JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 1

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Introduction

The architecture introduced with the of JOC Cockpit ensures that users are restricted to directly access accessing the JOC Cockpit user interface as illustrated with in the diagram below. The JOC Cockpit then calls the includes the JS7 - REST Web Service API which, in turn, has access to the JobScheduler JS7 Controller instances. There is no connection from a the JOC Cockpit to Agents.

See the JS7 - System Architecture article for more information.


Security Considerations for System Administrators

HTTP / HTTPS Connections

As indicated with in the schematic architecture diagram above, communication connections between the JOC Cockpit, the REST Web Service API and the Controllers & Agents can be carried out using both HTTP and HTTPS protocols. By default after installation HTTP will be used. However, system administrators are recommended to implement HTTPS connections.

...

Authorization tokens are used for communication between users and the JOC Cockpit, between the JS7 REST Web Service API and between the Controller instances and Agents. This means that if an attacker is able to take over and to use a token they will only be able to bypass a part of the communication chain only.

Authorization Token for the JOC Cockpit

The JOC Cockpit generates an authorization token each time a user logs on and saves this token either in the browser's local storage , if Remember Me is set on logging in, or in the browser's session storage , if Remember Me is not set. Note that there are situations when users can leave a valid authorization token on their file system although they are no longer working with the JOC Cockpit: 

...

Situation

Remember Me
Set

Remember Me
Not set

User logs out, browser reverts to Log In pageAuthorization token is invalidated by the logoutAuthorization token is deleted with the session storage
Session expires, browser reverts to Log In pageAuthorization token is deletedAuthorization token is deleted with the session storage
New browser tab is opened in parallel to an existing browser tab

Authorization token in existing tab is valid

Authorization token is required for new tab

Authorization token is maintained with the session storage
Browser tab is closed during session and then reopened by opening the recent tabAuthorization token is invalidatedAuthorization token is deleted with the session storage

Browser tab is closed during session and then reopened by opening login page

Authorization token is invalidated Authorization token is deleted with the session storage

Note that:

  • the browserThe browser's local storage will not be emptied after a period of time when Remember Me is set and a user does not log in again.

Session Idle Timeout

The JOC Cockpit uses the idle timeout period set in the shiro.ini configuration file for user sessions:

Code Block
languagetext
titleSession timeout in shiro.ini
securityManager.sessionManager.globalSessionTimeout = 900000

for user sessions which is available from the Manage Global Settings button in the Identity Services page :

Image Added


The default value is 15 minutes. The JOC Cockpit does not require a restart to apply changes made to this valueThe default value of 900.000 milliseconds translates to 15 minutes. To apply changes to this value the JOC Cockpit has to be restarted.

If a user does not logout from the JOC Cockpit but, for example, closes the browser or browser tab then:

  • the authorization token will remain valid for the specified period since the user's last user activity,
  • the user session in the JOC Cockpit will be closed, however, the JS7 REST Web Service API will accept the authorization token for the specified period.

...

The JOC Cockpit ships with a default setting in the shiro.ini configuration file for the account "root" with the password "root" and setting for the default user account that is configured with the JOC-INITIAL Identity Service. By default the root user account and password root is used with permissions to carry out all operations with the JOC Cockpit.

Please Users should adjust the account and password to be used. For a secure configuration it is recommended that LDAP access to a directory service Directory Service is implemented configured for users with roles configured in the shiro.ini file and that the "root" user accounts with roles managed by an JS7 - LDAP Identity Service and that the root account is dropped. This guarantees that general policies such as password rotation or password complexity requirements are considered when using the JOC Cockpit.

See the Authentication and Authorization - Configuration article for more information.

Default Profile Account

JOC Cockpit stores the userusers' s profile settings with in its database. When a user logs in for the first time then the settings of the default profile account are copied to the user profile. By default the profile of the "root" user account that ships with the shiro.ini file JOC-INITIAL Identity Service is used as the default user profile.

The default profile account can be specified with the following setting in the JETTY_BASE/resources/joc/joc.properties file:

Code Block
languagetext
titleDefault profile account in shiro.ini
################################################################################
### A default profile should be available that includes any profile settings 
### that are applied by default to new users.

default_profile_account = root

default_profile_account setting  in section "joc" of the JS7 - Settings page.

Audit Log

Excerpt Include
JS7 - Audit Log
JS7 - Audit Log
nopaneltrue

Read more ....

Security Considerations for Users

Use of the Log In Form Remember Me Checkbox

The Remember Me setting in the JOC Cockpit Log In form shown below is a convenient function for users working in "normal" environments. However it should be used with caution in sensitive environments as it could allow unauthorized access to JOC Cockpit by third parties when users would do not rigorously lock their computer. In addition, storing credentials with the browser can be considered a questionable practice.

...

The behavior of the JOC Cockpit when Remember Me is set or is not set depends on the situation. This behavior is specified in the following table:

Situation

Remember Me
Set

Remember Me
Not set

User logs out, browser reverts to Log In pageLog In information displayed,
credentials are available 		Log In form is empty,
input of credentials required 
Session expires, browser reverts to Log In pageLog In information displayedLog In form is empty,
input of credentials required 
Browser is closed during session and then reopened;
Log In page is opened by user		Log In information displayedLog In form is empty,
input of credentials required 

...

  • The Log In form will not be emptied after a period of time when Remember Me is set and a user does not log in again,
  • The behavior specified in the table above is independent of whether or not the browser is set configured to save store login information.

Use of the Remember Me functionality can be disabled by applying the following setting to the JETTY_BASE/resources/joc/joc.properties file:

...

titleDisable Remember Me setting in joc.properties file

...

modifying the enable_remember_me setting in the "joc" section of the JS7 - Settings page.

Password Reset and Password Change

A user account's password cannot can be reset or changed with the JOC Cockpit . Depending on the configuration set in the shiro.ini configuration file

  • users should ask their system administrator to modify their password in the shiro.ini file if local user management is used,
  • any password changes effected for a directory service are automatically considered when using the JOC Cockpit if LDAP configuration is used.

...

if the JS7 - JOC Identity Service is used.

  • When resetting or modifying a user account's password then the user is forced to specify a new password with the next login.
  • This functionality by design is not offered for the JS7 - LDAP Identity Service or other external Identity Service.

Resources

...