Authentication

Configuring the authentication modules

The file login-modules.xml in the Process distribution defines the authentication modules (JAAS login modules). The modules are evaluated in the order in which they are listed; with flag="sufficient", the first module that succeeds ends the authentication and the remaining modules are skipped, while a failure lets the evaluation continue with the next module. Note that a ForceUserAutoLoginModule grants a fixed user solely on the basis of the client address, so its address pattern should be as narrow as possible and the address must not be spoofable from where requests originate (for example through a proxy).

Extract of the Configuration File:

<application-policy name="VDoc"> 
        <!-- JAAS configuration for VDoc--> 
        <authentication> 
                <login-module code="com.axemble.security.loginmodules.KerberosAutoLoginModule" flag="sufficient"> 
                        <module-option name="domains">lyon,axemble</module-option> 
                </login-module> 
                <login-module code="com.axemble.security.loginmodules.CookiesAutoLoginModule" flag="sufficient" /> 
                <!-- 
                <login-module code="com.axemble.security.loginmodules.LDAPLoginModule" flag="sufficient" /> 
                -->     
                <login-module code="com.axemble.security.loginmodules.ForceUserAutoLoginModule" flag="sufficient"> 
                        <module-option name="user">sysadmin</module-option> 
                        <module-option name="address">192.168.1.2</module-option> 
                </login-module> 
                <login-module code="com.axemble.security.loginmodules.ForceUserAutoLoginModule" flag="sufficient"> 
                        <module-option name="user">user1</module-option> 
                        <module-option name="address">192.168.1.*</module-option> 
                </login-module> 
                <login-module code="com.axemble.security.loginmodules.DirectoryLoginModule" flag="sufficient" /> 
        </authentication> 
</application-policy>

The mechanism has changed since Process18 (WildFly 26.0.1).

Note

The former override mechanism is no longer taken into account; the new procedure below must be followed.

To add a new specific login module, follow this procedure:

  • Duplicate the existing file [HOME]/configurator/jaas_vdoc.config and name the copy [HOME]/configurator/jaas_vdoc-custom.config
  • Edit the new file and add the declaration of the new module
  • Apply the new configuration and restart the service.

Here is an example of the configuration of a “SpecificLoginModule” login module in the file [HOME]/configurator/jaas_vdoc-custom.config:

VDoc {
	com.package.SpecificLoginModule SUFFICIENT ;
	com.vs.interop.openid.connect.login.modules.MoovappsJwTLoginModule SUFFICIENT;
	com.axemble.security.loginmodules.ExternalAuthenticationLoginModule SUFFICIENT;
	com.vs.interop.openid.connect.login.modules.OpenIdConnectLoginModule SUFFICIENT;
	com.axemble.security.loginmodules.LDAPLoginModule SUFFICIENT;
	com.axemble.security.loginmodules.KerberosAutoLoginModule SUFFICIENT;
	com.axemble.security.loginmodules.DirectoryLoginModule SUFFICIENT;
};

Authentication extensions

The BaseAutoLoginModule class

The class com.axemble.vdoc.sdk.authentication.base.BaseAutoLoginModule simplifies the implementation of an automatic authentication module. It is only invoked when the HTTP request does not carry a user identifier and password.

Methods of the BaseAutoLoginModule class

public class BaseAutoLoginModule extends AbstractAutoLoginModule {
	// helper methods
	final protected Object getOption( String key );
	final protected Map getOptions();
	// method to implement
	public String doAutoLogin() throws LoginException;
}

The method doAutoLogin() must return the login of the authenticated user. The method getOption() returns the value assigned to a key in the JAAS authentication configuration file.

The BasePasswordLoginModule class

The class com.axemble.vdoc.sdk.authentication.base.BasePasswordLoginModule simplifies the implementation of an authentication module based on the identifier and user password information contained in the HTTP request.

Methods of the BasePasswordLoginModule class

public abstract class BasePasswordLoginModule extends AbstractLoginPasswordModule {
	// helper methods
	final protected Object getOption( String key );
	final protected Map getOptions();
	// method to implement
	public abstract boolean checkPassword( String password, IUser user ) throws AuthenticationException, LoginException;
}

The method checkPassword() must return true when the supplied password is valid for the user and false otherwise. The method getOption() returns the value assigned to a key in the JAAS authentication configuration file.
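The following is an added example of a module built on BasePasswordLoginModule; it is illustrative code and not part of the Moovapps/VDoc SDK. It verifies a PBKDF2-SHA256 hash with a constant-time comparison, performs the same derivation work for unknown logins so that the response time does not reveal which logins exist, rejects stored hashes weaker than a configured floor, and fails closed (throws LoginException rather than returning true) if the crypto provider is unavailable. The package name com.example.auth, the in-memory sample store, the minIterations option and the IUser.getLogin() accessor (and the package of IUser) are assumptions; the page only specifies checkPassword(), getOption() and getOptions().

```java
// Added example, not part of the Moovapps/VDoc SDK. The package name, the sample
// store, the "minIterations" option and IUser.getLogin() are assumptions.
package com.example.auth;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.login.LoginException;

import com.axemble.vdoc.sdk.authentication.base.BasePasswordLoginModule;
import com.axemble.vdoc.sdk.interfaces.IUser; // assumed package; the page does not state it

public class Pbkdf2PasswordLoginModule extends BasePasswordLoginModule {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int KEY_BITS = 256;
    private static final int DEFAULT_MIN_ITERATIONS = 100_000;

    // Constructed sample store: login -> "iterations$base64(salt)$base64(hash)".
    // A real module would load the record from a directory or a database.
    private static final Map<String, String> STORE = new HashMap<>();
    // Record verified when the login is unknown, so that a bad login costs the
    // same PBKDF2 work as a bad password (no timing-based user enumeration).
    private static final String DUMMY_RECORD;
    static {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        STORE.put("alice", encode("correct horse battery staple".toCharArray(), salt, 120_000));
        DUMMY_RECORD = encode("unused".toCharArray(), new byte[16], 120_000);
    }

    @Override
    public boolean checkPassword(String password, IUser user) throws LoginException {
        if (password == null || user == null || user.getLogin() == null) {
            return false;
        }
        String login = user.getLogin();               // assumption: IUser exposes getLogin()
        boolean known = STORE.containsKey(login);
        String record = known ? STORE.get(login) : DUMMY_RECORD;
        try {
            // Always derive first; only then AND with 'known' so the timing is uniform.
            boolean matches = verify(password.toCharArray(), record, minIterations());
            return matches && known;
        } catch (GeneralSecurityException e) {
            // Fail closed: a provider problem must never be treated as a match.
            throw new LoginException("password verification unavailable: " + e.getMessage());
        }
    }

    // Floor for the stored iteration count, read from the JAAS configuration
    // (e.g. minIterations="100000" after the module name in jaas_vdoc-custom.config).
    private int minIterations() {
        Object value = getOption("minIterations");
        return value == null ? DEFAULT_MIN_ITERATIONS : Integer.parseInt(value.toString().trim());
    }

    static boolean verify(char[] password, String record, int minIterations)
            throws GeneralSecurityException {
        String[] parts = record.split("\\$");
        if (parts.length != 3) {
            return false;                             // malformed record: reject
        }
        try {
            int iterations = Integer.parseInt(parts[0]);
            byte[] salt = Base64.getDecoder().decode(parts[1]);
            byte[] expected = Base64.getDecoder().decode(parts[2]);
            byte[] actual = derive(password, salt, iterations);
            // Constant-time comparison; also refuse hashes weaker than the configured floor.
            return MessageDigest.isEqual(expected, actual) && iterations >= minIterations;
        } catch (IllegalArgumentException e) {
            return false;                             // bad number or bad base64: reject
        }
    }

    static String encode(char[] password, byte[] salt, int iterations) {
        try {
            byte[] hash = derive(password, salt, iterations);
            return iterations + "$" + Base64.getEncoder().encodeToString(salt)
                    + "$" + Base64.getEncoder().encodeToString(hash);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                     // drop the cleartext copy promptly
        }
    }
}
```

Once such a class is on the classpath, it would be declared in [HOME]/configurator/jaas_vdoc-custom.config in the same way as the other modules, with the option appended in standard JAAS syntax, for example `com.example.auth.Pbkdf2PasswordLoginModule SUFFICIENT minIterations="100000";`; getOption("minIterations") then returns that value.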

The BaseAuthenticationExtension class

The class com.axemble.vdoc.sdk.authentication.base.BaseAuthenticationExtension is called on two events: onBeforeAuthenticate() and onAfterAuthenticate().

Methods of the BaseAuthenticationExtension class

public class BaseAuthenticationExtension implements Serializable {
	// methods to implement
	public boolean onBeforeAuthenticate();
	public boolean onAfterAuthenticate();
}

The event onBeforeAuthenticate() is raised before any authentication module is evaluated.

The event onAfterAuthenticate() is raised once the modules have been evaluated.

The authentication extension class is declared in the file CustomResource.properties by assigning to the key com.axemble.vdoc.sdk.security.AuthenticationExtensions the name of a class that extends BaseAuthenticationExtension.

Example of defining an authentication extension

com.axemble.vdoc.sdk.security.AuthenticationExtensions=com.axemble.education.authentication.extensions.DemoAuthenticationExtension

Sequence diagram of the authentication system

The following diagram shows the calling sequence of the different modules as well as authentication extension classes.

(Figure: authentication overview)