2.0 Configuring Viewpoint Security
The following represents the out-of-the-box core.xml settings pertaining to authentication:
<config>
  <security>
    <permissions-caching>true</permissions-caching>
    <login-jsp-path>/WEB-INF/login.jsp</login-jsp-path>
    <login-servlet-path>/login</login-servlet-path>
    <app-jsp-path>/WEB-INF/application.jsp</app-jsp-path>
    <app-servlet-path>/app</app-servlet-path>
    <logout-parameter>logout</logout-parameter>
    <username-parameter>username</username-parameter>
    <request-handler>
      <parameter callback="ProxyUserCallback">username</parameter>
      <parameter callback="NameCallback">username</parameter>
      <parameter callback="PasswordCallback">password</parameter>
    </request-handler>
    <login-modules>
      <login-module class="com.moab.api.login.MoabLoginModule" flag="required"/>
      <login-module class="com.cri.security.server.modules.ViewpointLoginModule" flag="required"/>
    </login-modules>
    <permissions-map>
      <principal type="MoabSshUserPrincipal" name="cri">
        <role name="user"/>
      </principal>
      <principal type="MoabAdminPrincipal" name="ADMIN5">
        <role name="user"/>
      </principal>
      <principal type="ViewpointRolePrincipal" name="user">
        <role name="user"/>
      </principal>
      <principal type="ViewpointRolePrincipal" name="admin">
        <role name="admin"/>
      </principal>
    </permissions-map>
    <role-definitions>
      <definition name="user">
        <permission name="archive.create"/>
        <permission name="archive.read"/>
        <permission name="archive.restore"/>
        <permission name="cart.read"/>
        <permission name="cart.update"/>
        <permission name="cart.delete"/>
      </definition>
      <definition name="admin">
        <permission name="user.*"/>
        <role name="user"/>
      </definition>
    </role-definitions>
  </security>
</config>
See Permissions for a list of available permissions and their associated pages.
permissions-caching
- Either true or false; the default is true. When set to true, permissions are cached in the HttpSession associated with a given user. When set to false, the user must re-authenticate on every request. A value of false can be useful when a single-sign-on system is enabled.

login-jsp-path
- The path to the JSP file that presents the login page. Note that the path is relative to the Web application: "WEB-INF/login.jsp" resolves to /var/lib/tomcat6/webapps/sample/WEB-INF/login.jsp (assuming the default Tomcat location and a Web application named "sample"), whereas "/WEB-INF/login.jsp" resolves to /WEB-INF/login.jsp. Also note that the tomcat user must have at least read access to this file.

login-servlet-path
- The path to the servlet that authenticates a user attempting to reach the Viewpoint application. This URL must be reachable from any Web browser that uses Viewpoint. The default is /login.

app-jsp-path
- The path to the JSP file that presents the application page. Note that the path is relative to the Web application: "WEB-INF/application.jsp" resolves to /var/lib/tomcat6/webapps/sample/WEB-INF/application.jsp (assuming the default Tomcat location and a Web application named "sample"), whereas "/WEB-INF/application.jsp" resolves to /WEB-INF/application.jsp. Also note that the tomcat user must have at least read access to this file.

app-servlet-path
- The path to the servlet that serves the Viewpoint application. This URL must be reachable from any Web browser that uses Viewpoint.

logout-parameter
- The HTTP parameter used by the application and login servlets to determine whether the user is attempting to log out. The navigation configuration uses it to create a Logout link; the resulting URL is /${login-servlet}?${logout-parameter}.

username-parameter
- The HTTP request parameter used by the application to determine the user's username.

request-handler
- The request-handler configuration defines the set of HTTP parameters used during authentication and the callbacks they serve. The documentation for your login modules lists which callbacks the CallbackHandler must handle. Each parameter element maps directly to an HTTP parameter in the request.

parameter callback="ProxyUserCallback"
- The callback attribute indicates which Java Authentication and Authorization Service (JAAS) callback maps to this parameter. The value is the class name of the callback; where callback names conflict, the fully-qualified class name must be used. An optional "required" attribute can also be specified; its default value is true.

login-modules
- JAAS enables extensible security in the Viewpoint framework. It allows a system administrator to specify one or more LoginModules, which authenticate a user against the domains or realms those LoginModules were written to access. For more information, see the JAAS Reference Guide.

login-module class="<class name>"
- A LoginModule used to authenticate a user. The LoginModule populates the authenticated user with "principals", which are then used to authorize the user to take specific actions within the system. The attributes are:
  class - the fully-qualified class name of the LoginModule.
  flag - controls the overall behavior as authentication proceeds down the stack of LoginModules (the JAAS flag values are required, requisite, sufficient and optional). The JavaDoc for the JAAS Configuration class gives a detailed specification of the purpose and use of these flags.

permissions-map
- The permissions-map section specifies how authenticated users are authorized in the Viewpoint framework. For each principal value that should be considered, an arbitrary number of roles and permissions are assigned.

principal
- A principal definition requires the following attributes:
  type - the "simple" class name of the principal.
  name - the value of the principal. If a user holds a principal that matches this type and value, the given roles and permissions are assigned to that user.

role
- A child element of <principal>; the role the user is given if they hold that principal.

role-definitions
- Roles define groups of permissions. This is essentially a configuration shortcut, since roles are resolved as the configuration is read in. Roles can be specified recursively to create a role hierarchy.

permission
- A permission is a domain-like identifier that grants a given entity access to perform some function within Viewpoint (for example, "exit", "setFactory", "print.queueJob"). The naming convention follows the hierarchical property naming convention. An asterisk can appear by itself, or, if immediately preceded by a ".", at the end of the name, to signify a wildcard match. For example, "*" and "java.*" are valid, while "*java", "a*b", and "java*" are not.
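As an added example (not Viewpoint's own code), the following Python turns the permissions-map and role-definitions above into a yes/no authorization decision: it flattens the role hierarchy (the admin definition includes the user role) and applies the wildcard rule for permission names. The element names and sample values come from the core.xml shown on this page; the function names are assumptions of this example, not Viewpoint APIs.

```python
import re
import xml.etree.ElementTree as ET
# Constructed excerpt of the core.xml above (permissions-map and role-definitions only).
CORE_XML = """<config><security><permissions-map>
  <principal type="MoabSshUserPrincipal" name="cri"><role name="user"/></principal>
  <principal type="MoabAdminPrincipal" name="ADMIN5"><role name="user"/></principal>
  <principal type="ViewpointRolePrincipal" name="user"><role name="user"/></principal>
  <principal type="ViewpointRolePrincipal" name="admin"><role name="admin"/></principal>
</permissions-map><role-definitions>
  <definition name="user"><permission name="archive.create"/><permission name="archive.read"/>
    <permission name="archive.restore"/><permission name="cart.read"/>
    <permission name="cart.update"/><permission name="cart.delete"/></definition>
  <definition name="admin"><permission name="user.*"/><role name="user"/></definition>
</role-definitions></security></config>"""
# Permission names are dotted identifiers, optionally ending in ".*", or a bare "*".
PERMISSION_RE = re.compile(r"^(\*|\w+(\.\w+)*(\.\*)?)$")

def valid_permission(name):
    return PERMISSION_RE.match(name) is not None

def load_security(xml_text):
    """Return (role definitions, permissions map) parsed from core.xml text."""
    root = ET.fromstring(xml_text)
    roles = {d.get("name"): ([p.get("name") for p in d.findall("permission")],
                             [r.get("name") for r in d.findall("role")])
             for d in root.iter("definition")}
    pmap = {(p.get("type"), p.get("name")): [r.get("name") for r in p.findall("role")]
            for p in root.iter("principal")}
    return roles, pmap

def resolve_role(roles, role, seen=None):
    """Flatten a role and every role it includes (the role hierarchy)."""
    seen = set() if seen is None else seen  # cycle guard: a role that includes itself
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    perms, subroles = roles[role]
    return set(perms).union(*(resolve_role(roles, s, seen) for s in subroles))

def matches(granted, requested):
    # Wildcard rule from the page: "*" covers everything, "x.*" covers "x.<anything>".
    if not valid_permission(granted):
        raise ValueError("malformed permission name: %s" % granted)
    if granted == "*" or granted == requested:
        return True
    return granted.endswith(".*") and requested.startswith(granted[:-1])

def is_authorized(xml_text, principals, requested):
    """principals: (type, name) pairs the login modules attached to the user."""
    roles, pmap = load_security(xml_text)
    granted = set().union(*(resolve_role(roles, r) for p in principals for r in pmap.get(p, [])))
    return any(matches(g, requested) for g in granted)
```

A principal that appears in no permissions-map entry yields no roles and therefore no permissions, which is the behaviour a deny-by-default configuration should produce.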