Versions Compared

Old Version 6

changes.mady.by.user Unknown User (r.de.haard)

Saved on

compared with

New Version 7

changes.mady.by.user Manon van Tilburg

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Division in Java and .NET Runtime sections. Textual clarifications

Introduction

Blueriq (exposed) flows can be protected by setting allowed roles on them. When a flow is started that requires the user to have an explicit role, this (by default) will redirect the user to the Blueriq login page. This article describes how to configure the authentication mechanism in the runtime that is 'behind' the login page. The Java and .NET runtime have similar functionality but are configured in a different way.

Java Runtime configuration

The Java Runtime reads the authentication configuration from Spring environment properties, under the covers Spring Security is used. In the Java Runtime one Spring Security AuthenticationManagaer bean named 'blueriqAuthenticationManager' is registered,

Authentication providers

 

Blueriq uses Spring Security to allow custom flexible authentication providers. Spring Security provides a variety of options for performing authentication – all following a simple contract – an Authentication request is processed by an AuthenticationProvider and a fully authenticated object with full credentials is returned.
The 'blueriqAuthenticationManager' defined in 'com.aquima.web.boot.SecurityConfiguration' allows configuration based on Spring environment properties. The anonymous authenticationProvider is added (hardcoded) at the end of the authentication providers chain.. An anonymous authentication provider is added by default (hardcoded).

Blueriq supports Blueriq provides an 'in-memory' authentication provider by default type and a "'customBean" ' authentication provider type for a custom implmentationauthentication needs. Multiple authentication providers can be chained. Every authentication provider must have an unique name. This , this name is also used in the 'auth-providers-chain' property to determine the order of the authentication providers in the chain.  

Properties

All security Like all security properties, the authentication properties are prefixed with "'blueriq.security".

...

'. For every authentication provider a type must be specified, it can be 'in-memory' or 'customBean'.

Defining an 'in-memory' authentication provider

In the 'application.properties' file two properties are expected . Example of for an 'in-memory' authentication provider configuration:

Code Block
blueriq.security.auth-providers.local01.type=in-memory
blueriq.security.auth-providers.local01.users.location=users.properties

...

  • "auth-providers" is the property name of the authentication providers property
  • After the property name, the name of the authentication provider is specified. In this example the name is "'local01"'

Each authentication provider has a type, it can be "in-memory" or "customBean".
An in-memory authentication provider also needs the name file location of the a property file . This to load the users/roles from, this is specified by in the 'users.location' property.

An example of a 'users.properties' file:
 Code Block
# format: USERNAME=PASSWORD,ROLE1,ROLE2
admin=welcome,dcm,administrator
jane=welcome02,dcm,operator
john=welcome03,dcm
...
Defining a 'customBean' authentication provider
 In the 'application.properties' file only one property is expected for a 'customBean' authentication provider:
 Code Block
blueriq.security.auth-providers.ldap01myAuthProvider01.type=customBean

When a custom authentication manager The name of the authentication provider is used , only as the type and name of the Spring bean to lookup in the Spring Context needs to be specified.
Spring looks application context. Spring searches in the application context for an a bean of the type org.springframework.security.authentication.AuthenticationProvider with (in this example) the name "ldap01"'myAuthProvider01'. So it is important that the AuthenticationBean a bean with the specified name is available in the application context.
An implementation example of an a custom AuthenticationProvider:
 Code Block
@Component
public class Ldap01AuthenticationProviderMyCustomAuthenticationProvider implements AuthenticationProvider {
 
    @Override
    public Authentication authenticate(Authentication authentication) 
      throws AuthenticationException {
        String name = authentication.getName();
        String password = authentication.getCredentials().toString();
         
        if (shouldAuthenticateAgainstThirdPartySystem()) {
            // use the credentials and authenticate against the third-party system
            return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<>());
        } else {
            return null;
        }
    }
 
    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}

@Configuration
public class SecurityConfigurationMyAuthProviderConfig {

    @Bean
    public AuthenticationProvider myAuthProvider01() {
        return new MyCustomAuthenticationProvider();
    }
}
 
Example of authentication providers chaining:
 Code Block
application.properties:
 
blueriq.security.auth-providers.local01.type=in-memory
blueriq.security.auth-providers.local01.users.location=users.properties
blueriq.security.auth-providers.myAuthProvider01.type=customBean
blueriq.security.auth-providers.ldap01myAuthProvider02.type=customBean
blueriq.security.auth-providers-chain=ldap01myAuthProvider01,local01
.NET Runtime configuration
TODO
  • Explain default configuration (local user store) in Web.config
  • Example of custom MembershipProvider