Personalized authentication

Last modified by jhurst on 2021/04/21 10:01

Configuration

Installation of a personalized authentication valve for DigDash

Contents

Prerequisites

  • Have recovered the CustomAuthenticator folder in the add-ons directory  of the DigDash installation archive. It contains all the files necessary for setting up the personalized authentication valve in the DigDash Tomcat server. The placement of these files is described in this document.
    • The Tomcat7 folder: the versions of the libraries for a Tomcat 7 server
    • The Tomcat8 folder: the library versions for a Tomcat 8 server
  • The following operations are to be performed on the stopped DigDash server .

 Configuration of the DigDash server

Copy of libraries

Add the libraries and the log configuration file from the CustomAuthenticator / Tomcat <N> folder (N: Tomcat version) to the folder

<digdash_installation> / apache / lib :

custom_authenticator.jarhttpcore-4.4.9.jar
commons-codec-1.10.jarhttpmime-4.5.5.jar
commons-logging-1.2.jarlog4j-1.2.15.jar
httpclient-4.5.5.jar 

Libraries in the CustomAuthenticator / Tomcat8 folder

Addition of the personalized authentication valve

Add the custom authentication valve in the context.xml file located in the folder

<digdash_installation> / apache-tomcat / conf

To do this, add the following Valve element in the Context element .

<Context>
  ...
   <Valve className = "custom.apache.CustomAuthenticator"
          sharedPasswd = "secret"
          allowAddr = ". * Localhost. *,. * 127.0.0. *"
          PortalUrl = "<url>? Login = $ { login} & amp; token = $ {token} "
          fallbackAuth = " LDAP "
          expectedResponse = " OK " />
</Context ...>

Extract from the server.xml file

Invariable value / Variable value depending on the installation

AttributeDescription
classNameName of the Java class, implementing the org.apache.catalina.Valve interface, to use as Valve here. This attribute is mandatory because it allows you to select the Valve to use. There are indeed several implementations provided by Tomcat.
sharedPasswdThe shared password and verified at authentication (see point II.5)
allowAddrRegular expression (s) that the address for sending requests to the dashboard must satisfy. In the case of multiple regexes, separate with commas.
portalUrl

The address of the user verification page and the token.

- It can be unique and request validation from a single server; in that case:

<protocol>: // <host>: <port> / <context> / <path> ? login = $ {login} & amp; token = $ {token}

- It can correspond to the address of the source issuing the access request to the dashboard; indicate in this case only the remaining path:

<context> / <path> ? login = $ {login} & amp; token = $ {token}

The valve will analyze in the header parameters of the incoming request the Referer to which to send the verification request.

fallbackAuthAuthentication method to use if the valve authentication fails.
expectedResponseResponse returned by the page in the event of valid authentication (not case-sensitive), all other responses lead to authentication failure.
print_debugOptional, is false by default, otherwise add print_debug = " true " for more verbose traces.

Table describing the attributes of the Valve element

Addition of security constraints

Add the security constraints to the web.xml file located in the folder

<digdash_installation> / apache-tomcat / conf .

<web-app ... >
  ...
     <security-role>
         <role-name> CUSTOM </role-name>
     </security-role>

     <security-constraint>
         <display-name> CUSTOM Security Constraint </display-name>
         <web-resource-collection>
             <web-resource-name> Protected Area </web-resource-name>
             <url-pattern> / * </url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name> CUSTOM </role-name>
         </auth-constraint>
     </security-constraint>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name> Non-Protected Area</web-resource-name>
             <url-pattern> / vjdbc </url-pattern>
         </web-resource-collection>
     </security-constraint>
  ...
</web-app>

Extract from web.xml file

URL of the server and domain for the Dashboard

It may be necessary, and it is advisable to specify on which server / domain the Dashboard will rely.

To do this, modify in the web.xml file in

<digdash_installation> / apache-tomcat / webapps / digdash_dashboard / WEB-INF.

To force the domain, change the value of the FORCEDOMAIN parameter to true .
 Mention the domain name by changing the DOMAIN parameter .

To force the server address, change the value of the FORCESERVERURL parameter to true .
 Mention the server address by changing the SERVERURL parameter .

<web-app ... >
  ...
     <servlet>
         <servlet-name>dashServlet</servlet-name>
         <servlet-class> com.digdash.server.DigdashServiceImpl </servlet-class>
          ...
         <init-param>
             <param-name>DOMAIN</param-name>
             <param-value> ddenterpriseapi </param-value>
         </init-param>
         <init-param>
             <param-name>FORCEDOMAIN</param-name>
             <param-value> true </param-value>
         </init-param>
         <init-param>
             <param-name> SERVERURL </param-name>
             <param-value> http: // localhost: 8080</param-value>
         </init-param>
         <init-param>
             <param-name>FORCESERVERURL</param-name>
             <param-value>true</param-value>
         </init-param>
          ...
     </servlet>
  ...
</web-app>

Variable value depending on the installation: "ddenterpriseapi" / "true" / "8080".

Extract from web.xml file

1591347244508-950.png

  • The example value for the SERVERURL parameter will almost always refer to localhost, when the dashboard and the server are placed in the same Tomcat server, which represents almost 99% of the uses. It will naturally be necessary to refer to the address of the external server if these two elements are placed on different servers.
1591347251515-981.png
 
  • This parameter can be edited via the web.xml file as indicated above. This file is specific to each installation of DigDash. You can enter this parameter more generally in the file

    <user> / Application Data / Enterprise Server / dashboard_system.xml

    For more information, you can refer to the DigDash documentation “guide_avance_systeme_fr.pdf”.

Changing the value of the sharedPasswd parameter

Uncomment and change the value of the sharedPasswd parameter (secret value below to change) in the web.xml file in the folder

<digdash_installation> / apache-tomcat / webapps / digdash_dashboard / WEB-INF .

The value must correspond to that mentioned in the sharedPasswd attribute in the valve of the file

<digdash_installation> /apache-tomcat/conf/server.xml (see part II.2).

<web-app ... >
  ...
     <servlet>
         <servlet-name> dashServlet </servlet-name>
         <servlet-class> com.digdash.server.DigdashServiceImpl </servlet-class>
          ...
         <init-param>
             <param-name> sharedPasswd </param-name>
             <param-value> secret </param-value>
         </init-param>
          ...
     </servlet>
  ...
 </web-app>

Variable value depending on the installation: "secret".

Extract from the server.xml file

Modification of the authentication method

Modify the authMethod parameter to change the authentication method (LDAP is the default method) in the web.xml file located in the folder

<digdash_installation> / apache-tomcat / webapps / ddenterpriseapi / WEB-INF .

External " means that safety is managed by the valve configured above.

<web-app ... >
  ...
     <servlet>
        ...
     </servlet>
        ...
     <servlet>
         <description> </description>
         <display-name> DDEnterpriseAuthServlet </display-name>
         <servlet-name> DDEnterpriseAuthServlet </servlet-name>
         <servlet-class> com.digdash.server.DDEnterpriseAuthServlet </servlet-class>
         <init-param>
             <param-name> authMethod </param-name>
             <param-value> External </param-value>
         </init-param>
            ...
     </servlet>
  ...
 </web-app>

Extract from web.xml file