Build.One Documentation
Page tree
Skip to end of metadata
Go to start of metadata

Available authentication methods

AkiomaUser

Front-end - Back-end interaction:

 

Logic-flow:

 

Basic HybridRealm authentication. The PASOE validates the provided credentials (username & password) directly, through HybridRealm, using the ISwatAuthenticationService.

 

In order to use AkiomaUser authentication, in the pasoe-config.xml / OEPAS_config.xml configuration file, the AllowedAuthentication property must contain AkiomaUser:

pasoe-config.xml / OEPAS_config.xml
<AllowedAuthentication>AkiomaUser</AllowedAuthentication>

Note: In case AllowedAuthentication is missing from the config file, the default is AkiomaUser.

ActiveDirectory

Front-end - Back-end interaction:

 

Logic-flow:



  1. The client sends POST request with AD credentials to the "/web/Login/Login.html" access-point on the PASOE (swat-backend).
  2. PASOE forwards AD credentials to the "/auth/ad/login" on the NodeJS (node-main).
  3. NodeJS handles AD authentication, using passport with passport-ldapauth strategy. Then responds with ssoSessionId & ssoUserId.
  4. PASOES passes back to Client the ssoSessionId & ssoUserId.
  5. Client logins into PASOE, with ssoUserId & ssoSessionId, through HybridRealm.
  6. PASOE HybridRealm handles login using ISwatAuthenticationService, which sends POST request to "/sessions", with ssoSessionId & ssoUserId, on the NodeJS.
  7. NodeJs responds back to PASOE with the session's validity.
  8. PASOE finalizes authentication process.
  9. Client is authenticated.

 

In order to use ActiveDirectory authentication, the following configuration settings must be present in pasoe-config.xml / OEPAS_config.xml:

  • AllowedAuthentication containing "ActiveDirectory" - See AllowedAuthentication.
  • ssoAuthenticationURI - node-main access-point for AD authentication - takes username, password 
  • ssoAuthenticationCheckURI - node-main access-point for checking if a valid SSO session was created, for verifying if the AD authentication was successful.
  • ssoAuthenticationSecretKey - OPTIONAL - secret key known by PASOE and node-main that is passed in the requests to node-main. Provides additional validation that the requests are done from a trusted source (PASOE).

Example:

pasoe-config.xml / OEPAS_config.xml
	<AllowedAuthentication>ActiveDirectory</AllowedAuthentication>
	<ssoAuthenticationURI>http://localhost:8888/auth/ad/login</ssoAuthenticationURI>
	<ssoAuthenticationCheckURI>http://localhost:8888/sessions</ssoAuthenticationCheckURI>
	<ssoAuthenticationSecretKey>12345678901</ssoAuthenticationSecretKey><!-- OPTIONAL -->

 

Note: node-main is hidden behind PASOE server from the client's perspective.

AzureActiveDirectory

TBD by Sergiu MorarSebastian Lucaciu

 

Security settings

HybridRealm

Overview

Configuration

In order to use HybridRealm as the authentication provider of spring.security, the following configuration settings must be set:

oeablSecurity.properties

  • http.all.authmanager - Authentication manager to use, in our case: oerealm
  • client.login.model - Authentication model to use, in our case: form
  • OERealm.UserDetails.realmClass - OERealm (HybridRealm) class to use, in our case: Akioma.Security.HybridRealm 

Unauthenticated routes

To define routes that do not require authentication, modify the oeablSecurity.csv configuration file and set the desired URIs to permitAll():

Example for LoginWebHandler /web/Login/ routes:

oeablSecurity.csv
# "url-pattern","<method>","<spring-access-expression>"
??
# Permit unauthenticated access to /web/Login/**
"/web/Login/**","*","permitAll()"
??
# Authentication for /web/**
"/web/**","*","hasAnyRole('ROLE_PSCUser')"
??
# Best practice - deny anything not explicitly granted
"/**","*","denyAll()"


Note: To override access for a specific/sub-route: have the override setting before the parent setting. Example: /web/Login sub-route config overrides /web route config, thus it is set before.

 

Enable/Disable authentication methods

In order to use the existing AkiomaUser and/or ActiveDirectory authentication/s, the <AllowedAuthentication> property must be present in the pasoe-config.xml / OEPAS_config.xml configuration file.

The AllowedAuthentication property is a comma separated list, containing enabled authentication methods. Default value is "AkiomaUser".

 

Example:

pasoe-config.xml / OEPAS_config.xml
<AllowedAuthentication>AkiomaUser,ActiveDirectory</AllowedAuthentication>

 

The property is checked, during the authentication processes, if the current authentication is allowed.

 

Example for AkiomaUser check:

CheckIsAllowedAkiomaUserAuth
    METHOD PROTECTED VOID CheckIsAllowedAkiomaUserAuth():
        IF LOOKUP("AkiomaUser", SessionManager:AllowedAuthentication) EQ 0 THEN
            UNDO, THROW NEW Exception("AkiomaUser authentication is disabled!", 1).
    END METHOD.


Overall architecture

PASOE (AkiomaUser / AD authentication)

 

 

NodeJS (AD / AzureAD authentication)

 

 

  • No labels