not. CAS validates a ticket against the service it was issued for; confirm which value is used. -->
      <module-option name="service">https://URL:8443/OpenKM/</module-option>
      <!-- Role given to every principal that authenticates, whatever attributes CAS releases. -->
      <module-option name="defaultRoles">UserRole</module-option>
      <!-- NOTE(review): the value equals the option name, which looks like a placeholder. It is expected to name
           the released attribute(s) that carry roles; if nothing matches, users only receive defaultRoles. -->
      <module-option name="roleAttributeNames">roleAttributeNames</module-option>
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <!-- Assertion caching: per the CAS client documentation cacheTimeout is in minutes (480 = 8 h). While an
           assertion is cached, role changes or account deactivation on the CAS side are not picked up; confirm
           the unit for the deployed client version and keep the timeout as short as the deployment tolerates. -->
      <module-option name="cacheAssertions">true</module-option>
      <!-- Clock-drift tolerance for SAML validation, in milliseconds per the CAS client documentation. 20000
           widens the acceptance window to 20 s; with NTP-synchronised hosts a much smaller value is usually enough. -->
      <module-option name="tolerance">20000</module-option>
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>
and this file :
WEB-INF/web.xml
<!-- CAS SSO-->
<!-- Session listener used by CAS single sign-out. -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- Needed only when CAS single sign-out is wanted. -->
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<!-- JAAS support needs only the two CAS filters declared below. -->
<!-- NOTE(review): this service value has no trailing slash, while login-config.xml on this page uses
     https://URL:8443/OpenKM/ . CAS validates a ticket against the service it was issued for; confirm the
     two values are meant to differ. "URL" is a placeholder host. -->
<context-param>
  <param-name>service</param-name>
  <param-value>https://URL:8443/OpenKM</param-value>
</context-param>
<context-param>
  <param-name>casServerLoginUrl</param-name>
  <param-value>https://URL:8443/cas/login</param-value>
</context-param>
<filter>
  <filter-name>CASWebAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
</filter>
<filter>
  <filter-name>CASAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
</filter>

<!-- CAS client filter mappings -->
<!-- Mapping order is significant: filters run in the order their mappings appear, and the single
     sign-out filter has to come before the two authentication filters. -->
<!-- The three mappings share one explicit pattern list and the catch-all /* is commented out, so a
     request path that matches none of the patterns is not seen by any CAS filter. Confirm that every
     such path is protected by some other mechanism. -->
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>*.jsp</url-pattern>
  <!-- GWT -->
  <url-pattern>/frontend/*</url-pattern>
  <!-- JSPs -->
  <url-pattern>/admin/*</url-pattern>
  <url-pattern>/mobile/*</url-pattern>
  <url-pattern>/mobile-nt/*</url-pattern>
  <!-- Servlets (/frontend/* is listed a second time here, as in the original) -->
  <url-pattern>/RepositoryStartup</url-pattern>
  <url-pattern>/TextToSpeech</url-pattern>
  <url-pattern>/Test</url-pattern>
  <url-pattern>/frontend/*</url-pattern>
  <url-pattern>/extension/*</url-pattern>
  <!--url-pattern>/*</url-pattern-->
</filter-mapping>
<filter-mapping>
  <filter-name>CASWebAuthenticationFilter</filter-name>
  <url-pattern>*.jsp</url-pattern>
  <!-- GWT -->
  <url-pattern>/frontend/*</url-pattern>
  <!-- JSPs -->
  <url-pattern>/admin/*</url-pattern>
  <url-pattern>/mobile/*</url-pattern>
  <url-pattern>/mobile-nt/*</url-pattern>
  <!-- Servlets -->
  <url-pattern>/RepositoryStartup</url-pattern>
  <url-pattern>/TextToSpeech</url-pattern>
  <url-pattern>/Test</url-pattern>
  <url-pattern>/frontend/*</url-pattern>
  <url-pattern>/extension/*</url-pattern>
  <!--url-pattern>/*</url-pattern-->
</filter-mapping>
<filter-mapping>
  <filter-name>CASAuthenticationFilter</filter-name>
  <url-pattern>*.jsp</url-pattern>
  <!-- GWT -->
  <url-pattern>/frontend/*</url-pattern>
  <!-- JSPs -->
  <url-pattern>/admin/*</url-pattern>
  <url-pattern>/mobile/*</url-pattern>
  <url-pattern>/mobile-nt/*</url-pattern>
  <!-- Servlets -->
  <url-pattern>/RepositoryStartup</url-pattern>
  <url-pattern>/TextToSpeech</url-pattern>
  <url-pattern>/Test</url-pattern>
  <url-pattern>/frontend/*</url-pattern>
  <url-pattern>/extension/*</url-pattern>
  <!--url-pattern>/*</url-pattern-->
</filter-mapping>
<!-- /CAS SSO -->
<!-- Authentication manager, published under the alias "authenticationManager". The LDAP provider is the
     only provider registered in this excerpt, so every credential check goes to the directory. -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider"/>
</security:authentication-manager>
<!-- LDAP connection shared by the bind authenticator, the user search and the authorities populator.
     Base DN: ou=service,dc=domaine,dc=fr ("URL" and "PASSWORD" are placeholders). -->
<!-- NOTE(review): the scheme is ldap:// on port 389, i.e. no TLS unless StartTLS is configured elsewhere.
     This manager password and the end-user passwords used for bind authentication cross that
     connection, so ldaps:// or StartTLS is the safer choice where the directory supports it. -->
<beans:bean id="contextSource"
            class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://URL:389/ou=service,dc=domaine,dc=fr"/>
  <!-- NOTE(review): cn=admin reads like the directory administrator. A dedicated account limited to
       searching the people and groups subtrees is enough for what this configuration does. -->
  <beans:property name="userDn" value="cn=admin,dc=domaine,dc=fr"/>
  <!-- Bind password stored in clear text in this file: restrict read access to the file, or supply the
       value from outside the configuration. -->
  <beans:property name="password" value="PASSWORD"/>
</beans:bean>
<!-- LDAP authentication provider: first argument checks the password, second argument loads authorities. -->
<beans:bean id="ldapAuthProvider"
            class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <!-- Password check: locate the entry through the userSearch bean, then bind to the directory as that
       entry with the submitted password. -->
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <!-- Authorities: groups found under ou=groups (relative to the context source base DN). -->
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="ou=groups"/>
      <!-- In Spring Security group filters {1} is the login name and {0} the user DN. -->
      <beans:property name="groupSearchFilter" value="memberUid={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true"/>
      <!-- With an empty prefix the upper-cased group cn becomes the authority name as is, so whoever can
           create or rename groups under ou=groups decides which authority names exist. -->
      <beans:property name="convertToUpperCase" value="true"/>
      <beans:property name="rolePrefix" value=""/>
      <!-- ROLE_USER is granted to every user who authenticates, including users in no group. -->
      <beans:property name="defaultRole" value="ROLE_USER"/>
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>
<!-- User lookup for bind authentication: subtree search under ou=people (relative to the context source
     base DN) with the filter cn={0}, where {0} stands for the submitted login name. -->
<!-- NOTE(review): the search is expected to return exactly one entry. cn is not guaranteed to be unique
     in a directory; confirm it is unique here, or filter on an attribute that is. -->
<beans:bean id="userSearch"
            class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="ou=people"/>
  <beans:constructor-arg index="1" value="cn={0}"/>
  <beans:constructor-arg index="2" ref="contextSource"/>
  <beans:property name="searchSubtree" value="true"/>
</beans:bean>
<!-- Tag library: binds the OpenKM utils taglib URI to the descriptor packaged in the web application. -->
<jsp-config>
  <taglib>
    <taglib-uri>http://www.openkm.com/tags/utils</taglib-uri>
    <taglib-location>/WEB-INF/tlds/utils.tld</taglib-location>
  </taglib>
</jsp-config>
<!-- Filters -->
<!-- DelegatingFilterProxy hands each request to the Spring bean that has the same name as the filter,
     here springSecurityFilterChain. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
  <filter-name>WebDAVFilter</filter-name>
  <filter-class>com.openkm.webdav.WebDAVFilter</filter-class>
</filter>
<filter>
  <filter-name>UploadThrottleFilter</filter-name>
  <filter-class>com.openkm.servlet.frontend.UploadThrottleFilter</filter-class>
</filter>

<!-- Filter Mappings -->
<!-- The Spring Security chain is mapped to /* and listed first, so it sees every request before the
     WebDAV and upload filters do. Keep this mapping first when adding filters. -->
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>WebDAVFilter</filter-name>
  <url-pattern>/webdav/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>UploadThrottleFilter</filter-name>
  <url-pattern>/frontend/FileUpload</url-pattern>
</filter-mapping>
<!-- Listeners -->
<listener>
  <listener-class>com.openkm.servlet.SessionListener</listener-class>
</listener>
<listener>
  <listener-class>org.apache.commons.fileupload.servlet.FileCleanerCleanup</listener-class>
</listener>
<!-- Starts the Spring application context from the locations listed in contextConfigLocation. -->
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Spring configuration: one file inside the WAR and one on the file system under catalina.home. -->
<!-- NOTE(review): OpenKM.xml is presumably where the security beans shown on this page live, LDAP bind
     password included; confirm, and keep that file readable only by the account running Tomcat. -->
<!-- The text of param-value is left flush-left so that its whitespace stays exactly as posted. -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
/WEB-INF/applicationContext.xml
file:${catalina.home}/OpenKM.xml
</param-value>
</context-param>
<!-- Startup Servlets -->
<!-- Loaded at deployment in load-on-startup order: repository initialisation first, then CXF. -->
<servlet>
  <servlet-name>RepositoryStartup</servlet-name>
  <servlet-class>com.openkm.servlet.RepositoryStartupServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<!-- CXF dispatcher servlet; its URL mapping elsewhere in this descriptor is /services/*. -->
<servlet>
  <servlet-name>CXFServlet</servlet-name>
  <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
  <load-on-startup>2</load-on-startup>
</servlet>

<!-- Frontend Servlets -->
<servlet>
  <servlet-name>WorkspaceServlet</servlet-name>
  <servlet-class>com.openkm.servlet.frontend.WorkspaceServlet</servlet-class>
</servlet>
<servlet>
  <servlet-name>DocumentServlet</servlet-name>
  <servlet-class>com.openkm.servlet.frontend.DocumentServlet</servlet-class>
</servlet>
<servlet>
  <servlet-name>FrontendAuthServlet</servlet-name>
  <servlet-class>com.openkm.servlet.frontend.AuthServlet</servlet-class>
</servlet>
.....
<!-- Test Servlets -->
<!-- NOTE(review): a test servlet is declared in the deployed descriptor. Confirm it is needed outside
     development and that the access rules, which are not shown here, restrict who can reach it. -->
<servlet>
  <servlet-name>Test</servlet-name>
  <servlet-class>com.openkm.servlet.TestServlet</servlet-class>
</servlet>
<!-- Startup servlets -->
<!-- SOAP endpoints under /services/*. The debug log further down this page shows /services/** being
     evaluated with IS_AUTHENTICATED_ANONYMOUSLY, so the URL rule lets anonymous requests through and
     any caller authentication has to be enforced by the web services themselves. -->
<servlet-mapping>
  <servlet-name>CXFServlet</servlet-name>
  <url-pattern>/services/*</url-pattern>
</servlet-mapping>

<!-- Frontend Servlet Mappings -->
<servlet-mapping>
  <servlet-name>WorkspaceServlet</servlet-name>
  <url-pattern>/frontend/Workspace</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>DocumentServlet</servlet-name>
  <url-pattern>/frontend/Document</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>FrontendAuthServlet</servlet-name>
  <url-pattern>/frontend/Auth</url-pattern>
</servlet-mapping>
<!-- RepositoryServlet is not declared in the visible excerpt; presumably in an elided part. -->
<servlet-mapping>
  <servlet-name>RepositoryServlet</servlet-name>
  <url-pattern>/frontend/Repository</url-pattern>
</servlet-mapping>
.....
<!-- Test Servlets -->
<!-- NOTE(review): the test servlet declared in the visible excerpt is named Test, not TestServlet.
     Confirm a servlet called TestServlet is declared in an elided part, since a mapping needs a
     matching declaration, and confirm /frontend/Test is meant to be reachable outside development. -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/frontend/Test</url-pattern>
</servlet-mapping>

<!-- Extensions Servlet Mappings -->
<servlet-mapping>
  <servlet-name>DataBrowserServlet</servlet-name>
  <url-pattern>/extension/DataBrowser</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>MacrosServlet</servlet-name>
  <url-pattern>/extension/Macros</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>DropboxServlet</servlet-name>
  <url-pattern>/extension/Dropbox</url-pattern>
</servlet-mapping>

<!-- Misc servlets mappings -->
<servlet-mapping>
  <servlet-name>SyndicationServlet</servlet-name>
  <url-pattern>/feed/*</url-pattern>
</servlet-mapping>
.....
<!-- Admin Servlet Mappings -->
<!-- Administrative endpoints under /admin/. Nothing in web.xml itself restricts them; access depends on
     the Spring Security URL rules, which are not part of this excerpt. Confirm they require an
     administrator authority. -->
<servlet-mapping>
  <servlet-name>StatsGraphServlet</servlet-name>
  <url-pattern>/admin/StatsGraph</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>RepositoryCheckerServlet</servlet-name>
  <url-pattern>/admin/RepositoryChecker</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WorkflowGraphServlet</servlet-name>
<url-pattern>/admin/WorkflowGraph</url-pattern>
.....
<!-- Test Servlet Mapping -->
<!-- Publishes the Test servlet at /Test. NOTE(review): confirm this mapping is wanted on a production
     instance and that /Test is covered by an access rule. -->
<servlet-mapping>
  <servlet-name>Test</servlet-name>
  <url-pattern>/Test</url-pattern>
</servlet-mapping>
<!-- Default page served for directory requests. -->
<welcome-file-list>
  <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<!-- Both OKMException and the catch-all java.lang.Exception are routed to /error.jsp instead of the
     container's default error page. NOTE(review): confirm error.jsp does not print stack traces or
     other internal details to the client. -->
<error-page>
  <exception-type>com.openkm.frontend.client.OKMException</exception-type>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/error.jsp</location>
</error-page>
<beans:property name="defaultRole" value="ROLE_USER"
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.util.AntPathRequestMatcher -
Checking match of request : '/services/okmauth'; against
'/services/**'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.FilterChainProxy -
/services/OKMAuth at position 1 of 6 in additional filter chain;
firing Filter: 'SecurityContextPersistenceFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.FilterChainProxy -
/services/OKMAuth at position 2 of 6 in additional filter chain;
firing Filter: 'BasicAuthenticationFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.FilterChainProxy -
/services/OKMAuth at position 3 of 6 in additional filter chain;
firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.FilterChainProxy -
/services/OKMAuth at position 4 of 6 in additional filter chain;
firing Filter: 'AnonymousAuthenticationFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.authentication.AnonymousAuthenticationFilter
- Populated SecurityContextHolder with anonymous token:
'org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796:
Principal: anonymousUser; Credentials: [PROTECTED];
Authenticated: true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e:
RemoteIpAddress: 217.112.50.18; SessionId: null; Granted
Authorities: ROLE_ANONYMOUS'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.FilterChainProxy -
/services/OKMAuth at position 5 of 6 in additional filter chain;
firing Filter: 'ExceptionTranslationFilter'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.FilterChainProxy -
/services/OKMAuth at position 6 of 6 in additional filter chain;
firing Filter: 'FilterSecurityInterceptor'
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.access.intercept.FilterSecurityInterceptor
- Secure object: FilterInvocation: URL: /services/OKMAuth;
Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.access.intercept.FilterSecurityInterceptor
- Previously Authenticated:
org.springframework.security.authentication.AnonymousAuthenticationToken@6faad796:
Principal: anonymousUser; Credentials: [PROTECTED];
Authenticated: true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e:
RemoteIpAddress: 217.112.50.18; SessionId: null; Granted
Authorities: ROLE_ANONYMOUS
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.access.vote.AffirmativeBased -
Voter:
org.springframework.security.access.vote.RoleVoter@2b054ac8,
returned: 0
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.access.vote.AffirmativeBased -
Voter:
org.springframework.security.access.vote.AuthenticatedVoter@6870a688,
returned: 1
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.access.intercept.FilterSecurityInterceptor
- Authorization successful
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.access.intercept.FilterSecurityInterceptor
- RunAsManager did not change Authentication object
2013-10-01 10:47:25,445 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.FilterChainProxy -
/services/OKMAuth reached end of additional filter chain;
proceeding with original chain
2013-10-01 10:47:25,447 [http-bio-8443-exec-2] WARN
org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for
{http://ws.openkm.com}OKMAuth has thrown exception, unwinding
now
java.lang.RuntimeException: Cannot create a secure
XMLInputFactory
at
org.apache.cxf.staxutils.StaxUtils.createXMLInputFactory(StaxUtils.java:302)
at
org.apache.cxf.staxutils.StaxUtils.getXMLInputFactory(StaxUtils.java:257)
at
org.apache.cxf.staxutils.StaxUtils.createXMLStreamReader(StaxUtils.java:1403)
at
org.apache.cxf.interceptor.StaxInInterceptor.handleMessage(StaxInInterceptor.java:112)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237)
at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:214)
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:194)
at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:131)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:266)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:186)
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:242)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
2013-10-01 10:47:25,463 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.access.ExceptionTranslationFilter
- Chain processed normally
2013-10-01 10:47:25,463 [http-bio-8443-exec-2] DEBUG
org.springframework.security.web.context.SecurityContextPersistenceFilter
- SecurityContextHolder now cleared, as request processing
completed