Difference between revisions of "OpenKM authentication"

From OpenKM Documentation
Jump to: navigation, search
(Created page with 'Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, …')
 
Line 5: Line 5:
 
OpenKM relies the authentication on the standard JAAS implemented in JBoss application server. JBoss comes with some interesting modules which can be used to authenticate against a plain-text file, a database or an LDAP, for example. On recent versions, OpenKM uses the DatabaseServerLoginModule class to manage authentication.  
 
OpenKM relies the authentication on the standard JAAS implemented in JBoss application server. JBoss comes with some interesting modules which can be used to authenticate against a plain-text file, a database or an LDAP, for example. On recent versions, OpenKM uses the DatabaseServerLoginModule class to manage authentication.  
  
The JBoss security is configured in the file $JBOSS_HOME/server/default/conf/login-config.xml.
+
The JBoss security is configured in the file ''$JBOSS_HOME/server/default/conf/login-config.xml''.
  
 
Also remember the principal.adapter configuration option. OpenKM need this configuration to create a list of users and roles available in the changing permissions dialog. This is done by the '''DatabasePrincipalAdapter''' class. This is an implementation of the '''es.git.openkm.principal.PrincipalAdapter''' interface:
 
Also remember the principal.adapter configuration option. OpenKM need this configuration to create a list of users and roles available in the changing permissions dialog. This is done by the '''DatabasePrincipalAdapter''' class. This is an implementation of the '''es.git.openkm.principal.PrincipalAdapter''' interface:
Line 37: Line 37:
 
}
 
}
 
</source>
 
</source>
 +
 +
== Plain-text file ==
 +
This is the simplest security configuration. This was the default authentication method in older OpenKM versions. It is achieved using the JBoss UsersRolesLoginModule login module. User are stored in the file ''$JBOSS_HOME/server/default/conf/props/openkm-users.properties'' in this form:
 +
 +
<source lang="java">
 +
user1=pass1
 +
user2=pass2
 +
...
 +
</source>
 +
 +
The password in not encrypted. The roles are in the file ''$JBOSS_HOME/server/default/conf/props/openkm-roles.properties'' in this form:
 +
 +
<source lang="java">
 +
user1=Rol1,Rol2,...
 +
user1=Rol1,Rol2,...
 +
...
 +
</source>
 +
 +
This is the JBoss configuration for this method:
 +
 +
<source lang="xml">
 +
<application-policy name = "OpenKM">
 +
  <authentication>
 +
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
 +
        <module-option name="usersProperties">props/openkm-users.properties</module-option>
 +
        <module-option name="rolesProperties">props/openkm-roles.properties</module-option>
 +
    </login-module>
 +
    <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
 +
  </authentication>
 +
</application-policy>
 +
</source>
 +
 +
The principal.adapter should be set to es.git.openkm.principal.UsersRolesPrincipalAdapter.

Revision as of 18:28, 21 January 2010

Authentication (from Greek: αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true. This might involve confirming the identity of a person, the origins of an artifact, or assuring that a computer program is a trusted one. This task is addressed by JAAS.

JAAS uses a service provider approach to its authentication features, meaning that it is possible to configure different login modules for an application without changing any code. The application remains unaware of the underlying authentication logic. It's even possible for an application to contain multiple login modules, somewhat akin to a stack of authentication procedures.

OpenKM relies the authentication on the standard JAAS implemented in JBoss application server. JBoss comes with some interesting modules which can be used to authenticate against a plain-text file, a database or an LDAP, for example. On recent versions, OpenKM uses the DatabaseServerLoginModule class to manage authentication.

The JBoss security is configured in the file $JBOSS_HOME/server/default/conf/login-config.xml.

Also remember the principal.adapter configuration option. OpenKM need this configuration to create a list of users and roles available in the changing permissions dialog. This is done by the DatabasePrincipalAdapter class. This is an implementation of the es.git.openkm.principal.PrincipalAdapter interface:

public interface PrincipalAdapter {
    /**
     * Method to retrieve all users from a authentication source.
     *
     * @return A Collection with all the users.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public Collection<String> getUsers() throws PrincipalAdapterException;

    /**
     * Method to retrieve all roles from a authentication source.
     *
     * @return A Collection with all the roles.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public Collection<String> getRoles() throws PrincipalAdapterException;

    /**
     * Method to retrieve the mail from a list of users.
     *
     * @param users A list of users.
     * @return A list of user emails.
     * @throws PrincipalAdapterException If any error occurs.
     */
    public Collection<String> getMails(Collection<String> users) throws PrincipalAdapterException;
}

Plain-text file

This is the simplest security configuration. This was the default authentication method in older OpenKM versions. It is achieved using the JBoss UsersRolesLoginModule login module. User are stored in the file $JBOSS_HOME/server/default/conf/props/openkm-users.properties in this form:

user1=pass1
user2=pass2
...

The password in not encrypted. The roles are in the file $JBOSS_HOME/server/default/conf/props/openkm-roles.properties in this form:

user1=Rol1,Rol2,...
user1=Rol1,Rol2,...
...

This is the JBoss configuration for this method:

<application-policy name = "OpenKM">
   <authentication>
     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
        <module-option name="usersProperties">props/openkm-users.properties</module-option>
        <module-option name="rolesProperties">props/openkm-roles.properties</module-option>
     </login-module>
     <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
   </authentication>
</application-policy>

The principal.adapter should be set to es.git.openkm.principal.UsersRolesPrincipalAdapter.