Server Administration Application – User Authentication
See also: Server Administration Application Home Page, User Authentication, Application Authentication
This page provides options for authenticating end users. These properties are saved to file security.properties in the ebaseConf folder of the web application e.g. userdata/apps/<webappname>/ebaseConf/security.properties.
Users can either be authenticated when they first connect. As an alternative, users can be authenticated under application control. This page describes the options available for authenticating users when they first connect.
The options available are:
See also User Authentication.
Caution! when
testing and activating any of the automatic authentication options below, it’s
very easy to lock yourself out of the Server Administration App so you can’t
revert your changes. To avoid this situation, the recommended technique is to
use two browsers: the first browser is used to configure changes using the
Server Administration App, the second browser is used
to connect to the system and test the changes. The automatic authentication
mechanisms are activated when one of the options below is configured and a user
is not already signed on.
If you get locked out, the Server
Administration App properties in userdata/Server/apps/<webappname>/ebaseConf/security.properties can be edited using any text
editor.
This warning applies only to on-premise
servers, it does not apply to Cloud Service Plans.
This option is only available for systems inside a Windows domain where the users have already signed on to the Windows domain. Use of IIS with the AJP connector is required and the IIS option Windows Authentication must be configured. The result of this is that the Windows domain userid is made available to the Verj.io server as Remote User.
See Windows Authentication for more details.
To connect to a remote Active Directory server using ADFS, use OpenID Connect.
Label |
Property Name |
Requires Restart |
Description |
Use Windows Domain User |
Logonexit.useWindowsAuthentication |
No |
Uses the Windows domain user name when the user is signed on to a Windows domain. This option requires the use of IIS with the AJP connector. The IIS option Windows Authentication must be configured. Click the Test Windows Domain User button to check whether the Windows
domain user is available. |
Allow Non-Windows Users |
Logonexit.allowNonWindowsUsers |
No |
If checked, the system will allow non-Windows users to access the system. This might be useful if you want to mix intranet and external users on the same system. If unchecked, only valid
Windows users will be allowed. |
Automatically populate roles from AD |
Logonexit.extractADRoles |
No |
When checked, the system will connect to the Active Directory system configured in Security Properties > LDAP Connection and extract any groups assigned to the user. One role is created for each AD group. Click the Test Active Directory Search button to test whether this option can be safely activated. |
Automatically populate credentials from AD |
Ldap.RegistrUrl |
No |
When checked, the system will connect to the Active Directory system configured in Security Properties > LDAP Connection and extract user attributes. A credential is created for each attribute configured. Click the Test Active Directory Search button to test whether this option can be safely activated. |
When the Use OpenID Connect checkbox is checked, the connection marked as the default is used to authenticate all users when they first connect to the system. Connection configurations can also be used for application authentication.
See OpenID Connect Configuration for configuration details.
Label |
Property Name |
Requires Restart |
Description |
Use OpenID Connect |
Logonexit.useOpenIdConnectAuthentication |
No |
The connection marked as the default is used to authenticate all
users when they first connect to the system |
This option only applies to users who have originally connected and signed on to a separate Gateway Server system and have then been routed through to this system using the Gateway Programming API or Gateway Portal. Gateway users can be authenticated automatically when they first connect, or they can also be manually authenticated using application authentication.
This option cannot be configured on Gateway Servers.
See also Gateway Authentication.
Label |
Property Name |
Requires Restart |
Description |
Use Gateway Server |
Logonexit.useGatewayAuthentication |
No |
Authenticates Gateway users
automatically when they first connect to the system. Copies the users’
security credentials from the originating Gateway Server system |
Allow Non-Gateway Users |
Logonexit.allowNonGatewayUsers |
No |
If checked, the system will allow non-Gateway users to access the system. This might be useful if you want to mix intranet and external users on the same system. If unchecked, only valid Gateway
users will be allowed. |
With this option users are shown a logon page where they can enter their userid, password and any other details. This is then passed to a Logon Service where the details are checked and any additional roles, credentials and authorizations can be added. The Verj.io distribution contains two basic logon JSPs in userdata/Server/apps/<appname>/webapp/samples/logon and these can be modified to meet your requirements. A sample logon service named JSPLogonService is also shipped in the VerjSamples project.
See also: JSP Authentication
Label |
Property Name |
Requires Restart |
Description |
Use JSP Logon Page |
Logonexit.useJSPAuthentication |
No |
Activates the JSP logon
mechanism |
Logon Service Web Service Name |
Logonexit.JSPLogonWebService |
No |
The web service name of the Logon Service. This service will receive the parameters specified below from the Logon Page. A sample Logon Service JSPLogonService is shipped with the system in the VerjSamples project within the workspace. |
Logon Page |
Logonexit.LogonPage |
No |
The URL of the HTML or JSP page where the user enters userid, password details etc. The default is samples/logon/logon.jsp. |
Invalid Logon Page |
Logonexit.InvalidLogonPage |
No |
The URL of the HTML or JSP page presented to the user when the logon fails. The default is samples/logon/logonInvalid.jsp. |
Timeout Page |
Logonexit.TimeoutPage |
No |
The URL of the page that is displayed in the event of a timeout. The default is ufs_timeout_page.htm. |
Logon Page Code |
Logonexit.LogonPageCode |
No |
This is the error code which is returned by a Logon Service to indicate that the user must sign on manually using the URL in the Logon Page property. The default for this parameter is JSP. |
Max Logon Attempts |
Logonexit.MaxLogonAttempts |
No |
The maximum number of logon attempts before the logon is considered invalid. This is used for manual sign on by the end user. The default if not specified is 3. |
User Parameter 1 |
Logonexit.UserParm1 |
No |
The default name of the first URL request parameter in the page configured in property Logon Page above. The default if not specified is e_username. |
User Parameter 2 |
Logonexit.UserParm2 |
No |
The default name of the first URL request parameter in the page configured in property Logon Page above. The default if not specified is e_password. |
User Parameter 3 |
Logonexit.UserParm3 |
No |
The default name of the first URL request parameter in the page configured in property Logon Page above. The default if not specified is jsp_param3. |
User Parameter 1/2/3 should match the form input field names in the Logon Page JSP page. For example the supplied logon.jsp has input fields named e_username and e_password. So in this case User Parameter 1 is set to e_username and User Parameter 2 is set to e_password. User Parameter 3 is not used. The parameters passed into the Logon Service will be:
PARAM1_VALUE : the user id
PARAM1_SOURCE: “JSP”
PARAM2_VALUE: the password
PARAM2_SOURCE: “JSP”
This option can be used to authenticate users where some sort of user-related information is available from the HTTP request e.g. as a URL parameter containing a user name or a token, an HTTP header or a cookie. This option cannot be used to pop-up any sort of dialog where the user enters their credentials, it can only be used where this information is already available. Once the user-related details have been extracted, they are passed to a Logon Service where they can be checked and any additional roles, credentials and authorizations can be added.
See Custom Authentication for more details.
Label |
Property Name |
Requires Restart |
Description |
Use Custom Authentication |
Logonexit.useCustomAuthentication |
No |
Activates the Custom logon
mechanism |
Logon Service Web Service Name |
Logonexit.CustomLogonWebService |
No |
The web service name of the Logon Service. This service will receive extracted user details. A sample Logon Service CustomLogonService is shipped with the system in the VerjSamples project within the workspace. |
The following six properties describe where the system should source user related information that is to be used to control the logon operation. The system extracts this information automatically and then invokes the Logon Service specified above passing these parameters. Between one and three parameters can be configured where each one consists of a:
Valid Parameter Sources:
|
|||
Parameter Name 1 |
Logonexit.ParameterName1 |
No |
Name for Parameter 1 |
Parameter Source 1 |
Logonexit.ParameterSource1 |
No |
Parameter 1 source type |
Parameter Name 2 |
Logonexit.ParameterName2 |
No |
Name for Parameter 2 |
Parameter Source 2 |
Logonexit.ParameterSource2 |
No |
Parameter 2 source type |
Parameter Name 3 |
Logonexit.ParameterName3 |
No |
Name for Parameter 3 |
Parameter Source 3 |
Logonexit.ParameterSource3 |
No |
Parameter 3 source type |
The Default Logon Service is used when authentication is invoked by a script instead of automatically using one of the options above. It is used as the default when system.securityManager.logon() is called and a logon web service name is not explicitly specified.
Label |
Property Name |
Requires Restart |
Description |
Default Logon Service Web Service Name |
Logonexit.WebService |
No |
The web service name of the
default Logon Service |