Leveraging Alfresco Framework for WCM
Alfresco is the leading provider of open source Enterprise Content Management and provides Enterprise grade, scalable, robust, portable, and reliable solutions for managing any type of content, including documents, digital assets, and web content. Alfresco has different modules to manage different kinds of content. Document Management (DM) and Web Content Management (WCM) are the two main and widely used modules of Alfresco.
Alfresco Document Management captures, shares, and retains content, enabling users to version, search, and simply build their own content applications. The Alfresco Web Content Management allows organizations to rapidly create and more effectively maintain dynamic Internet, intranet, and extranet sites, enabling a shortened web development cycle, providing high return on investment and low cost of ownership. Alfresco framework is built on state-of-the-art open source frameworks such as Spring, Hibernate, Lucene, and JSF. DM and WCM are two different feature sets that are built on the common infrastructure framework of Alfresco and also have services such as security, workflow, library, search, and so on, which can be used across the application for any module. In this chapter, we will discuss how you can leverage the Alfresco DM features for the WCM and cover the following topics for WCM:
• Membership and Security Mechanisms
• FFMPEG Integration
• DM content in WCM
• Image Transformation
• Advance Search
• Metadata Extractor
Membership and Security Mechanism
The Alfresco security model is flexible and allows you to choose either its built-in security or an external security model defined by your organization, by using systems such as LDAP and Active Directory. You will understand various security models and learn to choose the one that is most suited to your enterprise's requirements. The Alfresco membership system is highly scalable and can cater to a number of users and content managers. The Alfresco WCM can also leverage the security mechanism provided by Alfresco DM.
Consider a case where we have people from different departments of a company who need to access the Alfresco WCM system. These companies already have their own directory-based Central Authentication System. Here you can have two possibilities:
• Use Alfresco's out-of-the-box membership system and create the user
accounts for all those users in Alfresco
• Configure Alfresco with LDAP for centralized Identity Management where all the users from existing directory LDAP will be imported in Alfresco
if they need to access Alfresco and will be authenticated via Central
Authentication System-LDAP
As the company already has its own directory, the second approach would be preferred. We can configure Alfresco with LDAP and import the users into Alfresco. Once the users are available in Alfresco, we can easily associate the users to the web project in Alfresco WCM. This is already described in Chapter 3, Getting Started with Alfresco WCM. You can refer to this chapter for further details.
Configuring LDAP for centralized identity management
LDAP evolved from X.500 OSI Directory Access Protocol. LDAP directory is the central authentication engine for the enterprise, and serves as the yellow pages for user access and profile information. The biggest advantage of LDAP is that your enterprise can access the LDAP directory from almost any computing platform, using any one of the increasing number of readily available LDAP-aware applications. In fact, LDAP is finding much wider industrial acceptance because of its status as an Internet standard.
You can use LDAP with any directory server, such as iPlanet, Novell's eDirectory, Microsoft's Active Directory, or OpenLDAP. If you are planning to implement an LDAP directory in your organization, you may consider OpenLDAP, Active Directory, or eDirectory. OpenLDAP is a stable and widely accepted open source directory server.
LDAP configuration with Active Directory
Active Directory supports LDAP-based authentication. It can also support authentication using JAAS+Kerberos and NTLM authentication. Only NTLM will give you a Single-Sign-On solution. It is possible to use any authentication methods against an Active Directory server and extract user and group information via LDAP. For the LDAP to work with Alfresco, you have to make some changes in the configuration files.
Follow the steps given below to configure LDAP-based authentication with Active Directory.
1. Open the <alfresco>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties file and modify the properties to your required value as follows. All other properties can be kept as they are in the file.
° ldap.authentication.active=true (this flag enables the LDAP as authentication mechanism; if set to false, LDAP will be used only for synchronization)
° DC=com (this maps the user ID entered by the user to pass through LDAP; the %s is replaced with whatever the user types in as their user ID on the login screen)
° openldap.domain.com:389 (the name and port of your LDAP server; the standard port for LDAP is 389)
° authentication=simple (the authentication mechanism you want to use)
° dmin,User1 (LDAP users' names who should be considered as administrators, separated by a comma)
2. Open the <alfresco>/tomcat/shared/classes/alfresco-global.properties file and uncomment the following line:
authentication.chain=alfrescoNtlm1:alfrescoNtlm
To configure LDAP as an authentication mechanism, you need to change this property. Provide ldap:ldap for LDAP Authentication as follows:
authentication.chain=ldap:ldap
3. Open the file-server-custom.xml file. Add the following code:
<config evaluator="string-compare" condition="CIFS Server" replace="true">
   <serverEnable enabled="false"/>
   <host name="${cifs.localname}A" domain="${cifs.domain}"/>
   <comment>Alfresco CIFS Server</comment>
   <!-- Set to the broadcast mask for the subnet -->
   <broadcast>${cifs.broadcast}</broadcast>
   <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux -->
   <tcpipSMB platforms="linux,solaris,macosx"/>
   <netBIOSSMB platforms="linux,solaris,macosx"/>
   <!-- Can be mapped to non-privileged ports, then use firewall rules to forward requests from the standard ports -->
   <!--
   <tcpipSMB port="1445" platforms="linux,solaris,macosx"/>
   <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
   -->
   <hostAnnounce interval="5"/>
   <!-- Use Win32 NetBIOS interface on Windows -->
   <Win32NetBIOS/>
   <Win32Announce interval="5"/>
   <!-- CIFS authentication -->
   <authenticator type="passthru">
      <LocalDomain/>
   </authenticator>
   <!--
   <WINS>
      <primary>1.2.3.4</primary>
      <secondary>5.6.7.8</secondary>
   </WINS>
   -->
   <sessionDebug flags="Negotiate,Socket"/>
</config>
<config evaluator="string-compare" condition="FTP Server" replace="true">
   <serverEnable enabled="false"/>
   <!-- Run on a non-privileged port -->
   <!--
   <port>1121</port>
   -->
   <!-- FTP authentication -->
   <authenticator type="alfresco"/>
   <!-- <debug flags="File,Search,Error,Directory,Info,DataPort"/> -->
</config>
<config evaluator="string-compare" condition="Filesystem Security" replace="true">
   <authenticator type="passthru">
      <!-- the name of your ldap server -->
      <Server>openldap.domain.com</Server>
   </authenticator>
</config>
This authentication mechanism sends usernames and passwords in plain text. It is the most simple to set up. This is supported by both Active Directory and OpenLDAP.
LDAP synchronization
As you have already configured LDAP with Active Directory, the next step will be to extract information from Active Directory. This synchronization of people and groups between the Alfresco repository and LDAP is supported by scheduled jobs. These jobs extract the user or group information from the LDAP repository and create the appropriate information as an Alfresco import XML file. This file is then imported into the repository.
Follow these steps to export users and groups from Active Directory:
1. Open the <alfresco>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties file. Modify the properties to the required value as follows. All other properties can be kept as is in the file:
principal=admin (the user that has read access to the group and people information to be extracted from Active Directory server)
credentials=secret (the password for the user defined above)
inetOrgPerson)
(these two options combine to make the query to find people. In the previous example, you will find all objects of type inetOrgPerson anywhere in the directory)
groupOfNames)
(these two options combine to make the query to find groups. In the previous example, you will find all objects of type groupOfNames anywhere in the directory)
2. Ensure that your earlier changes are saved. Start Alfresco. On restarting, you will be able to log into the Alfresco repository with LDAP users only.
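The following Python check is an added example, not part of the original chapter or of Alfresco. It audits the settings from the two procedures above (LDAP authentication and LDAP synchronization) for the plain-text bind the chapter mentions. It uses the full Alfresco property names where the chapter's listing shows only fragments. The sample file content and the finding codes are constructed, and it is assumed that the synchronization account binds to the same provider URL.

```python
# Added example: audit an Alfresco ldap-authentication.properties file.
# SAMPLE is constructed for illustration; host name and values are placeholders.
from urllib.parse import urlparse

SAMPLE = """\
# constructed sample, not taken from a real deployment
ldap.authentication.active=true
ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin
ldap.synchronization.java.naming.security.credentials=secret
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_ldap(text):
    """Return a sorted list of finding codes for risky settings."""
    p = parse_properties(text)
    auth = "ldap.authentication."
    sync = "ldap.synchronization.java.naming.security."
    findings = []
    url = urlparse(p.get(auth + "java.naming.provider.url", ""))
    mech = p.get(auth + "java.naming.security.authentication", "").lower()
    active = p.get(auth + "active", "true").lower() == "true"
    # A simple bind sends the password as-is; without TLS (ldaps://)
    # anyone on the network path can read it.
    if active and mech == "simple" and url.scheme != "ldaps":
        findings.append("CLEARTEXT_LOGIN_BIND")
    # Assumption: the synchronization account binds to the same server URL.
    if p.get(sync + "credentials") and url.scheme != "ldaps":
        findings.append("CLEARTEXT_SYNC_BIND")
    # Example values left in place are easy to guess.
    if p.get(sync + "credentials") in {"secret", "password", "admin"}:
        findings.append("PLACEHOLDER_SYNC_PASSWORD")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ldap(SAMPLE):
        print(finding)
```

With ldap.authentication.active=false the login finding disappears, but the synchronization bind is still reported, because the scheduled jobs keep binding with the stored principal and credentials.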
Daisy Chaining
If you want to log into the Alfresco repository with Alfresco users also, then you have to make some more changes in the configuration files. This concept is called Daisy Chaining, allowing the users to configure multiple authentication components for Authentication.
With version 3.2, Alfresco has introduced the concept of sub-systems. A sub-system is a configurable module responsible for a subpart of Alfresco functionality. Authentication is one of such sub-systems available in 3.2, which is a stack of multiple components responsible for Authentication in Alfresco.
For more information on Alfresco Authentication sub-systems, you can refer to the Wiki link: http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
With this approach, Authentication sub-systems are easily chained. So, now it's very easy to configure the Chaining authentication. The steps to configure Chaining are as follows:
1. Open the <alfresco>/tomcat/shared/classes/alfresco-global.properties file and uncomment the following line:
authentication.chain=alfrescoNtlm1:alfrescoNtlm
2. To configure more than one authentication component for chaining, you can add as many authenticators as you want separated by a comma as mentioned below:
authentication.chain=ldap1:ldap,ldap2:ldap,alfrescoNtlm:alfrescoNtlm
Here we have three different authenticators for Chaining Authentication; ldap1 and ldap2 are for LDAP Authentication and alfrescoNtlm is for Default Alfresco Authentication. For authenticating the users, when a user logs into the system, Alfresco checks for authentication in the sequence as defined above.
3. Configuration files for ldap1 and ldap2 are created as follows:
Copy <alfresco>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties to <alfresco>/tomcat/shared/classes/alfresco/subsystems/Authentication/ldap1/ldap-authentication.properties
Copy <alfresco>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties to <alfresco>/tomcat/shared/classes/alfresco/subsystems/Authentication/ldap2/ldap-authentication.properties
4. Now, modify this property file for ldap1 and ldap2 accordingly to provide the LDAP configuration details in both the files. Configuring LDAP is already explained in the previous section.
5. Restart the server and you can verify the chaining by logging in with an Alfresco local user and the LDAP user as well.
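The sketch below is an added example, not Alfresco code and not part of the original chapter. It parses an authentication.chain value and walks it in order, to show which subsystem ends up accepting a login. The user stores and passwords are constructed stand-ins for the real directories, and "first subsystem that accepts the credentials wins" is the assumed evaluation rule.

```python
# Added example: how an authentication.chain value is read and applied.
# STORES is constructed test data standing in for two LDAP servers and
# the local Alfresco user store.
import hmac

CHAIN = "ldap1:ldap,ldap2:ldap,alfrescoNtlm:alfrescoNtlm"
STORES = {
    "ldap1": {"alice": "pw-a"},
    "ldap2": {"bob": "pw-b", "alice": "other"},
    "alfrescoNtlm": {"admin": "local-admin-pw"},
}

def parse_chain(value):
    """Split 'id1:type1,id2:type2' into ordered (instance, type) pairs."""
    chain, seen = [], set()
    for entry in value.split(","):
        instance, sep, kind = entry.strip().partition(":")
        if not sep or not instance or not kind:
            raise ValueError(f"malformed chain entry: {entry!r}")
        if instance in seen:
            raise ValueError(f"duplicate instance name: {instance}")
        seen.add(instance)
        chain.append((instance, kind))
    return chain

def authenticate(chain, stores, user, password):
    """Try each subsystem in chain order; return the instance that accepted."""
    for instance, _kind in chain:
        expected = stores.get(instance, {}).get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            return instance
    return None  # no subsystem in the chain accepted the credentials

def accepting_instances(chain, stores, user):
    """List every chained subsystem that holds an account for this user."""
    return [i for i, _ in chain if user in stores.get(i, {})]

if __name__ == "__main__":
    chain = parse_chain(CHAIN)
    for user, pw in [("alice", "pw-a"), ("alice", "other"), ("admin", "local-admin-pw")]:
        print(user, "->", authenticate(chain, STORES, user, pw))
    print("alice can log in via:", accepting_instances(chain, STORES, "alice"))
```

Every instance listed in the chain is a live login path: with alfrescoNtlm in the chain the local admin account still authenticates, while a chain of only ldap:ldap rejects it.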
User roles
In the previous section, we discussed the different Authentication mechanisms for users in Alfresco. Once the user is part of Alfresco, either created in Alfresco or imported from LDAP or any other system, you can assign different roles to the user for providing specific permissions. The users and default roles to these users are controlled globally in Alfresco, which also affects the WCM.
By default, only the admin user has permission to create a web project in the Company Home | Web Projects folder. All the users of the system will have Consumer role by default for this folder. That means those users can have just "read" permission for the Web Projects folder; they really cannot create a web project. If you want to allow any other user to create a web project other than admin, then an admin can assign a Contributor or higher role to that user and then that user can get rights to create a new web project.
There are different roles available in Alfresco, which users can be assigned to. Following are the five basic roles:
• Consumer: Read only permission
• Contributor: Consumer + Permission to add/create new content
• Editor: Consumer + Permission to edit the existing content
• Collaborator: Contributor + Editor
• Coordinator: Collaborator + Permission to delete the content
As mentioned here, to create a web project, a user at least needs the Contributor role. Another scenario is if you remove the default consumer roles available to all the users for the Company Home | Web Projects space, then even if the user is a member of some web project, he will not be able to see the Web Project folder. Therefore, the user will not have access to that web project of which he is also a member.
So, in this way you are controlling the users from outside the Web Content Management.
Common repository
As a Content Management Product, Alfresco has two different modules, DM and WCM.
In this section, we will see how we can use Alfresco with the combination of DM and WCM both as a single repository. Consider a use case of a company where they are using Alfresco WCM for managing their website but at the same time they have an Intranet application, which is more for managing documents and other assets. For this Intranet, they are using the Alfresco DM. Now suppose some of the documents/assets need to be managed in DM but are basically part of the website and need to be deployed. In this scenario, we can get the advantage of both the DM and WCM in the same repository.
Let's take the example of the Cignex company. As we have already seen in the earlier chapter, the website for Cignex is managed by Alfresco WCM. But in this website, some of the images, videos, and so on are being used, which are managed in DM. There are some departments such as Marketing, Sales, HR, IT, and many more available that are using this Intranet application. Now if a Marketing person is uploading a video, then he or she may have some requirements such as it should be transformed into different formats like 3GP (for cell phones), MPEG4 (for iPod), and Flash (the default format for the website). Alfresco can be integrated with FFMPEG, using which we can easily transform the videos to other formats.
Integrating Alfresco with the FFMPEG Video Transcoder
FFMPEG is a very popular high performance video and audio transcoder. It has various widely used commercial tools to convert audio and video files from one format to another. It is basically a command-line interface. We can easily integrate any such command-line applications with Alfresco.
You need to download the FFMPEG binary version for Microsoft Windows and put it into the <alfresco_install>/bin directory. The command used for transformation is:
ffmpeg.exe -i [input_file.extension] [options] [output_file.extension]