manifoldcf-user mailing list archives

From Phillip Rhodes <>
Subject Re: ManifoldCF + Alfresco + Solr security filtering problem
Date Sat, 02 Dec 2017 10:15:18 GMT
I think I'm starting to see what's going on.   If I make a direct call
to the authority service like this:

I get back:


which explains why I can see the documents from the public folder,
because they all have an allow_token_document for

But what I would expect (perhaps incorrectly) is that when passing a
discrete username like that, I'd also get back something like:


which would then presumably match the tokens I'm seeing in the
"secured" documents.

So the question is, should I really be getting back a token like that
from the authority service?  Or am I misunderstanding how this works?
And if I should be getting that back, any idea(s) what might explain
why I'm not getting them?



This message optimized for indexing by NSA PRISM

On Sat, Dec 2, 2017 at 5:09 AM, Phillip Rhodes
<> wrote:
> FWIW, I only have one repository connection defined, and only one
> authority group.
> Phil
> This message optimized for indexing by NSA PRISM
> On Sat, Dec 2, 2017 at 4:55 AM, Karl Wright <> wrote:
>> Hi Phil,
>> If you are using a different repository connection for the second Alfresco
>> crawl, is it possible you may have misconfigured the connection to refer to
>> the wrong authority group, or none at all?  All connections that you need to
>> be authorized together need to be part of the same group.
>> Karl
>> On Sat, Dec 2, 2017 at 4:32 AM, Phillip Rhodes <>
>> wrote:
>>> Hello all, I thought I had this all figured out, but I built a new
>>> environment and it's not behaving as expected.  Not sure if I changed
>>> something I shouldn't have or if it was never really working, but
>>> here's the situation:
>>> 1. I have an Alfresco server storing documents.   There are 65 docs in
>>> the built in "sample" space, which defaults to allowing access to
>>> everyone.
>>> 2. With the MCF SearchComponent installed into Solr, if I pass the
>>> AuthenticatedUserName parameter with any value, I get back all 65
>>> documents as expected.
>>> 3. I added another space in Alfresco that only allows access for 4
>>> specific users... testuser1, testuser2, testuser3, and testuser4. If I
>>> log into Alfresco as any of those users I can view and/or upload
>>> content to the space.
>>> 4. I put 7 documents in that space, and re-indexed with MCF.
>>> 5. Solr now shows a total of 72 documents for the core in question.
>>> 6. But, if I pass AuthenticatedUserName=testuser1 with my query, I
>>> still only see the 65 docs from the other space.
>>> 7. If I temporarily turn off the MCF SearchComponent in Solr, I can
>>> see the docs from the "locked down" space.
>>> I set the various token fields to stored="true" so I can see what is
>>> getting stored, and here's what I see for one sample document (one
>>> that isn't being returned with the SearchComponent enabled, but which
>>> should be).
>>> "allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2",
>>> "Alfresco:testuser3", "Alfresco:testuser4"],
>>> "deny_token_document":["__nosecurity__"],
>>> "deny_token_parent":["__nosecurity__"],
>>> "allow_token_share":["__nosecurity__"],
>>> "allow_token_parent":["__nosecurity__"],
>>> "deny_token_share":["__nosecurity__"],
>>> Two things jump out to me:
>>> 1. I don't have entries for those users in allow_token_share and
>>> allow_token_parent (and I'm not sure why not.  This part seems to be a
>>> black box from the perspective of configuring MCF to crawl Alfresco)
>>> 2. The "domain" part in the entries in allow_token_document is coming
>>> up as "Alfresco".  I tried adding AuthenticatedUserDomain=Alfresco to
>>> my queries, but that didn't make any difference.
>>> Can anybody see what it is that I'm missing here?  Is there maybe
>>> something I need to do either in MCF or in Alfresco to make sure those
>>> allow_token_share and allow_token_parent entries get populated, or is
>>> it something else?
>>> Any thoughts / suggestions are greatly appreciated.
>>> Phil
>>> This message optimized for indexing by NSA PRISM
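
Added example, not part of the original thread and not ManifoldCF code: a simplified model of the token check that shows which security level hides the sample document quoted above. It assumes a level passes when both its allow and deny fields hold "__nosecurity__" or when a user token appears in the allow field, and that any user token in a deny field hides the document; the user token lists are constructed placeholders.

```python
# Simplified model of per-level access-token filtering.
# Assumption: this matching rule approximates the Solr-side filter; it is
# not taken from the ManifoldCF source or from the thread.
NOSEC = "__nosecurity__"
LEVELS = ("share", "parent", "document")

def level_passes(doc, level, user_tokens):
    """True if the user's tokens satisfy one security level of the document."""
    allow = set(doc.get(f"allow_token_{level}", []))
    deny = set(doc.get(f"deny_token_{level}", []))
    tokens = set(user_tokens)
    if deny & tokens:
        return False                      # an explicit deny always wins
    unprotected = NOSEC in allow and NOSEC in deny
    return unprotected or bool(allow & tokens)

def blocking_levels(doc, user_tokens):
    """Levels at which the document is filtered out for these tokens."""
    return [lvl for lvl in LEVELS if not level_passes(doc, lvl, user_tokens)]

def visible(doc, user_tokens):
    return not blocking_levels(doc, user_tokens)

# Field values copied from the sample document quoted in the thread.
SECURED_DOC = {
    "allow_token_document": ["Alfresco:testuser1", "Alfresco:testuser2",
                             "Alfresco:testuser3", "Alfresco:testuser4"],
    "deny_token_document": [NOSEC],
    "deny_token_parent": [NOSEC],
    "allow_token_share": [NOSEC],
    "allow_token_parent": [NOSEC],
    "deny_token_share": [NOSEC],
}

# Constructed token lists (placeholders, not real authority output).
TOKENS_WITHOUT_USER = ["Alfresco:PLACEHOLDER_TOKEN"]
TOKENS_WITH_USER = ["Alfresco:PLACEHOLDER_TOKEN", "Alfresco:testuser1"]

if __name__ == "__main__":
    for label, toks in (("without user token", TOKENS_WITHOUT_USER),
                        ("with user token", TOKENS_WITH_USER)):
        print(label, "visible:", visible(SECURED_DOC, toks),
              "blocked at:", blocking_levels(SECURED_DOC, toks))
```

Under this model the share and parent levels pass on their "__nosecurity__" values, so only a missing per-user token at the document level keeps the document out of the results.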
