tia® Status UI Authentication

The tia® Status UI allows to two modes of authentication:

Basic Authentication (default)
OpenAuth 2.0

Note: Basic Authentication is suitable for test system and easy to configure. When considering for production usage, following additional security configurations must be taken:

Basic Authentication is not transported securely from client to server in HTTP message. For security reasons, the transport must be configured for TSL-encryption (HTTPS)
Modern browsers remember user credentials when using Basic Authentication. When multiple users sharing a client machine, login may not be properly secured.

The configuration for authentication of tia® Status UI has to be made as Application wide settings.

Configuring tia Status UI for Basic Authentication

Following parameters needs to be specified for basic authentication:

webapp.security.auth.type=basic
webapp.security.auth.basic.username=<username>
webapp.security.auth.basic.password=<password hash>

When the basic authentication (default) is used, but a password is not configured, the tia® Status UI application will generate a random password at startup which can be looked up from the container logs.

Example:

2023-09-01 13:49:21.651 [                /                ] [W] [                main]      .k.a.s.c.SecurityConfiguration.logGeneratedPassword ( 322) : |======================================================================|
2023-09-01 13:49:21.651 [                /                ] [W] [                main]      .k.a.s.c.SecurityConfiguration.logGeneratedPassword ( 323) : | Temporary generated password for the status webapp: 5KdJZ7EKQ.p0%etp |
2023-09-01 13:49:21.651 [                /                ] [W] [                main]      .k.a.s.c.SecurityConfiguration.logGeneratedPassword ( 324) : |======================================================================|

The password hash in the configuration has to be the bcrypt-hash value of the password. Read more about creating bcrypt-hashs here: Creating a bcrypt-hash value

Example value:

$2y$10$BVN92BjOQag3b5onDKHH9OQuoRtLTlIKi7cTUPjFGVV54t/XvfShy

Hint: This value always contains $-characters. When using this from command prompt in Linux or Windows environment, this character may need to be escaped or the complete string quoted (try both: single- or double-quotes).

Configuring tia® Status UI for OAuth2 Authentication

The tia® Status UI implements the OAuth2 PKCE Authorization Code Flow.

The configuration requires:

registration of the application at the OAuth2 Authorization Server
configuration of these parameters in the Application wide settings :

webapp.security.auth.type=oauth2
webapp.security.auth.oauth2.authenticationEndpointUrl=<OAuth2 endpoint URL>
webapp.security.auth.oauth2.clientId=<OAuth2 client id>
webapp.security.auth.oauth2.redirectUrl=<local URL to /info/login-callback>