Authentication Schemes

About authentication

To provide proper authentication possibilities for all inbound HTTP based protocols (HTTP, REST and Webservices) we have provided a pluggable authentication mechanism for these components. We currently support three types of authentication schemes:

  • BASIC using a user file
  • BASIC using JDBC
  • LDAP authentication

Basic authentication using a user file

This authentication scheme allows the user to inject a user file containing usernames/passwords. This file is usually named users.properties and needs to be placed somewhere on the filesystem of the platform ConnectPlaza is running on. For example in [connectplaza-agent]/conf.

The entry in this file, must be written as:

<username>:<password>,roll

So if the user is roland and his password is rolandspassword, this could be written as:

roland:rolandspassword,user

The users.properties file should look something like this:

jetty:MD5:164c88b302622e17050af52c89945d44,user
admin:CRYPT:adpexzg3FUZAk,server-administrator,content-administrator,admin,user
other:OBF:1xmk1w261u9r1w1c1xmq,user
plain:plain,user
user:password,user

# This entry is for digest auth.  The credential is a MD5 hash of username:realmname:password
digest: MD5:6e120743ad67abfbc385bc2bb754e297,user

As illustrated, you specify a username, followed by a colon, and then either a plain-text password, or a digested password specifying which digest is used (i.e. MD5, CRYPT or OBF).

Specify the location of this file in the Authentication Realm property in Constructor and set Authentication Scheme to BASIC.

Basic authentication with JDBC

This authentication scheme allows our users to connect to a JDBC data source containing a specific database-scheme containing the tables that are required to store users and roles. The configuration for this database must be placed in a jdbc.properties file and placed somewhere on the filesystem of the platform ConnectPlaza is running on. For example in [connectplaza-agent]/conf.

The jdbc.properties should look something like this:

jdbcdriver = com.mysql.jdbc.Driver
url = jdbc:mysql://localhost:3306/users
username = root
password = root
usertable = users
usertablekey = id
usertableuserfield = username
usertablepasswordfield = pwd
roletable = roles
roletablekey = id
roletablerolefield = role
userroletable = user_roles
userroletableuserkey = user_id
userroletablerolekey = role_id
cachetime = 300
requiredrole = admin,myrole

This configuration file specifies the connection to the database, the names of the desired tables and the column names required to select the correct records.

The requiredrole property specifies which role a user must have in order to be authenticated. This may also be a comma separated list. When a user is connected to a single role in this list, the user will be authenticated.

Specify the location of this file in the Authentication Realm property in Constructor and set Authentication Scheme to BASIC_JDBC.

In order to populate the database you can use this SQL expression:

CREATE TABLE `roles` (
  `id` int(11) NOT NULL,
  `role` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `role` (`role`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

CREATE TABLE `user_roles` (
  `user_id` int(11) NOT NULL,
  `role_id` int(11) NOT NULL,
  PRIMARY KEY (`user_id`,`role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `username` varchar(100) NOT NULL,
  `pwd` varchar(20) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

LDAP authentication

This authentication scheme allows our users to connect to a LDAP server for authentication. The configuration for this authentication must be placed in a jaas.ini file and placed somewhere on the filesystem of the platform ConnectPlaza is running on. For example in [connectplaza-agent]/conf.

The jaas.ini should look something like this:

jaas.type=ldap
jaas.config=[connectplaza-agent]/conf/myldap.conf
jaas.name=myldap
jaas.roles=admin,developer
  • The jaas.config property must point to a separate LDAP configuration file myldap.conf that should be placed in the same location as the jaas.ini file.
  • The jaas.name property must refer to the configuration in the myldap.conf.
  • The jaas.roles property specifies which role a user must have in order to be authenticated. This may also be a comma separated list. When a user is connected to a single role in this list, the user will be authenticated.
  • Specify the location of this file in the Authentication Realm property in Constructor and set Authentication Scheme to LDAP.

In order to configure the LDAP connection, use the myldap.conf as illustrated in the following example:

myldap {
   org.eclipse.jetty.jaas.spi.LdapLoginModule required
   debug="true"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   hostname="ldap.server.com"
   port="389"
   bindDn="cn=directory manager"
   bindPassword="somepassword"
   authenticationMethod="simple"
   forceBindingLogin="true"
   userBaseDn="ou=gebruikers,dc=one,dc=two"
   userRdnAttribute=""
   userIdAttribute="uid"
   userPasswordAttribute="userPassword"
   userObjectClass="myobjectclass"
   roleBaseDn="dc=one,dc=two"
   roleNameAttribute="cn"
   roleMemberAttribute="uniqueMember"
   roleObjectClass="groupOfUniqueNames";
   };

Please note that this configuration is based on an OpenLDAP server on port 389, the exact configuration of your specific LDAP implementation may vary. Please consult the settings and specifics of your situation before changing these settings. Only correct settings will allow for correct authentication.

Example