If your configuration requires a container (Tomcat, JBoss, WebSphere) to handle authentication, but users and roles reside in an external database, tenants using Container Security Manager (DB-CSM) security can provide a database interface to fetch those users and roles. Some configuration is necessary and the details vary depending on the container you are using.

...

Setting up the Security Database

  1. Modify your container configuration files to point to your security database. For example, JBoss deploys datasources from an XML file that uses the -ds.xml naming convention, such as jaas-ds.xml. In this example, the jaas-ds.xml file for JBoss is modified to point to an Oracle security database so Live Forms can use it.
    1. Supply the SECURITY_DB_NAME and DB_PORT shown in the example for your database.

...

Code Block
<default-security-domain value="newly-defined-security-domain"/>
...
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="newly-defined-security-domain" cache-type="default">
      ...
    </security-domain>
  </security-domains>
</subsystem>

Modify the principalsQuery and rolesQuery

Here's an example of changes to the standalone.xml file.

Code Block
<security-domain name="other" cache-type="default">
  <authentication>
    <login-module code="Database" flag="required">
      <!-- JNDI name of the datasource defined in jaas-ds.xml -->
      <module-option name="dsJndiName" value="java:jboss/datasources/securityDS"/>
      <!-- the ? placeholder is bound by the login module to the user name being authenticated -->
      <module-option name="principalsQuery" value="select USER_ID from FREVVO_USER_T where USER_ID = ?"/>
      <!-- roles starting with frevvo. are returned as-is; all others are prefixed with the tenant's customer_id -->
      <module-option name="rolesQuery" value="SELECT CASE INSTR(gt.role_name, 'frevvo.') WHEN 1 THEN gt.role_name ELSE pt.customer_id || '_'|| gt.role_name END as role, 'Roles' FROM frevvo_user_roles_t ut, frevvo_group_rights_t gt, frevvo_person_t pt WHERE gt.group_name = ut.group_name AND pt.person_id = ut.user_id AND ut.user_id = ?"/>
    </login-module>
  </authentication>
</security-domain>
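To see what the two queries above actually return for a given user, the following added example (not part of the original page or of the frevvo product) runs them against an in-memory SQLite database. The table schema is constructed here and contains only the columns the queries reference; INSTR, || concatenation and CASE behave the same way in Oracle and SQLite, so the rolesQuery runs unchanged. The ? placeholder is bound as a parameter, exactly as the JBoss Database login module binds the user name, which is why a user name containing SQL syntax matches nothing instead of altering the query. The second column, the literal 'Roles', is the role-group name the Database login module expects for the user's authorization roles.

```python
import sqlite3

# The two queries from the standalone.xml example, verbatim.
PRINCIPALS_QUERY = "select USER_ID from FREVVO_USER_T where USER_ID = ?"
ROLES_QUERY = (
    "SELECT CASE INSTR(gt.role_name, 'frevvo.') WHEN 1 THEN gt.role_name "
    "ELSE pt.customer_id || '_'|| gt.role_name END as role, 'Roles' "
    "FROM frevvo_user_roles_t ut, frevvo_group_rights_t gt, frevvo_person_t pt "
    "WHERE gt.group_name = ut.group_name AND pt.person_id = ut.user_id "
    "AND ut.user_id = ?"
)


def build_security_db():
    """Constructed minimal schema and sample rows (assumption: only the columns
    the queries reference exist; a real security database will have more)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE FREVVO_USER_T (USER_ID TEXT PRIMARY KEY);
        CREATE TABLE frevvo_person_t (person_id TEXT PRIMARY KEY, customer_id TEXT);
        CREATE TABLE frevvo_user_roles_t (user_id TEXT, group_name TEXT);
        CREATE TABLE frevvo_group_rights_t (group_name TEXT, role_name TEXT);
    """)
    conn.executemany("INSERT INTO FREVVO_USER_T VALUES (?)",
                     [("alice",), ("bob",)])
    # Both sample users belong to the constructed tenant "acme".
    conn.executemany("INSERT INTO frevvo_person_t VALUES (?, ?)",
                     [("alice", "acme"), ("bob", "acme")])
    conn.executemany("INSERT INTO frevvo_user_roles_t VALUES (?, ?)",
                     [("alice", "users"), ("alice", "managers"), ("bob", "users")])
    # "frevvo.User" is a product role and stays unprefixed; "Manager" is a
    # tenant role and is returned as "<customer_id>_Manager".
    conn.executemany("INSERT INTO frevvo_group_rights_t VALUES (?, ?)",
                     [("users", "frevvo.User"), ("managers", "Manager")])
    conn.commit()
    return conn


def user_exists(conn, user_id):
    """principalsQuery: does the container know this user at all?"""
    return conn.execute(PRINCIPALS_QUERY, (user_id,)).fetchone() is not None


def roles_for(conn, user_id):
    """rolesQuery: sorted list of role names the container will assign."""
    rows = conn.execute(ROLES_QUERY, (user_id,)).fetchall()
    # Each row is (role, 'Roles'); only the role name is needed here.
    return sorted(role for role, _group in rows)


if __name__ == "__main__":
    db = build_security_db()
    for name in ("alice", "bob", "mallory", "alice' OR '1'='1"):
        print(f"{name!r}: exists={user_exists(db, name)} roles={roles_for(db, name)}")
```

Running the script shows alice receiving both frevvo.User and acme_Manager, bob receiving only frevvo.User, and an unknown or malformed user name receiving nothing.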

Set up frevvo.war for JAAS Authentication

To identify any user with the role frevvo.User as a valid frevvo user, add the section below to the web.xml file in frevvo.war. The web.xml file is included in <frevvo-home>\tomcat\webapps\frevvo.war. The frevvo.war must be unzipped, modified and rezipped as outlined in the following steps:

  1. Stop Live Forms if it is running.
  2. Unpack the frevvo.war file to a temporary location of your choice, e.g. c:\tmp\frevvo-war. Change the file extension from .war to .zip first if your unzip tool requires it.
  3. Edit c:\tmp\frevvo-war\WEB-INF\web.xml and add the following section:

    Code Block
    <!--
    Security constraint BASIC AUTH
    -->
    <!-- every URL in the application requires the frevvo.User role -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure frevvo</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>frevvo.User</role-name>
      </auth-constraint>
    </security-constraint>
    <!-- the heartbeat URL has no auth-constraint, so it stays reachable without logging in -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>UnsecureHeartbeat</web-resource-name>
        <url-pattern>/heartbeat/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
      <role-name>frevvo.User</role-name>
    </security-role>

  4. Save the changes to the web.xml file. 
  5. Rezip all the files in the c:\tmp\frevvo-war directory, even the ones you did not edit — if you change directories or zip them differently, Live Forms may not load correctly:

    This is the correct structure for the frevvo.war zip-file.



  6. Make sure you create the zip-file with the directory structure as shown in the image above. It is an easy mistake to include the containing directory in the zip-file. 

  7. Zip will often give your zip-file a .zip extension. Make sure you change this to a .war extension.
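A hand edit to web.xml is easy to get wrong (an unclosed tag stops the whole web application from deploying), and it is worth confirming that the constraints say what you intended before rezipping the war. The following added example (not part of the original page or of frevvo) parses the web.xml section from step 3 and reports, per url-pattern, which roles are required and which transport guarantee applies, plus a list of findings: a missing security-role declaration, an auth-method other than BASIC, or a BASIC-protected pattern without transport-guarantee CONFIDENTIAL (BASIC sends credentials base64-encoded, so only TLS keeps them private). The fragment embedded below is a constructed copy of the step 3 section; paths and the assumption that web.xml declares no XML namespace on these elements are this example's, not the page's.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the web.xml section from step 3 (closing tags present).
WEB_XML_FRAGMENT = """
<!-- Security constraint BASIC AUTH -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure frevvo</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>frevvo.User</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UnsecureHeartbeat</web-resource-name>
    <url-pattern>/heartbeat/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>frevvo.User</role-name>
</security-role>
"""


def parse_fragment(fragment):
    """A web.xml section has no single root, so wrap it in <web-app> (assumption:
    the elements carry no namespace, as in the page's example)."""
    return ET.fromstring("<web-app>" + fragment + "</web-app>")


def is_well_formed(fragment):
    """True if the section parses; an unclosed tag such as a missing
    </auth-method> raises ParseError and would break deployment."""
    try:
        parse_fragment(fragment)
        return True
    except ET.ParseError:
        return False


def summarize_constraints(fragment):
    """Map each url-pattern to the roles it requires and its transport guarantee."""
    root = parse_fragment(fragment)
    summary = {}
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        for pattern in sc.findall("web-resource-collection/url-pattern"):
            summary[pattern.text.strip()] = {"roles": roles, "transport": guarantee or None}
    return summary


def check_jaas_setup(fragment, required_role="frevvo.User"):
    """Return a list of findings; an empty list means the section is as intended."""
    root = parse_fragment(fragment)
    findings = []
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    if required_role not in declared:
        findings.append(f"{required_role} is not declared in <security-role>")
    auth_method = (root.findtext("login-config/auth-method") or "").strip()
    if auth_method != "BASIC":
        findings.append(f"auth-method is {auth_method!r}, expected BASIC")
    for pattern, info in summarize_constraints(fragment).items():
        if required_role in info["roles"] and info["transport"] != "CONFIDENTIAL":
            findings.append(f"{pattern} requires {required_role} over BASIC auth "
                            "but has no transport-guarantee CONFIDENTIAL")
    return findings


if __name__ == "__main__":
    for pattern, info in summarize_constraints(WEB_XML_FRAGMENT).items():
        print(pattern, info)
    for finding in check_jaas_setup(WEB_XML_FRAGMENT):
        print("finding:", finding)
```

To check your own edited file, read WEB-INF/web.xml from the unpacked directory and pass its content to the same functions; a ParseError at that point means the war would not deploy after rezipping.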

...