Comment: 'Authorization' section rewritten

...

  • The JOC Cockpit uses Apache Shiro to authenticate and authorize users.
  • Authentication and Authorization can each be mapped by Shiro to separate resources. These are:
    • a local configuration file (shiro.ini) that may include user names, roles and permissions,
    • a directory service that provides an LDAP interface, e.g. Microsoft Active Directory,
    • a database that complies with the Shiro data model requirements and that is managed (and populated) by a system administrator.

Authentication

  • The JOC Cockpit accepts the user name and password from the login screen and, depending on the configuration in the shiro.ini file, either:
    • tries to verify the credentials from its local configuration against information stored in the shiro.ini file,
    • tries to log in to the Active Directory LDAP directory service with the given credentials,
    • or checks the credentials against information stored in a Shiro-compliant database.
  • The authentication credentials are subsequently used for HTTP Authentication with each HTTP request that the JOC Cockpit creates for the JobScheduler Web Services.
    • Browsers may cache credentials during a session, i.e. they are re-used for single sign-on when opening the JOC Cockpit in a new browser tab. The credentials cache is cleared on termination of the browser.
    • This behavior might vary depending on the browser and version.

...

  • Intended for use in production environments.
    • The JOC Cockpit configuration file contains information specifying the database authentication service.
    • Authentication information is entered manually in the database.

Authorization

Authorization is carried out against a mapping of user role(s) to permissions. The method used to specify this mapping depends on the method used for user authentication. After successful authentication the JOC Cockpit will check the assignment of roles to the given user by either:

  • Shiro Authentication:
    • Using a mapping of roles to permissions stored in the local shiro.ini configuration file.
  • LDAP Authentication:
    • Using either:
      • a configurable LDAP query that checks the membership of the user in a number of Active Directory groups. An LDAP query is configured for each role and, in case of a positive match for group membership, the user is assigned the relevant role,
      • or its local configuration file, which includes an assignment of users to roles.
    • This role is then mapped onto a set of permissions using information stored in the local shiro.ini configuration file.
  • Database Authentication:
    • Using a Hibernate query to check the user's role(s) against a table of roles and permissions stored in the same database as is used for authentication.

By default the JOC Cockpit ships with a

...

pre-configured shiro.ini configuration file, which contains a mapping of roles and

...

permissions. This mapping can be used with Shiro and LDAP authentication and is shown in the Matrix of Roles and Permissions section below.

  • System administrators can:
    • add additional roles of their own to the mapping,
    • change the permissions assigned to roles.
  • System administrators wishing to use database authorization can copy this mapping into a database table.
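The user-to-role-to-permission resolution described above, as an added example that is not part of this page or of the JOC Cockpit's own code: it parses a constructed shiro.ini-style file (user names, role names and permission strings are made up) and checks a requested permission against the granted ones using Apache Shiro's wildcard permission semantics, which is what makes a short permission such as jobs:view broader than jobs:view:orders.

```python
"""Resolve user -> roles -> permissions from a shiro.ini-style file and
evaluate a requested permission with Shiro WildcardPermission rules."""
import configparser
from typing import Dict, List, Set, Tuple

# Constructed sample, NOT the shipped JOC Cockpit shiro.ini; names are invented.
SAMPLE_SHIRO_INI = """
[users]
# user = password, role1, role2, ...
alice = secret1, administrator
bob = secret2, operator

[roles]
# role = permission1, permission2, ...
administrator = *
operator = jobs:view, orders:start:*
"""


def parse_shiro_ini(text: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    # Only '=' separates keys from values: permissions themselves contain ':'.
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep the case of user and role names
    cp.read_string(text)
    users = {name: [f.strip() for f in value.split(",")][1:]  # drop the password
             for name, value in cp["users"].items()}
    roles = {role: [p.strip() for p in value.split(",") if p.strip()]
             for role, value in cp["roles"].items()}
    return users, roles


def _parts(perm: str) -> List[Set[str]]:
    # ':' separates parts, ',' separates subparts; matching is case-insensitive.
    return [set(s.strip() for s in part.split(",")) for part in perm.strip().lower().split(":")]


def implies(granted: str, requested: str) -> bool:
    g, r = _parts(granted), _parts(requested)
    for i, rpart in enumerate(r):
        if i >= len(g):          # granted has fewer parts: everything after is implied
            return True
        if "*" not in g[i] and not g[i] >= rpart:
            return False
    # granted has more parts than requested: only implied if the extra parts are all '*'
    return all("*" in gpart for gpart in g[len(r):])


def is_permitted(users: Dict[str, List[str]], roles: Dict[str, List[str]],
                 user: str, requested: str) -> bool:
    granted = [p for role in users.get(user, []) for p in roles.get(role, [])]
    return any(implies(p, requested) for p in granted)
```

Run against the sample: alice (administrator, `*`) is permitted everything, bob may view jobs and any sub-action of it but may not delete jobs, and an unknown user gets nothing.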

...