Get documents based on permissions over CMIS

del007
Active Member II

Get documents based on permissions over CMIS

Hello,

We are working on a web application which provides documents to users. We use SSO to allow access, so we have only the username of the person who is connected (we don't have the password). Documents are stored in Alfresco. We suppose we have all access information (permissions) for a concrete document set only in Alfresco (ACL).

We would like to connect the web application to Alfresco over CMIS.

How can we get (over CMIS) the documents for which only one concrete user has permission rights? Is it possible to connect over CMIS as "administrator" and get permission rights as some concrete user? Or is it possible to use some query to filter document results based on permission rights?

Thank you for advice

1 Solution

Accepted Solutions
mehe
Senior Member II

Re: Get documents based on permissions over CMIS

ahhh, there is too much ticketing here and we lost context on the way :-) 

Yes, the virtual user ROLE_TICKET needs a valid alf_ticket used as password.  You can obtain this ticket with a simple WebScript when you login to alfresco manually or supported by a SSO solution like CAS.

Obtain the alf_ticket from, for example, .../alfresco/wcservice/autoticket.json (if you provided it to Alfresco - you should be authenticated automatically via your CAS SSO when accessing a WebScript over wcservice) and use the returned alf_ticket as password for the user ROLE_TICKET when opening a CMIS session.

11 Replies
mehe
Senior Member II

Re: Get documents based on permissions over CMIS

Hi,

this seems to be a concept, that wouldn't use alfresco's potential.

What about getting an alfresco ticket via SSO and connect over cmis with user "ROLE_TICKET" and use the ticket as password?

del007
Active Member II

Re: Get documents based on permissions over CMIS

Thank you for your advice. I will try to get more information about using the ticket as a password.

del007
Active Member II

Re: Get documents based on permissions over CMIS

I'm trying to find out how it works and what is necessary to configure. We have Alfresco Community v5.1.0 and CAS SSO.
I suppose the web application gets a ticket from the SSO server after user login. This ticket is used to connect to Alfresco via CMIS. Alfresco connects to SSO to get information about the user based on the ticket.

I found an example of CAS configuration for Share. But I suppose in this case Alfresco has to be configured to connect to SSO.

Is there any tutorial or example available?

Thanks

mehe
Senior Member II
del007
Active Member II

Re: Get documents based on permissions over CMIS

I found several examples but I wasn't sure which one should work with CMIS. Thank you for the link. I'm going to test it.

del007
Active Member II

Re: Get documents based on permissions over CMIS

Hi,

I had a lot of problems finding a working configuration, but I finally use CAS SSO to log in to Share. It works as I expected (mod_auth_cas is used as described in the documentation above).

I can also get a proxy ticket from SSO. When I tried to connect over CMIS with user "ROLE_TICKET" and the ticket as password, an exception was thrown: org.apache.chemistry.opencmis.commons.exceptions.CmisConnectionException: Unexpected document! Received: HTML document.

I suppose it is because the SSO login page is sent. Therefore I changed mod_auth_cas.conf - the URL to CMIS is not under SSO. The exception has changed to org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException.

I think CMIS (Alfresco) has to have information about where the CAS SSO server is located (URL). Without this information Alfresco can't send a query to SSO to get the user (based on the ticket). But the SSO server information is set only in the "apache" configuration. Am I right? Is it possible to let Alfresco know the SSO server URL?

Thanks

Regards

Petr

mehe
Senior Member II

Re: Get documents based on permissions over CMIS

Try to debug it a little - try to access the CMIS URL directly over Tomcat, avoiding Apache. There it should accept the ROLE_TICKET. I think that OpenCMIS itself has no CAS plugin, so you're on the right track when you try to avoid CAS when accessing the CMIS endpoint (you want the ROLE_TICKET user).

Is the ticket you describe a valid alf_ticket?

I use a "dummy" webscript consisting just of a FreeMarker template to obtain a valid ticket and some user data via the configured SSO mechanism:

autoticket.desc.xml

<webscript>
  <shortname>AutoTicket</shortname>
  <description>returns SSO ticket</description>
  <url>/autoticket</url>
  <format default="json">extension</format>
  <authentication>user</authentication>
</webscript>

autoticket.get.json.ftl

alfUserData={
  "ticket":"${sessionticket.ticket}",
  "firstName":"${person.properties.firstName}",
  "lastName":"${person.properties.lastName}",
  "userName":"${person.properties.userName}",
  "email":"${person.properties.email!''}"
};

I needed the JSON form, because I'm using it in an Angular SPA, but you can also return XML or HTML (see the WebScript documentation).

When you invoke this webscript over .../alfresco/wcservice/autoticket.json it uses the configured SSO mechanism. Then use this ticket when accessing CMIS - avoid CAS then.

${sessionticket.ticket} is only valid for new Alfresco versions. In older versions it was ${session.ticket}.

Maybe this helps. 

del007
Active Member II

Re: Get documents based on permissions over CMIS

When I read your response, I think I understood everything wrong before.
I thought I had to configure Alfresco/Share to use CAS SSO. Then a user uses SSO to connect to my web application. This application gets a Proxy Ticket from CAS SSO and uses it to connect to Alfresco over CMIS.

The ticket I was thinking of has nothing to do with alf_ticket.

So, do I understand it correctly now that I have to write some webscript which will return an alf_ticket (the input parameter will be only the user name)? My web application has information about the connected user, so it will call this script to get the alf_ticket and then this ticket will be used to connect over CMIS.

mehe
Senior Member II

Re: Get documents based on permissions over CMIS

ahhh, there is too much ticketing here and we lost context on the way :-) 

Yes, the virtual user ROLE_TICKET needs a valid alf_ticket used as password.  You can obtain this ticket with a simple WebScript when you login to alfresco manually or supported by a SSO solution like CAS.

Obtain the alf_ticket from, for example, .../alfresco/wcservice/autoticket.json (if you provided it to Alfresco - you should be authenticated automatically via your CAS SSO when accessing a WebScript over wcservice) and use the returned alf_ticket as password for the user ROLE_TICKET when opening a CMIS session.
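
The session setup described in the accepted answer, as an added example that is not part of the original thread: an OpenCMIS client that authenticates as ROLE_TICKET with the alf_ticket as password, so the query only returns documents the ticket's user may read. The host name, the `ALF_TICKET` environment variable and the class name are assumptions; the URL is the CMIS 1.1 AtomPub path on Tomcat, reached directly so that mod_auth_cas does not answer with its login page.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.chemistry.opencmis.client.api.QueryResult;
import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;
import org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException;

public class TicketCmisSession {
    // Placeholder host (assumption). Use TLS: the ticket travels as a Basic-auth password.
    static final String ATOMPUB_URL =
        "https://alfresco.example.internal:8443/alfresco/api/-default-/public/cmis/versions/1.1/atom";

    static Session open(String alfTicket) {
        // A CAS proxy ticket is not an alf_ticket; Alfresco tickets start with "TICKET_".
        if (alfTicket == null || !alfTicket.startsWith("TICKET_")) {
            throw new IllegalArgumentException("value is not an alf_ticket");
        }
        Map<String, String> params = new HashMap<>();
        params.put(SessionParameter.USER, "ROLE_TICKET");   // virtual user
        params.put(SessionParameter.PASSWORD, alfTicket);    // ticket as password
        params.put(SessionParameter.ATOMPUB_URL, ATOMPUB_URL);
        params.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        return SessionFactoryImpl.newInstance().getRepositories(params).get(0).createSession();
    }

    public static void main(String[] args) {
        // Assumption: the web application fetched this per user from the autoticket webscript.
        String ticket = System.getenv("ALF_TICKET");
        try {
            Session session = open(ticket);
            // Alfresco evaluates the ACLs of the ticket's user; no permission filter is needed here.
            for (QueryResult row : session
                    .query("SELECT cmis:objectId, cmis:name FROM cmis:document", false)
                    .getPage(20)) {
                String name = row.getPropertyValueById("cmis:name");
                System.out.println(name);
            }
        } catch (CmisUnauthorizedException e) {
            // Expired or invalidated ticket: fetch a new one, and never log the ticket value.
            System.err.println("Ticket rejected; re-authenticate through SSO.");
        }
    }
}
```

Treat the alf_ticket as a bearer credential for that user: keep it in the server-side session only and request one ticket per signed-in user rather than sharing an administrator ticket.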