...
As indicated in the schematic architecture diagram above, communication between the JOC Cockpit, the Web Service and the JobScheduler Masters and Agents can be carried out using both HTTP and HTTPS protocols. By default after installation HTTP will be used. However, HTTPS should be implemented by system administrators for all communication steps when the JobScheduler is to be used in sensitive environments.
- Information about the configuration of the Jetty Web Server delivered with the JOC Cockpit for HTTPS can be found from the JOC Cockpit - HTTPS Authentication article and on the Jetty Web Site.
- Information about setting up a secure connection between the JOC Cockpit - Web Service and the JobScheduler Master can be found from the JOC Cockpit - HTTPS Authentication article.
- Consider JobScheduler Universal Agent - HTTPS Agent and Master Authentication for securing the connections between a JobScheduler Master and Agents.
Authorization Tokens
Separate authorization tokens are used for each communication step between the JOC Cockpit, the JobScheduler Web Service and the JobScheduler Masters and Agents. This means that if an attacker is able to take over and use a token they will only be able to bypass a part of the communication chain.
...
- the browser's local storage will not be emptied after a period of time when Remember Me is set and a user does not log in again,.
Session Timeout
The JOC Cockpit uses the timeout period set in the shiro.ini configuration file for user sessions:
...