
SiteService_security bean override causes SEVERE error

gerryr
Champ in-the-making
I'm trying to restrict ability to create/delete Sites to just admins.

So I copy the SiteService_security bean from  tomcat/webapps/alfresco/WEB-INF/classes/alfresco/public-services-security-context.xml and put it into a custom file:  tomcat/shared/classes/alfresco/web-extension/custom-public-services-security-context.xml.

Then I change these two lines:
org.alfresco.service.cmr.site.SiteService.createSite=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_ALLOW
to:
org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_METHOD.ROLE_ADMINISTRATOR

and restart Tomcat

This results in a listener error in the catalina.log file:
        INFO: Deploying web application archive C:\Alfresco\tomcat\webapps\share.war
        Jan 11, 2014 6:33:05 PM org.apache.catalina.core.StandardContext startInternal
==>    SEVERE: Error listenerStart
        Jan 11, 2014 6:33:05 PM org.apache.catalina.core.StandardContext startInternal
        SEVERE: Context [/share] startup failed due to previous errors

So I run netstat and see this:
$ netstat -a | grep 8080
  TCP    127.0.0.1:8080         XX-XXXXXXXX-XXX:57564  TIME_WAIT
  TCP    127.0.0.1:8080         XX-XXXXXXXX-XXX:57566  TIME_WAIT

There are two processes listening on 8080 and of course nothing works.  You get the Tomcat error page everywhere.

I reran this several times making sure that netstat showed nothing on 8080 before restarting Tomcat and got same results.

Shouldn't the bean declaration in the custom file supersede the same bean in the war?

6 REPLIES

afaust
Legendary Innovator
Hello,

the custom-public-services-security-context.xml is in the wrong directory. It should be in the tomcat/shared/classes/alfresco/extension directory instead, since it affects the Repository. All files in web-extension are meant to affect Share and since the security configuration contains elements that are particular to the Repository (Share doesn't know about), this may cause your error.

Regards
Axel

gerryr
Champ in-the-making
Yes, makes perfect sense.  Thanks.

I placed the file into tomcat/shared/classes/alfresco/extension and it's trying to load the bean definition but now it's giving me an initialization error about 'afterInvocationManager' not being in document.

11:53:08,405 ERROR [org.springframework.web.context.ContextLoader] Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Failed to import bean definitions from URL location [classpath:alfresco/application-context.xml]
Offending resource: ServletContext resource [/WEB-INF/web-application-context.xml]; nested exception is org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Failed to import bean definitions from URL location [classpath*:alfresco/extension/*-context.xml]
Offending resource: class path resource [alfresco/application-context.xml]; nested exception is org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 47 in XML document from file [C:\Alfresco\tomcat\shared\classes\alfresco\extension\custom-public-services-security-context.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 47; columnNumber: 9; An element with the identifier "afterInvocationManager" must appear in the document.
        at org.springframework.beans.factory.parsing.FailFastProblemReporter.error(FailFastProblemReporter.java:68)
        at org.springframework.beans.factory.parsing.ReaderContext.error(ReaderContext.java:85)
        at org.springframework.beans.factory.parsing.ReaderContext.error(ReaderContext.java:76)


I then changed the following two lines in the bean declaration:
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>

to:
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>


and now this appears to be working properly.  The Create and Delete Sites authority is restricted to admins.

nwali
Star Contributor

I have created the custom-public-services-security-context.xml and placed it in tomcat/shared/classes/alfresco/extension. Still I'm able to see the create site option for all the users.

Below is custom-public-services-security-context.xml file:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

<bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.Group_Site_Creator
org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
</value>
</property>
</bean>

</beans>

Please let me know if anything else needs to change.

idwright
Star Collaborator

I recommend GitHub - jpotts/share-site-creators: An Alfresco add-on that limits site creation to those in a spec... 

Even if you don't want to use it as is, then it will give a guide as to what to do.

nwali
Star Contributor

Thank you for the quick reply.

I know about this plugin, and it targets Alfresco 5.1.f, whereas I'm using Alfresco 5.0.d.

But my main concern is why the above changes are not running properly. What reason is behind this unsuccessful running? Is there any step or file that I missed modifying?

Appreciate your help!

idwright
Star Collaborator

There is an older version for 5.0.d

The change you have made will prevent the user from making the change; however, it's running on the back end alfresco/repo/platform (whatever it's called these days!)

If you want to hide the menu option as well, then you'll have to look at the share side code as well.

I think you'll find that it is working but only to the extent that if somebody without permission tries to create a site then they will get an error message.
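
Added example (not part of any post in this thread, and not Alfresco's own code): a small audit of a Repository-side override file for the two problems discussed above, namely `ref local` references that cannot resolve in a separate file and sensitive methods left at `ACL_ALLOW`. The names `audit_override`, `SENSITIVE` and `SAMPLE` are hypothetical, and the script assumes a DTD-style (non-namespaced) beans file like the one posted here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of the override posted in this thread.
SAMPLE = """<beans>
<bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_ALLOW
org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
</value>
</property>
</bean>
</beans>"""

SENSITIVE = ("createSite", "deleteSite")  # methods this thread wants restricted


def audit_override(xml_text, bean_id="SiteService_security"):
    """Return a list of findings for one method-security bean override."""
    root = ET.fromstring(xml_text.strip())
    bean = next((b for b in root.iter("bean") if b.get("id") == bean_id), None)
    if bean is None:
        return [f"bean {bean_id} not found"]
    findings = []
    # <ref local="x"/> is an XML IDREF, so "x" must be defined in the same
    # file; in a separate override file that fails DTD validation.
    for ref in bean.iter("ref"):
        if ref.get("local"):
            findings.append(f"ref local={ref.get('local')}: use ref bean= instead")
    # Parse the "fully.qualified.method=TOKEN[,TOKEN]" lines into a dict.
    rules = {}
    for prop in bean.iter("property"):
        if prop.get("name") == "objectDefinitionSource":
            for line in (prop.findtext("value") or "").splitlines():
                if "=" in line:
                    method, acl = line.strip().split("=", 1)
                    rules[method.rsplit(".", 1)[-1]] = acl.split(",")
    # Assumption: a method with no rule of its own falls back to the wildcard.
    for name in SENSITIVE:
        acl = rules.get(name) or rules.get("*") or ["<no rule>"]
        if not any(t.startswith(("ACL_METHOD.", "ACL_DENY")) for t in acl):
            findings.append(f"{name} has no authority restriction: {','.join(acl)}")
    return findings


if __name__ == "__main__":
    for finding in audit_override(SAMPLE):
        print(finding)
```

The audit covers only the Repository override; as the last reply notes, whether Share still shows the menu entry is a separate, Share-side matter.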
