Server Administration Application – User Authentication

Documentation home

 

See also: Server Administration Application Home Page, User Authentication, Application Authentication

 

User Authentication Options 1

Use Windows Domain Server 1

Use OpenID Connect 3

Use Gateway. 3

Use JSP Logon Page. 4

Use Custom Authentication. 5

Default Logon Service. 6

 

 

This page provides options for authenticating end users. These properties are saved to file security.properties in the ebaseConf folder of the web application e.g. userdata/apps/<webappname>/ebaseConf/security.properties.

 

User Authentication Options

Users can either be authenticated when they first connect. As an alternative, users can be authenticated under application control. This page describes the options available for authenticating users when they first connect.

 

The options available are:

 

See also User Authentication.

 

Caution! when testing and activating any of the automatic authentication options below, it’s very easy to lock yourself out of the Server Administration App so you can’t revert your changes. To avoid this situation, the recommended technique is to use two browsers: the first browser is used to configure changes using the Server Administration App, the second browser is used to connect to the system and test the changes. The automatic authentication mechanisms are activated when one of the options below is configured and a user is not already signed on.

 

If you get locked out, the Server Administration App properties in userdata/Server/apps/<webappname>/ebaseConf/security.properties can be edited using any text editor.

 

This warning applies only to on-premise servers, it does not apply to Cloud Service Plans.

Use Windows Domain Server

This option is only available for systems inside a Windows domain where the users have already signed on to the Windows domain. Use of IIS with the AJP connector is required and the IIS option Windows Authentication must be configured. The result of this is that the Windows domain userid is made available to the Verj.io server as Remote User.

 

See Windows Authentication for more details.

 

To connect to a remote Active Directory server using ADFS, use OpenID Connect.

 

Label

Property Name

Requires

Restart

Description

Use Windows Domain User

Logonexit.useWindowsAuthentication

No

Uses the Windows domain user name when the user is signed on to a Windows domain.

This option requires the use of IIS with the AJP connector. The IIS option Windows Authentication must be configured.

 

Click the Test Windows Domain User button to check whether the Windows domain user is available.

Allow Non-Windows Users

Logonexit.allowNonWindowsUsers

No

If checked, the system will allow non-Windows users to access the system. This might be useful if you want to mix intranet and external users on the same system.

If unchecked, only valid Windows users will be allowed.

Automatically populate roles from AD

Logonexit.extractADRoles

No

When checked, the system will connect to the Active Directory system configured in Security Properties > LDAP Connection and extract any groups assigned to the user. One role is created for each AD group.

 

Click the Test Active Directory Search button to test whether this option can be safely activated.

Automatically populate credentials from AD

Ldap.RegistrUrl

No

When checked, the system will connect to the Active Directory system configured in Security Properties > LDAP Connection and extract user attributes. A credential is created for each attribute configured.

 

Click the Test Active Directory Search button to test whether this option can be safely activated.

 

Use OpenID Connect

When the Use OpenID Connect checkbox is checked, the connection marked as the default is used to authenticate all users when they first connect to the system. Connection configurations can also be used for application authentication.

 

See OpenID Connect Configuration for configuration details.

 

Label

Property Name

Requires

Restart

Description

Use OpenID Connect

Logonexit.useOpenIdConnectAuthentication

No

The connection marked as the default is used to authenticate all users when they first connect to the system

 

Use Gateway

This option only applies to users who have originally connected and signed on to a separate Gateway Server system and have then been routed through to this system using the Gateway Programming API or Gateway Portal. Gateway users can be authenticated automatically when they first connect, or they can also be manually authenticated using application authentication.

 

This option cannot be configured on Gateway Servers.

 

See also Gateway Authentication.

 

Label

Property Name

Requires

Restart

Description

Use Gateway Server

Logonexit.useGatewayAuthentication

No

Authenticates Gateway users automatically when they first connect to the system. Copies the users’ security credentials from the originating Gateway Server system

Allow Non-Gateway Users

Logonexit.allowNonGatewayUsers

No

If checked, the system will allow non-Gateway users to access the system. This might be useful if you want to mix intranet and external users on the same system.

If unchecked, only valid Gateway users will be allowed.

Use JSP Logon Page

With this option users are shown a logon page where they can enter their userid, password and any other details. This is then passed to a Logon Service where the details are checked and any additional roles, credentials and authorizations can be added. The Verj.io distribution contains two basic logon JSPs in userdata/Server/apps/<appname>/webapp/samples/logon and these can be modified to meet your requirements. A sample logon service named JSPLogonService is also shipped in the VerjSamples project.

 

See also: JSP Authentication

 

Label

Property Name

Requires

Restart

Description

Use JSP Logon Page

Logonexit.useJSPAuthentication

No

Activates the JSP logon mechanism

Logon Service Web Service Name

Logonexit.JSPLogonWebService

No

The web service name of the Logon Service. This service will receive the parameters specified below from the Logon Page. A sample Logon Service JSPLogonService is shipped with the system in the VerjSamples project within the workspace.

Logon Page

Logonexit.LogonPage

No

The URL of the HTML or JSP page where the user enters userid, password details etc. The default is samples/logon/logon.jsp.

Invalid Logon Page

Logonexit.InvalidLogonPage

No

The URL of the HTML or JSP page presented to the user when the logon fails. The default is samples/logon/logonInvalid.jsp.

Timeout Page

Logonexit.TimeoutPage

No

The URL of the page that is displayed in the event of a timeout. The default is ufs_timeout_page.htm.

Logon Page Code

Logonexit.LogonPageCode

No

This is the error code which is returned by a Logon Service to indicate that the user must sign on manually using the URL in the Logon Page property. The default for this parameter is JSP.

Max Logon Attempts

Logonexit.MaxLogonAttempts

No

The maximum number of logon attempts before the logon is considered invalid. This is used for manual sign on by the end user. The default if not specified is 3.

User Parameter 1

Logonexit.UserParm1

No

The default name of the first URL request parameter in the page configured in property Logon Page above. The default if not specified is e_username.

User Parameter 2

Logonexit.UserParm2

No

The default name of the first URL request parameter in the page configured in property Logon Page above. The default if not specified is e_password.

User Parameter 3

Logonexit.UserParm3

No

The default name of the first URL request parameter in the page configured in property Logon Page above. The default if not specified is jsp_param3.

 

User Parameter 1/2/3 should match the form input field names in the Logon Page JSP page. For example the supplied logon.jsp has input fields named e_username and e_password. So in this case User Parameter 1 is set to e_username and User Parameter 2 is set to e_password. User Parameter 3 is not used. The parameters passed into the Logon Service will be:

 

PARAM1_VALUE : the user id

PARAM1_SOURCE: “JSP”

PARAM2_VALUE: the password

PARAM2_SOURCE: “JSP”

 

Use Custom Authentication

This option can be used to authenticate users where some sort of user-related information is available from the HTTP request e.g. as a URL parameter containing a user name or a token, an HTTP header or a cookie. This option cannot be used to pop-up any sort of dialog where the user enters their credentials, it can only be used where this information is already available. Once the user-related details have been extracted, they are passed to a Logon Service where they can be checked and any additional roles, credentials and authorizations can be added.

 

See Custom Authentication for more details.

 

 

Label

Property Name

Requires

Restart

Description

Use Custom Authentication

Logonexit.useCustomAuthentication

No

Activates the Custom logon mechanism

Logon Service Web Service Name

Logonexit.CustomLogonWebService

No

The web service name of the Logon Service. This service will receive extracted user details. A sample Logon Service CustomLogonService is shipped with the system in the VerjSamples project within the workspace.

The following six properties describe where the system should source user related information that is to be used to control the logon operation. The system extracts this information automatically and then invokes the Logon Service specified above passing these parameters. Between one and three parameters can be configured where each one consists of a:

  • Parameter Name - the name of the parameter
  • Parameter Source - the source where the parameter is to be extracted from

Valid Parameter Sources:

  • URL - parameter value is extracted from the named request URL parameter
  • HEADER - parameter value is extracted from the named request header parameter or the request object using method getXxx() where xxx is the parameter name
  • COOKIE - parameter value is extracted from the named cookie

 

Parameter Name 1

Logonexit.ParameterName1

No

Name for Parameter 1

Parameter Source 1

Logonexit.ParameterSource1

No

Parameter 1 source type

Parameter Name 2

Logonexit.ParameterName2

No

Name for Parameter 2

Parameter Source 2

Logonexit.ParameterSource2

No

Parameter 2 source type

Parameter Name 3

Logonexit.ParameterName3

No

Name for Parameter 3

Parameter Source 3

Logonexit.ParameterSource3

No

Parameter 3 source type

 

 

Default Logon Service

The Default Logon Service is used when authentication is invoked by a script instead of automatically using one of the options above. It is used as the default when system.securityManager.logon() is called and a logon web service name is not explicitly specified.

 

Label

Property Name

Requires

Restart

Description

Default Logon Service Web Service Name

Logonexit.WebService

No

The web service name of the default Logon Service