123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661
<alfresco-config>
<!-- Global config section -->
<config replace="true">
<flags>
<!--
Developer debugging setting to turn on DEBUG mode for client scripts in the browser
-->
<client-debug>false</client-debug>
<!--
LOGGING can always be toggled at runtime when in DEBUG mode (Ctrl, Ctrl, Shift, Shift).
This flag automatically activates logging on page load.
-->
<client-debug-autologging>false</client-debug-autologging>
</flags>
</config>
<config evaluator="string-compare" condition="WebFramework">
<web-framework>
<!-- SpringSurf Autowire Runtime Settings -->
<!--
Developers can set mode to 'development' to disable; SpringSurf caches,
FreeMarker template caching and Rhino JavaScript compilation.
-->
<autowire>
<!-- Pick the mode: "production" or "development" -->
<mode>production</mode>
</autowire>
<!-- Allows extension modules with <auto-deploy> set to true to be automatically deployed -->
<module-deployment>
<mode>manual</mode>
<enable-auto-deploy-modules>true</enable-auto-deploy-modules>
</module-deployment>
</web-framework>
</config>
<!-- Disable the CSRF Token Filter -->
<!--
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter/>
</config>
-->
<!--
To run the CSRF Token Filter behind 1 or more proxies that do not rewrite the Origin or Referere headers:
1. Copy the "CSRFPolicy" default config in share-security-config.xml and paste it into this file.
2. Replace the old config by setting the <config> element's "replace" attribute to "true" like below:
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
3. To every <action name="assertReferer"> element add the following child element
<param name="referer">http://www.proxy1.com/.*|http://www.proxy2.com/.*</param>
4. To every <action name="assertOrigin"> element add the following child element
<param name="origin">http://www.proxy1.com|http://www.proxy2.com</param>
-->
<!--
Added by Vipin kp(685340) on 2/6/2015 to bypass the alf-csrfTOKEN check while login via curl(POST)
-->
<!-- Configuration for Apache reverse proxy on localhost:8089 -->
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<!--
Will be used and exposed to the client side code in Alfresco.contants.CSRF_POLICY.
Use the Alfresco.util.CSRFPolicy.getHeader() or Alfresco.util.CSRFPolicy.getParameter() with Alfresco.util.CSRFPolicy.getToken()
to set the token in custom 3rd party code.
-->
<client>
<cookie>Alfresco-CSRFToken</cookie>
<header>Alfresco-CSRFToken</header>
<parameter>Alfresco-CSRFToken</parameter>
</client>
<!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
<filter>
<!--
Certain Surf POST requests form the WebScript console must be allowed to pass without a token since
the Surf WebScript console code can't be dependent on a Share specific filter.
-->
<rule>
<request>
<method>POST</method>
<path>^\/page\/caches\/dependency\/clear|^\/page\/index|^\/page\/surfBugStatus|^\/page\/modules\/deploy|^\/page\/modules\/module|^\/page\/api\/javascript\/debugger</path>
</request>
<action name="assertReferer">
<param name="always">false</param>
<param name="referer">https://myfdqn.com/.*</param>
</action>
<action name="assertOrigin">
<param name="always">false</param>
<param name="origin">https://myfdqn.com</param>
</action>
</rule>
<!-- Certain Share POST requests does NOT require a token -->
<rule>
<request>
<method>POST</method>
<path>^/page/dologin.*|^\/page/site\/[^\/]+\/start-workflow|^\/page/start-workflow</path>
</request>
<action name="assertReferer">
<param name="always">false</param>
<param name="referer">https://myfdqn.com/.*</param>
</action>
<action name="assertOrigin">
<param name="always">false</param>
<param name="origin">https://myfdqn.com</param>
</action>
</rule>
<!-- Clear the token when logging out -->
<rule>
<request>
<method>GET</method>
<path>^/page/dologout.*</path>
</request>
<action name="clearToken">
<param name="session">Alfresco-CSRFToken</param>
<param name="cookie">Alfresco-CSRFToken</param>
</action>
</rule>
<!-- Make sure the first token is generated -->
<rule>
<request>
<session>
<attribute name="_alf_USER_ID">.*</attribute>
<attribute name="Alfresco-CSRFToken"/>
<!-- empty attribute element indicates null -->
</session>
</request>
<action name="generateToken">
<param name="session">Alfresco-CSRFToken</param>
<param name="cookie">Alfresco-CSRFToken</param>
</action>
</rule>
<!-- Refresh token on new "page" visit when a user is logged in -->
<rule>
<request>
<method>GET</method>
<path>^/page/.*</path>
<session>
<attribute name="_alf_USER_ID">.*</attribute>
<attribute name="Alfresco-CSRFToken">.*</attribute>
</session>
</request>
<action name="generateToken">
<param name="session">Alfresco-CSRFToken</param>
<param name="cookie">Alfresco-CSRFToken</param>
</action>
</rule>
<!-- Verify multipart requests contains the token as a parameter and also correct referer & origin header if available -->
<rule>
<request>
<method>POST</method>
<header name="Content-Type">^multipart/.*</header>
<session>
<attribute name="_alf_USER_ID">.*</attribute>
</session>
</request>
<action name="assertToken">
<param name="session">Alfresco-CSRFToken</param>
<param name="parameter">Alfresco-CSRFToken</param>
</action>
<action name="assertReferer">
<param name="always">false</param>
<param name="referer">https://myfdqn.com/.*</param>
</action>
<action name="assertOrigin">
<param name="always">false</param>
<param name="origin">https://myfdqn.com</param>
</action>
</rule>
<!--
Verify there is a token in the header for remaining state changing requests and also correct
referer & origin headers if available. We "catch" all content types since just setting it to
"application/json.*" since a webscript that doesn't require a json request body otherwise would be
successfully executed using i.e. "text/plain".
-->
<rule>
<request>
<method>POST|PUT|DELETE</method>
<session>
<attribute name="_alf_USER_ID">.*</attribute>
</session>
</request>
<action name="assertToken">
<param name="session">Alfresco-CSRFToken</param>
<param name="header">Alfresco-CSRFToken</param>
</action>
<action name="assertReferer">
<param name="always">false</param>
<param name="referer">https://myfdqn.com/.*</param>
</action>
<action name="assertOrigin">
<param name="always">false</param>
<param name="origin">https://myfdqn.com</param>
</action>
</rule>
</filter>
</config>
<!--- End of CSRF token config -->
<!--
Remove the default wildcard setting and use instead a strict whitelist of the only domains that shall be allowed
to be used inside iframes (i.e. in the WebView dashlet on the dashboards)
-->
<!--
<config evaluator="string-compare" condition="IFramePolicy" replace="true">
<cross-domain>
<url>http://www.trusted-domain-1.com/</url>
<url>http://www.trusted-domain-2.com/</url>
</cross-domain>
</config>
-->
<!-- Turn off header that stops Share from being displayed in iframes on pages from other domains -->
<!--
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
<headers>
<header>
<name>X-Frame-Options</name>
<enabled>false</enabled>
</header>
</headers>
</config>
-->
<!-- Prevent browser communication over HTTP (for HTTPS servers) -->
<!--
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
<headers>
<header>
<name>Strict-Transport-Security</name>
<value>max-age=31536000</value>
</header>
</headers>
</config>
-->
<config evaluator="string-compare" condition="Replication">
<share-urls>
<!--
To discover a Repository Id, browse to the remote server's CMIS landing page at:
http://{server}:{port}/alfresco/service/cmis/index.html
The Repository Id field is found under the "CMIS Repository Information" expandable panel.
Example config entry:
<share-url repositoryId="622f9533-2a1e-48fe-af4e-ee9e41667ea4">http://new-york-office:8080/share/</share-url>
-->
</share-urls>
</config>
<!-- Document Library config section -->
<config evaluator="string-compare" condition="DocumentLibrary" replace="true">
<tree>
<!--
Whether the folder Tree component should enumerate child folders or not.
This is a relatively expensive operation, so should be set to "false" for Repositories with broad folder structures.
-->
<evaluate-child-folders>false</evaluate-child-folders>
<!--
Optionally limit the number of folders shown in treeview throughout Share.
-->
<maximum-folder-count>1000</maximum-folder-count>
<!--
Default timeout in milliseconds for folder Tree component to recieve response from Repository
-->
<timeout>7000</timeout>
</tree>
<!--
Used by the "Manage Aspects" action
For custom aspects, remember to also add the relevant i18n string(s)
cm_myaspect=My Aspect
-->
<aspects>
<!-- Aspects that a user can see -->
<visible>
<aspect name="cm:generalclassifiable" />
<aspect name="cm:complianceable" />
<aspect name="cm:dublincore" />
<aspect name="cm:effectivity" />
<aspect name="cm:summarizable" />
<aspect name="cm:versionable" />
<aspect name="cm:templatable" />
<aspect name="cm:emailed" />
<aspect name="emailserver:aliasable" />
<aspect name="cm:taggable" />
<aspect name="app:inlineeditable" />
<aspect name="cm:geographic" />
<aspect name="exif:exif" />
<aspect name="audio:audio" />
<aspect name="cm:indexControl" />
<aspect name="dp:restrictable" />
<aspect name="kb:referencable" />
</visible>
<!-- Aspects that a user can add. Same as "visible" if left empty -->
<addable>
</addable>
<!-- Aspects that a user can remove. Same as "visible" if left empty -->
<removeable>
</removeable>
</aspects>
<!-- Added by vipin kp to add new aspects to alfresco -->
<!--*********************************************************************************************************-->
<!-- cm:content type (existing nodes) -->
<!-- cm:content type (existing nodes) -->
<config evaluator="aspect" condition="kb:referencable">
<forms>
<form>
<field-visibility>
<!-- fields from my example aspect -->
<show id="kb:documentRef" />
</field-visibility>
<appearance>
<field id="kb:documentRef" />
</appearance>
</form>
</forms>
</config>
<!-- End of Form customization for whitepaper -->
<!--*********************************************************************************************************-->
<!--
Used by the "Change Type" action
Define valid subtypes using the following example:
<type name="cm:content">
<subtype name="cm:mysubtype" />
</type>
Remember to also add the relevant i18n string(s):
cm_mysubtype=My SubType
-->
<types>
<type name="cm:content">
</type>
<type name="cm:folder">
</type>
<type name="trx:transferTarget">
<subtype name="trx:fileTransferTarget" />
</type>
</types>
<!--
If set, will present a WebDAV link for the current item on the Document and Folder details pages.
Also used to generate the "View in Alfresco Explorer" action for folders.
-->
<repository-url>http://localhost:8084/alfresco</repository-url>
<!--
Google Docs™ integration
-->
<google-docs>
<!--
Enable/disable the Google Docs UI integration (Extra types on Create Content menu, Google Docs actions).
-->
<enabled>false</enabled>
<!--
The mimetypes of documents Google Docs allows you to create via the Share interface.
The I18N label is created from the "type" attribute, e.g. google-docs.doc=Google Docs™ Document
-->
<creatable-types>
<creatable type="doc">application/vnd.openxmlformats-officedocument.wordprocessingml.document</creatable>
<creatable type="xls">application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</creatable>
<creatable type="ppt">application/vnd.ms-powerpoint</creatable>
</creatable-types>
</google-docs>
<!--
File upload configuration
-->
<file-upload>
<!--
Adobe Flash™
In certain environments, an HTTP request originating from Flash cannot be authenticated using an existing session.
See: http://bugs.adobe.com/jira/browse/FP-4830
For these cases, it is useful to disable the Flash-based uploader for Share Document Libraries.
-->
<adobe-flash-enabled>true</adobe-flash-enabled>
</file-upload>
</config>
<!-- Custom DocLibActions config section -->
<config evaluator="string-compare" condition="DocLibActions">
<actionGroups>
<actionGroup id="document-browse">
<!-- Simple Repo Actions -->
<!--
<action index="340" id="document-extract-metadata" />
<action index="350" id="document-increment-counter" />
-->
<!-- Dialog Repo Actions -->
<!--
<action index="360" id="document-transform" />
<action index="370" id="document-transform-image" />
<action index="380" id="document-execute-script" />
-->
</actionGroup>
</actionGroups>
</config>
<!-- Global folder picker config section -->
<config evaluator="string-compare" condition="GlobalFolder">
<siteTree>
<container type="cm:folder">
<!-- Use a specific label for this container type in the tree -->
<rootLabel>location.path.documents</rootLabel>
<!-- Use a specific uri to retreive the child nodes for this container type in the tree -->
<uri>slingshot/doclib/treenode/site/{site}/{container}{path}?children={evaluateChildFoldersSite}&max={maximumFolderCountSite}</uri>
</container>
</siteTree>
</config>
<!-- Repository Library config section -->
<config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
<!--
Root nodeRef or xpath expression for top-level folder.
e.g. alfresco://user/home, /app:company_home/st:sites/cm:site1
If using an xpath expression, ensure it is properly ISO9075 encoded here.
-->
<root-node>alfresco://company/home</root-node>
<tree>
<!--
Whether the folder Tree component should enumerate child folders or not.
This is a relatively expensive operation, so should be set to "false" for Repositories with broad folder structures.
-->
<evaluate-child-folders>false</evaluate-child-folders>
<!--
Optionally limit the number of folders shown in treeview throughout Share.
-->
<maximum-folder-count>500</maximum-folder-count>
</tree>
<!--
Whether the link to the Repository Library appears in the header component or not.
-->
<visible>true</visible>
</config>
<!-- Kerberos settings -->
<!-- To enable kerberos rename this condition to "Kerberos" -->
<config evaluator="string-compare" condition="KerberosDisabled" replace="true">
<kerberos>
<!--
Password for HTTP service account.
The account name *must* be built from the HTTP server name, in the format :
HTTP/<server_name>@<realm>
(NB this is because the web browser requests an ST for the
HTTP/<server_name> principal in the current realm, so if we're to decode
that ST, it has to match.)
-->
<password>secret</password>
<!--
Kerberos realm and KDC address.
-->
<realm>ALFRESCO.ORG</realm>
<!--
Service Principal Name to use on the repository tier.
This must be like: HTTP/host.name@REALM
-->
<endpoint-spn>HTTP/[email protected]</endpoint-spn>
<!--
JAAS login configuration entry name.
-->
<config-entry>ShareHTTP</config-entry>
<!--
A Boolean which when true strips the @domain sufix from Kerberos authenticated usernames.
Use together with stripUsernameSuffix property in alfresco-global.properties file.
-->
<stripUserNameSuffix>true</stripUserNameSuffix>
</kerberos>
</config>
<!-- Uncomment and modify the URL to Activiti Admin Console if required. -->
<!--
<config evaluator="string-compare" condition="ActivitiAdmin" replace="true">
<activiti-admin-url>http://localhost:8080/alfresco/activiti-admin</activiti-admin-url>
</config>
-->
<config evaluator="string-compare" condition="Remote">
<remote>
<endpoint>
<id>alfresco-noauth</id>
<name>Alfresco - unauthenticated access</name>
<description>Access to Alfresco Repository WebScripts that do not require authentication</description>
<connector-id>alfresco</connector-id>
<endpoint-url>http://localhost:8084/alfresco/s</endpoint-url>
<identity>none</identity>
</endpoint>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfresco</connector-id>
<endpoint-url>http://localhost:8084/alfresco/s</endpoint-url>
<identity>user</identity>
</endpoint>
<endpoint>
<id>alfresco-feed</id>
<name>Alfresco Feed</name>
<description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
<connector-id>http</connector-id>
<endpoint-url>http://localhost:8084/alfresco/s</endpoint-url>
<basic-auth>true</basic-auth>
<identity>user</identity>
</endpoint>
<!--
<endpoint>
<id>activiti-admin</id>
<name>Activiti Admin UI - user access</name>
<description>Access to Activiti Admin UI, that requires user authentication</description>
<connector-id>activiti-admin-connector</connector-id>
<endpoint-url>http://localhost:8080/alfresco/activiti-admin</endpoint-url>
<identity>user</identity>
</endpoint>
-->
</remote>
</config>
<!--
Overriding endpoints to reference an Alfresco server with external SSO enabled
NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
sessions" feature of your load balancer must be used.
NOTE: If alfresco server location is not localhost:8080 then also combine changes from the
"example port config" section below.
*Optional* keystore contains SSL client certificate + trusted CAs.
Used to authenticate share to an external SSO system such as CAS
Remove the keystore section if not required i.e. for NTLM.
NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"
NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set
the userHeader to the name of the HTTP header that the external SSO
uses to provide the authenticated user name.
-->
<!--
<config evaluator="string-compare" condition="Remote">
<remote>
<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>
<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>SsoUserHeader</userHeader>
</connector>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoCookie</connector-id>
<endpoint-url>http://localhost:8084/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
</remote>
</config>
-->
<!-- Cookie settings -->
<!-- To disable alfUsername2 cookie set enableCookie value to "false" -->
<!--
<plug-ins>
<element-readers>
<element-reader element-name="cookie" class="org.alfresco.web.config.cookie.CookieElementReader"/>
</element-readers>
</plug-ins>
<config evaluator="string-compare" condition="Cookie" replace="true">
<cookie>
<enableCookie>false</enableCookie>
<cookies-to-remove>
<cookie-to-remove>alfUsername3</cookie-to-remove>
<cookie-to-remove>alfLogin</cookie-to-remove>
</cookies-to-remove>
</cookie>
</config>
-->
</alfresco-config>