...
- The JOC Cockpit accepts the user name and password from the login screen and:
  - either tries to verify the credentials from its local configuration file,
  - or tries to log in to the Active Directory service with the given credentials,
  - or checks the credentials in a Shiro compliant database.
- The credentials are subsequently used for HTTP Authentication with each HTTP request that the JOC Cockpit sends to the JobScheduler Web Services.
- Browsers may cache credentials during a session, i.e. they are re-used for single sign-on when opening the JOC Cockpit in a new browser tab. The credentials cache is cleared on termination of the browser.
- This behavior might vary depending on the browser and version.
- Authentication is configured in a shiro.ini file described in detail in the Authentication and Authorization Configuration article.
Shiro Authentication
- Intended for development and use where security is of relatively low importance.
- User passwords are saved in plain text in an unencrypted .ini file.
LDAP Authentication
- Intended for use in production environments where LDAP is already in use.
- The JOC Cockpit configuration file contains information specifying the LDAP service.
Database Authentication
- Intended for use in production environments... article
- The JOC Cockpit configuration file contains information specifying the database authentication service.
- Authentication information is entered manually in the database.
Authorization
- After successful authentication the JOC Cockpit will check the assignment of roles to the given user:
  - either by using a configurable LDAP query that checks the user's membership in a number of Active Directory groups. An LDAP query is configured for each role and, in case of a positive match for group membership, the user is assigned the relevant role.
  - or by using its local configuration file that includes an assignment of users and roles.
- The assignment of permissions to roles is configured with the local shiro.ini configuration file.
- By default the JOC Cockpit ships with a number of predefined roles and assigned permissions, see the Matrix of Roles and Permissions below.
- Users can:
  - add additional roles of their own,
  - change the permissions assigned to roles.
- Authorization is configured in an .ini file described in detail in the .... article.
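The following is an added example, not part of the original article or of the JOC Cockpit code base: a small audit of a Shiro-style .ini file that reports accounts whose password is stored in plain text (the Shiro Authentication case above) and role assignments that point at a role with no entry in the local configuration (the Authorization case). It assumes the standard Apache Shiro [users] and [roles] line layout and Shiro's $shiro1$ / $shiro2$ hashed-password prefixes; the sample file contents, user names and permission strings are constructed.

```python
# Added example: audit a Shiro-style INI for plain-text passwords and undefined roles.
# Assumed layout (standard Apache Shiro): [users] "name = password, role, ..."
# and [roles] "role = permission, ...". SAMPLE_INI is constructed for illustration.
HASH_PREFIXES = ("$shiro1$", "$shiro2$")  # Shiro's hashed-password formats

SAMPLE_INI = """\
[users]
root = secret, all
alice = $shiro1$SHA-512$500000$c2FsdA==$aGFzaA==, administrator
bob = hunter2, operator, auditor

[roles]
all = *
administrator = example:admin:*
operator = example:job:view
"""

def parse_sections(text):
    """Return {section: {key: value}} for 'key = value' lines, skipping comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Return (users with plain-text passwords, {user: roles missing from [roles]})."""
    sections = parse_sections(text)
    defined = set(sections.get("roles", {}))
    plaintext, dangling = [], {}
    for user, value in sections.get("users", {}).items():
        password, *roles = [part.strip() for part in value.split(",")]
        if not password.startswith(HASH_PREFIXES):
            plaintext.append(user)  # report the account name only, never the secret
        missing = [r for r in roles if r and r not in defined]
        if missing:
            dangling[user] = missing
    return plaintext, dangling

if __name__ == "__main__":
    plain, missing = audit(SAMPLE_INI)
    print("plain-text passwords:", plain)
    print("roles not defined in [roles]:", missing)
```

When roles are resolved through LDAP group queries instead of the local file, only the plain-text password finding applies.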
...