Kerberos
This documentation is based on forum post [Alternate auth method for WS]. |
Setup we use:
- Samba4 AD
- OpenKM Community 6.2.1. hosted on Ubuntu 12.04 within a OpenVZ container
- Java version: 1.6.0_27 OpenJDK 64-Bit
I won't go into details on how to set up Samba4 AD or kerberize a server since there's plenty of documentation vailable, so this config assumes you already have a working AD/Kerberos environment or know how to set up one.
- Base DN in AD: DC=fictional,DC=company
- Bind user: ldap-lookup, pass 'secret01'
- Users are stored in: OU=Employees,DC=fictional,DC=company
- Groups are stored in: OU=Groups,DC=fictional,DC=company
- AD hostname: ad
- OpenKM server hostname: openkm
- Keytab is located in /etc/krb5.keytab and has a HTTP/openkm.fictional.company service name.
Before starting the install,create ROLE_USER and ROLE_ADMIN roles in your AD (if that isn't possible you can also use custom roles in your OpenKM config).
Configure your OpenKM Admin/Config tab like this:
Property | Value |
---|---|
principal.adapter | com.openkm.principal.LdapPrincipalAdapter |
principal.database.filter.inactive.users | true |
principal.ldap.mail.attribute | |
principal.ldap.mail.search.base | ou=Employees,dc=fictional,dc=company |
principal.ldap.mail.search.filter | (&(objectClass=person)(userPrincipalName={0})) |
principal.ldap.referral | follow |
principal.ldap.role.attribute | cn |
principal.ldap.role.search.base | ou=Groups,dc=fictional,dc=company |
principal.ldap.role.search.filter | objectClass=group |
principal.ldap.roles.by.user.attribute | memberOf |
principal.ldap.roles.by.user.search.base | ou=Employees,dc=fictional,dc=company |
principal.ldap.roles.by.user.search.filter | (&(objectClass=person)(userPrincipalName={0})) |
principal.ldap.security.credentials | secret01 |
principal.ldap.security.principal | cn=ldap-lookup,cn=Users,dc=fictional,dc=company |
principal.ldap.server | ldap://ad.fictional.company:389 |
principal.ldap.user.attribute | userPrincipalName |
principal.ldap.user.search.base | ou=Employees,dc=fictional,dc=company |
principal.ldap.user.search.filter | objectClass=person |
principal.ldap.username.attribute | cn |
principal.ldap.username.search.base | ou=Employees,dc=fictional,dc=company |
principal.ldap.username.search.filter | (&(objectClass=person)(userPrincipalName={0})) |
principal.ldap.users.by.role.attribute | userPrincipalName |
principal.ldap.users.by.role.search.base | ou=Employees,dc=fictional,dc=company |
principal.ldap.users.by.role.search.filter | (&(objectClass=person)(memberOf=cn={0},ou=Groups,dc=fictional,dc=company)) |
At this point you can also decide to use custom default roles, however, this requires setting read permissions on every repository node - this can be done through the interface for every node except Trash folder, for which you will have to manually add an entry into the database.
1) Download and install OpenKM using your prefered method 2) Download the Spring Security Kerberos Extension .jar file and put it into your OpenKM lib folder ( for example, /opt/tomcat/webapps/OpenKM/WEB-INF/lib) spring-security-kerberos-core-1.0.0.CI-SNAPSHOT.jar. Alternatively you can download and compile the file yourself from Spring Security Kerberos (note that this is a newer version which I have not yet tested) 3) Create the keytab for your OpenKM server and make sure it will be readable by tomcat 4) Open OpenKM.xml and comment out the authentication manager, since you will be doing all the changes directly in applicationContext.xml 5) Change the applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd">
<context:component-scan base-package="com.openkm"/>
<!-- <task:annotation-driven/> -->
<!-- Tasks configuration moved to $CATALINA_HOME/OpenKM.xml -->
<!-- Apache CXF Web Services -->
<beans:import resource="classpath:META-INF/cxf/cxf.xml" />
<beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
<!--
<beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
<beans:property name="targetMethod" value="setStrategyName" />
<beans:property name="arguments" value="_INHERITABLETHREADLOCAL" />
</beans:bean>
-->
<beans:bean id="WSS4JInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<beans:constructor-arg>
<beans:map>
<beans:entry key="action" value="UsernameToken" />
<beans:entry key="passwordType" value="PasswordText" />
<beans:entry key="passwordCallbackClass" value="com.openkm.spring.ClientPasswordCallback" />
</beans:map>
</beans:constructor-arg>
</beans:bean>
<jaxws:endpoint id="authService" implementor="com.openkm.ws.endpoint.AuthService" address="/OKMAuth"/>
<jaxws:endpoint id="bookmarkService" implementor="com.openkm.ws.endpoint.BookmarkService" address="/OKMBookmark"/>
<jaxws:endpoint id="documentService" implementor="com.openkm.ws.endpoint.DocumentService" address="/OKMDocument"/>
<jaxws:endpoint id="folderService" implementor="com.openkm.ws.endpoint.FolderService" address="/OKMFolder"/>
<jaxws:endpoint id="mailService" implementor="com.openkm.ws.endpoint.MailService" address="/OKMMail"/>
<jaxws:endpoint id="noteService" implementor="com.openkm.ws.endpoint.NoteService" address="/OKMNote"/>
<jaxws:endpoint id="notificationService" implementor="com.openkm.ws.endpoint.NotificationService" address="/OKMNotification"/>
<jaxws:endpoint id="propertyGroupService" implementor="com.openkm.ws.endpoint.PropertyGroupService" address="/OKMPropertyGroup"/>
<jaxws:endpoint id="propertyService" implementor="com.openkm.ws.endpoint.PropertyService" address="/OKMProperty"/>
<jaxws:endpoint id="repositoryService" implementor="com.openkm.ws.endpoint.RepositoryService" address="/OKMRepository"/>
<jaxws:endpoint id="searchService" implementor="com.openkm.ws.endpoint.SearchService" address="/OKMSearch"/>
<jaxws:endpoint id="dashboardService" implementor="com.openkm.ws.endpoint.DashboardService" address="/OKMDashboard"/>
<jaxws:endpoint id="workflowService" implementor="com.openkm.ws.endpoint.WorkflowService" address="/OKMWorkflow"/>
<jaxws:endpoint id="testService" implementor="com.openkm.ws.endpoint.TestService" address="/OKMTest">
<!--
<jaxws:inInterceptors>
<beans:ref bean="WSS4JInInterceptor"/>
</jaxws:inInterceptors>
-->
</jaxws:endpoint>
<security:global-method-security secured-annotations="enabled"/>
<!-- Remove prefix to be able of use custom roles
<beans:bean class="org.springframework.security.access.vote.RoleVoter">
<beans:property name="rolePrefix" value=""/>
</beans:bean> -->
<!-- Web Services using Basic authentication -->
<security:http pattern="/services/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:http-basic />
</security:http>
<!-- Status -->
<security:http pattern="/Status" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- Download -->
<security:http pattern="/Download" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- Workflow deploy -->
<security:http pattern="/workflow-register" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- WebDAV using Basic authentication -->
<security:http pattern="/webdav/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<!-- Syndication using Basic authentication -->
<security:http pattern="/feed/**" create-session="stateless">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:http-basic />
</security:http>
<security:http entry-point-ref="spnegoEntryPoint">
<!-- GWT -->
<security:intercept-url pattern="/frontend/**" access="IS_AUTHENTICATED_FULLY" />
<!-- JSPs -->
<security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/admin/**" access="IS_AUTHENTICATED_FULLY" />
<!-- Servlets -->
<security:intercept-url pattern="/RepositoryStartup" access="IS_AUTHENTICATED_FULLY" />
<security:intercept-url pattern="/Test" access="IS_AUTHENTICATED_FULLY" />
<!-- Extensions -->
<security:intercept-url pattern="/extension/**" access="IS_AUTHENTICATED_FULLY" />
<!-- Login page -->
<security:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
<security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
</security:http>
<beans:bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
<beans:bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="kerberosServiceAuthenticationProvider" /> <!-- Used with SPNEGO -->
<security:authentication-provider ref="kerberosAuthenticationProvider"/> <!-- Used with form login -->
</security:authentication-manager>
<beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
<beans:property name="kerberosClient">
<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
<beans:property name="debug" value="true"/>
</beans:bean>
</beans:property>
<beans:property name="userDetailsService" ref="ldapUserService"/>
</beans:bean>
<beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
<beans:property name="ticketValidator">
<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
<beans:property name="servicePrincipal" value="HTTP/openkm.fictional.company" />
<!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
<!-- See the Javadoc for more information on that -->
<beans:property name="keyTabLocation" value="file:/etc/krb5.keytab" />
<beans:property name="debug" value="true" />
</beans:bean>
</beans:property>
<beans:property name="userDetailsService" ref="ldapUserService" />
</beans:bean>
<beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
<beans:property name="debug" value="true" />
<!-- You can point to a different kerberos config location here, if you don't want the default one -->
<!-- <property name="krbConfLocation" value="/etc/krb5.conf"/> -->
</beans:bean>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://ad.fictional.company:389/ "/>
<beans:property name="userDn" value="CN=ldap-lookup,cn=Users,dc=fictional,dc=company"/>
<beans:property name="password" value="secret01"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="ldapUserService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg index="0">
<beans:bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg value="ou=Employees,DC=,fictional,DC=company"/>
<beans:constructor-arg value="userPrincipalName={0}"/>
<beans:constructor-arg ref="contextSource"/>
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg index="1">
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="ou=Groups,dc=fictional,dc=company"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="false"/>
<beans:property name="rolePrefix" value=""/>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
</beans:beans>
Make sure to restart Tomcat.
Open up a browser that supports SPNEGO (Firefox) and add the url of your openkm server to trusted urls (open about:config, search for 'network.n' and add 'openkm.fictional.company' in this case to the list of trusted urls)
If you have a valid kerberos ticket you can then log in to your OpenKM via http://openkm.fictional.company:8080/OpenKM OR log in manually via http://openkm.fictional.company:8080/OpenKM/login.jsp where you type in your AD username/pass. I still have to figure out how to make the server redirect me to login page if the spnego fails, but it's not critical at this point.