devel:documentation:application_configuration:dev:backend [2021/02/16 14:43]
svandav [Workflow settings for approval of change user roles]
devel:documentation:application_configuration:dev:backend [2021/11/22 10:52]
tomiskar [Application/ Server]
Line 63: Line 63:
 idm.pub.app.stage= idm.pub.app.stage=
 # Application instance / server id - is used for scheduler etc. # Application instance / server id - is used for scheduler etc.
-Should be defined in property file only+Can be defined in property file only! Overidding via ConfigurationService is not possible for application instance (~ more instanceos on the same database)
 idm.pub.app.instanceId=idm-primary idm.pub.app.instanceId=idm-primary
 +# Frontend server url. 
 +# E.g. http://localhost:3000
 +# Default: The first 'idm.pub.security.allowed-origins' configured value is used (~ backward compatible).
 +# @since 12.0.0
 +idm.pub.app.frontend.url=
 +# Backend server url. 
 +# E.g. http://localhost:8080/idm
 +# Default: Url is resolved dynamically from current servlet request.
 +# @since 12.0.0
 +idm.pub.app.backend.url=
 +
 # global date format on BE. Used in notification templates, logs, etc. FE uses localization key 'core:format.date'. # global date format on BE. Used in notification templates, logs, etc. FE uses localization key 'core:format.date'.
 idm.pub.app.format.date=dd.MM.yyyy idm.pub.app.format.date=dd.MM.yyyy
Line 77: Line 88:
 # Show role baseCode in frontend application for roles (table, role detail, niceLabel, info components, role select). # Show role baseCode in frontend application for roles (table, role detail, niceLabel, info components, role select).
 idm.pub.app.show.role.baseCode=true idm.pub.app.show.role.baseCode=true
-# Number of items (pagination) in role catalogue tree in root level.+# Rendered column in role table agenda. Comma is used as separator. Order of rendered columns is preserved as configured. 
 +# Available columns: 
 +# - name - role name info card with link to detail 
 +# - baseCode - role base code (without environment) 
 +# - environment - role environment 
 +# - disabled 
 +# - description 
 +idm.pub.app.show.role.table.columns=name, baseCode, environment, disabled, description 
 +# Show role catalogue item code in role catalogue tree 
 +idm.pub.app.show.roleCatalogue.tree.code=false 
 +# Number of items (pagination) in role catalogue tree in root level. Used on role select and agenda.
 idm.pub.app.show.roleCatalogue.tree.pagination.root.size=25 idm.pub.app.show.roleCatalogue.tree.pagination.root.size=25
-# Number of items (pagination) in role catalogue tree in other levels.+# Number of items (pagination) in role catalogue tree in other levels. Used on role select and agenda.
 idm.pub.app.show.roleCatalogue.tree.pagination.node.size=25 idm.pub.app.show.roleCatalogue.tree.pagination.node.size=25
 # Number of items (pagination) in tree node structure in root level. # Number of items (pagination) in tree node structure in root level.
Line 98: Line 119:
 # Default form can be disabled => at least one configured form projection is needed. # Default form can be disabled => at least one configured form projection is needed.
 idm.pub.app.show.identity.formProjection.default=true idm.pub.app.show.identity.formProjection.default=true
 +# Rendered column in identity table agenda. Comma is used as separator. Order of rendered columns is preserved as configured.
 +# Available columns:
 +# - username - username with link to detail
 +# - entityinfo - identity info card
 +# - lastName
 +# - firstName
 +# - externalCode - personal number
 +# - email
 +# - state
 +# - passwordexpiration - information about identity password epiration
 +# - description
 +# Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE).
 +# If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail), 
 +# you can use FE configuration https://wiki.czechidm.com/devel/documentation/application_configuration/dev/frontend
 +idm.pub.app.show.identity.table.columns=username, lastName, firstName, externalCode, email, state, description
 +idm.pub.app.show.identityRole.table.columns=role, roleAttributes, environment, identityContract, contractPosition, validFrom, validTill, directRole, automaticRole, incompatibleRoles
 # If is true, then role-request description will be show on the detail. # If is true, then role-request description will be show on the detail.
 # Description will hidden if this property will be false and role request # Description will hidden if this property will be false and role request
 # doesn't contains any value in description (can be filled during the approval process). # doesn't contains any value in description (can be filled during the approval process).
 idm.pub.app.show.roleRequest.description=true idm.pub.app.show.roleRequest.description=true
 +# Show logout content (~ page) with message, after user is logged out.
 +# @since 12.0.0
 +idm.pub.app.show.logout.content=false
 +#
 +# Configurable application theme
 +# @since 12.0.0
 +idm.pub.app.show.theme={ "palette": { "type": "light", "primary":       { "main": "#5cb85c", "contrastText": "#fff" }, "secondary":       { "main": "#f50057", "dark": "#c51162", "contrastText": "#fff" }, "success":       { "main": "#4caf50", "contrastText": "#ffffff" }, "warning":       { "main": "#ff9800", "contrastText": "#fff" }, "action": {"loading": "rgba(255, 255, 255, 0.7)"}, "background":       { "default": "#fafafa", "paper": "#fff" } }, "shape": {"borderRadius": 3} }
 +#
 +# Configurable application logo (attachment uuid identifier)
 +# Recommended logo size is 165 x 40 px.
 +# @since 12.0.0
 +idm.pub.app.show.logo=
 +# Footer help link url.
 +# @since 12.0.0
 +idm.pub.app.show.footer.help.link=https://wiki.czechidm.com/start
 +# Footer service desk link url.
 +# @since 12.0.0
 +idm.pub.app.show.footer.servicedesk.link=https://redmine.czechidm.com/projects/czechidmng
 # #
 # Private properties - used on backend only. # Private properties - used on backend only.
Line 113: Line 168:
 idm.sec.core.init.data.enabled=true idm.sec.core.init.data.enabled=true
 </code> </code>
 +
 +=== Change server for asynchronous processing (switch application instance) ==
 +
 +@since 11.1.0
 +
 +Application instance (server) is used for asynchronus processing - for scheduled tasks, asynchronous long running tasks and events.
 +Instance identifier can be defined in the application profile (application.properties) by property ''idm.pub.app.instanceId''.
 +When we want to schedule and process asynchronous tasks and event on other instace (or when one instance shutdown), then we can switch processing by provided bulk action ''Change server for asynchronous processing'' in configuration agenda:
 +
 +{{ :devel:documentation:application_configuration:dev:switch-instance-bulk-action.png |}}
 +
 +Previous and new instance identifier is required as input parameters. All scheduled tasks and all created (~ not processed) asynchronous long running tasks and events will be moved from previous to new instance and will be processed on new instance (server).
 +
 +Bulk action is available for logged user with required authorities and permissions:
 +  * ''CONFIGURATION_UPDATE'' - configuration property contains instance for asynchronous processing will be changed => authority and ''UPDATE'' base permission for property ''idm.sec.core.event.asynchronous.instanceId'' is required.
 +  * ''SCHEDULER_UPDATE'' - scheduled tasks and created (~ not processed) asynchronous long running tasks will be changed.
 +  * ''ENTITYEVENT_UPDATE'' - created (~ not processed) asynchronous events will be changed.
 +
  
 ==== Jpa === ==== Jpa ===
Line 181: Line 254:
 <springProperty name="spring.datasource.jndi-name" source="spring.datasource.jndi-name"/> <springProperty name="spring.datasource.jndi-name" source="spring.datasource.jndi-name"/>
        
-<appender name="DB" class="ch.qos.logback.classic.db.DBAppender">+<appender name="DB" class="eu.bcvsolutions.idm.core.exception.IdmDbAppender">
  <connectionSource class="ch.qos.logback.core.db.JNDIConnectionSource">  <connectionSource class="ch.qos.logback.core.db.JNDIConnectionSource">
  <!-- please note the "java:comp/env/" prefix -->  <!-- please note the "java:comp/env/" prefix -->
Line 296: Line 369:
 <code properties> <code properties>
 # allowed origins for FE # allowed origins for FE
-# the first value is used as frontend url to notification templates 
 idm.pub.security.allowed-origins=http://localhost:3000,http://localhost idm.pub.security.allowed-origins=http://localhost:3000,http://localhost
 # auth token # auth token
Line 453: Line 525:
 # Thread priority for threads in event executor pool - 5 by default (normal). # Thread priority for threads in event executor pool - 5 by default (normal).
 scheduler.task.executor.threadPriority= scheduler.task.executor.threadPriority=
 +# Asynchronous task processing is stopped.
 +# Asynchronous task processing is stopped, when instance for processing is switched => prevent to process asynchronous task in the meantime.
 +# Asynchronous task processing can be stopped for testing or debugging purposes.
 +# Asynchronous task are still created in queue, but they are not processed automatically - task can be executed manually from ui.
 +idm.sec.core.scheduler.task.asynchronous.stopProcessing=false
 # Event queue processing period (ms). Period to read prepared (~created) asynchronous entity events from queue.  # Event queue processing period (ms). Period to read prepared (~created) asynchronous entity events from queue. 
 # Events are processed in batch configured by property 'idm.sec.core.event.asynchronous.batchSize'. If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher or this property can be lower. # Events are processed in batch configured by property 'idm.sec.core.event.asynchronous.batchSize'. If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher or this property can be lower.
Line 495: Line 572:
 # Needed on FE (=> public)  # Needed on FE (=> public) 
 idm.pub.core.identity.passwordChange.public.idm.enabled=true idm.pub.core.identity.passwordChange.public.idm.enabled=true
-# 
-# create default identity's contract, when identity is created. 
-# skipped in synchronizations - contract synchronization should be provided. 
-idm.pub.core.identity.create.defaultContract.enabled=true 
 # #
 # Skip identity dashboard content - show full detail directly (link from table or from info component) # Skip identity dashboard content - show full detail directly (link from table or from info component)
 # Needed on FE (=> public)  # Needed on FE (=> public) 
 idm.pub.core.identity.dashboard.skip= idm.pub.core.identity.dashboard.skip=
 +#
 +# Create default identity's contract, when identity is created.
 +# Skipped in synchronizations - contract synchronization should be provided.
 +idm.sec.core.identity.create.defaultContract.enabled=true
 +# Creates default identity's contract with configured position name.
 +idm.sec.core.identity.create.defaultContract.position=Default
 +# Creates default identity's contract with configured state. Valid contract will be crated by default, other possible values:
 +# EXCLUDED - Excluded from evidence - remains valid, but roles assigned for this contract are not added for logged identity.
 +# DISABLED - Invalid by user - not changed by dates.
 +idm.sec.core.identity.create.defaultContract.state=
 +# Number of days related to current date - will be used for set contract valid till date (current date + expiration in days = valid till).
 +# Contact valid till will not be set by default (~ contract expiration is not configured by default).
 +idm.sec.core.identity.create.defaultContract.expiration=
 +#
 +# Profile image max file size in readable string format (e.g. 200KB).
 +idm.sec.core.identity.profile.image.max-file-size=512KB
  
 </code> </code>
Line 590: Line 679:
 # disable / enable asynchronous event processing. Events will be executed synchronously, if it's disabled. Enabled by default. # disable / enable asynchronous event processing. Events will be executed synchronously, if it's disabled. Enabled by default.
 idm.sec.core.event.asynchronous.enabled=true idm.sec.core.event.asynchronous.enabled=true
 +# Asynchronous event processing is stopped.
 +# Event processing is stopped, when instance for processing is switched => prevent to process instances in the meantime.
 +# Asynchronous event processing can be disabled for testing or debugging purposes.
 +# Events are still created in queue, but they are not processed.
 +idm.sec.core.event.asynchronous.stopProcessing=false
 # Asynchronous events will be executed on server instance with id. Default is the same as {@link ConfigurationService#getInstanceId()} (current server instance). # Asynchronous events will be executed on server instance with id. Default is the same as {@link ConfigurationService#getInstanceId()} (current server instance).
 idm.sec.core.event.asynchronous.instanceId= idm.sec.core.event.asynchronous.instanceId=
Line 634: Line 728:
   * ''deleteAction'' - true / **false** - Action deletes records (for FE only). Action will be in bottom menu section, is action is included in menu.    * ''deleteAction'' - true / **false** - Action deletes records (for FE only). Action will be in bottom menu section, is action is included in menu. 
   * ''quickButton'' - true / **false** - Render action as quick button (for FE only). The first available actions are rendered as buttons, if icon is defined. This configuration enforces rendering action as quick button (order is ignored).   * ''quickButton'' - true / **false** - Render action as quick button (for FE only). The first available actions are rendered as buttons, if icon is defined. This configuration enforces rendering action as quick button (order is ignored).
 +  * ''quickButtonable'' - **true** / false - Action can be included in quick buttons on FE. Set to **false**, when button should be not rendered => action will be rendendered in drop down menu only.
  
  
Line 823: Line 918:
  
 </code> </code>
 +
 +=== CAS authentication filter ===
 +@since 12.0.0
 +[[..:..:security:dev:security#cas_authentication|CAS authentication]] can be configured with following properties:
 +<code properties>
 +# Enable authentication via CAS. If enabled, "idm.sec.core.cas.url" become mandatory and must be set for SSO authentication via CAS to work. Default: false
 +idm.pub.core.cas.enabled=false
 +# Other properties
 +# Base URL where CAS is accessible. Syntax of this field is https://hostname-of-CAS/URI.
 +idm.sec.core.cas.url=
 +# IdM service name configured as service on CAS server. 
 +# When service is configured, then login and logout redirect urls, should be defined directly in CAS service configuration.
 +# Default: service name for login / logout is created dynamically by BE server url (recommended).
 +idm.sec.core.cas.service=
 +# Suffix which is, in effect, appended to idm.sec.core.cas.url. Resulting URL is used for login operation in CAS. It must start with slash (eg. /login).
 +idm.sec.core.cas.login-path=/login
 +# Suffix which is appended to idm.sec.core.cas.url. Resulting URL is used for single sign-out operation. It must start with slash (eg. /logout).
 +idm.sec.core.cas.logout-path=/logout
 +# Ticket can be given as request parameter (recommended, configured by default).
 +idm.sec.core.cas.parameter-name=ticket
 +# Header name in which CAS sends the ticket value. Ticket can be given as request header. Not configured by default.
 +idm.sec.core.cas.header-name=
 +# Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https://hostname-of-CzechIdM/URI/?ticket=. Not configured by default.
 +idm.sec.core.cas.header-prefix=
 +</code>
 +
 ==== Backup ==== ==== Backup ====
 If you want to use redeploy and backup for example in agenda (notification templates, scripts), you must define default backup folder. If you want to use redeploy and backup for example in agenda (notification templates, scripts), you must define default backup folder.
Line 895: Line 1016:
  
 ==== Provisioning global break ==== ==== Provisioning global break ====
-<note tip>For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be active.</note>+<note tip>For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be activated.</note>
  
 <code properties> <code properties>
Line 988: Line 1109:
 # Show thread name configured by thread pools (task, event) in logs (generated name is shown otherwise) # Show thread name configured by thread pools (task, event) in logs (generated name is shown otherwise)
 # Two appenders 'console' and 'file' are provided by product. Same configuration is needed for your custom appenders (added in logback.xml). # Two appenders 'console' and 'file' are provided by product. Same configuration is needed for your custom appenders (added in logback.xml).
-logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n +logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n 
-logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{36}.%M : %msg%n+logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 </code> </code>
  
Line 1006: Line 1127:
 idm.sec.core.logger.eu.bcvsolutions=DEBUG idm.sec.core.logger.eu.bcvsolutions=DEBUG
 </code> </code>
 +
 +==== Monitoring ====
 +
 +=== Monitoring evaluator ===
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +
 +<code properties>
 +# disable / enable monitoring evaluator
 +idm.sec.<module>.monitoring-evaluator.<name>.enabled=true
 +</code>
 +Where ''<module>'' is monitoring's module a ''<name>'' is monitoring's name.
 +
 +Common configuration properties for all monitorings:
 +  * ''enabled'' - true / false
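Review bot: The new `idm.pub.app.backend.url` comment in the `Line 63: Line 63:` hunk says the default is "resolved dynamically from current servlet request", and the CAS hunk (`Line 823: Line 918:`) then recommends letting the CAS service name be built from that same BE server url, but neither says what the resolution is based on; if it is the request's Host / X-Forwarded-* headers, a deployment behind a reverse proxy gets whatever the proxy forwards, and a client-supplied host could end up in the CAS login / logout service url (CAS service registration would be the only check). I would extend the backend url comment with `# Production: set explicitly when running behind a reverse proxy - the request-derived url depends on Host / X-Forwarded-* headers and is also used as the default CAS service url (see idm.sec.core.cas.service).` and repeat the caveat on the CAS `Default:` line. Separately, the `Line 495: Line 572:` hunk drops `idm.pub.core.identity.create.defaultContract.enabled` and adds `idm.sec.core.identity.create.defaultContract.enabled` without saying the key was renamed; a one-line note that the old `idm.pub.` key is no longer read (if that is indeed the case) would save operators who still carry it in application.properties a silent behaviour change.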