Authentication Schemes

About authentication

To provide proper authentication for all inbound HTTP-based protocols (HTTP, REST and web services), we provide a pluggable authentication mechanism for these components. We currently support three authentication schemes:

  • BASIC using a userfile
  • BASIC using JDBC
  • LDAP authentication

Using basic authentication with a userfile

This authentication scheme lets the user supply a user file containing the usernames and passwords of the users that may authenticate. This file is usually named users.properties and needs to be placed somewhere on the filesystem of the platform ConnectPlaza is running on, for example in [connectplaza-agent]/conf.

The users.properties file should look something like this:

jetty: MD5:164c88b302622e17050af52c89945d44,user
admin: CRYPT:adpexzg3FUZAk,server-administrator,content-administrator,admin,user
other: OBF:1xmk1w261u9r1w1c1xmq,user
plain: plain,user
user: password,user

# This entry is for digest auth.  The credential is a MD5 hash of username:realmname:password
digest: MD5:6e120743ad67abfbc385bc2bb754e297,user

As you can see, each line specifies a username, then a colon, and then either a plain-text password or an encoded password prefixed with the encoding used (MD5, CRYPT or OBF). Note that OBF is reversible obfuscation, not a hash: it only hides the password from casual reading of the file.

Specify the location of this file in the Authentication Realm property in Constructor and set Authentication Scheme to BASIC.
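As an added illustration (not ConnectPlaza's or Jetty's own code), the following Python parses a users.properties file in the format above and checks a BASIC login against MD5:, OBF: and plain entries. The OBF decoding follows Jetty's reversible scheme; apart from the page's own other line, the sample entries are constructed, and CRYPT: entries are deliberately rejected because they need Unix crypt(3).

```python
import hashlib
import hmac

def deobfuscate(value: str) -> str:
    """Reverse Jetty's OBF: encoding. It is reversible obfuscation, not a hash."""
    if value.startswith("OBF:"):
        value = value[4:]
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "U":                 # marker for a non-ASCII byte
            out.append((int(value[i + 1:i + 5], 36) >> 8) & 0xFF)
            i += 5
        else:
            i1, i2 = divmod(int(value[i:i + 4], 36), 256)
            out.append(((i1 + i2 - 254) // 2) & 0xFF)
            i += 4
    return out.decode("utf-8")

def parse_users(text: str) -> dict:
    """Parse 'name: credential,role,...' lines into {name: (credential, [roles])}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = (fields[0], fields[1:])
    return users

def verify(users: dict, username: str, password: str) -> bool:
    """BASIC check for MD5:, OBF: and plain entries; CRYPT: is rejected in this example."""
    if username not in users:
        return False
    cred = users[username][0]
    if cred.startswith("MD5:"):             # MD5 of the bare password for BASIC auth
        cred, password = cred[4:].lower(), hashlib.md5(password.encode()).hexdigest()
    elif cred.startswith("OBF:"):
        cred = deobfuscate(cred)
    elif cred.startswith("CRYPT:"):
        raise ValueError("CRYPT: credentials need Unix crypt(3); not handled here")
    return hmac.compare_digest(cred.encode(), password.encode())

# Constructed sample file: the 'other' line is the page's own, 'jane' is made up.
USERS = parse_users(f"""
other: OBF:1xmk1w261u9r1w1c1xmq,user
user: password,user
jane: MD5:{hashlib.md5(b's3cret').hexdigest()},server-administrator,user
""")
```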

Using basic authentication with JDBC

This authentication scheme lets our users connect to a JDBC datasource whose database schema contains the tables required to store users and roles. The configuration for this database must be placed in a jdbc.properties file somewhere on the filesystem of the platform ConnectPlaza is running on, for example in [connectplaza-agent]/conf.

The jdbc.properties should look something like this:

jdbcdriver = com.mysql.jdbc.Driver
url = jdbc:mysql://localhost:3306/users
username = root
password = root
usertable = users
usertablekey = id
usertableuserfield = username
usertablepasswordfield = pwd
roletable = roles
roletablekey = id
roletablerolefield = role
userroletable = user_roles
userroletableuserkey = user_id
userroletablerolekey = role_id
cachetime = 300
requiredrole = admin,myrole

This configuration file specifies the connection to the database, the names of the tables to use and the column names used to select the correct records.

The requiredrole property specifies which role a user must have in order to be authenticated. This may also be a comma-separated list; a user who holds at least one of the roles in the list is authenticated.

Specify the location of this file in the Authentication Realm property in Constructor and set Authentication Scheme to BASIC_JDBC.

In order to create the required tables you can use this SQL:

CREATE TABLE `roles` (
  `id` int(11) NOT NULL,
  `role` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `role` (`role`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

CREATE TABLE `user_roles` (
  `user_id` int(11) NOT NULL,
  `role_id` int(11) NOT NULL,
  PRIMARY KEY (`user_id`,`role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `username` varchar(100) NOT NULL,
  `pwd` varchar(20) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
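The lookup that this configuration describes, as an added example (not the platform's own code): a Python sketch that builds the users/user_roles/roles join from the jdbc.properties names, binds the username as a query parameter, and applies the requiredrole rule (the same comma-separated, one-match-suffices rule that jaas.roles uses in the LDAP section below). It assumes an in-memory sqlite3 database in place of the MySQL datasource, compares pwd as stored, and the rows are constructed.

```python
import hmac
import sqlite3

# Table and column names copied from the page's jdbc.properties example.
JDBC_PROPS = {
    "usertable": "users", "usertablekey": "id", "usertableuserfield": "username",
    "usertablepasswordfield": "pwd", "roletable": "roles", "roletablekey": "id",
    "roletablerolefield": "role", "userroletable": "user_roles",
    "userroletableuserkey": "user_id", "userroletablerolekey": "role_id", "requiredrole": "admin,myrole",
}

def ident(name: str) -> str:
    """Quote a configured table/column name; refuse anything that is not a plain identifier."""
    if not name.isidentifier():
        raise ValueError(f"bad identifier in jdbc.properties: {name!r}")
    return f'"{name}"'

def role_query(p: dict) -> str:
    """users -> user_roles -> roles join built from the configured names; the username is bound."""
    q = lambda k: ident(p[k])
    return (f"SELECT u.{q('usertablepasswordfield')}, r.{q('roletablerolefield')} "
            f"FROM {q('usertable')} u "
            f"JOIN {q('userroletable')} ur ON ur.{q('userroletableuserkey')} = u.{q('usertablekey')} "
            f"JOIN {q('roletable')} r ON r.{q('roletablekey')} = ur.{q('userroletablerolekey')} "
            f"WHERE u.{q('usertableuserfield')} = ?")

def has_required_role(roles, requiredrole: str) -> bool:
    """requiredrole (JDBC) or jaas.roles (LDAP) is a comma-separated list; one match suffices."""
    required = {r.strip() for r in requiredrole.split(",") if r.strip()}
    return not required.isdisjoint(roles)

def authenticate(conn, p: dict, username: str, password: str) -> bool:
    """True only if the stored pwd matches and the user holds at least one required role."""
    rows = conn.execute(role_query(p), (username,)).fetchall()
    if not rows or not hmac.compare_digest(rows[0][0].encode(), password.encode()):
        return False
    return has_required_role({role for _, role in rows}, p["requiredrole"])

def sample_db() -> sqlite3.Connection:
    """Constructed data in the page's schema: alice is admin+guest, bob is guest only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE roles (id INTEGER PRIMARY KEY, role TEXT NOT NULL UNIQUE);
        CREATE TABLE user_roles (user_id INTEGER, role_id INTEGER, PRIMARY KEY (user_id, role_id));
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, pwd TEXT NOT NULL);
        INSERT INTO roles VALUES (1, 'admin'), (2, 'myrole'), (3, 'guest');
        INSERT INTO users VALUES (1, 'alice', 'pw-alice'), (2, 'bob', 'pw-bob');
        INSERT INTO user_roles VALUES (1, 1), (1, 3), (2, 3);""")
    return conn
```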

Using LDAP authentication

This authentication scheme lets our users connect to an LDAP server for authentication. The configuration for this authentication must be placed in a jaas.ini file somewhere on the filesystem of the platform ConnectPlaza is running on, for example in [connectplaza-agent]/conf.

The jaas.ini should look something like this:

jaas.type=ldap
jaas.config=[connectplaza-agent]/conf/myldap.conf
jaas.name=myldap
jaas.roles=admin,developer

  • The jaas.config property must point to a separate LDAP configuration file myldap.conf that should be placed in the same location as the jaas.ini file.
  • The jaas.name property must refer to the configuration entry in myldap.conf.
  • The jaas.roles property specifies which role a user must have in order to be authenticated. This may also be a comma-separated list; a user who holds at least one of the roles in the list is authenticated.
  • Specify the location of this file in the Authentication Realm property in Constructor and set Authentication Scheme to LDAP.

To configure the LDAP connection, use myldap.conf. The following is an example:

myldap {
   org.eclipse.jetty.jaas.spi.LdapLoginModule required
   debug="true"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   hostname="ldap.server.com"
   port="389"
   bindDn="cn=directory manager"
   bindPassword="somepassword"
   authenticationMethod="simple"
   forceBindingLogin="true"
   userBaseDn="ou=gebruikers,dc=one,dc=two"
   userRdnAttribute=""
   userIdAttribute="uid"
   userPasswordAttribute="userPassword"
   userObjectClass="myobjectclass"
   roleBaseDn="dc=one,dc=two"
   roleNameAttribute="cn"
   roleMemberAttribute="uniqueMember"
   roleObjectClass="groupOfUniqueNames";
};

Please note that this configuration is based on an OpenLDAP server on port 389; the exact configuration of your specific LDAP implementation may vary. Consult the settings and specifics of your own environment before changing these values, as only correct settings will allow authentication to succeed.

Example