Authentication

External applications access the FWD server through the remote object protocol. Before that can be used, the external application must establish a session with the FWD server. This involves writing custom Java code to connect to the FWD server and then authenticate using a known account.

Inside the directory there are several parameters that are used to set up the authentication.

Search Algorithm

There is no search algorithm used for reading the authentication directory sections. All configurations are global for the directory and can be found under the /security/config root node.

Password Change

This section defines the policies regarding how the server forces password changes. For more details on how to develop a password change plugin, see the Hooks chapter of the Developer Guide.

Directory Example:

<node class="container" name="security">
   <node class="container" name="config">
      <node class="container" name="change">
         <node class="integer" name="maxage">
            <node-attribute name="value" value="90"/>
         </node>
         <node class="string" name="plugin">
            <node-attribute name="value" value="com.acme.myapp.security.PasswordChange"/>
         </node>
      </node>
   </node>
</node>

maxAge

maxAge provides the maximum number of days since the previous password change the current password remains valid. This node is optional. If not defined, no password aging is performed.

plugin

plugin names the class responsible for the new password change input. It resides under the /security/config/change/plugin node. The class must implement the PasswordInput interface, as in this example:

public class PasswordChange
implements PasswordInput
{
   ...

   /**
    * Gets and verifies the new password.
    *
    * @param    oldHash
    *           digest of the current password for comparisons
    *
    * @return   new password
    */
   public String obtainPassword(byte[] oldHash)
   {
      return getInputForChangePassword(oldHash);
   }

   ...

   /**
    * Provides the entry point for handling: the user interface to change the
    * password, verification that the given current password matches and that
    * the new password fulfills the password standards.
    *
    * @param    oldHash
    *           digest of the current password for comparisons
    *
    * @return   if the verifications pass, the input new password is returned;
    *           otherwise the error cause is displayed and the user has to
    *           re-input the passwords with correct values
    */
   private String getInputForChangePassword(byte[] oldHash)
   {
      /* Implement and call the actual logic to match requirements */
      ...
      if (validation_passed)
      {
         return newPassword;
      }
      ...
   }

   ...
}

The user account class in the FWD directory provides attributes for the date and time the password was last changed. They are named pwsetdate and pwsettime and are optional, which means that for a particular account they may be missing by the time the password age is checked. In this case the Security Manager assumes the password is old enough to make the check fail. A new password should then be set, and these attributes will be created automatically.
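The password change plugin skeleton above leaves the actual verification as "...", and the aging rule is only described in prose. The class below is an added example (not FWD code, and not an implementation of the PasswordInput interface) of helper logic such a plugin could delegate to: a constant-time comparison of the typed current password against oldHash, a simple policy for the new password that returns the reason to display before re-prompting, and the maxAge check with a missing pwsetdate or pwsettime treated as expired. The digest algorithm (SHA-256 over the UTF-8 bytes of the password) and the use of java.time values for pwsetdate and pwsettime are assumptions; this page does not state how FWD produces the digest or encodes those attributes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.LocalTime;
import java.time.temporal.ChronoUnit;

/**
 * Added example, not FWD code: helper logic a PasswordChange plugin could
 * delegate to. The digest algorithm (SHA-256 over UTF-8 bytes) and the
 * java.time representation of pwsetdate/pwsettime are assumptions.
 */
public final class PasswordChangeSupport
{
   private static final int MIN_LENGTH = 12;

   /** Digest a password the way this example assumes oldHash was produced. */
   public static byte[] digest(String password)
   {
      try
      {
         return MessageDigest.getInstance("SHA-256")
                             .digest(password.getBytes(StandardCharsets.UTF_8));
      }
      catch (NoSuchAlgorithmException e)
      {
         throw new IllegalStateException("SHA-256 unavailable", e);
      }
   }

   /** Compare the typed current password against oldHash in constant time. */
   public static boolean currentPasswordMatches(String typed, byte[] oldHash)
   {
      return MessageDigest.isEqual(digest(typed), oldHash);
   }

   /**
    * Policy for a new password: minimum length, mixed character classes and
    * different from the current one. Returns null when the candidate is
    * accepted, otherwise the reason to display before asking the user again.
    */
   public static String rejectNewPassword(String candidate, byte[] oldHash)
   {
      if (candidate == null || candidate.length() < MIN_LENGTH)
      {
         return "password must be at least " + MIN_LENGTH + " characters";
      }
      boolean upper = false, lower = false, digit = false;
      for (char c : candidate.toCharArray())
      {
         upper |= Character.isUpperCase(c);
         lower |= Character.isLowerCase(c);
         digit |= Character.isDigit(c);
      }
      if (!(upper && lower && digit))
      {
         return "password needs upper case, lower case and digit characters";
      }
      if (MessageDigest.isEqual(digest(candidate), oldHash))
      {
         return "new password must differ from the current one";
      }
      return null;
   }

   /**
    * Password aging as described for maxAge: expired when more than maxAgeDays
    * days have passed since pwsetdate/pwsettime. A missing pwsetdate or
    * pwsettime is treated as expired, matching the Security Manager behaviour
    * described above.
    */
   public static boolean passwordExpired(LocalDate pwsetdate, LocalTime pwsettime,
                                         int maxAgeDays, LocalDateTime now)
   {
      if (pwsetdate == null || pwsettime == null)
      {
         return true;
      }
      LocalDateTime set = LocalDateTime.of(pwsetdate, pwsettime);
      return ChronoUnit.DAYS.between(set, now) > maxAgeDays;
   }

   public static void main(String[] args)
   {
      byte[] oldHash = digest("Correct-Horse-42");   // constructed sample account
      System.out.println(currentPasswordMatches("Correct-Horse-42", oldHash));
      System.out.println(rejectNewPassword("short", oldHash));
      System.out.println(rejectNewPassword("Correct-Horse-42", oldHash));
      System.out.println(rejectNewPassword("Battery-Staple-77", oldHash));
      LocalDateTime now = LocalDateTime.of(2017, 6, 1, 12, 0);     // constructed "now"
      System.out.println(passwordExpired(LocalDate.of(2017, 1, 1), LocalTime.NOON, 90, now));
      System.out.println(passwordExpired(null, null, 90, now));     // missing attributes
   }
}
```

A getInputForChangePassword implementation would call currentPasswordMatches before accepting the typed current password, loop on rejectNewPassword until it returns null, and only then return the new password; the server side can use passwordExpired with the configured maxage value to decide whether to force the change at login.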

Auth Mode

The Authentication mode section provides data to establish what authentication modes apply to the declared authentication plugins.

This container can be found under the /security/config/auth-mode location.

Directory example:

<node class="container" name="security">
   <node class="container" name="config">
      <node class="authMode" name="auth-mode">
         <node-attribute name="mode" value="4"/>
         <node-attribute name="retries" value="-1"/>
         <node-attribute name="plugin" value="com.acme.myapp.security.Login"/>
      </node>
   </node>
</node>

auth-mode:mode

Represents the authentication mode id.

It resides under /security/config/auth-mode/mode node.

The authentication mode ids can be found as constants inside the com.goldencode.p2j.security.SecurityConstants class.

Authentication mode ids:

  • 0: no override (lowest value)
  • 1: user id and password
  • 2: X.509 certificate
  • 3: X.509 certificate + user id and password
  • 4: custom (highest value)

auth-mode: retries

Represents the number of authentication retries permitted for a certain authentication plugin, where:

  • -1 unlimited retries
  • 0 no retries
  • > 0 specific limit

It can be found under the /security/config/auth-mode/retries node.

auth-mode: plugin

Represents the plugin class for which the authentication mode will be applied.

It can be found under /security/config/auth-mode/plugin node.

Authentication Plugins

The Authentication plugins section contains a series of attributes that are used to initialize and set the authentication for accounts or groups.

This container can be found inside the /security/config/auth-plugins location.

Directory example:

<node class="container" name="security">
   <node class="container" name="config">
      <node class="container" name="auth-plugins">
         <node class="container" name="acme_login">
            <node class="string" name="classname">
               <node-attribute name="value" value="com.acme.myapp.security.Login"/>
            </node>
            <node class="string" name="description">
               <node-attribute name="value" value="ACME Login Screen"/>
            </node>
            <node class="string" name="option">
               <node-attribute name="value" value="arbitrary text here that is passed as options"/>
            </node>
         </node>
         <node class="container" name="trusted_client">
            <node class="string" name="classname">
               <node-attribute name="value" value="com.goldencode.p2j.security.TrustedClientPlugin"/>
            </node>
            <node class="string" name="description">
               <node-attribute name="value" value="Trusted Client Plugin"/>
            </node>
            <node class="string" name="option">
               <node-attribute name="value" value=""/>
            </node>
         </node>
      </node>
   </node>
</node>
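The auth-mode and auth-plugins sections above define a small set of rules that are easy to get wrong in a hand-edited directory: mode must be one of the ids 0 to 4, retries must be -1, 0 or a positive limit, and the auth-mode plugin must name a class that is actually declared under auth-plugins. As an added example (not FWD code), the class below reads the /security/config subtree in the node/node-attribute layout shown in the directory examples of this chapter and reports those problems before deployment; it also lists every entry whose classname is TrustedClientPlugin, since those users are logged in without a password. The embedded fragment SAMPLE is constructed from the examples on this page; the checks use only what this chapter states about the values.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Added example, not FWD code: a pre-deployment check over the /security/config
 * subtree of a directory file, using the node/node-attribute layout shown in this
 * chapter. SAMPLE is a constructed fragment modelled on the page's examples.
 */
public final class AuthConfigCheck {
   static final String TRUSTED_CLIENT = "com.goldencode.p2j.security.TrustedClientPlugin";

   /** First direct child element with the given tag and name="..." attribute, or null. */
   static Element find(Element parent, String tag, String name) {
      NodeList kids = parent.getChildNodes();
      for (int i = 0; i < kids.getLength(); i++) {
         if (!(kids.item(i) instanceof Element)) continue;
         Element e = (Element) kids.item(i);
         if (e.getTagName().equals(tag) && name.equals(e.getAttribute("name"))) return e;
      }
      return null;
   }

   /** Value of <node-attribute name="..." value="..."/> under node, or null. */
   static String attr(Element node, String name) {
      Element a = find(node, "node-attribute", name);
      return a == null ? null : a.getAttribute("value");
   }

   static int toInt(String s, int fallback) {
      try { return s == null ? fallback : Integer.parseInt(s.trim()); }
      catch (NumberFormatException e) { return fallback; }
   }

   /** Returns human-readable findings; an empty list means nothing to report. */
   public static List<String> check(String directoryXml) throws Exception {
      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
      f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
      Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(directoryXml)));
      List<String> out = new ArrayList<>();
      Element config = find(doc.getDocumentElement(), "node", "config");
      if (config == null) { out.add("missing /security/config"); return out; }

      // auth-plugins/<entry>/classname: record every declared plugin class
      Map<String, String> declared = new HashMap<>();   // entry name -> classname
      Element plugins = find(config, "node", "auth-plugins");
      NodeList entries = plugins == null ? null : plugins.getChildNodes();
      for (int i = 0; entries != null && i < entries.getLength(); i++) {
         if (!(entries.item(i) instanceof Element)) continue;
         Element entry = (Element) entries.item(i);
         String name = entry.getAttribute("name");
         Element cls = find(entry, "node", "classname");
         String value = cls == null ? null : attr(cls, "value");
         if (value == null || value.isEmpty()) { out.add("auth-plugins/" + name + ": classname missing"); continue; }
         declared.put(name, value);
         if (TRUSTED_CLIENT.equals(value))
            out.add("auth-plugins/" + name + ": TrustedClientPlugin logs its users in without a password; review who is assigned to it");
      }

      // auth-mode: mode must be 0..4, retries -1/0/>0, plugin must be a declared classname
      Element authMode = find(config, "node", "auth-mode");
      if (authMode == null) { out.add("missing required /security/config/auth-mode"); return out; }
      int mode = toInt(attr(authMode, "mode"), -1);
      if (mode < 0 || mode > 4) out.add("auth-mode/mode must be 0..4, found " + attr(authMode, "mode"));
      String retriesText = attr(authMode, "retries");
      int retries = toInt(retriesText, Integer.MIN_VALUE);
      if (retries < -1) out.add("auth-mode/retries must be -1, 0 or a positive limit, found " + retriesText);
      else if (retries == -1) out.add("auth-mode/retries is -1: unlimited attempts, consider a finite limit");
      String plugin = attr(authMode, "plugin");
      if (plugin == null || !declared.containsValue(plugin)) out.add("auth-mode/plugin " + plugin + " is not declared under auth-plugins");
      return out;
   }

   static final String SAMPLE =
        "<node class='container' name='security'><node class='container' name='config'>"
      + " <node class='authMode' name='auth-mode'><node-attribute name='mode' value='4'/>"
      + "  <node-attribute name='retries' value='-1'/>"
      + "  <node-attribute name='plugin' value='com.acme.myapp.security.Login'/></node>"
      + " <node class='container' name='auth-plugins'>"
      + "  <node class='container' name='acme_login'><node class='string' name='classname'>"
      + "   <node-attribute name='value' value='com.acme.myapp.security.Login'/></node></node>"
      + "  <node class='container' name='trusted_client'><node class='string' name='classname'>"
      + "   <node-attribute name='value' value='" + TRUSTED_CLIENT + "'/></node></node>"
      + " </node></node></node>";

   public static void main(String[] args) throws Exception {
      for (String finding : check(SAMPLE)) System.out.println(finding);
   }
}
```

Run against a real directory file by passing its contents to check instead of SAMPLE. Two findings are deliberate policy reminders rather than errors: a retries value of -1 is valid but leaves the plugin without any attempt limit, and a trusted_client entry is valid but disables password checks for everyone assigned to it, so both deserve a look whenever the directory changes.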

auth-plugins: classname

The authentication plugin classname property represents the class which will handle authentication for the specified user account or group.

It can be found under /security/config/auth-plugins/<account_or_group>/classname node.

Any class that will serve as an authentication plugin must implement the com.goldencode.p2j.security.Authenticator interface.


Example of an authentication plugin:

import java.util.Map;

import com.goldencode.p2j.security.Authenticator;

public class GuestAccess
implements Authenticator
{
   /**
    * Default constructor.
    */
   public GuestAccess()
   {
      // nothing to do here
   }

   /**
    * Implements client side custom authentication logic.
    *
    * @param    parameters
    *           Additional configuration parameters. This plugin uses the
    *           "subjectId" parameter, which corresponds to the name of the
    *           user account to be used.
    * @param    code
    *           The result of the most recent attempt to authenticate or
    *           AUTH_RESULT_NONE if this is the first attempt.
    *
    * @return   Array of bytes to be transmitted to the server as the
    *           authorization input.
    */
   public byte[] clientAuthHook(Map<String, Object> parameters, int code)
   {
      /* Implement logic for the client hook */
      ...
      // return a byte array
      return SecurityManager.packageIdPassword(id, pw);
   }

   /**
    * Finalizes any resources allocated during authentication by the client.
    */
   public void clientFinalize()
   {
      // nothing to do here
   }

   /**
    * Implements server side custom authentication logic.
    *
    * @param    auth
    *           The authorization input from the client.
    * @param    parameter
    *           Additional configuration parameters taken from the directory.
    *
    * @return   The authentication response carrying the result type.
    */
   public AuthenticationResponse serverAuthHook(byte[] auth, String parameter)
   {
      /* Implement logic for authentication */
      ...
      /* return an AuthenticationResponse with the result type set from
         com.goldencode.p2j.security.SecurityConstants depending on
         the outcome of the authentication process */
      return new AuthenticationResponse(userId, AUTH_RESULT);
   }
}

auth-plugins: description

This represents the description of the authentication plugin.

It can be found under /security/config/auth-plugins/<account_or_group>/description node.

auth-plugins: option

This can provide additional info about the authentication plugin, for example a contact for authentication problems.

It can be found under /security/config/auth-plugins/<account_or_group>/option node.

trusted_client: classname

The trusted client plugin represents the custom authentication class that allows a user to be automatically logged in (without password!) by specifying the target user id when starting the FWD client.

It can be found under /security/config/auth-plugins/trusted_client/classname node.

An example: ./client.sh -u userid

In order to be able to log in without a password, this plugin must be specified as the auth plugin for the target users.

This plugin is effectively a way of disabling p2j's server security for the given set of users.

trusted_client: description

This represents the description of the custom authentication plugin.

It can be found under /security/config/auth-plugins/trusted_client/description node.

trusted_client: option

This can provide additional info about the authentication plugin, for example a contact for authentication problems.

It can be found under /security/config/auth-plugins/trusted_client/option node.

Reference

The following options can be specified related to authentication. Each entry gives the option ID, followed by its data type, default value, whether it is required, and details.

/security/config/change/maxAge
   Integer, default N/A, not required. Provides the maximum number of days since the previous password change that the current password remains valid. This node is optional; if not defined, no password aging is performed.

/security/config/change/plugin
   String, default N/A, not required. This represents the class responsible for new password change input.

/security/config/auth-mode/mode
   Integer, default N/A, required. Represents the authentication mode id.

/security/config/auth-mode/retries
   Integer, default N/A, required. Represents the number of authentication retries permitted for the given plugin.

/security/config/auth-mode/plugin
   String, default N/A, required. Represents the authentication plugin for which the authentication mode will be applied.

/security/config/auth-plugins/<account_or_group>/classname
   String, default N/A, required. This represents the class which will handle authentication for the specified user account or group.

/security/config/auth-plugins/<account_or_group>/description
   String, default N/A, required. This represents the description of the authentication plugin.

/security/config/auth-plugins/<account_or_group>/option
   String, default N/A, required. This can provide additional info about the authentication plugin, for example a contact for authentication problems.

/security/config/auth-plugins/trusted_client/classname
   String, default N/A, not required. Represents the custom authentication class that allows a user to be automatically logged in (without password!) by specifying the target user id when starting the FWD client.

/security/config/auth-plugins/trusted_client/description
   String, default N/A, not required. This represents the description of the custom authentication plugin.

/security/config/auth-plugins/trusted_client/option
   String, default N/A, not required. This can provide additional info about the authentication plugin, for example a contact for authentication problems.

© 2004-2017 Golden Code Development Corporation. ALL RIGHTS RESERVED.