This document will help you configure the Opencast security policy.
Opencast service endpoints and user interfaces are secured by default using a set of servlet filters. The following diagram illustrates the flow of an HTTP request and response through these filters.
The Spring Security filters used here are very powerful, but are also somewhat complicated. Please familiarize yourself
with the basic concepts and vocabulary described in the Spring Security documentation, then edit the xml files in
etc/security, as described below.
To configure access roles and URL patterns for a tenant, modify
If you are not hosting multiple tenants on your Opencast server or cluster,
all configuration should be done in
<!-- Allow anonymous access to the welcome.html URLs -->
<sec:intercept-url pattern='/welcome.html' access='ROLE_ANONYMOUS,ROLE_USER'/>
<!-- Allow anonymous GET to the search service, but not POST or PUT -->
<sec:intercept-url pattern='/search/**' method="GET" access='ROLE_ANONYMOUS,ROLE_USER' />
<!-- Allow users with the admin role to do anything -->
<sec:intercept-url pattern='/**' access='ROLE_ADMIN'/>
Opencast specifies an AuthenticationProvider by default, using a UserDetailService that is obtained from the OSGI service registry.
You can use this simple provider as is, loading users into the
oc_role database tables, and specifying
an administrative username and password in
User and Role Providers
Opencast allows user and role information to be supplied from external systems through user and role providers. Four user providers are available by default:
- LDAP User Provider, described in LDAP Security and Authorization
- Sakai User Provider
- Moodle User Provider
- Brightspace D2L User Provider
- Canvas LMS User Provider
The set of user and role providers can be configured. If you do not want to keep users and passwords in Opencast's database, you can replace the JpaUserAndRoleProvider with the LdapUserProvider by replacing the userdirectory-jpa jar with the userdirectory-ldap jar.
Further Authentication Configuration
- Configure Central Authentication Service (CAS)
- Configure LDAP Authentication and Authorization
- Configure Authentication and Authorization Infrastructure (AAI)
- Configure JWT-based Authentication and Authorization (e.g. for OIDC)