Page History
Introduction
Blueriq (exposed) flows can be protected by setting allowed roles on them. When a flow is started that requires the user to have an explicit role, this (by default) will redirect the user to the Blueriq login page. This article describes how to configure the authentication mechanism in the runtime that is 'behind' the login page. The Java and .NET runtime have similar functionality but are configured in a different way.
Java Runtime configuration
The Java Runtime reads the authentication configuration from Spring environment properties, under the covers Spring Security is used. In the Java Runtime one Spring Security AuthenticationManagaer bean named 'blueriqAuthenticationManager' is registered,
Authentication providers
Blueriq uses Spring Security to allow custom flexible authentication providers. Spring Security provides a variety of options for performing authentication – all following a simple contract – an Authentication request is processed by an AuthenticationProvider and a fully authenticated object with full credentials is returned.
The 'blueriqAuthenticationManager' defined in 'com.aquima.web.boot.SecurityConfiguration' allows configuration based on Spring environment properties. The anonymous authenticationProvider is added (hardcoded) at the end of the authentication providers chain.. An anonymous authentication provider is added by default (hardcoded).
Blueriq supports Blueriq provides an 'in-memory' authentication provider by default type and a "'customBean" ' authentication provider type for a custom implmentationauthentication needs. Multiple authentication providers can be chained. Every authentication provider must have an unique name. This , this name is also used in the 'auth-providers-chain' property to determine the order of the authentication providers in the chain.
Properties
All security Like all security properties, the authentication properties are prefixed with "'blueriq.security".
...
'. For every authentication provider a type must be specified, it can be 'in-memory' or 'customBean'.
Defining an 'in-memory' authentication provider
In the 'application.properties' file two properties are expected . Example of for an 'in-memory' authentication provider configuration:
Code Block |
---|
blueriq.security.auth-providers.local01.type=in-memory blueriq.security.auth-providers.local01.users.location=users.properties |
...
- "auth-providers" is the property name of the authentication providers property
- After the property name, the name of the authentication provider is specified. In this example the name is "'local01"'.
Each authentication provider has a type, it can be "in-memory" or "customBean".
An in-memory authentication provider also needs the name file location of the a property file . This to load the users/roles from, this is specified by in the 'users.location' property.
An example of a 'users.properties' file:
Code Block |
---|
# format: USERNAME=PASSWORD,ROLE1,ROLE2 admin=welcome,dcm,administrator jane=welcome02,dcm,operator john=welcome03,dcm |
...
Defining a 'customBean' authentication provider
In the 'application.properties' file only one property is expected for a 'customBean' authentication provider:
Code Block |
---|
blueriq.security.auth-providers.ldap01myAuthProvider01.type=customBean |
When a custom authentication manager The name of the authentication provider is used , only as the type and name of the Spring bean to lookup in the Spring Context needs to be specified.
Spring looks application context. Spring searches in the application context for an a bean of the type org.springframework.security.authentication.AuthenticationProvider with (in this example) the name "ldap01"'myAuthProvider01'. So it is important that the AuthenticationBean a bean with the specified name is available in the application context.
An implementation example of an a custom AuthenticationProvider:
Code Block |
---|
@Component public class Ldap01AuthenticationProviderMyCustomAuthenticationProvider implements AuthenticationProvider { @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String name = authentication.getName(); String password = authentication.getCredentials().toString(); if (shouldAuthenticateAgainstThirdPartySystem()) { // use the credentials and authenticate against the third-party system return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<>()); } else { return null; } } @Override public boolean supports(Class<?> authentication) { return authentication.equals(UsernamePasswordAuthenticationToken.class); } } @Configuration public class SecurityConfigurationMyAuthProviderConfig { @Bean public AuthenticationProvider myAuthProvider01() { return new MyCustomAuthenticationProvider(); } } |
Example of authentication providers chaining:
Code Block |
---|
application.properties: blueriq.security.auth-providers.local01.type=in-memory blueriq.security.auth-providers.local01.users.location=users.properties blueriq.security.auth-providers.myAuthProvider01.type=customBean blueriq.security.auth-providers.ldap01myAuthProvider02.type=customBean blueriq.security.auth-providers-chain=ldap01myAuthProvider01,local01 |
.NET Runtime configuration
TODO
- Explain default configuration (local user store) in Web.config
- Example of custom MembershipProvider