topic Re: Get documents based on permissions over CMIS in Alfresco Forum

Get documents based on permissions over CMIS

del007 — Fri, 31 Mar 2017 10:37:24 GMT

Hello,We are working on web application which provides documents to users. We use SSO to allow access – so we have only username of a person who is connected (we don´t have password). Documents are stored in Alfresco. We suppose we have all access information (permission) to concrete document set on

Re: Get documents based on permissions over CMIS

mehe — Fri, 31 Mar 2017 12:13:59 GMT

Hi,

this seems to be a concept, that wouldn't use alfresco's potential.

What about getting an alfresco ticket via SSO and connect over cmis with user "ROLE_TICKET" and use the ticket as password?

Re: Get documents based on permissions over CMIS

del007 — Mon, 03 Apr 2017 05:54:41 GMT

Thank you for your advice. I will try to get more information about using the ticket as a password.

Re: Get documents based on permissions over CMIS

del007 — Tue, 04 Apr 2017 12:00:32 GMT

I'm trying to find out how it works and what is neccessary to configure. We have Alfresco Community v5.1.0 and CAS SSO.
I suppose web application gets a ticket from SSO server after user login. This ticket is used to connect to Alfresco via CMIS. Alfresco connect to SSO to get information about user based on ticket.

I found an example of CAS configuration for share. But I suppose in this case Alfresco has to be configure to connect to SSO.

Is any tutorial or example available?

Thanks

Re: Get documents based on permissions over CMIS

mehe — Tue, 04 Apr 2017 13:37:38 GMT

Have you already looked at Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation

Re: Get documents based on permissions over CMIS

del007 — Wed, 05 Apr 2017 09:00:16 GMT

I found several examples but I wasn't sure which one should work with CMIS. Thank you for link. I'm going to test it.

Re: Get documents based on permissions over CMIS

del007 — Wed, 17 May 2017 11:56:32 GMT

Hi,

I had a lot of problems to find working configuration but finally I use CAS SSO to login to share. It works as I expected (mod_auth_cas is used as described in documentation above).

I can also get proxy ticket from SSO. When I tryied to connect over cmis with user "ROLE_TICKET" and the ticket as password an exception was thrown: org.apache.chemistry.opencmis.commons.exceptions.CmisConnectionException: Unexpected document! Received: HTML document.

I suppose it is because sso login page is send. Therefore I changed mod_auth_cas.conf - URL to cmis is not under SSO. The exception has change to org.apache.chemistry.opencmis.commons.exceptions.CmisUnauthorizedException.

I think cmis(alfresco) has to have information where CAS SSO server is located (URL). Without this information alfresco can't send query to SSO to get user (based on ticket). But SSO server information is set only in "apache" configuration. Am I right? Is it possible to let alfresco know the SSO server URL?

Thanks

Regards

Petr

Re: Get documents based on permissions over CMIS

mehe — Wed, 17 May 2017 13:49:19 GMT

Try to debug it a little - try to access the cmis url directly over tomcat, avoiding apache. There it should accept the ROLE_TICKET. I think that OpenCMIS itself has no CAS Plugin, so you're on the right way when you try to avoid CAS when accessing the CMIS endpoint (you want the ROLE_TICKET user).

Is the ticket you describe a valid alf_ticket?

I use a "dummy" webscript consisting just of a free marker template to obtain a valid ticket and some user data via the configured SSO mechanism

autoticket.desc.xml

<webscript>
  <shortname>AutoTicket</shortname>
  <description>returns SSO ticket</description>
  <url>/autoticket</url>
  <format default="json">extension</format>
  <authentication>user</authentication>
</webscript>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

autoticket.get.json.ftl

alfUserData={
  "ticket":"${sessionticket.ticket}",
  "firstName":"${person.properties.firstName}",
  "lastName":"${person.properties.lastName}", 
  "userName":"${person.properties.userName}",
  "email":"${person.properties.email!''}"
};‍‍‍‍‍‍‍‍‍‍‍‍‍‍

I needed the json form, because I'm using it in an angular SPA, but you can also return XML or HTML (see WebScript documentation)

When you invoke this webscript over .../alfresco/wcservice/autoticket.json it uses the configured SSO mechanism. Then use this ticket, when accessing cmis - avoid CAS then.

${sessionticket.ticket} is only valid for new alfresco versions. In older versions it was ${session.ticket}

Maybe this helps.

Re: Get documents based on permissions over CMIS

del007 — Wed, 24 May 2017 12:19:15 GMT

When I read your response I think I understand everything wrong before.
I thought I have to configure alfresco/share to use CAS SSO. Then a user use SSO to connect to my web application. This application gets from CAS SSO Proxy Ticket and use it to connect Alfresco over CMIS.

Ticket which I thought has nothing with alf_ticket.

So, understand I it well now that I have to write some webscript which will return alf_ticket (the input parameter will be only user name)? My web application has information of connected user so it will call this script to get alt_ticket and then this ticket will be used to connect over CMIS.

Re: Get documents based on permissions over CMIS

mehe — Wed, 24 May 2017 12:50:52 GMT

ahhh, there is too much ticketing here and we lost context on the way 🙂

Yes, the virtual user ROLE_TICKET needs a valid alf_ticket used as password. You can obtain this ticket with a simple WebScript when you login to alfresco manually or supported by a SSO solution like CAS.

Obtain the alf_ticket from, for example .../alfresco/wcservice/autoticket.json (if you provided it to alfresco - you should be authenticated automatically via your CAS SSO when accessing a webSript over wcservice) and use the returned alf_ticket as password for the user ROLE_TICKET when opening a cmis session.

Re: Get documents based on permissions over CMIS

del007 — Thu, 25 May 2017 09:43:10 GMT

Thank you very much for your responses and advices. It is working now 🙂

Re: Get documents based on permissions over CMIS

kranthi — Mon, 04 Sep 2017 05:37:26 GMT

Hello petr Delong ,

I am also trying for role based ticket.Right now I am able to get the alf_ticket to access the alfresco/services to open the documents but I want to get the document based on the user permissions.In my application also I pushing documents through the CMIS to alfresco.