
Authentication service configuration is based on the JwtProviderConfig object and, depending on the chosen authentication module, on the JwtLDAPLoginModule, JwtJEELoginModule or JwtAdeliaLoginModule objects.


All these objects are described in the application's /WEB-INF/beans.xml configuration file.


The authentication module(s) are chosen using the jwtLoginModuleName property of the JwtProviderConfig object (by default: "jwtJEELoginModule").

To chain several authentication modules, the module names need to be separated with a comma.


Examples:
Use of the LDAP authentication module:
<bean id="jwtProviderConfig" class="com.hardis.jwtprovider.JwtProviderConfig">
      ...
      <!-- jwtJEELoginModule | jwtLDAPLoginModule -->
      <property name="jwtLoginModuleName"    value="jwtLDAPLoginModule"/>
</bean>



Chaining an LDAP authentication module and an Adelia authentication module:
<bean id="jwtProviderConfig" class="com.hardis.jwtprovider.JwtProviderConfig">
      ...
      <!-- jwtJEELoginModule | jwtLDAPLoginModule | jwtAdeliaLoginModule-->
      <property name="jwtLoginModuleName"    value="jwtLDAPLoginModule,jwtAdeliaLoginModule"/>
      <property name="jwtUnionLMGroupsSet"  value="false"/>
      <property name="jwtGetFirstClaimFound"  value="true"/>
</bean>


Java EE authentication

The Java EE authentication module is selected by setting the jwtLoginModuleName property with the jwtJEELoginModule value where jwtJEELoginModule is a com.hardis.security.loginmodules.jee.JwtJEELoginModule class instance.


The jwtJEELoginModule object serving as the Java EE authentication module is declared as follows:

<bean id="jwtJEELoginModule" class="com.hardis.security.loginmodules.jee.JwtJEELoginModule" lazy-init="true">
      <property name="userParameterName"     value="login"/>
      <property name="passwordParameterName" value="password"/>
      <property name="securityRoles">
         <!-- roles to test to define user roles list -->
         <list>
            <value>role1</value>
            <value>role2</value>
            <value>role3</value>
         </list>
      </property>
      <!--property name="securityRequestUrl"    value="http://127.0.0.1:8080/security/JEELoginServlet"/-->
</bean>


Detailed description of the properties:

  • userParameterName: name of the parameter used to pass the name of the user to be authenticated (by default: "login").

  • passwordParameterName: name of the parameter used to pass the password of the user to be authenticated (by default: "password").

  • securityRoles: list of roles to test to produce the list of roles specific to the authenticated user.

  • securityRequestUrl: by default, this parameter is determined automatically and takes the value http://yourwebcontainerhost:port/contextPath/security/JEELoginServlet.

The user is authenticated by calling the JEELoginServlet servlet via the /security/JEELoginServlet resource.

In the case of a cluster configuration with a front-end server that is not re-entrant (that is, not reachable from the application server), it is advisable to specify the web container IP (127.0.0.1) and the web container port explicitly.


Example:
A front-end server listens on port 80 in front of a firewall.
The web container listens on port 8080.
The firewall does not authorize requests to the front-end IP from the web container.

The URL is therefore http://127.0.0.1:8080/security/JEELoginServlet.


NB: User and role configuration is defined in the Java EE Container setup.




LDAP authentication

The LDAP authentication module is selected by setting the jwtLoginModuleName property with the jwtLDAPLoginModule value where jwtLDAPLoginModule is a com.hardis.security.loginmodules.ldap.JwtLDAPLoginModule class instance.


The jwtLDAPLoginModule object serving as the LDAP authentication module is declared as follows:

<bean id="jwtLDAPLoginModule" class="com.hardis.security.loginmodules.ldap.JwtLDAPLoginModule" init-method="init" lazy-init="true">
      <property name="userParameterName"     value="login"/>
      <property name="passwordParameterName" value="password"/>
      <property name="ldapParameters">
         <map>
              <!-- AD, Domino or ldap -->
              <entry key="type" value="Domino" />
              <entry key="connectionsURL" value="dominoldap.domain.com:389" />
              <entry key="connectionName" value="user" />
              <entry key="connectionPassword" value="password" />
              <entry key="connectionTimeout" value="5000" />
              <entry key="connectionPoolSize" value="10" />
              <entry key="useSSL" value="false" />
               
              <!-- user query information -->
              <entry key="userBase" value="o=domain" />
              <entry key="userSearch" value="(&amp;(uid={0})(objectclass=dominoPerson))" />
              <entry key="userSearchScope" value="SUB" />
              <entry key="userName" value="sn" />
              <entry key="userAttributes" value="attrName1,attrName2" />
              <entry key="userAttributesSearchAsUser" value="true" />
               
              <!-- user groups query information -->
              <entry key="groupBase" value="o=domain" />
              <entry key="groupSearch" value="(member={0})" />
              <entry key="groupSearchAsUser" value="true" />
              <entry key="groupSearchScope" value="SUB" />
              <entry key="groupName" value="cn" />              
              <entry key="rolesMapping" value="role1=group1|group2|group3;role2=group4" />
         </map>
      </property>
      <property name="jwtExtraClaims">
         <map>
            <entry key="claimName" value="userAttributeName"/>
         </map>
      </property>
</bean>


Detailed description of the properties:

  • userParameterName: name of the parameter used to pass the name of the user to be authenticated (by default: "login").

  • passwordParameterName: name of the parameter used to pass the password of the user to be authenticated (by default: "password").

  • ldapParameters: groups together all the attributes of the LDAP configuration.
    Of those, the rolesMapping attribute defines the mapping between roles and groups (for example, role1=group1|group2|group3;role2=group4).
    This mapping ultimately defines the authenticated user's roles.

    connectionsURL is the LDAP URL; connectionName (login) and connectionPassword (password) are required to connect to the LDAP directory.
    userBase indicates the location where users are stored, userSearch is the LDAP filter used to find a user from the login ({0}) and userName is the name of the attribute to use as the user name.
    Finally, userAttributes lists, according to requirements, the attributes to retrieve for the authenticated user other than the name.

    userSearchScope indicates the search scope (BASE, ONE, SUB, SUBORDINATE_SUBTREE). The default value is SUB (recursive search).
    userAttributesSearchAsUser indicates whether the user attributes must be read under the identity of the user being authenticated or by using the LDAP connection profile (connectionName).


    groupBase, groupSearch and groupName are used to find the groups the user belongs to.

    groupSearchScope indicates the search scope (BASE, ONE, SUB, SUBORDINATE_SUBTREE). If the parameter is not specified, the userSearchScope value is used.
    groupSearchAsUser indicates whether the group search must be executed under the identity of the user being authenticated (true by default) or by using the LDAP connection profile (connectionName).

  • jwtExtraclaims: used to add additional claims (token attributes) to the token using <claimName, userAttributeName> pairs, where claimName is the name of the claim to add to the token and userAttributeName is one of the user attribute names listed in userAttributes.


The search scope (userSearchScope, groupSearchScope) indicates how the search must be executed in the LDAP tree (recursion). The possible values are:

  • BASE: only the object targeted by the search is considered.

  • ONE: only the object targeted by the search and its immediate descendants are considered.

  • SUB: the object targeted by the search and all its descendants are considered.

  • SUBORDINATE_SUBTREE: all the descendants of the object targeted by the search are considered, but the object itself is excluded.



Example:

<bean id="jwtLDAPLoginModule" class="com.hardis.security.loginmodules.ldap.JwtLDAPLoginModule" init-method="init" lazy-init="true">
      <property name="userParameterName"     value="login"/>
      <property name="passwordParameterName" value="password"/>
      <property name="ldapParameters">
         <map>
              <!-- AD, Domino or ldap -->
              <entry key="type" value="Domino" />
              ...
              <entry key="userAttributes" value="mail" />
              ...
         </map>
      </property>
      <property name="jwtExtraclaims">
         <map>
            <entry key="email" value="mail"/>
         </map>
      </property>
</bean>


In the example above, the LDAP configuration attribute userAttributes is used to retrieve the user's mail attribute.
The jwtExtraclaims property then adds the value of that attribute to the JWT as the email claim.
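The following is an added illustration, not code from the product, of how the rolesMapping string and the <claimName, userAttributeName> pairs described above turn the groups and attributes read from the directory into roles and extra claims. The directory entry and group names are constructed sample data; the assumption that a role is granted as soon as one of its '|'-separated groups matches is mine.

```python
# Added illustration (not Hardis code): how the LDAP module's rolesMapping and
# jwtExtraclaims settings turn a directory entry into roles and extra claims.

def parse_roles_mapping(mapping):
    """'role1=group1|group2|group3;role2=group4' -> {role: set(groups)}."""
    roles = {}
    for item in mapping.split(";"):
        role, sep, groups = item.strip().partition("=")
        if not sep:
            continue  # tolerate a trailing ';' or an empty segment
        roles[role.strip()] = {g.strip() for g in groups.split("|") if g.strip()}
    return roles

def roles_for_groups(mapping, user_groups):
    """Roles whose mapped groups intersect the group names (groupName values,
    e.g. cn) returned by groupSearch for the user. A role is granted as soon
    as one of its groups matches (assumed meaning of '|')."""
    groups = set(user_groups)
    return sorted(role for role, grp in parse_roles_mapping(mapping).items() if grp & groups)

def unresolvable_claims(user_attributes, jwt_extra_claims):
    """Claim names whose userAttributeName is not in the userAttributes list
    and therefore cannot be read from the directory (configuration check)."""
    fetched = {a.strip() for a in user_attributes.split(",")}
    return sorted(c for c, attr in jwt_extra_claims.items() if attr not in fetched)

def extra_claims(user_entry, user_attributes, jwt_extra_claims):
    """<claimName, value> pairs for the token, built from the attributes read."""
    fetched = {a.strip() for a in user_attributes.split(",")}
    return {claim: user_entry[attr]
            for claim, attr in jwt_extra_claims.items()
            if attr in fetched and attr in user_entry}

# Constructed sample data; the mapping and attribute names come from the beans above.
ROLES_MAPPING = "role1=group1|group2|group3;role2=group4"
USER_ENTRY = {"uid": "jdoe", "sn": "Doe", "mail": "jdoe@domain.com"}
USER_GROUPS = ["group2", "group9"]

if __name__ == "__main__":
    print(roles_for_groups(ROLES_MAPPING, USER_GROUPS))                  # ['role1']
    print(extra_claims(USER_ENTRY, "mail", {"email": "mail"}))           # {'email': 'jdoe@domain.com'}
    print(unresolvable_claims("mail", {"email": "mail", "dept": "ou"}))  # ['dept']
```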




Adelia authentication

The Adelia authentication module is selected by setting the jwtLoginModuleName property with the jwtAdeliaLoginModule value where jwtAdeliaLoginModule is a com.hardis.security.loginmodules.adelia.JwtAdeliaLoginModule class instance.

This type of module is used to delegate authentication to a Visual Adelia Batch program.


The jwtAdeliaLoginModule object serving as the Adelia authentication module is declared as follows:

<bean id="jwtAdeliaLoginModule" class="com.hardis.security.loginmodules.adelia.JwtAdeliaLoginModule" lazy-init="true">
      <property name="userParameterName"     value="login"/>
      <property name="passwordParameterName" value="password"/>
      <property name="adeliaParameters">
         <map>
            <entry key="VAAuthProgram" value="javaobj.JWAUTH" />
            <entry key="SSOEnabled" value="false" />
            <entry key="Unicode" value="false" />
            <entry key="Poolname" value="Pool" />
         </map>
      </property>
</bean>



Details of properties:

  • userParameterName: name of the parameter used to pass the name of the user to be authenticated (by default: "login").
  • passwordParameterName: name of the parameter used to pass the password of the user to be authenticated (by default: "password").
  • adeliaParameters: groups all the attributes specific to the Adelia authentication program:

- VAAuthProgram: name of the Visual Adelia Batch program in charge of authentication.

- SSOEnabled: Single Sign-On enabled or disabled; with SSO, the information missing for the Adelia middleware connection may be substituted with that entered for the authentication request.
By default: false.

- Unicode: indicates whether the Adelia program was generated in Unicode.
By default: false.

- Poolname: indicates the name of the pool used for middleware connections.
By default: "Pool".


The Adelia program in charge of authentication must comply with the following constraints:

  • Authentication is validated by the VAB program body.
  • The program must declare the following parameters:

    Parameter name     | Type                | Kind | Description
    LstCredentials     | LIST (ALPHA, ALPHA) | I    | List containing the login information. The attribute called 'login' returns the user used; the attribute called 'password' returns the password used.
    LstAttrLoginModule | LIST (ALPHA, ALPHA) | I    | List of the LoginModule configuration parameters/attributes.
    retAuthChecked     | NUM_BIN_2           | O    | Returned value indicating whether or not authentication has been successful: 0 = authentication successful; -1 = authentication failed (abort).
    retExtendedUser    | ALPHA               | O    | User value used for the Adelia reserved word *USER. If not entered, the Adelia reserved word *USER returns the user associated with the 'login' attribute.
    LstUserRoles       | LIST(ALPHA)         | O    | List of the authenticated user's roles.
    LstClaims          | LIST (ALPHA, ALPHA) | O    | List of claims to add to the JWT token.
    RetErrMsg          | ALPHA(1024)         | O    | An explanatory message is sent if authentication fails. This message is returned in response to the authentication request.


Caution: The Adelia program must be generated for the standard Java platform and deployed in the authentication service application.



Chaining authentication modules

The authentication phase may use several authentication modules.

The modules are chained in the order in which their names are declared in the jwtLoginModuleName property.


For example, to chain an LDAP authentication with an Adelia authentication, the two module names jwtLDAPLoginModule and jwtAdeliaLoginModule need to be entered into the jwtLoginModuleName property of the jwtProviderConfig object. The names are separated with a comma.


Example:

<bean id="jwtProviderConfig" class="com.hardis.jwtprovider.JwtProviderConfig">
      ...
      <!-- jwtJEELoginModule | jwtLDAPLoginModule | jwtAdeliaLoginModule -->
      <property name="jwtLoginModuleName"    value="jwtLDAPLoginModule,jwtAdeliaLoginModule"/>
      <property name="jwtUnionLMGroupsSet"   value="false"/>
      <property name="jwtGetFirstClaimFound" value="false"/>
</bean>


Authentication is only validated if all the modules validate the authentication.

In the case of successful authentication, each module can return a list of roles and a list of claims.

By default, only the roles appearing in all the lists returned by the authentication modules (intersection) are kept for token creation.

The rule for combining roles across modules can be changed using the jwtUnionLMGroupsSet property of the jwtProviderConfig object.

By setting this property to "true", the set of selected roles is built from the union of the roles returned by each authentication module.


Where claims are concerned, the set of selected claims used to create the token is always built from the union of the claims returned by each authentication module.

If a claim of the same name is returned by several modules, by default the value returned by the module invoked last is kept.

The selection rule for homonymous claims can be changed using the jwtGetFirstClaimFound property of the jwtProviderConfig object.

By setting this property to "true", the value returned by the module invoked first is kept.
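As an added example (not the product's code), the following reproduces the chaining rules described above: every module must succeed, roles are intersected unless jwtUnionLMGroupsSet is true, claims are always unioned, and for a claim returned by several modules the last module wins unless jwtGetFirstClaimFound is true. The per-module results are constructed sample data standing in for the outputs of jwtLDAPLoginModule and jwtAdeliaLoginModule.

```python
# Added illustration (not Hardis code) of how roles and claims from chained
# login modules are combined according to jwtUnionLMGroupsSet and
# jwtGetFirstClaimFound.

def merge_roles(module_roles, jwt_union_lm_groups_set=False):
    """module_roles: one role list per module, in invocation order.
    Default: only roles present in every list (intersection) are kept;
    with jwtUnionLMGroupsSet=true the union is kept instead."""
    sets = [set(r) for r in module_roles]
    if not sets:
        return []
    merged = set.union(*sets) if jwt_union_lm_groups_set else set.intersection(*sets)
    return sorted(merged)

def merge_claims(module_claims, jwt_get_first_claim_found=False):
    """Union of all claims; for a homonymous claim the module invoked last
    wins by default, the module invoked first wins if the property is true."""
    merged = {}
    for claims in module_claims:
        for name, value in claims.items():
            if jwt_get_first_claim_found and name in merged:
                continue  # keep the value already seen from an earlier module
            merged[name] = value
    return merged

def authenticate_chain(results, union_roles=False, first_claim=False):
    """results: (ok, roles, claims) per module in declaration order.
    Returns the token content, or None if any module rejected the user."""
    if not all(ok for ok, _, _ in results):
        return None
    return {"roles": merge_roles([r for _, r, _ in results], union_roles),
            "claims": merge_claims([c for _, _, c in results], first_claim)}

# Constructed sample outputs: LDAP module first, then Adelia module.
LDAP = (True, ["role1", "role2"], {"email": "jdoe@domain.com", "dept": "ldap-dept"})
ADELIA = (True, ["role2", "role3"], {"dept": "adelia-dept", "site": "LYS"})

if __name__ == "__main__":
    print(authenticate_chain([LDAP, ADELIA]))
    # {'roles': ['role2'], 'claims': {'email': ..., 'dept': 'adelia-dept', 'site': 'LYS'}}
    print(authenticate_chain([LDAP, ADELIA], union_roles=True, first_claim=True))
    # {'roles': ['role1', 'role2', 'role3'], 'claims': {..., 'dept': 'ldap-dept', ...}}
```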


