devel:documentation:security:dev:authentication [2019/01/18 10:18] apeterova |
devel:documentation:security:dev:authentication [2020/06/24 06:09] kopro [Actual list of authenticators] change image position |
| |
=== DefaultAccAuthenticator === | === DefaultAccAuthenticator === |
| |
| <note important>This authenticator is deprecated since version 10.4.0. Please use DefaultAccMultipleSystemAuthenticator instead. Its configuration properties will be removed.</note> |
| |
[[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/acc/src/main/java/eu/bcvsolutions/idm/acc/security/authentication/impl/DefaultAccAuthenticator.java|DefaultAccAuthenticator]] checks the [[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-api/src/main/java/eu/bcvsolutions/idm/core/security/api/dto/LoginDto.java|LoginDto]] against an end system. Users log in with their internal IdM login and the password from the end system. | [[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/acc/src/main/java/eu/bcvsolutions/idm/acc/security/authentication/impl/DefaultAccAuthenticator.java|DefaultAccAuthenticator]] checks the [[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/core/core-api/src/main/java/eu/bcvsolutions/idm/core/security/api/dto/LoginDto.java|LoginDto]] against an end system. Users log in with their internal IdM login and the password from the end system. |
| |
First, the authenticator tries to find an end system with the given UUID. If no such system exists, the authentication returns NULL. Otherwise, the authenticator finds the mapped attribute of the system which is marked as ''Authentication attr.''. | First, the authenticator tries to find an end system with the given UUID. If no such system exists, the authentication returns NULL. Otherwise, the authenticator finds the mapped attribute of the system which is marked as ''Authentication attr.''. |
| |
{{:navrh:01.png|}} | {{:navrh:01.png|}} |
| |
{{:navrh:02.png|}} | {{:navrh:02.png|}} |
| |
===== Password change & old password ===== | |
| |
When users want to change their password in IdM, they are required to fill in their old password (unless the configuration attribute requireOldPassword is set differently, see below). It's possible that their local password in CzechIdM differs from their password in the end systems. In such a situation, users must use the password which satisfies the authentication chain (the same authentication chain that is used during authentication: same rules, same order of processing). If the old password is validated successfully, users can change their password. | === DefaultAccMultipleSystemAuthenticator === |
| |
| Since 10.4.0. |
| |
| [[https://github.com/bcvsolutions/CzechIdMng/blob/okopr/2046-authentication-against-multiple-systems/Realization/backend/acc/src/main/java/eu/bcvsolutions/idm/acc/security/authentication/impl/DefaultAccMultipleSystemAuthenticator.java|DefaultAccMultipleSystemAuthenticator]] has the same behavior as [[https://github.com/bcvsolutions/CzechIdMng/blob/develop/Realization/backend/acc/src/main/java/eu/bcvsolutions/idm/acc/security/authentication/impl/DefaultAccAuthenticator.java|DefaultAccAuthenticator]] but allows more than one system for authentication. The authenticator is placed between **DefaultAccAuthenticator** and **DefaultCoreAuthenticator**; the original **DefaultAccAuthenticator** has the higher priority. |
| |
| <note tip>All authentication behavior is the same as in the original **DefaultAccAuthenticator**. The original authenticator is now deprecated; please use the newer one.</note> |
| |
| The end systems are defined by configuration properties. For example: |
| <code> |
| idm.sec.acc.security.auth.order1.system=e6a8b1e7-d656-47ae-aa2d-1062d1583c1a |
| idm.sec.acc.security.auth.order2.system=ea86a399-9b26-4f75-9b3a-d3f0049031ef |
| idm.sec.acc.security.auth.order3.system= |
| idm.sec.acc.security.auth.order4.system= |
| idm.sec.acc.security.auth.order5.system=SystemAD - User |
| idm.sec.acc.security.auth.order6.system= |
| idm.sec.acc.security.auth.order7.system=e6a8b1e7-d656-47ae-aa2d-1062d1583c1a |
| idm.sec.acc.security.auth.order8.system= |
| idm.sec.acc.security.auth.order9.system=LDAP User 2 |
| </code> |
| |
| Authentication is attempted from the lowest order to the highest. The maximum order is defined by a configuration property (default: 50): |
| <code> |
| idm.sec.acc.security.auth.maximumSystemCount=50 |
| </code> |
| |
The configuration attribute **idm.pub.core.identity.passwordChange.requireOldPassword=** determines whether the users are required to fill in the old password when changing their password. The possible values are: | A configuration property may be null or empty. **Such entries are skipped.** |
* true - the old password is required, | |
* false - the old password is not required. | |
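The following Python model, added here and not CzechIdM's own code, shows how the properties above are resolved into an ordered authentication chain: entries from order1 up to maximumSystemCount are read, null or empty ones are skipped, each configured system is tried from the lowest order to the highest, and an unknown system yields NULL for that step. The same chain is then reused to validate the old password during a password change, honoring requireOldPassword. The system catalogue, the credentials, the UUID-or-name lookup, the handling of a system with no authentication attribute mapped, and the absence of any password policy are assumptions for illustration; the real chain also contains DefaultCoreAuthenticator, which this model leaves out.

```python
from dataclasses import dataclass, field
from typing import Optional

PREFIX = "idm.sec.acc.security.auth."
REQUIRE_OLD_KEY = "idm.pub.core.identity.passwordChange.requireOldPassword"

# Constructed sample properties; the auth.* keys and values mirror the page's example.
SAMPLE_PROPERTIES = """
idm.sec.acc.security.auth.order1.system=e6a8b1e7-d656-47ae-aa2d-1062d1583c1a
idm.sec.acc.security.auth.order2.system=ea86a399-9b26-4f75-9b3a-d3f0049031ef
idm.sec.acc.security.auth.order3.system=
idm.sec.acc.security.auth.order4.system=
idm.sec.acc.security.auth.order5.system=SystemAD - User
idm.sec.acc.security.auth.order6.system=
idm.sec.acc.security.auth.order7.system=e6a8b1e7-d656-47ae-aa2d-1062d1583c1a
idm.sec.acc.security.auth.order8.system=
idm.sec.acc.security.auth.order9.system=LDAP User 2
idm.sec.acc.security.auth.maximumSystemCount=50
idm.pub.core.identity.passwordChange.requireOldPassword=true
"""


def parse_properties(text: str) -> dict:
    """Minimal Java-style .properties parser: key=value per line, blanks and # comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ordered_systems(props: dict) -> list:
    """System references from order1 up to maximumSystemCount; null/empty entries are skipped."""
    maximum = int(props.get(PREFIX + "maximumSystemCount", "50"))
    refs = []
    for order in range(1, maximum + 1):
        value = props.get(f"{PREFIX}order{order}.system", "")
        if value:  # empty properties are skipped, as the page states
            refs.append(value)
    return refs


@dataclass
class EndSystem:
    uuid: str
    name: str
    auth_attribute: Optional[str]  # mapped attribute marked "Authentication attr."
    credentials: dict = field(default_factory=dict)  # constructed: login -> password the end system accepts


# Constructed stand-in for the IdM system catalogue. "LDAP User 2" is deliberately absent.
SYSTEMS = [
    EndSystem("e6a8b1e7-d656-47ae-aa2d-1062d1583c1a", "HR DB", "login", {"jdoe": "hr-secret"}),
    EndSystem("ea86a399-9b26-4f75-9b3a-d3f0049031ef", "Portal", None, {"jdoe": "portal-secret"}),
    EndSystem("11111111-2222-3333-4444-555555555555", "SystemAD - User", "sAMAccountName", {"jdoe": "ad-secret"}),
]


def find_system(ref: str) -> Optional[EndSystem]:
    # Assumption: a reference may be the system UUID or its name (the page's example uses both forms).
    return next((s for s in SYSTEMS if ref in (s.uuid, s.name)), None)


def authenticate_against_system(ref: str, login: str, password: str) -> Optional[dict]:
    """Model of one DefaultAccAuthenticator step: None when the system does not exist or the check fails."""
    system = find_system(ref)
    if system is None:
        return None  # page: unknown system -> authentication returns NULL
    if system.auth_attribute is None:
        return None  # assumption: no "Authentication attr." mapped -> nothing to check against
    if system.credentials.get(login) == password:
        return {"login": login, "system": system.name, "attribute": system.auth_attribute}
    return None


def authenticate_multiple(props: dict, login: str, password: str) -> Optional[dict]:
    """Model of DefaultAccMultipleSystemAuthenticator: try systems from lowest order to highest."""
    for ref in ordered_systems(props):
        result = authenticate_against_system(ref, login, password)
        if result is not None:
            return result
    return None


def change_password(props: dict, login: str, old_password: str, new_password: str) -> bool:
    """The old-password check reuses the same chain, unless requireOldPassword is false."""
    require_old = props.get(REQUIRE_OLD_KEY, "true").strip().lower() == "true"
    if require_old and authenticate_multiple(props, login, old_password) is None:
        return False
    return bool(new_password)  # assumption: password policy checks are out of scope here


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(ordered_systems(props))
    print(authenticate_multiple(props, "jdoe", "ad-secret"))
```

Two details of the sample configuration are worth noticing when running this: the same UUID appears at order1 and order7, so the model tries that system twice, and "LDAP User 2" resolves to no system, so that step simply returns NULL and the chain moves on.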