Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:application_configuration:dev:backend [2019/02/05 09:44] svandav [Workflow] |
devel:documentation:application_configuration:dev:backend [2021/09/10 08:15] tomiskar [Identity] |
||
---|---|---|---|
Line 1: | Line 1: | ||
===== Configuration - backend ===== | ===== Configuration - backend ===== | ||
- | {{tag> configuration}} | + | {{tag> configuration |
The application uses a Spring boot configuration in the '' | The application uses a Spring boot configuration in the '' | ||
Line 12: | Line 12: | ||
* if the name of a configuration item contains the'' | * if the name of a configuration item contains the'' | ||
* It is better to use constants for keys, e.g. '' | * It is better to use constants for keys, e.g. '' | ||
- | |||
- | Cache is used for reading configuration values - default spring boot cache (ConcurrentHashMap) is configured for now. Value in cache is cleared by an active (save, delete) operation. | ||
- | |||
- | <note tip> | ||
- | If you are debugging some of code and are you figuring, something is wrong with the cache, then you can turn the cache off with property (in application.properties) | ||
- | <code properties> | ||
- | spring.cache.type=none | ||
- | </ | ||
- | </ | ||
==== Configure environment properties ==== | ==== Configure environment properties ==== | ||
Line 38: | Line 29: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * '' |
* '' | * '' | ||
Line 54: | Line 45: | ||
- | <note important> | + | [[https:// |
- | < | + | |
- | Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: | + | |
- | </ | + | |
- | |||
- | [[https:// | ||
- | |||
- | < | ||
- | -Djava.util.Arrays.useLegacyMergeSort=true | ||
- | </ | ||
Line 75: | Line 57: | ||
<code properties> | <code properties> | ||
# Application stage (development, | # Application stage (development, | ||
+ | # | ||
+ | # Public properties - available for frontend without authentication (show information about app, decorators etc.). | ||
+ | # | ||
+ | # Application stage - development, | ||
idm.pub.app.stage= | idm.pub.app.stage= | ||
# Application instance / server id - is used for scheduler etc. | # Application instance / server id - is used for scheduler etc. | ||
- | # Should | + | # Can be defined in property file only! Overidding via ConfigurationService is not possible for application instance (~ more instanceos on the same database) |
idm.pub.app.instanceId=idm-primary | idm.pub.app.instanceId=idm-primary | ||
- | # Enable forest index for tree structures | ||
- | idm.sec.app.forest.index.enabled=true | ||
# global date format on BE. Used in notification templates, logs, etc. FE uses localization key ' | # global date format on BE. Used in notification templates, logs, etc. FE uses localization key ' | ||
idm.pub.app.format.date=dd.MM.yyyy | idm.pub.app.format.date=dd.MM.yyyy | ||
# global datetime format on BE. Used in notification templates, logs, etc. FE uses localization key ' | # global datetime format on BE. Used in notification templates, logs, etc. FE uses localization key ' | ||
idm.pub.app.format.datetime=dd.MM.yyyy HH:mm | idm.pub.app.format.datetime=dd.MM.yyyy HH:mm | ||
- | # create | + | # Show identifiers (uuid) in frontend application. Empty value by default => identifier is shown, when application ' |
+ | idm.pub.app.show.id= | ||
+ | # Show transaction identifiers (uuid) in frontend application. | ||
+ | idm.pub.app.show.transactionId=false | ||
+ | # Show role environment in frontend application for roles (table, role detail, niceLabel, info components, role select). | ||
+ | idm.pub.app.show.environment=true | ||
+ | # Show role baseCode in frontend application for roles (table, role detail, niceLabel, info components, role select). | ||
+ | idm.pub.app.show.role.baseCode=true | ||
+ | # Rendered column in role table agenda. Comma is used as separator. Order of rendered columns is preserved as configured. | ||
+ | # Available columns: | ||
+ | # - name - role name info card with link to detail | ||
+ | # - baseCode - role base code (without environment) | ||
+ | # - environment - role environment | ||
+ | # - disabled | ||
+ | # - description | ||
+ | idm.pub.app.show.role.table.columns=name, | ||
+ | # Show role catalogue item code in role catalogue tree | ||
+ | idm.pub.app.show.roleCatalogue.tree.code=false | ||
+ | # Number of items (pagination) in role catalogue tree in root level. Used on role select and agenda. | ||
+ | idm.pub.app.show.roleCatalogue.tree.pagination.root.size=25 | ||
+ | # Number of items (pagination) in role catalogue tree in other levels. Used on role select and agenda. | ||
+ | idm.pub.app.show.roleCatalogue.tree.pagination.node.size=25 | ||
+ | # Number of items (pagination) in tree node structure in root level. | ||
+ | idm.pub.app.show.treeNode.tree.pagination.root.size=50 | ||
+ | # Number of items (pagination) in tree node structure in other levels. | ||
+ | idm.pub.app.show.treeNode.tree.pagination.node.size=50 | ||
+ | # Available size options for tables in frontend application | ||
+ | idm.pub.app.show.sizeOptions=10, | ||
+ | # Show buttons for bulk actions in tables (0 = select box will be shown only). | ||
+ | # Count of quick access buttons for bulk actions in tables - the first count of bulk actions will be shown as button - next action will be rendered in drop down select box. | ||
+ | # Bulk action icon is required for quick access button - action without icon will be rendered in select box. | ||
+ | # Bulk action can enforce showing in quick access button (by bulk action configuration). | ||
+ | idm.pub.app.show.table.quickButton.count=5 | ||
+ | # Quick button for bulk actions in tables will be included in drop down select box too (available as button + menu item with text). | ||
+ | # Number of selected record is shown in drop down select header. | ||
+ | idm.pub.app.show.table.quickButton.menuIncluded=true | ||
+ | # Show default form for newly created user. | ||
+ | # Default form can be disabled => at least one configured form projection is needed. | ||
+ | idm.pub.app.show.identity.formProjection.default=true | ||
+ | # Rendered column in identity table agenda. Comma is used as separator. Order of rendered columns is preserved as configured. | ||
+ | # Available columns: | ||
+ | # - username - username with link to detail | ||
+ | # - entityinfo - identity info card | ||
+ | # - lastName | ||
+ | # - firstName | ||
+ | # - externalCode - personal number | ||
+ | |||
+ | # - state | ||
+ | # - passwordexpiration - information about identity password epiration | ||
+ | # - description | ||
+ | # Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE). | ||
+ | # If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail), | ||
+ | # you can use FE configuration https:// | ||
+ | idm.pub.app.show.identity.table.columns=username, | ||
+ | idm.pub.app.show.identityRole.table.columns=role, | ||
+ | # If is true, then role-request description will be show on the detail. | ||
+ | # Description will hidden if this property will be false and role request | ||
+ | # doesn' | ||
+ | idm.pub.app.show.roleRequest.description=true | ||
+ | # | ||
+ | # Private properties - used on backend only. | ||
+ | # | ||
+ | # Create | ||
idm.sec.core.demo.data.enabled=true | idm.sec.core.demo.data.enabled=true | ||
- | # demo data was created - prevent to create demo data duplicitly | + | # Demo data was created - prevent to create demo data duplicitly. |
idm.sec.core.demo.data.created=false | idm.sec.core.demo.data.created=false | ||
+ | # Create init data at application start. Init data (product provided roles) are updated automatically with pruct updates. | ||
+ | # Set property to false to disable init data creation and updates. | ||
+ | idm.sec.core.init.data.enabled=true | ||
</ | </ | ||
+ | |||
+ | === Change server for asynchronous processing (switch application instance) == | ||
+ | |||
+ | @since 11.1.0 | ||
+ | |||
+ | Application instance (server) is used for asynchronus processing - for scheduled tasks, asynchronous long running tasks and events. | ||
+ | Instance identifier can be defined in the application profile (application.properties) by property '' | ||
+ | When we want to schedule and process asynchronous tasks and event on other instace (or when one instance shutdown), then we can switch processing by provided bulk action '' | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Previous and new instance identifier is required as input parameters. All scheduled tasks and all created (~ not processed) asynchronous long running tasks and events will be moved from previous to new instance and will be processed on new instance (server). | ||
+ | |||
+ | Bulk action is available for logged user with required authorities and permissions: | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
==== Jpa === | ==== Jpa === | ||
Line 96: | Line 163: | ||
<code properties> | <code properties> | ||
- | # audit table suffix | + | # ZonedDateTime is stored in UTC |
+ | spring.jpa.properties.hibernate.jdbc.time_zone=UTC | ||
+ | # Driver (e.g. postgres) does not support contextual LOB creation | ||
+ | spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true | ||
+ | # audit table suffixes | ||
spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a | spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a | ||
+ | spring.jpa.properties.org.hibernate.envers.modified_flag_suffix=_m | ||
# modified flag for all audited columns | # modified flag for all audited columns | ||
spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true | spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true | ||
# prevent to modify attributes created, creator etc. | # prevent to modify attributes created, creator etc. | ||
- | spring.jpa.properties.hibernate.ejb.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor | + | spring.jpa.properties.org.hibernate.envers.audit_strategy=eu.bcvsolutions.idm.core.model.repository.listener.IdmAuditStrategy |
+ | spring.jpa.properties.hibernate.session_factory.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor | ||
# enable / disable audit (envers) | # enable / disable audit (envers) | ||
spring.jpa.properties.hibernate.listeners.envers.autoRegister=true | spring.jpa.properties.hibernate.listeners.envers.autoRegister=true | ||
+ | # Spring boot 2 changed default to true, but we are using IDENTITY identifier generators for mssql database. | ||
+ | spring.jpa.hibernate.use-new-id-generator-mappings=false | ||
# | # | ||
# DB ddl auto generation by hibernate is disabled - flyway database migration is used | # DB ddl auto generation by hibernate is disabled - flyway database migration is used | ||
Line 118: | Line 192: | ||
spring.datasource.testOnBorrow=true | spring.datasource.testOnBorrow=true | ||
spring.datasource.validationQuery=SELECT 1 | spring.datasource.validationQuery=SELECT 1 | ||
+ | # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. | ||
+ | spring.datasource.hikari.maximumPoolSize=50 | ||
</ | </ | ||
Line 149: | Line 225: | ||
< | < | ||
| | ||
- | < | + | < |
< | < | ||
<!-- please note the " | <!-- please note the " | ||
Line 182: | Line 258: | ||
</ | </ | ||
+ | ==== Cache ==== | ||
- | ==== Attachment storage === | + | Cache is used for reading configuration values. Value in cache is cleared by an active (save, delete) operation. |
+ | |||
+ | In the application profile (application.properties): | ||
+ | |||
+ | |||
+ | |||
+ | <code properties> | ||
+ | # Disable cache | ||
+ | # If you are debugging some of code and are you figuring, something is wrong with the cache, then you can turn the cache off with property. | ||
+ | # | ||
+ | # | ||
+ | # Clusterred cache settings | ||
+ | # | ||
+ | idm.sec.cache.terracota.resource.name=main | ||
+ | idm.sec.cache.terracota.resource.pool.name=resource-pool | ||
+ | # Size in MB | ||
+ | idm.sec.cache.terracota.resource.pool.size=32 | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Attachment storage | ||
'' | '' | ||
- | In the application profile (application.properties) and overloadable via '' | + | In the application profile (application.properties): |
+ | |||
+ | <code properties> | ||
+ | # Max file size of uploaded file. Values can use the suffixed " | ||
+ | # Application server (e.g. Tomcat " | ||
+ | spring.servlet.multipart.max-file-size=100MB | ||
+ | spring.servlet.multipart.max-request-size=100MB | ||
+ | |||
+ | </ | ||
+ | |||
+ | In the application profile (application.properties) and overloadable via '' | ||
<code properties> | <code properties> | ||
Line 204: | Line 311: | ||
# temporary file time to live in milliseconds | # temporary file time to live in milliseconds | ||
# older temporary files will be purged, default 14 days | # older temporary files will be purged, default 14 days | ||
+ | # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends). | ||
idm.sec.core.attachment.tempTtl=1209600000 | idm.sec.core.attachment.tempTtl=1209600000 | ||
</ | </ | ||
- | ==== Activiti workflow === | + | ==== Activiti workflow |
<code properties> | <code properties> | ||
# String boot properties for Activiti workflow engine | # String boot properties for Activiti workflow engine | ||
Line 244: | Line 352: | ||
# - recaptchaservice endpoint | # - recaptchaservice endpoint | ||
idm.sec.security.recaptcha.url=https:// | idm.sec.security.recaptcha.url=https:// | ||
- | # - secret key, can be generated here https:// | + | # - secret key, can be generated here https:// |
# - test secret key: https:// | # - test secret key: https:// | ||
idm.sec.security.recaptcha.secretKey=xxx | idm.sec.security.recaptcha.secretKey=xxx | ||
Line 384: | Line 492: | ||
# When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | ||
scheduler.task.executor.maxPoolSize= | scheduler.task.executor.maxPoolSize= | ||
- | # Waiting tasks to be processed. Uses {@code Integer.MAX_VALUE} | + | # Waiting tasks to be processed. Uses 20 as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. |
- | # {@link AbotrPolicy} is set for rejected tasks. | + | # {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link LongRunningTaskManager}). |
- | scheduler.task.executor.queueCapacity= | + | scheduler.task.executor.queueCapacity=20 |
# Thread priority for threads in event executor pool - 5 by default (normal). | # Thread priority for threads in event executor pool - 5 by default (normal). | ||
scheduler.task.executor.threadPriority= | scheduler.task.executor.threadPriority= | ||
- | # Event queue processing period (ms). Default | + | # Asynchronous task processing is stopped. |
- | scheduler.event.queue.process=1000 | + | # Asynchronous task processing is stopped, when instance for processing is switched => prevent to process asynchronous task in the meantime. |
+ | # Asynchronous task processing can be stopped for testing or debugging purposes. | ||
+ | # Asynchronous task are still created in queue, but they are not processed automatically - task can be executed manually from ui. | ||
+ | idm.sec.core.scheduler.task.asynchronous.stopProcessing=false | ||
+ | # Event queue processing period (ms). Period to read prepared (~created) asynchronous entity events from queue. | ||
+ | # Events are processed in batch configured by property ' | ||
+ | # Default | ||
+ | scheduler.event.queue.process=500 | ||
# Event executor core pool size. Uses CPU count + 1 as default. | # Event executor core pool size. Uses CPU count + 1 as default. | ||
scheduler.event.executor.corePoolSize= | scheduler.event.executor.corePoolSize= | ||
Line 397: | Line 512: | ||
# When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | ||
scheduler.event.executor.maxPoolSize= | scheduler.event.executor.maxPoolSize= | ||
- | # Waiting events to be processed. Uses 1000 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. | + | # Waiting events to be processed. Uses 50 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. |
- | # {@link AbotrPolicy} is set for rejected tasks. | + | # {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link EntityEventManager}). |
- | scheduler.event.executor.queueCapacity=1000 | + | scheduler.event.executor.queueCapacity=50 |
# Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). | # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). | ||
scheduler.event.executor.threadPriority=6 | scheduler.event.executor.threadPriority=6 | ||
Line 410: | Line 525: | ||
<code properties> | <code properties> | ||
# supports delete identity. Needed on FE (=> public) to render available bulk action in table | # supports delete identity. Needed on FE (=> public) to render available bulk action in table | ||
+ | # @deprecated @since 10.6.0 - action can be disabled by bulk action configurable api - use ' | ||
idm.pub.core.identity.delete=true | idm.pub.core.identity.delete=true | ||
# | # | ||
Line 417: | Line 533: | ||
# CUSTOM - users can choose for which accounts change password | # CUSTOM - users can choose for which accounts change password | ||
# Needed on FE (=> public) | # Needed on FE (=> public) | ||
- | idm.pub.core.identity.passwordChange=ALL_ONLY | + | idm.pub.core.identity.passwordChange=CUSTOM |
# | # | ||
- | # required old password for change password. Needed on FE (=> public) | + | # required old password for change password. |
+ | # Needed on FE (=> public) | ||
idm.pub.core.identity.passwordChange.requireOldPassword=true | idm.pub.core.identity.passwordChange.requireOldPassword=true | ||
# | # | ||
Line 425: | Line 542: | ||
# true - change to IdM and all system | # true - change to IdM and all system | ||
# false - change to all system except IdM | # false - change to all system except IdM | ||
+ | # Needed on FE (=> public) | ||
idm.pub.core.identity.passwordChange.public.idm.enabled=true | idm.pub.core.identity.passwordChange.public.idm.enabled=true | ||
# | # | ||
- | # create | + | # Skip identity dashboard content - show full detail directly (link from table or from info component) |
- | # skipped | + | # Needed on FE (=> public) |
- | idm.pub.core.identity.create.defaultContract.enabled=true | + | idm.pub.core.identity.dashboard.skip= |
+ | # | ||
+ | # Create | ||
+ | # Skipped | ||
+ | idm.sec.core.identity.create.defaultContract.enabled=true | ||
+ | # Creates default identity' | ||
+ | idm.sec.core.identity.create.defaultContract.position=Default | ||
+ | # Creates default identity' | ||
+ | # EXCLUDED - Excluded from evidence - remains valid, but roles assigned for this contract are not added for logged identity. | ||
+ | # DISABLED - Invalid by user - not changed by dates. | ||
+ | idm.sec.core.identity.create.defaultContract.state= | ||
+ | # Number of days related to current date - will be used for set contract valid till date (current date + expiration in days = valid till). | ||
+ | # Contact valid till will not be set by default (~ contract expiration is not configured by default). | ||
+ | idm.sec.core.identity.create.defaultContract.expiration= | ||
# | # | ||
- | # supports authorization policies for extended form definitions and their values for identities | + | # Profile image max file size in readable string format |
- | # Default is false (backward compatibility) - all form definitions and attributes will be shown (controlled by permissions for identity - IDENTITY_READ / IDENTITY_UPDATE). | + | idm.sec.core.identity.profile.image.max-file-size=512KB |
- | # true - authorization policies will be evaluated (see https:// | + | |
- | idm.sec.core.identity.formAttributes.secured=false | + | |
</ | </ | ||
Line 457: | Line 586: | ||
<code properties> | <code properties> | ||
+ | # | ||
# Default user role will be added automatically, | # Default user role will be added automatically, | ||
# could contains default authorities and authority policies configuration | # could contains default authorities and authority policies configuration | ||
# for adding autocomplete or all record read permission etc. | # for adding autocomplete or all record read permission etc. | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
idm.sec.core.role.default=userRole | idm.sec.core.role.default=userRole | ||
+ | # | ||
# Admin user role | # Admin user role | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
idm.sec.core.role.admin=superAdminRole | idm.sec.core.role.admin=superAdminRole | ||
+ | # | ||
+ | # Helpdesk user role | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.core.role.helpdesk=helpdeskRole | ||
+ | # | ||
+ | # User manager role | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.core.role.userManager=userManagerRole | ||
+ | # | ||
+ | # Role manager role - role guarantee | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.core.role.roleManager=roleManagerRole | ||
+ | # | ||
+ | # Virtual system implementer | ||
+ | # Role full code should be given (should contain environment, | ||
+ | # Role authorities are updated automatically, | ||
+ | idm.sec.vs.role.implementer=virtualSystemImplementerRole | ||
+ | # | ||
# Separator for the suffix with environment used in role code. | # Separator for the suffix with environment used in role code. | ||
# Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script). | # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script). | ||
Line 495: | Line 651: | ||
# disable / enable asynchronous event processing. Events will be executed synchronously, | # disable / enable asynchronous event processing. Events will be executed synchronously, | ||
idm.sec.core.event.asynchronous.enabled=true | idm.sec.core.event.asynchronous.enabled=true | ||
+ | # Asynchronous event processing is stopped. | ||
+ | # Event processing is stopped, when instance for processing is switched => prevent to process instances in the meantime. | ||
+ | # Asynchronous event processing can be disabled for testing or debugging purposes. | ||
+ | # Events are still created in queue, but they are not processed. | ||
+ | idm.sec.core.event.asynchronous.stopProcessing=false | ||
# Asynchronous events will be executed on server instance with id. Default is the same as {@link ConfigurationService# | # Asynchronous events will be executed on server instance with id. Default is the same as {@link ConfigurationService# | ||
idm.sec.core.event.asynchronous.instanceId= | idm.sec.core.event.asynchronous.instanceId= | ||
+ | # Asynchronous events will be executed in batch - batch will be split for event with HIGH / NORMAL priority in 70% HIGH / 30% NORMAL. | ||
+ | # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher ' | ||
+ | idm.sec.core.event.asynchronous.batchSize=15 | ||
</ | </ | ||
Line 508: | Line 672: | ||
idm.sec.< | idm.sec.< | ||
</ | </ | ||
- | Where ''< | + | Where ''< |
Common configuration properties for all processors: | Common configuration properties for all processors: | ||
Line 516: | Line 680: | ||
Exists processors configuration: | Exists processors configuration: | ||
+ | |||
+ | ==== Bulk actions ==== | ||
+ | |||
+ | @since 10.6.0 | ||
+ | |||
+ | In the application profile ('' | ||
+ | Every bulk action could have his own configuration properties under prefix: | ||
+ | <code properties> | ||
+ | # disable / enable bulk action | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where ''< | ||
+ | |||
+ | Common configuration properties for all bulk actions: | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
Line 545: | Line 730: | ||
# In the request to create new role is also used. | # In the request to create new role is also used. | ||
idm.sec.core.wf.approval.role-change.role= | idm.sec.core.wf.approval.role-change.role= | ||
+ | # | ||
+ | # Default main WF for approve all roles. | ||
+ | idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions | ||
+ | </ | ||
+ | |||
+ | ==== Universal requests ===== | ||
+ | <code properties> | ||
+ | ## Universal requests | ||
+ | # Role | ||
+ | idm.pub.core.request.idm-role.enabled=false | ||
+ | # Defines type of guarantee. Requests will be approving only by guarantee with this type. | ||
+ | # If returns null, then all guarantees will be used for approving (no limitations). | ||
+ | idm.sec.core.request.idm-role.approval.guarantee-type= | ||
</ | </ | ||
Line 572: | Line 770: | ||
==== Entity filters ==== | ==== Entity filters ==== | ||
In the application profile ('' | In the application profile ('' | ||
- | Every filter could have his own configuration properties under prefix: | + | |
+ | <code properties> | ||
+ | # Enable / disable check filter is properly registered, when filter is used (by entity and property name). | ||
+ | # Throws exception, when unrecognized filter is used. | ||
+ | idm.sec.core.filter.check.supported.enabled=true | ||
+ | # Check count of values exceeded given maximum. | ||
+ | # Related to database count of query parameters (e.g. Oracle = {@code 1000}, MSSql = {@code 2100}). | ||
+ | # Throws exception, when size is exceeded. Set to {@code -1} to disable this check. | ||
+ | idm.sec.core.filter.check.size.maximum=500 | ||
+ | </ | ||
+ | |||
+ | Every registered | ||
<code properties> | <code properties> | ||
- | # enable/ disable filter - enabled by default. When filter is disabled and property is filled in filter, then '' | + | # enable / disable filter - enabled by default. When filter is disabled and property is filled in filter, then '' |
idm.sec.< | idm.sec.< | ||
# filter implementation | # filter implementation | ||
Line 609: | Line 818: | ||
==== Authentication ==== | ==== Authentication ==== | ||
- | UUID of system, against which to user will be authenticated. | + | UUID of system, against which to user will be authenticated. This authentication is from version 10.4.0 deprecated. |
<code properties> | <code properties> | ||
# ID system against which to authenticate | # ID system against which to authenticate | ||
- | idm.sec.security.auth.systemId= | + | idm.sec.security.auth.system= |
</ | </ | ||
+ | |||
+ | Authentication against multiple system wich to user will be authenticated (since 10.4.0) - ID or Code can be used: | ||
+ | <code properties> | ||
+ | idm.sec.acc.security.auth.order1.system= | ||
+ | idm.sec.acc.security.auth.order2.system= | ||
+ | </ | ||
+ | |||
+ | Maximum system for authentication can be set with the property: | ||
+ | <code properties> | ||
+ | idm.sec.acc.security.auth.maximumSystemCount=50 | ||
+ | </ | ||
+ | |||
+ | More about authenticator can be found [[devel: | ||
=== Authentication filters === | === Authentication filters === | ||
Line 640: | Line 862: | ||
# The uids that can't be authenticated by SSO | # The uids that can't be authenticated by SSO | ||
idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= | idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= | ||
+ | </ | ||
+ | |||
+ | === Remote user authentication filter === | ||
+ | Login into IdM by preset request remote user by servlet container can be configured with following properties: | ||
+ | <code properties> | ||
+ | # Allow remote user authentication | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.enabled=false | ||
+ | # The suffixes to remove from the login - usually domains | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.uid-suffixes= | ||
+ | # The uids that can't be authenticated by SSO | ||
+ | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids= | ||
+ | </ | ||
+ | |||
+ | This authentication filter reuses SSO authentication filter behavior above ('' | ||
+ | |||
+ | === Two-factor authentication === | ||
+ | |||
+ | [[..: | ||
+ | |||
+ | <code properties> | ||
+ | # Verification secret length | ||
+ | totp.secret.length=32 | ||
+ | # Time Period ~ period to generate new authentication code | ||
+ | totp.time.period=30 | ||
+ | # Time Discrepancy - number of past (but still valid) authentication codes (e.g. when code is sent by notification, | ||
+ | totp.time.discrepancy=1 | ||
+ | |||
+ | </ | ||
+ | |||
+ | === CAS authentication filter === | ||
+ | @since 10.9.0 | ||
+ | [[..: | ||
+ | <code properties> | ||
+ | # Enable authentication via CAS. If enabled, all properties below "Other properties" | ||
+ | idm.pub.core.cas.sso.enabled=true | ||
+ | # Other properties | ||
+ | # Base URL where CAS is accessible. Syntax of this field is https:// | ||
+ | idm.pub.core.cas.url= | ||
+ | # Suffix which is, in effect, appended to idm.pub.core.cas.url. Resulting URL is used for login operation in CAS. It must start with slash (eg. /login). | ||
+ | idm.pub.core.cas.login-suffix=/ | ||
+ | # Suffix which is appended to idm.pub.core.cas.url. Resulting URL is used for single sign-out operation. It must start with slash (eg. /logout). | ||
+ | idm.pub.core.cas.logout-suffix=/ | ||
+ | # URL of CzechIdM. This URL is used for redirect back after logout and also for ticket validation. Syntax of this field is https:// | ||
+ | idm.pub.core.cas.idm-url= | ||
+ | # Header name in which CAS sends the ticket value. | ||
+ | idm.sec.core.cas.header-name=referer | ||
+ | # Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https:// | ||
+ | idm.sec.core.cas.header-prefix= | ||
</ | </ | ||
==== Backup ==== | ==== Backup ==== | ||
- | If you want to use redeploy and backup for example in agenda (notification | + | If you want to use redeploy and backup for example in agenda (notification |
+ | When redploy is used, then actual templates (or scripsts) are loaded from classpath by configuration (for templates or scripts) and deployed into application. Previous templates (or scripts) are backup too. | ||
<code properties> | <code properties> | ||
- | # configuration | + | # Configuration |
+ | # Configured attachment storage patrh ( see ' | ||
idm.sec.core.backups.default.folder.path=/ | idm.sec.core.backups.default.folder.path=/ | ||
</ | </ | ||
Line 676: | Line 949: | ||
idm.sec.vs.role.default=< | idm.sec.vs.role.default=< | ||
</ | </ | ||
+ | |||
+ | ==== Long polling ==== | ||
+ | |||
+ | <code properties> | ||
+ | # Long polling | ||
+ | idm.pub.app.long-polling.enabled=true | ||
+ | </ | ||
+ | |||
+ | You can disable long polling for all types of entites with use value `false`. | ||
+ | |||
+ | |||
==== Provisioning ==== | ==== Provisioning ==== | ||
Line 692: | Line 976: | ||
# - Default value is ' | # - Default value is ' | ||
idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true | idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true | ||
+ | |||
+ | # Default provisioning timeout in milis - every longer provisioning operations will ends with timeout exception (prevent to stuck running operations). | ||
+ | # 3 minutes by default. | ||
+ | # Timeout has to be configured >= 1000, otherwise default will be returned. | ||
+ | idm.sec.acc.provisioning.timeout=180000 | ||
+ | </ | ||
+ | |||
+ | ==== Provisioning global break ==== | ||
+ | <note tip>For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be activated.</ | ||
+ | |||
+ | <code properties> | ||
+ | # Global break for update disabled/ | ||
+ | idm.sec.acc.provisioning.break.update.disabled | ||
+ | # Global break for update checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.period | ||
+ | # Global break for update disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.disableLimit | ||
+ | # Global break for update disabled template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.update.templateDisable | ||
+ | # Global break for update warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.update.warningLimit | ||
+ | # Global break for update warning template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.update.templateWarning | ||
+ | # Global break for update. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.update.identityRecipients | ||
+ | # Global break for update. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.update.roleRecipients | ||
+ | # | ||
+ | # | ||
+ | # Global break for create disabled/ | ||
+ | idm.sec.acc.provisioning.break.create.disabled | ||
+ | # Global break for create checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.period | ||
+ | # Global break for create disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.disableLimit | ||
+ | # Global break for create disabled template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.create.templateDisable | ||
+ | # Global break for create warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.create.warningLimit | ||
+ | # Global break for create warning template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.create.templateWarning | ||
+ | # Global break for create. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.create.identityRecipients | ||
+ | # Global break for create. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.create.roleRecipients | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # Global break for delete disabled/ | ||
+ | idm.sec.acc.provisioning.break.delete.disabled | ||
+ | # Global break for delete checked period (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.period | ||
+ | # Global break for delete disable limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.disableLimit | ||
+ | # Global break for delete disabled template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.delete.templateDisable | ||
+ | # Global break for delete warning limit (integer values) | ||
+ | idm.sec.acc.provisioning.break.delete.warningLimit | ||
+ | # Global break for delete warning template (ID of template, if will by null default template will be used) | ||
+ | idm.sec.acc.provisioning.break.delete.templateWarning | ||
+ | # Global break for delete. Existing identity recipients (identity username or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.delete.identityRecipients | ||
+ | # Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',' | ||
+ | idm.sec.acc.provisioning.break.delete.roleRecipients | ||
</ | </ | ||
Line 721: | Line 1069: | ||
Common configuration properties for all renderers: | Common configuration properties for all renderers: | ||
* '' | * '' | ||
+ | |||
+ | ==== Logger ==== | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # Show thread name configured by thread pools (task, event) in logs (generated name is shown otherwise) | ||
+ | # Two appenders ' | ||
+ | logging.pattern.console=%d{yyyy-MM-dd HH: | ||
+ | logging.pattern.file=%d{yyyy-MM-dd HH: | ||
+ | </ | ||
+ | |||
+ | Logger levels can be configured programmatically (override '' | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | idm.sec.core.logger.< | ||
+ | </ | ||
+ | |||
+ | Where ''< | ||
+ | |||
+ | Example: | ||
+ | <code properties> | ||
+ | idm.sec.core.logger.eu.bcvsolutions=DEBUG | ||
+ | </ | ||
+ | |||
+ | ==== Monitoring ==== | ||
+ | |||
+ | === Monitoring evaluator === | ||
+ | |||
+ | In the application profile ('' | ||
+ | |||
+ | <code properties> | ||
+ | # disable / enable monitoring evaluator | ||
+ | idm.sec.< | ||
+ | </ | ||
+ | Where ''< | ||
+ | |||
+ | Common configuration properties for all monitorings: | ||
+ | * '' |