Authentication¶
External applications access the FWD server through the remote object protocol. Before that can be used, the external application must establish a session with the FWD server. This involves writing custom Java code to connect to the FWD server and then authenticate using a known account.
Inside the directory there are several parameters that are used to set up the authentication.
Search Algorithm¶
There is no search algorithm used for reading the authentication directory sections. All configurations are global for the directory and can be found under the /security/config root node.
Password Change¶
This section defines the policies regarding how the server forces password changes. For more details on how to develop a password change plugin, see the Hooks chapter of the Developer Guide.
Directory Example:
<node class="container" name="security">
   <node class="container" name="config">
      <node class="container" name="change">
         <node class="integer" name="maxage">
            <node-attribute name="value" value="90"/>
         </node>
         <node class="string" name="plugin">
            <node-attribute name="value" value="com.acme.myapp.security.PasswordChange"/>
         </node>
      </node>
   </node>
</node>
maxAge¶
maxAge provides the maximum number of days after the previous password change for which the current password remains valid. This node is optional. If not defined, no password aging is performed.
plugin¶
public class PasswordChange implements PasswordInput
{
   ...

   /**
    * Gets and verifies the new password.
    *
    * @param oldHash
    *        digest of the current password for comparisons
    *
    * @return new password
    */
   public String obtainPassword(byte[] oldHash)
   {
      return getInputForChangePassword(oldHash);
   }

   ...

   /**
    * Provides the entry point for handling: the user interface to change the password,
    * verification that the given current password matches and that the new password
    * fulfills the password standards.
    *
    * @param oldHash
    *        digest of the current password for comparisons
    *
    * @return if the verifications pass, the new password that was input is returned;
    *         otherwise the error cause is displayed and the user will have to re-input
    *         the passwords with correct values
    */
   private String getInputForChangePassword(byte[] oldHash)
   {
      /* Implement and call the actual logic to match requirements */
      ...
      if (validation_passed)
      {
         return newPassword;
      }
      ...
   }

   ...
}
The user account class in the FWD directory provides attributes for the date and time the password was last changed. They are named pwsetdate and pwsettime and are optional. This means that for a particular account they may be missing by the time the password age is checked. In this case the Security Manager assumes the password is old enough to make this check fail. A new password should then be set, and these attributes will be created automatically.
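The password-age rule above, written out as an added example (not FWD's own code): a missing or unreadable pwsetdate/pwsettime fails the check, and no maxage means no aging at all. The attribute encodings (pwsetdate as YYYY-MM-DD, pwsettime as HH:MM:SS) are assumptions; the sample accounts are constructed.

```python
from datetime import date, datetime, time, timedelta
from typing import Optional

# Added example, not FWD code. Assumed attribute encodings: pwsetdate as
# YYYY-MM-DD and pwsettime as HH:MM:SS; the real directory format may differ.

def password_expired(max_age_days: Optional[int], pwsetdate: Optional[str],
                     pwsettime: Optional[str], now: datetime) -> bool:
    """True when the age check should fail and a password change be forced."""
    if max_age_days is None:
        return False          # maxage not configured: no password aging at all
    if pwsetdate is None or pwsettime is None:
        return True           # attributes missing: assume the password is old enough
    try:
        last_change = datetime.combine(date.fromisoformat(pwsetdate),
                                       time.fromisoformat(pwsettime))
    except ValueError:
        return True           # unparseable values: fail closed, same as missing
    return now - last_change > timedelta(days=max_age_days)

def check_accounts(max_age_days: Optional[int], accounts: dict, now: datetime) -> dict:
    """Map each account name to whether its password must be changed."""
    return {name: password_expired(max_age_days, attrs.get("pwsetdate"),
                                   attrs.get("pwsettime"), now)
            for name, attrs in accounts.items()}

# Constructed sample accounts; "carol" has never set a password.
SAMPLE_ACCOUNTS = {
    "alice": {"pwsetdate": "2017-01-10", "pwsettime": "08:30:00"},
    "bob":   {"pwsetdate": "2016-09-01", "pwsettime": "12:00:00"},
    "carol": {},
}
NOW = datetime(2017, 3, 1, 9, 0, 0)

if __name__ == "__main__":
    for name, expired in check_accounts(90, SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {'must change password' if expired else 'ok'}")
```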
Auth Mode¶
The Authentication mode section provides data to establish what authentication modes apply to the declared authentication plugins.
This container can be found under the /security/config/auth-mode location.
Directory example:
<node class="container" name="security">
   <node class="container" name="config">
      <node class="authMode" name="auth-mode">
         <node-attribute name="mode" value="4"/>
         <node-attribute name="retries" value="-1"/>
         <node-attribute name="plugin" value="com.acme.myapp.security.Login"/>
      </node>
   </node>
</node>
auth-mode: mode¶
Represents the authentication mode id.
It resides under /security/config/auth-mode/mode node.
The authentication mode ids can be found as constants inside the com.goldencode.p2j.security.SecurityConstants class.
Authentication mode ids:
- 0: no override (lowest value)
- 1: user id and password
- 2: X.509 certificate
- 3: X.509 certificate + user id and password
- 4: custom (highest value)
auth-mode: retries¶
Represents the number of authentication retries permitted for a certain authentication plugin, where:
- -1: unlimited retries
- 0: no retries
- > 0: a specific limit
It can be found under the /security/config/auth-mode/retries node.
auth-mode: plugin¶
Represents the plugin class for which the authentication mode will be applied.
It can be found under /security/config/auth-mode/plugin node.
Authentication Plugins¶
The Authentication plugins section contains a series of attributes that are used to initialize and set the authentication for accounts or groups.
This container can be found inside the /security/config/auth-plugins location.
Directory example:
<node class="container" name="security">
   <node class="container" name="config">
      <node class="container" name="auth-plugins">
         <node class="container" name="acme_login">
            <node class="string" name="classname">
               <node-attribute name="value" value="com.acme.myapp.security.Login"/>
            </node>
            <node class="string" name="description">
               <node-attribute name="value" value="ACME Login Screen"/>
            </node>
            <node class="string" name="option">
               <node-attribute name="value" value="arbitrary text here that is passed as options"/>
            </node>
         </node>
         <node class="container" name="trusted_client">
            <node class="string" name="classname">
               <node-attribute name="value" value="com.goldencode.p2j.security.TrustedClientPlugin"/>
            </node>
            <node class="string" name="description">
               <node-attribute name="value" value="Trusted Client Plugin"/>
            </node>
            <node class="string" name="option">
               <node-attribute name="value" value=""/>
            </node>
         </node>
      </node>
   </node>
</node>
auth-plugins: classname¶
The authentication plugin classname property represents the class which will handle authentication for the specified user account or group.
It can be found under /security/config/auth-plugins/<account_or_group>/classname node.
Any class that will serve as an authentication plugin must implement the com.goldencode.p2j.security.Authenticator interface.
Example of an authentication plugin:
import java.util.Map;

import com.goldencode.p2j.security.*;

public class GuestAccess implements Authenticator
{
   /**
    * Default constructor.
    */
   public GuestAccess()
   {
      // nothing to do here
   }

   /**
    * Implements client side custom authentication logic.
    *
    * @param parameters
    *        Additional configuration parameters. This plugin uses the
    *        "subjectId" parameter, which corresponds to the name of the user
    *        account to be used.
    * @param code
    *        The result of the most recent attempt to authenticate, or
    *        AUTH_RESULT_NONE if this is the first attempt.
    *
    * @return Array of bytes to be transmitted to the server as the
    *         authorization input.
    */
   public byte[] clientAuthHook(Map<String, Object> parameters, int code)
   {
      /* Implement logic for the client hook */
      ...
      // return a byte array
      return SecurityManager.packageIdPassword(id, pw);
   }

   /**
    * Finalizes any resources allocated during authentication by the client.
    */
   public void clientFinalize()
   {
      // nothing to do here
   }

   /**
    * Not used for the client side.
    *
    * @param auth
    *        The authorization input from the client.
    * @param parameter
    *        Additional configuration parameters taken from the directory.
    *
    * @return Always null.
    */
   public AuthenticationResponse serverAuthHook(byte[] auth, String parameter)
   {
      /* Implement logic for authentication */
      ...
      /* return an AuthenticationResponse with the result type set from
         com.goldencode.p2j.security.SecurityConstants depending on
         the outcome of the authentication process */
      return new AuthenticationResponse(userId, AUTH_RESULT);
   }
}
auth-plugins: description¶
This represents the description of the authentication plugin.
It can be found under /security/config/auth-plugins/<account_or_group>/description node.
auth-plugins: option¶
This can provide additional information, for example a contact for authentication problems.
It can be found under /security/config/auth-plugins/<account_or_group>/option node.
trusted_client: classname¶
The trusted client plugin represents the custom authentication class that allows a user to be automatically logged in (without password!) by specifying the target user id when starting the FWD client.
It can be found under /security/config/auth-plugins/trusted_client/classname node.
An example: ./client.sh -u userid
In order to be able to log in without a password, this plugin must be specified as the auth plugin for the target users.
This plugin is a way of disabling the p2j server's security for the given set of users.
trusted_client: description¶
This represents the description of the custom authentication plugin.
It can be found under /security/config/auth-plugins/trusted_client/description node.
trusted_client: option¶
This can provide additional information, for example a contact for authentication problems.
It can be found under /security/config/auth-plugins/trusted_client/option node.
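A directory audit for the Auth Mode, Authentication Plugins and trusted_client sections above, as an added example that is not part of FWD: it parses the node/node-attribute XML shown on this page and reports a mode id outside 0..4, an invalid or unlimited retries value, an auth-mode plugin that no auth-plugins entry declares, use of the trusted client plugin, and a missing change/maxage. The helper names and the finding texts are this example's own; the sample XML is constructed from the page's examples.

```python
import xml.etree.ElementTree as ET
TRUSTED_CLIENT = "com.goldencode.p2j.security.TrustedClientPlugin"

def child(node, name):
    """Direct <node> child with the given name= attribute, or None."""
    return next((n for n in node.findall("node") if n.get("name") == name), None)
def attr(node, name):
    """value= of the <node-attribute name=...> child, or None."""
    a = None if node is None else node.find(f"node-attribute[@name='{name}']")
    return None if a is None else a.get("value")
def value(node, name):  # value= of a named string/integer child node
    return attr(None if node is None else child(node, name), "value")

def audit_security_config(xml_text):
    """Audit a <node name="security"> subtree; returns a list of findings."""
    findings, declared = [], {}
    config = child(ET.fromstring(xml_text), "config")
    if config is None:
        return ["missing /security/config"]
    plugins = child(config, "auth-plugins")
    for p in ([] if plugins is None else plugins.findall("node")):
        declared[p.get("name")] = value(p, "classname")   # container name -> class
        if declared[p.get("name")] == TRUSTED_CLIENT:
            findings.append(f"auth-plugins/{p.get('name')}: trusted client plugin logs users in without a password")
    mode = child(config, "auth-mode")
    if mode is None:
        return findings + ["missing /security/config/auth-mode"]
    m, r, plugin = attr(mode, "mode"), attr(mode, "retries"), attr(mode, "plugin")
    if m is None or not m.isdigit() or not 0 <= int(m) <= 4:
        findings.append(f"auth-mode/mode: invalid id {m!r} (expected 0-4)")
    retries = int(r) if r and (r[1:] if r[0] == "-" else r).isdigit() else None
    if retries is None or retries < -1:
        findings.append(f"auth-mode/retries: {r!r} must be -1, 0 or a positive limit")
    elif retries == -1:
        findings.append("auth-mode/retries: -1 permits unlimited attempts")
    if plugin not in declared.values():
        findings.append(f"auth-mode/plugin: {plugin!r} is not declared under auth-plugins")
    if value(child(config, "change"), "maxage") is None:
        findings.append("change/maxage not set: no password aging is performed")
    return findings

# Constructed sample combining the page's auth-mode and auth-plugins examples.
SAMPLE = """<node class="container" name="security"><node class="container" name="config">
<node class="authMode" name="auth-mode"><node-attribute name="mode" value="4"/>
<node-attribute name="retries" value="-1"/><node-attribute name="plugin" value="com.acme.myapp.security.Login"/></node>
<node class="container" name="auth-plugins"><node class="container" name="acme_login">
<node class="string" name="classname"><node-attribute name="value" value="com.acme.myapp.security.Login"/></node></node>
<node class="container" name="trusted_client"><node class="string" name="classname">
<node-attribute name="value" value="com.goldencode.p2j.security.TrustedClientPlugin"/></node></node></node></node></node>"""
```

Running audit_security_config(SAMPLE) on the page's own examples reports the trusted client entry, the unlimited retries and the absent maxage; a clean directory returns an empty list.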
Reference¶
The following options can be specified related to authentication:
Option ID | Data Type | Default Value | Required | Details |
---|---|---|---|---|
/security/config/change/maxAge | Integer | N/A | No | Provides the maximum number of days after the previous password change for which the current password remains valid. This node is optional. If not defined, no password aging is performed. |
/security/config/change/plugin | String | N/A | No | This represents the class responsible for new password change input. |
/security/config/auth-mode/mode | Integer | N/A | Yes | Represents the authentication mode id. |
/security/config/auth-mode/retries | Integer | N/A | Yes | Represents the number of authentication retries permitted for the given plugin. |
/security/config/auth-mode/plugin | String | N/A | Yes | Represents the authentication plugin for which the authentication mode will be applied. |
/security/config/auth-plugins/<account_or_group>/classname | String | N/A | Yes | This represents the class which will handle authentication for the specified user account or group. |
/security/config/auth-plugins/<account_or_group>/description | String | N/A | Yes | This represents the description of the authentication plugin. |
/security/config/auth-plugins/<account_or_group>/option | String | N/A | Yes | This can provide additional information about the authentication plugin, for example a contact for authentication problems. |
/security/config/auth-plugins/trusted_client/classname | String | N/A | No | Represents the custom authentication class that allows a user to be automatically logged in (without password!) by specifying the target user id when starting the FWD client. |
/security/config/auth-plugins/trusted_client/description | String | N/A | No | This represents the description of the custom authentication plugin. |
/security/config/auth-plugins/trusted_client/option | String | N/A | No | This can provide additional information about the authentication plugin, for example a contact for authentication problems. |
© 2004-2017 Golden Code Development Corporation. ALL RIGHTS RESERVED.