Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:application_configuration:dev:backend [2020/01/31 08:03]
tomiskar 		devel:documentation:application_configuration:dev:backend [2020/12/02 13:19]
tomiskar [Authentication]
Line 1: Line 1:
 ===== Configuration - backend ===== ===== Configuration - backend =====
  
-{{tag> configuration final}}+{{tag> configuration final property properties config setup}}
  
 The application uses a Spring boot configuration in the ''application.properties'' files. All the configuration items which are used solely for idm begin with ''idm.'' prefix. The configuration items from the file can be overloaded through a setting agenda in the gui => a server restart isn't needed for changing the configuration with ''idm.'' prefix, which was one of the main goals. The configuration is saved in the database. Use ''ConfigurationService'' for reading and saving configuration items. The application uses a Spring boot configuration in the ''application.properties'' files. All the configuration items which are used solely for idm begin with ''idm.'' prefix. The configuration items from the file can be overloaded through a setting agenda in the gui => a server restart isn't needed for changing the configuration with ''idm.'' prefix, which was one of the main goals. The configuration is saved in the database. Use ''ConfigurationService'' for reading and saving configuration items.
Line 12: Line 12:
   * if the name of a configuration item contains the''password'' or ''token'' chain, the value of the configuration item is hidden in the rest interface listing (or rather replaced with substitute characters).   * if the name of a configuration item contains the''password'' or ''token'' chain, the value of the configuration item is hidden in the rest interface listing (or rather replaced with substitute characters).
   * It is better to use constants for keys, e.g. ''ConfigurationService.IDM\_PUBLIC\_PROPERTY\_PREFIX + "core.identity.delete"'' - using seperator constant in key name suffix is not preferred - constant can be simply found by key suffix ("ctrl-f" + "core.identity.delete").    * It is better to use constants for keys, e.g. ''ConfigurationService.IDM\_PUBLIC\_PROPERTY\_PREFIX + "core.identity.delete"'' - using seperator constant in key name suffix is not preferred - constant can be simply found by key suffix ("ctrl-f" + "core.identity.delete"). 
- 
-Cache is used for reading configuration values - default spring boot cache (ConcurrentHashMap) is configured for now. Value in cache is cleared by an active (save, delete) operation. 
- 
-<note tip> 
-If you are debugging some of code and are you figuring, something is wrong with the cache, then you can turn the cache off with property (in application.properties) 
-<code properties> 
-spring.cache.type=none 
-</code> 
-</note> 
  
 ==== Configure environment properties ==== ==== Configure environment properties ====
Line 54: Line 45:
  
  
-<note important>To prevent application startup fails due to Flyway error, property ''-Djava.util.Arrays.useLegacyMergeSort=true'' has to be added into environment properties. If property is not set, then application can fail on error: +[[https://proj.bcvsolutions.eu/ngidm/doku.php?id=help:czechidm_server_install_guide#vyber_profilu_aplikace|Add JAVA_OPTS parameters]]
-<code>Error creating bean with name 'flywayCore' defined in class path resource [eu/bcvsolutions/idm/core/config/flyway/CoreFlywayConfig.class]:  +
-Initialization of bean failed; nested exception is java.lang.IllegalArgumentException: Comparison method violates its general contract!</code> +
-</note>+
  
- 
-[[https://proj.bcvsolutions.eu/ngidm/doku.php?id=help:czechidm_server_install_guide#vyber_profilu_aplikace|Add JAVA_OPTS parameters]]: 
- 
-<code> 
--Djava.util.Arrays.useLegacyMergeSort=true 
-</code> 
  
  
Line 78: Line 60:
 # Public properties - available for frontend without authentication (show information about app, decorators etc.). # Public properties - available for frontend without authentication (show information about app, decorators etc.).
 # #
-# Application stage - development, test, production+# Application stage - development, test, production.
 idm.pub.app.stage= idm.pub.app.stage=
 # Application instance / server id - is used for scheduler etc. # Application instance / server id - is used for scheduler etc.
Line 89: Line 71:
 # Show identifiers (uuid) in frontend application. Empty value by default => identifier is shown, when application 'idm.pub.app.stage' is set to 'development'. # Show identifiers (uuid) in frontend application. Empty value by default => identifier is shown, when application 'idm.pub.app.stage' is set to 'development'.
 idm.pub.app.show.id= idm.pub.app.show.id=
-# Show transaction identifiers (uuid) in frontend application +# Show transaction identifiers (uuid) in frontend application.
 idm.pub.app.show.transactionId=false idm.pub.app.show.transactionId=false
-# Show role environmnent in frontend application for roles (table, role detail, niceLabel, info components, role select) +# Show role environment in frontend application for roles (table, role detail, niceLabel, info components, role select).
 idm.pub.app.show.environment=true idm.pub.app.show.environment=true
 +# Show role baseCode in frontend application for roles (table, role detail, niceLabel, info components, role select).
 +idm.pub.app.show.role.baseCode=true
 +# Number of items (pagination) in role catalogue tree in root level.
 +idm.pub.app.show.roleCatalogue.tree.pagination.root.size=25
 +# Number of items (pagination) in role catalogue tree in other levels.
 +idm.pub.app.show.roleCatalogue.tree.pagination.node.size=25
 +# Number of items (pagination) in tree node structure in root level.
 +idm.pub.app.show.treeNode.tree.pagination.root.size=50
 +# Number of items (pagination) in tree node structure in other levels.
 +idm.pub.app.show.treeNode.tree.pagination.node.size=50
 +# Available size options for tables in frontend application
 +idm.pub.app.show.sizeOptions=10, 25, 50, 100
 +# Show buttons for bulk actions in tables (0 = select box will be shown only).
 +# Count of quick access buttons for bulk actions in tables - the first count of bulk actions will be shown as button - next action will be rendered in drop down select box.
 +# Bulk action icon is required for quick access button - action without icon will be rendered in select box.
 +# Bulk action can enforce showing in quick access button (by bulk action configuration).
 +idm.pub.app.show.table.quickButton.count=5
 +# Quick button for bulk actions in tables will be included in drop down select box too (available as button + menu item with text). 
 +# Number of selected record is shown in drop down select header.
 +idm.pub.app.show.table.quickButton.menuIncluded=true
 +# Show default form for newly created user.
 +# Default form can be disabled => at least one configured form projection is needed.
 +idm.pub.app.show.identity.formProjection.default=true
 +# If is true, then role-request description will be show on the detail.
 +# Description will hidden if this property will be false and role request
 +# doesn't contains any value in description (can be filled during the approval process).
 +idm.pub.app.show.roleRequest.description=true
 # #
 # Private properties - used on backend only. # Private properties - used on backend only.
 # #
-create demo data at application start+Create demo data at application start.
 idm.sec.core.demo.data.enabled=true idm.sec.core.demo.data.enabled=true
-demo data was created - prevent to create demo data duplicitly+Demo data was created - prevent to create demo data duplicitly.
 idm.sec.core.demo.data.created=false idm.sec.core.demo.data.created=false
-Enable forest index for tree structures +Create init data at application start. Init data (product provided roles) are updated automatically with pruct updates. 
-idm.sec.app.forest.index.enabled=true+# Set property to false to disable init data creation and updates. 
 +idm.sec.core.init.data.enabled=true
 </code> </code>
  
Line 204: Line 214:
 </code> </code>
  
 +==== Cache ====
  
-==== Attachment storage ===+Cache is used for reading configuration values. Value in cache is cleared by an active (save, delete) operation. 
 + 
 +In the application profile (application.properties): 
 + 
 + 
 + 
 +<code properties> 
 +# Disable cache 
 +# If you are debugging some of code and are you figuring, something is wrong with the cache, then you can turn the cache off with property. 
 +#spring.cache.type=none 
 +
 +# Clusterred cache settings 
 +#idm.sec.cache.terracota.url=localhost:9410,localhost:9420 
 +idm.sec.cache.terracota.resource.name=main 
 +idm.sec.cache.terracota.resource.pool.name=resource-pool 
 +# Size in MB 
 +idm.sec.cache.terracota.resource.pool.size=32 
 +</code> 
 + 
 + 
 +==== Attachment storage ====
  
 ''DefaultAttachmentManager'' stores binary files on file system. Binary files can be attached to any entity, which implements ''AttachableEntity'' interface, [[..:..:modules_rpt:dev:attachment_manager| read more]]. ''DefaultAttachmentManager'' stores binary files on file system. Binary files can be attached to any entity, which implements ''AttachableEntity'' interface, [[..:..:modules_rpt:dev:attachment_manager| read more]].
  
-In the application profile (application.properties) and overloadable via ''ConfigurationService''+In the application profile (application.properties): 
 + 
 +<code properties> 
 +# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. 
 +# Application server (e.g. Tomcat "maxSwallowSize" connector parameter) has to be set properly too (e.g. <Connector port="8080" maxSwallowSize="-1" ...) 
 +spring.servlet.multipart.max-file-size=100MB 
 +spring.servlet.multipart.max-request-size=100MB 
 + 
 +</code> 
 + 
 +In the application profile (application.properties) and overloadable via ''ConfigurationService'':
  
 <code properties> <code properties>
Line 226: Line 267:
 # temporary file time to live in milliseconds # temporary file time to live in milliseconds
 # older temporary files will be purged, default 14 days # older temporary files will be purged, default 14 days
 +# Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends).
 idm.sec.core.attachment.tempTtl=1209600000 idm.sec.core.attachment.tempTtl=1209600000
 </code> </code>
  
-In the application profile (application.properties). +==== Activiti workflow ====
- +
-<code properties> +
-+
-# Max file size of uploaded file. Values can use the suffixed "MB" or "KB" to indicate a Megabyte or Kilobyte size. +
-multipart.max-file-size=100Mb +
- +
-</code> +
- +
-==== Activiti workflow ===+
 <code properties> <code properties>
 # String boot properties for Activiti workflow engine # String boot properties for Activiti workflow engine
Line 275: Line 308:
 # - recaptchaservice endpoint  # - recaptchaservice endpoint 
 idm.sec.security.recaptcha.url=https://www.google.com/recaptcha/api/siteverify idm.sec.security.recaptcha.url=https://www.google.com/recaptcha/api/siteverify
-# - secret key, can be generated here https://www.google.com/recaptcha/admin+# - secret key, can be generated here https://www.google.com/recaptcha/admin (generate V2 checkbox)
 # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do
 idm.sec.security.recaptcha.secretKey=xxx idm.sec.security.recaptcha.secretKey=xxx
Line 415: Line 448:
 # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize.
 scheduler.task.executor.maxPoolSize= scheduler.task.executor.maxPoolSize=
-# Waiting tasks to be processed. Uses {@code Integer.MAX_VALUE} as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. +# Waiting tasks to be processed. Uses 20 as default. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. 
-# {@link AbotrPolicy} is set for rejected tasks.  +# {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link LongRunningTaskManager})
-scheduler.task.executor.queueCapacity=+scheduler.task.executor.queueCapacity=20
 # Thread priority for threads in event executor pool - 5 by default (normal). # Thread priority for threads in event executor pool - 5 by default (normal).
 scheduler.task.executor.threadPriority= scheduler.task.executor.threadPriority=
Line 431: Line 464:
 scheduler.event.executor.maxPoolSize= scheduler.event.executor.maxPoolSize=
 # Waiting events to be processed. Uses 50 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically. # Waiting events to be processed. Uses 50 as default - prevent to prepare events repetitively and use additional threads till maxPoolSize. {@link LinkedBlockingQueue} is used for queue => capacity is initialized dynamically.
-# {@link AbotrPolicy} is set for rejected tasks.+# {@link AbotrPolicy} is set for rejected tasks - reject exception has to be processed by a caller ({@link EntityEventManager}).
 scheduler.event.executor.queueCapacity=50 scheduler.event.executor.queueCapacity=50
 # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5).
Line 443: Line 476:
 <code properties> <code properties>
 # supports delete identity. Needed on FE (=> public) to render available bulk action in table  # supports delete identity. Needed on FE (=> public) to render available bulk action in table 
 +# @deprecated @since 10.6.0 - action can be disabled by bulk action configurable api - use 'idm.sec.core.bulk-action.identity-delete-bulk-action.enabled=false'.
 idm.pub.core.identity.delete=true idm.pub.core.identity.delete=true
 # #
Line 450: Line 484:
 # CUSTOM - users can choose for which accounts change password # CUSTOM - users can choose for which accounts change password
 # Needed on FE (=> public)  # Needed on FE (=> public) 
-idm.pub.core.identity.passwordChange=ALL_ONLY+idm.pub.core.identity.passwordChange=CUSTOM
 # #
 # required old password for change password. # required old password for change password.
Line 469: Line 503:
 # Needed on FE (=> public)  # Needed on FE (=> public) 
 idm.pub.core.identity.dashboard.skip= idm.pub.core.identity.dashboard.skip=
-# 
-# supports authorization policies for extended form definitions and their values for identities 
-# Default is false (backward compatibility) - all form definitions and attributes will be shown (controlled by permissions for identity - IDENTITY_READ / IDENTITY_UPDATE). 
-# true - authorization policies will be evaluated (see https://wiki.czechidm.com/devel/documentation/security/dev/authorization#secure_identity_form_extended_attribute_values) for form definitions (FORMDEFINITION_AUTOCOMPLETE is needed to show form definition) and for form values (FORMVALUE_UPDATE)  
-idm.sec.core.identity.formAttributes.secured=false 
  
 </code> </code>
Line 496: Line 525:
  
 <code properties> <code properties>
 +#
 # Default user role will be added automatically, after an identity is logged in # Default user role will be added automatically, after an identity is logged in
 # could contains default authorities and authority policies configuration # could contains default authorities and authority policies configuration
 # for adding autocomplete or all record read permission etc. # for adding autocomplete or all record read permission etc.
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 idm.sec.core.role.default=userRole idm.sec.core.role.default=userRole
 +#
 # Admin user role # Admin user role
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 idm.sec.core.role.admin=superAdminRole idm.sec.core.role.admin=superAdminRole
 +#
 +# Helpdesk user role
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.core.role.helpdesk=helpdeskRole
 +#
 +# User manager role
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.core.role.userManager=userManagerRole
 +#
 +# Role manager role - role guarantee
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.core.role.roleManager=roleManagerRole
 +#
 +# Virtual system implementer  role - product provided role for implementers (approve vs request etc.).
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.vs.role.implementer=virtualSystemImplementerRole
 +#
 # Separator for the suffix with environment used in role code. # Separator for the suffix with environment used in role code.
 # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script). # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script).
Line 550: Line 606:
 idm.sec.<module>.processor.<name>.eventTypes=CREATE,UPDATE idm.sec.<module>.processor.<name>.eventTypes=CREATE,UPDATE
 </code> </code>
-Where ''<module>'' is processor's module ''<name>'' is processor's name (see overridable processor's methods). Filled configuration properties will be shown on [[..:..:architecture:dev:events#implemented_processors|processor's content]].+Where ''<module>'' is processor's module and ''<name>'' is processor's name (see overridable processor's methods). Filled configuration properties will be shown on [[..:..:architecture:dev:events#implemented_processors|processor's content]].
  
 Common configuration properties for all processors: Common configuration properties for all processors:
Line 558: Line 614:
  
 Exists processors configuration: [[..:..:architecture:dev:events#implemented_processors|implemented proccessors]]. Exists processors configuration: [[..:..:architecture:dev:events#implemented_processors|implemented proccessors]].
 +
 +==== Bulk actions ====
 +
 +@since 10.6.0
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +Every bulk action could have his own configuration properties under prefix: 
 +<code properties>
 +# disable / enable bulk action
 +idm.sec.<module>.bulk-action.<name>.enabled=true
 +</code>
 +Where ''<module>'' is bulk action module and ''<name>'' is bulk action name.
 +
 +Common configuration properties for all bulk actions:
 +  * ''enabled'' - **true** / false.
 +  * ''order'' - bulk action order (for FE only). Action provided default order in implementation.
 +  * ''icon'' - Icon on frontend (for FE only). Icon libraries can be used: ''component:'', ''fa:'', ''glyph:''. Icon is loaded from FE locale by default.
 +  * ''level'' - bulk action level ~ button and icon color (for FE only). Available options: ''success'' (default value), ''info'', ''warning'', ''error''.
 +  * ''deleteAction'' - true / **false** - Action deletes records (for FE only). Action will be in bottom menu section, is action is included in menu. 
 +  * ''quickButton'' - true / **false** - Render action as quick button (for FE only). The first available actions are rendered as buttons, if icon is defined. This configuration enforces rendering action as quick button (order is ignored).
  
  
Line 617: Line 693:
 ==== Entity filters ==== ==== Entity filters ====
 In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
-Every filter could have his own configuration properties under prefix: + 
 +<code properties> 
 +# Enable / disable check filter is properly registered, when filter is used (by entity and property name).  
 +# Throws exception, when unrecognized filter is used. 
 +idm.sec.core.filter.check.supported.enabled=true 
 +# Check count of values exceeded given maximum.  
 +# Related to database count of query parameters (e.g. Oracle = {@code 1000}, MSSql = {@code 2100}). 
 +# Throws exception, when size is exceeded. Set to {@code -1} to disable this check. 
 +idm.sec.core.filter.check.size.maximum=500 
 +</code> 
 + 
 +Every registered filter could have his own configuration properties under prefix: 
 <code properties> <code properties>
-# enable/ disable filter - enabled by default. When filter is disabled and property is filled in filter, then ''disjunction'' criteria is added => no data will be returned+# enable / disable filter - enabled by default. When filter is disabled and property is filled in filter, then ''disjunction'' criteria is added => no data will be returned
 idm.sec.<module>.filter.<entity>.<name>.enabled=true idm.sec.<module>.filter.<entity>.<name>.enabled=true
 # filter implementation # filter implementation
Line 654: Line 741:
  
 ==== Authentication ==== ==== Authentication ====
-UUID of system, against which to user will be authenticated.+UUID of system, against which to user will be authenticated. This authentication is from version 10.4.0 deprecated.
 <code properties> <code properties>
 # ID system against which to authenticate # ID system against which to authenticate
-idm.sec.security.auth.systemId=+idm.sec.security.auth.system=
 </code> </code>
 +
 +Authentication against multiple system wich to user will be authenticated (since 10.4.0) - ID or Code can be used:
 +<code properties>
 +idm.sec.acc.security.auth.order1.system=
 +idm.sec.acc.security.auth.order2.system=
 +</code>
 +
 +Maximum system for authentication can be set with the property:
 +<code properties>
 +idm.sec.acc.security.auth.maximumSystemCount=50
 +</code>
 +
 +More about authenticator can be found [[devel:documentation:security:dev:authentication|there]].
  
 === Authentication filters === === Authentication filters ===
Line 700: Line 800:
 This authentication filter reuses SSO authentication filter behavior above (''uid-suffixes'', ''forbidden-uids''), but application administrator can be logged by this filter (identity with ''APP_ADMIN'' authority). This authentication filter reuses SSO authentication filter behavior above (''uid-suffixes'', ''forbidden-uids''), but application administrator can be logged by this filter (identity with ''APP_ADMIN'' authority).
  
 +=== Two-factor authentication ===
 +
 +[[..:..:security:dev:security#two-factor_authentication|Two-factor authentication]] can be configured in the application profile (application.properties) with following properties:
 +
 +<code properties>
 +# Verification secret length
 +totp.secret.length=32
 +# Time Period ~ period to generate new authentication code
 +totp.time.period=30
 +# Time Discrepancy - number of past (but still valid) authentication codes (e.g. when code is sent by notification, then user could need more time to fill it into CzechIdM)
 +totp.time.discrepancy=1
 +
 +</code>
 ==== Backup ==== ==== Backup ====
 If you want to use redeploy and backup for example in agenda (notification templates, scripts), you must define default backup folder. If you want to use redeploy and backup for example in agenda (notification templates, scripts), you must define default backup folder.
Line 705: Line 818:
  
 <code properties> <code properties>
-configuration property for default backup +Configuration property for backup files. 
 +# Configured attachment storage patrh ( see 'idm.sec.core.attachment.storagePath') is used as default.
 idm.sec.core.backups.default.folder.path=/tmp/backup idm.sec.core.backups.default.folder.path=/tmp/backup
 </code> </code>
Line 761: Line 875:
 # - Default value is 'true' # - Default value is 'true'
 idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true
 +
 +# Default provisioning timeout in milis - every longer provisioning operations will ends with timeout exception (prevent to stuck running operations).
 +# 3 minutes by default.
 +# Timeout has to be configured >= 1000, otherwise default will be returned.
 +idm.sec.acc.provisioning.timeout=180000
 </code> </code>
  
Line 852: Line 971:
 ==== Logger ==== ==== Logger ====
  
-In the application profile (''application.properties''- overloadable via ''ConfigurationService''.+In the application profile (''application.properties'')
 + 
 +<code properties> 
 +# Show thread name configured by thread pools (task, event) in logs (generated name is shown otherwise) 
 +# Two appenders 'consoleand 'fileare provided by product. Same configuration is needed for your custom appenders (added in logback.xml). 
 +logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n 
 +logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n 
 +</code>
  
 Logger levels can be configured programmatically (override ''logback.xml'' file with default logger levels configuration). Logger levels can be configured programmatically (override ''logback.xml'' file with default logger levels configuration).
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService'':
  
 <code properties> <code properties>
  • by chalupat