You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

Administrative user management

This section describes how to set up users and user rights for accessing administrative instruments.

Administrative access to FEJ can be obtained through:

  • remote shell
  • JMX
  • FIXICC app

The configuration of users and their access rights is performed by using Spring Security.

For details on monitoring and management using a remote shell, refer to FIXEdge Java Administration.

Security configuration

FEJ uses Spring Security for authentication purposes. Authentication configuration is located in the spring/custom-security.xml file.

File-based authentication

By default, for testing purposes, the FEJ container uses simple, in-memory authentication with the NoOpPasswordEncoder encoder and plain-text credentials.

For other password encoder options, please check Spring Security 5.0

If you need a more complex authentication solution, please refer to Spring Security documentation.

The authentication mechanism is defined in spring/custom-security.xml:

   <!--Mock Authentication-->
    <sec:authentication-manager id="authenticationManager">
        <sec:authentication-provider>
            <sec:password-encoder ref="passwordEncoder"/>
            <sec:user-service id="userDetailsService" properties="admin-users.properties"/>
        </sec:authentication-provider>
    </sec:authentication-manager>

    <!-- Password encode bean to support plain text passwords in user.properties -->
    <bean id="passwordEncoder"
          class="org.springframework.security.crypto.password.NoOpPasswordEncoder"
          factory-method="getInstance"/>

    <!-- Password encode bean to support passwords encripted with BCrypt way in admin.properties -->
<!--    <bean id="adminPasswordEncoder"-->
<!--          class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>-->

Authorized administrative users are defined in the admin-users.properties properties file:

# Spring security file format
# password depends on configured spring PasswordEncoder (hash or plain text)
#
# Format: username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

# password is plain text
admin=admin,JMX_ADMIN,SSH_ADMIN,FIXICC_ADMIN,enabled
guest=guest,FIXICC_GUEST,enabled

# password is hash (bcrypt)
#admin=$2a$10$hCDWIHTwb7zui0dDbG8dXe2r9x3H4JDEynQuoGDn85rk6vOjxGoJC,JMX_ADMIN,SSH_ADMIN,FIXICC_ADMIN,enabled
#guest=$2a$10$pQcJLlpuHRmn5w1MdBx/xudmEBKc0l/ER7TXifc2zntKIrW3lw8S2,FIXICC_GUEST,enabled

By default, FEJ provides the following user roles with different access levels: 

  • FIXICC_ADMIN - access by FIXICC with ALL permissions (role is defined in fixicc_permissions.properties )
  • FIXICC_GUEST - access by FIXICC with ONLY READ permissions (role is defined in fixicc_permissions.properties )
  • SSH_ADMIN - access by Remote Shell with ALL permissions (role is defined in fixedge.properties)
  • JMX_ADMIN - access by JMX with ALL permissions (role is defined in fixedge.properties)

LDAP authentication

FEJ also supports authentication against an LDAP server.

Before getting deep into LDAP authentication, let’s get familiar with some LDAP terms.

TermDescription

Dn

Distinguished name. A unique name that is used to find a user on an LDAP server, for example, in the Microsoft Active Directory.

Ou

Organization unit

Bind

LDAP Bind is an operation in which LDAP clients send bindRequest to an LDAP server, including a username and password. If
the LDAP server finds that the username and password is correct, it grants access to the LDAP server.

Search

LDAP search is an operation that is performed to retrieve the Dn of a user by using some user credentials.

Root

LDAP directory’s top element, like the root of a tree.

BaseDn

Branch in an LDAP tree that can be used as a base for the LDAP search operation.

To activate the authentication of administrative users with LDAP, replace the authentication-manager bean definition in the spring/custom-security.xml file:

<authentication-manager>
    <ldap-authentication-provider
      user-search-base="ou=people"
      user-search-filter="(uid={0})"
      group-search-base="ou=groups"
      group-search-filter="(member={0})">
    </ldap-authentication-provider>
</authentication-manager>
   
<ldap-server url="ldap://epam.com:389/dc=epam,dc=com" /

Elements from the above sample are described in the table below:

Attribute nameDescription
user-search-baseSearch base for user searches. Defaults to "". Only used with a 'user-search-filter'.
user-search-filterThe LDAP filter used to search for users (optional). For example "(uid={0})". The
substituted parameter is the user's login name.
group-search-baseSearch base for group membership searches. Defaults to "" (searching from the root).
group-search-filterGroup search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN
of the user.
group-role-attributeThe LDAP attribute name that contains the role name that will be used within Spring
Security. Defaults to "cn".
user-dn-patternA specific pattern used to build the user's DN, for example "uid={0},ou=people". The key
"{0}" must be present and will be substituted with the username.

See more details about configuration authentication with the LDAP server in Spring Documentation.

Administrative shell configuration

To configure access to the interactive shell, shell configuration properties are used.

Shell configuration properties are defined by the shell.properties file.

NameDefault valueDescription

crash.auth

spring

Authentication mechanism

crash.ssh.port

2000

SSH server port

crash.ssh.auth_timeout

300000

Authentication timeout of the SSH server (in milliseconds)

crash.ssh.idle_timeout

300000

Idle timeout of the SSH server (in milliseconds)

crash.ssh.default_encoding

UTF-8

Character encoding

FEJ uses the Java shell called ‘CRaSH’. For more information about configuration properties, please refer to the CRaSH reference documentation.

Administrative JMX configuration

The fixedge.properties file contains settings for defining the JMX port and the URL for accessing the JMX service.

For details, refer to the official Java documentation.

Monitoring and management using the JMX technology is described at the Management over JMX section.

FIXICC access configuration

For details on FIXICC access configuration, refer to the FIXICC & FEJ Integration User Guide.

  • No labels