Security Settings
Authentication type
Form authentication means the application shows username and password input boxes on its login page to collect the credentials. The username and password are sent in plain text. Basic authentication (or HTTP authentication) means the browser's own popup window collects the username and password. The browser then sends them, base64-encoded (which is an encoding, not encryption), in the HTTP Authorization header of its requests. For more information on the authentication standard, see http://www.w3.org/TR/NOTE-authentform. In general, form authentication over SSL is recommended (usually seen as https:// in the browser's address bar).
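As an added illustration of why SSL is recommended (this code is not part of the original page or the application): the Basic credential produced by the browser's popup is only base64-encoded, and the same few lines that build it can reverse it without any key. The username, password and header value below are constructed for the demonstration.

```python
import base64
import binascii
from typing import Optional, Tuple


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends after the Basic
    authentication popup: "user:password", base64-encoded (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover the credentials from a Basic Authorization header value.

    Base64 is an encoding, not encryption, so this needs no key: anyone
    who can read the request on the wire can read the password. Returns
    None for anything that is not a well-formed Basic credential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # A password may itself contain ':', so split only on the first one.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


if __name__ == "__main__":
    # Constructed credentials; nothing here comes from a real system.
    header = encode_basic("alice", "s3cret")
    print("what the browser sends:", header)
    print("what an observer recovers:", decode_basic(header))
```

Form authentication without SSL is no better in this respect, since the POSTed password is readable as-is; the recommendation to use https:// applies to both authentication types.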
Authentication method
There are three modes in which the application can authenticate:

Database - This refers to the user accounts (username/password) stored in the kwokdb database.

LDAP - If you want to authenticate against an LDAP server (such as Microsoft's Active Directory), have the following ready. The way authentication works is that the application makes a call to the LDAP server with the username and password you provide on the login page. If you have a Windows machine running somewhere, you may have noticed that to log on to it you need to enter "Username", "Password" and "Logon to". The same concept applies here: say your company's domain name is "example.com" and you have a user called "ldap-test" in your Active Directory; you will then need to create a user in the app with the username "ldap-test@example.com". You may have seen another username format, such as "example\ldap-test".

Database + LDAP - Users can log in using either database or LDAP authentication.

Sample case: suppose there is an app user test@yourdomain.com with password "password1", and there is also an LDAP user test@yourdomain.com with password "password2".
When the authentication method is "Database", test@yourdomain.com + password1 is valid and test@yourdomain.com + password2 is invalid.
When it is "LDAP", test@yourdomain.com + password1 is invalid and test@yourdomain.com + password2 is valid.
When it is "Database + LDAP", both test@yourdomain.com + password1 and test@yourdomain.com + password2 are valid.

Domain
The domain field simplifies the username that users would otherwise have to type in the login form's username field. For example, instead of typing the username "ldap-test@example.com", if the "Domain" field is set to "example.com", the ldap-test user can type just "ldap-test" in the username field.

LDAP security principal
This is an optional field. It allows building a more complicated security principal such as uid=${USERNAME},ou=IT,dc=example,dc=com, where ${USERNAME} is replaced with the actual username during login. If you use Active Directory, you can leave this field empty.

Reset Settings
Based on user feedback, LDAP authentication is quite hard to figure out. Only try it if you are patient enough.
If your app users cannot be authenticated by the LDAP server because the configuration is not correct or the LDAP server is not available, you can switch back to database authentication by manually editing the system_config table: reset the config_value column to "app" for the row where config_key="auth.authenticationMethod".

update system_config set config_value='app' where config_key='auth.authenticationMethod';

To empty out the domain drop-down list:

update system_config set config_value='' where config_key='auth.domain';

Then restart your Tomcat server for the changes to take effect.
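The Authentication method, Domain and LDAP security principal settings described above, modelled in Python as an added example. This is not the application's own code: the two in-memory user tables reproduce the page's sample case, the LDAP bind is a stand-in for the call the application makes to the LDAP server, trying the database before LDAP in "Database + LDAP" mode is an assumption (the page only says either login is valid), and escaping the username before substituting it into the ${USERNAME} template is added here as good practice, not something the page says the application does.

```python
import re
from typing import Dict, Optional

# Mode names exactly as they appear on the settings page.
DATABASE = "Database"
LDAP = "LDAP"
DATABASE_PLUS_LDAP = "Database + LDAP"

# Constructed sample data matching the page's sample case: the same
# username exists in both stores with a different password in each.
APP_USERS: Dict[str, str] = {"test@yourdomain.com": "password1"}
LDAP_USERS: Dict[str, str] = {"test@yourdomain.com": "password2"}

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514 section 2.4).
_DN_SPECIAL = re.compile(r'([\\,+"<>;])')


def escape_dn_value(value: str) -> str:
    """Escape a username before it is substituted into the security
    principal template, so the typed value cannot add or alter DN
    components such as the ou= or dc= parts (assumed good practice)."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def qualify_username(username: str, domain: Optional[str]) -> str:
    """Apply the Domain setting: with domain "example.com", a user who
    types "ldap-test" is treated as "ldap-test@example.com". A name that
    already contains "@" is left unchanged."""
    if domain and "@" not in username:
        return f"{username}@{domain}"
    return username


def build_principal(template: Optional[str], username: str) -> str:
    """Expand ${USERNAME} in the LDAP security principal template. With no
    template (the Active Directory case) the username itself is the
    principal presented to the server."""
    if not template:
        return username
    return template.replace("${USERNAME}", escape_dn_value(username))


def database_auth(username: str, password: str) -> bool:
    """Check against the accounts stored in the kwokdb database (sample data)."""
    return APP_USERS.get(username) == password


def ldap_bind(principal: str, password: str) -> bool:
    """Stand-in for the bind request the application sends to the LDAP
    server; a real deployment performs a simple bind with these values."""
    return LDAP_USERS.get(principal) == password


def authenticate(method: str, username: str, password: str,
                 domain: Optional[str] = None,
                 principal_template: Optional[str] = None) -> bool:
    """Decide whether a login is valid under the selected method."""
    # Reject empty passwords before any bind: many LDAP servers treat a
    # bind with an empty password as an anonymous bind that succeeds.
    if not username or not password:
        return False
    qualified = qualify_username(username, domain)
    if method == DATABASE:
        return database_auth(qualified, password)
    if method == LDAP:
        return ldap_bind(build_principal(principal_template, qualified), password)
    if method == DATABASE_PLUS_LDAP:
        # Either store may accept the login; database first is an assumption.
        return database_auth(qualified, password) or ldap_bind(
            build_principal(principal_template, qualified), password)
    raise ValueError(f"unknown authentication method: {method!r}")


if __name__ == "__main__":
    for mode in (DATABASE, LDAP, DATABASE_PLUS_LDAP):
        for pw in ("password1", "password2"):
            ok = authenticate(mode, "test@yourdomain.com", pw)
            print(f"{mode:16} test@yourdomain.com + {pw}: {'valid' if ok else 'invalid'}")
```

Running the block prints the six outcomes of the sample case. The escaping matters whenever a security principal template is configured: without it, a username containing a comma would be spliced into the DN as an extra component, so the bind would be attempted against a different entry than the one the template intends.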