Authorization and Security Settings

Application configuration options, deploy.json file

Application configuration options are designed to identify key features of the system when the application is running at the design stage and changing the default settings.

Setting authorization parameters when working with a password

Password settings and requirements are set in di in auth component configuration of the module. But mostly settings are set globally.

  "globals": {
    "parametrised": true,
      "auth": {
        "module": "lib/auth",
        "initMethod": "init",
        "initLevel": 2,
        "options": {
          "app": "ion://application",
          "logger": "ion://sysLog",
          "dataSource": "ion://Db",
          "acl": "ion://aclProvider",
          "passwordLifetime": "[[auth.passwordLifeTime]]", // Максимальный срок действия пароля
          "passwordMinPeriod": "[[auth.passwordMinPeriod]]", // Минимальный срок действия пароля
          "passwordMinLength": "[[auth.passwordMinLength]]", // Минимальная длина пароля
          "passwordComplexity": { // Требования к сложности пароля
            "upperLower": true, // Обязательно верхний и нижний регистр
            "number": true, // Обязрательно использование хотя бы одного числа
            "special": true // Обязательно использование хотя бы одного специального символа
          "passwordJournalSize": "[[auth.passwordJournalSize]]", // Вести журнал паролей размере паролей
          "tempBlockInterval": "[[auth.tempBlockInterval]]", // Время до сброса счетчика блокировки
          "attemptLimit": "[[auth.attemptLimit]]", // Пороговое значение количества попыток для блокировки
          "tempBlockPeriod": "[[auth.tempBlockPeriod]]" // Продолжительность блокировки учетной записи

The values indicated as [[auth.passwordLifeTime]] can be reconfigured in the application settings file - /config/setup.ini. But for this, it is necessary to verify that the “parametrised”: true setting is set to global.

The lifetime is set in the format [duration][unit], while units:

  • y - year
  • d - day
  • h - hour
  • m - minute
  • s - second

By default, the key parameter values are:

  • passwordLifetime = 100y
  • passwordMinPeriod = 0d
  • passwordMinLength = 8

All created passwords in the system, including imported ones, are automatically set as required for the change. In order to avoid changing passwords during import, the needPwdReset: false parameter must be specified in the user properties in the imported acl file.

Setting the minimum password length

You can specify the minimum password length to log in, using the "passwordMinLength" property.

Setting the access rights “aclProvider”


"aclProvider": {
    "module": "core/impl/access/aclMetaMap",
    "initMethod": "init",
    "initLevel": 1,
      "dataRepo": "lazy://dataRepo",
      "acl": "lazy://actualAclProvider",
      "accessManager": "lazy://roleAccessManager"

Settings for the framework and application in `config/setup.ini

Settings are used to specify and change the application parameters and initialized at start. Settings take precedence over configuration settings.

Application settings can also be set in environment variables, while environment variables take precedence over settings.

Overriding password configuration settings

The password parameters set in the deploy.json of the project, if parameterization is enabled and the parameter code is specified, you can redefine them via the platform settings or through environment variables.

Example of the setup file /config/setup.ini in which the values specified in the deploy.json file are redefined.

# Максимальный срок действия пароля
# Минимальный срок действия пароля
# Минимальная длина пароля
# Вести журнал паролей размере паролей
# Время до сброса счетчика блокировки
# Пороговое значение блокировки
# Продолжительность блокировки учетной записи
# Время жизни авторизованной сессии, при отсутствии активности

Setting the session length in the system

Set the session length in the в config/config.json in sessionHandler, using placeholders for the cookie.maxAgeparameter:

"sessionHandler": {
  "module": "lib/session",
  "initMethod": "init",
  "initLevel": 1,
  "options": {
    "app": "ion://application",
    "dataSource": "ion://Db",
    "session": {
      "secret": "ion:demo:secret",
      "resave": false,
      "saveUninitialized": true,
      "cookie": {
        "httpOnly": true,
        "secure": false,
        "maxAge": "[[auth.sessionLifeTime]]"

Add this setting in the deploy.ini-file of the project. The format is the same as for the period setting in the auth:

You can also set it in numbers, and then it will be in milliseconds.

To store the session not in the database, but in the redis caching server, add the caching settings and parameters to the deploy.ini file of the project .. code-block:


Setting to disable the authorization form to go to the module page

In the core setting the “auth” field has the excludesetting:

"auth": {
  "module": "lib/auth",
  "initMethod": "init",
  "initLevel": 2,
  "options": {
    "app": "ion://application",
    "logger": "ion://sysLog",
    "dataSource": "ion://Db",
    "denyTopLevel": "[[auth.denyTop]]",
    "authCallbacks": ["[[auth.callback]]"],
    "publicRegistration": "[[auth.registration]]",
    "exclude": ["[[auth.exclude1]]", "[[auth.exclude2]]", "[[auth.exclude3]]"]

So in the ini-file of the project, write the following:

When you go to the page specified in the module settings - the data is displayed without the authorization.

Deactivation of the authorization for static paths on the example of the develop-and-test project: