Source Code Modifications

A few modifications were made to the Confluence source code to work better in the Penn State environment.

Default ACL 

By default, when a space is created, the default ACL only lets the local group "confluence-users" view and modify the new space. Since we use LDAP for authorization and don't want to have to maintain a separate local group, some modifications were made to make the default ACL use the LDAP group psu.facstaff.

In the file ./confluence/src/java/com/atlassian/confluence/util/actions/PermissionSetter.java, change the following line

spacePermissionManager.savePermission(new SpacePermission(permissionType, space, UserAccessor.GROUP_CONFLUENCE_USERS, null));

to:

spacePermissionManager.savePermission(new SpacePermission(permissionType, space, "psu.facstaff", null));

Alternatively, in ./confluence/src/java/com/atlassian/confluence/user/UserAccessor.java you can change

String GROUP_CONFLUENCE_USERS = "confluence-users";

to

String GROUP_CONFLUENCE_USERS = "psu.facstaff";

AND

if (registeredCanEdit)
{
    for (Iterator iterator = EDIT_SPACE_PERMISSIONS.iterator(); iterator.hasNext();)
    {
        String permissionType = (String) iterator.next();
        spacePermissionManager.savePermission(new SpacePermission(permissionType, space, "psu.facstaff", null));
    }
}

AND

if (anonymousCanView)
{
    String permissionType = (String) SpacePermission.COMMENT_PERMISSION;
    spacePermissionManager.savePermission(new SpacePermission(permissionType, space, null, null));
}

In ./confluence/target/classes/com/atlassian/confluence/core/ConfluenceActionSupport.properties, change create.space.permissions.registered to:

create.space.permissions.registered=Faculty and Staff

and

create.space.permissions.view.desc=Choose who can <b>view</b> content:


Not allowing anonymous to edit.

Only registered users are allowed to edit pages. A person must at least be logged in with FPS to make changes.

In ./conf-webapp/src/main/webapp/spaces/includes/createspace_permissions.vm, comment out the following like so:

###            #if ($permissionHelper.globalAnonymousAccessEnabled)
###                #tag( Checkbox "label='create.space.permissions.anonymous'"
###                      "name='permissionSetter.anonymousCanEdit'"
###                      "value=permissionSetter.anonymousCanEdit"
###                      "theme='notable'" )
###            #end

Comment out code in ./confluence/conf-webapp/src/main/webapp/template/includes/macros.vm that allows anon to do anything other than view around line 1133.

Fixing the anonymous problem

If you allow anonymous to view a space but don't explicitly give specific userids access to view the space, only anonymous will be able to view the space.

./confluence/src/java/com/atlassian/confluence/security/DefaultSpacePermissionManager.java

Move this block of code:

if (hasPermissionAsAnonymousUser(space, permissionType))
    return true;

and this block of code:

/**
 * If it's not an anonymous user, and the user DOESN'T have SpacePermission.USE_CONFLUENCE_PERMISSION
 * from their group or user membership, return false
 */
// if (remoteUser != null && !(hasPermissionViaGroups(remoteUser, null, SpacePermission.USE_CONFLUENCE_PERMISSION)
//         || hasPermissionAsUser(remoteUser, null, SpacePermission.USE_CONFLUENCE_PERMISSION)))
//     return false;

I.e., if anonymous can view the space, that means anyone can view the space, so don't do any more permission checks. The way Atlassian and most other people use Confluence is different from the way we do. They allow anyone to sign up for access to it via its built-in user management service. The user that signs up is then joined to a local group called confluence-users. This group is explicitly given permission to use Confluence.

We don't use Confluence's built-in user management authn; we use Webaccess. We also don't populate the local group confluence-users. We explicitly allow the LDAP group psu.facstaff to be able to view and create spaces. All other users (i.e. students) are not in an LDAP group that we can explicitly give permission to (à la confluence-users in the default setup). Therefore, the preceding code changes had to be made.
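
The effect of this reordering on who can view a space, as an added example (not Confluence source and not the code used at Penn State): a simplified model that assumes the stock method applies the global "use Confluence" gate before the anonymous check. The class, method, space and user names are hypothetical; the only decision that differs between the two versions is a logged-in user with no groups on an anonymous-viewable space.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: simplified model of the view check, not Confluence source.
// All names and data below are hypothetical/constructed (Java 9+).
public class SpacePermissionOrderDemo {
    static final String ANON = "anonymous";
    // Groups holding the global "use Confluence" permission.
    static final Set<String> GLOBAL_USE = Set.of("psu.facstaff");
    // Space -> who may view it (ANON marks "anonymous can view").
    static final Map<String, Set<String>> VIEWERS = Map.of(
            "public-space", Set.of(ANON),
            "staff-space", Set.of("psu.facstaff"));

    // Assumed stock order: logged-in users must pass the global gate
    // before the anonymous check is ever reached.
    static boolean stockCanView(String user, Set<String> groups, String space) {
        if (user != null && Collections.disjoint(groups, GLOBAL_USE)) {
            return false;
        }
        if (VIEWERS.get(space).contains(ANON)) {
            return true;
        }
        return user != null && !Collections.disjoint(groups, VIEWERS.get(space));
    }

    // Modified order from this page: anonymous check first, global gate removed.
    static boolean modifiedCanView(String user, Set<String> groups, String space) {
        if (VIEWERS.get(space).contains(ANON)) {
            return true;
        }
        return user != null && !Collections.disjoint(groups, VIEWERS.get(space));
    }

    public static void main(String[] args) {
        String[] users = {null, "student1", "prof1"}; // null = not logged in
        List<Set<String>> groups = List.of(Set.of(), Set.of(), Set.of("psu.facstaff"));
        for (String space : List.of("public-space", "staff-space")) {
            for (int i = 0; i < users.length; i++) {
                System.out.printf("%-12s %-9s stock=%-5b modified=%b%n", space,
                        users[i], stockCanView(users[i], groups.get(i), space),
                        modifiedCanView(users[i], groups.get(i), space));
            }
        }
    }
}
```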

Cosmetic Changes

Changing the name of the dashboard to "WikiSpaces."

There are 7 instances of the word Dashboard in
   ./confluence/src/etc/java/com/atlassian/confluence/core/ConfluenceActionSupport.properties.

Change them all to WikiSpaces

dashboard.name=WikiSpaces
go.to.dashboard=Go to the WikiSpaces
title.dashboard=WikiSpaces
404.nav.dashboard=Your WikiSpaces
alert.convert=Personal spaces will not be listed in the global space list on the WikiSpaces. This operation <b>cannot be undone</b>.
dashboardlabels.name=WikiSpaces Labels
default.dashboard=Default: WikiSpaces

Change some British spellings to American English:

Change all instances of "favourite" to "favorite"

favourite-pages=Favorite Pages
displaying.favourite.pages=Displaying pages recently added to <a href="{0}">your favorites list</a>.
no.favourite.pages=There are currently no pages on your favorites list. \
favourite.add.space=Add this space to your favorites list
favourite.remove.space=Remove this space from your favorites list
favourite.add.page=Add this page to your favorites list
favourite.remove.page=Remove this page from your favorites list
shortcut.description=Shortcut links can help you compose links to your favorite websites with greater ease. \
  They do that by storing the portion of the URL that doesn''t change.
system.favourite.colour=System Favorite Colour
currently.no.spaces=You currently do not have any spaces on your favorites list. To add one, \
  click the <em>All</em> tab and then on <img src={0}> next to the spaces you want to add as favorites.
error.occured.adding.to.favourites=An error occurred adding space to favorites.
favourite.spaces=Favorite Spaces
space.start.favourite=Add Space to Favorites
space.stop.favourite=Remove Space from Favorites
personal.space.mark.favourite=Mark personal space as favorite
favourite.people=Favorite People
person.favourite.add=Add {0} to Favorites
person.favourite.remove=Remove {0} from Favorites
no.people.in.favourites=You do not have any people in your favorites list.

Organisation and organise:

license.organisation=Organization
  - the Enterprise wiki</a>.<br/> <a href="{2}">Learn more</a> or <a href="{3}">evaluate Confluence for your organization</a>.
    <a href="{2}{3}">Evaluate Confluence</a> for your organization or read more about Confluence licensing <a href="{4}{5}">here</a>.
spaces.desc=All content in Confluence is organized into <em>spaces</em>. So to start browsing content, \
space.group.description=A space group is used to organize and manage related spaces.
no.space.groups.created=No space groups have been created yet. Space groups are used to organize and \
tables.desc=Tables allow you to organize content in a rows and columns, with a header row if required.
demo.content.space.description=A space to demonstrate what Confluence can do for your organization.
space.desc=<p>Content in Confluence is organized into <b>spaces</b>.</p> \
space.group.desc=A space''s <b>group</b> is a way to organize and manage related spaces.

customise to customize: ./confluence/src/etc/java/com/atlassian/confluence/core/ConfluenceActionSupport.properties

global.theme.default.desc=Assign the default Confluence look and feel. You can customize colour-schemes and \
desc.colourscheme = The following colours can be customized for this colour scheme.
desc.decorators = The following decorators can be customized for this Confluence instance.
desc.exportTemplates = The following export templates can be customized for this Confluence instance.
  You can easily customize the list and order of the columns being displayed, by specifying <b>columns</b> parameter.
action.customize=Custom Installation
error.no.setup.type=You must select one of 'Install' or 'Customize'
theme.default.desc=Use the globally configured look and feel. You can customize colour schemes and \
theme.configure.desc=- further customize this theme''s options
space.desc.colourscheme = The following colours can be customized in this space:
create.space.permissions.desc=You can customize these permissions once the space is created.
theme.set=You can not customize the site look and feel while a theme is active. You must first disable \
themes.description=Themes are Confluence plugin modules that customize the look of the site.
themes.description.text.2=If you do not select a theme, the default look and feel will be applied, \
  or you may customize the site''s appearance manually through colour-scheme and layout customisation.
lookandfeel.page.description=Use this screen to customize the colour scheme of your site. \
Enter standard HTML/CSS2 colour codes, or use the \
choosetheme.theme.description=Themes are Confluence plugin modules that customize the look of the space. You can learn \
  space, or you may customize the space''s appearance manually through colour-scheme and layout customisation.
spaces.lookandfeel.help=Here you can customize the look of this Confluence space.

Allowing all authenticated users

Confluence allows you to set global access permissions based on LDAP membership and allows you to enable anonymous access. Unfortunately, no one is truly anonymous and has to be logged in to use the wiki. Since students aren't in an LDAP group you can specify to allow access, a modification had to be made to allow anyone to see the dashboard.

In the file ./confluence/src/java/com/atlassian/confluence/core/ConfluenceActionSupport.java, around line 193, change isPermitted to simply return true:

public boolean isPermitted()
{
    return true;
}

To remove the not authorized to view dashboard message, comment out the following lines in login.vm. login.vm is in either /var/confluence-2.5.6-std/confluence/login.vm or ./confluence/src/webapp/login.vm or (2.6) ./conf-webapp/src/main/webapp/login.vm

Around line 13:

###        #if($req.remoteUser && $seraph.getOriginalURL($req))
###            <div align="center" class="error">$action.getText("login.not.permitted.description",
###                 [$generalUtil.htmlEncode($seraph.getOriginalURL($req))])</div>
###        #end


Null Pointer Exceptions




To fix an errant null pointer error when a user isn't in any LDAP groups ("OSUGroupManager.java", line 212):

if (groupNamesForUser == null) {
    return new DefaultPager(groupsForUser);
}

Building

You need to have Maven 2.x to build the Confluence source code. To build a war file for Tomcat, run the following commands in the "confluence" directory under the root of the Confluence source code (replacing the path to Maven with the correct path to Maven on your machine):

Give Java a little more memory; it's going to need it:

export MAVEN_OPTS='-Xms1532m -Xmx1532m'

Have Maven build the war:

/usr/local/maven-2.0.7/bin/mvn -Dmaven.test.skip=true install

Newer Confluence (> 2.6):

/usr/local/apache-maven-2.0.8/bin/mvn package -Pstandalone -Dmaven.test.skip=true

The unit tests take a long time. If you wish to run them, leave out the -Dmaven.test.skip=true flag.

Apache config

Fixing logout to work with Webaccess

Don't pass requests for logout.action to the servlet; we want to intercept them, expire cookies and redirect over to Webaccess.

ProxyPass /logout.action !
Alias /logout.action /var/logout/logout.php

ProxyPass / ajp://localhost:8009/

MySQL config

Changing max_allowed_packet setting
A communication packet is a single SQL statement sent to the MySQL server, a single row that is sent to the client, or a binary log event sent from a master replication server to a slave. This is controlled by the max_allowed_packet setting in my.cnf.

The default for max_allowed_packet is 16 megs. This needs to be set to something larger, as attachments are allowed to be much bigger than this.

max_allowed_packet      = 4096M

Internet2 Use of Confluence

We spoke with Michael Gettes on 24 Aug 2007. He is bringing up an instance of Confluence as part of what is being called "Community Organization." A link to his PowerPoint slide on the topic will be placed into the wiki in this section.

He is facing the same issues with Confluence (ownership and allowing non-anonymous access to the dashboard). We are sharing source code with him.

Michael is looking into setting up a Confluence BoF (Birds of a Feather) session at the Fall 2007 Internet2 member meeting.

CO_08-22-07.ppt 

Authenticator Notes

We use the RemoteUserAuthenticator code from Georgetown to authenticate the user using the REMOTE_USER variable.

To enable this and override Confluence's built-in authenticator, open /var/confluence-2.5.4-std/confluence/WEB-INF/classes/seraph-config.xml and replace the default authenticator of

<authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>

with

<authenticator class="edu.georgetown.middleware.confluence.RemoteUserAuthenticator"/>

Java Memory Usage

We noticed that Tomcat would occasionally crash with OutOfMemoryErrors in the Permanent Generation. We modified /var/confluence-2.5.4-std/bin/setenv.sh to set

JAVA_OPTS="-Xms1532m -Xmx1532m -Dcom.sun.management.jmxremote -XX:MaxPermSize=256m $JAVA_OPTS -Djava.awt.headless=true "

The -Dcom.sun.management.jmxremote option enables the JConsole monitoring application.

-XX:MaxPermSize=256m increases the Permanent Generation size from 64 MB to 256 MB.

Other options to try if we need more information about memory usage:

-XX:+HeapDumpOnOutOfMemoryError
-XX:+PrintGCDetails
-XX:+PrintGCTimeStamps
-verbose:gc
-Xloggc:/path/to/log/file
-XX:+PrintTLAB

Tips and Tricks

Removed Legacy Users from Database

  • ssh confluence.et-test.psu.edu
  • sudo mysql
    • use confluence;
    • select * from os_user;
    • DELETE from os_user WHERE id=XX;
    • DELETE from os_user_group where user_id=XX;
    • quit
  • exit

Replace instances of https://confluence.et-test.psu.edu with https://wikispaces.psu.edu

  • /var/confluence-2.5.4-std/bin/shutdown.sh
  • service mysqld stop
  • dsmc inc (it's nightly but take another snapshot to be super safe)
  • mysql -p confluence
  • update BODYCONTENT set BODY=replace(BODY, 'https://confluence.et-test.psu.edu', 'https://wikispaces.psu.edu');
  • quit
  • /var/confluence-2.5.4-std/bin/startup.sh