devel:documentation:application_configuration:dev:backend [2018/06/01 12:28] tomiskar |
devel:documentation:application_configuration:dev:backend [2021/05/05 09:08] tomiskar [Application/ Server] |
Line 1: | Line 1: | ||
+ | ===== Configuration - backend ===== | ||
+ | {{tag> configuration final property properties config setup}} | ||
+ | |||
+ | The application uses a Spring boot configuration in the '' | ||
+ | |||
+ | Naming conventions of the configuration items in idm: | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * if the name of a configuration item contains the'' | ||
+ | * It is better to use constants for keys, e.g. '' | ||
+ | |||
+ | ==== Configure environment properties ==== | ||
+ | |||
+ | === Application profiles === | ||
+ | |||
+ | We are using Spring profiles: [[https:// | ||
+ | |||
+ | Start server under defined profile ([[https:// | ||
+ | |||
+ | < | ||
+ | -Dspring.profiles.active=production | ||
+ | </ | ||
+ | |||
+ | == Configured devstack profiles == | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | === External configuration === | ||
+ | |||
+ | External configuration uses Spring: [[https:// | ||
+ | |||
+ | Start server with external path to configuration ([[https:// | ||
+ | |||
+ | < | ||
+ | --spring.config.location=classpath:/ | ||
+ | </ | ||
+ | |||
+ | === Environment properties === | ||
+ | |||
+ | |||
+ | [[https:// | ||
+ | |||
+ | |||
+ | |||
+ | ===== Configuration items ===== | ||
+ | |||
+ | ==== Application/ | ||
+ | |||
+ | In the application profile (application.properties) and overloadable via ConfigurationService. | ||
+ | |||
+ | <code properties> | ||
+ | # Application stage (development, | ||
+ | # | ||
+ | # Public properties - available for frontend without authentication (show information about app, decorators etc.). | ||
+ | # | ||
+ | # Application stage - development, | ||
+ | idm.pub.app.stage= | ||
+ | # Application instance / server id - is used for scheduler etc. | ||
+ | # Can be defined in property file only! Overidding via ConfigurationService is not possible for application instance (~ more instanceos on the same database) | ||
+ | idm.pub.app.instanceId=idm-primary | ||
+ | # global date format on BE. Used in notification templates, logs, etc. FE uses localization key ' | ||
+ | idm.pub.app.format.date=dd.MM.yyyy | ||
+ | # global datetime format on BE. Used in notification templates, logs, etc. FE uses localization key ' | ||
+ | idm.pub.app.format.datetime=dd.MM.yyyy HH:mm | ||
+ | # Show identifiers (uuid) in frontend application. Empty value by default => identifier is shown, when application ' | ||
+ | idm.pub.app.show.id= | ||
+ | # Show transaction identifiers (uuid) in frontend application. | ||
+ | idm.pub.app.show.transactionId=false | ||
+ | # Show role environment in frontend application for roles (table, role detail, niceLabel, info components, role select). | ||
+ | idm.pub.app.show.environment=true | ||
+ | # Show role baseCode in frontend application for roles (table, role detail, niceLabel, info components, role select). | ||
+ | idm.pub.app.show.role.baseCode=true | ||
+ | # Number of items (pagination) in role catalogue tree in root level. Used on role select and agenda. | ||
+ | idm.pub.app.show.roleCatalogue.tree.pagination.root.size=25 | ||
+ | # Number of items (pagination) in role catalogue tree in other levels. Used on role select and agenda. | ||
+ | idm.pub.app.show.roleCatalogue.tree.pagination.node.size=25 | ||
+ | # Number of items (pagination) in tree node structure in root level. | ||
+ | idm.pub.app.show.treeNode.tree.pagination.root.size=50 | ||
+ | # Number of items (pagination) in tree node structure in other levels. | ||
+ | idm.pub.app.show.treeNode.tree.pagination.node.size=50 | ||
+ | # Available size options for tables in frontend application | ||
+ | idm.pub.app.show.sizeOptions=10, | ||
+ | # Show buttons for bulk actions in tables (0 = select box will be shown only). | ||
+ | # Count of quick access buttons for bulk actions in tables - the first count of bulk actions will be shown as button - next action will be rendered in drop down select box. | ||
+ | # Bulk action icon is required for quick access button - action without icon will be rendered in select box. | ||
+ | # Bulk action can enforce showing in quick access button (by bulk action configuration). | ||
+ | idm.pub.app.show.table.quickButton.count=5 | ||
+ | # Quick button for bulk actions in tables will be included in drop down select box too (available as button + menu item with text). | ||
+ | # Number of selected record is shown in drop down select header. | ||
+ | idm.pub.app.show.table.quickButton.menuIncluded=true | ||
+ | # Show default form for newly created user. | ||
+ | # Default form can be disabled => at least one configured form projection is needed. | ||
+ | idm.pub.app.show.identity.formProjection.default=true | ||
+ | # Rendered column in identity table agenda. Comma is used as separator. Order of rendered columns is preserved as configured. | ||
+ | # Available columns: | ||
+ | # - username - username with link to detail | ||
+ | # - entityinfo - identity info card | ||
+ | # - lastName | ||
+ | # - firstName | ||
+ | # - externalCode - personal number | ||
+ | |||
+ | # - state | ||
+ | # - passwordexpiration - information about identity password epiration | ||
+ | # - description | ||
+ | # Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE). | ||
+ | # If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail), | ||
+ | # you can use FE configuration https:// | ||
+ | idm.pub.app.show.identity.table.columns=username, | ||
+ | # If is true, then role-request description will be show on the detail. | ||
+ | # Description will hidden if this property will be false and role request | ||
+ | # doesn' | ||
+ | idm.pub.app.show.roleRequest.description=true | ||
+ | # | ||
+ | # Private properties - used on backend only. | ||
+ | # | ||
+ | # Create demo data at application start. | ||
+ | idm.sec.core.demo.data.enabled=true | ||
+ | # Demo data was created - prevent to create demo data duplicitly. | ||
+ | idm.sec.core.demo.data.created=false | ||
+ | # Create init data at application start. Init data (product provided roles) are updated automatically with pruct updates. | ||
+ | # Set property to false to disable init data creation and updates. | ||
+ | idm.sec.core.init.data.enabled=true | ||
+ | </ | ||
+ | |||
+ | === Change server for asynchronous processing (switch application instance) == | ||
+ | |||
+ | @since 11.1.0 | ||
+ | |||
+ | Application instance (server) is used for asynchronus processing - for scheduled tasks, asynchronous long running tasks and events. | ||
+ | Instance identifier can be defined in the application profile (application.properties) by property '' | ||
+ | When we want to schedule and process asynchronous tasks and event on other instace (or when one instance shutdown), then we can switch processing by provided bulk action '' | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Previous and new instance identifier is required as input parameters. All scheduled tasks and all created (~ not processed) asynchronous long running tasks and events will be moved from previous to new instance and will be processed on new instance (server). | ||
+ | |||
+ | |||
+ | ==== Jpa === | ||
+ | |||
+ | In the application profile (application.properties) | ||
+ | |||
+ | <code properties> | ||
+ | # ZonedDateTime is stored in UTC | ||
+ | spring.jpa.properties.hibernate.jdbc.time_zone=UTC | ||
+ | # Driver (e.g. postgres) does not support contextual LOB creation | ||
+ | spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true | ||
+ | # audit table suffixes | ||
+ | spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a | ||
+ | spring.jpa.properties.org.hibernate.envers.modified_flag_suffix=_m | ||
+ | # modified flag for all audited columns | ||
+ | spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true | ||
+ | # prevent to modify attributes created, creator etc. | ||
+ | spring.jpa.properties.org.hibernate.envers.audit_strategy=eu.bcvsolutions.idm.core.model.repository.listener.IdmAuditStrategy | ||
+ | spring.jpa.properties.hibernate.session_factory.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor | ||
+ | # enable / disable audit (envers) | ||
+ | spring.jpa.properties.hibernate.listeners.envers.autoRegister=true | ||
+ | # Spring boot 2 changed default to true, but we are using IDENTITY identifier generators for mssql database. | ||
+ | spring.jpa.hibernate.use-new-id-generator-mappings=false | ||
+ | # | ||
+ | # DB ddl auto generation by hibernate is disabled - flyway database migration is used | ||
+ | spring.jpa.generate-ddl=false | ||
+ | spring.jpa.hibernate.ddl-auto=none | ||
+ | # | ||
+ | # DATASOURCE (DataSourceAutoConfiguration & DataSourceProperties) | ||
+ | spring.datasource.url=jdbc: | ||
+ | spring.datasource.username=***** | ||
+ | spring.datasource.password=***** | ||
+ | spring.datasource.driver-class-name=org.postgresql.Driver | ||
+ | # test connection, when is used from pool (reconnect after db is restarted) | ||
+ | spring.datasource.testOnBorrow=true | ||
+ | spring.datasource.validationQuery=SELECT 1 | ||
+ | # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. | ||
+ | spring.datasource.hikari.maximumPoolSize=50 | ||
+ | </ | ||
+ | |||
+ | === JNDI datasource === | ||
+ | |||
+ | Firstly is needed to configure JNDI resource in the J2EE server. Here is a configuration snippet for Tomcat. It assumes PostgreSQL as the database: | ||
+ | <code xml> | ||
+ | <Context antiJARLocking=" | ||
+ | < | ||
+ | name=" | ||
+ | auth=" | ||
+ | type=" | ||
+ | username=" | ||
+ | password=" | ||
+ | driverClassName=" | ||
+ | url=" | ||
+ | maxActive=" | ||
+ | maxIdle=" | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | In the application profile (application.properties), | ||
+ | <code properties> | ||
+ | # JNDI location of the datasource. Class, url, username & password are ignored when set. | ||
+ | spring.datasource.jndi-name=PostgresDS | ||
+ | </ | ||
+ | |||
+ | In **logback-spring.xml** configuration (by profile, if db appender is used), update datasource properties: | ||
+ | <code xml> | ||
+ | ... | ||
+ | < | ||
+ | | ||
+ | < | ||
+ | < | ||
+ | <!-- please note the " | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | |||
+ | === Using SSL === | ||
+ | |||
+ | - Configure PostgreSQL server, documentation: | ||
+ | - Short example: https:// | ||
+ | - Create new truststore specifically for the CzechIdM. When starting your Java application you must specify this keystore and password to use '' | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | While updating custom java deployment: | ||
+ | * Not being a " | ||
+ | |||
+ | While updating Java OS packages: | ||
+ | * Nowadays, most Linux distros offering packages with OpenJDK, OracleJDK, ... use " | ||
+ | </ | ||
+ | |||
+ | In the application profile (application.properties) | ||
+ | |||
+ | Update datasource properties: | ||
+ | <code properties> | ||
+ | # add ssl usage flag, see https:// | ||
+ | spring.datasource.url=jdbc: | ||
+ | </ | ||
+ | |||
+ | ==== Cache ==== | ||
+ | |||
+ | Cache is used for reading configuration values. Value in cache is cleared by an active (save, delete) operation. | ||
+ | |||
+ | In the application profile (application.properties): | ||
+ | |||
+ | |||
+ | |||
+ | <code properties> | ||
+ | # Disable cache | ||
+ | # If you are debugging some of code and are you figuring, something is wrong with the cache, then you can turn the cache off with property. | ||
+ | # | ||
+ | # | ||
+ | # Clusterred cache settings | ||
+ | # | ||
+ | idm.sec.cache.terracota.resource.name=main | ||
+ | idm.sec.cache.terracota.resource.pool.name=resource-pool | ||
+ | # Size in MB | ||
+ | idm.sec.cache.terracota.resource.pool.size=32 | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Attachment storage ==== | ||
+ | |||
+ | '' | ||
+ | |||
+ | In the application profile (application.properties): | ||
+ | |||
+ | <code properties> | ||
+ | # Max file size of uploaded file. Values can use the suffixed " | ||
+ | # Application server (e.g. Tomcat " | ||
+ | spring.servlet.multipart.max-file-size=100MB | ||
+ | spring.servlet.multipart.max-request-size=100MB | ||
+ | |||
+ | </ | ||
+ | |||
+ | In the application profile (application.properties) and overloadable via '' | ||
+ | |||
+ | <code properties> | ||
+ | # | ||
+ | ## Attachment manager | ||
+ | # | ||
+ | # attachments will be stored under this path. | ||
+ | # new directories for attachment will be created in this folder (permissions has to be added) | ||
+ | # System.getProperty(" | ||
+ | # idm.sec.core.attachment.storagePath=/ | ||
+ | # | ||
+ | # temporary files for attachment processing (e.g. temp files for download / upload) | ||
+ | # getStoragePath()/ | ||
+ | # idm.sec.core.attachment.tempPath=/ | ||
+ | # | ||
+ | # temporary file time to live in milliseconds | ||
+ | # older temporary files will be purged, default 14 days | ||
+ | # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends). | ||
+ | idm.sec.core.attachment.tempTtl=1209600000 | ||
+ | </ | ||
+ | |||
+ | ==== Activiti workflow ==== | ||
+ | <code properties> | ||
+ | # String boot properties for Activiti workflow engine | ||
+ | # https:// | ||
+ | # let activiti to manage their schema | ||
+ | spring.activiti.databaseSchemaUpdate=true | ||
+ | # disable automatic jpa entities persisting - dto usage is prefered | ||
+ | spring.activiti.jpaEnabled=false | ||
+ | # Automatic process deployment | ||
+ | spring.activiti.checkProcessDefinitions=true | ||
+ | # path to automatically deployed definitions - should be the same in all modules | ||
+ | # more locations can be given e.g. classpath*: | ||
+ | # resources in the latest location has the highest priority (last wins) - workflow definitions are prioritized by file name, don't change definition' | ||
+ | # put resource, which has to override some core resource to last location | ||
+ | spring.activiti.processDefinitionLocationPrefix=classpath*: | ||
+ | # definitions name pattern - subfolders can be used | ||
+ | spring.activiti.processDefinitionLocationSuffixes=**/ | ||
+ | </ | ||
+ | |||
+ | ==== Security ==== | ||
+ | |||
+ | In the application profile (application.properties) and overloadable via ConfigurationService. | ||
+ | |||
+ | <code properties> | ||
+ | # allowed origins for FE | ||
+ | # the first value is used as frontend url to notification templates | ||
+ | idm.pub.security.allowed-origins=http:// | ||
+ | # auth token | ||
+ | # - expiration in milis | ||
+ | idm.sec.security.jwt.expirationTimeout=36000000 | ||
+ | # - secret jwt password | ||
+ | idm.sec.security.jwt.secret.token=idmSecret | ||
+ | # - extend JWT token expiration period on each successful request | ||
+ | idm.sec.security.jwt.token.extend.expiration=true | ||
+ | # recaptcha | ||
+ | # - recaptchaservice endpoint | ||
+ | idm.sec.security.recaptcha.url=https:// | ||
+ | # - secret key, can be generated here https:// | ||
+ | # - test secret key: https:// | ||
+ | idm.sec.security.recaptcha.secretKey=xxx | ||
+ | </ | ||
+ | |||
+ | Allowed-origins defines, which resources can use backend API methods. e.g. When there is a web server serving as reverse proxy on the same server as BE, the http:// | ||
+ | |||
+ | |||
+ | ==== Flyway ==== | ||
+ | |||
+ | In the application profile (application.properties) | ||
+ | |||
+ | <code properties> | ||
+ | # Enable flyway migrations. | ||
+ | # @see https:// | ||
+ | flyway.enabled=false | ||
+ | </ | ||
+ | |||
+ | Module configuration (flyway-core.properties) | ||
+ | |||
+ | <code properties> | ||
+ | ## Core Flyway configuration | ||
+ | # | ||
+ | # Whether to automatically call baseline when migrate is executed against a non-empty schema with no metadata table. | ||
+ | # This schema will then be baselined with the baselineVersion before executing the migrations. | ||
+ | # Only migrations above baselineVersion will then be applied. | ||
+ | # This is useful for initial Flyway production deployments on projects with an existing DB. | ||
+ | # Be careful when enabling this as it removes the safety net that ensures Flyway does not migrate the wrong database in case of a configuration mistake! | ||
+ | flyway.core.baselineOnMigrate=true | ||
+ | # | ||
+ | # The name of Flyway' | ||
+ | # By default (single-schema mode) the metadata table is placed in the default schema for the connection provided by the datasource. | ||
+ | flyway.core.table=idm_schema_version_core | ||
+ | # | ||
+ | # Comma-separated list of locations to scan recursively for migrations. The location type is determined by its prefix. | ||
+ | # Unprefixed locations or locations starting with classpath: point to a package on the classpath and may contain both sql and java-based migrations. | ||
+ | # Locations starting with filesystem: point to a directory on the filesystem and may only contain sql migrations. | ||
+ | # IdmFlywayMigrationStrategy resolves used jdbc database dynamically - ${dbName} in location could be used. | ||
+ | flyway.core.locations=classpath: | ||
+ | </ | ||
+ | |||
+ | ==== Module configuration ==== | ||
+ | |||
+ | Information about module can be defined in property file (module-< | ||
+ | |||
+ | <code properties> | ||
+ | # mapping pom.xml properties by default | ||
+ | # add custom properties if needed | ||
+ | # | ||
+ | # module version | ||
+ | module.< | ||
+ | # build number | ||
+ | module.< | ||
+ | module.< | ||
+ | # module vendor | ||
+ | module.< | ||
+ | module.< | ||
+ | module.< | ||
+ | # module description | ||
+ | module.< | ||
+ | module.< | ||
+ | </ | ||
+ | |||
+ | ==== Swagger ==== | ||
+ | |||
+ | In the application profile (application.properties) | ||
+ | <code properties> | ||
+ | ## Swagger config | ||
+ | # enable swagger endpoint (can be disabled for development etc.) | ||
+ | springfox.documentation.swagger.enabled=true | ||
+ | # endpoint with exposed documentations. Documentations are exposed by module e.g. < | ||
+ | springfox.documentation.swagger.v2.path=/ | ||
+ | # | ||
+ | # for static documentation generation puprose => internal usage mainly in test stage. Swagger specification on then rest endpoint is exported to given file e.g. < | ||
+ | # output directory and filename for swagger export - other build parts are dependent on this. | ||
+ | springfox.documentation.swagger.outputDir=@swagger.output.dir@ | ||
+ | springfox.documentation.swagger.outputFilename=@swagger.output.filename@ | ||
+ | </ | ||
+ | |||
+ | ==== Emailer ==== | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # enable test mode - in this mode, emails are not send | ||
+ | idm.sec.core.emailer.test.enabled=false | ||
+ | # http:// | ||
+ | idm.sec.core.emailer.protocol=smtps | ||
+ | idm.sec.core.emailer.host=smtp.gmail.com | ||
+ | idm.sec.core.emailer.port=465 | ||
+ | idm.sec.core.emailer.username=servis.bcvsolutions@gmail.com | ||
+ | idm.sec.core.emailer.password=***** | ||
+ | # The FROM email address. | ||
+ | idm.sec.core.emailer.from=idm@bcvsolutions.eu | ||
+ | </ | ||
+ | |||
+ | ==== Templates ==== | ||
+ | |||
+ | In the application profile (application.properties) - overloadable via ConfigurationService. | ||
+ | |||
+ | <code properties> | ||
+ | # Templates location | ||
+ | # more locations can be given e.g. classpath*:/ | ||
+ | # resources in the latest location has the highest priority (last wins). Resources are prioritized - put resource, which has to override some core resource to last location | ||
+ | # Locations can be configured https:// | ||
+ | idm.sec.core.notification.template.folder=classpath*:/ | ||
+ | idm.sec.core.notification.template.fileSuffix=**/ | ||
+ | </ | ||
+ | |||
+ | ==== Scripts ==== | ||
+ | |||
+ | In the application profile (application.properties) - overloadable via ConfigurationService. | ||
+ | |||
+ | <code properties> | ||
+ | # Scripts location | ||
+ | # more locations can be given e.g. classpath*:/ | ||
+ | # resources in the latest location has the highest priority (last wins). Resources are prioritized - put resource, which has to override some core resource to last location | ||
+ | # Locations can be configured https:// | ||
+ | idm.sec.core.script.folder=classpath*:/ | ||
+ | idm.sec.core.script.fileSuffix=**/ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Scheduler ==== | ||
+ | |||
+ | In the application profile (application.properties). | ||
+ | |||
+ | <code properties> | ||
+ | # Enable scheduler. Enabled by default | ||
+ | scheduler.enabled=true | ||
+ | # Task queue processing period (ms). Default 1000ms. | ||
+ | scheduler.task.queue.process=1000 | ||
+ | # Application settings for QUARTZ (for current mvn profile) | ||
+ | scheduler.properties.location=/ | ||
+ | # Task executor core pool size. Uses CPU count as default. | ||
+ | scheduler.task.executor.corePoolSize= | ||
+ | # Task executor max pool size. Uses CPU corePoolSize * 2 as default. | ||
+ | # maxPoolSize has to be higher than corePoolSize (IllegalArgumentException is thrown otherwise). | ||
+ | # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | ||
+ | scheduler.task.executor.maxPoolSize= | ||
+ | # Waiting tasks to be processed. Uses 20 as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. | ||
+ | # {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link LongRunningTaskManager}). | ||
+ | scheduler.task.executor.queueCapacity=20 | ||
+ | # Thread priority for threads in event executor pool - 5 by default (normal). | ||
+ | scheduler.task.executor.threadPriority= | ||
+ | # Asynchronous task processing is stopped. | ||
+ | # Asynchronous task processing is stopped, when instance for processing is switched => prevent to process asynchronous task in the meantime. | ||
+ | # Asynchronous task processing can be stopped for testing or debugging purposes. | ||
+ | # Asynchronous task are still created in queue, but they are not processed automatically - task can be executed manually from ui. | ||
+ | idm.sec.core.scheduler.task.asynchronous.stopProcessing=false | ||
+ | # Event queue processing period (ms). Period to read prepared (~created) asynchronous entity events from queue. | ||
+ | # Events are processed in batch configured by property ' | ||
+ | # Default 500ms. | ||
+ | scheduler.event.queue.process=500 | ||
+ | # Event executor core pool size. Uses CPU count + 1 as default. | ||
+ | scheduler.event.executor.corePoolSize= | ||
+ | # Event executor max pool size. Uses CPU corePoolSize * 2 as default. | ||
+ | # maxPoolSize has to be higher than corePoolSize (IllegalArgumentException is thrown otherwise). | ||
+ | # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | ||
+ | scheduler.event.executor.maxPoolSize= | ||
+ | # Waiting events to be processed. Uses 50 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. | ||
+ | # {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link EntityEventManager}). | ||
+ | scheduler.event.executor.queueCapacity=50 | ||
+ | # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). | ||
+ | scheduler.event.executor.threadPriority=6 | ||
+ | </ | ||
+ | |||
+ | ==== Identity ==== | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # supports delete identity. Needed on FE (=> public) to render available bulk action in table | ||
+ | # @deprecated @since 10.6.0 - action can be disabled by bulk action configurable api - use ' | ||
+ | idm.pub.core.identity.delete=true | ||
+ | # | ||
+ | # default password change type for custom users, one of values: | ||
+ | # DISABLED - password change is disable | ||
+ | # ALL_ONLY - users can change passwords only for all accounts | ||
+ | # CUSTOM - users can choose for which accounts change password | ||
+ | # Needed on FE (=> public) | ||
+ | idm.pub.core.identity.passwordChange=CUSTOM | ||
+ | # | ||
+ | # required old password for change password. | ||
+ | # Needed on FE (=> public) | ||
+ | idm.pub.core.identity.passwordChange.requireOldPassword=true | ||
+ | # | ||
+ | # change password to idm from public pages. | ||
+ | # true - change to IdM and all system | ||
+ | # false - change to all system except IdM | ||
+ | # Needed on FE (=> public) | ||
+ | idm.pub.core.identity.passwordChange.public.idm.enabled=true | ||
+ | # | ||
+ | # create default identity' | ||
+ | # skipped in synchronizations - contract synchronization should be provided. | ||
+ | idm.pub.core.identity.create.defaultContract.enabled=true | ||
+ | # | ||
+ | # Skip identity dashboard content - show full detail directly (link from table or from info component) | ||
+ | # Needed on FE (=> public) | ||
+ | idm.pub.core.identity.dashboard.skip= | ||
+ | |||
+ | </ | ||
+ | |||
+ | ==== Identity contract slice ==== | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # The protected interval can be set using the property idm.sec.core.contract-slice.protection-interval, | ||
+ | # If the number of days between the termination of the contract and its renewal in the following time slice is less than or equal to the number | ||
+ | # of days set in the protection interval, then the date of the contract validity from the following slice will be used instead of the date of | ||
+ | # termination of the contract from the currently valid slice. | ||
+ | idm.sec.core.contract-slice.protection-interval=0 | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ==== Role ==== | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # | ||
+ | # Default user role will be added automatically, | ||
+ | # could contains default authorities and authority policies configuration | ||
+ | # for adding autocomplete or all record read permission etc. | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.core.role.default=userRole | ||
+ | # | ||
+ | # Admin user role | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.core.role.admin=superAdminRole | ||
+ | # | ||
+ | # Helpdesk user role | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.core.role.helpdesk=helpdeskRole | ||
+ | # | ||
+ | # User manager role | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.core.role.userManager=userManagerRole | ||
+ | # | ||
+ | # Role manager role - role guarantee | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.core.role.roleManager=roleManagerRole | ||
+ | # | ||
+ | # Virtual system implementer | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.vs.role.implementer=virtualSystemImplementerRole | ||
+ | # | ||
+ | # Separator for the suffix with environment used in role code. | ||
+ | # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script). | ||
+ | idm.sec.core.role.codeEnvironmentSeperator=| | ||
+ | </ | ||
+ | |||
+ | ==== Tree ==== | ||
+ | Tree structures configuration properties. | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # Default tree type (uuid or code). More in Default organizational structure doc. | ||
+ | idm.sec.core.tree.defaultType= | ||
+ | # Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc. | ||
+ | idm.sec.core.tree.defaultNode= | ||
+ | </ | ||
+ | |||
+ | Internal properties used for tree indexing (forest index) - holds index state: | ||
+ | <code properties> | ||
+ | # forest index is valid. Is set to false, when index exception occurs and tree index has to be rebuild | ||
+ | idm.sec.core.treeType.< | ||
+ | # rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted. | ||
+ | idm.sec.core.treeType.< | ||
+ | </ | ||
+ | |||
+ | ==== Entity events ==== | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # disable / enable asynchronous event processing. Events will be executed synchronously, | ||
+ | idm.sec.core.event.asynchronous.enabled=true | ||
+ | # Asynchronous event processing is stopped. | ||
+ | # Event processing is stopped, when instance for processing is switched => prevent to process instances in the meantime. | ||
+ | # Asynchronous event processing can be disabled for testing or debugging purposes. | ||
+ | # Events are still created in queue, but they are not processed. | ||
+ | idm.sec.core.event.asynchronous.stopProcessing=false | ||
+ | # Asynchronous events will be executed on server instance with id. Default is the same as {@link ConfigurationService# | ||
+ | idm.sec.core.event.asynchronous.instanceId= | ||
+ | # Asynchronous events will be executed in batch - batch will be split for event with HIGH / NORMAL priority in 70% HIGH / 30% NORMAL. | ||
+ | # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher ' | ||
+ | idm.sec.core.event.asynchronous.batchSize=15 | ||
+ | </ | ||
+ | |||
+ | === Entity event processors === | ||
+ | In the application profile ('' | ||
+ | Every processor could have his own configuration properties under prefix: | ||
+ | <code properties> | ||
+ | # disable / enable event procesor | ||
+ | idm.sec.< | ||
+ | # override event types for given processor | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where ''< | ||
+ | |||
+ | Common configuration properties for all processors: | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Exists processors configuration: | ||
+ | |||
+ | ==== Bulk actions ==== | ||
+ | |||
+ | @since 10.6.0 | ||
+ | |||
+ | In the application profile ('' | ||
+ | Every bulk action could have his own configuration properties under prefix: | ||
+ | <code properties> | ||
+ | # disable / enable bulk action | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where ''< | ||
+ | |||
+ | Common configuration properties for all bulk actions: | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | |||
+ | |||
+ | ==== Workflow settings for approval of change user roles ===== | ||
+ | <code properties> | ||
+ | ## WF | ||
+ | # Approve by manager | ||
+ | idm.sec.core.wf.approval.manager.enabled=false | ||
+ | # Approve by security department | ||
+ | idm.sec.core.wf.approval.security.enabled=false | ||
+ | idm.sec.core.wf.approval.security.role=Security | ||
+ | # Approve by helpdesk department | ||
+ | idm.sec.core.wf.approval.helpdesk.enabled=false | ||
+ | idm.sec.core.wf.approval.helpdesk.role=Helpdesk | ||
+ | # Approve by usermanager department | ||
+ | idm.sec.core.wf.approval.usermanager.enabled=false | ||
+ | idm.sec.core.wf.approval.usermanager.role=Usermanager | ||
+ | # Approve role incompatibilities - if some incompatibilities are found in the request, then this approval will be executed. | ||
+ | idm.sec.core.wf.approval.incompatibility.enabled=true | ||
+ | idm.sec.core.wf.approval.incompatibility.role=Incompatibility | ||
+ | # Approval wf by role priority | ||
+ | idm.sec.core.wf.role.approval.1=approve-role-by-manager | ||
+ | idm.sec.core.wf.role.approval.2=approve-role-by-guarantee | ||
+ | idm.sec.core.wf.role.approval.3=approve-role-by-guarantee-security | ||
+ | # Approval WF for unassigning a role (one remove WF for the whole application) | ||
+ | idm.sec.core.wf.role.approval.remove=approve-remove-role-by-manager | ||
+ | # Approve a change of a role - used in the request for changing a role. | ||
+ | # It is also used in the request to create a new role. | ||
+ | idm.sec.core.wf.approval.role-change.role= | ||
+ | # | ||
+ | # Default main WF for approving all roles. | ||
+ | idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions | ||
+ | </ | ||
+ | |||
+ | ==== Universal requests ==== | ||
+ | <code properties> | ||
+ | ## Universal requests | ||
+ | # Role | ||
+ | idm.pub.core.request.idm-role.enabled=false | ||
+ | # Defines the type of guarantee. Requests will be approved only by guarantees with this type. | ||
+ | # If null, then all guarantees will be used for approving (no limitations). | ||
+ | idm.sec.core.request.idm-role.approval.guarantee-type= | ||
+ | </ | ||
+ | |||
+ | ==== Notification from Workflow ==== | ||
+ | <code properties> | ||
+ | ## Global property that allows disabling or enabling sending of notifications from WF | ||
+ | idm.sec.core.wf.notification.send=false | ||
+ | ## Enable sending notification of role changes to the user whose account will be modified | ||
+ | idm.sec.core.wf.notification.applicant.enabled=false | ||
+ | ## Enable sending notification of role changes to the user who made the request | ||
+ | idm.sec.core.wf.notification.implementer.enabled=true | ||
+ | </ | ||
+ | |||
+ | ==== Confidential storage ==== | ||
+ | |||
+ | Properties **are not** overloadable via '' | ||
+ | |||
+ | <code properties> | ||
+ | # Cipher secret key for encrypting values in confidential storage | ||
+ | # values are encrypted with secretKey - secret.key | ||
+ | # Can be empty => confidential storage will not be encrypted; the application cannot be used in production (dev, test only). | ||
+ | cipher.crypt.secret.key= | ||
+ | # or secretKey defined in an external file - secret.keyPath | ||
+ | # cipher.crypt.secret.keyPath=/ | ||
+ | </ | ||
+ | |||
+ | ==== Entity filters ==== | ||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # Enable / disable the check that a filter is properly registered when it is used (by entity and property name). | ||
+ | # Throws an exception when an unrecognized filter is used. | ||
+ | idm.sec.core.filter.check.supported.enabled=true | ||
+ | # Check whether the count of filter values exceeds the given maximum. | ||
+ | # Related to the database limit on query parameters (e.g. Oracle = {@code 1000}, MSSql = {@code 2100}). | ||
+ | # Throws an exception when the size is exceeded. Set to {@code -1} to disable this check. | ||
+ | idm.sec.core.filter.check.size.maximum=500 | ||
+ | </ | ||
+ | |||
+ | Every registered filter can have its own configuration properties under the prefix: | ||
+ | <code properties> | ||
+ | # enable / disable filter - enabled by default. When the filter is disabled and its property is filled in the filter, then '' | ||
+ | idm.sec.< | ||
+ | # filter implementation | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where: | ||
+ | * ''< | ||
+ | * ''< | ||
+ | * ''< | ||
+ | * ''< | ||
+ | |||
+ | Common configuration properties for all filters: | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Existing filter configurations: | ||
+ | |||
+ | ==== Notification senders ==== | ||
+ | In the application profile ('' | ||
+ | Senders can have their own configuration properties under the prefix: | ||
+ | <code properties> | ||
+ | # sender implementation | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where: | ||
+ | * ''< | ||
+ | * ''< | ||
+ | |||
+ | Common configuration properties for all senders: | ||
+ | * '' | ||
+ | |||
+ | Read more about [[..: | ||
+ | |||
+ | |||
+ | ==== Authentication ==== | ||
+ | UUID of the system against which the user will be authenticated. This authentication is deprecated since version 10.4.0. | ||
+ | <code properties> | ||
+ | # ID of the system against which to authenticate | ||
+ | idm.sec.security.auth.system= | ||
+ | </ | ||
+ | |||
+ | Authentication against multiple systems (since 10.4.0) - the system ID or code can be used: | ||
+ | <code properties> | ||
+ | idm.sec.acc.security.auth.order1.system= | ||
+ | idm.sec.acc.security.auth.order2.system= | ||
+ | </ | ||
+ | |||
+ | The maximum number of systems used for authentication can be set with the property: | ||
+ | <code properties> | ||
+ | idm.sec.acc.security.auth.maximumSystemCount=50 | ||
+ | </ | ||
+ | |||
+ | More about authenticator can be found [[devel: | ||
+ | |||
+ | === Authentication filters === | ||
+ | In the application profile ('' | ||
+ | An authentication filter can have its own configuration properties under the prefix: | ||
+ | <code properties> | ||
+ | # enable / disable filter - enabled by default or by the filter implementation. | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where: | ||
+ | * ''< | ||
+ | * ''< | ||
+ | |||
+ | Common configuration properties for all filters: | ||
+ | * '' | ||
+ | |||
+ | === SSO authentication filter === | ||
+ | [[..: | ||
+ | <code properties> | ||
+ | # Allow SSO authentication | ||
+ | idm.sec.core.authentication-filter.core-sso-authentication-filter.enabled=false | ||
+ | # The name of the header which contains the login of the authenticated user | ||
+ | idm.sec.core.authentication-filter.core-sso-authentication-filter.header-name=REMOTE_USER | ||
+ | # The suffixes to remove from the login - usually domains | ||
+ | idm.sec.core.authentication-filter.core-sso-authentication-filter.uid-suffixes= | ||
+ | # The uids that can't be authenticated by SSO | ||
+ | idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= | ||
+ | </ | ||
+ | |||
+ | === Remote user authentication filter === | ||
+ | Login into IdM with the remote user preset on the request by the servlet container can be configured with the following properties: | ||
+ | <code properties> | ||
+ | # Allow remote user authentication | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.enabled=false | ||
+ | # The suffixes to remove from the login - usually domains | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.uid-suffixes= | ||
+ | # The uids that can't be authenticated by SSO | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids= | ||
+ | </ | ||
+ | |||
+ | This authentication filter reuses SSO authentication filter behavior above ('' | ||
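The two filters above share the same decision: read the configured header, strip the configured suffixes, and refuse the configured uids. The following is an added example (not CzechIdM code) that reproduces that decision from the documented property keys; the properties text, the domains and the forbidden logins are constructed, and the case-insensitive header and suffix matching are assumptions.

```python
# Constructed properties text using the keys documented in the two sections above.
SSO_PREFIX = "idm.sec.core.authentication-filter.core-sso-authentication-filter."
SAMPLE_PROPERTIES = """
idm.sec.core.authentication-filter.core-sso-authentication-filter.enabled=true
idm.sec.core.authentication-filter.core-sso-authentication-filter.header-name=REMOTE_USER
idm.sec.core.authentication-filter.core-sso-authentication-filter.uid-suffixes=@example.org,@corp.example.org
idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids=admin,svc_deploy
"""


def load_filter_config(properties_text, prefix):
    """Collect the <prefix>* properties into a dict; list values are comma-separated."""
    cfg = {"enabled": False, "header-name": "REMOTE_USER",
           "uid-suffixes": [], "forbidden-uids": []}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not key.startswith(prefix):
            continue
        name = key[len(prefix):]
        if name == "enabled":
            cfg["enabled"] = value.lower() == "true"
        elif name == "header-name":
            cfg["header-name"] = value
        elif name in ("uid-suffixes", "forbidden-uids"):
            cfg[name] = [v.strip() for v in value.split(",") if v.strip()]
    return cfg


def resolve_sso_login(headers, cfg):
    """Return the login the filter would authenticate, or None to fall through.

    None is returned when the filter is disabled, the header is missing or
    blank, or the uid (after suffix stripping) is on the forbidden list, so
    e.g. admin accounts keep requiring an interactive login.
    """
    if not cfg["enabled"]:
        return None
    wanted = cfg["header-name"].lower()   # header names are case-insensitive
    raw = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if raw is None or not raw.strip():
        return None
    uid = raw.strip()
    for suffix in cfg["uid-suffixes"]:    # first matching suffix is removed
        if uid.lower().endswith(suffix.lower()):
            uid = uid[:-len(suffix)]
            break
    if not uid or uid in cfg["forbidden-uids"]:
        return None
    return uid
```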
+ | |||
+ | === Two-factor authentication === | ||
+ | |||
+ | [[..: | ||
+ | |||
+ | <code properties> | ||
+ | # Verification secret length | ||
+ | totp.secret.length=32 | ||
+ | # Time period ~ period for generating a new authentication code | ||
+ | totp.time.period=30 | ||
+ | # Time Discrepancy - number of past (but still valid) authentication codes (e.g. when code is sent by notification, | ||
+ | totp.time.discrepancy=1 | ||
+ | |||
+ | </ | ||
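As an added example (not CzechIdM code), this verifier shows how the three totp.* values above interact: the secret length, the time step, and the discrepancy that lets the immediately preceding codes still pass. A base32-encoded secret and 6-digit HMAC-SHA1 codes are assumptions; the key in the test is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Values mirror the totp.* properties above (constructed defaults for this example).
SECRET_LENGTH = 32      # totp.secret.length    - characters of the shared secret
TIME_PERIOD = 30        # totp.time.period      - seconds per code
TIME_DISCREPANCY = 1    # totp.time.discrepancy - past codes still accepted

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def generate_secret(length=SECRET_LENGTH):
    """Random base32 secret of the configured length (encoding is an assumption)."""
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(length))


def totp_code(secret, counter, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, now, period=TIME_PERIOD, discrepancy=TIME_DISCREPANCY):
    """Accept the current code and up to `discrepancy` immediately preceding codes.

    Future codes are not accepted (the page only speaks of past codes), and the
    comparison is constant-time so timing does not reveal which digits matched.
    """
    if not code.isdigit():
        return False
    counter = int(now) // period
    accepted = False
    # Check every candidate instead of returning early to keep timing uniform.
    for back in range(discrepancy + 1):
        if hmac.compare_digest(totp_code(secret, counter - back), code):
            accepted = True
    return accepted
```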
+ | |||
+ | === CAS authentication filter === | ||
+ | @since 10.9.0 | ||
+ | [[..: | ||
+ | <code properties> | ||
+ | # Enable authentication via CAS. If enabled, all properties below "Other properties" | ||
+ | idm.pub.core.cas.sso.enabled=true | ||
+ | # Other properties | ||
+ | # Base URL where CAS is accessible. Syntax of this field is https:// | ||
+ | idm.pub.core.cas.url= | ||
+ | # Suffix which is appended to idm.pub.core.cas.url. The resulting URL is used for the login operation in CAS. It must start with a slash (e.g. /login). | ||
+ | idm.pub.core.cas.login-suffix=/ | ||
+ | # Suffix which is appended to idm.pub.core.cas.url. The resulting URL is used for the single sign-out operation. It must start with a slash (e.g. /logout). | ||
+ | idm.pub.core.cas.logout-suffix=/ | ||
+ | # URL of CzechIdM. This URL is used for redirecting back after logout and also for ticket validation. Syntax of this field is https:// | ||
+ | idm.pub.core.cas.idm-url= | ||
+ | # Header name in which CAS sends the ticket value. | ||
+ | idm.sec.core.cas.header-name=referer | ||
+ | # Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https:// | ||
+ | idm.sec.core.cas.header-prefix= | ||
+ | </ | ||
+ | |||
+ | ==== Backup ==== | ||
+ | If you want to use redeploy and backup, for example in an agenda (notification templates, scripts), you must define the default backup folder. | ||
+ | When redeploy is used, the current templates (or scripts) are loaded from the classpath according to the configuration (for templates or scripts) and deployed into the application. The previous templates (or scripts) are backed up as well. | ||
+ | |||
+ | <code properties> | ||
+ | # Configuration property for backup files. | ||
+ | # Configured attachment storage path ( see ' | ||
+ | idm.sec.core.backups.default.folder.path=/ | ||
+ | </ | ||
+ | |||
+ | ==== Http proxy ==== | ||
+ | For outgoing http communication, | ||
+ | |||
+ | **Server restart** is needed to apply this configuration change. | ||
+ | |||
+ | <code properties> | ||
+ | # Proxy for HTTP requests | ||
+ | idm.sec.core.http.proxy=12.34.56.78: | ||
+ | </ | ||
+ | |||
+ | ==== CGLIB ==== | ||
+ | |||
+ | CGLIB has to be enforced for creating proxies. It makes it possible to use annotations on methods which are not defined in the service interface. Avoid putting logic in service constructors (they will be called twice) and always define annotations in the implementation class, [[https:// | ||
+ | |||
+ | <code properties> | ||
+ | # use cglib for proxies by default | ||
+ | spring.aop.proxy-target-class=true | ||
+ | </ | ||
+ | |||
+ | ==== Virtual system ==== | ||
+ | The VS configuration allows defining implementers via an assigned IdM role or directly by selected identities. If you do not define any direct implementers nor any role in the VS configuration, | ||
+ | The default role can be defined in the configuration: | ||
+ | |||
+ | <code properties> | ||
+ | # If you do not define a default role, then **superAdminRole** will be used as default! | ||
+ | idm.sec.vs.role.default=< | ||
+ | </ | ||
+ | |||
+ | ==== Long polling ==== | ||
+ | |||
+ | <code properties> | ||
+ | # Long polling | ||
+ | idm.pub.app.long-polling.enabled=true | ||
+ | </ | ||
+ | |||
+ | You can disable long polling for all types of entities by using the value ''false''. | ||
+ | |||
+ | |||
+ | |||
+ | ==== Provisioning ==== | ||
+ | |||
+ | <code properties> | ||
+ | # It's possible to send additional attributes when the password is changed (mapped attributes with the flag sendOnPasswordChange) | ||
+ | # - true: additional password attributes will be sent in one provisioning operation together with the password | ||
+ | # - false: additional password attributes will be sent in a new provisioning operation, after the password change operation | ||
+ | idm.sec.acc.provisioning.sendPasswordAttributesTogether=true | ||
+ | |||
+ | # It's possible to automatically map an existing account on the target system. It means that before creating a new account (calling create on the connector), | ||
+ | # we try to find the account (by generated UID) on the target system. If an account is | ||
+ | # returned, it will be mapped to the IdM account. The target account will be reused and only updated by the connector. | ||
+ | # - true: reuse the account | ||
+ | # - false: do not reuse the account | ||
+ | # - Default value is ' | ||
+ | idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true | ||
+ | |||
+ | # Default provisioning timeout in millis - every longer provisioning operation will end with a timeout exception (prevents running operations from getting stuck). | ||
+ | # 3 minutes by default. | ||
+ | # The timeout has to be configured >= 1000, otherwise the default will be used. | ||
+ | idm.sec.acc.provisioning.timeout=180000 | ||
+ | </ | ||
+ | |||
+ | ==== Provisioning global break ==== | ||
+ | <note tip>To enable the global provisioning break you must set the configuration properties defined below, otherwise the global provisioning break will not be active.</ | ||
+ | |||
+ | <code properties> | ||
+ | # Global break for update disabled/ | ||
+ | idm.sec.acc.provisioning.break.update.disabled | ||
+ | # Global break for update checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.period | ||
+ | # Global break for update disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.disableLimit | ||
+ | # Global break for update disabled template (ID of template; if null, the default template will be used) | ||
+ | idm.sec.acc.provisioning.break.update.templateDisable | ||
+ | # Global break for update warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.warningLimit | ||
+ | # Global break for update warning template (ID of template; if null, the default template will be used) | ||
+ | idm.sec.acc.provisioning.break.update.templateWarning | ||
+ | # Global break for update. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.update.identityRecipients | ||
+ | # Global break for update. Recipients will be resolved as identities that have the defined role/s assigned (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.update.roleRecipients | ||
+ | # | ||
+ | # | ||
+ | # Global break for create disabled/ | ||
+ | idm.sec.acc.provisioning.break.create.disabled | ||
+ | # Global break for create checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.period | ||
+ | # Global break for create disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.disableLimit | ||
+ | # Global break for create disabled template (ID of template; if null, the default template will be used) | ||
+ | idm.sec.acc.provisioning.break.create.templateDisable | ||
+ | # Global break for create warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.warningLimit | ||
+ | # Global break for create warning template (ID of template; if null, the default template will be used) | ||
+ | idm.sec.acc.provisioning.break.create.templateWarning | ||
+ | # Global break for create. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.create.identityRecipients | ||
+ | # Global break for create. Recipients will be resolved as identities that have the defined role/s assigned (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.create.roleRecipients | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # Global break for delete disabled/ | ||
+ | idm.sec.acc.provisioning.break.delete.disabled | ||
+ | # Global break for delete checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.period | ||
+ | # Global break for delete disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.disableLimit | ||
+ | # Global break for delete disabled template (ID of template; if null, the default template will be used) | ||
+ | idm.sec.acc.provisioning.break.delete.templateDisable | ||
+ | # Global break for delete warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.warningLimit | ||
+ | # Global break for delete warning template (ID of template; if null, the default template will be used) | ||
+ | idm.sec.acc.provisioning.break.delete.templateWarning | ||
+ | # Global break for delete. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.delete.identityRecipients | ||
+ | # Global break for delete. Recipients will be resolved as identities that have the defined role/s assigned (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.delete.roleRecipients | ||
+ | </ | ||
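The properties above describe the break as a counter per operation type (create / update / delete) with a period, a warning limit, a disable limit and two kinds of recipients. The following is an added example (not CzechIdM code) of that logic as a sliding-window counter; the unit of ''period'' and the reset behaviour are assumptions, and the settings, usernames and role code are constructed.

```python
from collections import deque

# Constructed settings mirroring idm.sec.acc.provisioning.break.update.* above.
# The unit of `period` is an assumption (the page only says integer values);
# here it is the same unit as the timestamps passed to record().
UPDATE_BREAK = {"disabled": False, "period": 5, "warningLimit": 3, "disableLimit": 5,
                "identityRecipients": ["alice"], "roleRecipients": ["security-team"]}


class ProvisioningBreak:
    """Sliding-window counter for one operation type (create / update / delete).

    Each recorded operation returns the state the break would report:
    OK below the limits, WARNING once warningLimit operations fall inside the
    period, DISABLED once disableLimit is reached (and for every operation
    after that until an operator resets the break). A limit <= 0 is ignored.
    """

    def __init__(self, cfg):
        self.cfg = cfg
        self.events = deque()   # timestamps of operations inside the window
        self.blocked = False

    def record(self, now):
        if self.cfg["disabled"]:
            return "OK"
        if self.blocked:
            return "DISABLED"
        self.events.append(now)
        # Drop operations that have left the window.
        while self.events and now - self.events[0] >= self.cfg["period"]:
            self.events.popleft()
        count = len(self.events)
        if 0 < self.cfg["disableLimit"] <= count:
            self.blocked = True
            return "DISABLED"
        if 0 < self.cfg["warningLimit"] <= count:
            return "WARNING"
        return "OK"

    def reset(self):
        """Operator re-enables provisioning after reviewing the notifications."""
        self.blocked = False
        self.events.clear()


def resolve_recipients(cfg, role_members):
    """Union of identityRecipients and the members of every role in roleRecipients.

    `role_members` maps role code -> usernames (constructed lookup; in the
    product the role members come from the database).
    """
    recipients = set(cfg["identityRecipients"])
    for role in cfg["roleRecipients"]:
        recipients.update(role_members.get(role, []))
    return recipients
```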
+ | |||
+ | ==== Reports ==== | ||
+ | |||
+ | === Report executor === | ||
+ | |||
+ | In the application profile ('' | ||
+ | Every report executor (~report) can have its own configuration properties under the prefix: | ||
+ | <code properties> | ||
+ | # disable / enable report | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where ''< | ||
+ | |||
+ | Common configuration properties for all reports: | ||
+ | * '' | ||
+ | |||
+ | === Report renderer === | ||
+ | |||
+ | In the application profile ('' | ||
+ | Every report renderer can have its own configuration properties under the prefix: | ||
+ | <code properties> | ||
+ | # disable / enable renderer | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where ''< | ||
+ | |||
+ | Common configuration properties for all renderers: | ||
+ | * '' | ||
+ | |||
+ | ==== Logger ==== | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # Show thread name configured by thread pools (task, event) in logs (generated name is shown otherwise) | ||
+ | # Two appenders ' | ||
+ | logging.pattern.console=%d{yyyy-MM-dd HH: | ||
+ | logging.pattern.file=%d{yyyy-MM-dd HH: | ||
+ | </ | ||
+ | |||
+ | Logger levels can be configured programmatically (override '' | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | idm.sec.core.logger.< | ||
+ | </ | ||
+ | |||
+ | Where ''< | ||
+ | |||
+ | Example: | ||
+ | <code properties> | ||
+ | idm.sec.core.logger.eu.bcvsolutions=DEBUG | ||
+ | </ |