authentication-prod.yml

Parameters of the configuration file used by the AUTHENTICATION service in production systems.

Characteristics

Configuration File Name:   authentication-prod.yml
Referenced by Services:    authentication
Storage Location:          Git root directory

Parameters

routing.defaultEntryPoint
  Defines a path that is appended to the URL automatically if https://<host>/ is called.
  Default value: '/client/index.html'

server.servlet.session.cookie
  Section of parameters for the session cookie configuration.
  Note: please note the impacts on the login via browser described below.

server.servlet.session.cookie.same-site
  Configures whether browser sessions are allowed where yuuvis® Momentum is embedded in an external web page, e.g., via iframe. Available values:
    • Strict - Sessions are deleted in case of external embedding or external reference. Not usable in combination with an identity provider, as the identity provider is considered an external reference.
    • Lax - Sessions are deleted in case of external embedding, e.g., via iframes.
    • None - Sessions are allowed in any context. Requires SSL (HTTPS protocol) and server.servlet.session.cookie.secure: true.
  Default value: 'Lax'

server.servlet.session.cookie.secure
  Prohibits unprotected sessions. Available values:
    • false - Sessions are allowed with and without SSL.
    • true - Sessions are allowed only with SSL.
  Default value: false

server.servlet.session.cookie.http-only
  Configures whether the JavaScript code of a browser application can access the session cookie. Available values:
    • false - Script access allowed.
    • true - Script access prohibited.

server.servlet.session.timeout
  Defines the duration for which the session between gateway and client is authorized. Specified in seconds.
  Default value: 1800
routing.endpoints
  List of services for which the AUTHENTICATION service endpoints are available. Those services can be accessed via the AUTHENTICATION service. External services can be added here as well.
  >> Accessing External Services via AUTHENTICATION Service
  Default value:
    - 'authentication'
    - 'api'
    - 'search'
    - 'client'
    - 'api-web'
    - 'tenant-management'
    - 'viewer'
    - 'architect'
    - 'custom'
    - 'userservice'
    - 'bpm-engine'
    - 'renditionrepository'
    - 'dashlet365'
    - 'office365'

authorization.cacheUserAttributes
  Available as of 2023 Autumn.
  If true, the user attributes retrieved via the GET user.info webhook are stored in a Redis cache. To reduce the header size of cluster-internal HTTP requests, the JWT then does NOT contain the user attributes authorities and abac anymore. Those attributes can be retrieved via GET /session/updateUserAttributeCache/{tenant}/{userId}.
  If false, all user attributes are stored only in the JWT and NOT in a cache.
  Default value: false
authorization.accesses
  Definition of permissions for the access to individual endpoints and sub-paths.
  Structured as a list of endpoints and their individual access conditions, specified via the parameters endpoints, access, method and expose.
  Any endpoint that should be accessible via the AUTHENTICATION service has to be listed here.
  Syntax and examples are described in the article on the AUTHENTICATION Service.
  Default value: see the code block below.

spring.session.store-type (as of 2022 Spring)
  Specifies whether the user session states are stored centrally in a Redis database (value redis) or managed by a single AUTHENTICATION service instance (if the parameter is not specified).
  For scaling and fail-safe operation of the AUTHENTICATION service, set the value redis.
  Default value: -

management.health.redis.enabled (as of 2022 Spring)
  If true, the AUTHENTICATION service checks the connection to the Redis database at regular intervals.
  For scaling and fail-safe operation of the AUTHENTICATION service, set true.
  Default value: false

The values for the parameters can be modified as described here.
>> Configuring Services using Profiles.

Default Configuration for 'authorization.accesses':
    ### Manage endpoints
      - endpoints: /manage/**
        expose: true
      - endpoints: /*/manage/**
        access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
    ### API endpoints
      - endpoints: /api/system/**
        access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
      - endpoints: /api/admin/**
        access: hasAuthority('YUUVIS_TENANT_ADMIN')
      - endpoints: /api/dms/**
    ### Endpoints for the Swagger web client of the API gateway
      - endpoints: /api/swagger-ui.html/**,/api/**/springfox-swagger-ui/**,/api/**/swagger-resources/**,/api/**/v2/api-docs/**
      - endpoints: /api/swagger-ui/**,/api/swagger/v3/api-docs/**
      - endpoints: /api/api/system/**
        access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
      - endpoints: /api/api/admin/**
        access: hasAuthority('YUUVIS_TENANT_ADMIN')
      - endpoints: /api/api/dms/**
    ### Web client
      - endpoints: /search/**,/viewer/**,/architect/**
      - endpoints: /client/**
        expose: true
    ### Viewer service
      - endpoints: /viewer/view/**,/viewer/assets/**,/viewer/download/**
        expose: true
      - endpoints: /viewer/**
    ### Userservice
      - endpoints: /userservice/**
    ### bpm-engine
      - endpoints: /bpm-engine/internal/**
        # access: denyAll
      - endpoints: /bpm-engine/**
    ### Metricsservice
      - endpoints: /metricsservice/**
        access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
    ### api-web
      - endpoints: /api-web/swagger-ui.html,/api-web/swagger-ui/**,/api-web/**/v3/api-docs/**
      - endpoints: /api-web/api/resources/**,/api-web/api/users/**,/api-web/api/bpm/**,/api-web/api/dms/**
      - endpoints: /api-web/api/system/**
        access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
      - endpoints: /api-web/api/admin/**
        access: hasAuthority('YUUVIS_TENANT_ADMIN')
    ### tenant-management
      - endpoints: /tenant-management/swagger-ui.html,/tenant-management/swagger-ui/**,/tenant-management/**/v3/api-docs/**
      - endpoints: /tenant-management/api/system/**
        access: hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')
      - endpoints: /tenant-management/api/admin/**
        access: hasAuthority('YUUVIS_TENANT_ADMIN')
    ### Office 365
      - endpoints: /office365/**
      - endpoints: /dashlet365/**
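
A small checker for this file, added here as an example and not part of yuuvis® Momentum: it flags the same-site/secure and redis store/health-check combinations described in the parameter list above, and resolves which 'authorization.accesses' entry a request path hits. It assumes the file has already been loaded into a dict by a YAML parser, a simplified Ant-style pattern semantics ('**' spans segments, '*' stays within one) and top-to-bottom first-match rule evaluation; SAMPLE_CFG is a constructed excerpt, not the page's defaults.

```python
import re

# Constructed excerpt of an authentication-prod.yml as a dict (the shape
# yaml.safe_load would produce); the values are sample values, not the page's.
SAMPLE_CFG = {
    "server": {"servlet": {"session": {
        "cookie": {"same-site": "None", "secure": False, "http-only": True}}}},
    "spring": {"session": {"store-type": "redis"}},
    "management": {"health": {"redis": {"enabled": False}}},
    "authorization": {"accesses": [
        {"endpoints": "/manage/**", "expose": True},
        {"endpoints": "/*/manage/**", "access": "hasAuthority('YUUVIS_SYSTEM_INTEGRATOR')"},
        {"endpoints": "/api/admin/**", "access": "hasAuthority('YUUVIS_TENANT_ADMIN')"},
        {"endpoints": "/api/dms/**,/search/**"},
    ]},
}

def ant_to_regex(pattern):
    """Ant-style endpoint pattern to regex (simplified assumption: '**' spans
    path segments, '*' stays inside one segment)."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def first_matching_rule(accesses, path):
    """First 'authorization.accesses' entry whose endpoints match the path.
    Top-to-bottom first-match evaluation is an assumption of this example."""
    for rule in accesses:
        for endpoint in rule["endpoints"].split(","):
            if ant_to_regex(endpoint.strip()).match(path):
                return rule
    return None

def lint_auth_config(cfg):
    """Check the parameter combinations this page calls out; returns findings."""
    findings = []
    cookie = cfg["server"]["servlet"]["session"]["cookie"]
    # same-site None requires HTTPS and server.servlet.session.cookie.secure: true
    if cookie.get("same-site", "Lax") == "None" and not cookie.get("secure", False):
        findings.append("same-site None requires server.servlet.session.cookie.secure: true")
    # http-only false lets browser scripts read the session cookie
    if cookie.get("http-only") is False:
        findings.append("http-only false: scripts can access the session cookie")
    # the page recommends the redis store together with the Redis health check
    store = cfg.get("spring", {}).get("session", {}).get("store-type")
    health = cfg.get("management", {}).get("health", {}).get("redis", {}).get("enabled", False)
    if store == "redis" and not health:
        findings.append("store-type redis without management.health.redis.enabled: true")
    return findings
```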

Impacts of Cookies on the Login via Browser

The following impacts of the server.servlet.session.cookie.same-site configuration parameter (see description above) were tested with Firefox (version 113) and Google Chrome (version 113). The connection has to be protected via SSL (HTTPS protocol).

Loop here means an infinite loop of requests between the AUTHENTICATION service and the identity provider; it is not possible to authenticate.

System integrators or administrators have to be aware of the behavior and configure their installation according to their needs.

Value for 'same-site'   Behavior in Own Context    Behavior in Embedded Context         Comment
None                    Firefox OK, Chrome OK      Firefox OK, Chrome OK                low CSRF protection (OWASP SameSite)
Lax                     Firefox OK, Chrome OK      Firefox Loop, Chrome loses session   default configuration
Strict                  Firefox Loop, Chrome OK    Firefox Loop, Chrome loses session   highest protection but not recommended