...
As indicated in the schematic architecture diagram above, communication between the JOC Cockpit, the Web Service and the JobScheduler Masters and Agents can be carried out using both HTTP and HTTPS protocols. By default after installation HTTP will be used. However, HTTPS should be implemented by system administrators for all communication steps when the JobScheduler is to be used in sensitive environments. Information about the configuration of the Jetty Web Server delivered with the JOC Cockpit for HTTPS can be found on the Jetty Web Site.
...
Separate authorization tokens are used for each communication step between the JOC Cockpit, the JobScheduler Web Service and the JobScheduler Masters and Agents. This means that an attacker who is able to take over and use a token can only bypass one part of the communication chain, which makes it harder for the attacker to remain undetected.
Authorization Token for the JOC Cockpit
The JOC Cockpit generates an authorization token each time a user logs on and saves this token either in the browser's local storage, if Remember Me is set on logging in, or in the browser's session storage, if Remember Me is not set. Note that there are situations in which a user can leave a valid authorization token on their file system although they are no longer working with the JOC Cockpit:
Situation | Remember Me set | Remember Me not set |
---|---|---|
User logs out, browser reverts to Log In page | Authorization token is invalidated by the logout | Authorization token is deleted with the session storage |
Session expires, browser reverts to Log In page | Authorization token is deleted | Authorization token is deleted with the session storage |
Browser tab is closed during session and then reopened by opening recent tab (Firefox) | Authorization token remains in the browser's local storage and is not invalidated, as no logout has taken place. The token remains valid until the timeout period set in the shiro.ini configuration file has elapsed. | Authorization token remains in the browser's session storage and is not invalidated, as no logout has taken place. The token remains valid until the timeout period set in the shiro.ini configuration file has elapsed. |
Browser tab is closed during session and then reopened by opening the Log In page | Authorization token remains in the browser's local storage and is not invalidated, as no logout has taken place. The token remains valid until the timeout period set in the shiro.ini configuration file has elapsed. | Authorization token is deleted with the session storage |
...
- the browser's local storage will not be emptied after a period of time when Remember Me is set and a user does not log in again.
Session Timeout
The JOC Cockpit makes use of the timeout period set in the shiro.ini configuration file for user sessions:
securityManager.sessionManager.globalSessionTimeout = 900000
The default value of 900,000 milliseconds corresponds to 15 minutes. Changes to this value take effect only after the JOC Cockpit has been restarted.
If a user does not log out from the JOC Cockpit but, for example, closes the browser or the browser tab, then
- the authorization token remains valid for the specified period after the last user activity.
- the user session in the JOC Cockpit is closed; however, the JobScheduler Web Service will still accept the authorization token for the specified period.
Default Accounts
The JOC Cockpit ships with a default entry in the shiro.ini configuration file for the account "root" with the password "root", which has permissions for all operations in the JOC Cockpit.
Change this account and password before use. For a secure configuration it is recommended to configure LDAP access to a directory service for users and roles in shiro.ini. This ensures that general policies such as password change frequency or password complexity are enforced for JOC Cockpit users as well.
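The two weak defaults described in this and the previous section can be checked automatically. The following script is an added example, not part of the JOC Cockpit or the Shiro project: it parses a shiro.ini (assuming Apache Shiro's standard layout, the session timeout under [main] and accounts under [users] as "name = password, role, ..."), reports a session timeout above a policy limit, and flags any account whose password equals its name, which generalizes the root/root case. The sample file is constructed.

```python
"""Audit a JOC Cockpit shiro.ini for a long session timeout and default-style accounts."""
from typing import Dict, List, Optional

TIMEOUT_KEY = "securityManager.sessionManager.globalSessionTimeout"

# Constructed sample resembling a fresh installation (assumed Shiro INI layout).
SAMPLE_SHIRO_INI = """\
[main]
securityManager.sessionManager.globalSessionTimeout = 900000

[users]
root = root, all
"""


def parse_shiro_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal section/key parser returning {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore lines without "key = value"
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def session_timeout_minutes(sections: Dict[str, Dict[str, str]]) -> Optional[float]:
    """Configured globalSessionTimeout converted from milliseconds to minutes, or None if unset."""
    value = sections.get("main", {}).get(TIMEOUT_KEY)
    return int(value) / 60000 if value is not None else None


def audit(text: str, max_minutes: float = 15) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    sections = parse_shiro_ini(text)
    findings: List[str] = []
    minutes = session_timeout_minutes(sections)
    if minutes is None:
        findings.append(f"{TIMEOUT_KEY} not set; Shiro's built-in default applies")
    elif minutes > max_minutes:
        findings.append(f"session timeout is {minutes:g} min, policy allows {max_minutes:g} min")
    for account, spec in sections.get("users", {}).items():
        password = spec.split(",")[0].strip()  # Shiro format: password, then roles
        if password == account:
            findings.append(f"account '{account}' uses its own name as password")
    return findings
```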
Audit Logs
...
The Remember Me setting in the JOC Cockpit Log In form shown below is a convenient function for users working in "normal" environments. However, it should be used with caution in security-sensitive environments, as it could allow unauthorized personnel access to the scheduling environment when the user does not rigorously lock their desktop computer.
The behavior of the JOC Cockpit when Remember Me is set or not set depends on the situation. This behavior is specified in the following table:
Situation | Remember Me set | Remember Me not set |
---|---|---|
User logs out, browser reverts to Log In page | Log In information shown, credentials are available | Log In form is empty, input of credentials required |
Session expires, browser reverts to Log In page | Log In information shown | Log In form is empty, input of credentials required |
Browser is closed during session and then reopened; Log In page is opened by user | User is automatically logged in | Log In form is empty, input of credentials required |
Note that:
- The Log In form will not be emptied after a period of time when Remember Me is set and a user does not log in again.
- The behavior specified in the table above is independent of whether or not the browser is set to save login information.
Password Change