If your configuration requires a container (Tomcat, JBoss, WebSphere) to handle authentication, but users and roles reside in an external database, tenants using the DB Container Security Manager can provide a database interface to fetch those users and roles. Some configuration is necessary, and the details vary depending on the container you are using.
Setting up the Security Database
- Modify your container configuration files to point to your security database. For example, in JBoss, datasources are deployed in an XML file that follows the -ds.xml naming convention, such as jaas-ds.xml. In this example, the jaas-ds.xml file for JBoss is modified to point to an Oracle security database so that Live Forms can use it.
- Supply the SECURITY_DB_NAME and DB_PORT shown in the example for your database.
Code Block
    <default-security-domain value="newly-defined-security-domain"/>
    ...
    <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
            <security-domain name="newly-defined-security-domain" cache-type="default">
                ...
            </security-domain>
        </security-domains>
    </subsystem>
Modify the principalsQuery and rolesQuery
Here is an example of the changes to the standalone.xml file. The Database login module runs principalsQuery to confirm the user exists and rolesQuery to fetch that user's roles; the '?' in each query is bound to the user ID supplied at login.
Code Block
    <security-domain name="other" cache-type="default">
        <authentication>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/securityDS"/>
                <module-option name="principalsQuery" value="select USER_ID from FREVVO_USER_T where USER_ID = ?"/>
                <module-option name="rolesQuery" value="SELECT CASE INSTR(gt.role_name, 'frevvo.') WHEN 1 THEN gt.role_name ELSE pt.customer_id || '_' || gt.role_name END as role, 'Roles' FROM frevvo_user_roles_t ut, frevvo_group_rights_t gt, frevvo_person_t pt WHERE gt.group_name = ut.group_name AND pt.person_id = ut.user_id AND ut.user_id = ?"/>
            </login-module>
        </authentication>
    </security-domain>
Set up frevvo.war for JAAS Authentication
To identify any user with the role frevvo.User as a valid frevvo user, add the section below to the web.xml file in frevvo.war. The web.xml file is included in <frevvo-home>\tomcat\webapps\frevvo.war. The frevvo.war must be unzipped and rezipped after the modifications have been made, as outlined in the steps below:
- Stop Live Forms if it is running.
- Unpack the frevvo.war file to a temporary location of your choice, e.g. c:\tmp\frevvo-war. Change the file extension from .war to .zip if necessary.
- Edit c:\tmp\frevvo-war\WEB-INF\web.xml. Add the section:
Code Block
    <!-- Security constraint BASIC AUTH -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure frevvo</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>frevvo.User</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>UnsecureHeartbeat</web-resource-name>
            <url-pattern>/heartbeat/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
        <role-name>frevvo.User</role-name>
    </security-role>
- Save the changes to the web.xml file.
- Rezip all the files in the c:\tmp\frevvo-war directory, even the ones you did not edit — if you change directories or zip them differently, Live Forms may not load correctly:
This is the correct structure for the frevvo.war zip-file.
Make sure you create the zip-file with the directory structure as shown in the image above: WEB-INF and the other top-level entries must sit at the root of the archive. It is an easy mistake to include the containing directory (c:\tmp\frevvo-war) in the zip-file.
Zip tools will often give your zip-file a .zip extension. Make sure you change this to a .war extension.
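The unpack, edit, rezip procedure above has two failure modes that only show up at deployment time: a web.xml that is no longer well-formed (a single unclosed tag is enough), and an archive whose entries carry the containing directory. The following added example is not part of the original page or of frevvo's own tooling; it is a small Python script that validates the security section of web.xml and packages the directory so that WEB-INF sits at the archive root. The minimal web.xml, the frevvo-war directory layout, and the placeholder file it builds are constructed samples; a real frevvo web.xml contains many more elements.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Constructed minimal web.xml carrying only the security section from the steps above.
GOOD_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure frevvo</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>frevvo.User</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UnsecureHeartbeat</web-resource-name>
      <url-pattern>/heartbeat/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>frevvo.User</role-name>
  </security-role>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so element names compare the same for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(xml_text):
    """Return the roles guarding '/*'. Raise ValueError if the file is malformed or the
    BASIC login-config / frevvo.User pieces from the steps above are missing."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"web.xml is not well-formed: {exc}") from exc
    roles_for_all, declared_roles, auth_method = set(), set(), None
    for el in root:
        name = _local(el.tag)
        if name == "security-constraint":
            patterns = {p.text.strip() for p in el.iter() if _local(p.tag) == "url-pattern"}
            roles = {r.text.strip() for r in el.iter() if _local(r.tag) == "role-name"}
            if "/*" in patterns:
                roles_for_all |= roles
        elif name == "login-config":
            for child in el.iter():
                if _local(child.tag) == "auth-method":
                    auth_method = child.text.strip()
        elif name == "security-role":
            declared_roles |= {r.text.strip() for r in el.iter() if _local(r.tag) == "role-name"}
    if auth_method != "BASIC":
        raise ValueError("login-config must use the BASIC auth-method")
    if "frevvo.User" not in roles_for_all:
        raise ValueError("'/*' is not constrained to frevvo.User")
    if not roles_for_all <= declared_roles:
        raise ValueError("every role in an auth-constraint must also be declared in security-role")
    return roles_for_all


def pack_war(src_dir, war_path):
    """Zip the contents of src_dir (not src_dir itself) into war_path and return the entry names."""
    with open(os.path.join(src_dir, "WEB-INF", "web.xml"), encoding="utf-8") as fh:
        check_web_xml(fh.read())  # refuse to package a broken web.xml
    if not war_path.endswith(".war"):
        raise ValueError("target must use the .war extension, not .zip")
    with zipfile.ZipFile(war_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirs, files in os.walk(src_dir):
            for fname in files:
                full = os.path.join(dirpath, fname)
                # arcname is relative to src_dir, so the containing directory never enters the archive
                zf.write(full, os.path.relpath(full, src_dir).replace(os.sep, "/"))
    with zipfile.ZipFile(war_path) as zf:
        return sorted(zf.namelist())


def build_demo_war(web_xml_text=GOOD_WEB_XML):
    """Create a constructed frevvo-war tree in a temp directory, package it, return the entries."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "frevvo-war")
    os.makedirs(os.path.join(src, "WEB-INF", "classes"))
    with open(os.path.join(src, "WEB-INF", "web.xml"), "w", encoding="utf-8") as fh:
        fh.write(web_xml_text)
    with open(os.path.join(src, "WEB-INF", "classes", "placeholder.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    return pack_war(src, os.path.join(tmp, "frevvo.war"))


if __name__ == "__main__":
    print(build_demo_war())
```

Run it against your own unpacked directory with `pack_war("c:/tmp/frevvo-war", "c:/tmp/frevvo.war")`; if the returned list starts with `frevvo-war/...` rather than `WEB-INF/...`, the containing directory was included and Live Forms will not find web.xml.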
To successfully create a DB Container Security Manager tenant, you must have an admin user that already exists in the security database and has the following roles: frevvo.TenantAdmin, frevvo.Designer.
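Before walking through the tenant steps, it is worth running the principalsQuery and rolesQuery from the standalone.xml example against your security database with the intended admin's user ID, since a missing row or a missing role is exactly what makes the tenant creation below fail. The following added example is not part of the original page or of frevvo's own code; it rebuilds the four tables the rolesQuery joins in an in-memory SQLite database (whose INSTR and || behave like Oracle's for this query), loads constructed sample rows, and runs the two queries verbatim with the user ID bound to the '?' placeholder. The table columns beyond those the queries touch, the sample users jane and bob, and the customer ID acme are all constructed.

```python
import sqlite3

# Constructed schema: only the columns the two queries reference are modelled.
SCHEMA = """
CREATE TABLE frevvo_user_t (user_id TEXT PRIMARY KEY);
CREATE TABLE frevvo_person_t (person_id TEXT PRIMARY KEY, customer_id TEXT NOT NULL);
CREATE TABLE frevvo_user_roles_t (user_id TEXT NOT NULL, group_name TEXT NOT NULL);
CREATE TABLE frevvo_group_rights_t (group_name TEXT NOT NULL, role_name TEXT NOT NULL);
"""

# Constructed sample data: jane is in groups admins and staff, bob only in staff.
SAMPLE = [
    ("INSERT INTO frevvo_user_t VALUES (?)", [("jane",), ("bob",)]),
    ("INSERT INTO frevvo_person_t VALUES (?, ?)", [("jane", "acme"), ("bob", "acme")]),
    ("INSERT INTO frevvo_user_roles_t VALUES (?, ?)",
     [("jane", "admins"), ("jane", "staff"), ("bob", "staff")]),
    ("INSERT INTO frevvo_group_rights_t VALUES (?, ?)",
     [("admins", "frevvo.TenantAdmin"), ("admins", "frevvo.Designer"), ("staff", "Approver")]),
]

# The two module-option values from the standalone.xml example, unchanged.
PRINCIPALS_QUERY = "select USER_ID from FREVVO_USER_T where USER_ID = ?"
ROLES_QUERY = (
    "SELECT CASE INSTR(gt.role_name, 'frevvo.') WHEN 1 THEN gt.role_name "
    "ELSE pt.customer_id || '_' || gt.role_name END as role, 'Roles' "
    "FROM frevvo_user_roles_t ut, frevvo_group_rights_t gt, frevvo_person_t pt "
    "WHERE gt.group_name = ut.group_name AND pt.person_id = ut.user_id AND ut.user_id = ?"
)

# Roles the tenant admin must hold, per the requirement stated above.
REQUIRED_ADMIN_ROLES = {"frevvo.TenantAdmin", "frevvo.Designer"}


def open_sample_db():
    """Build the in-memory security database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt, rows in SAMPLE:
        conn.executemany(stmt, rows)
    return conn


def principal_exists(conn, user_id):
    """principalsQuery: the Database login module treats any returned row as a known user."""
    return conn.execute(PRINCIPALS_QUERY, (user_id,)).fetchone() is not None


def roles_for(conn, user_id):
    """rolesQuery: (role, 'Roles') pairs; roles not starting with 'frevvo.' get a customer_id prefix."""
    return sorted(conn.execute(ROLES_QUERY, (user_id,)).fetchall())


def can_be_tenant_admin(conn, user_id):
    """Pre-check for tenant creation: the admin must exist and hold both required roles."""
    held = {role for role, _group in roles_for(conn, user_id)}
    return principal_exists(conn, user_id) and REQUIRED_ADMIN_ROLES <= held


if __name__ == "__main__":
    db = open_sample_db()
    for uid in ("jane", "bob", "nobody"):
        print(uid, principal_exists(db, uid), roles_for(db, uid), can_be_tenant_admin(db, uid))
```

Two things are visible in the output that the configuration alone does not show: a non-frevvo role such as Approver comes back as acme_Approver, so tenant-scoped roles are namespaced by customer, and because the user ID is bound to '?' rather than concatenated into the query, an ID containing quote characters simply matches no row.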
- Restart Live Forms.
- Browse to the following URL: http://<hostname>:<port>/frevvo/web/login
- Log in to Live Forms as the superuser:
  - Username: admin@d
  - Password: admin
- Once you are logged in as administrator, click on the "Manage Tenants" link.
- Click the icon to add a new Tenant.
- Select "DB Container Security Manager" as the Security Manager Class.
- Add a Tenant ID, Tenant Name and Tenant Description. Use the user ID from the Security DB that has the role "frevvo.TenantAdmin" as the Admin Id.
- Click Submit. You should see the message "Tenant <TenantName> added successfully".
If the tenant admin user does not exist in the security database, or does not have the required roles, an error naming the tenant you are trying to add is displayed instead: