Security Configuration

This document will help you configure the Opencast security policy.


Opencast service endpoints and user interfaces are secured by default using a set of servlet filters. The following diagram illustrates the flow of an HTTP request and response through these filters.


The Spring Security filters used here are very powerful, but are also somewhat complicated. Please familiarize yourself with the basic concepts and vocabulary described in the Spring Security documentation, then edit the xml files in etc/security, as described below.

Configure Access

To configure access roles and URL patterns for a tenant, modify /etc/security/{{tenant_identifier.xml}}. If you are not hosting multiple tenants on your Opencast server or cluster, all configuration should be done in mh_default_org.xml.

Some examples:

<!-- Allow anonymous access to the welcome.html URLs -->
<sec:intercept-url pattern='/welcome.html' access='ROLE_ANONYMOUS,ROLE_USER'/>

<!-- Allow anonymous GET to the search service, but not POST or PUT -->
<sec:intercept-url pattern='/search/**' method="GET" access='ROLE_ANONYMOUS,ROLE_USER' />

<!-- Allow users with the admin role to do anything -->
<sec:intercept-url pattern='/**' access='ROLE_ADMIN'/>

Authentication Provider

Opencast specifies an AuthenticationProvider by default, using a UserDetailService that is obtained from the OSGI service registry.

You can use this simple provider as is, loading users into the mh_user and mh_role database tables, and specifying an administrative username and password in

The set of user and role providers can be configured. If you do not want to keep users and passwords in Opencast's database, you can replace the JpaUserAndRoleProvider with the LdapUserProvider by replacing the matterhorn-userdirectory-jpa jar with the matterhorn-userdirectory-ldap jar.

Adding Users to the Opencast Database

Additional users can be created by adding a username, organization and password hash to the mh_user table in the Opencast database. The default hash method is MD5 and the password must be salted with the username in curly braces.

At the moment, there is no graphical user interface for this task. It has to be done in the database.

Example: Adding Garfield with the password 'monday' (in MySQL)

INSERT INTO `opencast`.`mh_user` (`username`, `organization`, `password`) VALUES ('garfield', 'mh_default_org', MD5('monday{garfield}'));

In the next step roles for the newly created user can be added to the mh_role table. After that the created user and role id can be added to the mh_user_role table. Here we set ROLE_USER for Garfield:

INSERT INTO `opencast`.`mh_role` (`organization`, `name`, `description`) VALUES ('mh_default_org', 'ROLE_USER', 'The user role');
INSERT INTO `opencast`.`mh_user_role` (`user_id`, `role_id`) VALUES ('220', '221');

Note that you must set the value of the organization field to the organization ID specified in one of the .../etc/org.opencast.organization-<organization_name>.cfg files. In a default installation this is mh_default_org.

Further Authentication Configuration

Configure Central Authentication Service (CAS)