
...

  • The JOC Cockpit uses Apache Shiro to authenticate and authorize users.
  • Authentication and authorization information can each be read by Shiro from a number of separate resources. These are:
    • a local configuration file (shiro.ini) that may include both authentication and authorization information,
    • a directory authentication service that provides an LDAP interface, such as Microsoft Active Directory, and
    • a database that complies with the Shiro data model requirements and that is managed (and populated) by a system administrator.

...

  • Intended for use in production environments.
    • The JOC Cockpit configuration file contains information specifying the database authentication service.
    • Authentication information is entered manually in the database.

Authorization

After successful authentication the JOC Cockpit checks the assignment of roles to the given user against a mapping of user role(s) to permissions. The method used to specify this mapping depends on the method used for user authentication. The roles assigned to the user are checked using one of the following:

  • Shiro Authentication:
    • Using a mapping of roles to permissions stored in the local shiro.ini configuration file.
  • LDAP Authentication:
    • Using a configurable LDAP query that checks the user's membership of a number of Active Directory groups. An LDAP query is configured for each role; if the group membership matches, the user is assigned the corresponding role. This role is then mapped onto a set of permissions using information stored in the local shiro.ini configuration file.
  • Database Authentication:
    • Using a Hibernate query to check the user's role(s) against a table of roles and permissions stored in the same database that is used for authentication.

By default the JOC Cockpit ships with a pre-configured shiro.ini configuration file, which contains a mapping of roles to permissions. This mapping can be used with Shiro and LDAP authentication and is shown in the Matrix of Roles and Permissions section below.

  • System administrators can:
    • add additional roles of their own to the mapping, and
    • change the permissions assigned to roles.
  • System administrators wishing to use database authorization can copy this mapping into a database table.
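As an added illustration (not part of the original page and not JOC Cockpit code), the following Python resolves a user's effective permissions from a constructed shiro.ini [users]/[roles] mapping, using a port of Shiro's WildcardPermission implication rules; the user names, role names and permission strings are made up placeholders, not the JOC Cockpit defaults.

```python
import configparser

# Constructed shiro.ini fragment (made up for this example; not the JOC
# Cockpit default mapping, and the permission strings are placeholders).
SHIRO_INI = """
[users]
# user = password, role1, role2, ...
alice = secret, administrator
bob   = secret, operator, viewer

[roles]
# role = permission, permission, ...
administrator = *
operator      = job:*
viewer        = job:view, order:view
"""


def load_mapping(ini_text):
    """Return ({user: [roles]}, {role: [permissions]}) parsed from INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # In [users] the first field is the password; the remaining fields are roles.
    users = {u: [f.strip() for f in v.split(",")][1:] for u, v in cp.items("users")}
    roles = {r: [p.strip() for p in v.split(",")] for r, v in cp.items("roles")}
    return users, roles


def _parts(perm):
    """Shiro wildcard syntax: ':' separates parts, ',' subparts; case-insensitive."""
    return [{s.strip() for s in part.split(",")} for part in perm.strip().lower().split(":")]


def implies(granted, requested):
    """Does a granted permission imply a requested one? (Port of Shiro's
    WildcardPermission.implies, written for this example.)"""
    g, r = _parts(granted), _parts(requested)
    for i, other in enumerate(r):
        if i >= len(g):
            return True  # granted is shorter: everything after its parts is implied
        if "*" not in g[i] and not g[i] >= other:
            return False
    # granted has more parts than requested: the extra parts must all be wildcards
    return all("*" in part for part in g[len(r):])


def is_permitted(user, requested, users, roles):
    """True if any role assigned to the user grants the requested permission."""
    return any(implies(granted, requested)
               for role in users.get(user, [])
               for granted in roles.get(role, []))
```

Note that, as in Shiro, `job:view` does not imply the shorter `job`, while `job:*` does.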

...

The document below shows the default roles and permissions delivered in the JOC Cockpit shiro.ini configuration file. System administrators can define additional roles and modify roles and permissions as required.

Document: joc-role-operation-permission.xlsx

...