Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:application_configuration:dev:backend [2019/02/05 09:41] svandav [Notification from Workflow] |
devel:documentation:application_configuration:dev:backend [2020/03/27 08:45] tomiskar |
||
---|---|---|---|
Line 1: | Line 1: | ||
===== Configuration - backend ===== | ===== Configuration - backend ===== | ||
- | {{tag> configuration}} | + | {{tag> configuration |
The application uses a Spring boot configuration in the '' | The application uses a Spring boot configuration in the '' | ||
Line 38: | Line 38: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * '' |
* '' | * '' | ||
Line 75: | Line 75: | ||
<code properties> | <code properties> | ||
# Application stage (development, | # Application stage (development, | ||
+ | # | ||
+ | # Public properties - available for frontend without authentication (show information about app, decorators etc.). | ||
+ | # | ||
+ | # Application stage - development, | ||
idm.pub.app.stage= | idm.pub.app.stage= | ||
# Application instance / server id - is used for scheduler etc. | # Application instance / server id - is used for scheduler etc. | ||
# Should be defined in property file only | # Should be defined in property file only | ||
idm.pub.app.instanceId=idm-primary | idm.pub.app.instanceId=idm-primary | ||
- | # Enable forest index for tree structures | ||
- | idm.sec.app.forest.index.enabled=true | ||
# global date format on BE. Used in notification templates, logs, etc. FE uses localization key ' | # global date format on BE. Used in notification templates, logs, etc. FE uses localization key ' | ||
idm.pub.app.format.date=dd.MM.yyyy | idm.pub.app.format.date=dd.MM.yyyy | ||
# global datetime format on BE. Used in notification templates, logs, etc. FE uses localization key ' | # global datetime format on BE. Used in notification templates, logs, etc. FE uses localization key ' | ||
idm.pub.app.format.datetime=dd.MM.yyyy HH:mm | idm.pub.app.format.datetime=dd.MM.yyyy HH:mm | ||
+ | # Show identifiers (uuid) in frontend application. Empty value by default => identifier is shown, when application ' | ||
+ | idm.pub.app.show.id= | ||
+ | # Show transaction identifiers (uuid) in frontend application | ||
+ | idm.pub.app.show.transactionId=false | ||
+ | # Show role environmnent in frontend application for roles (table, role detail, niceLabel, info components, role select) | ||
+ | idm.pub.app.show.environment=true | ||
+ | # Available size options for tables in frontend application | ||
+ | idm.pub.app.show.sizeOptions=10, | ||
+ | # show default form for newly cretaed user | ||
+ | # default form can be disabled => at least one configured form projection is needed | ||
+ | idm.pub.app.show.identity.formProjection.default=true | ||
+ | # | ||
+ | # Private properties - used on backend only. | ||
+ | # | ||
# create demo data at application start | # create demo data at application start | ||
idm.sec.core.demo.data.enabled=true | idm.sec.core.demo.data.enabled=true | ||
# demo data was created - prevent to create demo data duplicitly | # demo data was created - prevent to create demo data duplicitly | ||
idm.sec.core.demo.data.created=false | idm.sec.core.demo.data.created=false | ||
+ | # Enable forest index for tree structures | ||
+ | idm.sec.app.forest.index.enabled=true | ||
</ | </ | ||
Line 96: | Line 114: | ||
<code properties> | <code properties> | ||
- | # audit table suffix | + | # ZonedDateTime is stored in UTC |
+ | spring.jpa.properties.hibernate.jdbc.time_zone=UTC | ||
+ | # Driver (e.g. postgres) does not support contextual LOB creation | ||
+ | spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true | ||
+ | # audit table suffixes | ||
spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a | spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a | ||
+ | spring.jpa.properties.org.hibernate.envers.modified_flag_suffix=_m | ||
# modified flag for all audited columns | # modified flag for all audited columns | ||
spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true | spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true | ||
# prevent to modify attributes created, creator etc. | # prevent to modify attributes created, creator etc. | ||
- | spring.jpa.properties.hibernate.ejb.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor | + | spring.jpa.properties.org.hibernate.envers.audit_strategy=eu.bcvsolutions.idm.core.model.repository.listener.IdmAuditStrategy |
+ | spring.jpa.properties.hibernate.session_factory.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor | ||
# enable / disable audit (envers) | # enable / disable audit (envers) | ||
spring.jpa.properties.hibernate.listeners.envers.autoRegister=true | spring.jpa.properties.hibernate.listeners.envers.autoRegister=true | ||
+ | # Spring boot 2 changed default to true, but we are using IDENTITY identifier generators for mssql database. | ||
+ | spring.jpa.hibernate.use-new-id-generator-mappings=false | ||
# | # | ||
# DB ddl auto generation by hibernate is disabled - flyway database migration is used | # DB ddl auto generation by hibernate is disabled - flyway database migration is used | ||
Line 118: | Line 143: | ||
spring.datasource.testOnBorrow=true | spring.datasource.testOnBorrow=true | ||
spring.datasource.validationQuery=SELECT 1 | spring.datasource.validationQuery=SELECT 1 | ||
+ | # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. | ||
+ | spring.datasource.hikari.maximumPoolSize=50 | ||
</ | </ | ||
Line 204: | Line 231: | ||
# temporary file time to live in milliseconds | # temporary file time to live in milliseconds | ||
# older temporary files will be purged, default 14 days | # older temporary files will be purged, default 14 days | ||
+ | # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends). | ||
idm.sec.core.attachment.tempTtl=1209600000 | idm.sec.core.attachment.tempTtl=1209600000 | ||
+ | </ | ||
+ | |||
+ | In the application profile (application.properties). | ||
+ | |||
+ | <code properties> | ||
+ | # Max file size of uploaded file. Values can use the suffixed " | ||
+ | spring.servlet.multipart.max-file-size=100MB | ||
+ | spring.servlet.multipart.max-request-size=100MB | ||
+ | |||
</ | </ | ||
Line 244: | Line 281: | ||
# - recaptchaservice endpoint | # - recaptchaservice endpoint | ||
idm.sec.security.recaptcha.url=https:// | idm.sec.security.recaptcha.url=https:// | ||
- | # - secret key, can be generated here https:// | + | # - secret key, can be generated here https:// |
# - test secret key: https:// | # - test secret key: https:// | ||
idm.sec.security.recaptcha.secretKey=xxx | idm.sec.security.recaptcha.secretKey=xxx | ||
Line 384: | Line 421: | ||
# When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | ||
scheduler.task.executor.maxPoolSize= | scheduler.task.executor.maxPoolSize= | ||
- | # Waiting tasks to be processed. Uses {@code Integer.MAX_VALUE} | + | # Waiting tasks to be processed. Uses 20 as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. |
- | # {@link AbotrPolicy} is set for rejected tasks. | + | # {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link LongRunningTaskManager}). |
- | scheduler.task.executor.queueCapacity= | + | scheduler.task.executor.queueCapacity=20 |
# Thread priority for threads in event executor pool - 5 by default (normal). | # Thread priority for threads in event executor pool - 5 by default (normal). | ||
scheduler.task.executor.threadPriority= | scheduler.task.executor.threadPriority= | ||
- | # Event queue processing period (ms). Default | + | # Event queue processing period (ms). Period to read prepared (~created) asynchronous entity events from queue. |
- | scheduler.event.queue.process=1000 | + | # Events are processed in batch configured by property ' |
+ | # Default | ||
+ | scheduler.event.queue.process=500 | ||
# Event executor core pool size. Uses CPU count + 1 as default. | # Event executor core pool size. Uses CPU count + 1 as default. | ||
scheduler.event.executor.corePoolSize= | scheduler.event.executor.corePoolSize= | ||
Line 397: | Line 436: | ||
# When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | ||
scheduler.event.executor.maxPoolSize= | scheduler.event.executor.maxPoolSize= | ||
- | # Waiting events to be processed. Uses 1000 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. | + | # Waiting events to be processed. Uses 50 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. |
- | # {@link AbotrPolicy} is set for rejected tasks. | + | # {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link EntityEventManager}). |
- | scheduler.event.executor.queueCapacity=1000 | + | scheduler.event.executor.queueCapacity=50 |
# Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). | # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). | ||
scheduler.event.executor.threadPriority=6 | scheduler.event.executor.threadPriority=6 | ||
Line 419: | Line 458: | ||
idm.pub.core.identity.passwordChange=ALL_ONLY | idm.pub.core.identity.passwordChange=ALL_ONLY | ||
# | # | ||
- | # required old password for change password. Needed on FE (=> public) | + | # required old password for change password. |
+ | # Needed on FE (=> public) | ||
idm.pub.core.identity.passwordChange.requireOldPassword=true | idm.pub.core.identity.passwordChange.requireOldPassword=true | ||
# | # | ||
Line 425: | Line 465: | ||
# true - change to IdM and all system | # true - change to IdM and all system | ||
# false - change to all system except IdM | # false - change to all system except IdM | ||
+ | # Needed on FE (=> public) | ||
idm.pub.core.identity.passwordChange.public.idm.enabled=true | idm.pub.core.identity.passwordChange.public.idm.enabled=true | ||
# | # | ||
Line 430: | Line 471: | ||
# skipped in synchronizations - contract synchronization should be provided. | # skipped in synchronizations - contract synchronization should be provided. | ||
idm.pub.core.identity.create.defaultContract.enabled=true | idm.pub.core.identity.create.defaultContract.enabled=true | ||
+ | # | ||
+ | # Skip identity dashboard content - show full detail directly (link from table or from info component) | ||
+ | # Needed on FE (=> public) | ||
+ | idm.pub.core.identity.dashboard.skip= | ||
# | # | ||
# supports authorization policies for extended form definitions and their values for identities | # supports authorization policies for extended form definitions and their values for identities | ||
Line 497: | Line 542: | ||
# Asynchronous events will be executed on server instance with id. Default is the same as {@link ConfigurationService# | # Asynchronous events will be executed on server instance with id. Default is the same as {@link ConfigurationService# | ||
idm.sec.core.event.asynchronous.instanceId= | idm.sec.core.event.asynchronous.instanceId= | ||
+ | # Asynchronous events will be executed in batch - batch will be split for event with HIGH / NORMAL priority in 70% HIGH / 30% NORMAL. | ||
+ | # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher ' | ||
+ | idm.sec.core.event.asynchronous.batchSize=15 | ||
</ | </ | ||
Line 519: | Line 567: | ||
- | ==== Workflow ===== | + | ==== Workflow |
<code properties> | <code properties> | ||
## WF | ## WF | ||
- | # Global property that allow disable or enable sending notification from WF | ||
- | idm.sec.core.wf.notification.send=false | ||
# Approve by manager | # Approve by manager | ||
idm.sec.core.wf.approval.manager.enabled=false | idm.sec.core.wf.approval.manager.enabled=false | ||
Line 547: | Line 593: | ||
# In the request to create new role is also used. | # In the request to create new role is also used. | ||
idm.sec.core.wf.approval.role-change.role= | idm.sec.core.wf.approval.role-change.role= | ||
+ | # | ||
+ | # Default main WF for approve all roles. | ||
+ | idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions | ||
</ | </ | ||
Line 643: | Line 692: | ||
idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= | idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= | ||
</ | </ | ||
+ | |||
+ | === Remote user authentication filter === | ||
+ | Login into IdM by preset request remote user by servlet container can be configured with following properties: | ||
+ | <code properties> | ||
+ | # Allow remote user authentication | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.enabled=false | ||
+ | # The suffixes to remove from the login - usually domains | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.uid-suffixes= | ||
+ | # The uids that can't be authenticated by SSO | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids= | ||
+ | </ | ||
+ | |||
+ | This authentication filter reuses SSO authentication filter behavior above ('' | ||
==== Backup ==== | ==== Backup ==== | ||
- | If you want to use redeploy and backup for example in agenda (notification | + | If you want to use redeploy and backup for example in agenda (notification |
+ | When redploy is used, then actual templates (or scripsts) are loaded from classpath by configuration (for templates or scripts) and deployed into application. Previous templates (or scripts) are backup too. | ||
<code properties> | <code properties> | ||
# configuration property for default backup | # configuration property for default backup | ||
Line 678: | Line 742: | ||
idm.sec.vs.role.default=< | idm.sec.vs.role.default=< | ||
</ | </ | ||
+ | |||
+ | ==== Long polling ==== | ||
+ | |||
+ | <code properties> | ||
+ | # Long polling | ||
+ | idm.pub.app.long-polling.enabled=true | ||
+ | </ | ||
+ | |||
+ | You can disable long polling for all types of entites with use value `false`. | ||
==== Provisioning ==== | ==== Provisioning ==== | ||
Line 694: | Line 767: | ||
# - Default value is ' | # - Default value is ' | ||
idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true | idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true | ||
+ | |||
+ | # Default provisioning timeout in milis - every longer provisioning operations will ends with timeout exception (prevent to stuck running operations). | ||
+ | # 3 minutes by default. | ||
+ | # Timeout has to be configured >= 1000, otherwise default will be returned. | ||
+ | idm.sec.acc.provisioning.timeout=180000 | ||
+ | </ | ||
+ | |||
+ | ==== Provisioning global break ==== | ||
+ | <note tip>For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be active.</ | ||
+ | |||
+ | <code properties> | ||
+ | # Global break for update disabled/ | ||
+ | idm.sec.acc.provisioning.break.update.disabled | ||
+ | # Global break for update checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.period | ||
+ | # Global break for update disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.disableLimit | ||
+ | # Global break for update disabled template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.update.templateDisable | ||
+ | # Global break for update warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.warningLimit | ||
+ | # Global break for update warning template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.update.templateWarning | ||
+ | # Global break for update. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.update.identityRecipients | ||
+ | # Global break for update. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.update.roleRecipients | ||
+ | # | ||
+ | # | ||
+ | # Global break for create disabled/ | ||
+ | idm.sec.acc.provisioning.break.create.disabled | ||
+ | # Global break for create checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.period | ||
+ | # Global break for create disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.disableLimit | ||
+ | # Global break for create disabled template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.create.templateDisable | ||
+ | # Global break for create warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.warningLimit | ||
+ | # Global break for create warning template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.create.templateWarning | ||
+ | # Global break for create. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.create.identityRecipients | ||
+ | # Global break for create. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.create.roleRecipients | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # Global break for delete disabled/ | ||
+ | idm.sec.acc.provisioning.break.delete.disabled | ||
+ | # Global break for delete checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.period | ||
+ | # Global break for delete disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.disableLimit | ||
+ | # Global break for delete disabled template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.delete.templateDisable | ||
+ | # Global break for delete warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.warningLimit | ||
+ | # Global break for delete warning template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.delete.templateWarning | ||
+ | # Global break for delete. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.delete.identityRecipients | ||
+ | # Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.delete.roleRecipients | ||
</ | </ | ||
Line 723: | Line 860: | ||
Common configuration properties for all renderers: | Common configuration properties for all renderers: | ||
* '' | * '' | ||
+ | |||
+ | ==== Logger ==== | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | Logger levels can be configured programmatically (override '' | ||
+ | |||
+ | <code properties> | ||
+ | idm.sec.core.logger.< | ||
+ | </ | ||
+ | |||
+ | Where ''< | ||
+ | |||
+ | Example: | ||
+ | <code properties> | ||
+ | idm.sec.core.logger.eu.bcvsolutions=DEBUG | ||
+ | </ |