
CAS ALFRESCO SSH / HTTPS

Discussion created by hammamitaha on Oct 15, 2018

1         Introduction

 

Après l'installation d'Alfresco :

Vérifier le fichier /etc/hosts

192.168.1.x alfresco  alfcas.local.com

192.168.1.X cas cas.local.com

Arrêter le service

/etc/init.d/alfresco stop

2         Configuration https

 

2.1       Modifier le fichier

/opt/alfresco/tomcat/conf/server.xml

***** Ajouter la connexion https ****

  <Connector port="8443" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" maxHttpHeaderSize="32768"

               keystoreFile="/root/MonKeystore.jks" keystorePass="changeit" />

2.2         Création de clé 

Créer le MonKeystore.jks

# Create /root/MonKeystore.jks with a self-signed 2048-bit RSA key pair under the alias "alfresco".
# keytool asks interactively for the certificate's distinguished name; presumably the CN should be
# the host name clients connect to (alfcas.local.com in this guide), otherwise host name
# verification fails on the client side.
# NOTE(review): -storepass/-keypass given on the command line end up in the shell history and in
# the process list; leaving them out makes keytool prompt for them. "changeit" is the JDK default
# password; whatever is chosen must match keystorePass in server.xml.
# NOTE(review): -validity 3600 makes the self-signed certificate valid for roughly ten years.
/opt/alfresco-5.0.c/java/bin/keytool -genkey \
    -keyalg RSA \
    -alias alfresco \
    -keystore /root/MonKeystore.jks \
    -validity 3600 \
    -keysize 2048 \
    -storepass changeit \
    -keypass changeit

2.3       Ajouter dans le trust

Ajouter le certificat exporté dans le magasin de certificats de confiance (cacerts) de la JVM

# Step 1: write the certificate stored under alias "alfresco" to export.cert.
# The relative paths suggest both commands are run from the bundled JRE's bin directory
# (presumably /opt/alfresco-5.0.c/java/bin); keytool prompts for the keystore passwords.
./keytool -export \
    -alias alfresco \
    -keystore /root/MonKeystore.jks \
    -file export.cert

# Step 2: add that certificate to the JRE-wide trust store.
# NOTE(review): every Java program started with this JRE will then trust the self-signed
# certificate. keytool prints its fingerprint and asks for confirmation before importing;
# check that it is the certificate generated above.
./keytool -import \
    -alias alfresco \
    -keystore ../lib/security/cacerts \
    -file export.cert

Modifier le fichier /opt/alfresco/tomcat/bin/setenv.sh

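# Environment for the bundled Tomcat; Tomcat's catalina.sh sources bin/setenv.sh at start-up.
JAVA_HOME=/opt/alfresco-5.0.c/java
JRE_HOME=$JAVA_HOME

# Base JVM flags. -Dcom.sun.management.jmxremote on its own does not set a JMX port here.
JAVA_OPTS="-XX:+DisableExplicitGC -Djava.awt.headless=true -Dalfresco.home=/opt/alfresco-5.0.c -Dcom.sun.management.jmxremote -XX:ReservedCodeCacheSize=128m"

# Trust store holding the Alfresco and CAS certificates imported with keytool.
# Appended to the existing value: a plain JAVA_OPTS="..." assignment at this point would
# silently drop every base flag set above.
# NOTE(review): the trust store password is visible in the process list; "changeit" is the JDK default.
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/opt/alfresco-5.0.c/java/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit"

# Memory settings are prepended to everything configured so far.
JAVA_OPTS="-XX:MaxPermSize=256M -Xms512M -Xmx2048M $JAVA_OPTS" # java-memory-settings

export JAVA_HOME
export JRE_HOME
export JAVA_OPTS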

 

3         Configuration CAS

 

Importer le certificat du serveur CAS (afin de permettre la connexion du serveur CAS sur Alfresco)

 

# Register the CAS server's certificate (alias "alfcastaha") in the trust store of the JRE that
# runs Alfresco, so that TLS connections from Alfresco to the CAS server can be verified.
# keytool prompts for the trust store password and shows the certificate fingerprint before
# asking for confirmation.
# NOTE(review): compare that fingerprint with the one shown on the CAS server itself before
# accepting; a certificate swapped during the copy to /root/casserver.pem would otherwise
# become trusted.
/opt/alfresco-5.0.c/java/bin/keytool -import \
    -file /root/casserver.pem \
    -alias alfcastaha \
    -trustcacerts \
    -keystore /opt/alfresco-5.0.c/java/lib/security/cacerts

 

NB : casserver.pem est généré à partir du serveur CAS

 

Modifier les fichiers suivants :

/opt/alfresco-5.0.c/tomcat/shared/classes/alfresco-global.properties

/opt/alfresco-5.0.c/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

/opt/alfresco-5.0.c/tomcat/webapps/share/WEB-INF/web.xml

/opt/alfresco-5.0.c/tomcat/webapps/alfresco/WEB-INF/web.xml

 

3.1       alfresco-global.properties

 (On lui ajoute la connexion externe (CAS))

# ---------------------------------------------------------------------------
# Common Alfresco properties
# ---------------------------------------------------------------------------
dir.root=/opt/alfresco-5.0.c/alf_data

# Host, port and protocol under which the repository and Share are reachable.
# NOTE(review): these still say http / 127.0.0.1 / 8080 although the guide serves users over
# https://alfcas.local.com:8443; confirm whether they should follow the HTTPS set-up.
alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=8080
alfresco.protocol=http
share.context=share
share.host=127.0.0.1
share.port=8080
share.protocol=http

# --- Database connection ---
# NOTE(review): db.password is kept in clear text; restrict read access to this file and use a
# strong password of your own rather than the sample value.
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=adad
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}
# The database must accept at least this many connections (see the database documentation).
db.pool.max=275
db.pool.validate.query=SELECT 1

# --- Server mode: UNKNOWN | TEST | BACKUP | PRODUCTION ---
system.serverMode=UNKNOWN

# --- FTP server ---
ftp.port=21

# --- RMI registry port for JMX ---
alfresco.rmi.services.port=50500

# --- External executables ---
ooo.exe=/opt/alfresco-5.0.c/libreoffice/program/soffice
ooo.enabled=true
ooo.port=8100
img.root=/opt/alfresco-5.0.c/common
img.dyn=${img.root}/lib
img.exe=${img.root}/bin/convert
swf.exe=/opt/alfresco-5.0.c/common/bin/pdf2swf
swf.languagedir=/opt/alfresco-5.0.c/common/Japanese
jodconverter.enabled=false
jodconverter.officeHome=/opt/alfresco-5.0.c/libreoffice
jodconverter.portNumbers=8100

# --- Initial admin password (the value is a 32-hex-digit hash, not clear text) ---
# NOTE(review): a published hash should be treated like a published password; set your own
# initial password and change it after the first login.
alfresco_user_store.adminpassword=a6cae0422a41582f4b68eed235051a5f

# --- E-mail site invitations ---
notification.email.siteinvite=false

# --- License location ---
dir.license.external=/opt/alfresco-5.0.c

# --- Solr indexing ---
# NOTE(review): solr.port.ssl is 8443, the same port as the HTTPS connector added to server.xml
# in this guide; confirm how the repository/Solr SSL channel and that connector share the port.
index.subsystem.name=solr4
dir.keystore=${dir.root}/keystore
solr.port.ssl=8443

# --- BPM engine ---
system.workflow.engine.jbpm.enabled=false

# --- Extended ResultSet processing ---
security.anyDenyDenies=false

# --- Authentication: a single "external" subsystem instance named "cas" ---
authentication.chain=cas:external
# NOTE(review): proxyUserName is left empty. Per the Alfresco documentation of the external
# subsystem this presumably means the header named by proxyHeader is accepted from any caller
# instead of only from an authenticated proxy user. If so, anyone who can reach the repository
# directly could name an arbitrary user in X-Alfresco-Remote-User. Verify, and either set a
# proxy user (client certificate) or make sure the repository is reachable only through
# components that overwrite or strip this header.
external.authentication.proxyUserName=
external.authentication.enabled=true
# Whoever the external system authenticates under this name is treated as an administrator.
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=X-Alfresco-Remote-User

 

3.2       share-config-custom.xml

Modifier le fichier /opt/alfresco-5.0.c/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

 

<alfresco-config>

 

   <!-- Global config section -->

   <config replace="true">

      <flags>

         <!--

            Developer debugging setting to turn on DEBUG mode for client scripts in the browser

         -->

         <client-debug>false</client-debug>

 

         <!--

            LOGGING can always be toggled at runtime when in DEBUG mode (Ctrl, Ctrl, Shift, Shift).

            This flag automatically activates logging on page load.

         -->

         <client-debug-autologging>false</client-debug-autologging>

      </flags>

   </config>

  

   <config evaluator="string-compare" condition="WebFramework">

      <web-framework>

         <!-- SpringSurf Autowire Runtime Settings -->

         <!--

              Developers can set mode to 'development' to disable; SpringSurf caches,

              FreeMarker template caching and Rhino JavaScript compilation.

         -->

         <autowire>

            <!-- Pick the mode: "production" or "development" -->

            <mode>production</mode>

         </autowire>

 

         <!-- Allows extension modules with <auto-deploy> set to true to be automatically deployed -->

         <module-deployment>

            <mode>manual</mode>

            <enable-auto-deploy-modules>true</enable-auto-deploy-modules>

         </module-deployment>

      </web-framework>

   </config>

 

   <!-- Disable the CSRF Token Filter -->

   <!--

   <config evaluator="string-compare" condition="CSRFPolicy" replace="true">

      <filter/>

   </config>

   -->

 

   <!--

      To run the CSRF Token Filter behind 1 or more proxies that do not rewrite the Origin or Referer headers:

 

  1. Copy the "CSRFPolicy" default config in share-security-config.xml and paste it into this file.
  2. Replace the old config by setting the <config> element's "replace" attribute to "true" like below:

         <config evaluator="string-compare" condition="CSRFPolicy" replace="true">

  3. To every <action name="assertReferer"> element add the following child element

         <param name="referer">http://www.proxy1.com/.*|http://www.proxy2.com/.*</param>

  4. To every <action name="assertOrigin"> element add the following child element

         <param name="origin">http://www.proxy1.com|http://www.proxy2.com</param>

   -->

 

   <!--

      Remove the default wildcard setting and use instead a strict whitelist of the only domains that shall be allowed

      to be used inside iframes (i.e. in the WebView dashlet on the dashboards)

   -->

   <!--

   <config evaluator="string-compare" condition="IFramePolicy" replace="true">

      <cross-domain>

         <url>http://www.trusted-domain-1.com/</url>

         <url>http://www.trusted-domain-2.com/</url>

      </cross-domain>

   </config>

   -->

 

   <!-- Turn off header that stops Share from being displayed in iframes on pages from other domains -->

   <!--

   <config evaluator="string-compare" condition="SecurityHeadersPolicy">

      <headers>

         <header>

            <name>X-Frame-Options</name>

            <enabled>false</enabled>

         </header>

      </headers>

   </config>

   -->

 

   <!-- Prevent browser communication over HTTP (for HTTPS servers) -->

   <!--

   <config evaluator="string-compare" condition="SecurityHeadersPolicy">

      <headers>

         <header>

            <name>Strict-Transport-Security</name>

            <value>max-age=31536000</value>

         </header>

      </headers>

   </config>

   -->

 

   <config evaluator="string-compare" condition="Replication">

      <share-urls>

         <!--

            To discover a Repository Id, browse to the remote server's CMIS landing page at:

              http://{server}:{port}/alfresco/service/cmis/index.html

            The Repository Id field is found under the "CMIS Repository Information" expandable panel.

 

            Example config entry:

              <share-url repositoryId="622f9533-2a1e-48fe-af4e-ee9e41667ea4">http://new-york-office:8080/share/</share-url>

         -->

      </share-urls>

   </config>

 

   <!-- Document Library config section -->

   <config evaluator="string-compare" condition="DocumentLibrary" replace="true">

      <tree>

         <!--

            Whether the folder Tree component should enumerate child folders or not.

            This is a relatively expensive operation, so should be set to "false" for Repositories with broad folder structures.

         -->

         <evaluate-child-folders>false</evaluate-child-folders>

         <!--

            Optionally limit the number of folders shown in treeview throughout Share.

         -->

         <maximum-folder-count>1000</maximum-folder-count>

         <!-- 

            Default timeout in milliseconds for folder Tree component to recieve response from Repository

         -->

         <timeout>7000</timeout>

      </tree>

      <!--

         Used by the "Manage Aspects" action

         For custom aspects, remember to also add the relevant i18n string(s)

            cm_myaspect=My Aspect

      -->

      <aspects>

         <!-- Aspects that a user can see -->

         <visible>

            <aspect name="cm:generalclassifiable" />

            <aspect name="cm:complianceable" />

            <aspect name="cm:dublincore" />

            <aspect name="cm:effectivity" />

            <aspect name="cm:summarizable" />

            <aspect name="cm:versionable" />

            <aspect name="cm:templatable" />

            <aspect name="cm:emailed" />

            <aspect name="emailserver:aliasable" />

            <aspect name="cm:taggable" />

            <aspect name="app:inlineeditable" />

            <aspect name="cm:geographic" />

            <aspect name="exif:exif" />

            <aspect name="audio:audio" />

            <aspect name="cm:indexControl" />

            <aspect name="dp:restrictable" />

         </visible>

         <!-- Aspects that a user can add. Same as "visible" if left empty -->

         <addable>

         </addable>

         <!-- Aspects that a user can remove. Same as "visible" if left empty -->

         <removeable>

         </removeable>

      </aspects>

      <!--

         Used by the "Change Type" action

         Define valid subtypes using the following example:

            <type name="cm:content">

               <subtype name="cm:mysubtype" />

            </type>

         Remember to also add the relevant i18n string(s):

            cm_mysubtype=My SubType

      -->

      <types>

         <type name="cm:content">

         </type>

         <type name="cm:folder">

         </type>

         <type name="trx:transferTarget">

            <subtype name="trx:fileTransferTarget" />

         </type>

      </types>

      <!--

         If set, will present a WebDAV link for the current item on the Document and Folder details pages.

         Also used to generate the "View in Alfresco Explorer" action for folders.

      -->

      <repository-url>http://localhost:8080/alfresco</repository-url>

      <!--

         Google Docsâ„¢ integration

      -->

      <google-docs>

         <!--

            Enable/disable the Google Docs UI integration (Extra types on Create Content menu, Google Docs actions).

         -->

         <enabled>false</enabled>

         <!--

            The mimetypes of documents Google Docs allows you to create via the Share interface.

            The I18N label is created from the "type" attribute, e.g. google-docs.doc=Google Docs&trade; Document

         -->

         <creatable-types>

            <creatable type="doc">application/vnd.openxmlformats-officedocument.wordprocessingml.document</creatable>

            <creatable type="xls">application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</creatable>

            <creatable type="ppt">application/vnd.ms-powerpoint</creatable>

         </creatable-types>

      </google-docs>

      <!--

         File upload configuration

      -->

      <file-upload>

         <!--

            Adobe Flashâ„¢

            In certain environments, an HTTP request originating from Flash cannot be authenticated using an existing session.

            See: http://bugs.adobe.com/jira/browse/FP-4830

            For these cases, it is useful to disable the Flash-based uploader for Share Document Libraries.

         -->

         <adobe-flash-enabled>true</adobe-flash-enabled>

      </file-upload>

   </config>

   <!-- Custom DocLibActions config section -->

   <config evaluator="string-compare" condition="DocLibActions">

      <actionGroups>

         <actionGroup id="document-browse">

            <!-- Simple Repo Actions -->

            <!--

            <action index="340" id="document-extract-metadata" />

            <action index="350" id="document-increment-counter" />

            -->

            <!-- Dialog Repo Actions -->

            <!--

            <action index="360" id="document-transform" />

            <action index="370" id="document-transform-image" />

            <action index="380" id="document-execute-script" />

            -->

         </actionGroup>

      </actionGroups>

   </config>

   <!-- Global folder picker config section -->

   <config evaluator="string-compare" condition="GlobalFolder">

      <siteTree>

         <container type="cm:folder">

            <!-- Use a specific label for this container type in the tree -->

            <rootLabel>location.path.documents</rootLabel>

            <!-- Use a specific uri to retreive the child nodes for this container type in the tree -->

<uri>slingshot/doclib/treenode/site/{site}/{container}{path}?children={evaluateChildFoldersSite}&amp;max={maximumFolderCountSite}</uri>

         </container>

      </siteTree>

   </config>

   <!-- Repository Library config section -->

   <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">

      <!--

         Root nodeRef or xpath expression for top-level folder.

         e.g. alfresco://user/home, /app:company_home/st:sites/cm:site1

         If using an xpath expression, ensure it is properly ISO9075 encoded here.

      -->

      <root-node>alfresco://company/home</root-node>

      <tree>

         <!--

            Whether the folder Tree component should enumerate child folders or not.

            This is a relatively expensive operation, so should be set to "false" for Repositories with broad folder structures.

         -->

         <evaluate-child-folders>false</evaluate-child-folders>

         <!--

            Optionally limit the number of folders shown in treeview throughout Share.

         -->

         <maximum-folder-count>500</maximum-folder-count>

      </tree>

      <!--

         Whether the link to the Repository Library appears in the header component or not.

      -->

      <visible>true</visible>

   </config>

   <!-- Kerberos settings -->

   <!-- To enable kerberos rename this condition to "Kerberos" -->

   <config evaluator="string-compare" condition="KerberosDisabled" replace="true">

      <kerberos>

         <!--

            Password for HTTP service account.

            The account name *must* be built from the HTTP server name, in the format :

               HTTP/<server_name>@<realm>

            (NB this is because the web browser requests an ST for the

            HTTP/<server_name> principal in the current realm, so if we're to decode

            that ST, it has to match.)

         -->

         <password>secret</password>

         <!--

            Kerberos realm and KDC address.

         -->

         <realm>ALFRESCO.ORG</realm>

         <!--

            Service Principal Name to use on the repository tier.

            This must be like: HTTP/host.name@REALM

         -->

         <endpoint-spn>HTTP/repository.server.com@ALFRESCO.ORG</endpoint-spn>

         <!--

            JAAS login configuration entry name.

         -->

         <config-entry>ShareHTTP</config-entry>

        <!--

           A Boolean which when true strips the @domain sufix from Kerberos authenticated usernames.

           Use together with stripUsernameSuffix property in alfresco-global.properties file.

        -->

        <stripUserNameSuffix>true</stripUserNameSuffix>

      </kerberos>

   </config>

   <!-- Uncomment and modify the URL to Activiti Admin Console if required. -->

   <!--

   <config evaluator="string-compare" condition="ActivitiAdmin" replace="true">

      <activiti-admin-url>http://localhost:8080/alfresco/activiti-admin</activiti-admin-url>

   </config>

   -->

 

   <config evaluator="string-compare" condition="Remote">

      <remote>

         <endpoint>

            <id>alfresco-noauth</id>

            <name>Alfresco - unauthenticated access</name>

            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>

            <connector-id>alfresco</connector-id>

            <endpoint-url>http://alfcas.local.com:8080/alfresco/s</endpoint-url>

            <identity>none</identity>

         </endpoint>

         <endpoint>

            <id>alfresco</id>

            <name>Alfresco - user access</name>

            <description>Access to Alfresco Repository WebScripts that require user authentication</description>

            <connector-id>alfresco</connector-id>

            <endpoint-url>http://alfcas.local.com:8080/alfresco/s</endpoint-url>

            <identity>user</identity>

         </endpoint>

         <endpoint>

            <id>alfresco-feed</id>

            <name>Alfresco Feed</name>

            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>

            <connector-id>http</connector-id>

            <endpoint-url>http://alfcas.local.com:8080/alfresco/s</endpoint-url>

            <basic-auth>true</basic-auth>

            <identity>user</identity>

         </endpoint>

         <!--

         <endpoint>

            <id>activiti-admin</id>

            <name>Activiti Admin UI - user access</name>

            <description>Access to Activiti Admin UI, that requires user authentication</description>

            <connector-id>activiti-admin-connector</connector-id>

            <endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>

            <identity>user</identity>

         </endpoint>

         -->

      </remote>

   </config>

   <!--

        Overriding endpoints to reference an Alfresco server with external SSO enabled

        NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky

              sessions" feature of your load balancer must be used.

        NOTE: If alfresco server location is not localhost:8080 then also combine changes from the

              "example port config" section below.

        *Optional* keystore contains SSL client certificate + trusted CAs.

        Used to authenticate share to an external SSO system such as CAS

        Remove the keystore section if not required i.e. for NTLM.

        NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"

        NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set

              the userHeader to the name of the HTTP header that the external SSO

              uses to provide the authenticated user name.

   -->

   <config evaluator="string-compare" condition="Remote">

      <remote>

         <keystore>

             <path>alfresco/web-extension/alfresco-system.p12</path>

             <type>pkcs12</type>

             <password>alfresco-system</password>

         </keystore>

         <connector>

            <id>alfrescoCookie</id>

            <name>Alfresco Connector</name>

            <description>Connects to an Alfresco instance using cookie-based authentication</description>

            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>

         </connector>

         <connector>

            <id>alfrescoHeader</id>

            <name>Alfresco Connector</name>

            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>

            <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>

            <userHeader>X-Alfresco-Remote-User</userHeader>

         </connector>

         <endpoint>

            <id>alfresco</id>

            <name>Alfresco - user access</name>

            <description>Access to Alfresco Repository WebScripts that require user authentication</description>

            <connector-id>alfrescoCookie</connector-id>

            <endpoint-url>https://alfcas.local.com:8443/alfresco/wcs</endpoint-url>

            <identity>user</identity>

            <external-auth>true</external-auth>

         </endpoint>

      </remote>

   </config>

   <!-- Cookie settings -->

   <!-- To disable alfUsername2 cookie set enableCookie value to "false" -->

   <!--

   <plug-ins>

      <element-readers>

         <element-reader element-name="cookie" class="org.alfresco.web.config.cookie.CookieElementReader"/>

      </element-readers>

   </plug-ins>

   <config evaluator="string-compare" condition="Cookie" replace="true">

      <cookie>

         <enableCookie>false</enableCookie>

         <cookies-to-remove>

            <cookie-to-remove>alfUsername3</cookie-to-remove>

            <cookie-to-remove>alfLogin</cookie-to-remove>

         </cookies-to-remove>

      </cookie>

   </config>

   -->

</alfresco-config>

 

3.3       Share- web.xml

Modifier le fichier /opt/alfresco-5.0.c/tomcat/webapps/share/WEB-INF/web.xml

<?xml version='1.0' encoding='UTF-8'?>

<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">

   <display-name>Alfresco Project Slingshot</display-name>

   <description>Alfresco Project Slingshot application</description>

   <context-param>

      <param-name>org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL</param-name>

      <param-value>true</param-value>

   </context-param>

   <!-- Spring Application Context location and context class -->

   <context-param>

      <description>Spring config file location</description>

      <param-name>contextConfigLocation</param-name>

      <param-value>classpath:web-application-config.xml</param-value>

   </context-param>

   <filter>

      <description>Set HTTP cache Expires header 30 days forward for a mapping.</description>

      <filter-name>CacheExpiresFilter</filter-name>

      <filter-class>org.alfresco.web.scripts.servlet.StaticAssetCacheFilter</filter-class>

      <init-param>

         <description>Add an Expires Header 30 days forward</description>

         <param-name>expires</param-name>

         <param-value>30</param-value>

      </init-param>

   </filter>

   <filter>

      <description>MT authentication support</description>

      <filter-name>MTAuthentationFilter</filter-name>

      <filter-class>org.alfresco.web.site.servlet.MTAuthenticationFilter</filter-class>

   </filter>

   <filter>

      <description>Redirects view and service URLs to the dispatcher servlet.</description>

      <filter-name>UrlRewriteFilter</filter-name>

      <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>

   </filter>

   <filter>

      <description>Share SSO authentication support filter.</description>

      <filter-name>Authentication Filter</filter-name>

      <filter-class>org.alfresco.web.site.servlet.SSOAuthenticationFilter</filter-class>

      <init-param>

         <param-name>endpoint</param-name>

         <param-value>alfresco</param-value>

      </init-param>

   </filter>

   <filter>

      <description>Share CSRF Token filter. Checks for a session based CSRF token in request headers (or form parameters) based on config.</description>

      <filter-name>CSRF Token Filter</filter-name>

      <filter-class>org.alfresco.web.site.servlet.CSRFFilter</filter-class>

   </filter>

   <filter>

      <description>Share Security Headers filter. Adds security response headers based on config.</description>

      <filter-name>Security Headers Filter</filter-name>

      <filter-class>org.alfresco.web.site.servlet.SecurityHeadersFilter</filter-class>

   </filter>

   <!-- CAS -->

   <filter>

        <filter-name>CAS Authentication Filter</filter-name>

        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>

        <init-param>

                <param-name>casServerLoginUrl</param-name>

                <param-value>https://cas.local.com:8443/cas</param-value>

        </init-param>

        <init-param>

                <param-name>serverName</param-name>

                <param-value>https://alfcas.local.com:8443/share</param-value>

        </init-param>

</filter>

<filter>

        <filter-name>CAS Validation Filter</filter-name>

        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>

        <init-param>

                <param-name>casServerUrlPrefix</param-name>

                <param-value>https://cas.local.com:8443/cas</param-value>

        </init-param>

        <init-param>

                <param-name>serverName</param-name>

                <param-value>https://alfcas.local.com:8443/share</param-value>

        </init-param>

</filter>

<filter>

        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>

        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>

</filter>

<!-- /CAS -->

   <filter-mapping>

      <filter-name>CacheExpiresFilter</filter-name>

      <url-pattern>*.jpg</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CacheExpiresFilter</filter-name>

      <url-pattern>*.png</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CacheExpiresFilter</filter-name>

      <url-pattern>*.gif</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CacheExpiresFilter</filter-name>

      <url-pattern>*.css</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CacheExpiresFilter</filter-name>

      <url-pattern>*.js</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>Authentication Filter</filter-name>

      <url-pattern>/page/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>Authentication Filter</filter-name>

      <url-pattern>/p/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>Authentication Filter</filter-name>

      <url-pattern>/proxy/*</url-pattern>

   </filter-mapping>

<filter-mapping>

      <filter-name>CSRF Token Filter</filter-name>

      <url-pattern>/page/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CSRF Token Filter</filter-name>

      <url-pattern>/p/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CSRF Token Filter</filter-name>

      <url-pattern>/proxy/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CSRF Token Filter</filter-name>

      <url-pattern>/service/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>Security Headers Filter</filter-name>

      <url-pattern>/page/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>Security Headers Filter</filter-name>

      <url-pattern>/p/*</url-pattern>

   </filter-mapping>

 

   <filter-mapping>

      <filter-name>Security Headers Filter</filter-name>

      <url-pattern>/proxy/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>Security Headers Filter</filter-name>

      <url-pattern>/service/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>UrlRewriteFilter</filter-name>

      <url-pattern>/proxy/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>UrlRewriteFilter</filter-name>

      <url-pattern>/service/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>UrlRewriteFilter</filter-name>

      <url-pattern>/feedservice/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>UrlRewriteFilter</filter-name>

      <url-pattern>/res/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>UrlRewriteFilter</filter-name>

      <url-pattern>/system/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>UrlRewriteFilter</filter-name>

      <url-pattern>/s/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>MTAuthentationFilter</filter-name>

      <url-pattern>/page/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>MTAuthentationFilter</filter-name>

      <url-pattern>/p/*</url-pattern>

   </filter-mapping>

<!--
     CAS filter mappings: authentication, ticket validation and request wrapping, each applied
     to every URL of the Share web application (/*).
     NOTE(review): filters run in the order of their mappings in this descriptor. These three
     are declared after every stock Share mapping, so Share's own "Authentication Filter" sees
     the request before the CAS filters do. Verify that the CAS user is available where Share
     needs it, or move this group in front of the Share mappings.
     NOTE(review): /* also covers static resources and /proxy/*; confirm that no URL has to
     stay reachable without a CAS session.
-->
   <filter-mapping><filter-name>CAS Authentication Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
   <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
   <filter-mapping><filter-name>CAS HttpServletRequest Wrapper Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
<!-- /CAS -->

   <!-- Spring Context Loader listener - the name of the default global context is passed to the DispatcherServlet

        in the servlet definition below - this is to allow the NTLM filter etc. to find the single app context -->

   <listener>

      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

   </listener>

   <servlet>

      <servlet-name>Spring Surf Dispatcher Servlet</servlet-name>

      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

      <init-param>

         <param-name>contextAttribute</param-name>

         <param-value>org.springframework.web.context.WebApplicationContext.ROOT</param-value>

      </init-param>

      <init-param>

         <param-name>dispatchOptionsRequest</param-name>

         <param-value>true</param-value>

      </init-param>

      <load-on-startup>1</load-on-startup>

   </servlet>

   <servlet-mapping>

      <servlet-name>Spring Surf Dispatcher Servlet</servlet-name>

      <url-pattern>/page/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>Spring Surf Dispatcher Servlet</servlet-name>

      <url-pattern>/p/*</url-pattern>

   </servlet-mapping>

   <session-config>

      <session-timeout>60</session-timeout>

   </session-config>

   <!-- welcome file list precedence order is index.jsp -->

   <welcome-file-list>

      <welcome-file>index.jsp</welcome-file>

   </welcome-file-list>

   <error-page>

      <error-code>500</error-code>

      <location>/error500.jsp</location>

   </error-page>

</web-app>

 

 

3.4       Alfresco- web.xml

 

Modifier le fichier /opt/alfresco-5.0.c/tomcat/webapps/alfresco/WEB-INF/web.xml

<?xml version='1.0' encoding='UTF-8'?>

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"

    version="2.4">

   <display-name>Alfresco</display-name>

   <description>Alfresco</description>

   <!-- Spring Application Context location -->

   <context-param>

      <description>Spring config file location</description>

      <param-name>contextConfigLocation</param-name>

      <param-value>/WEB-INF/web-application-context.xml</param-value>

   </context-param>

   <context-param>

      <description>Do not try to resolve web app root as file</description>

      <param-name>log4jExposeWebAppRoot</param-name>

      <param-value>false</param-value>

   </context-param>

                <!--  These were previously init params for the WebDAV servlet,

                      but since they are also needed to MT-enable the

                      ExternalAccess servlet, I have made them context wide. -->

   <context-param>

         <param-name>store</param-name>

         <param-value>workspace://SpacesStore</param-value>

   </context-param>

   <context-param>

         <param-name>rootPath</param-name>

         <param-value>/app:company_home</param-value>

   </context-param>

   <!-- Enterprise context-param placeholder -->

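<!-- CAS -->

   <!-- CAS client filters (org.jasig.cas.client).
        serverName is only the scheme://host:port of this Alfresco server: the client builds the
        service URL from it plus the request URI, so it must not carry a context path such as /share.
        No SingleSignOutFilter or SingleSignOutHttpSessionListener is declared in this file, so a
        logout at the CAS server does not end the local session; the session lasts until its
        session-timeout or a local logout. -->

   <!-- Sends requests that carry neither a CAS assertion nor a ticket to the CAS login page. -->
   <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
         <param-name>casServerLoginUrl</param-name>
         <param-value>https://cas.local.com:8443/cas/login</param-value>
      </init-param>
      <init-param>
         <param-name>serverName</param-name>
         <param-value>https://alfcas.local.com:8443</param-value>
      </init-param>
   </filter>

   <!-- Validates service tickets by calling the CAS server over HTTPS; the JVM trust store must
        contain the CAS server certificate (the keytool import earlier in this guide).
        NOTE(review): casServerLoginUrl above uses port 8443, this prefix has no port (443 implied).
        Confirm which port the CAS server listens on and make the two values agree. -->
   <filter>
      <filter-name>CasValidationFilter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
         <param-name>casServerUrlPrefix</param-name>
         <param-value>https://cas.local.com/cas</param-value>
      </init-param>
      <init-param>
         <param-name>serverName</param-name>
         <param-value>https://alfcas.local.com:8443</param-value>
      </init-param>
   </filter>

   <!-- Wraps the request for the rest of the filter chain; it takes no init-params here. -->
   <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
   </filter>

<!-- /CAS -->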

   <!-- CAS filter mappings. The three CAS filters apply to /faces/* only and run in the order
        listed here. The servlets mapped elsewhere in this file (/service, /s, /wcservice, /wcs,
        /api, /cmisws, /cmisatom, /cmisbrowser, /webdav, /upload, /download, /d, /dr,
        /guestDownload, /gd) are outside these mappings, so CAS does not authenticate requests
        to them. -->
   <filter-mapping>

      <filter-name>CAS Authentication Filter</filter-name>

      <url-pattern>/faces/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CasValidationFilter</filter-name>

      <url-pattern>/faces/*</url-pattern>

   </filter-mapping>

   <filter-mapping>

      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>

      <url-pattern>/faces/*</url-pattern>

   </filter-mapping>

<!-- /CAS filter mappings -->

   <!-- Enterprise filter-mapping placeholder -->

   <listener>

      <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>

   </listener>

   <!-- Spring Context Loader listener - can disable loading of context if runtime config changes are needed -->

   <listener>

      <listener-class>org.alfresco.web.app.ContextLoaderListener</listener-class>

   </listener>

   <!-- Web Application Context listener - session create/destroy debugging and bootstrap Spring init -->

   <listener>

      <listener-class>org.alfresco.web.app.ContextListener</listener-class>

   </listener>

   <!-- WebDAV session listener - ensures that no locked resources is left after session expires -->

   <listener>

      <listener-class>org.alfresco.repo.webdav.WebDAVSessionListener</listener-class>

   </listener>

   <!-- Web Services context listener for OpenCMIS -->

   <listener>

        <listener-class>com.sun.xml.ws.transport.http.servlet.WSServletContextListener</listener-class>

   </listener>

   <!-- Enterprise listener placeholder -->

   <servlet>

      <servlet-name>uploadContent</servlet-name>

      <servlet-class>org.alfresco.web.app.servlet.UploadContentServlet</servlet-class>

   </servlet>

   <servlet>

      <servlet-name>downloadContent</servlet-name>

      <servlet-class>org.alfresco.web.app.servlet.DownloadContentServlet</servlet-class>

   </servlet>

   <servlet>

      <servlet-name>downloadRawContent</servlet-name>

      <servlet-class>org.alfresco.web.app.servlet.DownloadRawContentServlet</servlet-class>

   </servlet>

   <servlet>

      <servlet-name>guestDownloadContent</servlet-name>

      <servlet-class>org.alfresco.web.app.servlet.GuestDownloadContentServlet</servlet-class>

   </servlet>

   <servlet>

      <servlet-name>WebDAV</servlet-name>

      <servlet-class>org.alfresco.repo.webdav.WebDAVServlet</servlet-class>

      <load-on-startup>5</load-on-startup>

   </servlet>

   <servlet>

      <servlet-name>apiServlet</servlet-name>

      <servlet-class>org.springframework.extensions.webscripts.servlet.WebScriptServlet</servlet-class>

      <init-param>

         <param-name>authenticator</param-name>

         <param-value>webscripts.authenticator.basic</param-value>

      </init-param>

   </servlet>

   <servlet>

      <servlet-name>wcapiServlet</servlet-name>

      <servlet-class>org.springframework.extensions.webscripts.servlet.WebScriptServlet</servlet-class>

      <init-param>

         <param-name>authenticator</param-name>

         <param-value>webscripts.authenticator.webclient</param-value>

      </init-param>

   </servlet>

    <servlet>

        <servlet-name>cmisws10</servlet-name>

        <servlet-class>org.apache.chemistry.opencmis.server.impl.webservices.CmisWebServicesServlet</servlet-class>

        <init-param>

            <param-name>cmisVersion</param-name>

            <param-value>1.0</param-value>

        </init-param>

        <load-on-startup>7</load-on-startup>

    </servlet>

    <servlet>

        <servlet-name>cmisws11</servlet-name>

        <servlet-class>org.apache.chemistry.opencmis.server.impl.webservices.CmisWebServicesServlet</servlet-class>

        <init-param>

            <param-name>cmisVersion</param-name>

            <param-value>1.1</param-value>

        </init-param>

        <load-on-startup>7</load-on-startup>

    </servlet>

    <servlet>

        <servlet-name>cmisatom10</servlet-name>

        <servlet-class>org.apache.chemistry.opencmis.server.impl.atompub.CmisAtomPubServlet</servlet-class>

        <init-param>

            <param-name>callContextHandler</param-name>

            <param-value>org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler</param-value>

        </init-param>

        <init-param>

            <param-name>cmisVersion</param-name>

            <param-value>1.0</param-value>

        </init-param>

        <load-on-startup>8</load-on-startup>

    </servlet>

    <servlet>

        <servlet-name>cmisbrowser</servlet-name>

        <servlet-class>org.apache.chemistry.opencmis.server.impl.browser.CmisBrowserBindingServlet</servlet-class>

        <init-param>

            <param-name>callContextHandler</param-name>

            <param-value>org.apache.chemistry.opencmis.server.shared.BasicAuthCallContextHandler</param-value>

        </init-param>

        <load-on-startup>8</load-on-startup>

    </servlet>

   <servlet>

      <servlet-name>cmistck</servlet-name>

      <servlet-class>org.apache.chemistry.opencmis.tck.runner.WebRunnerServlet</servlet-class>

      <load-on-startup>8</load-on-startup>

   </servlet>

   <servlet>

      <servlet-name>publicapiServlet</servlet-name>

      <servlet-class>org.alfresco.rest.api.PublicApiWebScriptServlet</servlet-class>

      <init-param>

         <param-name>authenticator</param-name>

         <param-value>publicapi.authenticator</param-value>

      </init-param>

   </servlet>

   <!-- Enterprise servlet placeholder -->

   <servlet-mapping>

      <servlet-name>uploadContent</servlet-name>

      <url-pattern>/upload/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>downloadContent</servlet-name>

      <url-pattern>/download/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>downloadContent</servlet-name>

      <url-pattern>/d/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>downloadRawContent</servlet-name>

      <url-pattern>/dr</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>guestDownloadContent</servlet-name>

      <url-pattern>/guestDownload/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>guestDownloadContent</servlet-name>

      <url-pattern>/gd/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

        <servlet-name>WebDAV</servlet-name>

        <url-pattern>/webdav/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>apiServlet</servlet-name>

      <url-pattern>/service/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>apiServlet</servlet-name>

      <url-pattern>/s/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>wcapiServlet</servlet-name>

      <url-pattern>/wcservice/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>wcapiServlet</servlet-name>

      <url-pattern>/wcs/*</url-pattern>

   </servlet-mapping>

    <servlet-mapping>

      <servlet-name>cmisws10</servlet-name>

      <url-pattern>/cmisws/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>cmisatom10</servlet-name>

      <url-pattern>/cmisatom/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>cmisbrowser</servlet-name>

      <url-pattern>/cmisbrowser/*</url-pattern>

   </servlet-mapping>

   <servlet-mapping>

      <servlet-name>publicapiServlet</servlet-name>

      <url-pattern>/api/*</url-pattern>

   </servlet-mapping>

    <session-config>

      <session-timeout>60</session-timeout>

   </session-config>

   <welcome-file-list>

      <welcome-file>index.jsp</welcome-file>

   </welcome-file-list>

  <!-- Toggle securecomms placeholder start -->

   <security-constraint>

      <web-resource-collection>

         <web-resource-name>SOLR</web-resource-name>

         <url-pattern>/service/api/solr/*</url-pattern>

      </web-resource-collection>

      <auth-constraint>

         <role-name>repoclient</role-name>

      </auth-constraint>

 

      <user-data-constraint>

         <transport-guarantee>CONFIDENTIAL</transport-guarantee>

      </user-data-constraint>

   </security-constraint>

   <security-constraint>

      <web-resource-collection>

         <web-resource-name>SOLR</web-resource-name>

         <url-pattern>/s/api/solr/*</url-pattern>

      </web-resource-collection>

      <auth-constraint>

         <role-name>repoclient</role-name>

      </auth-constraint>

      <user-data-constraint>

         <transport-guarantee>CONFIDENTIAL</transport-guarantee>

      </user-data-constraint>

   </security-constraint>

   <security-constraint>

      <web-resource-collection>

         <web-resource-name>SOLR</web-resource-name>

         <url-pattern>/wcservice/api/solr/*</url-pattern>

      </web-resource-collection>

      <auth-constraint>

         <role-name>repoclient</role-name>

      </auth-constraint>

      <user-data-constraint>

         <transport-guarantee>CONFIDENTIAL</transport-guarantee>

      </user-data-constraint>

   </security-constraint>

   <security-constraint>

      <web-resource-collection>

         <web-resource-name>SOLR</web-resource-name>

         <url-pattern>/wcs/api/solr/*</url-pattern>

      </web-resource-collection>

      <auth-constraint>

         <role-name>repoclient</role-name>

      </auth-constraint>

      <user-data-constraint>

         <transport-guarantee>CONFIDENTIAL</transport-guarantee>

      </user-data-constraint>

   </security-constraint>

   <login-config>

      <auth-method>CLIENT-CERT</auth-method>

      <realm-name>Repository</realm-name>

   </login-config>

   <security-role>

     <role-name>repoclient</role-name>

   </security-role>

   <!-- Toggle securecomms placeholder end -->

   <!-- Environment entries. Each one declares a name under properties/, a Java type and a value.
        Only properties/startup.enable carries a value (true); the others are declared with an
        empty value. -->
   <env-entry>

      <description>A flag that globally enables or disables startup of the major Alfresco subsystems.</description>

      <env-entry-name>properties/startup.enable</env-entry-name>

      <env-entry-type>java.lang.Boolean</env-entry-type>

      <env-entry-value>true</env-entry-value>

   </env-entry>

   <!-- Root directory for content and index data -->
   <env-entry>

      <description>The filesystem directory below which content and index data is stored. Should be on a shared disk

         if this is a clustered installation.</description>

      <env-entry-name>properties/dir.root</env-entry-name>

      <env-entry-type>java.lang.String</env-entry-type>

      <env-entry-value/> <!-- Empty value included for JBoss compatibility -->

   </env-entry>

   <!-- Hibernate settings: dialect, query substitutions, generated keys, default schema -->
   <env-entry>

      <description>The fully qualified name of a org.hibernate.dialect.Dialect subclass that allows Hibernate to

         generate SQL optimized for a particular relational database. Choose from org.hibernate.dialect.DerbyDialect,

         org.hibernate.dialect.MySQLInnoDBDialect,

         org.alfresco.repo.domain.hibernate.dialect.AlfrescoOracle9Dialect,

         org.alfresco.repo.domain.hibernate.dialect.AlfrescoSybaseAnywhereDialect,

         org.alfresco.repo.domain.hibernate.dialect.AlfrescoSQLServerDialect, org.hibernate.dialect.PostgreSQLDialect</description>

      <env-entry-name>properties/hibernate.dialect</env-entry-name>

      <env-entry-type>java.lang.String</env-entry-type>

      <env-entry-value/> <!-- Empty value included for JBoss compatibility -->

   </env-entry>

   <env-entry>

      <description>Mapping from tokens in Hibernate queries to SQL tokens. For PostgreSQL, set this to "true

         TRUE, false FALSE".</description>

      <env-entry-name>properties/hibernate.query.substitutions</env-entry-name>

      <env-entry-type>java.lang.String</env-entry-type>

      <env-entry-value/> <!-- Empty value included for JBoss compatibility -->

   </env-entry>

   <env-entry>

      <description>Enable use of JDBC3 PreparedStatement.getGeneratedKeys() to retrieve natively generated keys

         after insert. Requires JDBC3+ driver. Set to false if your driver has problems with the Hibernate identifier

         generators. By default, tries to determine the driver capabilities using connection metadata. </description>

      <env-entry-name>properties/hibernate.jdbc.use_get_generated_keys</env-entry-name>

      <env-entry-type>java.lang.String</env-entry-type>

      <env-entry-value/> <!-- Empty value included for JBoss compatibility -->

   </env-entry>

   <env-entry>

      <description>Qualify unqualified table names with the given schema/tablespace in generated SQL. It may be

         necessary to set this when the target database has more than one schema.</description>

      <env-entry-name>properties/hibernate.default_schema</env-entry-name>

      <env-entry-type>java.lang.String</env-entry-type>

      <env-entry-value/> <!-- Empty value included for JBoss compatibility -->

   </env-entry>

</web-app>

 

Redémarrer Alfresco : /etc/init.d/alfresco start
