CollectionSpace ships with an out-of-the-box, easy-to-use identity provider, which is the default identity provider of CollectionSpace. As of release 0.4 this identity provider is also tenant-aware: the realm it manages is partitioned per tenant. This provider is consulted in addition to any other third-party identity providers when verifying the identities of users.
|This document is linked from the Authentication Service Configuration Guide. If you are seeking to set up authentication in your CollectionSpace system, please start with that document. (You may potentially be referred back to this document to complete some parts of the process.)|
In Java, the security context can take the form of a Subject if the JAAS framework is used for authentication. A subject may be any entity, such as a person or a service. Once the subject is authenticated, a Java Subject is populated with the associated identities, or principals. A Java Principal can represent any entity, such as an individual, a corporation, or a login id. A Subject may also own credentials. Sensitive credentials that require special protection, such as private cryptographic keys, are stored within a private credential Set. Credentials intended to be shared, such as public key certificates, are stored within a public credential Set. Access to credentials is granted based on permissions.
The security context, in the form of a Subject, is made available by the Java application server to the application (usually attached to the thread context) once authentication completes.
After successful authentication, the CollectionSpace security runtime can further populate the Subject with tenant-specific information. This information can take the form of a special group called "Tenants". Each member of this group represents a tenant whose resources the user principal may access. This context can then be used for the following purposes.
- Retrieve tenant-specific bindings in order to process the service request
- Enforce access control policies/permissions (using roles implemented as groups)
Two assumptions apply: at the time of provisioning a tenant, a user with privileges to administer the accounts for that tenant is added to the system, and that user is added out-of-band, without using the Account Service.
The following sections describe how to configure this provider in JBoss 4.2.3 GA.
Shut down the JBoss server if it is running, then execute the following commands from a command prompt. It is assumed that you have already executed ant deploy at the trunk level, as follows.
This command copies the datasource configuration to $JBOSS_HOME/server/cspace/deploy/cspace-ds.xml, among other things including the CS IdP binaries.
|Since 0.4, the CS IdP is able to use a datasource to obtain a connection to the database. See CSPACE-259 for the resolution.|
You may find the latest version of this file in /src/services/trunk/services/src/main/resources/config/cspace-ds.xml.
Configuration of the JAAS login module involves two steps:
- Create the necessary tables in the database
- Configure JBoss's login configuration to add an application policy that uses the login module
The preferred way to create the tables is the ant task create_db. This task not only creates the necessary tables but also populates them with test data.
Note: You may need to set the required environment variables (DB_USER, DB_PASSWORD) before running create_db. See Services Build for details.
Alternatively, you can use the following SQL script to create the necessary tables in a MySQL database named cspace. The script creates three tables:
- Table users: stores user names and (hashed) passwords
- Table roles: stores role names and the role group each belongs to
- Table users_roles: associates users with roles
You may find a copy of this script in src/services/trunk/services/authentication/client/src/main/resources/db/mysql/authentication.sql.
Whichever approach you use to create the tables, you should then add the following indices.
You may find a copy of this script in src/services/trunk/services/authentication/client/src/main/resources/db/mysql/authentication_index.sql.
Edit $JBOSS_HOME/server/cspace/conf/login-config.xml and add the following snippet anywhere above the application-policy named other.
|The following configuration is according to release 0.5|
Note that the module-option named dsJndiName refers to the same datasource configured in the datasource configuration above. Secondly, the name of the application-policy, cspace, is also the name of the JBoss security domain. Lastly, you must use CSpacePrincipal to populate the tenant-specific context into the security context.
The configuration above specifies that passwords are hashed with SHA-256 before being stored in the database; passwords are case-sensitive. It also lists the SQL queries used to retrieve the stored password and the user-role association(s) from the database.
You may find the latest version of this file in /src/services/trunk/services/authentication/service/src/main/resources/config/jboss-login-config.xml.
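The following Python script is an added example, not CollectionSpace code or the content of jboss-login-config.xml. It emulates what the login module described above does against the three tables (users, roles, users_roles): hash the submitted password with SHA-256, compare it to the stored hash fetched by a principals query, then collect the user's roles grouped by role group, so that members of the "Tenants" group end up alongside the ordinary "Roles". The schema, column names, query wording, base64 hash encoding and sample rows are all assumptions constructed for the example; the page itself states only the table names and the SHA-256 algorithm.

```python
"""Added example (not CollectionSpace code): emulate a JAAS database
login module's password check and role lookup over the users, roles
and users_roles tables, using an in-memory SQLite database."""
import base64
import hashlib
import hmac
import sqlite3

# Constructed schema mirroring the three tables named on the page.
# Column names are assumptions, not the project's authentication.sql.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT NOT NULL);
CREATE TABLE roles (rolename TEXT PRIMARY KEY, rolegroup TEXT NOT NULL);
CREATE TABLE users_roles (username TEXT NOT NULL, rolename TEXT NOT NULL,
    PRIMARY KEY (username, rolename));
CREATE INDEX users_roles_username ON users_roles (username);
"""

# Queries in the shape of a login module's principals/roles queries
# (assumed wording; the real ones live in jboss-login-config.xml).
PRINCIPALS_QUERY = "SELECT passwd FROM users WHERE username = ?"
ROLES_QUERY = ("SELECT r.rolename, r.rolegroup FROM roles r "
               "JOIN users_roles ur ON ur.rolename = r.rolename "
               "WHERE ur.username = ?")


def hash_password(password: str) -> str:
    """SHA-256 of the password, base64-encoded (encoding is an assumption;
    the page names only the algorithm).  Passwords are case-sensitive, so
    no normalisation is applied before hashing."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def setup_db(users, roles, users_roles) -> sqlite3.Connection:
    """Create the three tables and load constructed sample rows;
    plaintext passwords in `users` are hashed before insertion."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in users])
    conn.executemany("INSERT INTO roles VALUES (?, ?)", roles)
    conn.executemany("INSERT INTO users_roles VALUES (?, ?)", users_roles)
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, username: str, password: str):
    """Return a Subject-like dict {'principal': ..., 'groups': {...}} on
    success, or None.  Unknown user and wrong password both yield None,
    so the caller cannot tell which failed."""
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the stored and computed hashes.
    if not hmac.compare_digest(row[0], hash_password(password)):
        return None
    groups = {}
    for rolename, rolegroup in conn.execute(ROLES_QUERY, (username,)):
        groups.setdefault(rolegroup, set()).add(rolename)
    return {"principal": username, "groups": groups}


def demo():
    """Constructed sample data: one admin user who holds one role in the
    standard 'Roles' group and is a member of one tenant via 'Tenants'."""
    conn = setup_db(
        users=[("admin", "Admin123")],
        roles=[("ROLE_ADMINISTRATOR", "Roles"), ("tenant-a", "Tenants")],
        users_roles=[("admin", "ROLE_ADMINISTRATOR"), ("admin", "tenant-a")],
    )
    return (login(conn, "admin", "Admin123"),   # correct password
            login(conn, "admin", "admin123"),   # wrong case -> None
            login(conn, "nobody", "Admin123"))  # unknown user -> None


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the example makes explicit is that the role group column decides which group a row lands in within the authenticated Subject: rows whose group is "Roles" drive authorization, while rows whose group is "Tenants" carry the tenant membership described earlier. The case-sensitivity check in `demo` shows why the hash must be computed over the password exactly as submitted.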