Configuration File Name | authentication-prod.yml |
---|---|
Referenced by Services | authentication |
Storage Location | Git root directory |
Parameters
Parameter | Description | Default Value |
---|---|---|
routing.defaultEntryPoint | Defines a path that will be added to the URL automatically if | '/client/index.html' |
server.servlet.session.cookie | Section of parameters for session cookie configuration. | |
same-site | Configures whether browser sessions are allowed where yuuvis® Momentum is embedded in an external web page, e.g., via iframe. Available values: | 'Lax' |
secure | Prohibits unprotected sessions. Available values: | false |
http-only | Configures whether JavaScript functionality of a browser application can access the session cookie. Available values: | 1800 |
server.servlet.session.timeout | Defines the duration for which the session between gateway and client is authorized. Specified in seconds. | 1800 |
routing.endpoints | List of services for which the AUTHENTICATION service endpoints are available. Those services can be accessed via the AUTHENTICATION service. External services can also be added here. | |
authorization.cacheUserAttributes | Available as of 2023 Autumn. If If | false |
authorization.accesses | Definition of permissions for the access to individual endpoints and sub-paths. Structured as a list of endpoints and their individual access conditions specified via the parameters Any endpoint that should be accessible via the AUTHENTICATION service has to be listed here. Syntax and examples are described in the article on the AUTHENTICATION Service. | See code block below. |
spring.session.store-type (as of 2022 Spring) | Specifies whether the user session states are stored centrally in a Redis database (value For scaling and fail-safe operation of the AUTHENTICATION service, set the value | - |
management.health.redis.enabled (as of 2022 Spring) | If For scaling and fail-safe operation of the AUTHENTICATION service, set | false |
The values for the parameters can be modified as described here.
>> Configuring Services using Profiles.
Code block (value of the authorization.accesses parameter):

```yaml
### Manage endpoints
- endpoints: /manage/**
  expose: true
- endpoints: /*/manage/**
  access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
### API endpoints
- endpoints: /api/system/**
  access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
- endpoints: /api/admin/**
  access: hasAuthority('YUUVIS_TENANT_ADMIN')
- endpoints: /api/dms/**
### Endpoints for the Swagger web client of the API gateway
- endpoints: /api/swagger-ui.html/**,/api/**/springfox-swagger-ui/**,/api/**/swagger-resources/**,/api/**/v2/api-docs/**
- endpoints: /api/swagger-ui/**,/api/swagger/v3/api-docs/**
- endpoints: /api/api/system/**
  access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
- endpoints: /api/api/admin/**
  access: hasAuthority('YUUVIS_TENANT_ADMIN')
- endpoints: /api/api/dms/**
### Web client
- endpoints: /search/**,/viewer/**,/architect/**
- endpoints: /client/**
  expose: true
### Viewer service
- endpoints: /viewer/view/**,/viewer/assets/**,/viewer/download/**
  expose: true
- endpoints: /viewer/**
### User service
- endpoints: /userservice/**
### bpm-engine
- endpoints: /bpm-engine/internal/**
  # access: denyAll
- endpoints: /bpm-engine/**
### Metrics service
- endpoints: /metricsservice/**
  access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
### api-web
- endpoints: /api-web/swagger-ui.html,/api-web/swagger-ui/**,/api-web/**/v3/api-docs/**
- endpoints: /api-web/api/resources/**,/api-web/api/users/**,/api-web/api/bpm/**,/api-web/api/dms/**
- endpoints: /api-web/api/system/**
  access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
- endpoints: /api-web/api/admin/**
  access: hasAuthority('YUUVIS_TENANT_ADMIN')
### tenant-management
- endpoints: /tenant-management/swagger-ui.html,/tenant-management/swagger-ui/**,/tenant-management/**/v3/api-docs/**
- endpoints: /tenant-management/api/system/**
  access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
- endpoints: /tenant-management/api/admin/**
  access: hasAuthority('YUUVIS_TENANT_ADMIN')
### Office 365
- endpoints: /office365/**
- endpoints: /dashlet365/**
```
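To make the effect of the authorization.accesses rules tangible, the following added example (not yuuvis code) evaluates a request path against a subset of the rules above. It assumes Ant-style matching for the endpoints patterns, first-match-wins ordering, that `expose: true` means reachable without a session, that a rule with neither `expose` nor `access` requires any authenticated session, and it only models `hasAuthority('X')` expressions; the rule subset and request paths are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Rule:
    endpoints: str                  # comma-separated Ant-style path patterns
    expose: bool = False            # assumed: true -> reachable without a session
    access: Optional[str] = None    # assumed: None -> any authenticated session suffices

def ant_to_regex(pattern: str) -> "re.Pattern":
    """Translate an Ant-style pattern: '**' spans path segments, '*' stays within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(/.*)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def matches(rule: Rule, path: str) -> bool:
    return any(ant_to_regex(p.strip()).match(path) for p in rule.endpoints.split(","))

def decide(rules: List[Rule], path: str, authorities: Optional[Set[str]]) -> str:
    """First matching rule wins (assumed); authorities=None models a request without a session."""
    for rule in rules:
        if not matches(rule, path):
            continue
        if rule.expose:
            return "allow"
        if authorities is None:
            return "deny"
        if rule.access is None:
            return "allow"
        m = re.fullmatch(r"hasAuthority\('([^']+)'\)", rule.access)
        return "allow" if m and m.group(1) in authorities else "deny"
    return "not-routed"   # endpoints not listed are not reachable via the gateway

# Subset of the rules from the code block above, constructed for this example.
RULES = [
    Rule("/manage/**", expose=True),
    Rule("/*/manage/**", access="hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')"),
    Rule("/api/admin/**", access="hasAuthority('YUUVIS_TENANT_ADMIN')"),
    Rule("/api/dms/**"),
    Rule("/client/**", expose=True),
]
```

Running `decide` over your own rule list with the authorities a tenant admin actually holds is a quick way to spot an exposed or over-privileged endpoint before deploying the configuration.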
Impacts of Cookies on the Login via Browser
The following impacts of the server.servlet.session.cookie.same-site configuration parameter (see description above) were tested with Firefox (version 113) and Google Chrome (version 113). The connection has to be protected via SSL (HTTPS protocol).
Loop here means an infinite loop of requests between the authentication service and the identity provider; it is not possible to authenticate.
System integrators or administrators have to be aware of the behavior and configure their installation according to their needs.
Value for 'same-site' | Behavior in Own Context | Behavior in Embedded Context | Comment |
---|---|---|---|
None | Firefox OK, Chrome OK | Firefox OK, Chrome OK | low CSRF protection (OWASP SameSite) |
Lax | Firefox OK, Chrome OK | Firefox Loop, Chrome loses session | default configuration |
Strict | Firefox Loop, Chrome OK | Firefox Loop, Chrome loses session | highest protection but not recommended |