Difference between revisions of "OpenKM authentication"
m (→Roles) |
|||
(33 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | + | {{TOCright}} __TOC__ | |
− | + | Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true. This might involve confirming the identity of a person, the origins of an artifact, or assuring that a computer program is a trusted one. | |
− | OpenKM | + | {{Note|Authentication is handled by '''SpringSecurity in OpenKM 6.2''' and '''JBoss and JAAS in OpenKM 5.1'''.}} |
− | + | {{Advice|OpenKM 5.1.x is deployed in JBoss which uses JAAS. Read [[Debugging_OpenKM#Debugging_JAAS_configuration|Debugging JAAS configuration]] to learn how to debug a problematic JAAS configuration.}} | |
− | Also remember the principal.adapter configuration option. OpenKM need this configuration to create a list of users and roles available in the changing permissions dialog. This is done by the '''DatabasePrincipalAdapter''' class. This is an implementation of the ''' | + | Also remember the '''principal.adapter''' configuration option. OpenKM need this configuration to create a list of users and roles available in the changing permissions dialog. This is done by the '''DatabasePrincipalAdapter''' class. This is an implementation of the '''com.openkm.principal.PrincipalAdapter''' interface: |
<source lang="java"> | <source lang="java"> | ||
Line 13: | Line 13: | ||
/** | /** | ||
* Method to retrieve all users from a authentication source. | * Method to retrieve all users from a authentication source. | ||
− | * | + | * |
* @return A Collection with all the users. | * @return A Collection with all the users. | ||
* @throws PrincipalAdapterException If any error occurs. | * @throws PrincipalAdapterException If any error occurs. | ||
*/ | */ | ||
− | public | + | public List<String> getUsers() throws PrincipalAdapterException; |
/** | /** | ||
* Method to retrieve all roles from a authentication source. | * Method to retrieve all roles from a authentication source. | ||
− | * | + | * |
* @return A Collection with all the roles. | * @return A Collection with all the roles. | ||
* @throws PrincipalAdapterException If any error occurs. | * @throws PrincipalAdapterException If any error occurs. | ||
*/ | */ | ||
− | public Collection<String> | + | public List<String> getRoles() throws PrincipalAdapterException; |
− | + | ||
+ | /** | ||
+ | * Method to retrieve all users from a role. | ||
+ | * | ||
+ | * @return A Collection with all the users within a role. | ||
+ | * @throws PrincipalAdapterException If any error occurs. | ||
+ | */ | ||
+ | public List<String> getUsersByRole(String role) throws PrincipalAdapterException; | ||
+ | |||
+ | /** | ||
+ | * Method to retrieve all roles from a user. | ||
+ | * | ||
+ | * @return A Collection with all the roles of the user. | ||
+ | * @throws PrincipalAdapterException If any error occurs. | ||
+ | */ | ||
+ | public List<String> getRolesByUser(String user) throws PrincipalAdapterException; | ||
+ | |||
+ | /** | ||
+ | * Method to retrieve the mail from a user. | ||
+ | * | ||
+ | * @param users A user id. | ||
+ | * @return The email of the user. | ||
+ | * @throws PrincipalAdapterException If any error occurs. | ||
+ | */ | ||
+ | public String getMail(String user) throws PrincipalAdapterException; | ||
+ | |||
/** | /** | ||
− | * Method to retrieve the | + | * Method to retrieve the name from a user. |
− | * | + | * |
− | * @param users A | + | * @param users A user id. |
− | * @return | + | * @return The name of the user. |
* @throws PrincipalAdapterException If any error occurs. | * @throws PrincipalAdapterException If any error occurs. | ||
*/ | */ | ||
− | public | + | public String getName(String user) throws PrincipalAdapterException; |
} | } | ||
</source> | </source> | ||
− | == | + | == Roles == |
− | + | OpenKM has two roles defined by default: '''ROLE_ADMIN''' and '''ROLE_USER'''. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | '''ROLE_USER''' is mandatory for all users, because is internally used by OpenKM for connection purposes. Without this right, users can not connect to OpenKM and you'll get a 403 status code error. | |
− | |||
− | + | You can give '''ROLE_ADMIN''' to any user, and he'll get administrator privileges, seeing any folder and doing any operation without retrictions. Users with '''ROLE_ADMIN''' have access to the administrator tab in the web user interface. | |
− | + | [[Category: Installation Guide]] | |
− | |||
− |
Latest revision as of 19:25, 1 December 2012
Contents |
Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true. This might involve confirming the identity of a person, the origins of an artifact, or assuring that a computer program is a trusted one.
Authentication is handled by SpringSecurity in OpenKM 6.2 and JBoss and JAAS in OpenKM 5.1. |
OpenKM 5.1.x is deployed in JBoss which uses JAAS. Read Debugging JAAS configuration to learn how to debug a problematic JAAS configuration. |
Also remember the principal.adapter configuration option. OpenKM need this configuration to create a list of users and roles available in the changing permissions dialog. This is done by the DatabasePrincipalAdapter class. This is an implementation of the com.openkm.principal.PrincipalAdapter interface:
public interface PrincipalAdapter {
/**
* Method to retrieve all users from a authentication source.
*
* @return A Collection with all the users.
* @throws PrincipalAdapterException If any error occurs.
*/
public List<String> getUsers() throws PrincipalAdapterException;
/**
* Method to retrieve all roles from a authentication source.
*
* @return A Collection with all the roles.
* @throws PrincipalAdapterException If any error occurs.
*/
public List<String> getRoles() throws PrincipalAdapterException;
/**
* Method to retrieve all users from a role.
*
* @return A Collection with all the users within a role.
* @throws PrincipalAdapterException If any error occurs.
*/
public List<String> getUsersByRole(String role) throws PrincipalAdapterException;
/**
* Method to retrieve all roles from a user.
*
* @return A Collection with all the roles of the user.
* @throws PrincipalAdapterException If any error occurs.
*/
public List<String> getRolesByUser(String user) throws PrincipalAdapterException;
/**
* Method to retrieve the mail from a user.
*
* @param users A user id.
* @return The email of the user.
* @throws PrincipalAdapterException If any error occurs.
*/
public String getMail(String user) throws PrincipalAdapterException;
/**
* Method to retrieve the name from a user.
*
* @param users A user id.
* @return The name of the user.
* @throws PrincipalAdapterException If any error occurs.
*/
public String getName(String user) throws PrincipalAdapterException;
}
Roles
OpenKM has two roles defined by default: ROLE_ADMIN and ROLE_USER.
ROLE_USER is mandatory for all users, because is internally used by OpenKM for connection purposes. Without this right, users can not connect to OpenKM and you'll get a 403 status code error.
You can give ROLE_ADMIN to any user, and he'll get administrator privileges, seeing any folder and doing any operation without retrictions. Users with ROLE_ADMIN have access to the administrator tab in the web user interface.