limeds-framework / Modules_Simple_Auth

We've provided a simple auth module to enable authentication and authorization for your LimeDS instance. Note that HTTPS should be enabled for the Jetty HTTP server for this to be effective, since otherwise the credentials and tokens travel in cleartext!

To install it, browse the following URL:

http://[limeds_host]:[limeds_port]/_limeds/installables/org.ibcn.limeds.simpleauth/latest/deploy

(Or, when working in Eclipse, add it to your run.bndrun file and click Resolve.)

From now on, the LimeDS System APIs are automatically password protected, so first things first: we're going to authenticate using the default username "admin" and the password "admin".

You can do this by sending a POST to /auth/tokens, with the following JSON object as a request body:

{
  "username": "admin",
  "password": "admin"
}

The Swagger UI at http://[limeds_host]:[limeds_port]/swagger/#/Auth_APIs can be used for this.

Now we can change the configuration of the auth module using the Configuration Editor that can be accessed using the main LimeDS editor. Click on the "org.ibcn.limeds.simpleauth.Provider" on the left to access the configuration. You should see the following panel:

[Screenshot auth_1.PNG: the org.ibcn.limeds.simpleauth.Provider configuration panel]

The accounts property holds an array of active accounts. Each entry is a semicolon-separated String describing (in this order):

  1. The username for the account
  2. The password for the account (*)
  3. The roles for this account (String IDs for the roles, separated again by semicolon)

When the hashPasswords property is set to true, the auth module expects the password field of each accounts entry to contain a SHA-256 hash of the password instead of the plaintext. To generate a valid password hash, use the Generator at http://[limeds_host]:[limeds_port]/swagger/#!/Auth_APIs/HashGenerator.

You can now add additional accounts with different roles that you can specify yourself. Two default roles are supported by the system:

  1. LIMEDS_ADMIN: Accounts that have this role will have access to all LimeDS System APIs
  2. LIMEDS_VIEW_ONLY: Accounts that have this role will only have access to the LimeDS System APIs that don't make changes to the environment (e.g. listing all Segments).

Adding authentication or authorization to your HTTP endpoints is done by adding additional properties to the HTTP configuration.

Example of enabling authentication for an endpoint:

@Segment
public class GetUsers extends HttpEndpointSegment {

  @Override
  @HttpOperation(method=HttpMethod.GET, path="/users/", authMode=AuthMode.AUTHENTICATE_ONLY)
  public JsonValue apply(JsonValue input, HttpContext context) {
    // Your logic: only authenticated callers reach this point
    return null; // replace with the endpoint's JSON response
  }

}

Example of adding authorization to an endpoint:

@Segment
public class AddUser extends HttpEndpointSegment {

  @Override
  @HttpOperation(method=HttpMethod.POST, path="/users/", authMode=AuthMode.AUTHORIZE_DISJUNCTIVE, authorityRequired={"FORUM_MODERATOR", "FORUM_ADMIN"})
  public JsonValue apply(JsonValue input, HttpContext context) {
    // Your logic: only callers holding FORUM_MODERATOR or FORUM_ADMIN reach this point
    return null; // replace with the endpoint's JSON response
  }

}

There are two AUTHORIZE modes. DISJUNCTIVE, as used in the example, means that the authenticated user must have at least one of the roles listed in the "authorityRequired" attribute. With CONJUNCTIVE, the authenticated user must have all of the roles listed in that attribute.
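As an added illustration (not part of the LimeDS code base), the following Python models the accounts entry format and the hashPasswords check described above, together with the three authMode checks. The hex encoding of the SHA-256 digest and the custom role FORUM_MODERATOR are assumptions; the sample accounts are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample of the "accounts" property: "username;password;ROLE;ROLE;...".
# With hashPasswords=true the password field holds a SHA-256 digest; hex encoding
# of that digest is an assumption here (check the HashGenerator's real output).
# FORUM_MODERATOR is a made-up custom role.
ACCOUNTS = [
    "admin;" + hashlib.sha256(b"admin").hexdigest() + ";LIMEDS_ADMIN",
    "auditor;" + hashlib.sha256(b"s3cret").hexdigest() + ";LIMEDS_VIEW_ONLY;FORUM_MODERATOR",
]

@dataclass(frozen=True)
class Account:
    username: str
    secret: str  # plaintext password, or its SHA-256 hex when hashing is on
    roles: frozenset

def parse_accounts(entries):
    """Split each semicolon-separated entry into an Account, keyed by username."""
    accounts = {}
    for entry in entries:
        parts = entry.split(";")
        if len(parts) < 2 or not parts[0]:
            raise ValueError(f"malformed accounts entry: {entry!r}")
        roles = frozenset(p for p in parts[2:] if p)  # ignore empty trailing fields
        accounts[parts[0]] = Account(parts[0], parts[1], roles)
    return accounts

def authenticate(accounts, username, password, hash_passwords=True):
    """Return the Account on a correct login, else None (constant-time compare)."""
    acct = accounts.get(username)
    if acct is None:
        return None
    candidate = hashlib.sha256(password.encode()).hexdigest() if hash_passwords else password
    return acct if hmac.compare_digest(candidate.encode(), acct.secret.encode()) else None

def authorize(acct, auth_mode, authority_required=()):
    """AUTHENTICATE_ONLY: any account; DISJUNCTIVE: at least one listed role; CONJUNCTIVE: all."""
    required = set(authority_required)
    if auth_mode == "AUTHENTICATE_ONLY":
        return True
    if auth_mode == "AUTHORIZE_DISJUNCTIVE":
        return bool(acct.roles & required)
    if auth_mode == "AUTHORIZE_CONJUNCTIVE":
        return required <= acct.roles
    raise ValueError(f"unknown authMode: {auth_mode}")
```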
