AnsweredAssumed Answered

unable to find valid certification path to requested target

Question asked by eskuel on Jun 23, 2014
Latest reply on Sep 18, 2014 by mlagneaux
Bonjour,
je rédige aujourd'hui ce poste je souhaiterais obtenir de l'aide concernant mon problème.

Je suis actuellement en train de mettre en place le lien entre Alfresco et le serveur CAS de mon entreprise en utilisant le tutoriel suivant: http://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration

Cependant, j'obtiens l'erreur suivante

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://monserveurcas.com/serviceValidate] ticket=[ST-88-GmvVTBxb93FCcJalXm7Y-cas] service=[http%3A%2F%2F10.13.65.128%3A8080%2Falfresco%2Ffaces%2Fjsp%2Fdashboards%2Fcontainer.jsp] renew=false]]]
causé par :
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
causé par :
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
causé par :
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Après plusieurs recherche sur internet, j'ai trouvé qu'il s'agissais d'un problème de certificat SSL. j'ai donc essayé de résoudre le problème des façons suivantes:

-importer le certificat dans le fichier %JAVA_HOME%/jre/lib/security/cacerts
-ajouter la ligne : -Djavax.net.ssl.trustStore=%JAVA_HOME%/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit  dans la variable JAVA_OPTS et la variable CATALINA_OPTS

Cependant, je n'ai toujours pas résolu le problème. J'ai pourtant vérifié que mon JAVA_HOME et mon JRE_HOME pointent bien vers les bons fichiers.

<strong> Auriez-vous une solution pour mon problème? je vous remercie par avance pour vos contributions</strong>

Vous trouverez ci-après mes fichiers de configurations:

<strong>server.xml</strong>


<?xml version='1.0' encoding='utf-8'?>
<!–
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
–>
<!– Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
–>
<Server port="8005" shutdown="SHUTDOWN">
  <!– Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  –>
  <!–APR library loader. Documentation at /docs/apr.html –>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!–Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html –>
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!– Prevent memory leaks due to use of particular java/javax APIs–>
  <!– Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /–>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <!– Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /–>

  <!– Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  –>
  <GlobalNamingResources>
    <!– Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    –>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!– A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   –>
  <Service name="Catalina">

    <!–The connectors can use a shared executor, you can define one or more named thread pools–>
    <!–
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    –>


    <!– A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    –>
    <Connector port="8080" URIEncoding="UTF-8" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" maxHttpHeaderSize="32768" />
    <!– A "Connector" using the shared thread pool–>
    <!–
    <Connector executor="tomcatThreadPool"
               port="8080" URIEncoding="UTF-8" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" maxHttpHeaderSize="32768" />
    –>
    <!– Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation –>
    <!–
    <Connector port="8443" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" maxHttpHeaderSize="32768" />
    –>

    <!– Define an AJP 1.3 Connector on port 8009 –>
    <Connector port="8009" URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="8443" />

    <Connector port="8443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="D:\Alfresco/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" keystoreType="JCEKS"
secure="true" connectionTimeout="240000" truststoreFile="D:\Alfresco/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" truststoreType="JCEKS"
               clientAuth="want" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" /> 

           

    <!– An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html –>

    <!– You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    –>
    <Engine name="Catalina" defaultHost="localhost">

      <!–For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) –>
      <!–
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      –>

      <!– Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack –>
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!– This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  –>
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!– SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html –>
        <!–
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        –>

        <!– Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" –>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>


<strong>Alfresco-globale.properties</strong>



###############################
## Common Alfresco Properties #
###############################

dir.root=D:/Alfresco/alf_data

alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=10.13.65.128
share.host=10.13.65.128
share.port=8080
share.protocol=http

### database connection properties ###
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=admin
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}

### FTP Server Configuration ###
ftp.enabled=true
ftp.port=21

### RMI service ports ###
alfresco.rmi.services.port=50500
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0

### External executable locations ###
ooo.exe=D:/Alfresco/libreoffice/App/libreoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8100
img.root=D:\\Alfresco\\imagemagick
img.coders=${img.root}\\modules\\coders
img.config=${img.root}\\config
img.gslib=${img.root}\\lib
img.exe=${img.root}\\convert.exe
swf.exe=D:/Alfresco/swftools/pdf2swf.exe
swf.languagedir=D:/Alfresco/swftools/japanese

jodconverter.enabled=false
jodconverter.officeHome=D:/Alfresco/libreoffice/App/libreoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634

### E-mail site invitation setting ###
#notification.email.siteinvite=false


### n'envoye pas de email d'actualité par email automatiquement ###
activities.feed.notifier.enabled=false

### License location ###
dir.license.external=D:/Alfresco

### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8443

### BPM Engine ###


system.workflow.engine.jbpm.enabled=false
#authentication.chain=alfrescoNtlm1:alfrescoNtlm
#authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
#authentication.chain=external1:external
authentication.chain=external1:external


<strong>web.xml</strong>


<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
   <display-name>Alfresco Web Client</display-name>

   <description>Alfresco Web Client</description>

   <context-param>
      <param-name>org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL</param-name>
      <param-value>true</param-value>
   </context-param>

   <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>server</param-value>
   </context-param>

   <context-param>
      <param-name>javax.faces.PARTIAL_STATE_SAVING_METHOD</param-name>
      <param-value>false</param-value>
   </context-param>

   <context-param>
      <param-name>javax.faces.CONFIG_FILES</param-name>
      <param-value>/WEB-INF/faces-config-app.xml,/WEB-INF/faces-config-beans.xml,/WEB-INF/faces-config-navigation.xml,/WEB-INF/faces-config-common.xml,/WEB-INF/faces-config-repo.xml,/WEB-INF/faces-config-wcm.xml,/WEB-INF/faces-config-custom.xml</param-value>
   </context-param>

   <context-param>
      <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
      <param-value>true</param-value>
   </context-param>

   <context-param>
      <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
      <param-value>false</param-value>
      <description>This is an EXPERIMENTAL feature, so leave it off for now!</description>
   </context-param>

   <context-param>
      <param-name>org.apache.myfaces.SERIALIZE_STATE_IN_SESSION</param-name>
      <param-value>false</param-value>
      <description>Stop MyFaces from Serializing the state to the session</description>
   </context-param>

    <!– TODO: Change this to false for production –>
    <context-param>
        <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
        <param-value>true</param-value>
        <description>
            If true, rendered HTML code will be formatted, so that it is "human readable".
            i.e. additional line separators and whitespace will be written, that do not
            influence the HTML code.
            Default: "true"
        </description>
    </context-param>

    <context-param>
        <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
        <param-value>false</param-value>
        <description>
            If true, a javascript function will be rendered that is able to restore the
            former vertical scroll on every request. Convenient feature if you have pages
            with long lists and you do not want the browser page to always jump to the top
            if you trigger a link or button action that stays on the same page.
            Default: "false"
        </description>
    </context-param>

   <!– Spring Application Context location –>
   <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/web-application-context.xml</param-value>
      <description>Spring config file location</description>
   </context-param>
  
   <context-param>
      <param-name>log4jExposeWebAppRoot</param-name>
      <param-value>false</param-value>
      <description>Do not try to resolve web app root as file</description>
   </context-param>

   <!–  These were previously init params for the WebDAV servlet,
         but since they are also needed to MT-enable the
         ExternalAccess servlet, I have made them context wide. –>
   <context-param>
         <param-name>store</param-name>
         <param-value>workspace://SpacesStore</param-value>
   </context-param>
   <context-param>
         <param-name>rootPath</param-name>
         <param-value>/app:company_home</param-value>
   </context-param>

   <context-param>
      <param-name>org.apache.myfaces.ERROR_HANDLING</param-name>
      <param-value>false</param-value>
   </context-param>
  
   <!– Activiti context param placeholder –>

   <context-param>
      <param-name>com.ibm.ws.jsf.loadExternalDtd</param-name>
      <param-value>false</param-value>
      <description>Sets "http://apache.org/xml/features/nonvalidating/load-external-dtd" feature on the SAXParser to false if this parameter is false</description>
   </context-param>
  
   <filter>
      <filter-name>Authentication Filter</filter-name>
      <description>Authentication filter mapped only to faces URLs. Other URLs generally use proprietary means to talk to the AuthenticationComponent</description>
      <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
      <init-param>
         <param-name>beanName</param-name>
         <param-value>AuthenticationFilter</param-value>
      </init-param>
   </filter>
  
   <filter>
      <filter-name>Global Authentication Filter</filter-name>
      <description>Authentication filter mapped to all authenticated URLs. Mainly for SSO support</description>
      <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
      <init-param>
         <param-name>beanName</param-name>
         <param-value>GlobalAuthenticationFilter</param-value>
      </init-param>
   </filter>

   <filter>
      <filter-name>WebScript Authentication Filter</filter-name>
      <description>Authentication filter mapped to web script URLs. Mainly for SSO support</description>
      <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
      <init-param>
         <param-name>beanName</param-name>
         <param-value>WebscriptAuthenticationFilter</param-value>
      </init-param>
   </filter>
  
   <filter>
      <filter-name>WebDAV Authentication Filter</filter-name>
      <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
      <init-param>
         <param-name>beanName</param-name>
         <param-value>WebDavAuthenticationFilter</param-value>
      </init-param>
   </filter>

   <filter>
      <filter-name>Admin Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.app.servlet.AdminAuthenticationFilter</filter-class>
   </filter>
  
   <filter>
      <filter-name>CacheExpiresFilter</filter-name>
      <description>Set HTTP cache Expires header 30 days forward for a mapping.</description>
      <filter-class>org.alfresco.web.scripts.servlet.StaticAssetCacheFilter</filter-class>
      <init-param>
         <param-name>expires</param-name>
         <param-value>30</param-value>
         <description>Add an Expires Header 30 days forward</description>
      </init-param>
   </filter>

   <filter>
      <filter-name>Global Localization Filter</filter-name>
      <description>Sets fallback default locale for ALL requests</description>
      <filter-class>org.alfresco.web.app.servlet.GlobalLocalizationFilter</filter-class>
   </filter>

     <filter>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>com.keembay.alfresco.web.app.servlet.CASAuthenticationFilter</filter-class>
      <init-param>
         <param-name>cas.user.label</param-name>
         <param-value>edu.yale.its.tp.cas.client.filter.user</param-value>
      </init-param>
   </filter>
    <!– CAS client filter –>
<filter>
     <filter-name>CAS Filter</filter-name>
     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
     <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
         <param-value>https://monserveurcas/login</param-value>
     </init-param>
     <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
         <param-value>https://monserveurcas/serviceValidate</param-value>
     </init-param>
     <init-param>
         <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
         <param-value>10.13.65.128:8080</param-value>
     </init-param>
</filter>

<filter-mapping>
     <filter-name>CAS Filter</filter-name>
     <url-pattern>/faces/*</url-pattern>
</filter-mapping>
<!– end of CAS client filter –>
  
  
  
  
   <filter>
      <filter-name>JSF Session Synchronized Filter</filter-name>
      <filter-class>org.alfresco.repo.web.filter.beans.SessionSynchronizedFilter</filter-class>
   </filter>

   <filter-mapping>
      <filter-name>Global Localization Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/navigate/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/command/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/download/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/template/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/n/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/c/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/t/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/d/*</url-pattern>
   </filter-mapping>
  
   <!– The WebScript Authentication filter sits in front of web service URLs in addition to the global authentication filter –>
   <filter-mapping>
      <filter-name>WebScript Authentication Filter</filter-name>
      <url-pattern>/wcservice/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>WebScript Authentication Filter</filter-name>
      <url-pattern>/wcs/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/wcservice/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/wcs/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/ajax/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>Global Authentication Filter</filter-name>
      <url-pattern>/faces/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Authentication Filter</filter-name>
      <url-pattern>/faces/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>WebDAV Authentication Filter</filter-name>
      <url-pattern>/webdav/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/admin/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/categories/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/groups/*</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/users/delete-user.jsp</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/users/users.jsp</url-pattern>
   </filter-mapping>

   <filter-mapping>
      <filter-name>Admin Authentication Filter</filter-name>
      <url-pattern>/faces/jsp/admin/system-info.jsp</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>JSF Session Synchronized Filter</filter-name>
      <url-pattern>/faces/*</url-pattern>
   </filter-mapping>
  
   <filter-mapping>
      <filter-name>CacheExpiresFilter</filter-name>
      <url-pattern>*.jpg</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>CacheExpiresFilter</filter-name>
      <url-pattern>*.png</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>CacheExpiresFilter</filter-name>
      <url-pattern>*.gif</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>CacheExpiresFilter</filter-name>
      <url-pattern>*.css</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>CacheExpiresFilter</filter-name>
      <url-pattern>*.js</url-pattern>
   </filter-mapping>

   <listener>
      <listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
   </listener>

   <listener>
      <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
   </listener>
  
   <!– Spring Context Loader listener - can disable loading of context if runtime config changes are needed –>
   <listener>
      <listener-class>org.alfresco.web.app.ContextLoaderListener</listener-class>
   </listener>

   <!– Web Application Context listener - session create/destroy debugging and bootstrap Spring init –>
   <listener>
      <listener-class>org.alfresco.web.app.ContextListener</listener-class>
   </listener>

   <!– WebDAV session listener - ensures that no locked resources is left after session expires –>
   <listener>
      <listener-class>org.alfresco.repo.webdav.WebDAVSessionListener</listener-class>
   </listener>

   <!– Web Services context listener for OpenCMIS –>
   <listener>
      <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>
   </listener>
  
   <!– Activiti listener placeholder –>


   <!– Faces Servlet –>
   <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
   </servlet>

   <servlet>
      <servlet-name>uploadFile</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.UploadFileServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>uploadContent</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.UploadContentServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>downloadContent</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.DownloadContentServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>downloadRawContent</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.DownloadRawContentServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>guestDownloadContent</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.GuestDownloadContentServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>guestTemplateContent</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.GuestTemplateContentServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>externalAccess</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.ExternalAccessServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>templateContent</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.TemplateContentServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>commandServlet</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.CommandServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>ajaxServlet</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.ajax.AjaxServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>axis</servlet-name>
      <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
      <load-on-startup>5</load-on-startup>
   </servlet>

   <servlet>
      <servlet-name>CXFServlet</servlet-name>
      <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
      <load-on-startup>6</load-on-startup>
   </servlet>

   <servlet>
      <servlet-name>WebDAV</servlet-name>
      <servlet-class>org.alfresco.repo.webdav.WebDAVServlet</servlet-class>
      <load-on-startup>5</load-on-startup>
   </servlet>

   <servlet>
      <servlet-name>apiServlet</servlet-name>
      <servlet-class>org.springframework.extensions.webscripts.servlet.WebScriptServlet</servlet-class>
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.basic</param-value>
      </init-param>
   </servlet>
  
   <servlet>
      <servlet-name>wcapiServlet</servlet-name>
      <servlet-class>org.springframework.extensions.webscripts.servlet.WebScriptServlet</servlet-class>
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.webclient</param-value>
      </init-param>
   </servlet>

   <servlet>
      <servlet-name>portalapiServlet</servlet-name>
      <servlet-class>org.springframework.extensions.webscripts.servlet.WebScriptServlet</servlet-class>
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.webclient</param-value>
      </init-param>
   </servlet>

   <servlet>
      <servlet-name>facebookServlet</servlet-name>
      <servlet-class>org.alfresco.repo.web.scripts.facebook.FacebookServlet</servlet-class>
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.facebook</param-value>
      </init-param>
   </servlet>

   <servlet>
      <servlet-name>fbapiServlet</servlet-name>
      <servlet-class>org.alfresco.repo.web.scripts.facebook.FacebookAPIServlet</servlet-class>
      <init-param>
         <param-name>authenticator</param-name>
         <param-value>webscripts.authenticator.facebook</param-value>
      </init-param>
   </servlet>

   <servlet>
      <servlet-name>proxyServlet</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.HTTPProxyServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>workflowDefinitionImageServlet</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.WorkflowDefinitionImageServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>JBPMDeployProcessServlet</servlet-name>
      <servlet-class>org.alfresco.web.app.servlet.JBPMDeployProcessServlet</servlet-class>
   </servlet>

   <servlet>
      <servlet-name>CMISFileShareServlet</servlet-name>
      <servlet-class>org.apache.chemistry.opencmis.browser.BrowseServlet</servlet-class>
      <init-param>
         <param-name>auxroot</param-name>
         <param-value>cmisfs/browser/</param-value>
      </init-param>
      <init-param>
         <param-name>allow</param-name>
         <param-value>http.*</param-value>
      </init-param>
      <init-param>
         <param-name>stylesheet:application/atomsvc+xml</param-name>
         <param-value>/cmisfs/stylesheets/service.xsl</param-value>
      </init-param>
      <init-param>
         <param-name>stylesheet:application/atom+xml;type=feed</param-name>
         <param-value>/cmisfs/stylesheets/feed.xsl</param-value>
      </init-param>
      <init-param>
         <param-name>stylesheet:application/cmistree+xml</param-name>
         <param-value>/cmisfs/stylesheets/feed.xsl</param-value>
      </init-param>
      <init-param>
         <param-name>stylesheet:application/atom+xml;type=entry</param-name>
         <param-value>/cmisfs/stylesheets/entry.xsl</param-value>
      </init-param>
      <init-param>
         <param-name>stylesheet:application/cmisallowableactions+xml</param-name>
         <param-value>/cmisfs/stylesheets/actions.xsl</param-value>
      </init-param>
      <init-param>
         <param-name>stylesheet:application/cmisacl+xml</param-name>
         <param-value>/cmisfs/stylesheets/acl.xsl</param-value>
      </init-param>
      <init-param>
         <param-name>override-stylesheet:renditions</param-name>
         <param-value>/cmisfs/stylesheets/renditions.xsl</param-value>
      </init-param>
      <init-param>
         <param-name>override-stylesheet:relationships</param-name>
         <param-value>/cmisfs/stylesheets/relationships.xsl</param-value>
      </init-param>
      <init-param>
         <param-name>override-stylesheet:thumbnails</param-name>
         <param-value>/cmisfs/stylesheets/thumbnails.xsl</param-value>
      </init-param>
   </servlet>

   <servlet>
      <servlet-name>cmisws</servlet-name>
      <servlet-class>com.sun.xml.ws.transport.http.servlet.WSServlet</servlet-class>
      <load-on-startup>7</load-on-startup>
   </servlet>

   <servlet>
      <servlet-name>cmisatom</servlet-name>
      <servlet-class>org.apache.chemistry.opencmis.server.impl.atompub.CmisAtomPubServlet</servlet-class>
      <init-param>
         <param-name>callContextHandler</param-name>
         <param-value>org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler</param-value>
      </init-param>
      <load-on-startup>8</load-on-startup>
   </servlet>

   <servlet>
      <servlet-name>cmisbrowser</servlet-name>
      <servlet-class>org.apache.chemistry.opencmis.server.impl.browser.CmisBrowserBindingServlet</servlet-class>
      <init-param>
         <param-name>callContextHandler</param-name>
         <param-value>org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler</param-value>
      </init-param>
      <load-on-startup>8</load-on-startup>
   </servlet>

   <servlet>
      <servlet-name>cmistck</servlet-name>
      <servlet-class>org.apache.chemistry.opencmis.tck.runner.WebRunnerServlet</servlet-class>
      <load-on-startup>8</load-on-startup>
   </servlet>

   <servlet>
      <servlet-name>authenticatorServlet</servlet-name>
      <servlet-class>org.alfresco.repo.web.scripts.servlet.AuthenticatorServlet</servlet-class>
   </servlet>
  
   <!– Activiti servlet placeholder –>
   
   <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>uploadFile</servlet-name>
      <url-pattern>/uploadFileServlet</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>uploadContent</servlet-name>
      <url-pattern>/upload/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>downloadContent</servlet-name>
      <url-pattern>/download/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>downloadContent</servlet-name>
      <url-pattern>/d/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>downloadRawContent</servlet-name>
      <url-pattern>/dr</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>guestDownloadContent</servlet-name>
      <url-pattern>/guestDownload/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>guestDownloadContent</servlet-name>
      <url-pattern>/gd/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>templateContent</servlet-name>
      <url-pattern>/template/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>templateContent</servlet-name>
      <url-pattern>/t/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>guestTemplateContent</servlet-name>
      <url-pattern>/guestTemplate/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>guestTemplateContent</servlet-name>
      <url-pattern>/gt/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>externalAccess</servlet-name>
      <url-pattern>/navigate/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>externalAccess</servlet-name>
      <url-pattern>/n/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>commandServlet</servlet-name>
      <url-pattern>/command/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>commandServlet</servlet-name>
      <url-pattern>/c/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>ajaxServlet</servlet-name>
      <url-pattern>/ajax/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>axis</servlet-name>
      <url-pattern>/api/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>CXFServlet</servlet-name>
      <url-pattern>/cmis/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
        <servlet-name>WebDAV</servlet-name>
        <url-pattern>/webdav/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>apiServlet</servlet-name>
      <url-pattern>/service/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>apiServlet</servlet-name>
      <url-pattern>/s/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>wcapiServlet</servlet-name>
      <url-pattern>/wcservice/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>wcapiServlet</servlet-name>
      <url-pattern>/wcs/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>portalapiServlet</servlet-name>
      <url-pattern>/168service/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>portalapiServlet</servlet-name>
      <url-pattern>/168s/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>facebookServlet</servlet-name>
      <url-pattern>/facebook/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>facebookServlet</servlet-name>
      <url-pattern>/fb/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>fbapiServlet</servlet-name>
      <url-pattern>/fbservice/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>fbapiServlet</servlet-name>
      <url-pattern>/fbs/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>proxyServlet</servlet-name>
      <url-pattern>/proxy</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>JBPMDeployProcessServlet</servlet-name>
      <url-pattern>/jbpm/deployprocess</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>workflowDefinitionImageServlet</servlet-name>
      <url-pattern>/workflowdefinitionimage/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>CMISFileShareServlet</servlet-name>
      <url-pattern>/cmisbrowse</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>cmisws</servlet-name>
      <url-pattern>/cmisws/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>cmisatom</servlet-name>
      <url-pattern>/cmisatom/*</url-pattern>
   </servlet-mapping>

   <servlet-mapping>
      <servlet-name>cmisbrowser</servlet-name>
      <url-pattern>/cmisbrowser/*</url-pattern>
   </servlet-mapping>
   
   <!– The CMIS TCK is deactivated by default. –>
   <!– CMISTCK
   <servlet-mapping>
      <servlet-name>cmistck</servlet-name>
      <url-pattern>/cmistck</url-pattern>
   </servlet-mapping>
   CMISTCK –>
  
   <!– Activiti servlet mapping placeholder –>

   <session-config>
      <session-timeout>60</session-timeout>
   </session-config>

   <welcome-file-list>
      <welcome-file>index.jsp</welcome-file>
   </welcome-file-list>

   <error-page>
      <exception-type>java.lang.Exception</exception-type>
      <location>/jsp/error.jsp</location>
   </error-page>

   <resource-ref>
      <description>The Alfresco database connection</description>
      <res-ref-name>jdbc/dataSource</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
      <res-sharing-scope>Unshareable</res-sharing-scope>
   </resource-ref>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>SOLR</web-resource-name>
         <url-pattern>/service/api/solr/*</url-pattern>
      </web-resource-collection>

      <auth-constraint>
         <role-name>repoclient</role-name>
      </auth-constraint>

      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>SOLR</web-resource-name>
         <url-pattern>/s/api/solr/*</url-pattern>
      </web-resource-collection>

      <auth-constraint>
         <role-name>repoclient</role-name>
      </auth-constraint>

      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
  
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>SOLR</web-resource-name>
         <url-pattern>/wcservice/api/solr/*</url-pattern>
      </web-resource-collection>

      <auth-constraint>
         <role-name>repoclient</role-name>
      </auth-constraint>

      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
  
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>SOLR</web-resource-name>
         <url-pattern>/wcs/api/solr/*</url-pattern>
      </web-resource-collection>

      <auth-constraint>
         <role-name>repoclient</role-name>
      </auth-constraint>

      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
  
   <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>Repository</realm-name>
   </login-config>

   <security-role>
     <role-name>repoclient</role-name>
   </security-role>

   <env-entry>
      <description>A flag that globally enables or disables startup of the major Alfresco subsystems.</description>
      <env-entry-name>properties/startup.enable</env-entry-name>
      <env-entry-value>true</env-entry-value>
      <env-entry-type>java.lang.Boolean</env-entry-type>
   </env-entry>

   <env-entry>
      <description>The filesystem directory below which content and index data is stored. Should be on a shared disk
         if this is a clustered installation.</description>
      <env-entry-name>properties/dir.root</env-entry-name>
      <env-entry-value/> <!– Empty value included for JBoss compatibility –>
      <env-entry-type>java.lang.String</env-entry-type>
   </env-entry>

   <env-entry>
      <description>The fully qualified name of a org.hibernate.dialect.Dialect subclass that allows Hibernate to
         generate SQL optimized for a particular relational database. Choose from org.hibernate.dialect.DerbyDialect,
         org.hibernate.dialect.MySQLInnoDBDialect,
         org.alfresco.repo.domain.hibernate.dialect.AlfrescoOracle9Dialect,
         org.alfresco.repo.domain.hibernate.dialect.AlfrescoSybaseAnywhereDialect,
         org.alfresco.repo.domain.hibernate.dialect.AlfrescoSQLServerDialect, org.hibernate.dialect.PostgreSQLDialect</description>
      <env-entry-name>properties/hibernate.dialect</env-entry-name>
      <env-entry-value/> <!– Empty value included for JBoss compatibility –>
      <env-entry-type>java.lang.String</env-entry-type>
   </env-entry>

   <env-entry>
      <description>Mapping from tokens in Hibernate queries to SQL tokens. For PostgreSQL, set this to "true
         TRUE, false FALSE".</description>
      <env-entry-name>properties/hibernate.query.substitutions</env-entry-name>
      <env-entry-value/> <!– Empty value included for JBoss compatibility –>
      <env-entry-type>java.lang.String</env-entry-type>
   </env-entry>

   <env-entry>
      <description>Enable use of JDBC3 PreparedStatement.getGeneratedKeys() to retrieve natively generated keys
         after insert. Requires JDBC3+ driver. Set to false if your driver has problems with the Hibernate identifier
         generators. By default, tries to determine the driver capabilities using connection metadata. </description>
      <env-entry-name>properties/hibernate.jdbc.use_get_generated_keys</env-entry-name>
      <env-entry-value/> <!– Empty value included for JBoss compatibility –>
      <env-entry-type>java.lang.String</env-entry-type>
   </env-entry>

   <env-entry>
      <description>Qualify unqualified table names with the given schema/tablespace in generated SQL. It may be
         necessary to set this when the target database has more than one schema.</description>
      <env-entry-name>properties/hibernate.default_schema</env-entry-name>
      <env-entry-value/> <!– Empty value included for JBoss compatibility –>
      <env-entry-type>java.lang.String</env-entry-type>
   </env-entry>

</web-app>

Outcomes