Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:application_configuration:dev:backend [2019/04/26 10:00]
tomiskar 		devel:documentation:application_configuration:dev:backend [2020/03/09 07:33]
tomiskar [Attachment storage]
Line 1: Line 1:
 ===== Configuration - backend ===== ===== Configuration - backend =====
  
-{{tag> configuration}}+{{tag> configuration final property properties config setup}}
  
 The application uses a Spring boot configuration in the ''application.properties'' files. All the configuration items which are used solely for idm begin with ''idm.'' prefix. The configuration items from the file can be overloaded through a setting agenda in the gui => a server restart isn't needed for changing the configuration with ''idm.'' prefix, which was one of the main goals. The configuration is saved in the database. Use ''ConfigurationService'' for reading and saving configuration items. The application uses a Spring boot configuration in the ''application.properties'' files. All the configuration items which are used solely for idm begin with ''idm.'' prefix. The configuration items from the file can be overloaded through a setting agenda in the gui => a server restart isn't needed for changing the configuration with ''idm.'' prefix, which was one of the main goals. The configuration is saved in the database. Use ''ConfigurationService'' for reading and saving configuration items.
Line 38: Line 38:
   * ''default'' - the default profile - configured to db h2. If a developer downloads the project from Git, the application will run without any other configuration over h2 database with demo data (by admin user ...). Default profile is used for issuing a demo.   * ''default'' - the default profile - configured to db h2. If a developer downloads the project from Git, the application will run without any other configuration over h2 database with demo data (by admin user ...). Default profile is used for issuing a demo.
   * ''dev'' - developing profile configured to postgresql. In the future, we can move the configuration itself to special profiles - their combinations (e.g. test+ postgresql or dev + mysql). We will be able to cover more variants of environment versus database.   * ''dev'' - developing profile configured to postgresql. In the future, we can move the configuration itself to special profiles - their combinations (e.g. test+ postgresql or dev + mysql). We will be able to cover more variants of environment versus database.
-  * ''test'' - test profile - configured to db h2 and **it's used for unit and intergartion testing only**. Don't use this profile for test environment - create your own profiles (testing / production).+  * ''test'' - test profile - configured to db h2 and **it's used for unit and intergration testing only**. Don't use this profile for test environment - create your own profiles (testing / production).
   * ''release'' - release profile - all modules in CzechIdM repository are included, they are released together under one version.    * ''release'' - release profile - all modules in CzechIdM repository are included, they are released together under one version. 
  
Line 75: Line 75:
 <code properties> <code properties>
 # Application stage (development, test, production (default)) # Application stage (development, test, production (default))
 +#
 +# Public properties - available for frontend without authentication (show information about app, decorators etc.).
 +#
 +# Application stage - development, test, production
 idm.pub.app.stage= idm.pub.app.stage=
 # Application instance / server id - is used for scheduler etc. # Application instance / server id - is used for scheduler etc.
 # Should be defined in property file only # Should be defined in property file only
 idm.pub.app.instanceId=idm-primary idm.pub.app.instanceId=idm-primary
-# Enable forest index for tree structures 
-idm.sec.app.forest.index.enabled=true 
 # global date format on BE. Used in notification templates, logs, etc. FE uses localization key 'core:format.date'. # global date format on BE. Used in notification templates, logs, etc. FE uses localization key 'core:format.date'.
 idm.pub.app.format.date=dd.MM.yyyy idm.pub.app.format.date=dd.MM.yyyy
 # global datetime format on BE. Used in notification templates, logs, etc. FE uses localization key 'core:format.datetime'. # global datetime format on BE. Used in notification templates, logs, etc. FE uses localization key 'core:format.datetime'.
 idm.pub.app.format.datetime=dd.MM.yyyy HH:mm idm.pub.app.format.datetime=dd.MM.yyyy HH:mm
 +# Show identifiers (uuid) in frontend application. Empty value by default => identifier is shown, when application 'idm.pub.app.stage' is set to 'development'.
 +idm.pub.app.show.id=
 +# Show transaction identifiers (uuid) in frontend application 
 +idm.pub.app.show.transactionId=false
 +# Show role environmnent in frontend application for roles (table, role detail, niceLabel, info components, role select) 
 +idm.pub.app.show.environment=true
 +# Available size options for tables in frontend application
 +idm.pub.app.show.sizeOptions=10, 25, 50, 100
 +#
 +# Private properties - used on backend only.
 +#
 # create demo data at application start # create demo data at application start
 idm.sec.core.demo.data.enabled=true idm.sec.core.demo.data.enabled=true
 # demo data was created - prevent to create demo data duplicitly # demo data was created - prevent to create demo data duplicitly
 idm.sec.core.demo.data.created=false idm.sec.core.demo.data.created=false
 +# Enable forest index for tree structures
 +idm.sec.app.forest.index.enabled=true
 </code> </code>
  
Line 96: Line 111:
  
 <code properties> <code properties>
-# audit table suffix+# ZonedDateTime is stored in UTC 
 +spring.jpa.properties.hibernate.jdbc.time_zone=UTC 
 +# Driver (e.g. postgres) does not support contextual LOB creation 
 +spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true 
 +# audit table suffixes
 spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a
 +spring.jpa.properties.org.hibernate.envers.modified_flag_suffix=_m
 # modified flag for all audited columns # modified flag for all audited columns
 spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true
 # prevent to modify attributes created, creator etc. # prevent to modify attributes created, creator etc.
-spring.jpa.properties.hibernate.ejb.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor+spring.jpa.properties.org.hibernate.envers.audit_strategy=eu.bcvsolutions.idm.core.model.repository.listener.IdmAuditStrategy 
 +spring.jpa.properties.hibernate.session_factory.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor
 # enable / disable audit (envers) # enable / disable audit (envers)
 spring.jpa.properties.hibernate.listeners.envers.autoRegister=true spring.jpa.properties.hibernate.listeners.envers.autoRegister=true
 +# Spring boot 2 changed default to true, but we are using IDENTITY identifier generators for mssql database. 
 +spring.jpa.hibernate.use-new-id-generator-mappings=false
 # #
 # DB ddl auto generation by hibernate is disabled - flyway database migration is used # DB ddl auto generation by hibernate is disabled - flyway database migration is used
Line 118: Line 140:
 spring.datasource.testOnBorrow=true spring.datasource.testOnBorrow=true
 spring.datasource.validationQuery=SELECT 1 spring.datasource.validationQuery=SELECT 1
 +# Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. 
 +spring.datasource.hikari.maximumPoolSize=50
 </code> </code>
  
Line 204: Line 228:
 # temporary file time to live in milliseconds # temporary file time to live in milliseconds
 # older temporary files will be purged, default 14 days # older temporary files will be purged, default 14 days
 +# Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends).
 idm.sec.core.attachment.tempTtl=1209600000 idm.sec.core.attachment.tempTtl=1209600000
-# 
-# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. 
-multipart.max-file-size=1Mb 
- 
 </code> </code>
  
Line 214: Line 235:
  
 <code properties> <code properties>
-+# Max file size of uploaded file. Values can use the suffixed "Mb" or "Kb" to indicate a Megabyte or Kilobyte size. 
-# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. +spring.servlet.multipart.max-file-size=100MB 
-multipart.max-file-size=1Mb+spring.servlet.multipart.max-request-size=100MB
  
 </code> </code>
Line 397: Line 418:
 # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize.
 scheduler.task.executor.maxPoolSize= scheduler.task.executor.maxPoolSize=
-# Waiting tasks to be processed. Uses {@code Integer.MAX_VALUE} as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. +# Waiting tasks to be processed. Uses 20 as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. 
-# {@link AbotrPolicy} is set for rejected tasks.  +# {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link LongRunningTaskManager})
-scheduler.task.executor.queueCapacity=+scheduler.task.executor.queueCapacity=20
 # Thread priority for threads in event executor pool - 5 by default (normal). # Thread priority for threads in event executor pool - 5 by default (normal).
 scheduler.task.executor.threadPriority= scheduler.task.executor.threadPriority=
Line 412: Line 433:
 # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize.
 scheduler.event.executor.maxPoolSize= scheduler.event.executor.maxPoolSize=
-# Waiting events to be processed. Uses 1000 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. +# Waiting events to be processed. Uses 50 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. 
-# {@link AbotrPolicy} is set for rejected tasks.+# {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link EntityEventManager}).
 scheduler.event.executor.queueCapacity=50 scheduler.event.executor.queueCapacity=50
 # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5).
Line 569: Line 590:
 # In the request to create new role is also used. # In the request to create new role is also used.
 idm.sec.core.wf.approval.role-change.role= idm.sec.core.wf.approval.role-change.role=
 +#
 +# Default main WF for approve all roles.
 +idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions
 </code> </code>
  
Line 665: Line 689:
 idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids=
 </code> </code>
 +
 +=== Remote user authentication filter ===
 +Login into IdM by preset request remote user by servlet container can be configured with following properties:
 +<code properties>
 +# Allow remote user authentication
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.enabled=false
 +# The suffixes to remove from the login - usually domains
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.uid-suffixes=
 +# The uids that can't be authenticated by SSO
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids=
 +</code>
 +
 +This authentication filter reuses SSO authentication filter behavior above (''uid-suffixes'', ''forbidden-uids''), but application administrator can be logged by this filter (identity with ''APP_ADMIN'' authority).
  
 ==== Backup ==== ==== Backup ====
-If you want to use redeploy and backup for example in agenda (notification template), you must define default backup folder see:+If you want to use redeploy and backup for example in agenda (notification templates, scripts), you must define default backup folder
 +When redploy is used, then actual templates (or scripsts) are loaded from classpath by configuration (for templates or scripts) and deployed into application. Previous templates (or scripts) are backup too. 
 <code properties> <code properties>
 # configuration property for default backup  # configuration property for default backup 
Line 700: Line 739:
 idm.sec.vs.role.default=<some-code-of-role> idm.sec.vs.role.default=<some-code-of-role>
 </code> </code>
 +
 +==== Long polling ====
 +
 +<code properties>
 +# Long polling
 +idm.pub.app.long-polling.enabled=true
 +</code>
 +
 +You can disable long polling for all types of entites with use value `false`.
  
 ==== Provisioning ==== ==== Provisioning ====
Line 716: Line 764:
 # - Default value is 'true' # - Default value is 'true'
 idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true
 +
 +# Default provisioning timeout in milis - every longer provisioning operations will ends with timeout exception (prevent to stuck running operations).
 +# 3 minutes by default.
 +# Timeout has to be configured >= 1000, otherwise default will be returned.
 +idm.sec.acc.provisioning.timeout=180000
 +</code>
 +
 +==== Provisioning global break ====
 +<note tip>For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be active.</note>
 +
 +<code properties>
 +# Global break for update disabled/enabled (values: true/false)
 +idm.sec.acc.provisioning.break.update.disabled
 +# Global break for update checked period (integer values)
 +idm.sec.acc.provisioning.break.update.period
 +# Global break for update disable limit (integer values)
 +idm.sec.acc.provisioning.break.update.disableLimit
 +# Global break for update disabled template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.update.templateDisable
 +# Global break for update warning limit (integer values)
 +idm.sec.acc.provisioning.break.update.warningLimit
 +# Global break for update warning template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.update.templateWarning
 +# Global break for update. Existing identity recipients (identity username or id, split by ',')
 +idm.sec.acc.provisioning.break.update.identityRecipients
 +# Global break for update. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 +idm.sec.acc.provisioning.break.update.roleRecipients
 +#
 +#
 +# Global break for create disabled/enabled (values: true/false)
 +idm.sec.acc.provisioning.break.create.disabled
 +# Global break for create checked period (integer values)
 +idm.sec.acc.provisioning.break.create.period
 +# Global break for create disable limit (integer values)
 +idm.sec.acc.provisioning.break.create.disableLimit
 +# Global break for create disabled template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.create.templateDisable
 +# Global break for create warning limit (integer values)
 +idm.sec.acc.provisioning.break.create.warningLimit
 +# Global break for create warning template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.create.templateWarning
 +# Global break for create. Existing identity recipients (identity username or id, split by ',')
 +idm.sec.acc.provisioning.break.create.identityRecipients
 +# Global break for create. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 +idm.sec.acc.provisioning.break.create.roleRecipients
 +#
 +#
 +#
 +# Global break for delete disabled/enabled (values: true/false)
 +idm.sec.acc.provisioning.break.delete.disabled
 +# Global break for delete checked period (integer values)
 +idm.sec.acc.provisioning.break.delete.period
 +# Global break for delete disable limit (integer values)
 +idm.sec.acc.provisioning.break.delete.disableLimit
 +# Global break for delete disabled template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.delete.templateDisable
 +# Global break for delete warning limit (integer values)
 +idm.sec.acc.provisioning.break.delete.warningLimit
 +# Global break for delete warning template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.delete.templateWarning
 +# Global break for delete. Existing identity recipients (identity username or id, split by ',')
 +idm.sec.acc.provisioning.break.delete.identityRecipients
 +# Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 +idm.sec.acc.provisioning.break.delete.roleRecipients
 </code> </code>
  
Line 745: Line 857:
 Common configuration properties for all renderers: Common configuration properties for all renderers:
   * ''enabled'' - on / off   * ''enabled'' - on / off
 +
 +==== Logger ====
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +
 +Logger levels can be configured programmatically (override ''logback.xml'' file with default logger levels configuration).
 +
 +<code properties>
 +idm.sec.core.logger.<packageName>=<level>
 +</code>
 +
 +Where ''<packageName>'' is package name to set logger ''<level>''.
 +
 +Example:
 +<code properties>
 +idm.sec.core.logger.eu.bcvsolutions=DEBUG
 +</code>
  • by chalupat