You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.
Introduction
Blueriq (exposed) flows can be protected by setting allowed roles on them. When a flow is started that requires the user to have an explicit role, this (by default) will redirect the user to the Blueriq login page. This article describes how to configure the authentication mechanism in the runtime that is 'behind' the login page. The Java and .NET runtime have similar functionality but are configured in a different way.
Java Runtime configuration
The Java Runtime reads the authentication configuration from Spring environment properties, under the covers Spring Security is used. In the Java Runtime one Spring Security AuthenticationManager bean named blueriqAuthenticationManager is registered, defined in com.aquima.web.boot.SecurityConfiguration. An anonymous authentication provider is added by default (hardcoded).
Blueriq supports an in-memory authentication provider type and a customBean authentication provider type for custom authentication needs. Multiple authentication providers can be chained. Every authentication provider must have a unique name, this name is also used in the auth-providers-chain property to determine the order of the authentication providers in the chain.
Properties
Like all security properties, the authentication properties are prefixed with blueriq.security. For every authentication provider a type must be specified, it can be in-memory or customBean.
Defining an in-memory authentication provider
In the application.properties file two properties are expected for an in-memory authentication provider:
blueriq.security.auth-providers.local01.type=in-memory blueriq.security.auth-providers.local01.users.location=users.properties
auth-providersis the property name of the authentication providers property- After the property name, the name of the authentication provider is specified. In this example the name is
local01.
An in-memory authentication provider needs the file location of a property file to load the users/roles from, this is specified in the users.location property.
An example of a users.properties file:
# format: USERNAME=PASSWORD,ROLE1,ROLE2 admin=welcome,dcm,administrator jane=welcome02,dcm,operator john=welcome03,dcm
Defining a customBean authentication provider
In the application.properties file only one property is expected for a customBean authentication provider:
blueriq.security.auth-providers.myAuthProvider01.type=customBean
The name of the authentication provider is used as the name of the Spring bean to lookup in the application context. Spring searches in the application context for a bean of the type org.springframework.security.authentication.AuthenticationProvider with (in this example) the name myAuthProvider01. So it is important that a bean with the specified name is available in the application context.
An implementation example of a custom AuthenticationProvider:
@Component
public class MyCustomAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
String name = authentication.getName();
String password = authentication.getCredentials().toString();
if (shouldAuthenticateAgainstThirdPartySystem()) {
// use the credentials and authenticate against the third-party system
return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<>());
} else {
return null;
}
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
@Configuration
public class SecurityConfigurationMyAuthProviderConfig {
@Bean
public AuthenticationProvider myAuthProvider01() {
return new MyCustomAuthenticationProvider();
}
}
Example of authentication providers chaining:
application.properties
blueriq.security.auth-providers.local01.type=in-memory blueriq.security.auth-providers.local01.users.location=users.properties blueriq.security.auth-providers.myAuthProvider01.type=customBean blueriq.security.auth-providers.myAuthProvider02.type=customBean blueriq.security.auth-providers-chain=myAuthProvider01,local01
.NET Runtime configuration
The .NET Runtime reads the authentication configuration from Web.config using the ASP.NET standard mechanisms for membership and role services. Blueriq has a DefaultMembershipProvider and DefaultRoleProvider that will read its users and roles from Web.config sections.
Example of using the Blueriq providers:
Web.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="defaultMembership" type="Aquima.WebApplication.Foundation.Security.DefaultMembershipProviderHandler" />
<section name="defaultRoleProvider" type="Aquima.WebApplication.Foundation.Security.DefaultRoleProviderHandler" />
...
</configSections>
<defaultMembership>
<users>
<user name="admin" password="welcome" />
<user name="user" password="welcome" />
</users>
</defaultMembership>
<defaultRoleProvider>
<users>
<user name="admin">
<roles>
<role name="admin" />
</roles>
</user>
</users>
</defaultRoleProvider>
<system.web>
<authentication mode="Forms" />
<membership defaultProvider="defaultProvider">
<providers>
<add name="defaultProvider" type="Aquima.WebApplication.Foundation.Security.DefaultMembershipProvider" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="defaultProvider">
<providers>
<add name="defaultProvider" type="Aquima.WebApplication.Foundation.Security.DefaultRoleProvider" />
</providers>
</roleManager>
...
</system.web>
...
</configuration>
It is also possible to configure ASP.NET built-in providers (for example ActiveDirectoryMembershipProvider and/or AuthorizationStoreRoleProvider) or create your own implementations of System.Web.Security.MembershipProvider and/or System.Web.Security.RoleProvider.
Overview
Content Tools