Product Knowledge Base

Space shortcuts

Page tree

Versions Compared

Old Version 24

changes.mady.by.user Alan Amos

Saved on

compared with

New Version 25

changes.mady.by.user Alan Amos

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The JOC Cockpit uses Apache Shiro to authenticate and authorize users.
  • Authentication and Authorization information can be read by Shiro from a number of separate resources. These are:
    • a local configuration (shiro.ini) file that may include both authentication and authorization information, depending on the methods of authentication and authorization configured;
    • a authentication service that provides an LDAP interface such as Microsoft Active Directory and
    • a database containing both authentication and authorization information and which complies with the Shiro data model requirements. This database will be managed (and populated) by a system administrator.

...

  • The JOC Cockpit accepts the user name and password from the login screen and, depending on the configuration in the shiro.ini file, either:
    • tries to verify the credentials against information stored in the shiro.ini file,
    • tries to login to the LDAP directory service with the given credentials or
    • checks the credentials against information stored in a Shiro compliant database.
  • The authentication credentials are subsequently used for HTTP Authentication with each HTTP request that is created by the JOC Cockpit for the JobScheduler Web Services.
    • Browsers may cache credentials during a session, i.e. they are re-used for single sign-on when opening the JOC Cockpit in a new browser tab. The credentials cache is cleared on termination of the browser.
    • This behavior might vary depending on the browser and version.
  • The configuration of the local shiro.ini file is described in detail in the Configuration of Authentication and Authorization Configuration article.

...

  • Shiro Authentication:
    • Using a mapping of roles to permissions stored in the local shiro.ini configuration file.
  • LDAP Authentication:
    • Using a configurable LDAP query that checks membership of the user with a number of Active Directory groups. An LDAP query is configured for each role and in case of a positive match for group membership the user is assigned a relevant role. This role is then mapped onto a set of permissions using information stored in the local shiro.ini configuration file.
  • Database Authentication:
    • Using a Hibernate query to check the user's role(s) against a table of roles and permissions stored in the same database as used for authentication.

By default the shiro.ini configuration file contains a an example mapping of roles and permissions. This mapping can be used with Shiro and LDAP authentication and is shown in the Matrix of Roles and Permissions section below.

  • System administrators can:
    • add additional roles of their own to the mapping and
    • change the permissions assigned to roles.
  • System administrators wishing to use database authorization can copy this mapping into database tables.
  • Configuration of the shiro.ini file is described in detail in the Configuration of Authentication and Authorization Configuration article.

Viewing User Profile and Roles

The following screenshot shows A user can check the permissions they are currently allocated in the JOC Cockpit. This is done in the User Profile view with , which is opened via the user menu in the top right of the JOC Cockpit window. The following screenshot shows the User Details and Roles information for a user SOS:

 

This view is read-only for all users - changes can only be made by a system administrator modifying the authentication and authorization configuration as described in the the Configuration of Authentication and Authorization Configuration article.

Matrix of Roles and Permissions

...