
Overview

Some AIE modules include Web-based user interfaces, known as "Webapps." AIE can be configured to restrict Webapps to authorized users, or to a narrower group of users who participate in a specific "role." A default authentication provider can be configured for all webapps, or each AIE Webapp can be configured differently with a specific authentication provider. 

HTTP Basic Authentication and HTTPS Encryption

AIE uses HTTP Basic Authentication to send user passwords across the network. HTTP Basic Authentication does not adequately protect passwords from interception, so Attivio recommends also configuring webapps to use HTTPS with any form of user authentication.

Some applications, like Business Center, always require authentication and are configured to request AIE Administrator credentials by default. Authentication providers can be used to add additional user access as well.

 


Authentication Provider

AIE supports multiple types of Authentication Providers to authenticate users and return their group membership.  The most commonly used authentication providers are the Active Directory Authentication Provider and the XML Authentication Provider.  Once an authentication provider is configured, it can be set as a default for all webapps, or it can be set individually on specific webapps. 

Default Authentication Provider

The easiest way to configure authentication for all AIE webapps as well as AIE-SQL is to specify the default-authentication-provider element in the <project-dir>\conf\configuration.xml configuration as follows, with the appropriate authentication provider bean name:

conf/configuration.xml
<configuration>    
 ...
 <security ...>
   <default-authentication-provider authentication-provider-ref="myAuthProviderBeanName"/>
 </security>
</configuration>

Enabling this setting will enable authentication on all of the following:

  • All web pages (Webapp Authentication)
  • AIE-SQL
  • Java APIs (JMX Authentication)

Authentication WILL NOT be enabled on the following:

  • Endpoint Authentication (see the Endpoint Authentication documentation for instructions on how to enable it)


Per-Webapp Authentication Provider

If the default-authentication-provider is not specified, or if a different authentication provider is desired on individual webapps, then it can be configured directly using the deployWebapp feature. Look in the <project-dir>\conf\features\core directory for files that begin with DeployWebapp.  For instance, most projects contain a DeployWebapp.-adminui.xml file:

<project-dir>\conf\features\core\DeployWebapp.-adminui.xml
<f:deployWebapp context-path="/adminui" directory="webapps/adminui" enabled="true" featureNameSource="contextPath" nodeset="*"/>

To enable authentication, add the authentication-provider-ref attribute to this line with the name of the authentication provider bean.  

<project-dir>\conf\features\core\DeployWebapp.-adminui.xml
<f:deployWebapp context-path="/adminui" directory="webapps/adminui" enabled="true" featureNameSource="contextPath"
   nodeset="*" authentication-provider-ref="myAuthProviderBeanNameForAdminUI"/>

AIE Administrators

By default, AIE creates one root user called aieadmin with password "attivio". This user has access to all parts of AIE and can be used for administrative webapp login. See AIE Administrative Users for more information on this user.

Webapp Security Changes 

When authentication configuration changes occur, they will be active only after deploying and restarting AIE.

How to Log Off

Note that AIE will block access to the Webapp until it receives a legitimate user/password credential. From that point on, the Webapp will remain available in that browser without further authentication. To "log off" and reset the password challenge, exit from the browser. When you reopen the browser, you will be challenged for the password again.

Webapp Access Restrictions by Role

Role elements can be added to the deployWebapp feature to restrict access to users who belong to a specific user group. The Active Directory Authentication Provider and the XML Authentication Provider automatically convert user groups into roles. In the following example, only users who are members of the Administrators group have access to the admin interface.

<f:deployWebapp directory="webapps/admin" context-path="/admin" nodeset="*" authentication-provider-ref="defaultAuthenticationProvider">
  <f:role name="Administrators"/>
</f:deployWebapp>

Role Name

Note that the "role" is the group id, which is the first half of a typical group name. The fully-qualified group name might be "Administrators@attivio," but the corresponding role name would be "Administrators" alone.
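A configuration check covering the default provider, the per-webapp provider and the role rules described above. It is an added example, not Attivio code: it reports each deployWebapp element that ends up with no authentication provider, with no role restriction, or with a fully-qualified group name used as a role. The sample XML, the <features> wrapper, the namespace URI and the function names are constructed for illustration; treating a missing enabled attribute as enabled and flagging "@" in a role name are assumptions of this check.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs. The namespace URI is a placeholder, not Attivio's.
NS = 'xmlns:f="urn:example:aie-features"'
SAMPLE_CONFIGURATION = "<configuration><security/></configuration>"
SAMPLE_FEATURES = {
    "DeployWebapp.-adminui.xml":
        f'<features {NS}><f:deployWebapp context-path="/adminui" '
        'directory="webapps/adminui" enabled="true" nodeset="*"/></features>',
    "DeployWebapp.-admin.xml":
        f'<features {NS}><f:deployWebapp context-path="/admin" nodeset="*" '
        'authentication-provider-ref="defaultAuthenticationProvider">'
        '<f:role name="Administrators@attivio"/></f:deployWebapp></features>',
}

def local(tag):
    """Strip any '{namespace}' prefix so matching works whatever URI 'f:' maps to."""
    return tag.rsplit("}", 1)[-1]

def default_provider(configuration_xml):
    """Return the bean name set by <default-authentication-provider>, or None."""
    for el in ET.fromstring(configuration_xml).iter():
        if local(el.tag) == "default-authentication-provider":
            return el.get("authentication-provider-ref")
    return None

def audit(configuration_xml, feature_files):
    """Return (file, context-path, finding) tuples for deployed webapps."""
    default = default_provider(configuration_xml)
    findings = []
    for name, xml_text in sorted(feature_files.items()):
        for el in ET.fromstring(xml_text).iter():
            # Assumption: a webapp is deployed unless enabled="false" is set.
            if local(el.tag) != "deployWebapp" or el.get("enabled") == "false":
                continue
            path = el.get("context-path")
            provider = el.get("authentication-provider-ref") or default
            roles = [r.get("name", "") for r in el if local(r.tag) == "role"]
            if provider is None:
                findings.append((name, path, "no authentication provider"))
            elif not roles:
                findings.append((name, path, "any authenticated user (no role)"))
            for role in roles:
                if "@" in role:  # the role is the group id only (see Role Name)
                    findings.append((name, path, f"role '{role}' should be '{role.split('@')[0]}'"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGURATION, SAMPLE_FEATURES):
        print(*finding, sep=": ")
```

To run it against a real project, read <project-dir>\conf\configuration.xml and the DeployWebapp* files under <project-dir>\conf\features\core into the two arguments of audit().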

Role-Based Authorizations for Business Center

Extra role-based authorization is required for some AIE webapps, like Business Center. For details, see Manage Attivio and Business Center Users.

Users and groups used by Role-Based security must be ingested into the aieprincipals index (see User and Group Sources (Principals)).

Enabling SSL for Encrypted HTTPS Webapps

See Enabling SSL HTTPS for AIE Web Applications for configuring webapps to encrypt traffic using HTTPS.


 
