inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-24 17:32:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0a7fef92aaf375d0cf5ae44d3a39ae6689e0d8d5
alfresco-community-repo/config/alfresco/authentication-services-context.xml
Jan Vonka 0a7fef92aa MT fixes to provide initial support for tenant-specific guests 
- explicit guest access is required, such as "guest@tenant1" (note: implicit/anonymous guest access can only login to the default domain)
- also fixes issue with "Show All" users, when logged in as a tenant admin

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@7748 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2008-01-03 15:06:07 +00:00

377 lines
16 KiB
XML
Raw Blame History

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<!-- =================================================================== -->
<!-- This file contains the bean definitions that support authentication -->
<!-- =================================================================== -->
<!-- -->
<!-- Acegi is used for authentication and protecting method calls on public -->
<!-- services. To do this requires our authentication mechanism to work -->
<!-- within the acegi framework. -->
<!-- -->
<!-- It is important to decide if user names are case sensitive or not. -->
<!-- This is configured in repository.properties. -->
<!-- -->
<!-- -->
<!-- TODO: -->
<!-- -->
<!-- The transactional wrappers should be removed from the beans in this -->
<!-- file. This should be done in the public services definitions. -->
<!-- This requires some tests to be fixed up. -->
<!-- -->
<beans>
<!-- -->
<!-- The Acegi authentication manager. -->
<!-- -->
<!-- Provders are asked to authenticate in order. -->
<!-- First, is a provider that checks if an acegi authentication object -->
<!-- is already bound to the executing thread. If it is, and it is set -->
<!-- as authenticated then no further authentication is required. If -->
<!-- this is absent, Acegi validates the password for every method -->
<!-- invocation, which is too CPU expensive. If we set an -->
<!-- authentication based on a ticket etc .... or we want to set the -->
<!-- the system user as the current user ... we do not have the -->
<!-- password. So if we have set an authentication and set it as -->
<!-- authenticated that is sufficient to validate the user. -->
<!-- -->
<!-- If the authentication bound to the current thread is not set as -->
<!-- authenticated the standard Acegi DAO Authentication provider -->
<!-- is used to authenticate. -->
<!-- -->
<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="authenticatedAuthenticationPassthroughProvider" />
<ref bean="daoAuthenticationProvider" />
</list>
</property>
</bean>
<!-- We provide a DAO to plug into the Acegi DaoAuthenticationProvider -->
<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="authenticationDao">
<ref bean="authenticationDao" />
</property>
<property name="saltSource">
<ref bean="saltSource" />
</property>
<property name="passwordEncoder">
<ref bean="passwordEncoder" />
</property>
</bean>
<!-- An authentication Provider that just believes authentications -->
<!-- bound to the local thread are valid if they are set as -->
<!-- authenticated. -->
<bean id="authenticatedAuthenticationPassthroughProvider" class="org.alfresco.repo.security.authentication.AuthenticatedAuthenticationPassthroughProvider" />
<!-- The authroity DAO implements an interface extended from the Acegi -->
<!-- DAO that supports CRUD. -->
<bean id="authenticationDao" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="tenantService">
<ref bean="tenantService"/>
</property>
<property name="dictionaryService">
<ref bean="dictionaryService" />
</property>
<property name="namespaceService">
<ref bean="namespaceService" />
</property>
<property name="searchService">
<ref bean="admSearchService" />
</property>
<property name="userNamesAreCaseSensitive">
<value>${user.name.caseSensitive}</value>
</property>
<property name="passwordEncoder">
<ref bean="passwordEncoder" />
</property>
</bean>
<!-- The DAO also acts as a salt provider. -->
<alias alias="saltSource" name="authenticationDao"/>
<!-- Passwords are encoded using MD4 -->
<!-- This is not ideal and only done to be compatible with NTLM -->
<!-- authentication against the default authentication mechanism. -->
<bean id="passwordEncoder" class="org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl"></bean>
<!-- The Authentication Service implementation. -->
<!-- -->
<!-- This delegates its work to two services: -->
<!-- an AuthenticationComponent and a MutableAuthenticationDAO. -->
<!-- -->
<!-- The permissions service is required so that permissions can be -->
<!-- cleaned up when a user is deleted. -->
<bean id="authenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
<property name="authenticationDao">
<ref bean="authenticationDao" />
</property>
<property name="ticketComponent">
<ref bean="ticketComponent" />
</property>
<property name="authenticationComponent">
<ref bean="authenticationComponent" />
</property>
</bean>
<!-- The authentication component. -->
<bean id="AuthenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="proxyInterfaces">
<value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
</property>
<property name="transactionManager">
<ref bean="transactionManager" />
</property>
<property name="target">
<ref bean="authenticationComponent" />
</property>
<property name="transactionAttributes">
<props>
<prop key="*">${server.transaction.mode.default}</prop>
</props>
</property>
</bean>
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl">
<property name="authenticationDao">
<ref bean="authenticationDao" />
</property>
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
<property name="allowGuestLogin">
<value>true</value>
</property>
<property name="tenantService">
<ref bean="tenantService"/>
</property>
</bean>
<!-- Simple Authentication component that rejects all authentication requests -->
<!-- Use this defintion for Novell IChain integration. -->
<!-- It should never go to the login screen so this is not required -->
<!--
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl">
<property name="accept">
<value>true</value>
</property>
</bean>
-->
<!-- The person service. -->
<bean id="personService" class="org.alfresco.repo.security.person.PersonServiceImpl" init-method="init">
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="tenantService">
<ref bean="tenantService"/>
</property>
<property name="searchService">
<ref bean="admSearchService" />
</property>
<property name="permissionServiceSPI">
<ref bean="permissionServiceImpl" />
</property>
<property name="authorityService">
<ref bean="authorityService" />
</property>
<property name="namespacePrefixResolver">
<ref bean="namespaceService" />
</property>
<property name="policyComponent">
<ref bean="policyComponent"/>
</property>
<property name="personCache">
<ref bean="personCache" />
</property>
<!-- Configurable properties. -->
<!-- -->
<!-- TODO: -->
<!-- Add support for creating real home spaces adn setting -->
<!-- permissions on the hame space and people created. -->
<!-- -->
<!-- The store in which people are persisted. -->
<property name="storeUrl">
<value>${spaces.store}</value>
</property>
<!-- Some authentication mechanisms may need to create people -->
<!-- in the repository on demand. This enables that feature. -->
<!-- If dsiabled an error will be generated for missing -->
<!-- people. If enabled then a person will be created and -->
<!-- persisted. -->
<!-- Valid values are -->
<!-- ${server.transaction.allow-writes} -->
<!-- false -->
<property name="createMissingPeople">
<value>${server.transaction.allow-writes}</value>
</property>
<property name="userNamesAreCaseSensitive">
<value>${user.name.caseSensitive}</value>
</property>
<!-- New properties after 1.4.0 to deal with duplicate user ids when found -->
<property name="processDuplicates">
<value>true</value>
</property>
<!-- one of: LEAVE, SPLIT, DELETE -->
<property name="duplicateMode">
<value>SPLIT</value>
</property>
<property name="lastIsBest">
<value>true</value>
</property>
<property name="includeAutoCreated">
<value>false</value>
</property>
</bean>
<bean name="homeFolderManager" class="org.alfresco.repo.security.person.HomeFolderManager">
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="policyComponent">
<ref bean="policyComponent" />
</property>
<property name="defaultProvider">
<ref bean="userHomesHomeFolderProvider" />
</property>
</bean>
<bean name="companyHomeFolderProvider" class="org.alfresco.repo.security.person.ExistingPathBasedHomeFolderProvider">
<property name="serviceRegistry">
<ref bean="ServiceRegistry" />
</property>
<property name="path">
<value>/${spaces.company_home.childname}</value>
</property>
<property name="storeUrl">
<value>${spaces.store}</value>
</property>
<property name="homeFolderManager">
<ref bean="homeFolderManager" />
</property>
</bean>
<bean name="guestHomeFolderProvider" class="org.alfresco.repo.security.person.ExistingPathBasedHomeFolderProvider">
<property name="serviceRegistry">
<ref bean="ServiceRegistry" />
</property>
<property name="path">
<value>/${spaces.company_home.childname}/${spaces.guest_home.childname}</value>
</property>
<property name="storeUrl">
<value>${spaces.store}</value>
</property>
<property name="homeFolderManager">
<ref bean="homeFolderManager" />
</property>
<property name="userPemissions">
<set>
<value>Consumer</value>
</set>
</property>
</bean>
<bean name="bootstrapHomeFolderProvider" class="org.alfresco.repo.security.person.BootstrapHomeFolderProvider">
<property name="homeFolderManager">
<ref bean="homeFolderManager" />
</property>
</bean>
<bean name="personalHomeFolderProvider" class="org.alfresco.repo.security.person.UIDBasedHomeFolderProvider">
<property name="serviceRegistry">
<ref bean="ServiceRegistry" />
</property>
<property name="path">
<value>/${spaces.company_home.childname}</value>
</property>
<property name="storeUrl">
<value>${spaces.store}</value>
</property>
<property name="homeFolderManager">
<ref bean="homeFolderManager" />
</property>
<property name="inheritsPermissionsOnCreate">
<value>false</value>
</property>
<property name="ownerPemissionsToSetOnCreate">
<set>
<value>All</value>
</set>
</property>
<property name="userPemissions">
<set>
<value>All</value>
</set>
</property>
</bean>
<bean name="userHomesHomeFolderProvider" class="org.alfresco.repo.security.person.UIDBasedHomeFolderProvider">
<property name="serviceRegistry">
<ref bean="ServiceRegistry" />
</property>
<property name="path">
<value>/${spaces.company_home.childname}/${spaces.user_homes.childname}</value>
</property>
<property name="storeUrl">
<value>${spaces.store}</value>
</property>
<property name="homeFolderManager">
<ref bean="homeFolderManager" />
</property>
<property name="inheritsPermissionsOnCreate">
<value>false</value>
</property>
<property name="ownerPemissionsToSetOnCreate">
<set>
<value>All</value>
</set>
</property>
<property name="userPemissions">
<set>
<value>All</value>
</set>
</property>
</bean>
<!-- The ticket component. -->
<!-- Used for reauthentication -->
<bean id="ticketComponent" class="org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl">
<property name="ticketsCache">
<ref bean="ticketsCache"/>
</property>
<!-- The period for which tickets are valid in XML duration format. -->
<!-- The default is P1H for one hour. -->
<property name="validDuration">
<value>P1H</value>
</property>
<!-- Do tickets expire or live for ever? -->
<property name="ticketsExpire">
<value>false</value>
</property>
<!-- Are tickets only valid for a single use? -->
<property name="oneOff">
<value>false</value>
</property>
</bean>
</beans>
Reference in New Issue View Git Blame Copy Permalink