Moab Viewpoint
Using ViewpointLoginModule

The ViewpointLoginModule is the default login module. When used, the ViewpointLoginModule authenticates a user when the hash of the supplied password matches the stored password hash in the Viewpoint database.

Configuring core.xml

To use this module, you need to edit the core.xml file. Add callbacks for a username and password in the <request-handler> element, such as in this example:

<config>
  ...
  <security>
    ...
    <request-handler>
      ...
      <parameter callback="NameCallback">username</parameter>
      <parameter callback="PasswordCallback">password</parameter>
    </request-handler>
    ...
  </security>
</config>

Next, add the ViewpointLoginModule as a required module in the <login-modules> section:

<login-modules>
  <login-module class="com.cri.security.server.modules.ViewpointLoginModule" flag="required" />
</login-modules>

We recommend you add a ViewpointRolePrincipal that has the same name as each role you define in core.xml:

<permissions-map>
  ...
  <principal type="ViewpointRolePrincipal" name="user">
    <role name="user" />
  </principal>
  <principal type="ViewpointRolePrincipal" name="admin">
    <role name="admin" />
  </principal>
</permissions-map>
...
<role-definitions>
  <definition name="user">
    <permission name="job.read" />
    ...
  </definition>
  <definition name="admin">
    <permission name="user.*" />
    <role name="user" />
  </definition>
</role-definitions>

For information on how to associate roles with users, see the User Management page.
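The fragments above are easy to get out of sync by hand: a role definition without a matching ViewpointRolePrincipal, a nested <role> that refers to a definition that does not exist, or a login module left at a flag other than "required". The following script is an added example, not part of the Viewpoint product or its documentation; it parses a constructed core.xml fragment with the standard library and reports those inconsistencies. It assumes the <login-modules>, <permissions-map> and <role-definitions> elements all sit under <security>, which the page does not state explicitly, and the "operator" role in the sample is deliberately left without a principal so the check has something to find.

```python
import xml.etree.ElementTree as ET

VIEWPOINT_LOGIN_MODULE = "com.cri.security.server.modules.ViewpointLoginModule"

# Constructed core.xml fragment for illustration only (not a real deployment).
# The "operator" role is defined but intentionally has no ViewpointRolePrincipal.
SAMPLE_CORE_XML = """<config>
  <security>
    <request-handler>
      <parameter callback="NameCallback">username</parameter>
      <parameter callback="PasswordCallback">password</parameter>
    </request-handler>
    <login-modules>
      <login-module class="com.cri.security.server.modules.ViewpointLoginModule" flag="required" />
    </login-modules>
    <permissions-map>
      <principal type="ViewpointRolePrincipal" name="user">
        <role name="user" />
      </principal>
      <principal type="ViewpointRolePrincipal" name="admin">
        <role name="admin" />
      </principal>
    </permissions-map>
    <role-definitions>
      <definition name="user">
        <permission name="job.read" />
      </definition>
      <definition name="operator">
        <permission name="job.*" />
        <role name="user" />
      </definition>
      <definition name="admin">
        <permission name="user.*" />
        <role name="user" />
      </definition>
    </role-definitions>
  </security>
</config>
"""


def check_core_xml(xml_text: str) -> list:
    """Return a list of human-readable findings; an empty list means the fragment is consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The request handler must collect both a username and a password.
    handlers = list(root.iter("request-handler"))
    callbacks = {p.get("callback") for h in handlers for p in h.iter("parameter")}
    for needed in ("NameCallback", "PasswordCallback"):
        if needed not in callbacks:
            findings.append(f"request-handler lacks a {needed} parameter")

    # 2. ViewpointLoginModule must be present and marked required.
    modules = {m.get("class"): m.get("flag") for m in root.iter("login-module")}
    if modules.get(VIEWPOINT_LOGIN_MODULE) != "required":
        findings.append('ViewpointLoginModule is not configured with flag="required"')

    # 3. Every role definition should have a ViewpointRolePrincipal of the same name.
    defined = {d.get("name") for d in root.iter("definition")}
    principals = {
        p.get("name") for p in root.iter("principal") if p.get("type") == "ViewpointRolePrincipal"
    }
    for role in sorted(defined - principals):
        findings.append(f"role '{role}' has no ViewpointRolePrincipal of the same name")

    # 4. Every <role> reference (in principals or nested in definitions) must resolve.
    referenced = {r.get("name") for r in root.iter("role")}
    for role in sorted(referenced - defined):
        findings.append(f"role '{role}' is referenced but never defined in role-definitions")

    return findings


if __name__ == "__main__":
    for finding in check_core_xml(SAMPLE_CORE_XML) or ["no findings"]:
        print(finding)
```

Run it against your own core.xml by reading the file into check_core_xml; an unexpected finding on a live configuration usually means a user mapped to that role will either get no permissions at all or inherit more than intended.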

Security

ViewpointLoginModule authenticates users across a network with passwords, so it is important to configure your environment to use an SSL connection. For more information on how to protect a site with SSL, see the Tomcat documentation.

The username and a salted, secure hash of the password are stored in the SecurityUser table in the Viewpoint database. Roles for each user are stored in SecurityUser_roles. It is essential that users are restricted from reading or modifying these tables; otherwise they could grant themselves privileges they should not have.

How it works

For security reasons, passwords are not stored in the database in plain form. Instead, a base64-encoded SHA-512 secure hash of the password combined with a salt (a random number from a secure random number generator) is stored, together with the salt. To authenticate a user, the supplied password is combined with the salt retrieved from the database, the combination is hashed with SHA-512 and base64 encoded, and the result is compared with the base64-encoded hash from the database. If the hashes match, the user is authenticated.
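The scheme described above, written out as an added example (this is illustrative code, not the ViewpointLoginModule's own implementation). The page does not specify the byte order of the combination, the salt length, or how the salt itself is encoded, so this example assumes SHA-512 over salt || password, a 16-byte salt from the OS secure random generator, and a base64-encoded salt stored beside the hash; the constant-time comparison is an added defensive practice, not something the page states. The record dictionary stands in for the salt and hash columns of the SecurityUser table.

```python
import base64
import hashlib
import hmac
import secrets

SALT_LEN = 16  # bytes; an assumption, the page only says "a random number"


def make_salt() -> bytes:
    """Fresh salt from a cryptographically secure random source."""
    return secrets.token_bytes(SALT_LEN)


def hash_password(password: str, salt: bytes) -> str:
    """Base64-encoded SHA-512 of salt || password (assumed concatenation order)."""
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def create_record(password: str) -> dict:
    """What a SecurityUser-style row would hold: the salt and the hash, never the password."""
    salt = make_salt()
    return {
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": hash_password(password, salt),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare it to the stored hash.

    hmac.compare_digest avoids leaking, through timing, how many leading
    characters of the two encoded hashes agree.
    """
    salt = base64.b64decode(record["salt"])
    computed = hash_password(candidate, salt)
    return hmac.compare_digest(computed, record["hash"])


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    row = create_record("correct horse battery staple")
    print("stored row:", row)
    print("right password accepted:", verify_password(row, "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(row, "Tr0ub4dor&3"))
```

Two properties worth checking on any implementation of this design: the same password hashed with two different salts must produce two different stored hashes (so identical passwords are not recognisable across rows), and the stored hash alone must not be usable as a credential, which is why verification always re-derives it from the candidate password rather than accepting a hash from the client.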