Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
devel:documentation:application_configuration:dev:backend [2021/10/22 06:45] tomiskar [Application/ Server] |
devel:documentation:application_configuration:dev:backend [2023/12/01 12:42] chalupat [Authentication] |
||
---|---|---|---|
Line 3: | Line 3: | ||
{{tag> configuration final property properties config setup}} | {{tag> configuration final property properties config setup}} | ||
- | The application uses a Spring boot configuration in the '' | + | The application uses a Spring boot configuration in the '' |
Naming conventions of the configuration items in idm: | Naming conventions of the configuration items in idm: | ||
- | | + | |
- | * '' | + | |
- | * '' | + | * '' |
- | * '' | + | * '' |
- | * if the name of a configuration item contains the'' | + | * '' |
- | * It is better to use constants for keys, e.g. '' | + | * if the name of a configuration item contains the'' |
+ | * It is better to use constants for keys, e.g. '' | ||
==== Configure environment properties ==== | ==== Configure environment properties ==== | ||
Line 20: | Line 21: | ||
Start server under defined profile ([[https:// | Start server under defined profile ([[https:// | ||
- | |||
< | < | ||
+ | |||
-Dspring.profiles.active=production | -Dspring.profiles.active=production | ||
+ | |||
</ | </ | ||
== Configured devstack profiles == | == Configured devstack profiles == | ||
- | * '' | + | * '' |
- | * '' | + | * '' |
- | * '' | + | * '' |
- | * '' | + | * '' |
=== External configuration === | === External configuration === | ||
Line 37: | Line 38: | ||
Start server with external path to configuration ([[https:// | Start server with external path to configuration ([[https:// | ||
- | |||
< | < | ||
+ | |||
--spring.config.location=classpath:/ | --spring.config.location=classpath:/ | ||
+ | |||
</ | </ | ||
=== Environment properties === | === Environment properties === | ||
- | |||
[[https:// | [[https:// | ||
- | |||
- | |||
===== Configuration items ===== | ===== Configuration items ===== | ||
- | ==== Application/ | + | ==== Application/ |
- | In the application profile (application.properties) and overloadable via ConfigurationService. | + | In the application profile (application.properties) and overloadable via ConfigurationService. |
<code properties> | <code properties> | ||
Line 65: | Line 64: | ||
# Can be defined in property file only! Overidding via ConfigurationService is not possible for application instance (~ more instanceos on the same database) | # Can be defined in property file only! Overidding via ConfigurationService is not possible for application instance (~ more instanceos on the same database) | ||
idm.pub.app.instanceId=idm-primary | idm.pub.app.instanceId=idm-primary | ||
+ | # Frontend server url. | ||
+ | # E.g. http:// | ||
+ | # Default: The first ' | ||
+ | # @since 12.0.0 | ||
+ | idm.pub.app.frontend.url= | ||
+ | # Backend server url. | ||
+ | # E.g. http:// | ||
+ | # Default: Url is resolved dynamically from current servlet request. | ||
+ | # @since 12.0.0 | ||
+ | idm.pub.app.backend.url= | ||
+ | |||
# global date format on BE. Used in notification templates, logs, etc. FE uses localization key ' | # global date format on BE. Used in notification templates, logs, etc. FE uses localization key ' | ||
idm.pub.app.format.date=dd.MM.yyyy | idm.pub.app.format.date=dd.MM.yyyy | ||
Line 102: | Line 112: | ||
# Bulk action can enforce showing in quick access button (by bulk action configuration). | # Bulk action can enforce showing in quick access button (by bulk action configuration). | ||
idm.pub.app.show.table.quickButton.count=5 | idm.pub.app.show.table.quickButton.count=5 | ||
- | # Quick button for bulk actions in tables will be included in drop down select box too (available as button + menu item with text). | + | # Quick button for bulk actions in tables will be included in drop down select box too (available as button + menu item with text). |
# Number of selected record is shown in drop down select header. | # Number of selected record is shown in drop down select header. | ||
idm.pub.app.show.table.quickButton.menuIncluded=true | idm.pub.app.show.table.quickButton.menuIncluded=true | ||
Line 120: | Line 130: | ||
# - description | # - description | ||
# Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE). | # Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE). | ||
- | # If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail), | + | # If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail), |
# you can use FE configuration https:// | # you can use FE configuration https:// | ||
idm.pub.app.show.identity.table.columns=username, | idm.pub.app.show.identity.table.columns=username, | ||
- | idm.pub.app.show.identityRole.table.columns=role, | + | # Rendered columns in user roles agenda (Directly assigned roles). Comma is used as separator. Order of rendered columns is preserved as configured. |
+ | idm.pub.app.show.identityRole.table.columns=role, | ||
+ | # Rendered columns in role requests in the table for assigned roles. Comma is used as separator. Order of rendered columns is preserved as configured. | ||
+ | idm.pub.app.show.role.request.table.columns=name, | ||
# If is true, then role-request description will be show on the detail. | # If is true, then role-request description will be show on the detail. | ||
# Description will hidden if this property will be false and role request | # Description will hidden if this property will be false and role request | ||
Line 129: | Line 142: | ||
idm.pub.app.show.roleRequest.description=true | idm.pub.app.show.roleRequest.description=true | ||
# Show logout content (~ page) with message, after user is logged out. | # Show logout content (~ page) with message, after user is logged out. | ||
+ | # @since 12.0.0 | ||
idm.pub.app.show.logout.content=false | idm.pub.app.show.logout.content=false | ||
+ | # | ||
+ | # Configurable application theme | ||
+ | # @since 12.0.0 | ||
+ | idm.pub.app.show.theme={ " | ||
+ | # | ||
+ | # Configurable application logo (attachment uuid identifier) | ||
+ | # Recommended logo size is 165 x 40 px. | ||
+ | # @since 12.0.0 | ||
+ | idm.pub.app.show.logo= | ||
+ | # Footer help link url. | ||
+ | # @since 12.0.0 | ||
+ | idm.pub.app.show.footer.help.link=https:// | ||
+ | # Footer service desk link url. | ||
+ | # @since 12.0.0 | ||
+ | idm.pub.app.show.footer.serviceDesk.link=https:// | ||
# | # | ||
# Private properties - used on backend only. | # Private properties - used on backend only. | ||
Line 140: | Line 169: | ||
# Set property to false to disable init data creation and updates. | # Set property to false to disable init data creation and updates. | ||
idm.sec.core.init.data.enabled=true | idm.sec.core.init.data.enabled=true | ||
+ | |||
+ | |||
</ | </ | ||
- | === Change server for asynchronous processing (switch application instance) == | + | === Change server for asynchronous processing (switch application instance) |
@since 11.1.0 | @since 11.1.0 | ||
- | Application instance (server) is used for asynchronus processing - for scheduled tasks, asynchronous long running tasks and events. | + | Application instance (server) is used for asynchronus processing - for scheduled tasks, asynchronous long running tasks and events. Instance identifier can be defined in the application profile (application.properties) by property '' |
- | Instance identifier can be defined in the application profile (application.properties) by property '' | + | |
- | When we want to schedule and process asynchronous tasks and event on other instace (or when one instance shutdown), then we can switch processing by provided bulk action '' | + | |
- | {{ : | + | {{ .: |
Previous and new instance identifier is required as input parameters. All scheduled tasks and all created (~ not processed) asynchronous long running tasks and events will be moved from previous to new instance and will be processed on new instance (server). | Previous and new instance identifier is required as input parameters. All scheduled tasks and all created (~ not processed) asynchronous long running tasks and events will be moved from previous to new instance and will be processed on new instance (server). | ||
Bulk action is available for logged user with required authorities and permissions: | Bulk action is available for logged user with required authorities and permissions: | ||
- | * '' | ||
- | * '' | ||
- | * '' | ||
- | + | * '' | |
- | ==== Jpa === | + | * '' |
+ | * '' | ||
+ | ==== Jpa ==== | ||
In the application profile (application.properties) | In the application profile (application.properties) | ||
Line 194: | Line 222: | ||
spring.datasource.testOnBorrow=true | spring.datasource.testOnBorrow=true | ||
spring.datasource.validationQuery=SELECT 1 | spring.datasource.validationQuery=SELECT 1 | ||
- | # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. | + | # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. |
- | spring.datasource.hikari.maximumPoolSize=50 | + | spring.datasource.maximumPoolSize=50 |
+ | |||
</ | </ | ||
+ | |||
+ | ====== Additional datasources ====== | ||
+ | |||
+ | As of version 12.2.0 we are no longer using spring-boot datasource autoconfiguration. Instead, we define datasources ourseves. This decision was motivated by our need for multiple independent datasources with separated connection pools, which was previously not possible. | ||
+ | |||
+ | Notable changes: | ||
+ | |||
+ | * | ||
+ | |||
+ | There are by default two datasources configured | ||
+ | |||
+ | * datasource - default datasource, which is being used for almost all database communication (Flyway, JPA repositories) | ||
+ | * loggingDatasource - This datasource is used by our database logging appender to write logging messages, when databes appender is enabled. The reason why this is done by separate datasource is to prevent database logging to hog database connections and hinder the application performance | ||
+ | * | ||
+ | |||
+ | Configuration properties, that have changed with introduction of additional datasources: | ||
+ | |||
+ | * //'' | ||
+ | * spring.datasource.hikari.* → spring.datasource.* | ||
+ | * | ||
+ | |||
+ | Both datasources are required for the app to start. | ||
+ | |||
+ | * By default, both datasources are configured for H2 in-memory database | ||
+ | * If you specify property spring.datasource.jdbcUrl, | ||
+ | * The same goes for loggingDatasource, | ||
+ | |||
+ | ===== Datasource configuration properties | ||
+ | |||
+ | CzechIdM uses HikariCP to manage connections. All possible configuration properties for each datasource can be seen as fields in [[https:// | ||
+ | |||
+ | ===== Developer ===== | ||
+ | |||
+ | * If you are using '' | ||
+ | * @CoreEntityManager` annotation, if you want to autowire main application datasource (in most cases you want to use this | ||
+ | * @Qualifier(" | ||
=== JNDI datasource === | === JNDI datasource === | ||
Firstly is needed to configure JNDI resource in the J2EE server. Here is a configuration snippet for Tomcat. It assumes PostgreSQL as the database: | Firstly is needed to configure JNDI resource in the J2EE server. Here is a configuration snippet for Tomcat. It assumes PostgreSQL as the database: | ||
+ | |||
<code xml> | <code xml> | ||
<Context antiJARLocking=" | <Context antiJARLocking=" | ||
- | < | + | |
- | | + | name=" |
- | | + | auth=" |
- | | + | type=" |
- | | + | username=" |
- | | + | password=" |
- | | + | driverClassName=" |
- | | + | url=" |
- | | + | maxActive=" |
maxIdle=" | maxIdle=" | ||
</ | </ | ||
+ | |||
+ | |||
</ | </ | ||
In the application profile (application.properties), | In the application profile (application.properties), | ||
+ | |||
<code properties> | <code properties> | ||
# JNDI location of the datasource. Class, url, username & password are ignored when set. | # JNDI location of the datasource. Class, url, username & password are ignored when set. | ||
spring.datasource.jndi-name=PostgresDS | spring.datasource.jndi-name=PostgresDS | ||
+ | |||
+ | |||
</ | </ | ||
- | In **logback-spring.xml** configuration (by profile, if db appender is used), update datasource properties: | + | In **logback-spring.xml** |
<code xml> | <code xml> | ||
... | ... | ||
< | < | ||
- | | + | |
< | < | ||
- | < | + | |
- | <!-- please note the " | + | <!-- please note the " |
- | < | + | < |
- | </ | + | </ |
</ | </ | ||
... | ... | ||
+ | |||
+ | |||
</ | </ | ||
- | |||
=== Using SSL === | === Using SSL === | ||
- | - Configure PostgreSQL server, documentation: | + | - Configure PostgreSQL server, documentation: |
- | - Short example: https:// | + | - Short example: |
- | - Create new truststore specifically for the CzechIdM. When starting your Java application you must specify this keystore and password to use '' | + | - Create new truststore specifically for the CzechIdM. When starting your Java application you must specify this keystore and password to use '' |
- | <note important> | + | <note important> |
While updating custom java deployment: | While updating custom java deployment: | ||
- | | + | |
+ | | ||
While updating Java OS packages: | While updating Java OS packages: | ||
- | | + | |
+ | | ||
</ | </ | ||
Line 255: | Line 332: | ||
Update datasource properties: | Update datasource properties: | ||
+ | |||
<code properties> | <code properties> | ||
# add ssl usage flag, see https:// | # add ssl usage flag, see https:// | ||
spring.datasource.url=jdbc: | spring.datasource.url=jdbc: | ||
+ | |||
+ | |||
</ | </ | ||
Line 265: | Line 345: | ||
In the application profile (application.properties): | In the application profile (application.properties): | ||
- | |||
- | |||
<code properties> | <code properties> | ||
Line 279: | Line 357: | ||
# Size in MB | # Size in MB | ||
idm.sec.cache.terracota.resource.pool.size=32 | idm.sec.cache.terracota.resource.pool.size=32 | ||
- | </ | ||
+ | |||
+ | </ | ||
==== Attachment storage ==== | ==== Attachment storage ==== | ||
- | '' | + | '' |
In the application profile (application.properties): | In the application profile (application.properties): | ||
Line 293: | Line 372: | ||
spring.servlet.multipart.max-file-size=100MB | spring.servlet.multipart.max-file-size=100MB | ||
spring.servlet.multipart.max-request-size=100MB | spring.servlet.multipart.max-request-size=100MB | ||
+ | |||
</ | </ | ||
Line 315: | Line 395: | ||
# Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends). | # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends). | ||
idm.sec.core.attachment.tempTtl=1209600000 | idm.sec.core.attachment.tempTtl=1209600000 | ||
+ | |||
+ | |||
</ | </ | ||
==== Activiti workflow ==== | ==== Activiti workflow ==== | ||
+ | |||
<code properties> | <code properties> | ||
# String boot properties for Activiti workflow engine | # String boot properties for Activiti workflow engine | ||
Line 334: | Line 417: | ||
# definitions name pattern - subfolders can be used | # definitions name pattern - subfolders can be used | ||
spring.activiti.processDefinitionLocationSuffixes=**/ | spring.activiti.processDefinitionLocationSuffixes=**/ | ||
+ | |||
+ | |||
</ | </ | ||
Line 342: | Line 427: | ||
<code properties> | <code properties> | ||
# allowed origins for FE | # allowed origins for FE | ||
- | # the first value is used as frontend url to notification templates | ||
idm.pub.security.allowed-origins=http:// | idm.pub.security.allowed-origins=http:// | ||
# auth token | # auth token | ||
Line 352: | Line 436: | ||
idm.sec.security.jwt.token.extend.expiration=true | idm.sec.security.jwt.token.extend.expiration=true | ||
# recaptcha | # recaptcha | ||
- | # - recaptchaservice endpoint | + | # - recaptchaservice endpoint |
idm.sec.security.recaptcha.url=https:// | idm.sec.security.recaptcha.url=https:// | ||
# - secret key, can be generated here https:// | # - secret key, can be generated here https:// | ||
# - test secret key: https:// | # - test secret key: https:// | ||
idm.sec.security.recaptcha.secretKey=xxx | idm.sec.security.recaptcha.secretKey=xxx | ||
+ | # Proxy configuration for reCAPTCHA (since version 12.2.5) | ||
+ | idm.sec.security.recaptcha.proxy=12.34.56.78: | ||
+ | |||
</ | </ | ||
- | Allowed-origins defines, which resources can use backend API methods. e.g. When there is a web server serving as reverse proxy on the same server as BE, the http:// | + | Allowed-origins defines, which resources can use backend API methods. e.g. When there is a web server serving as reverse proxy on the same server as BE, the [[http:// |
==== Flyway ==== | ==== Flyway ==== | ||
Line 367: | Line 453: | ||
<code properties> | <code properties> | ||
- | # Enable flyway migrations. | + | # Enable flyway migrations. |
# @see https:// | # @see https:// | ||
flyway.enabled=false | flyway.enabled=false | ||
+ | |||
+ | |||
</ | </ | ||
Line 377: | Line 465: | ||
## Core Flyway configuration | ## Core Flyway configuration | ||
# | # | ||
- | # Whether to automatically call baseline when migrate is executed against a non-empty schema with no metadata table. | + | # Whether to automatically call baseline when migrate is executed against a non-empty schema with no metadata table. |
- | # This schema will then be baselined with the baselineVersion before executing the migrations. | + | # This schema will then be baselined with the baselineVersion before executing the migrations. |
# Only migrations above baselineVersion will then be applied. | # Only migrations above baselineVersion will then be applied. | ||
# This is useful for initial Flyway production deployments on projects with an existing DB. | # This is useful for initial Flyway production deployments on projects with an existing DB. | ||
Line 390: | Line 478: | ||
# Comma-separated list of locations to scan recursively for migrations. The location type is determined by its prefix. | # Comma-separated list of locations to scan recursively for migrations. The location type is determined by its prefix. | ||
# Unprefixed locations or locations starting with classpath: point to a package on the classpath and may contain both sql and java-based migrations. | # Unprefixed locations or locations starting with classpath: point to a package on the classpath and may contain both sql and java-based migrations. | ||
- | # Locations starting with filesystem: point to a directory on the filesystem and may only contain sql migrations. | + | # Locations starting with filesystem: point to a directory on the filesystem and may only contain sql migrations. |
# IdmFlywayMigrationStrategy resolves used jdbc database dynamically - ${dbName} in location could be used. | # IdmFlywayMigrationStrategy resolves used jdbc database dynamically - ${dbName} in location could be used. | ||
flyway.core.locations=classpath: | flyway.core.locations=classpath: | ||
+ | |||
+ | |||
</ | </ | ||
==== Module configuration ==== | ==== Module configuration ==== | ||
- | Information about module can be defined in property file (module-< | + | Information about module can be defined in property file (module-< |
<code properties> | <code properties> | ||
Line 415: | Line 505: | ||
module.< | module.< | ||
module.< | module.< | ||
+ | |||
+ | |||
</ | </ | ||
Line 420: | Line 512: | ||
In the application profile (application.properties) | In the application profile (application.properties) | ||
+ | |||
<code properties> | <code properties> | ||
## Swagger config | ## Swagger config | ||
Line 431: | Line 524: | ||
springfox.documentation.swagger.outputDir=@swagger.output.dir@ | springfox.documentation.swagger.outputDir=@swagger.output.dir@ | ||
springfox.documentation.swagger.outputFilename=@swagger.output.filename@ | springfox.documentation.swagger.outputFilename=@swagger.output.filename@ | ||
+ | |||
+ | |||
</ | </ | ||
Line 448: | Line 543: | ||
# The FROM email address. | # The FROM email address. | ||
idm.sec.core.emailer.from=idm@bcvsolutions.eu | idm.sec.core.emailer.from=idm@bcvsolutions.eu | ||
+ | |||
+ | |||
</ | </ | ||
Line 461: | Line 558: | ||
idm.sec.core.notification.template.folder=classpath*:/ | idm.sec.core.notification.template.folder=classpath*:/ | ||
idm.sec.core.notification.template.fileSuffix=**/ | idm.sec.core.notification.template.fileSuffix=**/ | ||
+ | |||
+ | |||
</ | </ | ||
Line 474: | Line 573: | ||
idm.sec.core.script.folder=classpath*:/ | idm.sec.core.script.folder=classpath*:/ | ||
idm.sec.core.script.fileSuffix=**/ | idm.sec.core.script.fileSuffix=**/ | ||
- | </ | ||
+ | |||
+ | </ | ||
==== Scheduler ==== | ==== Scheduler ==== | ||
Line 490: | Line 590: | ||
# Task executor core pool size. Uses CPU count as default. | # Task executor core pool size. Uses CPU count as default. | ||
scheduler.task.executor.corePoolSize= | scheduler.task.executor.corePoolSize= | ||
- | # Task executor max pool size. Uses CPU corePoolSize * 2 as default. | + | # Task executor max pool size. Uses CPU corePoolSize * 2 as default. |
# maxPoolSize has to be higher than corePoolSize (IllegalArgumentException is thrown otherwise). | # maxPoolSize has to be higher than corePoolSize (IllegalArgumentException is thrown otherwise). | ||
# When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | ||
Line 504: | Line 604: | ||
# Asynchronous task are still created in queue, but they are not processed automatically - task can be executed manually from ui. | # Asynchronous task are still created in queue, but they are not processed automatically - task can be executed manually from ui. | ||
idm.sec.core.scheduler.task.asynchronous.stopProcessing=false | idm.sec.core.scheduler.task.asynchronous.stopProcessing=false | ||
- | # Event queue processing period (ms). Period to read prepared (~created) asynchronous entity events from queue. | + | # Event queue processing period (ms). Period to read prepared (~created) asynchronous entity events from queue. |
# Events are processed in batch configured by property ' | # Events are processed in batch configured by property ' | ||
# Default 500ms. | # Default 500ms. | ||
Line 510: | Line 610: | ||
# Event executor core pool size. Uses CPU count + 1 as default. | # Event executor core pool size. Uses CPU count + 1 as default. | ||
scheduler.event.executor.corePoolSize= | scheduler.event.executor.corePoolSize= | ||
- | # Event executor max pool size. Uses CPU corePoolSize * 2 as default. | + | # Event executor max pool size. Uses CPU corePoolSize * 2 as default. |
# maxPoolSize has to be higher than corePoolSize (IllegalArgumentException is thrown otherwise). | # maxPoolSize has to be higher than corePoolSize (IllegalArgumentException is thrown otherwise). | ||
# When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | # When queueCapacity is full, then new threads are created from corePoolSize to maxPoolSize. | ||
Line 519: | Line 619: | ||
# Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). | # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). | ||
scheduler.event.executor.threadPriority=6 | scheduler.event.executor.threadPriority=6 | ||
+ | |||
+ | |||
</ | </ | ||
Line 526: | Line 628: | ||
<code properties> | <code properties> | ||
- | # supports delete identity. Needed on FE (=> public) to render available bulk action in table | + | # supports delete identity. Needed on FE (=> public) to render available bulk action in table |
# @deprecated @since 10.6.0 - action can be disabled by bulk action configurable api - use ' | # @deprecated @since 10.6.0 - action can be disabled by bulk action configurable api - use ' | ||
idm.pub.core.identity.delete=true | idm.pub.core.identity.delete=true | ||
# | # | ||
- | # default password change type for custom users, one of values: | + | # default password change type for custom users, one of values: |
# DISABLED - password change is disable | # DISABLED - password change is disable | ||
# ALL_ONLY - users can change passwords only for all accounts | # ALL_ONLY - users can change passwords only for all accounts | ||
# CUSTOM - users can choose for which accounts change password | # CUSTOM - users can choose for which accounts change password | ||
- | # Needed on FE (=> public) | + | # Needed on FE (=> public) |
idm.pub.core.identity.passwordChange=CUSTOM | idm.pub.core.identity.passwordChange=CUSTOM | ||
# | # | ||
# required old password for change password. | # required old password for change password. | ||
- | # Needed on FE (=> public) | + | # Needed on FE (=> public) |
idm.pub.core.identity.passwordChange.requireOldPassword=true | idm.pub.core.identity.passwordChange.requireOldPassword=true | ||
# | # | ||
Line 544: | Line 646: | ||
# true - change to IdM and all system | # true - change to IdM and all system | ||
# false - change to all system except IdM | # false - change to all system except IdM | ||
- | # Needed on FE (=> public) | + | # Needed on FE (=> public) |
idm.pub.core.identity.passwordChange.public.idm.enabled=true | idm.pub.core.identity.passwordChange.public.idm.enabled=true | ||
# | # | ||
# Skip identity dashboard content - show full detail directly (link from table or from info component) | # Skip identity dashboard content - show full detail directly (link from table or from info component) | ||
- | # Needed on FE (=> public) | + | # Needed on FE (=> public) |
idm.pub.core.identity.dashboard.skip= | idm.pub.core.identity.dashboard.skip= | ||
# | # | ||
Line 566: | Line 668: | ||
# Profile image max file size in readable string format (e.g. 200KB). | # Profile image max file size in readable string format (e.g. 200KB). | ||
idm.sec.core.identity.profile.image.max-file-size=512KB | idm.sec.core.identity.profile.image.max-file-size=512KB | ||
+ | |||
</ | </ | ||
Line 576: | Line 679: | ||
# The protected interval can be set using the property idm.sec.core.contract-slice.protection-interval, | # The protected interval can be set using the property idm.sec.core.contract-slice.protection-interval, | ||
# If the number of days between the termination of the contract and its renewal in the following time slice is less than or equal to the number | # If the number of days between the termination of the contract and its renewal in the following time slice is less than or equal to the number | ||
- | # of days set in the protection interval, then the date of the contract validity from the following slice will be used instead of the date of | + | # of days set in the protection interval, then the date of the contract validity from the following slice will be used instead of the date of |
# termination of the contract from the currently valid slice. | # termination of the contract from the currently valid slice. | ||
idm.sec.core.contract-slice.protection-interval=0 | idm.sec.core.contract-slice.protection-interval=0 | ||
- | </ | ||
+ | </ | ||
==== Role ==== | ==== Role ==== | ||
Line 624: | Line 727: | ||
# Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script). | # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script). | ||
idm.sec.core.role.codeEnvironmentSeperator=| | idm.sec.core.role.codeEnvironmentSeperator=| | ||
+ | |||
+ | |||
</ | </ | ||
==== Tree ==== | ==== Tree ==== | ||
+ | |||
Tree structures configuration properties. | Tree structures configuration properties. | ||
Line 636: | Line 742: | ||
# Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc. | # Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc. | ||
idm.sec.core.tree.defaultNode= | idm.sec.core.tree.defaultNode= | ||
+ | |||
+ | |||
</ | </ | ||
Internal properties used for tree indexing (forest index) - holds index state: | Internal properties used for tree indexing (forest index) - holds index state: | ||
+ | |||
<code properties> | <code properties> | ||
- | # forest index is valid. Is set to false, when index exception occurs and tree index has to be rebuild | + | # forest index is valid. Is set to false, when index exception occurs and tree index has to be rebuild |
idm.sec.core.treeType.< | idm.sec.core.treeType.< | ||
# rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted. | # rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted. | ||
idm.sec.core.treeType.< | idm.sec.core.treeType.< | ||
+ | |||
+ | |||
</ | </ | ||
Line 663: | Line 774: | ||
# If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher ' | # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher ' | ||
idm.sec.core.event.asynchronous.batchSize=15 | idm.sec.core.event.asynchronous.batchSize=15 | ||
+ | |||
+ | |||
</ | </ | ||
=== Entity event processors === | === Entity event processors === | ||
- | In the application profile ('' | + | |
- | Every processor could have his own configuration properties under prefix: | + | In the application profile ('' |
<code properties> | <code properties> | ||
# disable / enable event procesor | # disable / enable event procesor | ||
Line 673: | Line 787: | ||
# override event types for given processor | # override event types for given processor | ||
idm.sec.< | idm.sec.< | ||
+ | |||
+ | |||
</ | </ | ||
- | Where ''< | + | |
+ | Where ''< | ||
Common configuration properties for all processors: | Common configuration properties for all processors: | ||
- | * '' | ||
- | * '' | ||
- | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
Exists processors configuration: | Exists processors configuration: | ||
Line 687: | Line 804: | ||
@since 10.6.0 | @since 10.6.0 | ||
- | In the application profile ('' | + | In the application profile ('' |
- | Every bulk action could have his own configuration properties under prefix: | + | |
<code properties> | <code properties> | ||
# disable / enable bulk action | # disable / enable bulk action | ||
idm.sec.< | idm.sec.< | ||
+ | |||
+ | |||
</ | </ | ||
- | Where ''< | + | |
+ | Where ''< | ||
Common configuration properties for all bulk actions: | Common configuration properties for all bulk actions: | ||
- | * '' | ||
- | * '' | ||
- | * '' | ||
- | * '' | ||
- | * '' | ||
- | * '' | ||
- | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | ==== Workflow settings for approval of change user roles ==== | ||
- | |||
- | ==== Workflow settings for approval of change user roles ===== | ||
<code properties> | <code properties> | ||
## WF | ## WF | ||
Line 735: | Line 854: | ||
# Default main WF for approve all roles. | # Default main WF for approve all roles. | ||
idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions | idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions | ||
+ | |||
+ | |||
</ | </ | ||
- | ==== Universal requests ===== | + | ==== Universal requests ==== |
<code properties> | <code properties> | ||
## Universal requests | ## Universal requests | ||
Line 745: | Line 867: | ||
# If returns null, then all guarantees will be used for approving (no limitations). | # If returns null, then all guarantees will be used for approving (no limitations). | ||
idm.sec.core.request.idm-role.approval.guarantee-type= | idm.sec.core.request.idm-role.approval.guarantee-type= | ||
+ | |||
+ | |||
</ | </ | ||
- | ==== Notification from Workflow ===== | + | ==== Notification from Workflow ==== |
<code properties> | <code properties> | ||
## Global property that allow disable or enable sending notification from WF | ## Global property that allow disable or enable sending notification from WF | ||
Line 755: | Line 880: | ||
## Enable sending notification of changing roles to user, who made request | ## Enable sending notification of changing roles to user, who made request | ||
idm.sec.core.wf.notification.implementer.enabled=true | idm.sec.core.wf.notification.implementer.enabled=true | ||
+ | |||
+ | |||
</ | </ | ||
==== Confidential storage ==== | ==== Confidential storage ==== | ||
- | Properties **is not** overloadable via '' | + | Properties **is not** overloadable via '' |
<code properties> | <code properties> | ||
Line 768: | Line 895: | ||
# or secretKey defined in the external file - secret.keyPath | # or secretKey defined in the external file - secret.keyPath | ||
# cipher.crypt.secret.keyPath=/ | # cipher.crypt.secret.keyPath=/ | ||
+ | |||
+ | |||
</ | </ | ||
==== Entity filters ==== | ==== Entity filters ==== | ||
+ | |||
In the application profile ('' | In the application profile ('' | ||
<code properties> | <code properties> | ||
- | # Enable / disable check filter is properly registered, when filter is used (by entity and property name). | + | # Enable / disable check filter is properly registered, when filter is used (by entity and property name). |
# Throws exception, when unrecognized filter is used. | # Throws exception, when unrecognized filter is used. | ||
idm.sec.core.filter.check.supported.enabled=true | idm.sec.core.filter.check.supported.enabled=true | ||
- | # Check count of values exceeded given maximum. | + | # Check count of values exceeded given maximum. |
# Related to database count of query parameters (e.g. Oracle = {@code 1000}, MSSql = {@code 2100}). | # Related to database count of query parameters (e.g. Oracle = {@code 1000}, MSSql = {@code 2100}). | ||
# Throws exception, when size is exceeded. Set to {@code -1} to disable this check. | # Throws exception, when size is exceeded. Set to {@code -1} to disable this check. | ||
idm.sec.core.filter.check.size.maximum=500 | idm.sec.core.filter.check.size.maximum=500 | ||
+ | |||
+ | |||
</ | </ | ||
- | Every registered filter could have his own configuration properties under prefix: | + | Every registered filter could have his own configuration properties under prefix: |
<code properties> | <code properties> | ||
# enable / disable filter - enabled by default. When filter is disabled and property is filled in filter, then '' | # enable / disable filter - enabled by default. When filter is disabled and property is filled in filter, then '' | ||
Line 789: | Line 922: | ||
# filter implementation | # filter implementation | ||
idm.sec.< | idm.sec.< | ||
+ | |||
+ | |||
</ | </ | ||
+ | |||
Where: | Where: | ||
- | * ''< | ||
- | * ''< | ||
- | * ''< | ||
- | * ''< | ||
+ | * ''< | ||
+ | * ''< | ||
+ | * ''< | ||
+ | * ''< | ||
Common configuration properties for all filters: | Common configuration properties for all filters: | ||
- | * '' | ||
- | * '' | ||
+ | * '' | ||
+ | * '' | ||
Exists filters configuration: | Exists filters configuration: | ||
==== Notification senders ==== | ==== Notification senders ==== | ||
- | In the application profile ('' | + | |
- | Senders could have his own configuration properties under prefix: | + | In the application profile ('' |
<code properties> | <code properties> | ||
# sender implementation | # sender implementation | ||
idm.sec.< | idm.sec.< | ||
+ | |||
+ | |||
</ | </ | ||
+ | |||
Where: | Where: | ||
- | * ''< | ||
- | * ''< | ||
+ | * ''< | ||
+ | * ''< | ||
Common configuration properties for all senders: | Common configuration properties for all senders: | ||
- | * '' | ||
+ | * '' | ||
Read more about [[..: | Read more about [[..: | ||
- | |||
==== Authentication ==== | ==== Authentication ==== | ||
+ | |||
UUID of system, against which to user will be authenticated. This authentication is from version 10.4.0 deprecated. | UUID of system, against which to user will be authenticated. This authentication is from version 10.4.0 deprecated. | ||
+ | |||
<code properties> | <code properties> | ||
# ID system against which to authenticate | # ID system against which to authenticate | ||
idm.sec.security.auth.system= | idm.sec.security.auth.system= | ||
+ | |||
+ | |||
</ | </ | ||
Authentication against multiple system wich to user will be authenticated (since 10.4.0) - ID or Code can be used: | Authentication against multiple system wich to user will be authenticated (since 10.4.0) - ID or Code can be used: | ||
+ | |||
<code properties> | <code properties> | ||
idm.sec.acc.security.auth.order1.system= | idm.sec.acc.security.auth.order1.system= | ||
idm.sec.acc.security.auth.order2.system= | idm.sec.acc.security.auth.order2.system= | ||
+ | |||
+ | |||
</ | </ | ||
Maximum system for authentication can be set with the property: | Maximum system for authentication can be set with the property: | ||
+ | |||
<code properties> | <code properties> | ||
idm.sec.acc.security.auth.maximumSystemCount=50 | idm.sec.acc.security.auth.maximumSystemCount=50 | ||
+ | |||
+ | |||
</ | </ | ||
- | More about authenticator can be found [[devel:documentation: | + | More about authenticator can be found [[..:..: |
=== Authentication filters === | === Authentication filters === | ||
- | In the application profile ('' | + | |
- | Authentication filter could have his own configuration properties under prefix: | + | In the application profile ('' |
<code properties> | <code properties> | ||
# enable/ disable filter - enabled by default or by filter implementation. | # enable/ disable filter - enabled by default or by filter implementation. | ||
idm.sec.< | idm.sec.< | ||
+ | |||
+ | |||
</ | </ | ||
+ | |||
Where: | Where: | ||
- | * ''< | ||
- | * ''< | ||
+ | * ''< | ||
+ | * ''< | ||
Common configuration properties for all filters: | Common configuration properties for all filters: | ||
- | * '' | ||
+ | * '' | ||
=== SSO authentication filter === | === SSO authentication filter === | ||
+ | |||
[[..: | [[..: | ||
+ | |||
<code properties> | <code properties> | ||
# Allow SSO authentication | # Allow SSO authentication | ||
Line 864: | Line 1018: | ||
# The uids that can't be authenticated by SSO | # The uids that can't be authenticated by SSO | ||
idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= | idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= | ||
+ | |||
+ | |||
</ | </ | ||
=== Remote user authentication filter === | === Remote user authentication filter === | ||
+ | |||
Login into IdM by preset request remote user by servlet container can be configured with following properties: | Login into IdM by preset request remote user by servlet container can be configured with following properties: | ||
+ | |||
<code properties> | <code properties> | ||
# Allow remote user authentication | # Allow remote user authentication | ||
Line 875: | Line 1033: | ||
# The uids that can't be authenticated by SSO | # The uids that can't be authenticated by SSO | ||
idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids= | idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids= | ||
+ | |||
+ | |||
</ | </ | ||
- | This authentication filter reuses SSO authentication filter behavior above ('' | + | This authentication filter reuses SSO authentication filter behavior above ('' |
=== Two-factor authentication === | === Two-factor authentication === | ||
Line 890: | Line 1050: | ||
# Time Discrepancy - number of past (but still valid) authentication codes (e.g. when code is sent by notification, | # Time Discrepancy - number of past (but still valid) authentication codes (e.g. when code is sent by notification, | ||
totp.time.discrepancy=1 | totp.time.discrepancy=1 | ||
+ | |||
</ | </ | ||
=== CAS authentication filter === | === CAS authentication filter === | ||
- | @since 12.0.0 | + | |
- | [[..: | + | @since 12.0.0 [[..: |
<code properties> | <code properties> | ||
# Enable authentication via CAS. If enabled, " | # Enable authentication via CAS. If enabled, " | ||
Line 902: | Line 1064: | ||
# Base URL where CAS is accessible. Syntax of this field is https:// | # Base URL where CAS is accessible. Syntax of this field is https:// | ||
idm.sec.core.cas.url= | idm.sec.core.cas.url= | ||
- | # IdM service name configured as service on CAS server. | + | # IdM service name configured as service on CAS server. |
# When service is configured, then login and logout redirect urls, should be defined directly in CAS service configuration. | # When service is configured, then login and logout redirect urls, should be defined directly in CAS service configuration. | ||
# Default: service name for login / logout is created dynamically by BE server url (recommended). | # Default: service name for login / logout is created dynamically by BE server url (recommended). | ||
Line 916: | Line 1078: | ||
# Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https:// | # Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https:// | ||
idm.sec.core.cas.header-prefix= | idm.sec.core.cas.header-prefix= | ||
+ | |||
+ | |||
</ | </ | ||
+ | |||
+ | === OIDC authentication filter === | ||
+ | |||
+ | @since 13.1.0 [[this> | ||
+ | |||
+ | <code properties> | ||
+ | # Enable authentication via OIDC when false IDM will return 503 SERVICE_UNAVAILABLE on enpoints used for OICD auth, and ignore any Bearer token. Default: false | ||
+ | idm.pub.core.oidc.enabled=false | ||
+ | # REQIRED configuration | ||
+ | # client-id confugured in CAS Service | ||
+ | idm.sec.core.oidc.client-id= | ||
+ | # client-secret confugured in CAS Service | ||
+ | idm.sec.core.oidc.client-secret= | ||
+ | # Base URL where OICD provider is accessible. Syntax of this field is https:// | ||
+ | idm.sec.core.oidc.url= | ||
+ | |||
+ | # OPTIONAL configuration | ||
+ | idm.sec.core.oidc.login-path=/ | ||
+ | idm.sec.core.oidc.logout-path=/ | ||
+ | idm.sec.core.oidc.token-path=/ | ||
+ | |||
+ | # | ||
+ | spring.security.oauth2.client.registration.cas.client-id=${idm.sec.core.oidc.client-id} | ||
+ | spring.security.oauth2.client.registration.cas.client-secret=${idm.sec.core.oidc.client-secret} | ||
+ | spring.security.oauth2.client.registration.cas.scope=openid | ||
+ | spring.security.oauth2.client.registration.cas.redirect-uri={baseUrl}/ | ||
+ | # | ||
+ | # | ||
+ | |||
+ | spring.security.oauth2.client.provider.cas.issuer-uri=${idm.sec.core.oidc.url} | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | </ | ||
+ | |||
==== Backup ==== | ==== Backup ==== | ||
- | If you want to use redeploy and backup for example in agenda (notification templates, scripts), you must define default backup folder. | + | |
- | When redploy is used, then actual templates (or scripsts) are loaded from classpath by configuration (for templates or scripts) and deployed into application. Previous templates (or scripts) are backup too. | + | If you want to use redeploy and backup for example in agenda (notification templates, scripts), you must define default backup folder. When redploy is used, then actual templates (or scripsts) are loaded from classpath by configuration (for templates or scripts) and deployed into application. Previous templates (or scripts) are backup too. |
<code properties> | <code properties> | ||
Line 926: | Line 1126: | ||
# Configured attachment storage patrh ( see ' | # Configured attachment storage patrh ( see ' | ||
idm.sec.core.backups.default.folder.path=/ | idm.sec.core.backups.default.folder.path=/ | ||
+ | |||
+ | |||
</ | </ | ||
==== Http proxy ==== | ==== Http proxy ==== | ||
- | For outgoing http communication, | ||
- | **Server restart** is needed to apply this configuration change. | + | For outgoing http communication, |
+ | |||
+ | **Server restart** | ||
<code properties> | <code properties> | ||
# Proxy for HTTP requests | # Proxy for HTTP requests | ||
idm.sec.core.http.proxy=12.34.56.78: | idm.sec.core.http.proxy=12.34.56.78: | ||
+ | |||
+ | # For reCAPTCHA is used since version 12.2.5 new configuration. Backward compatibility with original configuration still exists. | ||
+ | # Proxy configuration for reCAPTCHA | ||
+ | idm.sec.security.recaptcha.proxy=12.34.56.78: | ||
+ | |||
</ | </ | ||
Line 945: | Line 1153: | ||
# use cglib for proxies by default | # use cglib for proxies by default | ||
spring.aop.proxy-target-class=true | spring.aop.proxy-target-class=true | ||
+ | |||
+ | |||
</ | </ | ||
==== Virtual system ==== | ==== Virtual system ==== | ||
- | VS configurations allows define implementers via assigned IdM role or directly by selected identities. If you do not define none directly implementers and none role in VS configuration, | + | |
- | Default role can be defined in configuration: | + | VS configurations allows define implementers via assigned IdM role or directly by selected identities. If you do not define none directly implementers and none role in VS configuration, |
<code properties> | <code properties> | ||
# If you do not define default role, then will be used **superAdminRole** as default! | # If you do not define default role, then will be used **superAdminRole** as default! | ||
idm.sec.vs.role.default=< | idm.sec.vs.role.default=< | ||
+ | |||
+ | |||
</ | </ | ||
Line 961: | Line 1173: | ||
# Long polling | # Long polling | ||
idm.pub.app.long-polling.enabled=true | idm.pub.app.long-polling.enabled=true | ||
- | </ | ||
- | You can disable long polling for all types of entites with use value `false`. | ||
+ | </ | ||
+ | You can disable long polling for all types of entites with use value `false`. | ||
==== Provisioning ==== | ==== Provisioning ==== | ||
Line 976: | Line 1188: | ||
# It's possible to automatic mapped existed account on the target system. It means, before create new account (call create on the connector), | # It's possible to automatic mapped existed account on the target system. It means, before create new account (call create on the connector), | ||
- | # we try to found account (by generated UID) on the target system. If account will be | + | # we try to found account (by generated UID) on the target system. If account will be |
# returned, then will be mapped on the IdM account. Target account will be reused and only updated by connector. | # returned, then will be mapped on the IdM account. Target account will be reused and only updated by connector. | ||
# - true: for reusing account | # - true: for reusing account | ||
Line 985: | Line 1197: | ||
# Default provisioning timeout in milis - every longer provisioning operations will ends with timeout exception (prevent to stuck running operations). | # Default provisioning timeout in milis - every longer provisioning operations will ends with timeout exception (prevent to stuck running operations). | ||
# 3 minutes by default. | # 3 minutes by default. | ||
- | # Timeout has to be configured >= 1000, otherwise default will be returned. | + | # Timeout has to be configured> |
idm.sec.acc.provisioning.timeout=180000 | idm.sec.acc.provisioning.timeout=180000 | ||
+ | |||
+ | |||
</ | </ | ||
==== Provisioning global break ==== | ==== Provisioning global break ==== | ||
+ | |||
<note tip>For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be activated.</ | <note tip>For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be activated.</ | ||
Line 1046: | Line 1261: | ||
# Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',' | # Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',' | ||
idm.sec.acc.provisioning.break.delete.roleRecipients | idm.sec.acc.provisioning.break.delete.roleRecipients | ||
+ | |||
+ | |||
</ | </ | ||
Line 1052: | Line 1269: | ||
=== Report executor === | === Report executor === | ||
- | In the application profile ('' | + | In the application profile ('' |
- | Every report executor (~report) could have his own configuration properties under prefix: | + | |
<code properties> | <code properties> | ||
# disable / enable report | # disable / enable report | ||
idm.sec.< | idm.sec.< | ||
+ | |||
+ | |||
</ | </ | ||
- | Where ''< | + | |
+ | Where ''< | ||
Common configuration properties for all reports: | Common configuration properties for all reports: | ||
- | * '' | ||
+ | * '' | ||
=== Report renderer === | === Report renderer === | ||
- | In the application profile ('' | + | In the application profile ('' |
- | Every report renderer could have his own configuration properties under prefix: | + | |
<code properties> | <code properties> | ||
# disable / enable renderer | # disable / enable renderer | ||
idm.sec.< | idm.sec.< | ||
+ | |||
+ | |||
</ | </ | ||
- | Where ''< | + | |
+ | Where ''< | ||
Common configuration properties for all renderers: | Common configuration properties for all renderers: | ||
- | * '' | ||
+ | * '' | ||
==== Logger ==== | ==== Logger ==== | ||
Line 1085: | Line 1308: | ||
logging.pattern.console=%d{yyyy-MM-dd HH: | logging.pattern.console=%d{yyyy-MM-dd HH: | ||
logging.pattern.file=%d{yyyy-MM-dd HH: | logging.pattern.file=%d{yyyy-MM-dd HH: | ||
+ | |||
+ | |||
</ | </ | ||
- | Logger levels can be configured programmatically (override '' | + | Logger levels can be configured programmatically (override '' |
In the application profile ('' | In the application profile ('' | ||
Line 1093: | Line 1318: | ||
<code properties> | <code properties> | ||
idm.sec.core.logger.< | idm.sec.core.logger.< | ||
+ | |||
+ | |||
</ | </ | ||
- | Where ''< | + | Where ''< |
Example: | Example: | ||
+ | |||
<code properties> | <code properties> | ||
idm.sec.core.logger.eu.bcvsolutions=DEBUG | idm.sec.core.logger.eu.bcvsolutions=DEBUG | ||
+ | |||
+ | |||
</ | </ | ||
Line 1111: | Line 1341: | ||
# disable / enable monitoring evaluator | # disable / enable monitoring evaluator | ||
idm.sec.< | idm.sec.< | ||
+ | |||
+ | |||
</ | </ | ||
- | Where ''< | + | |
+ | Where ''< | ||
Common configuration properties for all monitorings: | Common configuration properties for all monitorings: | ||
- | | + | |
+ | | ||
+ |