
The tia Core Status UI supports two modes of authentication:

  • Basic Authentication (default)

  • OAuth 2.0

Note: Basic Authentication is easy to configure and suitable for test systems. For production use, the following additional security measures must be taken:

  • Basic Authentication sends the username and password with every HTTP request, base64-encoded but not encrypted, so anyone on the network path can read them. The transport must therefore be TLS-encrypted (HTTPS).

  • Browsers cache Basic Authentication credentials and resend them automatically for the rest of the browser session; there is no server-side logout. When several users share a client machine, the next user may therefore be logged in with the previous user's credentials unless the browser has been closed completely.

The authentication configuration of the tia Core Status UI is an application-wide setting, see tia Core Configuration Basics.

Configuring tia Status UI for Basic Authentication

The following parameters need to be specified for basic authentication:

  • webapp.security.auth.type=basic

  • webapp.security.auth.basic.username=<username>

  • webapp.security.auth.basic.password=<password hash>

When basic authentication (the default) is used but no password is configured, the tia Core Status UI generates a random password at startup and writes it to the container logs. The password changes with every restart, and anyone who can read the logs can log in with it, so this mode is only meant for test systems.

Example:

2023-09-01 13:49:21.651 [                /                ] [W] [                main]      .k.a.s.c.SecurityConfiguration.logGeneratedPassword ( 322) : |======================================================================|
2023-09-01 13:49:21.651 [                /                ] [W] [                main]      .k.a.s.c.SecurityConfiguration.logGeneratedPassword ( 323) : | Temporary generated password for the status webapp: 5KdJZ7EKQ.p0%etp |
2023-09-01 13:49:21.651 [                /                ] [W] [                main]      .k.a.s.c.SecurityConfiguration.logGeneratedPassword ( 324) : |======================================================================|

The password hash in the configuration must be the bcrypt hash of the password; the plaintext password itself is never put into the configuration.

Example value:

$2y$10$BVN92BjOQag3b5onDKHH9OQuoRtLTlIKi7cTUPjFGVV54t/XvfShy

Hint: The value always contains $ characters, which POSIX shells (sh, bash) interpret as parameter expansion even inside double quotes: an unquoted or double-quoted $2y$10$... loses most of the hash. On Linux put the whole value in single quotes. In PowerShell single quotes are literal as well; in cmd.exe the $ character has no special meaning. In a docker compose file, write each $ as $$.

Creating a bcrypt-hash value

The Apache2 utilities provide the htpasswd tool, which can create bcrypt hashes.

Example command and output generating the hash for the string “plainpassword” (-n prints the result instead of writing a password file, -b takes the password from the command line, -B selects bcrypt, -C 10 sets the cost factor):

$ htpasswd -nbBC 10 USER plainpassword
USER:$2y$10$1J2BG6LJYImEcZVRxXn1TOs9iRKLvJvWWSf5/AE5ZOaWUlmZxQJsa

Only the part after the colon goes into the configuration; the USER: prefix belongs to htpasswd's password-file format. bcrypt hashes are salted, so every run produces a different hash for the same password, and any of them is valid. Omit -b to be prompted for the password instead of leaving it in the shell history.

Hint: On Linux systems apache2-utils can be installed with the distribution's package manager. Administrative privileges are usually required, so prefix the command with sudo.

Example command when using the apt package manager:

  • sudo apt install apache2-utils
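The following script is an added example and not part of the tia Core documentation or product. It covers the two hints above: it checks that a value is a well-formed bcrypt hash before it is put into the configuration, simulates what a POSIX shell does to an unquoted hash (so the damage is visible), and renders the value in the single-quoted and docker compose forms that survive. The configuration keys are the ones listed on this page; the username "admin" and the hash taken from the example value above are only demo input. Standard library only.

```python
"""Added example: validate a bcrypt hash for the tia Core Status UI basic
authentication setting and show how $-characters must be protected.
Not tia Core code; standard library only."""
import re
from typing import Dict, List, Optional

# bcrypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char hash>,
# 60 characters in total, alphabet ./A-Za-z0-9. htpasswd -B emits $2y$.
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# POSIX parameter expansion: $ followed by a single digit (positional
# parameter) or by a name (letter/underscore, then letters, digits, underscores).
_SHELL_PARAM_RE = re.compile(r"\$(\d|[A-Za-z_][A-Za-z0-9_]*)")

# Keys as listed on this page.
CONFIG_KEY_TYPE = "webapp.security.auth.type"
CONFIG_KEY_USER = "webapp.security.auth.basic.username"
CONFIG_KEY_HASH = "webapp.security.auth.basic.password"


def bcrypt_cost(value: str) -> int:
    """Return the cost factor of a well-formed bcrypt hash.

    Raises ValueError for anything else, which catches the usual mistakes:
    the plaintext password pasted instead of the hash, or a hash that an
    unquoted shell already mangled (see unquoted_shell_expansion)."""
    m = _BCRYPT_RE.fullmatch(value)
    if m is None:
        raise ValueError("value is not a bcrypt hash of the form $2y$NN$<53 chars>")
    cost = int(m.group(1))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} out of range 4..31")
    return cost


def is_bcrypt_hash(value: str) -> bool:
    """Boolean wrapper around bcrypt_cost for quick checks."""
    try:
        bcrypt_cost(value)
        return True
    except ValueError:
        return False


def unquoted_shell_expansion(value: str, variables: Optional[Dict[str, str]] = None) -> str:
    """Simulate what a POSIX shell makes of the value when passed unquoted or
    in double quotes: each $digit / $name is replaced by the variable's value
    (empty when unset). A simulation for illustration, not a real shell."""
    variables = variables or {}
    return _SHELL_PARAM_RE.sub(lambda m: variables.get(m.group(1), ""), value)


def shell_single_quoted(value: str) -> str:
    """Single quotes suppress all expansion in POSIX shells; an embedded
    single quote (not possible in bcrypt output) is written as '\\''."""
    return "'" + value.replace("'", "'\\''") + "'"


def compose_escaped(value: str) -> str:
    """docker compose interpolates $VAR in compose files; a literal $ is written $$."""
    return value.replace("$", "$$")


def basic_auth_settings(username: str, password_hash: str) -> List[str]:
    """Render the three application-wide settings for basic authentication
    as key=value lines, refusing anything that is not a bcrypt hash."""
    bcrypt_cost(password_hash)
    return [
        f"{CONFIG_KEY_TYPE}=basic",
        f"{CONFIG_KEY_USER}={username}",
        f"{CONFIG_KEY_HASH}={password_hash}",
    ]


if __name__ == "__main__":
    # Hash copied from the example value on this page; "admin" is demo input.
    h = "$2y$10$BVN92BjOQag3b5onDKHH9OQuoRtLTlIKi7cTUPjFGVV54t/XvfShy"
    print("cost:             ", bcrypt_cost(h))
    print("unquoted in shell ->", unquoted_shell_expansion(h))
    print("single-quoted     ->", shell_single_quoted(h))
    print("compose file      ->", compose_escaped(h))
    print("\n".join(basic_auth_settings("admin", h)))
```

Running it shows that the page's example hash, passed unquoted to a shell with no positional parameters set, collapses to y0/XvfShy: $2 and $1 are (empty) positional parameters and $BVN92...54t is read as an (unset) variable name up to the slash. The remaining fragment no longer passes the format check, which is exactly why the configuration should be validated after it has been written, not only before.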

Configuring tia Status UI for OAuth2 Authentication

The tia Core Status UI implements the OAuth2 Authorization Code Flow with PKCE (Proof Key for Code Exchange, RFC 7636).

The configuration requires:

  1. registration of the application at the OAuth2 Authorization Server, including the redirect URL used in step 2

  2. configuration of these parameters in the application-wide-settings:

  • webapp.security.auth.type=oauth2

  • webapp.security.auth.oauth2.authenticationEndpointUrl=<authorization endpoint URL of the OAuth2 server>

  • webapp.security.auth.oauth2.clientId=<OAuth2 client id>

  • webapp.security.auth.oauth2.redirectUrl=<URL of the Status UI's /info/login-callback path>
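To make the flow concrete, the following script is an added example and not tia Core's own code: it builds the browser-side leg of the Authorization Code flow with PKCE (S256) from the three parameters above and validates the redirect back to /info/login-callback. The endpoint URL, client id and host names in the demo are assumptions; the only thing taken from the page is the parameter names and the callback path. No client secret appears, which matches PKCE being used by a public client. Standard library only.

```python
"""Added example: OAuth2 Authorization Code flow with PKCE (RFC 7636, S256)
as the tia Core Status UI's settings describe it. Not tia Core code;
standard library only."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes give 43 characters, the RFC minimum.
    It never leaves the client until the token request."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authentication_endpoint_url: str, client_id: str,
                            redirect_url: str, code_verifier: str, state: str) -> str:
    """Authorization request the browser is sent to. The server remembers the
    challenge and checks it against the verifier at the token endpoint, so an
    authorization code stolen from the redirect is useless on its own."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_url,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    sep = "&" if urlparse(authentication_endpoint_url).query else "?"
    return authentication_endpoint_url + sep + urlencode(params)


def authorization_code_from_callback(callback_url: str, expected_redirect_url: str,
                                     expected_state: str) -> Optional[str]:
    """Validate the redirect back to /info/login-callback. Returns the
    authorization code, or None when the URL is not our registered redirect
    URL, carries an error or no code, or its state does not match the one we
    issued (the state check is the CSRF protection of the flow)."""
    got = urlparse(callback_url)
    want = urlparse(expected_redirect_url)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return None
    q = parse_qs(got.query)
    if q.get("state") != [expected_state]:
        return None
    if "error" in q or "code" not in q:
        return None
    return q["code"][0]


if __name__ == "__main__":
    # Assumed demo values, not real tia settings; only the parameter roles and
    # the /info/login-callback path come from the documentation.
    AUTHENTICATION_ENDPOINT_URL = "https://idp.example.com/oauth2/authorize"
    CLIENT_ID = "tia-core-status-ui"
    REDIRECT_URL = "https://tia.example.com/info/login-callback"

    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    print(build_authorization_url(AUTHENTICATION_ENDPOINT_URL, CLIENT_ID,
                                  REDIRECT_URL, verifier, state))
    # After the user authenticates, the server redirects to
    # REDIRECT_URL?code=...&state=...; the client validates it and then posts
    # grant_type=authorization_code, code, redirect_uri, client_id and
    # code_verifier to the token endpoint (token request not shown).
```

The redirect URL registered at the authorization server in step 1 must match the configured redirectUrl exactly, since the server compares the two before issuing a code; a mismatch typically surfaces as a redirect_uri error on the login page rather than in the Status UI's logs.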
