...

FEJ uses Spring Security for authentication. The authentication configuration is located in the spring/custom-security.xml file.

File-based authentication

...

If you need a more complex authentication solution, please refer to the Spring Security documentation.

The authentication mechanism is defined in spring/custom-security.xml:

<!--Mock Authentication-->
<bean id="passwordEncoder"
      class="org.springframework.security.crypto.password.NoOpPasswordEncoder"
      factory-method="getInstance"/>

<sec:authentication-manager id="authenticationManager">
    <sec:authentication-provider>
        <sec:password-encoder ref="passwordEncoder"/>
        <sec:user-service id="userDetailsService" properties="admin-users.properties"/>
    </sec:authentication-provider>
</sec:authentication-manager>

Users are defined by the external properties file named users.properties:

test=test,ROLE_ADMIN,enabled


    <!-- Password encoder bean to support plain text passwords in user.properties -->
    <bean id="passwordEncoder"
          class="org.springframework.security.crypto.password.NoOpPasswordEncoder"
          factory-method="getInstance"/>

    <!-- Password encoder bean to support BCrypt-hashed passwords in admin.properties -->
    <!--
    <bean id="adminPasswordEncoder"
          class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
    -->

Authorized administrative users are defined in the admin-users.properties file:

# Spring security file format
# password depends on configured spring PasswordEncoder (hash or plain text)
#
# Format: username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

# password is plain text
admin=admin,JMX_ADMIN,SSH_ADMIN,FIXICC_ADMIN,enabled
guest=guest,FIXICC_GUEST,enabled

# password is hash (bcrypt)
#admin=$2a$10$hCDWIHTwb7zui0dDbG8dXe2r9x3H4JDEynQuoGDn85rk6vOjxGoJC,JMX_ADMIN,SSH_ADMIN,FIXICC_ADMIN,enabled
#guest=$2a$10$pQcJLlpuHRmn5w1MdBx/xudmEBKc0l/ER7TXifc2zntKIrW3lw8S2,FIXICC_GUEST,enabled

By default, FEJ provides the following user roles with different access levels:

  • FIXICC_ADMIN - access by FIXICC with ALL permissions (role is defined in fixicc_permissions.properties)
  • FIXICC_GUEST - access by FIXICC with ONLY READ permissions (role is defined in fixicc_permissions.properties)
  • SSH_ADMIN - access by Remote Shell with ALL permissions (role is defined in fixedge.properties)
  • JMX_ADMIN - access by JMX with ALL permissions (role is defined in fixedge.properties)
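
An audit helper for the admin-users.properties format shown above, added here as an example and not part of FEJ or Spring Security: it reports enabled accounts whose stored password is not a bcrypt hash, whether the password equals the username, and whether the account holds an *_ADMIN role. The function names, the finding labels and the `ops` and `old` accounts in the sample are constructed for illustration; `!` comments and `:` separators allowed by Java properties files are assumed not to be used.

```python
import re

# bcrypt hash layout: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt + digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Constructed sample in the format documented above
SAMPLE = """\
admin=admin,JMX_ADMIN,SSH_ADMIN,FIXICC_ADMIN,enabled
guest=guest,FIXICC_GUEST,enabled
ops=$2a$10$hCDWIHTwb7zui0dDbG8dXe2r9x3H4JDEynQuoGDn85rk6vOjxGoJC,FIXICC_ADMIN,enabled
old=secret,SSH_ADMIN,disabled
"""

def parse_users(text):
    """Parse 'username=password,authority[,authority][,enabled|disabled]' lines."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not an entry
        name, value = line.split("=", 1)
        tokens = [t.strip() for t in value.split(",")]
        enabled, roles = True, []  # an account is enabled unless flagged otherwise
        for tok in tokens[1:]:
            if tok.lower() in ("enabled", "disabled"):
                enabled = tok.lower() == "enabled"
            elif tok:
                roles.append(tok)
        users.append({"name": name.strip(), "password": tokens[0],
                      "roles": roles, "enabled": enabled})
    return users

def audit(text):
    """Return (username, finding, privileged) for enabled accounts stored unhashed."""
    findings = []
    for user in parse_users(text):
        if not user["enabled"] or BCRYPT_RE.match(user["password"]):
            continue
        privileged = any(role.endswith("_ADMIN") for role in user["roles"])
        findings.append((user["name"], "plaintext-password", privileged))
        if user["password"] == user["name"]:
            findings.append((user["name"], "password-equals-username", privileged))
    return findings

if __name__ == "__main__":
    for name, finding, privileged in audit(SAMPLE):
        print(f"{name}: {finding} (admin role: {privileged})")
```

A bcrypt-shaped value only protects the account when the bean referenced by password-encoder is BCryptPasswordEncoder; with NoOpPasswordEncoder the stored string itself is compared as the password.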

LDAP authentication

FEJ also supports authentication against an LDAP server.

...

To activate LDAP authentication of administrative users, replace the authentication-manager bean definition in the spring/custom-security.xml file:

<authentication-manager>
    <ldap-authentication-provider
      user-search-base="ou=people"
      user-search-filter="(uid={0})"
      group-search-base="ou=groups"
      group-search-filter="(member={0})">
    </ldap-authentication-provider>
</authentication-manager>
   
<ldap-server url="ldap://epam.com:389/dc=epam,dc=com" />

| Attribute name | Description |
| --- | --- |
| user-search-base | Search base for user searches. Defaults to "". Only used with a 'user-search-filter'. |
| user-search-filter | The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name. |
| group-search-base | Search base for group membership searches. Defaults to "" (searching from the root). |
| group-search-filter | Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user. |
| group-role-attribute | The LDAP attribute name which contains the role name which will be used within Spring Security. Defaults to "cn". |
| user-dn-pattern | A specific pattern used to build the user's DN, for example "uid={0},ou=people". The key "{0}" must be present and will be substituted with the username. |

For more details about configuring authentication with an LDAP server, see the Spring documentation.

...