Differences

This shows you the differences between two versions of the page.

--- devel:documentation:application_configuration:dev:backend [2023/02/24 12:05]
kopro [Security] add proxy recaptcha
+++ devel:documentation:application_configuration:dev:backend [2023/12/01 13:10] (current)
chalupat [Authentication]
@@ Line 133: / Line 133: @@
 # you can use FE configuration https://wiki.czechidm.com/devel/documentation/application_configuration/dev/frontend
 idm.pub.app.show.identity.table.columns=username, lastName, firstName, externalCode, email, state, description
-idm.pub.app.show.identityRole.table.columns=role, roleAttributes, environment, identityContract, contractPosition, validFrom, validTill, directRole, automaticRole, incompatibleRoles, description, priority
+# Rendered columns in user roles agenda (Directly assigned roles). Comma is used as separator. Order of rendered columns is preserved as configured.
+idm.pub.app.show.identityRole.table.columns=role, roleAttributes, environment, owner, contractPosition, validFrom, validTill, directRole, automaticRole, incompatibleRoles, description, priority
+# Rendered columns in role requests in the table for assigned roles. Comma is used as separator. Order of rendered columns is preserved as configured.
+idm.pub.app.show.role.request.table.columns=name, description, roleAttributes, contractPosition, validFrom, validTill, directRole, automaticRole, action, priority
 # If is true, then role-request description will be show on the detail.
 # Description will hidden if this property will be false and role request
@@ Line 166: / Line 169: @@
 # Set property to false to disable init data creation and updates.
 idm.sec.core.init.data.enabled=true
 </code>
@@ Line 220: / Line 224: @@
 # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes.
 spring.datasource.maximumPoolSize=50
 </code>
@@ Line 233: / Line 238: @@
 There are by default two datasources configured
-      * datasource - default datasource, which is being used for almost all database communication (Flyway, JPA repositories)
+  * datasource - default datasource, which is being used for almost all database communication (Flyway, JPA repositories)
-      * loggingDatasource - This datasource is used by our database logging appender to write logging messages, when databes appender is enabled. The reason why this is done by separate datasource is to prevent database logging to hog database connections and hinder the application performance
+  * loggingDatasource - This datasource is used by our database logging appender to write logging messages, when databes appender is enabled. The reason why this is done by separate datasource is to prevent database logging to hog database connections and hinder the application performance
   *
 Configuration properties, that have changed with introduction of additional datasources:
-      * //''spring.datasource.''url →// //''spring.datasource.jdbcUrl'' //
+  * //''spring.datasource.''url →// //''spring.datasource.jdbcUrl'' //
-      * spring.datasource.hikari.* → spring.datasource.*
+  * spring.datasource.hikari.* → spring.datasource.*
   *
 Both datasources are required for the app to start.
-      * By default, both datasources are configured for H2 in-memory database
+  * By default, both datasources are configured for H2 in-memory database
-      * If you specify property spring.datasource.jdbcUrl, IdM will no longer use in memory database for main datasource and instead it will configure connection using spring.datasource.* properties
+  * If you specify property spring.datasource.jdbcUrl, IdM will no longer use in memory database for main datasource and instead it will configure connection using spring.datasource.* properties
-      * The same goes for loggingDatasource, which is configured using spring.logging-datasource.* properties
+  * The same goes for loggingDatasource, which is configured using spring.logging-datasource.* properties
 ===== Datasource configuration properties
@@ Line 254: / Line 259: @@
 ===== Developer =====
-      * If you are using ''EntityManager''  in your code, you will run into the issue with autowiring. In order to fix it, you need to explicitly specify, which ''EntityManager''  bean you want spring to autowire. You can use
-        * @CoreEntityManager` annotation, if you want to autowire main application datasource (in most cases you want to use this
+  * If you are using ''EntityManager''  in your code, you will run into the issue with autowiring. In order to fix it, you need to explicitly specify, which ''EntityManager''  bean you want spring to autowire. You can use
-        * @Qualifier("coreEntityManager") annotation, if you want to autowire main application datasource and do not want to explicitly define dependency on core-api module
+      * @CoreEntityManager` annotation, if you want to autowire main application datasource (in most cases you want to use this
+      * @Qualifier("coreEntityManager") annotation, if you want to autowire main application datasource and do not want to explicitly define dependency on core-api module
 === JNDI datasource ===
@@ Line 275: / Line 281: @@
             maxIdle="4"/>
 </Context>
 </code>
@@ Line 283: / Line 290: @@
 # JNDI location of the datasource. Class, url, username & password are ignored when set.
 spring.datasource.jndi-name=PostgresDS
 </code>
@@ Line 299: / Line 307: @@
 </appender>
 ...
 </code>
@@ Line 327: / Line 336: @@
 # add ssl usage flag, see https://jdbc.postgresql.org/documentation/head/connect.html
 spring.datasource.url=jdbc:postgresql://localhost:5432/bcv_idm_storage?ssl=true
 </code>
@@ Line 347: / Line 357: @@
 # Size in MB
 idm.sec.cache.terracota.resource.pool.size=32
 </code>
@@ Line 384: / Line 395: @@
 # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends).
 idm.sec.core.attachment.tempTtl=1209600000
 </code>
@@ Line 405: / Line 417: @@
 # definitions name pattern - subfolders can be used
 spring.activiti.processDefinitionLocationSuffixes=**/**.bpmn20.xml
 </code>
@@ Line 428: / Line 441: @@
 # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do
 idm.sec.security.recaptcha.secretKey=xxx
-# Proxy configuration for reCAPTCHA
+# Proxy configuration for reCAPTCHA (since version 12.2.5)
 idm.sec.security.recaptcha.proxy=12.34.56.78:1234
@@ Line 443: / Line 456: @@
 # @see https://proj.bcvsolutions.eu/ngidm/doku.php?id=navrh:databazove_scripty
 flyway.enabled=false
 </code>
@@ Line 467: / Line 481: @@
 # IdmFlywayMigrationStrategy resolves used jdbc database dynamically - ${dbName} in location could be used.
 flyway.core.locations=classpath:eu/bcvsolutions/idm/core/sql/${dbName}
 </code>
@@ Line 490: / Line 505: @@
 module.<module>.build.name=@project.name@
 module.<module>.build.description=@project.description@
 </code>
@@ Line 508: / Line 524: @@
 springfox.documentation.swagger.outputDir=@swagger.output.dir@
 springfox.documentation.swagger.outputFilename=@swagger.output.filename@
 </code>
@@ Line 526: / Line 543: @@
 # The FROM email address.
 idm.sec.core.emailer.from=idm@bcvsolutions.eu
 </code>
@@ Line 540: / Line 558: @@
 idm.sec.core.notification.template.folder=classpath*:/eu/bcvsolutions/idm/template/
 idm.sec.core.notification.template.fileSuffix=**/**.xml # template suffix
 </code>
@@ Line 554: / Line 573: @@
 idm.sec.core.script.folder=classpath*:/eu/bcvsolutions/idm/scripts/
 idm.sec.core.script.fileSuffix=**/**.xml
 </code>
@@ Line 599: / Line 619: @@
 # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5).
 scheduler.event.executor.threadPriority=6
 </code>
@@ Line 661: / Line 682: @@
 # termination of the contract from the currently valid slice.
 idm.sec.core.contract-slice.protection-interval=0
 </code>
@@ Line 705: / Line 727: @@
 # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script).
 idm.sec.core.role.codeEnvironmentSeperator=|
 </code>
@@ Line 719: / Line 742: @@
 # Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc.
 idm.sec.core.tree.defaultNode=
 </code>
@@ Line 729: / Line 753: @@
 # rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted.
 idm.sec.core.treeType.<tree-code>.rebuild=false
 </code>
@@ Line 749: / Line 774: @@
 # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher 'scheduler.event.queue.process' property).
 idm.sec.core.event.asynchronous.batchSize=15
 </code>
@@ Line 761: / Line 787: @@
 # override event types for given processor
 idm.sec.<module>.processor.<name>.eventTypes=CREATE,UPDATE
 </code>
@@ Line 782: / Line 809: @@
 # disable / enable bulk action
 idm.sec.<module>.bulk-action.<name>.enabled=true
 </code>
@@ Line 826: / Line 854: @@
 # Default main WF for approve all roles.
 idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions
 </code>
@@ Line 838: / Line 867: @@
 # If returns null, then all guarantees will be used for approving (no limitations).
 idm.sec.core.request.idm-role.approval.guarantee-type=
 </code>
@@ Line 850: / Line 880: @@
 ## Enable sending notification of changing roles to user, who made request
 idm.sec.core.wf.notification.implementer.enabled=true
 </code>
@@ Line 864: / Line 895: @@
 # or secretKey defined in the external file - secret.keyPath
 # cipher.crypt.secret.keyPath=/path/to/key
 </code>
@@ Line 879: / Line 911: @@
 # Throws exception, when size is exceeded. Set to {@code -1} to disable this check.
 idm.sec.core.filter.check.size.maximum=500
 </code>
@@ Line 889: / Line 922: @@
 # filter implementation
 idm.sec.<module>.filter.<entity>.<name>.impl=<beanName>
 </code>
@@ Line 911: / Line 945: @@
 # sender implementation
 idm.sec.<module>.notification-sender.<notificationType>.impl=<beanName>
 </code>
@@ Line 930: / Line 965: @@
 # ID system against which to authenticate
 idm.sec.security.auth.system=
 </code>
@@ Line 938: / Line 974: @@
 idm.sec.acc.security.auth.order1.system=
 idm.sec.acc.security.auth.order2.system=
 </code>
@@ Line 945: / Line 982: @@
 <code properties>
 idm.sec.acc.security.auth.maximumSystemCount=50
 </code>
@@ Line 953: / Line 991: @@
 In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. Authentication filter could have his own configuration properties under prefix:
 <code properties>
 # enable/ disable filter - enabled by default or by filter implementation.
 idm.sec.<module>.authentication-filter.<name>.enabled=true
 </code>
@@ Line 980: / Line 1018: @@
 # The uids that can't be authenticated by SSO
 idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids=
 </code>
@@ Line 994: / Line 1033: @@
 # The uids that can't be authenticated by SSO
 idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids=
 </code>
@@ Line 1038: / Line 1078: @@
 # Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https://hostname-of-CzechIdM/URI/?ticket=. Not configured by default.
 idm.sec.core.cas.header-prefix=
 </code>
+=== OIDC authentication ===
+@since 13.1.0 [[this>devel/documentation/security/dev/security#oidc_authentication|OIDC authentication]] can be configured with following properties:
+<code properties>
+# Enable authentication via OIDC when false IDM will return 503 SERVICE_UNAVAILABLE on enpoints used for OICD auth, and ignore any Bearer token. Default: false
+idm.pub.core.oidc.enabled=false
+# REQIRED configuration
+# client-id confugured in CAS Service
+idm.sec.core.oidc.client-id=
+# client-secret confugured in CAS Service
+idm.sec.core.oidc.client-secret=
+# Base URL where OICD provider is accessible. Syntax of this field is https://hostname-of-OICD/URI.
+idm.sec.core.oidc.url=
+# OPTIONAL configuration
+idm.sec.core.oidc.login-path=/authorize
+idm.sec.core.oidc.logout-path=/logout
+idm.sec.core.oidc.token-path=/token
+# Configuration for spring.security most is gotten from auto-discover endpoint (${idm.sec.core.oidc.url}/.well-known/openid-configuration) but can be overwritten here
+spring.security.oauth2.client.registration.cas.client-id=${idm.sec.core.oidc.client-id}
+spring.security.oauth2.client.registration.cas.client-secret=${idm.sec.core.oidc.client-secret}
+spring.security.oauth2.client.registration.cas.scope=openid
+spring.security.oauth2.client.registration.cas.redirect-uri={baseUrl}/api/v1/authentication/oidc-login-response/{registrationId}
+#spring.security.oauth2.client.registration.cas.authorization-grant-type=authorization_code
+#spring.security.oauth2.resource.jwk.key-set-uri=${idm.sec.core.oidc.url}/jwks
+spring.security.oauth2.client.provider.cas.issuer-uri=${idm.sec.core.oidc.url}
+#spring.security.oauth2.client.provider.cas.token-uri=${idm.sec.core.oidc.token-path}
+#spring.security.oauth2.client.provider.cas.authorization-uri=${idm.sec.core.oidc.login-path}
+</code>
 ==== Backup ====
@@ Line 1049: / Line 1126: @@
 # Configured attachment storage patrh ( see 'idm.sec.core.attachment.storagePath') is used as default.
 idm.sec.core.backups.default.folder.path=/tmp/backup
 </code>
@@ Line 1054: / Line 1132: @@
 ==== Http proxy ====
-For outgoing http communication, you can set a proxy (currently used only by ReCaptcha).
+For outgoing http communication, you can set a proxy.
 **Server restart**  is needed to apply this configuration change.
@@ Line 1061: / Line 1139: @@
 # Proxy for HTTP requests
 idm.sec.core.http.proxy=12.34.56.78:1234
+# For reCAPTCHA is used since version 12.2.5 new configuration. Backward compatibility with original configuration still exists.
+# Proxy configuration for reCAPTCHA
+idm.sec.security.recaptcha.proxy=12.34.56.78:1234
 </code>
@@ Line 1071: / Line 1153: @@
 # use cglib for proxies by default
 spring.aop.proxy-target-class=true
 </code>
@@ Line 1081: / Line 1164: @@
 # If you do not define default role, then will be used **superAdminRole** as default!
 idm.sec.vs.role.default=<some-code-of-role>
 </code>
@@ Line 1089: / Line 1173: @@
 # Long polling
 idm.pub.app.long-polling.enabled=true
 </code>
@@ Line 1114: / Line 1199: @@
 # Timeout has to be configured>= 1000, otherwise default will be returned.
 idm.sec.acc.provisioning.timeout=180000
 </code>
@@ Line 1175: / Line 1261: @@
 # Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 idm.sec.acc.provisioning.break.delete.roleRecipients
 </code>
@@ Line 1187: / Line 1274: @@
 # disable / enable report
 idm.sec.<module>.report-executor.<name>.enabled=true
 </code>
@@ Line 1202: / Line 1290: @@
 # disable / enable renderer
 idm.sec.<module>.report-renderer.<name>.enabled=true
 </code>
@@ Line 1219: / Line 1308: @@
 logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 </code>
@@ Line 1228: / Line 1318: @@
 <code properties>
 idm.sec.core.logger.<packageName>=<level>
 </code>
@@ Line 1237: / Line 1328: @@
 <code properties>
 idm.sec.core.logger.eu.bcvsolutions=DEBUG
 </code>
@@ Line 1249: / Line 1341: @@
 # disable / enable monitoring evaluator
 idm.sec.<module>.monitoring-evaluator.<name>.enabled=true
 </code>