Difference between revisions of "OpenKM authentication"

From OpenKM Documentation
Earlier revision of this page (8 intermediate revisions by 3 users are not shown in the comparison). This is the JBoss/JAAS-based text that the latest revision, reproduced further below, replaced.

{{TOCright}} __TOC__

Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true. This might involve confirming the identity of a person, the origins of an artifact, or assuring that a computer program is a trusted one. This task is addressed by JAAS.

JAAS uses a service provider approach to its authentication features, meaning that it is possible to configure different login modules for an application without changing any code. The application remains unaware of the underlying authentication logic. It is even possible for an application to contain multiple login modules, somewhat akin to a stack of authentication procedures.

{{Advice|Read [[Debugging_OpenKM#Debugging_JAAS_configuration|Debugging JAAS configuration]] to learn how to debug a problematic JAAS configuration.}}

OpenKM relies on the standard JAAS implementation of the JBoss application server. JBoss ships with several login modules that can authenticate against a plain-text file, a database or an LDAP directory, for example. Recent versions of OpenKM use the DatabaseServerLoginModule class to manage authentication.

{{Note|The JBoss security is configured in the file ''$JBOSS_HOME/server/default/conf/login-config.xml''.}}

Also remember the '''principal.adapter''' configuration option. OpenKM needs it to build the list of users and roles offered in the permission-changing dialog. This is done by the '''DatabasePrincipalAdapter''' class, an implementation of the '''com.openkm.principal.PrincipalAdapter''' interface (earlier, Collection-based version):

<source lang="java">
import java.util.Collection;

public interface PrincipalAdapter {
    /**
     * Method to retrieve all users from an authentication source.
     *
     * @return A Collection with all the users.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public Collection<String> getUsers() throws PrincipalAdapterException;

    /**
     * Method to retrieve all roles from an authentication source.
     *
     * @return A Collection with all the roles.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public Collection<String> getRoles() throws PrincipalAdapterException;

    /**
     * Method to retrieve the mail from a list of users.
     *
     * @param users A list of users.
     * @return A list of user emails.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public Collection<String> getMails(Collection<String> users) throws PrincipalAdapterException;
}
</source>

== Roles ==
OpenKM defines two roles by default: '''AdminRole''' and '''UserRole'''.

UserRole is mandatory for all users, because OpenKM uses it internally to grant the connection. Without this grant users cannot connect to OpenKM and you will get a 403 status code error.

You can give AdminRole to any user, who then gets administrator privileges: seeing any folder and performing any operation without restrictions. Users with AdminRole have access to the administrator tab in the UI.

== Plain-text file ==
This is the simplest security configuration and was the default authentication method in older OpenKM versions. It uses the JBoss UsersRolesLoginModule login module. Users are stored in the file ''$JBOSS_HOME/server/default/conf/props/openkm-users.properties'' in this form:

<source lang="java">
user1=pass1
user2=pass2
...
</source>

The passwords are not encrypted. The roles are in the file ''$JBOSS_HOME/server/default/conf/props/openkm-roles.properties'' in this form:

<source lang="java">
user1=UserRole,Rol1,Rol2,...
user2=UserRole,Rol1,Rol2,...
...
</source>

This is the JBoss configuration for this method:

<source lang="xml">
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/openkm-users.properties</module-option>
        <module-option name="rolesProperties">props/openkm-roles.properties</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
  </authentication>
</application-policy>
</source>

The principal.adapter should be set to es.git.openkm.principal.UsersRolesPrincipalAdapter.

== Database ==
This is the default security configuration for recent OpenKM versions. It is a good option because it simplifies user and role management: users and roles can be managed from the OpenKM administration. This module connects to the database through a data source.

<source lang="xml">
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/OKMAuthDS</module-option>
      <module-option name="principalsQuery">select usr_pass as PASSWD from users where usr_id=? and usr_active='true'</module-option>
      <module-option name="rolesQuery">select ur_role as ROLEID, 'Roles' from user_role where ur_user=?</module-option>
      <module-option name="hashAlgorithm">md5</module-option>
      <module-option name="hashEncoding">hex</module-option>
    </login-module>
  </authentication>
</application-policy>
</source>

The principal.adapter should be set to ''com.openkm.principal.DatabasePrincipalAdapter'', which is the default value.

== LDAP (Active Directory, Open Directory) ==
You can get LDAP integration through the LdapExtLoginModule login module.

<source lang="xml">
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://my-company.com:389</module-option>
      <module-option name="bindDN">cn=My_adm_account,ou=Admin Accounts,dc=my-company,dc=br</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">My_adm_account_password</module-option>
      <module-option name="baseCtxDN">ou=Users Accounts,dc=my-company,dc=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">ou=Users Accounts,dc=my-company,dc=com</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
    </login-module>
  </authentication>
</application-policy>
</source>

Here are some configuration comments:

* '''bindDN''': A DN with read/search permissions on the baseCtxDN and rolesCtxDN.
* '''bindCredential''': The password for the bindDN.
* '''baseCtxDN''': The fixed DN of the context to start the user search from.
* '''rolesCtxDN''': The fixed DN of the context to search for user roles.

Don't forget the <code><nowiki><module-option name="defaultRole">UserRole</module-option></nowiki></code> option: it adds this role to every authenticated user, and only users holding that role are allowed to access OpenKM.

See also:

* [[Active Directory]] [[File:Padlock.gif]]
* [[Open Directory]] [[File:Padlock.gif]]
* [[Testing LDAP configuration]] [[File:Padlock.gif]]
* [http://forum.openkm.com/viewtopic.php?f=13&t=3535 Forum: LDAP administrator user v.4]

== Changes from version 3.0 to 4.0 ==
* '''UserRol''' is now called '''UserRole'''
* '''AdminRol''' is now called '''AdminRole'''

== More information ==
More information about JAAS and other login modules can be found at:

* [http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/ JBoss and JAAS debug]
* [http://community.jboss.org/wiki/SecurityFAQ JBoss Community: SecurityFAQ]
* [http://community.jboss.org/wiki/JBossSX JBoss Community: JBossSX]
* [http://community.jboss.org/wiki/LdapExtLoginModule JBoss Community: LdapExtLoginModule]
* [http://community.jboss.org/wiki/OSXOpenDirectoryLoginConfigxml JBoss Community: OSXOpenDirectoryLoginConfig.xml]

[[Category: Installation Guide]]
[[Category:OKM Network]]

Latest revision as of 19:25, 1 December 2012


Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true. This might involve confirming the identity of a person, the origins of an artifact, or assuring that a computer program is a trusted one.


Note: Authentication is handled by SpringSecurity in OpenKM 6.2 and by JBoss and JAAS in OpenKM 5.1.

Advice: OpenKM 5.1.x is deployed in JBoss, which uses JAAS. Read Debugging JAAS configuration to learn how to debug a problematic JAAS configuration.

Also remember the principal.adapter configuration option. OpenKM needs it to build the list of users and roles offered in the permission-changing dialog. This is done by the DatabasePrincipalAdapter class, an implementation of the com.openkm.principal.PrincipalAdapter interface:

import java.util.List;

public interface PrincipalAdapter {
    /**
     * Method to retrieve all users from an authentication source.
     *
     * @return A List with all the users.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public List<String> getUsers() throws PrincipalAdapterException;

    /**
     * Method to retrieve all roles from an authentication source.
     *
     * @return A List with all the roles.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public List<String> getRoles() throws PrincipalAdapterException;

    /**
     * Method to retrieve all users from a role.
     *
     * @param role A role id.
     * @return A List with all the users within a role.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public List<String> getUsersByRole(String role) throws PrincipalAdapterException;

    /**
     * Method to retrieve all roles from a user.
     *
     * @param user A user id.
     * @return A List with all the roles of the user.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public List<String> getRolesByUser(String user) throws PrincipalAdapterException;

    /**
     * Method to retrieve the mail from a user.
     *
     * @param user A user id.
     * @return The email of the user.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public String getMail(String user) throws PrincipalAdapterException;

    /**
     * Method to retrieve the name from a user.
     *
     * @param user A user id.
     * @return The name of the user.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public String getName(String user) throws PrincipalAdapterException;
}
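A properties-backed adapter, added here as an illustration and not part of OpenKM or of this page: it implements the list-returning lookups of the interface above over the openkm-roles.properties format shown on this page (user=Role1,Role2,...), and adds a canConnect check that mirrors the mandatory-role rule from the Roles section. The class name PropertiesPrincipalAdapter is hypothetical; it is a standalone class that does not implement the real interface or throw PrincipalAdapterException, it omits getMail/getName because the properties files carry no mail or display name, and its sample data is constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

/** Hypothetical adapter over the openkm-roles.properties format (user=Role1,Role2,...). */
public class PropertiesPrincipalAdapter {
    // user -> roles; sorted maps/sets give stable, sorted results from the lookups below
    private final Map<String, Set<String>> rolesByUser = new TreeMap<String, Set<String>>();
    public PropertiesPrincipalAdapter(String rolesProperties) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(rolesProperties));
        for (String user : p.stringPropertyNames()) {
            Set<String> roles = new TreeSet<String>();
            for (String role : p.getProperty(user).split(",")) {
                if (!role.trim().isEmpty()) roles.add(role.trim()); // ignore empty items (trailing ",")
            }
            rolesByUser.put(user, roles);
        }
    }
    public List<String> getUsers() { return new ArrayList<String>(rolesByUser.keySet()); }
    public List<String> getRoles() {
        Set<String> all = new TreeSet<String>();
        for (Set<String> roles : rolesByUser.values()) all.addAll(roles);
        return new ArrayList<String>(all);
    }
    public List<String> getUsersByRole(String role) {
        List<String> users = new ArrayList<String>();
        for (Map.Entry<String, Set<String>> e : rolesByUser.entrySet()) {
            if (e.getValue().contains(role)) users.add(e.getKey());
        }
        return users;
    }
    public List<String> getRolesByUser(String user) {
        Set<String> roles = rolesByUser.get(user);
        return roles == null ? Collections.<String>emptyList() : new ArrayList<String>(roles);
    }
    /** Mirrors the Roles section: a user lacking the mandatory role is refused (OpenKM answers 403). */
    public boolean canConnect(String user, String mandatoryRole) {
        return getRolesByUser(user).contains(mandatoryRole);
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample in the openkm-roles.properties format; not real data.
        String sample = "alice=UserRole,AdminRole\nbob=UserRole,Rol1\ncarol=Rol2,\n";
        PropertiesPrincipalAdapter adapter = new PropertiesPrincipalAdapter(sample);
        System.out.println("UserRole members: " + adapter.getUsersByRole("UserRole"));
        System.out.println("carol can connect: " + adapter.canConnect("carol", "UserRole"));
    }
}
```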

Roles

OpenKM has two roles defined by default: ROLE_ADMIN and ROLE_USER.

ROLE_USER is mandatory for all users, because OpenKM uses it internally for connection purposes. Without this right, users cannot connect to OpenKM and you will get a 403 status code error.

You can give ROLE_ADMIN to any user, who then gets administrator privileges: seeing any folder and doing any operation without restrictions. Users with ROLE_ADMIN have access to the administrator tab in the web user interface.