Wiki source code of Authentification personnalisée
Last modified by jhurst on 2021/04/21 10:01
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | **Configuration** | ||
| 2 | |||
| 3 | Installation of a personalized authentication valve for DigDash | ||
| 4 | |||
| 5 | **Contents** | ||
| 6 | |||
| 7 | {{toc/}} | ||
| 8 | |||
| 9 | = Prerequisites = | ||
| 10 | |||
| 11 | * Have recovered the **CustomAuthenticator** folder in the **add-ons directory ** of the DigDash installation archive. It contains all the files necessary for setting up the personalized authentication valve in the DigDash Tomcat server. The placement of these files is described in this document. | ||
| 12 | ** The Tomcat7 folder: the versions of the libraries for a Tomcat 7 server | ||
| 13 | ** The Tomcat8 folder: the library versions for a Tomcat 8 server | ||
| 14 | * The following operations are to be performed **on the stopped DigDash server** . | ||
| 15 | |||
| 16 | = Configuration of the DigDash server = | ||
| 17 | |||
| 18 | == Copy of libraries == | ||
| 19 | |||
| 20 | Add the libraries and the log configuration file from the **CustomAuthenticator / Tomcat <N>** folder (N: Tomcat version) to the folder | ||
| 21 | |||
| 22 | **<digdash_installation> / apache / lib** : | ||
| 23 | |||
| 24 | |custom_authenticator.jar|httpcore-4.4.9.jar | ||
| 25 | |commons-codec-1.10.jar|httpmime-4.5.5.jar | ||
| 26 | |commons-logging-1.2.jar|log4j-1.2.15.jar | ||
| 27 | |httpclient-4.5.5.jar| | ||
| 28 | |||
| 29 | __Libraries in the CustomAuthenticator / Tomcat8 folder__ | ||
| 30 | |||
| 31 | == Addition of the personalized authentication valve == | ||
| 32 | |||
| 33 | Add the custom authentication valve in the **context.xml** file located in the folder | ||
| 34 | |||
| 35 | **<digdash_installation> / apache-tomcat / conf** | ||
| 36 | |||
| 37 | To do this, add the following Valve element in the **Context** element . | ||
| 38 | |||
| 39 | {{code language="XML"}} | ||
| 40 | <Context> | ||
| 41 | ... | ||
| 42 | <Valve className = "custom.apache.CustomAuthenticator" | ||
| 43 | sharedPasswd = "secret" | ||
| 44 | allowAddr = ". * Localhost. *,. * 127.0.0. *" | ||
| 45 | PortalUrl = "<url>? Login = $ { login} & amp; token = $ {token} " | ||
| 46 | fallbackAuth = " LDAP " | ||
| 47 | expectedResponse = " OK " /> | ||
| 48 | </Context ...> | ||
| 49 | {{/code}} | ||
| 50 | |||
| 51 | __Extract from the server.xml file__ | ||
| 52 | |||
| 53 | Invariable value / Variable value depending on the installation | ||
| 54 | |||
| 55 | |Attribute|Description | ||
| 56 | |className|Name of the Java class, implementing the org.apache.catalina.Valve interface, to use as Valve here. This attribute is mandatory because it allows you to select the Valve to use. There are indeed several implementations provided by Tomcat. | ||
| 57 | |sharedPasswd|The shared password and verified at authentication (see point II.5) | ||
| 58 | |allowAddr|Regular expression (s) that the address for sending requests to the dashboard must satisfy. In the case of multiple regexes, separate with commas. | ||
| 59 | |portalUrl|((( | ||
| 60 | The address of the user verification page and the token. | ||
| 61 | |||
| 62 | - It can be unique and request validation from a single server; in that case: | ||
| 63 | |||
| 64 | <protocol>: ~/~/ <host>: <port> / <context> / <path> ? login = $ {login} & amp; token = $ {token} | ||
| 65 | |||
| 66 | - It can correspond to the address of the source issuing the access request to the dashboard; indicate in this case only the remaining path: | ||
| 67 | |||
| 68 | <context> / <path> ? login = $ {login} & amp; token = $ {token} | ||
| 69 | |||
| 70 | The valve will analyze in the header parameters of the incoming request the Referer to which to send the verification request. | ||
| 71 | ))) | ||
| 72 | |fallbackAuth|Authentication method to use if the valve authentication fails. | ||
| 73 | |expectedResponse|Response returned by the page in the event of valid authentication (not case-sensitive), all other responses lead to authentication failure. | ||
| 74 | |print_debug|Optional, is false by default, otherwise add print_debug = " true " for more verbose traces. | ||
| 75 | |||
| 76 | __Table describing the attributes of the Valve element__ | ||
| 77 | |||
| 78 | == Addition of security constraints == | ||
| 79 | |||
| 80 | Add the security constraints to the **web.xml** file located in the folder | ||
| 81 | |||
| 82 | **<digdash_installation> / apache-tomcat / conf** . | ||
| 83 | |||
| 84 | {{code}} | ||
| 85 | <web-app ... > | ||
| 86 | ... | ||
| 87 | <security-role> | ||
| 88 | <role-name> CUSTOM </role-name> | ||
| 89 | </security-role> | ||
| 90 | |||
| 91 | <security-constraint> | ||
| 92 | <display-name> CUSTOM Security Constraint </display-name> | ||
| 93 | <web-resource-collection> | ||
| 94 | <web-resource-name> Protected Area </web-resource-name> | ||
| 95 | <url-pattern> / * </url-pattern> | ||
| 96 | </web-resource-collection> | ||
| 97 | <auth-constraint> | ||
| 98 | <role-name> CUSTOM </role-name> | ||
| 99 | </auth-constraint> | ||
| 100 | </security-constraint> | ||
| 101 | |||
| 102 | <security-constraint> | ||
| 103 | <web-resource-collection> | ||
| 104 | <web-resource-name> Non-Protected Area</web-resource-name> | ||
| 105 | <url-pattern> / vjdbc </url-pattern> | ||
| 106 | </web-resource-collection> | ||
| 107 | </security-constraint> | ||
| 108 | ... | ||
| 109 | </web-app> | ||
| 110 | {{/code}} | ||
| 111 | |||
| 112 | __Extract from web.xml file__ | ||
| 113 | |||
| 114 | == URL of the server and domain for the Dashboard == | ||
| 115 | |||
| 116 | It may be necessary, and **it is advisable** to specify on which server / domain the Dashboard will rely. | ||
| 117 | |||
| 118 | To do this, modify in the **web.xml** file in | ||
| 119 | |||
| 120 | **<digdash_installation> / apache-tomcat / webapps / digdash_dashboard / WEB-INF.** | ||
| 121 | |||
| 122 | To force the domain, change the value of the **FORCEDOMAIN** parameter to //true// . | ||
| 123 | Mention the domain name by changing the **DOMAIN** parameter . | ||
| 124 | |||
| 125 | To force the server address, change the value of the **FORCESERVERURL** parameter to //true// . | ||
| 126 | Mention the server address by changing the **SERVERURL** parameter . | ||
| 127 | |||
| 128 | {{code}} | ||
| 129 | <web-app ... > | ||
| 130 | ... | ||
| 131 | <servlet> | ||
| 132 | <servlet-name>dashServlet</servlet-name> | ||
| 133 | <servlet-class> com.digdash.server.DigdashServiceImpl </servlet-class> | ||
| 134 | ... | ||
| 135 | <init-param> | ||
| 136 | <param-name>DOMAIN</param-name> | ||
| 137 | <param-value> ddenterpriseapi </param-value> | ||
| 138 | </init-param> | ||
| 139 | <init-param> | ||
| 140 | <param-name>FORCEDOMAIN</param-name> | ||
| 141 | <param-value> true </param-value> | ||
| 142 | </init-param> | ||
| 143 | <init-param> | ||
| 144 | <param-name> SERVERURL </param-name> | ||
| 145 | <param-value> http: // localhost: 8080</param-value> | ||
| 146 | </init-param> | ||
| 147 | <init-param> | ||
| 148 | <param-name>FORCESERVERURL</param-name> | ||
| 149 | <param-value>true</param-value> | ||
| 150 | </init-param> | ||
| 151 | ... | ||
| 152 | </servlet> | ||
| 153 | ... | ||
| 154 | </web-app> | ||
| 155 | {{/code}} | ||
| 156 | |||
| 157 | |||
| 158 | Variable value depending on the installation: "ddenterpriseapi" / "true" / "8080". | ||
| 159 | |||
| 160 | |||
| 161 | __Extract from web.xml file__ | ||
| 162 | |||
| 163 | |((( | ||
| 164 | [[image:https://doc.digdash.com/xwiki/bin/download/Digdash_DEV/others_documents/config_custom_authenticator/WebHome/1591347244508-950.png?rev=1.1||alt="1591347244508-950.png"]] | ||
| 165 | )))|((( | ||
| 166 | * The example value for the SERVERURL parameter will almost always refer to localhost, when the dashboard and the server are placed in the same Tomcat server, which represents almost 99% of the uses. It will naturally be necessary to refer to the address of the external server if these two elements are placed on different servers. | ||
| 167 | ))) | ||
| 168 | |||
| 169 | |[[image:https://doc.digdash.com/xwiki/bin/download/Digdash_DEV/others_documents/config_custom_authenticator/WebHome/1591347251515-981.png?rev=1.1||alt="1591347251515-981.png"]] | ||
| 170 | |((( | ||
| 171 | * This parameter can be edited via the web.xml file as indicated above. This file is specific to each installation of DigDash. You can enter this parameter more generally in the file((( | ||
| 172 | **<user> / Application Data / Enterprise Server / dashboard_system.xml** | ||
| 173 | |||
| 174 | For more information, you can refer to the DigDash documentation “guide_avance_systeme_fr.pdf”. | ||
| 175 | ))) | ||
| 176 | ))) | ||
| 177 | |||
| 178 | == Changing the value of the sharedPasswd parameter == | ||
| 179 | |||
| 180 | **Uncomment** and change the value of the **sharedPasswd** parameter (secret value below to change) in the **web.xml** file in the folder | ||
| 181 | |||
| 182 | **<digdash_installation> / apache-tomcat / webapps / digdash_dashboard / WEB-INF** . | ||
| 183 | |||
| 184 | The value must correspond to that mentioned in the **sharedPasswd** attribute in the valve of the file | ||
| 185 | |||
| 186 | **<digdash_installation> /apache-tomcat/conf/server.xml** (see part II.2). | ||
| 187 | |||
| 188 | {{code}} | ||
| 189 | <web-app ... > | ||
| 190 | ... | ||
| 191 | <servlet> | ||
| 192 | <servlet-name> dashServlet </servlet-name> | ||
| 193 | <servlet-class> com.digdash.server.DigdashServiceImpl </servlet-class> | ||
| 194 | ... | ||
| 195 | <init-param> | ||
| 196 | <param-name> sharedPasswd </param-name> | ||
| 197 | <param-value> secret </param-value> | ||
| 198 | </init-param> | ||
| 199 | ... | ||
| 200 | </servlet> | ||
| 201 | ... | ||
| 202 | </web-app> | ||
| 203 | {{/code}} | ||
| 204 | |||
| 205 | Variable value depending on the installation: "secret". | ||
| 206 | |||
| 207 | __Extract from the server.xml file__ | ||
| 208 | |||
| 209 | |||
| 210 | == Modification of the authentication method == | ||
| 211 | |||
| 212 | Modify the **authMethod** parameter **to change** the authentication method (LDAP is the default method) in the **web.xml** file located in the folder | ||
| 213 | |||
| 214 | **<digdash_installation> / apache-tomcat / webapps / ddenterpriseapi / WEB-INF** . | ||
| 215 | |||
| 216 | " //External// " means that safety is managed by the valve configured above. | ||
| 217 | |||
| 218 | {{code}} | ||
| 219 | <web-app ... > | ||
| 220 | ... | ||
| 221 | <servlet> | ||
| 222 | ... | ||
| 223 | </servlet> | ||
| 224 | ... | ||
| 225 | <servlet> | ||
| 226 | <description> </description> | ||
| 227 | <display-name> DDEnterpriseAuthServlet </display-name> | ||
| 228 | <servlet-name> DDEnterpriseAuthServlet </servlet-name> | ||
| 229 | <servlet-class> com.digdash.server.DDEnterpriseAuthServlet </servlet-class> | ||
| 230 | <init-param> | ||
| 231 | <param-name> authMethod </param-name> | ||
| 232 | <param-value> External </param-value> | ||
| 233 | </init-param> | ||
| 234 | ... | ||
| 235 | </servlet> | ||
| 236 | ... | ||
| 237 | </web-app> | ||
| 238 | {{/code}} | ||
| 239 | |||
| 240 | __Extract from web.xml file__ | ||
| 241 | |||
| 242 | |||
| 243 |