Versions Compared

Old Version 15

changes.mady.by.user Unknown User (m.schadd)

Saved on

compared with

New Version 16

changes.mady.by.user Mike van Emmerik

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

Blueriq (exposed) flows can be protected by setting allowed roles on them. When a flow is started that requires the user to have an explicit role, this (by default) will redirect the user to the Blueriq login page. This article describes how to configure the authentication mechanism in the runtime that is 'behind' the login page. The Java and .NET runtime have similar functionality but are configured in a different way.

...

Table of Contents

Note

The Blueriq Runtime deliveres an out-of-the-box in-memory authentication provider in Java and a DefaultProvider in .NET. These default implementations should be used for development purposes as they store the credentials in plain text on the filesystem.

 

Java Runtime configuration

The Java Runtime reads the authentication configuration from Spring environment properties, under the covers Spring Security is used. In the Java Runtime one Spring Security AuthenticationManager bean

...

named blueriqAuthenticationManager is registered, defined

...

in com.aquima.web.boot.SecurityConfiguration.

...

 An anonymous authentication provider is added by default (hardcoded), this is used for anonymous access.

Blueriq supports

...

an in-memory authentication provider type and

...

customBean authentication provider type for custom authentication needs. Multiple authentication providers can be chained. Every authentication provider must have a unique name, this name is also used in

...

the auth-providers-chain property to determine the order of the authentication providers in the chain.

Properties

Like all security properties, the authentication properties are prefixed

...

with blueriq.security. For every authentication provider a type must be specified,

it can

...

be in-memory

...

 or customBean

...

Defining an in-memory authentication provider

In the application.properties file two properties are expected for an in-memory authentication provider:

Code Block
blueriq.security.auth-providers.local01.type=in-memory
blueriq.security.auth-providers.local01.users.location=users.properties
  • auth-providers is the property name of the authentication providers property
  • After the property name, the name of the authentication provider is specified. In this example the name is local01

...

or LDAP. Checkout these pages on how it works:

Children Display

 

Chain:

...

Code Block
# format: USERNAME=PASSWORD,ROLE1,ROLE2
admin=welcome,dcm,administrator
jane=welcome02,dcm,operator
john=welcome03,dcm

Defining a customBean authentication provider

In the application.properties file only one property is expected for a customBean authentication provider:

Code Block
blueriq.security.auth-providers.myAuthProvider01.type=customBean

...

An implementation example of a custom AuthenticationProvider:

Code Block
@Component
public class MyCustomAuthenticationProvider implements AuthenticationProvider {
 
    @Override
    public Authentication authenticate(Authentication authentication) 
      throws AuthenticationException {
        String name = authentication.getName();
        String password = authentication.getCredentials().toString();
         
        if (shouldAuthenticateAgainstThirdPartySystem()) {
            // use the credentials and authenticate against the third-party system
            return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<>());
        } else {
            return null;
        }
    }
 
    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}

@Configuration
public class SecurityConfigurationMyAuthProviderConfig {

    @Bean
    public AuthenticationProvider myAuthProvider01() {
        return new MyCustomAuthenticationProvider();
    }
}

Specifying which authentication providers to use

Only authentication providers specified in the blueriq.security.auth-providers-chain

...

 property will be used by the Blueriq Runtime. The providers will be tried in the order they are specified in the chain. A warning will appear in the Blueriq Runtime log when no authentication providers are specified in the chain.

Example of authentication providers chain using two out of three specified providers:

Code Block
titleapplication.properties
blueriq.security.auth-providers.local01.type=in-memory
blueriq.security.auth-providers.local01.users.location=users.properties
blueriq.security.auth-providers.myAuthProvider01.type=customBean
blueriq.security.auth-providers.myAuthProvider02.type=customBean

# add any provider to this chain, can be multiple LDAP / in-memory / customBean
blueriq.security.auth-providers-chain=myAuthProvider01,local01

.NET Runtime configuration

The .NET Runtime reads the authentication configuration

...

from Web.config

...

 using the ASP.NET standard mechanisms for membership and role services. Blueriq has

...

DefaultMembershipProvider

...

 and DefaultRoleProvider

...

 that will read its users and roles

...

from Web.config

...

 sections.

Example of using the Blueriq providers:

Code Block
languagexml
titleWeb.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="defaultMembership" type="Aquima.WebApplication.Foundation.Security.DefaultMembershipProviderHandler" />
    <section name="defaultRoleProvider" type="Aquima.WebApplication.Foundation.Security.DefaultRoleProviderHandler" />
    ...
  </configSections>
  <defaultMembership>
    <users>
      <user name="admin" password="welcome" />
      <user name="user" password="welcome" />
    </users>
  </defaultMembership>
  <defaultRoleProvider>
    <users>
      <user name="admin">
        <roles>
          <role name="admin" />
        </roles>
      </user>
    </users>
  </defaultRoleProvider>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="defaultProvider">
      <providers>
        <add name="defaultProvider" type="Aquima.WebApplication.Foundation.Security.DefaultMembershipProvider" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="defaultProvider">
      <providers>
        <add name="defaultProvider" type="Aquima.WebApplication.Foundation.Security.DefaultRoleProvider" />
      </providers>
    </roleManager>
    ...
  </system.web>
  ...
</configuration>

It is also possible to configure ASP.NET built-in providers (for

...

example ActiveDirectoryMembershipProvider

...

 and/

...

or AuthorizationStoreRoleProvider) or create your own implementations

...

of System.Web.Security.MembershipProvider

...

 and/

...

or System.Web.Security.RoleProvider.