JAAS

There are four types of authentication using the JAAS protocol:

• The default authentication of LumisXP, using the lumis.portal.authentication.LumisLoginModule;
• Authentication using com.sun.security.auth.module.Krb5LoginModule in Active Directory;
• Custom authentication in the database using the DatabaseLoginModule;
• Authentication using a custom LoginModule.

The LumisXP uses JAAS Login Module to perform authentication in Active Directory.

It is possible to use other login modules for authentication in LumisXP. For example, if user information is in an external database, simply implement a Login Module that accesses the table with the information and configure the lumisdata/config/lumissecuritylogin.config to use your custom module.

Below is an example of Login Module configuration.

LumisPortal { lumis.portal.authentication.LumisLoginModule sufficient debug=true; com.sun.security.auth.module.Krb5LoginModule sufficient debug=true; mydomain.authentication.DatabaseLoginModule sufficient debug=true table=test_users loginColumn=login passwordColumn=password; };

Active Directory

To delegate authentication to Active Directory, just change the following files:

• lumisdata/config/lumisportalconfig.xml: Uncomment the configuration for kerberos that defines which file will be used by JAAS: <security> <!-- Uncomment to configure a HTTP authenticator. See LumisXP documentation for details about included authenticators. <httpAuthenticator className="lumis.portal.authentication.http.SpnegoAuthenticator" ></httpAuthenticator> --> <!-- Uncomment to configure Kerberos Authentication Protocol. See LumisXP documentation for details. <kerberos> <configurationFile>security/krb5.conf</configurationFile> </kerberos> --> </security> <!-- Uncomment to specify a custom security alias. <securityAlias></securityAlias> -->

  The tag <securityAlias> allows specifying another alias to replace the default "LumisPortal", which in the case of Tomcat, is specified in the file lumisdata/config/lumissecuritylogin.config.

• lumisdata/config/security/krb5.conf: Configuration file for the Kerberos protocol, used by JASS, which defines the properties of the system responsible for authentication.

  Assuming that the domain name is mydomain.net and the server name of the AD is server01, the file would look like this:

  [domain_realm] mydomain.net = MYDOMAIN.NET [libdefaults] default_realm = MYDOMAIN.NET dns_lookup_kdc = true [realms] MYDOMAIN.NET = { admin_server = server01 default_domain = MYDOMAIN.NET kdc = server01 }

• lumisdata/config/lumissecuritylogin.config: Include the login module Krb5LoginModule for authentication with the Kerberos protocol:

  LumisPortal { com.sun.security.auth.module.Krb5LoginModule sufficient debug=true; lumis.portal.authentication.LumisLoginModule sufficient debug=true; };

  This configuration is for Lumis to try to log in with the AD first and, if authentication is not successful, try the default authentication in the LumisXP database.