Build.One Documentation
Page tree

Versions Compared

Old Version 4

changes.mady.by.user Cosmin Ichim

Saved on

compared with

New Version Current

changes.mady.by.user Cosmin Ichim

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

 

 

Table of Contents

Available authentication methods

...

AkiomaUser

Front-end - Back-end interaction:

Basic hybridRealm  

Logic-flow:

Image Added

 

Basic HybridRealm authentication. The PASOE validates the provided credentials (username & password) directly, through HybridRealm, using the ISwatAuthenticationService.

 

In order to use AkiomaUser authentication, in the pasoe-config.xml / OEPAS_config.xml configuration file, the AllowedAuthentication property must contain AkiomaUser:

Code Block
languagexml
titlepasoe-config.xml / OEPAS_config.xml
<AllowedAuthentication>AkiomaUser</AllowedAuthentication>

Note: In case AllowedAuthentication is missing from the config file, the default is AkiomaUser.

ActiveDirectory

Front-end - Back-end interaction:

 Note

: node-main is hidden from the clientLogic-flow:

Image Added


  1. The client sends POST request with AD credentials to the "/web/Login/Login.html" access-point on the PASOE (swat-backend).
  2. PASOE forwards AD credentials to the "/auth/ad/login" on the NodeJS (node-main).
  3. NodeJS handles AD authentication, using passport with passport-ldapauth strategy. Then responds with ssoSessionId & ssoUserId.
  4. PASOES passes back to Client the ssoSessionId & ssoUserId.
  5. Client logins into PASOE, with ssoUserId & ssoSessionId, through HybridRealm.
  6. PASOE HybridRealm handles login using ISwatAuthenticationService, which sends POST request to "/sessions", with ssoSessionId & ssoUserId, on the NodeJS.
  7. NodeJs responds back to PASOE with the session's validity.
  8. PASOE finalizes authentication process.
  9. Client is authenticated.

 

In order to use ActiveDirectory authentication, the following configuration settings must be present in pasoe-config.xml / OEPAS_config.xml:

  • AllowedAuthentication containing "ActiveDirectory" - See AllowedAuthentication.
  • ssoAuthenticationURI - node-main access-point for AD authentication - takes username, password 
  • ssoAuthenticationCheckURI - node-main access-point for checking if a valid SSO session was created, for verifying if the AD authentication was successful.
  • ssoAuthenticationSecretKey - OPTIONAL - secret key known by PASOE and node-main that is passed in the requests to node-main. Provides additional validation that the requests are done from a trusted source (PASOE).

...

Code Block
languagexml
titlepasoe-config.xml / OEPAS_config.xml
	<AllowedAuthentication>ActiveDirectory</AllowedAuthentication>
	<ssoAuthenticationURI>http://localhost:8888/auth/ad/login</ssoAuthenticationURI>
	<ssoAuthenticationCheckURI>http://localhost:8888/auth/ad/sessions</ssoAuthenticationCheckURI>
	<ssoAuthenticationSecretKey>12345678901</ssoAuthenticationSecretKey>

...

ssoAuthenticationSecretKey><!-- OPTIONAL -->

 

Note: node-main is hidden behind PASOE server from the client's perspective.

AzureActiveDirectory

TBD by Sergiu MorarSebastian Lucaciu

 

Security settings

Anchor
HybridRealm
HybridRealm
HybridRealm

Overview

Image Added

Configuration

In order to use HybridRealm as the authentication provider of spring.security, the following configuration settings must be set:

oeablSecurity.properties

  • http.all.authmanager - Authentication manager to use, in our case: oerealm
  • client.login.model - Authentication model to use, in our case: form
  • OERealm.UserDetails.realmClass - OERealm (HybridRealm) class to use, in our case: Akioma.Security.HybridRealm 

Unauthenticated routes

To define routes that do not require authentication, modify the oeablSecurity.csv configuration file and set the desired URIs to permitAll():

Example for LoginWebHandler /web/Login/ routes:

Code Block
languagetext
titleoeablSecurity.csv
# "url-pattern","<method>","<spring-access-expression>"
??
# Permit unauthenticated access to /web/Login/**
"/web/Login/**","*","permitAll()"
??
# Authentication for /web/**
"/web/**","*","hasAnyRole('ROLE_PSCUser')"
??
# Best practice - deny anything not explicitly granted
"/**","*","denyAll()"


Note: To override access for a specific/sub-route: have the override setting before the parent setting. Example: /web/Login sub-route config overrides /web route config, thus it is set before.

 

Anchor
AllowedAuthentication
AllowedAuthentication
Enable/Disable authentication methods

In order to use the existing AkiomaUser and/or ActiveDirectory authentication/s, the <AllowedAuthentication> property must be present in the pasoe-config.xml / OEPAS_config.xml configuration file.

...

Code Block
languagexml
titlepasoe_-config.xml / OEPAS_config.xml
<AllowedAuthentication>AkiomaUser,ActiveDirectory</AllowedAuthentication>

...

The property is checked, during the authentication processes, if the current authentication is allowed.

 

Example for AkiomaUser check:

Code Block
languagetext
titleCheckIsAllowedAkiomaUserAuth
    METHOD PROTECTED VOID CheckIsAllowedAkiomaUserAuth():
        IF LOOKUP("AkiomaUser", SessionManager:AllowedAuthentication) EQ 0 THEN
            UNDO, THROW NEW Exception("AkiomaUser authentication is disabled!", 1).
    END METHOD.


Overall architecture

PASOE (AkiomaUser / AD authentication)

 

Image Added

 

NodeJS (AD / AzureAD authentication)

 

Image Added