Authorization and Security Settings
Application configuration parameters, file deploy.json
Application configuration options identify the key features of the system: they are defined at the design stage, read when the application starts, and can be used to change the default settings.
Setting authorization parameters when working with a password
The parameters and requirements for passwords are set in deploy.json, in the configuration of the module's auth component. Mostly, however, these settings are set globally.
{
  "globals": {
    "parametrised": true,
    "plugins": {
      "auth": {
        "module": "lib/auth",
        "initMethod": "init",
        "initLevel": 2,
        "options": {
          "app": "ion://application",
          "logger": "ion://sysLog",
          "dataSource": "ion://Db",
          "acl": "ion://aclProvider",
          "passwordLifetime": "[[auth.passwordLifeTime]]", // maximum password validity period
          "passwordMinPeriod": "[[auth.passwordMinPeriod]]", // minimum password validity period
          "passwordMinLength": "[[auth.passwordMinLength]]", // minimum password length
          "passwordComplexity": { // password complexity requirements
            "upperLower": true, // both upper- and lower-case letters are required
            "number": true, // at least one digit is required
            "special": true // at least one special character is required
          },
          "passwordJournalSize": "[[auth.passwordJournalSize]]", // keep a journal of this many previous passwords
          "tempBlockInterval": "[[auth.tempBlockInterval]]", // time until the lockout attempt counter is reset
          "attemptLimit": "[[auth.attemptLimit]]", // number of failed attempts that triggers a lockout
          "tempBlockPeriod": "[[auth.tempBlockPeriod]]" // duration of the account lockout
        }
      }
    }
  }
}
Values written as [[auth.passwordLifeTime]] can be reconfigured in the application settings file /config/setup.ini. For this to work, "parametrised": true must be set in globals.
The lifetime is set in the format [duration][unit], where the unit is one of:
- y - year
- d - day
- h - hour
- m - minute
- s - second
By default, the key parameter values are:
- passwordLifetime = 100y
- passwordMinPeriod = 0d
- passwordMinLength = 8
All passwords created in the system, including imported ones, are automatically flagged as requiring a change. To avoid having to change passwords after an import, the parameter needPwdReset: false must be specified in the user properties in the imported acl file.
Setting the minimum password length
You can specify the minimum password length required to log in using the "passwordMinLength" property.
"plugins": {
  "accounts": {
    "options": {
      "passwordMinLength": 8
    }
  }
}
Setting the access rights "aclProvider"
"plugins": {
  "aclProvider": {
    "module": "core/impl/access/aclMetaMap",
    "initMethod": "init",
    "initLevel": 1,
    "options": {
      "dataRepo": "lazy://dataRepo",
      "acl": "lazy://actualAclProvider",
      "accessManager": "lazy://roleAccessManager"
    }
  }
}
Framework and application settings parameters in the config/setup.ini file
The settings are intended to refine and change the application parameters and are initialized at startup. Settings have a higher priority than the configuration in deploy.json.
Application settings can also be set through environment variables; environment variables have a higher priority than the settings file.
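The precedence described above (environment variables over setup.ini, setup.ini over the values written in deploy.json) is shown below as an added example, not code from the ION framework. It parses a constructed setup.ini fragment, including the key[]=value array form that auth.exclude[] uses, and substitutes [[code]] placeholders in a deploy.json-style object only when globals.parametrised is true. The environment variable naming (auth.attemptLimit looked up as AUTH_ATTEMPTLIMIT) is an assumption made for this example; the framework's real mapping is not documented on this page.

```javascript
// Parses ini text: "key=value", lines starting with ";" or "#", inline comments after
// the value, and the "key[]=value" array form used for auth.exclude[].
function parseIni(text) {
  const out = {};
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\s+[;#].*$/, '').trim(); // strip inline comments
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    let key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key.endsWith('[]')) {
      key = key.slice(0, -2);
      (out[key] = out[key] || []).push(value);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Assumption for this example: "auth.attemptLimit" is looked up as AUTH_ATTEMPTLIMIT.
function envName(code) {
  return code.replace(/\./g, '_').toUpperCase();
}

// Environment wins over the settings file; undefined means nothing sets the code.
function lookup(code, ini, env) {
  const fromEnv = env[envName(code)];
  return fromEnv !== undefined ? fromEnv : ini[code];
}

// Walks a deploy.json-style object and replaces "[[code]]" strings. A placeholder that
// nothing sets is kept verbatim, so a forgotten setting stays visible in the result.
function resolvePlaceholders(node, ini, env) {
  if (typeof node === 'string') {
    const m = /^\[\[(.+)\]\]$/.exec(node);
    if (!m) return node;
    const v = lookup(m[1], ini, env);
    return v === undefined ? node : v;
  }
  if (Array.isArray(node)) return node.map((n) => resolvePlaceholders(n, ini, env));
  if (node && typeof node === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = resolvePlaceholders(v, ini, env);
    return out;
  }
  return node;
}

// Entry point: substitution happens only when globals.parametrised is true, as the page
// requires; otherwise the deploy.json values are returned untouched. Pass process.env
// as env in a real run.
function resolveConfig(deploy, iniText, env = {}) {
  if (!deploy.globals || deploy.globals.parametrised !== true) return deploy;
  return resolvePlaceholders(deploy, parseIni(iniText), env);
}
```

Leaving an unresolved placeholder in place rather than silently defaulting it makes a missing setting show up in the effective configuration, which is the check an operator wants when a password or lockout parameter does not behave as expected.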
Overriding password configuration settings
If parameterization is enabled and a parameter code is specified, the password parameters set in the project's deploy.json can be overridden via the platform settings or through environment variables.
Example of a settings file /config/setup.ini that overrides the values specified in the deploy.json example above:
# Maximum password validity period
auth.passwordLifeTime=90d
# Minimum password validity period
auth.passwordMinPeriod=75d
# Minimum password length
auth.passwordMinLength=8
# Keep a journal of this many previous passwords
auth.passwordJournalSize=5
# Time until the lockout attempt counter is reset
auth.tempBlockInterval=30m
# Lockout attempt threshold
auth.attemptLimit=6
# Duration of the account lockout
auth.tempBlockPeriod=30m
# Lifetime of an authorized session with no activity
auth.sessionLifeTime=4h
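How attemptLimit, tempBlockInterval and tempBlockPeriod fit together is shown below as an added example, not code from the ION framework: an in-memory failed-login counter that blocks an account once the threshold is reached inside the counting window. The configuration values are constructed to match the settings file above and are taken as milliseconds (converting the "30m" notation is a separate step); the injectable clock exists so the behaviour can be checked without waiting.

```javascript
// Constructed values matching the setup.ini example above, already converted to ms.
const lockoutConfig = {
  attemptLimit: 6,                   // auth.attemptLimit
  tempBlockInterval: 30 * 60 * 1000, // auth.tempBlockInterval=30m
  tempBlockPeriod: 30 * 60 * 1000,   // auth.tempBlockPeriod=30m
};

// Per-login failure accounting. State lives in memory here; a multi-instance
// deployment would keep it in shared storage.
class LoginGuard {
  constructor(cfg, now = () => Date.now()) {
    this.cfg = cfg;
    this.now = now;
    this.state = new Map(); // login -> { failures, firstFailureAt, blockedUntil }
  }

  // True while the login is inside a temporary block; callers check this first.
  isBlocked(login) {
    const s = this.state.get(login);
    return Boolean(s && s.blockedUntil !== null && this.now() < s.blockedUntil);
  }

  // Records one failed attempt and returns a snapshot suitable for a security log.
  recordFailure(login) {
    const t = this.now();
    let s = this.state.get(login);
    const blockExpired = s && s.blockedUntil !== null && t >= s.blockedUntil;
    const windowExpired = s && s.blockedUntil === null
      && t - s.firstFailureAt >= this.cfg.tempBlockInterval;
    if (!s || blockExpired || windowExpired) {
      s = { failures: 0, firstFailureAt: t, blockedUntil: null }; // counter reset
      this.state.set(login, s);
    }
    if (s.blockedUntil === null) {
      s.failures += 1;
      if (s.failures >= this.cfg.attemptLimit) {
        s.blockedUntil = t + this.cfg.tempBlockPeriod; // threshold reached: block
      }
    }
    return { login, ...s };
  }

  // A successful login clears the counter but never lifts an active block.
  recordSuccess(login) {
    if (this.isBlocked(login)) return false;
    this.state.delete(login);
    return true;
  }
}
```

The snapshot returned by recordFailure carries the failure count and the block expiry, which is what a monitoring rule needs to distinguish a single mistyped password from a run of attempts that reached attemptLimit.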
Setting the session length in the system
Set the session length in config/config.json in sessionHandler, using a placeholder for the cookie.maxAge parameter:
"sessionHandler": {
  "module": "lib/session",
  "initMethod": "init",
  "initLevel": 1,
  "options": {
    "app": "ion://application",
    "dataSource": "ion://Db",
    "session": {
      "secret": "ion:demo:secret",
      "resave": false,
      "saveUninitialized": true,
      "cookie": {
        "httpOnly": true,
        "secure": false,
        "maxAge": "[[auth.sessionLifeTime]]"
      }
    }
  }
}
Add this setting to the project's deploy.ini file. The format is the same as for the period settings in auth:
auth.tempBlockPeriod=2s
auth.tempBlockInterval=15m
auth.blockPeriod=1d
auth.sessionLifeTime=2h
You can also set it as a plain number, in which case it is interpreted as milliseconds.
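The [duration][unit] notation used by passwordLifetime, tempBlockPeriod, sessionLifeTime and the other period settings, together with the plain-number-means-milliseconds rule just stated, is implemented below as an added example, not code from the ION framework. The framework's own conversion is not shown on this page, so the day-based values (a 365-day year in particular) are this example's assumptions; checkPasswordPeriods is an added sanity check on a resolved policy.

```javascript
// Milliseconds per unit. The year value is an assumption (365 days); the framework's
// own conversion is not documented on this page.
const UNIT_MS = {
  s: 1000,
  m: 60 * 1000,
  h: 60 * 60 * 1000,
  d: 24 * 60 * 60 * 1000,
  y: 365 * 24 * 60 * 60 * 1000,
};

// Returns milliseconds. Accepts "<integer><unit>" with unit y/d/h/m/s, a numeric
// string, or a number (both taken as milliseconds); anything else is rejected.
function parseDuration(value) {
  if (typeof value === 'number') {
    if (!Number.isFinite(value) || value < 0) throw new TypeError(`bad duration: ${value}`);
    return value;
  }
  const text = String(value).trim();
  if (/^\d+$/.test(text)) return Number(text); // "3600000" -> milliseconds
  const m = /^(\d+)([ydhms])$/.exec(text);
  if (!m) throw new TypeError(`bad duration: ${JSON.stringify(value)}`);
  return Number(m[1]) * UNIT_MS[m[2]];
}

// Sanity check on a resolved password policy: the minimum period must not exceed the
// lifetime, otherwise a user could never change an expired password voluntarily.
function checkPasswordPeriods(cfg) {
  const lifetime = parseDuration(cfg.passwordLifetime);
  const minPeriod = parseDuration(cfg.passwordMinPeriod);
  return minPeriod <= lifetime;
}
```

Rejecting unknown units instead of guessing is deliberate: a typo such as "5w" in a session or lockout setting should fail at startup rather than silently become a very short or very long period.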
To store sessions in the Redis caching server instead of the database, add the session type and the caching parameters to the project's deploy.ini file:
session.type=redis
cache.redis.host=127.0.0.1
cache.redis.port=6379
Setting to disable the authorization form when going to a module page
In the core settings, the "auth" field has the exclude setting:
"auth": {
  "module": "lib/auth",
  "initMethod": "init",
  "initLevel": 2,
  "options": {
    "app": "ion://application",
    "logger": "ion://sysLog",
    "dataSource": "ion://Db",
    "denyTopLevel": "[[auth.denyTop]]",
    "authCallbacks": ["[[auth.callback]]"],
    "publicRegistration": "[[auth.registration]]",
    "exclude": ["[[auth.exclude1]]", "[[auth.exclude2]]", "[[auth.exclude3]]"]
  }
}
So, write the following in the project's ini file:
auth.exclude[] = /registry/ # exclude only requests to the module root
auth.exclude[] = /registry/** # exclude requests to all pages of the module
auth.exclude[] = \/registry\/khv-svyaz-info@naselenniePunkty\/\w+ # exclude requests to all module pages inside the khv-svyaz-info@naselenniePunkty node
auth.exclude[] = /registry/api/naselenniyPunkt@khv-svyaz-info/** # exclude requests to the class API
When you go to a page matched by these module settings, the data is displayed without authorization.
Deactivating authorization for static paths, using the develop-and-test project as an example:
; Exclude static core paths from the security access check
auth.exclude[]=/
auth.exclude[]=/vendor/**
auth.exclude[]=/css/**
auth.exclude[]=/fonts/**
auth.exclude[]=/favicon.ico
; Exclude static module paths from the security access check
auth.exclude[]=/registry/vendor/**
auth.exclude[]=/registry/css/**
auth.exclude[]=/registry/js/**
auth.exclude[]=/registry/app-vendor/**
auth.exclude[]=/registry/app-static/**
auth.exclude[]=/registry/common-static/**
auth.exclude[]=/registry/img/**
auth.exclude[]=/registry/fonts/**
auth.exclude[]=/dashboard/vendor/**
auth.exclude[]=/dashboard/develop-and-test/** ; for the develop-and-test project
auth.exclude[]=/dashboard/js/**
auth.exclude[]=/registry/viewlib-ext-static/** ; for the viewlib-extra project
auth.exclude[]=/registry/viewlib-static/js/** ; for the viewlib project
auth.exclude[]=/gantt-chart/vendor/**
auth.exclude[]=/gantt-chart/gantt/**
auth.exclude[]=/gantt-chart/css/**
auth.exclude[]=/gantt-chart/js/**
auth.exclude[]=/gantt-chart/common-static/**
auth.exclude[]=/gantt-chart/fonts/**
auth.exclude[]=/geomap/vendor/**
auth.exclude[]=/geomap/css/**
auth.exclude[]=/geomap/js/**
auth.exclude[]=/geomap/common-static/**
auth.exclude[]=/geomap/img/**
auth.exclude[]=/geomap/fonts/**
auth.exclude[]=/report/vendor/**
auth.exclude[]=/report/css/**
auth.exclude[]=/report/js/**
auth.exclude[]=/report/common-static/**
auth.exclude[]=/report/img/**
auth.exclude[]=/report/fonts/**
; Exclude an entire module from the security access check
auth.exclude[]=/portal/**