...
- The JOC Cockpit uses Apache Shiro to authenticate and authorize users.
- Authentication and authorization information can be read by Shiro from a number of separate resources. These are:
  - a local configuration file (shiro.ini) that may include both authentication and authorization information, depending on the methods of authentication and authorization configured;
  - an authentication service that provides an LDAP interface, such as Microsoft Active Directory; and
  - a database containing both authentication and authorization information and which complies with the Shiro data model requirements. This database will be managed (and populated) by a system administrator.
...
- The JOC Cockpit accepts the user name and password from the login screen and, depending on the configuration in the shiro.ini file, either:
  - tries to verify the credentials against information stored in the shiro.ini file,
  - tries to log in to the LDAP directory service with the given credentials, or
  - checks the credentials against information stored in a Shiro compliant database.
- The authentication credentials are subsequently used for HTTP Authentication with each HTTP request that is created by the JOC Cockpit for the JobScheduler Web Services.
- Browsers may cache credentials during a session, i.e. they are re-used for single sign-on when opening the JOC Cockpit in a new browser tab. The credentials cache is cleared on termination of the browser.
- This behavior might vary depending on the browser and version.
- The configuration of the local shiro.ini file is described in detail in the Configuration of Authentication and Authorization Configuration article.
Authentication Methods
...
- Shiro Authentication:
  - Using a mapping of roles to permissions stored in the local shiro.ini configuration file.
- LDAP Authentication:
  - Using a configurable LDAP query that checks the user's membership in a number of Active Directory groups. An LDAP query is configured for each role and, in case of a positive match for group membership, the user is assigned the relevant role. This role is then mapped onto a set of permissions using information stored in the local shiro.ini configuration file.
- Database Authentication:
  - Using a Hibernate query to check the user's role(s) against a table of roles and permissions stored in the same database as used for authentication.
By default the shiro.ini configuration file contains an example mapping of roles and permissions. This mapping can be used with Shiro and LDAP authentication and is shown in the Matrix of Roles and Permissions section below.
- System administrators can:
- add additional roles of their own to the mapping and
- change the permissions assigned to roles.
- System administrators wishing to use database authorization can copy this mapping into database tables.
- Configuration of the shiro.ini file is described in detail in the Configuration of Authentication and Authorization Configuration article.
Viewing User Profile and Roles
A user can check the permissions they are currently allocated in the JOC Cockpit. This is done in the User Profile view, which is opened via the user menu in the top right of the JOC Cockpit window. The following screenshot shows the User Details and Roles information for a user SOS:
This view is read-only for all users - changes can only be made by a system administrator modifying the authentication and authorization configuration as described in the Configuration of Authentication and Authorization Configuration article.
Matrix of Roles and Permissions
...