Differences

This shows you the differences between two versions of the page.

devel:documentation:application_configuration:dev:backend [2019/07/04 08:54]
tomiskar [Backup]
devel:documentation:application_configuration:dev:backend [2020/07/08 12:41]
tomiskar [Application/ Server]
Line 1: Line 1:
 ===== Configuration - backend ===== ===== Configuration - backend =====
  
-{{tag> configuration}}+{{tag> configuration final property properties config setup}}
  
 The application uses a Spring boot configuration in the ''application.properties'' files. All the configuration items which are used solely for idm begin with ''idm.'' prefix. The configuration items from the file can be overloaded through a setting agenda in the gui => a server restart isn't needed for changing the configuration with ''idm.'' prefix, which was one of the main goals. The configuration is saved in the database. Use ''ConfigurationService'' for reading and saving configuration items. The application uses a Spring boot configuration in the ''application.properties'' files. All the configuration items which are used solely for idm begin with ''idm.'' prefix. The configuration items from the file can be overloaded through a setting agenda in the gui => a server restart isn't needed for changing the configuration with ''idm.'' prefix, which was one of the main goals. The configuration is saved in the database. Use ''ConfigurationService'' for reading and saving configuration items.
Line 12: Line 12:
   * if the name of a configuration item contains the''password'' or ''token'' chain, the value of the configuration item is hidden in the rest interface listing (or rather replaced with substitute characters).   * if the name of a configuration item contains the''password'' or ''token'' chain, the value of the configuration item is hidden in the rest interface listing (or rather replaced with substitute characters).
   * It is better to use constants for keys, e.g. ''ConfigurationService.IDM\_PUBLIC\_PROPERTY\_PREFIX + "core.identity.delete"'' - using seperator constant in key name suffix is not preferred - constant can be simply found by key suffix ("ctrl-f" + "core.identity.delete").    * It is better to use constants for keys, e.g. ''ConfigurationService.IDM\_PUBLIC\_PROPERTY\_PREFIX + "core.identity.delete"'' - using seperator constant in key name suffix is not preferred - constant can be simply found by key suffix ("ctrl-f" + "core.identity.delete"). 
- 
-Cache is used for reading configuration values - default spring boot cache (ConcurrentHashMap) is configured for now. Value in cache is cleared by an active (save, delete) operation. 
- 
-<note tip> 
-If you are debugging some of code and are you figuring, something is wrong with the cache, then you can turn the cache off with property (in application.properties) 
-<code properties> 
-spring.cache.type=none 
-</code> 
-</note> 
  
 ==== Configure environment properties ==== ==== Configure environment properties ====
Line 54: Line 45:
  
  
-<note important>To prevent application startup fails due to Flyway error, property ''-Djava.util.Arrays.useLegacyMergeSort=true'' has to be added into environment properties. If property is not set, then application can fail on error: +[[https://proj.bcvsolutions.eu/ngidm/doku.php?id=help:czechidm_server_install_guide#vyber_profilu_aplikace|Add JAVA_OPTS parameters]]
-<code>Error creating bean with name 'flywayCore' defined in class path resource [eu/bcvsolutions/idm/core/config/flyway/CoreFlywayConfig.class]:  +
-Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: Comparison method violates its general contract!</code> +
-</note>+
  
- 
-[[https://proj.bcvsolutions.eu/ngidm/doku.php?id=help:czechidm_server_install_guide#vyber_profilu_aplikace|Add JAVA_OPTS parameters]]: 
- 
-<code> 
--Djava.util.Arrays.useLegacyMergeSort=true 
-</code> 
  
  
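Review bot: the retained link ''Add JAVA_OPTS parameters'' no longer has anything to add, because this hunk removes both the ''-Djava.util.Arrays.useLegacyMergeSort=true'' block and the note explaining the Flyway "Comparison method violates its general contract!" failure. Either drop the link as well, or keep one sentence saying from which version the flag is no longer needed, so operators on older releases who hit that startup error can still find the workaround.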
Line 91: Line 73:
 # Show transaction identifiers (uuid) in frontend application  # Show transaction identifiers (uuid) in frontend application 
 idm.pub.app.show.transactionId=false idm.pub.app.show.transactionId=false
-# Show role environmnent in frontend application for roles (table, role detail, niceLabel, info components, role select) +# Show role environment in frontend application for roles (table, role detail, niceLabel, info components, role select) 
 idm.pub.app.show.environment=true idm.pub.app.show.environment=true
 +# Show role baseCode in frontend application for roles (table, role detail, niceLabel, info components, role select) 
 +idm.pub.app.show.role.baseCode=true
 +# Available size options for tables in frontend application
 +idm.pub.app.show.sizeOptions=10, 25, 50, 100
 +# show default form for newly created user 
 +# default form can be disabled => at least one configured form projection is needed
 +idm.pub.app.show.identity.formProjection.default=true
 +# If is true, then role-request description will be show on the detail.
 +# Description will hidden if this property will be false and role request
 +# doesn't contains any value in description (can be filled during the approval process).
 +idm.pub.app.show.roleRequest.description=true
 # #
 # Private properties - used on backend only. # Private properties - used on backend only.
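Review bot: the added comment for ''idm.pub.app.show.roleRequest.description'' is hard to follow ("If is true, then role-request description will be show", "Description will hidden"). Suggested wording: "If true, the role request description is shown on the detail. If false, the description is hidden while it is empty (it can still be filled during the approval process)." Also say whether the spaces in ''idm.pub.app.show.sizeOptions=10, 25, 50, 100'' are trimmed when the value is parsed.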
Line 109: Line 102:
  
 <code properties> <code properties>
-# audit table suffix+# ZonedDateTime is stored in UTC 
 +spring.jpa.properties.hibernate.jdbc.time_zone=UTC 
 +# Driver (e.g. postgres) does not support contextual LOB creation 
 +spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true 
 +# audit table suffixes
 spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a
 +spring.jpa.properties.org.hibernate.envers.modified_flag_suffix=_m
 # modified flag for all audited columns # modified flag for all audited columns
 spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true
 # prevent to modify attributes created, creator etc. # prevent to modify attributes created, creator etc.
-spring.jpa.properties.hibernate.ejb.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor+spring.jpa.properties.org.hibernate.envers.audit_strategy=eu.bcvsolutions.idm.core.model.repository.listener.IdmAuditStrategy 
 +spring.jpa.properties.hibernate.session_factory.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor
 # enable / disable audit (envers) # enable / disable audit (envers)
 spring.jpa.properties.hibernate.listeners.envers.autoRegister=true spring.jpa.properties.hibernate.listeners.envers.autoRegister=true
 +# Spring boot 2 changed default to true, but we are using IDENTITY identifier generators for mssql database. 
 +spring.jpa.hibernate.use-new-id-generator-mappings=false
 # #
 # DB ddl auto generation by hibernate is disabled - flyway database migration is used # DB ddl auto generation by hibernate is disabled - flyway database migration is used
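Review bot: the added ''audit_strategy'' line is inserted directly under the existing comment ''# prevent to modify attributes created, creator etc.'', which describes ''AuditableInterceptor'', so the comment now reads as if it documents ''IdmAuditStrategy''. Move the new line above that comment and give it its own one-line comment. The interceptor key is also renamed from ''hibernate.ejb.interceptor'' to ''hibernate.session_factory.interceptor''; a short upgrade note would help, because a profile that still carries the old key would start without the interceptor that protects the audit attributes if the old key is no longer read.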
Line 131: Line 131:
 spring.datasource.testOnBorrow=true spring.datasource.testOnBorrow=true
 spring.datasource.validationQuery=SELECT 1 spring.datasource.validationQuery=SELECT 1
 +# Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. 
 +spring.datasource.hikari.maximumPoolSize=50
 </code> </code>
  
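Review bot: the comment on ''spring.datasource.hikari.maximumPoolSize=50'' says the size should be higher than the sum of the task and event thread pool sizes but does not name them. Reference ''scheduler.task.executor.maxPoolSize'' and ''scheduler.event.executor.maxPoolSize'' from the scheduler section so the value can be checked. Also confirm that the unprefixed ''spring.datasource.testOnBorrow'' and ''spring.datasource.validationQuery'' lines kept as context still take effect now that a Hikari-specific key is documented beside them.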
Line 195: Line 197:
 </code> </code>
  
 +==== Cache ====
  
-==== Attachment storage ===+Cache is used for reading configuration values. Value in cache is cleared by an active (save, delete) operation. 
 + 
 +In the application profile (application.properties): 
 + 
 + 
 + 
 +<code properties> 
 +# Disable cache 
 +# If you are debugging some of code and are you figuring, something is wrong with the cache, then you can turn the cache off with property. 
 +#spring.cache.type=none 
 +
 +# Clusterred cache settings 
 +#idm.sec.cache.terracota.url=localhost:9410,localhost:9420 
 +idm.sec.cache.terracota.resource.name=main 
 +idm.sec.cache.terracota.resource.pool.name=resource-pool 
 +# Size in MB 
 +idm.sec.cache.terracota.resource.pool.size=32 
 +</code> 
 + 
 + 
 +==== Attachment storage ====
  
 ''DefaultAttachmentManager'' stores binary files on file system. Binary files can be attached to any entity, which implements ''AttachableEntity'' interface, [[..:..:modules_rpt:dev:attachment_manager| read more]]. ''DefaultAttachmentManager'' stores binary files on file system. Binary files can be attached to any entity, which implements ''AttachableEntity'' interface, [[..:..:modules_rpt:dev:attachment_manager| read more]].
  
-In the application profile (application.properties) and overloadable via ''ConfigurationService''+In the application profile (application.properties): 
 + 
 +<code properties> 
 +# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. 
 +# Application server (e.g. Tomcat "maxSwallowSize" connector parameter) has to be set properly too (e.g. <Connector port="8080" maxSwallowSize="-1" ...) 
 +spring.servlet.multipart.max-file-size=100MB 
 +spring.servlet.multipart.max-request-size=100MB 
 + 
 +</code> 
 + 
 +In the application profile (application.properties) and overloadable via ''ConfigurationService'':
  
 <code properties> <code properties>
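Review bot: the added multipart comment gives ''maxSwallowSize="-1"'' as the Tomcat example, which removes the limit on how much of an aborted upload Tomcat will read, while the same block raises the upload limit to ''100MB''. Suggest an example value sized to ''spring.servlet.multipart.max-request-size'' instead of unlimited, or say why unlimited is required. In the new Cache block, ''idm.sec.cache.terracota.url'' is commented out while the three ''resource.*'' keys are active; state whether those have any effect without the url and which cache is used in that case (the removed text named the default Spring Boot ConcurrentHashMap cache), and fix "Clusterred".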
Line 217: Line 250:
 # temporary file time to live in milliseconds # temporary file time to live in milliseconds
 # older temporary files will be purged, default 14 days # older temporary files will be purged, default 14 days
 +# Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends).
 idm.sec.core.attachment.tempTtl=1209600000 idm.sec.core.attachment.tempTtl=1209600000
-# 
-# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. 
-multipart.max-file-size=1Mb 
- 
 </code> </code>
  
-In the application profile (application.properties). +==== Activiti workflow ====
- +
-<code properties> +
-+
-# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. +
-multipart.max-file-size=1Mb +
- +
-</code> +
- +
-==== Activiti workflow ===+
 <code properties> <code properties>
 # String boot properties for Activiti workflow engine # String boot properties for Activiti workflow engine
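Review bot: the new ''tempTtl'' comment says the temporary file "is not reachable, after user session ends", yet the default keeps temporary files for 14 days. Say explicitly that unreachable temporary files stay on disk until the purge, so operators handling sensitive uploads can choose a shorter TTL. "internaly" should be "internally".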
Line 270: Line 291:
 # - recaptchaservice endpoint  # - recaptchaservice endpoint 
 idm.sec.security.recaptcha.url=https://www.google.com/recaptcha/api/siteverify idm.sec.security.recaptcha.url=https://www.google.com/recaptcha/api/siteverify
-# - secret key, can be generated here https://www.google.com/recaptcha/admin+# - secret key, can be generated here https://www.google.com/recaptcha/admin (generate V2 checkbox)
 # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do
 idm.sec.security.recaptcha.secretKey=xxx idm.sec.security.recaptcha.secretKey=xxx
Line 410: Line 431:
 # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize.
 scheduler.task.executor.maxPoolSize= scheduler.task.executor.maxPoolSize=
-# Waiting tasks to be processed. Uses {@code Integer.MAX_VALUE} as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. +# Waiting tasks to be processed. Uses 20 as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. 
-# {@link AbotrPolicy} is set for rejected tasks.  +# {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link LongRunningTaskManager})
-scheduler.task.executor.queueCapacity=+scheduler.task.executor.queueCapacity=20
 # Thread priority for threads in event executor pool - 5 by default (normal). # Thread priority for threads in event executor pool - 5 by default (normal).
 scheduler.task.executor.threadPriority= scheduler.task.executor.threadPriority=
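Review bot: the documented default for ''scheduler.task.executor.queueCapacity'' changes from ''Integer.MAX_VALUE'' to ''20'', so tasks that used to queue can now be rejected, and the page does not say from which version. Add the version and one sentence on what ''LongRunningTaskManager'' does with a rejected task (retry, fail, requeue). The changed comment line also still spells the policy ''AbotrPolicy''; it should be ''AbortPolicy''.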
Line 426: Line 447:
 scheduler.event.executor.maxPoolSize= scheduler.event.executor.maxPoolSize=
 # Waiting events to be processed. Uses 50 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. # Waiting events to be processed. Uses 50 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically.
-# {@link AbotrPolicy} is set for rejected tasks.+# {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link EntityEventManager}).
 scheduler.event.executor.queueCapacity=50 scheduler.event.executor.queueCapacity=50
 # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5).
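Review bot: the changed comment line still spells the rejection policy ''AbotrPolicy''; it should be ''AbortPolicy''. The added text says the reject exception has to be processed by ''EntityEventManager'' but not what that processing is; state whether an event rejected while the queue of 50 is full is retried later or lost.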
Line 445: Line 466:
 # CUSTOM - users can choose for which accounts change password # CUSTOM - users can choose for which accounts change password
 # Needed on FE (=> public)  # Needed on FE (=> public) 
-idm.pub.core.identity.passwordChange=ALL_ONLY+idm.pub.core.identity.passwordChange=CUSTOM
 # #
 # required old password for change password. # required old password for change password.
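Review bot: ''idm.pub.core.identity.passwordChange'' changes from ''ALL_ONLY'' to ''CUSTOM'' with no note on whether the product default changed or only this example. Since this key controls which accounts a password change reaches, state the version in which the default changed and that deployments relying on the previous ''ALL_ONLY'' value need to set it explicitly.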
Line 464: Line 485:
 # Needed on FE (=> public)  # Needed on FE (=> public) 
 idm.pub.core.identity.dashboard.skip= idm.pub.core.identity.dashboard.skip=
-# 
-# supports authorization policies for extended form definitions and their values for identities 
-# Default is false (backward compatibility) - all form definitions and attributes will be shown (controlled by permissions for identity - IDENTITY_READ / IDENTITY_UPDATE). 
-# true - authorization policies will be evaluated (see https://wiki.czechidm.com/devel/documentation/security/dev/authorization#secure_identity_form_extended_attribute_values) for form definitions (FORMDEFINITION_AUTOCOMPLETE is needed to show form definition) and for form values (FORMVALUE_UPDATE)  
-idm.sec.core.identity.formAttributes.secured=false 
  
 </code> </code>
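Review bot: this hunk deletes the documentation for ''idm.sec.core.identity.formAttributes.secured'' without saying what replaced it. The removed text described a default of ''false'' under which all form definitions and attributes were shown; state whether the property was removed and whether authorization policies for extended form values are now always evaluated, so administrators know whether an existing ''false'' setting is still honoured.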
Line 612: Line 628:
 ==== Entity filters ==== ==== Entity filters ====
 In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
-Every filter could have his own configuration properties under prefix: + 
 +<code properties> 
 +# Enable / disable check filter is properly registered, when filter is used (by entity and property name). Throw exeption, when unrecognised filter is used. 
 +idm.sec.core.filter.check.supported.enabled=true 
 +</code> 
 + 
 +Every registered filter could have his own configuration properties under prefix: 
 <code properties> <code properties>
-# enable/ disable filter - enabled by default. When filter is disabled and property is filled in filter, then ''disjunction'' criteria is added => no data will be returned+# enable / disable filter - enabled by default. When filter is disabled and property is filled in filter, then ''disjunction'' criteria is added => no data will be returned
 idm.sec.<module>.filter.<entity>.<name>.enabled=true idm.sec.<module>.filter.<entity>.<name>.enabled=true
 # filter implementation # filter implementation
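Review bot: the added ''idm.sec.core.filter.check.supported.enabled'' comment explains the ''true'' case only. Say what happens when it is ''false'': if an unrecognised filter is then ignored, a caller gets a broader result set than requested, which is the opposite of the fail-closed behaviour documented for a disabled filter just below ("no data will be returned"). Typos: "exeption", and "his own" should be "its own".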
Line 649: Line 671:
  
 ==== Authentication ==== ==== Authentication ====
-UUID of system, against which to user will be authenticated.+UUID of system, against which to user will be authenticated. This authentication is from version 10.4.0 deprecated.
 <code properties> <code properties>
 # ID system against which to authenticate # ID system against which to authenticate
 idm.sec.security.auth.systemId= idm.sec.security.auth.systemId=
 </code> </code>
 +
 +Authentication against multiple system wich to user will be authenticated (since 10.4.0) - ID or Code can be used:
 +<code properties>
 +idm.sec.acc.security.auth.order1.system=
 +idm.sec.acc.security.auth.order2.system=
 +</code>
 +
 +Maximum system for authentication can be set with the property:
 +<code properties>
 +idm.sec.acc.security.auth.maximumSystemCount=50
 +</code>
 +
 +More about authenticator can be found [[devel:documentation:security:dev:authentication|there]].
  
 === Authentication filters === === Authentication filters ===
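Review bot: the added ''idm.sec.acc.security.auth.order1.system'' / ''order2.system'' keys do not say how the order is evaluated: whether a failed login on ''order1'' falls through to ''order2'', and whether success on any one system is enough. That decides which system's password policy and lockout effectively protect the IdM login, so it belongs on this page rather than only behind the link. Also state what happens when the deprecated ''idm.sec.security.auth.systemId'' and the new keys are both set, and fix "wich" and "from version 10.4.0 deprecated" ("deprecated since version 10.4.0").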
Line 681: Line 716:
 idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids=
 </code> </code>
 +
 +=== Remote user authentication filter ===
 +Login into IdM by preset request remote user by servlet container can be configured with following properties:
 +<code properties>
 +# Allow remote user authentication
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.enabled=false
 +# The suffixes to remove from the login - usually domains
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.uid-suffixes=
 +# The uids that can't be authenticated by SSO
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids=
 +</code>
 +
 +This authentication filter reuses SSO authentication filter behavior above (''uid-suffixes'', ''forbidden-uids''), but application administrator can be logged by this filter (identity with ''APP_ADMIN'' authority).
  
 ==== Backup ==== ==== Backup ====
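Review bot: the new section enables login from the remote user preset by the servlet container and, unlike the SSO filter, lets an identity with ''APP_ADMIN'' authority log in this way, but it does not state the precondition. Add a sentence that the filter must only be enabled when the container or a fronting proxy authenticates the request and sets the remote user itself. The ''forbidden-uids'' comment was copied from the SSO block and still says "can't be authenticated by SSO"; reword it for this filter, and consider recommending that administrator uids be listed there.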
Line 718: Line 766:
 idm.sec.vs.role.default=<some-code-of-role> idm.sec.vs.role.default=<some-code-of-role>
 </code> </code>
 +
 +==== Long polling ====
 +
 +<code properties>
 +# Long polling
 +idm.pub.app.long-polling.enabled=true
 +</code>
 +
 +You can disable long polling for all types of entites with use value `false`.
  
 ==== Provisioning ==== ==== Provisioning ====
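Review bot: the sentence after the code block wraps ''false'' in Markdown backticks; the rest of the page uses DokuWiki double single quotes, so the backticks will render literally. Suggested wording: "Set the value to ''false'' to disable long polling for all entity types." (this also fixes "entites").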
Line 734: Line 791:
 # - Default value is 'true' # - Default value is 'true'
 idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true
 +
 +# Default provisioning timeout in milis - every longer provisioning operations will ends with timeout exception (prevent to stuck running operations).
 +# 3 minutes by default.
 +# Timeout has to be configured >= 1000, otherwise default will be returned.
 +idm.sec.acc.provisioning.timeout=180000
 </code> </code>
  
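Review bot: the comment on ''idm.sec.acc.provisioning.timeout'' says a value below 1000 is replaced by the default, which means a mistake such as entering seconds instead of milliseconds is silently ignored. Say whether that fallback is logged, and spell the unit as "milliseconds" ("milis"). It would also help to state what state a timed-out operation is left in, since the target system may already have applied the change.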
Line 822: Line 884:
 Common configuration properties for all renderers: Common configuration properties for all renderers:
   * ''enabled'' - on / off   * ''enabled'' - on / off
 +
 +==== Logger ====
 +
 +In the application profile (''application.properties''):
 +
 +<code properties>
 +# Show thread name configured by thread pools (task, event) in logs (generated name is shown otherwise)
 +# Two appenders 'console' and 'file' are provided by product. Same configuration is needed for your custom appenders (added in logback.xml).
 +logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n
 +logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n
 +</code>
 +
 +Logger levels can be configured programmatically (override ''logback.xml'' file with default logger levels configuration).
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService'':
 +
 +<code properties>
 +idm.sec.core.logger.<packageName>=<level>
 +</code>
 +
 +Where ''<packageName>'' is package name to set logger ''<level>''.
 +
 +Example:
 +<code properties>
 +idm.sec.core.logger.eu.bcvsolutions=DEBUG
 +</code>
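Review bot: ''idm.sec.core.logger.<packageName>=<level>'' is overloadable through ''ConfigurationService'', so log levels can be raised at runtime, and the only example sets ''eu.bcvsolutions'' to ''DEBUG''. Add a sentence on who may change these keys and a reminder to revert the level afterwards, since debug output of an identity manager can include data that should not sit in log files. Both patterns also use ''%M'', which logback documents as slow to compute; mention that or drop it from the default pattern.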
  • by chalupat