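<alfresco-config>

  <!--
    Alfresco Share configuration overrides.
    Each <config> element below either extends the default section with the same
    "condition" or, when replace="true" is set, replaces it completely.
    NOTE(review): several sections hold credentials in clear text; restrict read access to
    this file and replace sample values before production use.
  -->

  <!-- Global config section -->
  <config replace="true">
    <flags>
      <!--
        Developer debugging setting to turn on DEBUG mode for client scripts in the browser
      -->
      <client-debug>false</client-debug>

      <!--
        LOGGING can always be toggled at runtime when in DEBUG mode (Ctrl, Ctrl, Shift, Shift).
        This flag automatically activates logging on page load.
      -->
      <client-debug-autologging>false</client-debug-autologging>
    </flags>
  </config>

  <config evaluator="string-compare" condition="WebFramework">
    <web-framework>
      <!-- SpringSurf Autowire Runtime Settings -->
      <!--
        Developers can set mode to 'development' to disable SpringSurf caches,
        FreeMarker template caching and Rhino JavaScript compilation.
      -->
      <autowire>
        <!-- Pick the mode: "production" or "development" -->
        <mode>production</mode>
      </autowire>

      <!--
        Allows extension modules with <auto-deploy> set to true to be automatically deployed.
        NOTE(review): with enable-auto-deploy-modules set to true, a module that declares
        auto-deploy is presumably activated without a manual step; confirm that only
        reviewed extension modules can be installed on this server.
      -->
      <module-deployment>
        <mode>manual</mode>
        <enable-auto-deploy-modules>true</enable-auto-deploy-modules>
      </module-deployment>
    </web-framework>
  </config>

  <!--
    Disable the CSRF Token Filter.
    NOTE(review): the empty <filter/> combined with replace="true" replaces the default
    "CSRFPolicy" rules, so none of the token, Referer or Origin checks described in the next
    comment are applied. Prefer keeping the default policy and, when running behind proxies,
    adding the referer/origin parameters as described below instead of disabling the filter.
  -->

  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <filter/>
  </config>

  <!--
    To run the CSRF Token Filter behind 1 or more proxies that do not rewrite the Origin or Referer headers:

    1. Copy the "CSRFPolicy" default config in share-security-config.xml and paste it into this file.
    2. Replace the old config by setting the <config> element's "replace" attribute to "true" like below:
       <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    3. To every <action name="assertReferer"> element add the following child element
       <param name="referer">http://www.proxy1.com/.*|http://www.proxy2.com/.*</param>
    4. To every <action name="assertOrigin"> element add the following child element
       <param name="origin">http://www.proxy1.com|http://www.proxy2.com</param>

    NOTE(review): the example values appear to be regular expressions, in which an unescaped
    dot matches any character. Escaping the dots in the host names keeps the match limited to
    the intended proxies; confirm the matching rules for your Share version.
  -->

  <!--
    Remove the default wildcard setting and use instead a strict whitelist of the only domains that shall be allowed
    to be used inside iframes (i.e. in the WebView dashlet on the dashboards)
  -->
  <!--
  <config evaluator="string-compare" condition="IFramePolicy" replace="true">
    <cross-domain>
      <url>http://www.trusted-domain-1.com/</url>
      <url>http://www.trusted-domain-2.com/</url>
    </cross-domain>
  </config>
  -->

  <!--
    Turn off header that stops Share from being displayed in iframes on pages from other domains.
    NOTE(review): X-Frame-Options is a clickjacking defence; leave it enabled unless Share must
    be framed by another domain.
  -->
  <!--
  <config evaluator="string-compare" condition="SecurityHeadersPolicy">
    <headers>
      <header>
        <name>X-Frame-Options</name>
        <enabled>false</enabled>
      </header>
    </headers>
  </config>
  -->

  <!-- Prevent browser communication over HTTP (for HTTPS servers) -->
  <!--
  <config evaluator="string-compare" condition="SecurityHeadersPolicy">
    <headers>
      <header>
        <name>Strict-Transport-Security</name>
        <value>max-age=31536000</value>
      </header>
    </headers>
  </config>
  -->

  <config evaluator="string-compare" condition="Replication">
    <share-urls>
      <!--
        To locate your current repositoryId go to Admin Console > General > Repository Information:
        http://localhost:8080/alfresco/s/enterprise/admin/admin-repositoryinfo

        Example config entry:
        <share-url repositoryId="622f9533-2a1e-48fe-af4e-ee9e41667ea4">http://new-york-office:8080/share/</share-url>
      -->
    </share-urls>
  </config>

  <!-- Document Library config section -->
  <config evaluator="string-compare" condition="DocumentLibrary" replace="true">

    <tree>
      <!--
        Whether the folder Tree component should enumerate child folders or not.
        This is a relatively expensive operation, so should be set to "false" for Repositories with broad folder structures.
      -->
      <evaluate-child-folders>false</evaluate-child-folders>

      <!--
        Optionally limit the number of folders shown in treeview throughout Share.
      -->
      <maximum-folder-count>1000</maximum-folder-count>

      <!--
        Default timeout in milliseconds for folder Tree component to receive response from Repository
      -->
      <timeout>7000</timeout>
    </tree>

    <!--
      Used by "Manage Rules" -> "Add aspect" action.

      If an aspect has been specified without a title element in the content model,
      or you need to support multiple languages,
      then an i18n file is needed on the Repo AMP/JAR extension side for the aspect to
      be visible when creating rules:

      custom_customModel.aspect.custom_myaspect.title=My Aspect

      Used by the "Manage Aspects" action.

      For the aspect to have a localised label add relevant i18n string(s) in a Share AMP/JAR extension:

      aspect.custom_myaspect=My Aspect
    -->
    <aspects>
      <!-- Aspects that a user can see -->
      <visible>
        <aspect name="cm:generalclassifiable" />
        <aspect name="cm:complianceable" />
        <aspect name="cm:dublincore" />
        <aspect name="cm:effectivity" />
        <aspect name="cm:summarizable" />
        <aspect name="cm:versionable" />
        <aspect name="cm:templatable" />
        <aspect name="cm:emailed" />
        <aspect name="emailserver:aliasable" />
        <aspect name="cm:taggable" />
        <aspect name="app:inlineeditable" />
        <aspect name="cm:geographic" />
        <aspect name="exif:exif" />
        <aspect name="audio:audio" />
        <aspect name="cm:indexControl" />
        <aspect name="dp:restrictable" />
        <aspect name="smf:customConfigSmartFolder" />
        <aspect name="smf:systemConfigSmartFolder" />
      </visible>

      <!-- Aspects that a user can add. Same as "visible" if left empty -->
      <addable>
      </addable>

      <!-- Aspects that a user can remove. Same as "visible" if left empty -->
      <removeable>
      </removeable>
    </aspects>

    <!--
      Used by "Manage Rules" -> "Specialise type" action.

      If a type has been specified without a title element in the content model,
      or you need to support multiple languages,
      then an i18n file is needed on the Repo AMP/JAR extension side for the type to
      be visible when creating rules:

      custom_customModel.type.custom_mytype.title=My SubType

      Used by the "Change Type" action.

      For the type to have a localised label add relevant i18n string(s) in a Share AMP/JAR extension:

      type.custom_mytype=My SubType

      Define valid subtypes using the following example:

      <type name="cm:content">
        <subtype name="custom:mytype" />
      </type>
    -->
    <types>
      <type name="cm:content">
        <subtype name="smf:smartFolderTemplate" />
      </type>

      <type name="cm:folder">
      </type>

      <type name="trx:transferTarget">
        <subtype name="trx:fileTransferTarget" />
      </type>
    </types>

    <!--
      If set, will present a WebDAV link for the current item on the Document and Folder details pages.
      Also used to generate the "View in Alfresco Explorer" action for folders.
    -->
    <repository-url>http://localhost:8080/alfresco</repository-url>

    <!--
      Google Docs™ integration
    -->
    <google-docs>
      <!--
        Enable/disable the Google Docs UI integration (Extra types on Create Content menu, Google Docs actions).
      -->
      <enabled>false</enabled>

      <!--
        The mimetypes of documents Google Docs allows you to create via the Share interface.
        The I18N label is created from the "type" attribute, e.g. google-docs.doc=Google Docs™ Document
      -->
      <creatable-types>
        <creatable type="doc">application/vnd.openxmlformats-officedocument.wordprocessingml.document</creatable>
        <creatable type="xls">application/vnd.openxmlformats-officedocument.spreadsheetml.sheet</creatable>
        <creatable type="ppt">application/vnd.ms-powerpoint</creatable>
      </creatable-types>
    </google-docs>

    <!--
      File upload configuration
    -->
    <file-upload>
      <!--
        Adobe Flash™
        In certain environments, an HTTP request originating from Flash cannot be authenticated using an existing session.
        See: http://bugs.adobe.com/jira/browse/FP-4830
        For these cases, it is useful to disable the Flash-based uploader for Share Document Libraries.
        NOTE(review): Adobe Flash Player is no longer supported by its vendor; consider setting
        this to false so the Flash-based uploader is not offered to browsers.
      -->
      <adobe-flash-enabled>true</adobe-flash-enabled>
    </file-upload>
  </config>


  <!-- Custom DocLibActions config section -->
  <config evaluator="string-compare" condition="DocLibActions">
    <actionGroups>
      <actionGroup id="document-browse">

        <!-- Simple Repo Actions -->
        <!--
        <action index="340" id="document-extract-metadata" />
        <action index="350" id="document-increment-counter" />
        -->

        <!-- Dialog Repo Actions -->
        <!--
        <action index="360" id="document-transform" />
        <action index="370" id="document-transform-image" />
        <action index="380" id="document-execute-script" />
        -->

      </actionGroup>
    </actionGroups>
  </config>

  <!-- Global folder picker config section -->
  <config evaluator="string-compare" condition="GlobalFolder">
    <siteTree>
      <container type="cm:folder">
        <!-- Use a specific label for this container type in the tree -->
        <rootLabel>location.path.documents</rootLabel>
        <!--
          Use a specific uri to retrieve the child nodes for this container type in the tree.
          The ampersand in the query string must be written as an entity reference so that the
          file stays well-formed XML.
        -->
        <uri>slingshot/doclib/treenode/site/{site}/{container}{path}?children={evaluateChildFoldersSite}&amp;max={maximumFolderCountSite}</uri>
      </container>
    </siteTree>
  </config>

  <!-- Repository Library config section -->
  <config evaluator="string-compare" condition="RepositoryLibrary" replace="true">
    <!--
      Root nodeRef or xpath expression for top-level folder.
      e.g. alfresco://user/home, /app:company_home/st:sites/cm:site1
      If using an xpath expression, ensure it is properly ISO9075 encoded here.
    -->
    <root-node>alfresco://company/home</root-node>

    <tree>
      <!--
        Whether the folder Tree component should enumerate child folders or not.
        This is a relatively expensive operation, so should be set to "false" for Repositories with broad folder structures.
      -->
      <evaluate-child-folders>false</evaluate-child-folders>

      <!--
        Optionally limit the number of folders shown in treeview throughout Share.
      -->
      <maximum-folder-count>500</maximum-folder-count>
    </tree>

    <!--
      Whether the link to the Repository Library appears in the header component or not.
    -->
    <visible>true</visible>
  </config>

  <!-- Kerberos settings -->
  <!-- To enable Kerberos rename this condition to "Kerberos" -->
  <config evaluator="string-compare" condition="KerberosDisabled" replace="true">
    <kerberos>
      <!--
        Password for HTTP service account.
        The account name *must* be built from the HTTP server name, in the format :
          HTTP/<server_name>@<realm>
        (NB this is because the web browser requests an ST for the
        HTTP/<server_name> principal in the current realm, so if we're to decode
        that ST, it has to match.)
        NOTE(review): the value below looks like a sample. Set the real service account password
        before renaming the condition to "Kerberos", and restrict read access to this file
        because the password is stored here in clear text.
      -->
      <password>secret</password>
      <!--
        Kerberos realm and KDC address.
      -->
      <realm>ALFRESCO.ORG</realm>
      <!--
        Service Principal Name to use on the repository tier.
        This must be like: HTTP/host.name@REALM
      -->
      <endpoint-spn>HTTP/repository.server.com@ALFRESCO.ORG</endpoint-spn>
      <!--
        JAAS login configuration entry name.
      -->
      <config-entry>ShareHTTP</config-entry>
      <!--
        A Boolean which when true strips the @domain suffix from Kerberos authenticated usernames.
        Use together with stripUsernameSuffix property in alfresco-global.properties file.
      -->
      <stripUserNameSuffix>true</stripUserNameSuffix>
    </kerberos>
  </config>

  <!-- Uncomment and modify the URL to Activiti Admin Console if required. -->
  <!--
  <config evaluator="string-compare" condition="ActivitiAdmin" replace="true">
    <activiti-admin-url>http://localhost:8080/alfresco/activiti-admin</activiti-admin-url>
  </config>
  -->

  <!--
    Default remote endpoints.
    NOTE(review): every endpoint-url here uses plain http to localhost. If the repository runs
    on another host, use https for these URLs so that credentials (including the basic-auth
    endpoint) are not sent in clear text.
  -->
  <config evaluator="string-compare" condition="Remote">
    <remote>
      <endpoint>
        <id>alfresco-noauth</id>
        <name>Alfresco - unauthenticated access</name>
        <description>Access to Alfresco Repository WebScripts that do not require authentication</description>
        <connector-id>alfresco</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <identity>none</identity>
      </endpoint>

      <endpoint>
        <id>alfresco</id>
        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>
        <connector-id>alfresco</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <identity>user</identity>
      </endpoint>

      <endpoint>
        <id>alfresco-feed</id>
        <name>Alfresco Feed</name>
        <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
        <connector-id>http</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <basic-auth>true</basic-auth>
        <identity>user</identity>
      </endpoint>

      <endpoint>
        <id>alfresco-api</id>
        <parent-id>alfresco</parent-id>
        <name>Alfresco Public API - user access</name>
        <description>Access to Alfresco Repository Public API that require user authentication.
          This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
        <connector-id>alfresco</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
        <identity>user</identity>
      </endpoint>
    </remote>
  </config>

  <!--
    Overriding endpoints to reference an Alfresco server with external SSO enabled
    NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
          sessions" feature of your load balancer must be used.
    NOTE: If alfresco server location is not localhost:8080 then also combine changes from the
          "example port config" section below.
    *Optional* ssl-config contains:
          keystore for managing client key and certificate.
          truststore for managing trusted CAs.
          Used to authenticate share to an external SSO system such as CAS or
          to make share talk to SSL layers that require client certificates.
          Remove the ssl-config section if not required i.e. for NTLM.

    NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"

    NOTE: For external SSO, switch the endpoint connector to "alfrescoHeader" and set
          the userHeader value to the name of the HTTP header that the external SSO
          uses to provide the authenticated user name.
    NOTE: For external SSO, Share now supports the "userIdPattern" mechanism as is available
          on the repository config for External Authentication sub-system. Add the following
          element to your "alfrescoHeader" connector config:
             <userIdPattern>^ignore-(\w+)-ignore</userIdPattern>
          This is an example, ensure the Id pattern matches your repository config.
    NOTE: For external SSO, Share now supports stateless (no Http Session or sticky session)
          connection to the repository when using the alfrescoHeader remote user connector.
          e.g. You can change endpoint config to use the faster /service URL instead of the
          /wcs URL if you are using External Authentication and then remove sticky session config
          from your proxy between Share and Alfresco. Note that this is also faster because Share
          will no longer call the /touch REST API before every remote call to the repository.
  -->

  <!-- Security warning -->
  <!-- For production environment set verify-hostname to true. -->

  <config evaluator="string-compare" condition="Remote">
    <remote>
      <!--
        NOTE(review): the keystore and truststore passwords below are stored in clear text and
        look like sample defaults. Use site-specific values and restrict read access to this
        file and to the keystore files it points at.
      -->
      <ssl-config>
        <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
        <keystore-type>pkcs12</keystore-type>
        <keystore-password>alfresco-system</keystore-password>

        <truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
        <truststore-type>JCEKS</truststore-type>
        <truststore-password>password</truststore-password>

        <verify-hostname>true</verify-hostname>
      </ssl-config>

      <connector>
        <id>alfrescoCookie</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using cookie-based authentication</description>
        <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      </connector>

      <!--
        NOTE(review): with this connector the authenticated user name is read from the HTTP
        header named in userHeader. That header is only trustworthy when requests can reach
        Share and the repository solely through the SSO proxy and the proxy discards any
        copy of the header sent by the client; verify both before enabling external-auth.
      -->
      <connector>
        <id>alfrescoHeader</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
        <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
        <userHeader>X-Alfresco-Remote-User</userHeader>
      </connector>

      <endpoint>
        <id>alfresco</id>
        <name>Alfresco - user access</name>
        <description>Access to Alfresco Repository WebScripts that require user authentication</description>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>

      <endpoint>
        <id>alfresco-feed</id>
        <parent-id>alfresco</parent-id>
        <name>Alfresco Feed</name>
        <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>

      <endpoint>
        <id>alfresco-api</id>
        <parent-id>alfresco</parent-id>
        <name>Alfresco Public API - user access</name>
        <description>Access to Alfresco Repository Public API that require user authentication.
          This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
        <connector-id>alfrescoHeader</connector-id>
        <endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>
    </remote>
  </config>

  <!-- Cookie settings -->
  <!--
    To disable alfUsername2 cookie set enableCookie value to "false".
    NOTE(review): this comment names alfUsername2 while the example below removes
    alfUsername3; confirm the cookie name used by your Share version.
  -->
  <!--
  <plug-ins>
    <element-readers>
      <element-reader element-name="cookie" class="org.alfresco.web.config.cookie.CookieElementReader"/>
    </element-readers>
  </plug-ins>

  <config evaluator="string-compare" condition="Cookie" replace="true">
    <cookie>
      <enableCookie>false</enableCookie>
      <cookies-to-remove>
        <cookie-to-remove>alfUsername3</cookie-to-remove>
        <cookie-to-remove>alfLogin</cookie-to-remove>
      </cookies-to-remove>
    </cookie>
  </config>
  -->
</alfresco-config>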