3

I'm using Alfresco 5.0.a, the newest version. I've followed the wiki guides about restricting permissions for the creation of Alfresco sites. I want only Alfresco administrators to be able to create them. I've followed this guide taken from the Alfresco Wiki:

Controlling site creation permissions in Alfresco 3.4.6 and later

In Alfresco Versions 3.4.6 (and higher) and 4.0, the permissions on the Sites root have been changed. To ensure that only Site objects are created within the Sites root, the Contributor permissions have been removed from the Sites root, and site creation permissions are now handled on the Site Service itself.

For Alfresco 4.0, to change who is able to create sites, you need to alter the spring context to set the permissioning. One way is to change the alfresco/public-services-security-context.xml file (in the default install found in webapps/alfresco/WEB-INF/classes/alfresco/public-services-security-context.xml)

Change from

org.alfresco.service.cmr.site.SiteService.createSite=ACL_ALLOW

to

org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR

I found another Spring file, similar to the file in the wiki, in $TOMCAT_HOME/shared/classes/alfresco/extension/unsecured-public-services-security-context.xml

But I did not find those Spring bean lines. So I added this code:

<bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
 <property name="authenticationManager">
  <ref bean="authenticationManager"/>
 </property>
 <property name="accessDecisionManager">
  <ref local="accessDecisionManager"/>
 </property>
 <property name="afterInvocationManager">
  <ref local="afterInvocationManager"/>
 </property>
 <property name="objectDefinitionSource">
  <value>
   org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR
   org.alfresco.service.cmr.site.SiteService.*=ACL_ALLOW
  </value>
 </property>
</bean>

I get this (and a lot of other exceptions, but probably this is the most interesting one).

I add the exception that could be interesting from catalina.out:

Jul 17, 2014 11:59:38 PM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.alfresco.web.app.ContextLoaderListener
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Failed to import bean definitions from URL location [classpath:alfresco/application-context.xml]
Offending resource: ServletContext resource [/WEB-INF/web-application-context.xml]; nested exception is org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Failed to import bean definitions from URL location [classpath*:alfresco/extension/*-context.xml]
Offending resource: class path resource [alfresco/application-context.xml]; nested exception is org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 29 in XML document from file [/opt/alfresco-5.0.a/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/extension/public-services-security-context.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 29; columnNumber: 9; An element with the identifier "afterInvocationManager" must appear in the document.

I don't know how to proceed. I can't find the public-services-security-context.xml Spring file. Although I found a similar file, any changes suggested from the guide are useless. Any thoughts? Thank you very much. With my best regards.

Mattia Parise

Pliskin
  • I'm not talking about professional server, networking, or related infrastructure administration, it's only about permissions on Alfresco for managing sites. There's nothing about networking inside this question, nor servers. – Pliskin Jul 17 '14 at 22:38
  • You are talking about config settings for administering websites. That's why this has been targeted for SuperUser. If you are talking about writing code for user-level programs - then we could talk. Seriously - you are likely to get better help on SuperUser - I'd strongly consider asking this question there. – Taryn East Jul 17 '14 at 23:25
  • It's something like this. http://stackoverflow.com/questions/22531555/how-to-hide-create-site-link-for-particular-user?answertab=active#tab-top They are Alfresco Sites, I need to edit some Spring configuration files, and every question I found similar is in Stackoverflow. I don't know why I should go to Super User or ServerFault while that question was not redirected there. I'm sorry but I don't think I'm in the wrong place. My question directly involves programming or programming tools... I'm not talking about simply websites. – Pliskin Jul 17 '14 at 23:30
  • Please be aware that the reviewers that flag your post... are not necessarily familiar with Alfresco. The language in your post speaks of administering websites and updating config files for websites and tomcat... thus your question *sounds* like a superuser question. Now - if that is an incorrect impression - I recommend you update your question to make it clearer :) But if not... we are recommending S/U to you for your own good - we think you'd get better results there (you clearly didn't get good results here)... – Taryn East Jul 17 '14 at 23:35
  • 1
    You're right. Sorry for being not so precise. I will update my question... I'll try, if I won't get right results here I'll try there. Let's hope. Thanks for the patience! :) – Pliskin Jul 17 '14 at 23:41

2 Answers

5

There's a more specific implementation example for this here: https://forums.alfresco.com/forum/end-user-discussions/alfresco-share/siteservicesecurity-bean-override-causes-severe-error

Specifically, you need to add a file into your shared/classes/alfresco/extension/ folder in your tomcat instance named something like custom-public-services-security-context.xml. Add the corresponding bean definition as mentioned in the Alfresco wiki, restart Alfresco and voila.

You may also need to override the bean definition from site-services-context.xml as per the instructions and this is done in much the same way.

For reference, the file changes required are here: http://wiki.alfresco.com/wiki/Site_Service#Controlling_who_can_create_sites

For Alfresco 5.0.a specifically I added the following file to shared/classes/alfresco/extension/.

custom-public-services-security-context.xml:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

    <bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                org.alfresco.service.cmr.site.SiteService.cleanSitePermissions=ACL_NODE.0.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.createContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.site.SiteService.deleteSite=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.findSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.getContainer=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.listContainers=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.getMembersRole=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.getMembersRoleInfo=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.resolveSite=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.getSite=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.getSiteShortName=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.getSiteGroup=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.getSiteRoleGroup=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.getSiteRoles=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.getSiteRoot=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.hasContainer=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.hasCreateSitePermissions=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.hasSite=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.isMember=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.listMembers=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.listMembersInfo=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.listMembersPaged=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.listSites=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.listSitesPaged=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.site.SiteService.removeMembership=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.canAddMember=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
            </value>
        </property>
    </bean>

</beans>
Mardoz
  • Sorry, what do you mean with "You may also need to override the bean definition from site-services-context.xml as per the instructions and this is done in much the same way"? I don't have that file (version 5.0.a of Alfresco does not have those files, they are inside the repository). Should I make a custom-site-services-context.xml file with only that bean? – Pliskin Jul 18 '14 at 21:06
  • The solution is not working... I got a list of exceptions: ERROR [extensions.webscripts.AbstractRuntime] [http-apr-8080-exec-8] Exception from executeScript - redirecting to status template error: No authentication provider for net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken net.sf.acegisecurity.providers.ProviderNotFoundException: No authentication provider for net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken. I don't know what I should do. Even setting org.alfresco.service.cmr.site.SiteService.createSite=ACL_ALLOW gives error – Pliskin Jul 18 '14 at 21:23
  • @Pliskin Is this still not working for you? It's been marked correct but I can take another look if required. – Mardoz Jul 19 '14 at 16:18
  • 1
    Can you check with Alfresco 5.0.a? It's not working unfortunately. Thanks for your support! – Pliskin Jul 19 '14 at 16:19
  • @Pliskin Updated the answer for you. Indeed they have hidden this context file away in this version, I guess it's in one of the JARs. The above modified bean is from the Alfresco source at 5.0.a. – Mardoz Jul 20 '14 at 18:38
  • Thank You @Mardoz. I'll test and let you know. – Pliskin Jul 20 '14 at 18:41
  • What needs to be updated in site-services-context.xml? I have updated the custom-public-services-security.xml file and placed it in the extension folder but I'm still seeing the create site option for all the users. Any help is appreciated. – nikhil84 Apr 04 '17 at 17:13
  • @nikhil84 If you still need help on this, the instructions for the site-services-context.xml are in the wiki link. If you're struggling in your specific scenario I recommend the alfresco forums. – Mardoz May 09 '17 at 10:29
  • @Pliskin I'm good now.. I am able to achieve the goal. Thank you! – nikhil84 Jun 21 '17 at 18:04
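
As an added example (not part of the posts above and not Alfresco code): a small Python check for an extension context file like the ones posted here. It flags `<ref local="...">` targets that have no bean with that id in the same file, which is the condition the SAXParseException in the question reports, and it checks that createSite is limited to ROLE_ADMINISTRATOR with an ACL_DENY catch-all as in the 5.0.a file above. The name audit_context, the embedded sample and the treatment of a non-ACL_DENY catch-all as a finding are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the bean from the question wrapped in <beans>; not a real deployment file.
QUESTION_XML = """<beans>
 <bean id="SiteService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
  <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
  <property name="objectDefinitionSource"><value>
   org.alfresco.service.cmr.site.SiteService.createSite=ACL_METHOD.ROLE_ADMINISTRATOR
   org.alfresco.service.cmr.site.SiteService.*=ACL_ALLOW
  </value></property>
 </bean>
</beans>"""


def audit_context(xml_text, guarded="createSite", role="ROLE_ADMINISTRATOR"):
    """Return a list of findings for a context file that overrides a *_security bean."""
    root = ET.fromstring(xml_text)
    findings = []
    local_ids = {b.get("id") for b in root.iter("bean") if b.get("id")}
    # <ref local="x"/> is an IDREF in the Spring beans DTD: the validating parser
    # rejects the file unless a bean with id="x" is defined in this same document.
    for ref in root.iter("ref"):
        target = ref.get("local")
        if target and target not in local_ids:
            findings.append(f"ref local='{target}' has no bean in this file; use ref bean=")
    for bean in root.iter("bean"):
        for prop in bean.findall("property[@name='objectDefinitionSource']"):
            # Each non-empty line is "<fully.qualified.method>=<security definition>".
            rules = dict(
                line.strip().split("=", 1)
                for line in (prop.findtext("value") or "").splitlines()
                if "=" in line
            )
            by_method = {k.rsplit(".", 1)[-1]: v for k, v in rules.items()}
            if by_method.get(guarded) != f"ACL_METHOD.{role}":
                findings.append(f"{bean.get('id')}: {guarded} is not limited to {role}")
            # Overriding the bean replaces the whole method list, so the catch-all
            # decides what happens to every method not listed explicitly.
            if by_method.get("*") != "ACL_DENY":
                findings.append(f"{bean.get('id')}: catch-all is {by_method.get('*')}, not ACL_DENY")
    return findings


if __name__ == "__main__":
    for finding in audit_context(QUESTION_XML):
        print(finding)
```
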
0

In case you come across this post, here is a module ready for deployment:
https://github.com/jpotts/share-site-creators/releases

elsadek