| Table of Contents |
|---|
Available authentication methods
...
Front-end - Back-end interaction:
Basic hybridRealm
Logic-flow:
Basic HybridRealm authentication. The PASOE validates the provided credentials (username & password) directly, through HybridRealm, using the ISwatAuthenticationService.
In order to use AkiomaUser authentication, in the pasoe-config.xml / OEPAS_config.xml configuration file, the AllowedAuthentication property must contain AkiomaUser:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<AllowedAuthentication>AkiomaUser</AllowedAuthentication> |
Note: In case AllowedAuthentication is missing from the config file, the default is AkiomaUser.
ActiveDirectory
Front-end - Back-end interaction:
Logic-flow:
- The client sends POST request with AD credentials to the "/web/Login/Login.html" access-point on the PASOE (swat-backend).
- PASOE forwards AD credentials to the "/auth/ad/login" on the NodeJS (node-main).
- NodeJS handles AD authentication, using passport with passport-ldapauth strategy. Then responds with ssoSessionId & ssoUserId, if authentication successful.
- PASOES passes back to Client the ssoSessionId & ssoUserId.
- Client logins into PASOE, with ssoUserId & ssoSessionId, through HybridRealm.
- PASOE HybridRealm handles login using HybridRealm with ISwatAuthenticationService by checking if the ssoSessionId & ssoUserId is valid in nodeJsISwatAuthenticationService, which sends POST request to "/sessions", with ssoSessionId & ssoUserId, on the NodeJS.
- NodeJs responds back to PASOE with the session's validity.
- PASOE finalizes authentication process.
- Client is authenticated.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
<AllowedAuthentication>ActiveDirectory</AllowedAuthentication>
<ssoAuthenticationURI>http://localhost:8888/auth/ad/login</ssoAuthenticationURI>
<ssoAuthenticationCheckURI>http://localhost:8888/auth/ad/sessions</ssoAuthenticationCheckURI>
<ssoAuthenticationSecretKey>12345678901</ssoAuthenticationSecretKey><!-- OPTIONAL --> |
...
TBD by Sergiu Morar / Sebastian Lucaciu
Security settings
| Anchor | ||||
|---|---|---|---|---|
|
Overview
Configuration
In order to use HybridRealm as the authentication provider of spring.security, the following configuration settings must be set:
oeablSecurity.properties
- http.all.authmanager - Authentication manager to use, in our case: oerealm
- client.login.model - Authentication model to use, in our case: form
- OERealm.UserDetails.realmClass - OERealm (HybridRealm) class to use, in our case: Akioma.Security.HybridRealm
Unauthenticated routes
To define routes that do not require authentication, modify the oeablSecurity.csv configuration file and set the desired URIs to permitAll():
Example for LoginWebHandler /web/Login/ routes:
| Code Block | ||||
|---|---|---|---|---|
| ||||
# "url-pattern","<method>","<spring-access-expression>"
??
# Permit unauthenticated access to /web/Login/**
"/web/Login/**","*","permitAll()"
??
# Authentication for /web/**
"/web/**","*","hasAnyRole('ROLE_PSCUser')"
??
# Best practice - deny anything not explicitly granted
"/**","*","denyAll()" |
Note: To override access for a specific/sub-route: have the override setting before the parent setting. Example: /web/Login sub-route config overrides /web route config, thus it is set before.
| Anchor | ||||
|---|---|---|---|---|
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
<AllowedAuthentication>AkiomaUser,ActiveDirectory</AllowedAuthentication> |
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
METHOD PROTECTED VOID CheckIsAllowedAkiomaUserAuth():
IF LOOKUP("AkiomaUser", SessionManager:AllowedAuthentication) EQ 0 THEN
UNDO, THROW NEW Exception("AkiomaUser authentication is disabled!", 1).
END METHOD. |
Overall architecture
PASOE (AkiomaUser / AD authentication)
NodeJS (AD / AzureAD authentication)
