Authentication

The PureWeb server uses Spring Security role-based authorization to control login authentication and authorization. Detailed information on this model can be found on their web site.

Any authorization plug-in that conforms to the Spring 3.1.x security model will work, as long as it grants applicable security roles supported by the PureWeb SDK.

Spring Security includes a built-in LDAP provider, but this provider does not have the ability to map LDAP groups to custom roles. To offer this functionality, the PureWeb server uses its own LDAP provider, MappedLdapAuthenticationProvider, which is otherwise similar to the one included with Spring Security. You add this provider through a plugin.xml file.

Once you have set up your authentication, you can restrict access to pages based on a user's role.

The configuration files also allow you to control how the application responds to an unauthorized access attempt.

For instructions on how to add users, and how to assign passwords and security roles, see User management.


Security roles

The roles required by the PureWeb SDK are as follows:

  • Administrator: This role is used to perform administrative tasks in the server. It has access to all the server’s menu options. It is the only role that has access to the server's Configuration page and that is authorized to cancel sessions that are in progress. In Spring, it is defined as ROLE_PUREWEB_SERVER_ADMIN.
  • User: This role is used for normal users of PureWeb applications; for instance, it can launch client applications. When logged in with User level permissions, you do not have access to any of the server pages except the Apps page. In Spring, it is defined as ROLE_PUREWEB_USER.
  • Monitor: This role is used for monitoring the server; it does not have access to the configuration pages, and cannot launch applications. In Spring, it is defined as ROLE_PUREWEB_SERVER_MONITOR.
  • Collaborator: This role is used internally by the SDK to define permissions for collaborators who join a session. In Spring, it is defined as ROLE_PUREWEB_COLLABORATOR.

The default configuration includes an additional role, ROLE_PUREWEB_USER_ADMIN, that is not currently used but is left in the default admin user credentials for legacy reasons.

Configuring an LDAP plug-in

The PureWeb server uses Spring Security role-based authorization. Spring Security includes a built-in LDAP provider, but this provider does not have the ability to map LDAP groups to custom roles. To offer this functionality, the server uses its own LDAP provider, MappedLdapAuthenticationProvider, which is otherwise similar to the one included with Spring Security.

The simplest way to use this provider is through a plug-in.

  1. Create a new text file called ldap-plugin.xml and place it at the following location:
    [installed_directory]\Server\conf
  2. Add the provider bean below to this file.
  3. Edit the parameters in the bean to reflect the values for your own implementation. The parameters need to match the LDAP parameters used by your directory.

    Property           Value
    serverUrl          The address of your LDAP or database authentication server.
    serverUsername     The user name used to connect to the authentication server.
    serverPassword     The password used to connect to the authentication server.
    userSearchBase     The node in your tree to search for users.
    userSearchFilter   The field in the user element to use as the user's name.
    groupSearchBase    The node in your tree to search for groups.
    groupSearchFilter  The field in the group element to find the user's name, to see if they are in that group.
    roleMap            A mapping of existing LDAP or JDBC roles to their PureWeb equivalent, to provide site-specific configuration without requiring changes to existing LDAP directories or database roles.
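To make the interaction between the search parameters and roleMap concrete, here is an added example (not the PureWeb server's own code, and not the provider bean, which is not shown on this page) that walks through the lookup the provider performs: find the user's entry under userSearchBase, find the groups under groupSearchBase that list that user, and translate only the mapped groups into PureWeb roles. The directory entries, the group names and the `{0}` placeholder in the filters are constructed for the example; a group that has no roleMap entry contributes no role, so a user whose only groups are unmapped ends up with no PureWeb access at all.

```python
import re

# Constructed in-memory stand-in for an LDAP directory: DN -> attributes.
# The group names and users are sample values, not a real deployment.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob"},
    "cn=pw-admins,ou=groups,dc=example,dc=com": {
        "cn": "pw-admins",
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=pw-users,ou=groups,dc=example,dc=com": {
        "cn": "pw-users",
        "member": [
            "uid=alice,ou=people,dc=example,dc=com",
            "uid=bob,ou=people,dc=example,dc=com",
        ],
    },
    # A group that exists in the directory but is deliberately NOT mapped.
    "cn=finance,ou=groups,dc=example,dc=com": {
        "cn": "finance",
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}

# Sample values for the provider properties listed in the table above.
# "{0}" is assumed to be the placeholder the filters substitute with the
# user name (userSearchFilter) or the user's DN (groupSearchFilter).
CONFIG = {
    "userSearchBase": "ou=people,dc=example,dc=com",
    "userSearchFilter": "(uid={0})",
    "groupSearchBase": "ou=groups,dc=example,dc=com",
    "groupSearchFilter": "(member={0})",
    "roleMap": {
        "pw-admins": "ROLE_PUREWEB_SERVER_ADMIN",
        "pw-users": "ROLE_PUREWEB_USER",
    },
}

_FILTER = re.compile(r"^\((\w+)=\{0\}\)$")


def _filter_attribute(filter_expr):
    """Return the attribute name of a simple '(attr={0})' filter."""
    match = _FILTER.match(filter_expr)
    if not match:
        raise ValueError("unsupported filter: %s" % filter_expr)
    return match.group(1)


def _under(base, dn):
    """True when the entry DN sits below the search base."""
    return dn.endswith("," + base)


def find_user_dn(username, config=CONFIG, directory=DIRECTORY):
    """Locate the user's DN under userSearchBase, or None if absent."""
    attr = _filter_attribute(config["userSearchFilter"])
    for dn, attrs in directory.items():
        if _under(config["userSearchBase"], dn) and attrs.get(attr) == username:
            return dn
    return None


def find_group_names(user_dn, config=CONFIG, directory=DIRECTORY):
    """Names (cn) of groups under groupSearchBase whose filter attribute lists the user DN."""
    attr = _filter_attribute(config["groupSearchFilter"])
    names = []
    for dn, attrs in directory.items():
        if _under(config["groupSearchBase"], dn) and user_dn in attrs.get(attr, []):
            names.append(attrs["cn"])
    return sorted(names)


def resolve_roles(username, config=CONFIG, directory=DIRECTORY):
    """PureWeb roles for a user: only groups present in roleMap grant anything."""
    user_dn = find_user_dn(username, config, directory)
    if user_dn is None:
        raise LookupError("no entry for user %r" % username)
    role_map = config["roleMap"]
    roles = {role_map[g] for g in find_group_names(user_dn, config, directory) if g in role_map}
    return sorted(roles)


def login_permitted(username, config=CONFIG, directory=DIRECTORY):
    """A user with no mapped role has no PureWeb access, even if the bind succeeds."""
    try:
        return bool(resolve_roles(username, config, directory))
    except LookupError:
        return False


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, login_permitted(name), resolve_roles(name) if login_permitted(name) else [])
```

Running the block prints alice with both roles, bob with ROLE_PUREWEB_USER only (the unmapped finance group is ignored), and carol, who has no directory entry, as not permitted.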

Controlling access to applications

Using the PureWeb server, you can restrict access to pages by editing the security policies found in the pureweb-context.xml file. These policies are based on security roles.

You can navigate to this configuration file in two ways:

  • Go to the server's Configuration page. Scroll down the page until you see that file's name as a link. Click the link to open the file for editing in the browser.
  • Open the file directly in a text editor. Its location in the server directory is as follows:
    [installed_directory]\Server\webapp\WEB-INF\pureweb-context.xml

Once the file is open:

  1. Edit the values of the intercept-url pattern and access elements. For example:

    <s:intercept-url pattern="/pureweb/app/**" access="hasRole('ROLE_PUREWEB_USER')"/>

  2. Click Save to commit the changes.
  3. Close the file.
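Because each intercept-url element pairs an Ant-style path pattern with an access expression, and the elements are evaluated in the order they appear in the file with the first matching pattern deciding, the order of the rules matters as much as their content. The following added example (not PureWeb's or Spring Security's code) models that evaluation so you can check a proposed rule set offline: it matches a request path against the patterns, evaluates hasRole, hasAnyRole, permitAll and denyAll against the user's roles, and reports which rule decided. The paths other than /pureweb/app/** and the rule set itself are constructed for the example; it also shows how a broad permitAll placed first silently shadows a stricter rule below it.

```python
import re

# Constructed rule set in the shape of the page's intercept-url example.
# Only "/pureweb/app/**" comes from the page; the other paths are hypothetical.
RULES = [
    ("/pureweb/config/**", "hasRole('ROLE_PUREWEB_SERVER_ADMIN')"),
    ("/pureweb/app/**", "hasRole('ROLE_PUREWEB_USER')"),
    ("/pureweb/monitor/**", "hasAnyRole('ROLE_PUREWEB_SERVER_ADMIN','ROLE_PUREWEB_SERVER_MONITOR')"),
    ("/**", "permitAll"),
]

# Same rules, but with the catch-all moved to the top: a common misconfiguration.
SHADOWED_RULES = [RULES[-1]] + RULES[:-1]


def ant_to_regex(pattern):
    """Translate an Ant-style pattern: '**' spans directories, '*' and '?' stay within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(/.*)?"          # '/a/**' also matches '/a' itself
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


_ROLE_LIST = re.compile(r"^(hasRole|hasAnyRole)\((.*)\)$")


def evaluate_access(expression, roles):
    """Evaluate the subset of Spring access expressions used in these files."""
    expression = expression.strip()
    if expression == "permitAll":
        return True
    if expression == "denyAll":
        return False
    match = _ROLE_LIST.match(expression)
    if not match:
        raise ValueError("unsupported access expression: %s" % expression)
    wanted = {r.strip().strip("'\"") for r in match.group(2).split(",")}
    return bool(wanted & set(roles))


def decide(rules, path, roles):
    """First rule whose pattern matches decides; returns (allowed, pattern)."""
    for pattern, expression in rules:
        if ant_to_regex(pattern).match(path):
            return evaluate_access(expression, roles), pattern
    return None, None   # no rule matched; the request is outside the policy


def uncovered_paths(rules, paths):
    """Audit helper: paths that no rule in the set matches at all."""
    return [p for p in paths if decide(rules, p, set())[1] is None]


if __name__ == "__main__":
    print(decide(RULES, "/pureweb/config/edit", {"ROLE_PUREWEB_USER"}))
    print(decide(SHADOWED_RULES, "/pureweb/config/edit", set()))
```

With the rules in the intended order an ordinary User is refused /pureweb/config/edit by the first rule; with the catch-all first the same request is allowed to an anonymous user because the admin rule is never reached. The uncovered_paths helper flags paths that fall through every rule, which is worth checking whenever you remove or narrow a catch-all entry.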

You must perform a reload or restart the server before server configuration or plug-in file changes take effect.

To perform a reload, navigate to the server's Configuration page and click the Reload button for the section of the page where the file is located. For example, if you edited a plug-in configuration file, click the Reload Plugins button; if you edited a logging configuration file, click the Reload Logging button; and so on.

If you edit a configuration file, the server displays a "reload required" message beside that file on the Configuration page as a reminder until the changes have been applied.