You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.
Authentication providers
Blueriq uses Spring Security to allow custom flexible authentication providers. Spring Security provides a variety of options for performing authentication – all following a simple contract – an Authentication request is processed by an AuthenticationProvider and a fully authenticated object with full credentials is returned.
The 'blueriqAuthenticationManager' defined in 'com.aquima.web.boot.SecurityConfiguration' allows configuration based on Spring environment properties. The anonymous authenticationProvider is added (hardcoded) at the end of the authentication providers chain.
Blueriq provides an 'in-memory' authentication provider by default and a "customBean" authentication provider for a custom implementation. Multiple authentication providers can be chained. Every authentication provider must have a unique name. This name is also used in the auth-providers-chain property to determine the order of the authentication providers in the chain.
Properties
All security properties are prefixed with "blueriq.security".
An in-memory authentication provider
In the application.properties file two properties are expected. Example of an 'in-memory' authentication provider configuration:
blueriq.security.auth-providers.local01.type=in-memory
blueriq.security.auth-providers.local01.users.location=users.properties
- All security properties are prefixed with "blueriq.security"
- "auth-providers" is the property name of the authentication providers property
- After the property name the name of the authentication provider is specified. In this example the name is "local01".
Each authentication provider has a type, which can be "in-memory" or "customBean".
An in-memory authentication provider also needs the name of the property file. This is specified by the users.location property.
An example of a users.properties file:
# format: USERNAME=PASSWORD,ROLE1,ROLE2
admin=welcome,dcm,administrator
jane=welcome02,dcm,operator
john=welcome03,dcm
A customBean authentication provider
blueriq.security.auth-providers.ldap01.type=customBean
When a custom authentication manager is used, only the type and the name of the bean in the Spring Context need to be specified.
Spring looks in the application context for a custom implementation of the type org.springframework.security.authentication.AuthenticationProvider with the name "ldap01". So it is important that the AuthenticationBean with the specified name is available in the application context.
An implementation example of an AuthenticationProvider:
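import java.util.ArrayList;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.stereotype.Component;

// The bean name must match the provider name used in the blueriq.security properties ("ldap01").
@Component("ldap01")
public class Ldap01AuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        String password = authentication.getCredentials().toString();

        if (shouldAuthenticateAgainstThirdPartySystem()) {
            // use the credentials and authenticate against the third-party system
            // The three-argument constructor marks the returned token as authenticated.
            return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<>());
        } else {
            // null means this provider makes no decision; the next provider in the chain is tried.
            return null;
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }

    // Placeholder so the class compiles; replace with the real decision logic.
    private boolean shouldAuthenticateAgainstThirdPartySystem() {
        return false;
    }
}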
Example of authentication providers chaining:
application.properties:
blueriq.security.auth-providers.local01.type=in-memory
blueriq.security.auth-providers.local01.users.location=users.properties
blueriq.security.auth-providers.ldap01.type=customBean
blueriq.security.auth-providers-chain=ldap01,local01
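A pre-deployment check for the properties described above, as an added example that is not part of the Blueriq documentation or product: it reports providers whose type is not one of the two named on this page, in-memory providers without users.location, and chain entries that name no configured provider. The function names and the sample input are constructed for illustration, and treating an unknown chain entry as a finding is an assumption.

```python
import re

PREFIX = "blueriq.security."
VALID_TYPES = {"in-memory", "customBean"}  # the two types this page names

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_auth_config(text):
    """Return a list of findings for the blueriq.security provider settings."""
    props = parse_properties(text)
    providers = {}  # provider name -> {sub-property: value}
    for key, value in props.items():
        m = re.fullmatch(re.escape(PREFIX) + r"auth-providers\.([^.]+)\.(.+)", key)
        if m:
            providers.setdefault(m.group(1), {})[m.group(2)] = value
    findings = []
    for name, cfg in sorted(providers.items()):
        ptype = cfg.get("type")
        if ptype not in VALID_TYPES:
            findings.append(f"{name}: type {ptype!r} is not in-memory or customBean")
        elif ptype == "in-memory" and not cfg.get("users.location"):
            findings.append(f"{name}: in-memory provider has no users.location")
    chain = props.get(PREFIX + "auth-providers-chain")
    if chain is not None:  # assumption: every chain entry must be a configured name
        names = [n.strip() for n in chain.split(",") if n.strip()]
        for n in names:
            if n not in providers:
                findings.append(f"chain: {n} is not a configured provider")
    return findings

# Constructed sample: the page's chaining example with three mistakes introduced.
SAMPLE = """\
blueriq.security.auth-providers.local01.type=in-memory
blueriq.security.auth-providers.ldap01.type=ldap
blueriq.security.auth-providers-chain=ldap01,local1
"""

if __name__ == "__main__":
    print("\n".join(lint_auth_config(SAMPLE)))
```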