Versions Compared

Comment: 'Introduction' updated

...

Excerpt

Three methods of user authentication - Shiro, LDAP and Database - along with user authorization can be implemented for the JobScheduler JOC Cockpit. A general description of the authentication and authorization is presented in the JOC Cockpit - Authentication and Authorization article. This article describes the configuration required to implement each of these three authentication methods as well as user authorization.

In the 1.11.x Releases and in Release 1.12.0 this configuration information is held in an Apache Shiro™ .ini file and is used by both the JOC Cockpit GUI and the JobScheduler Web Services API.

In Releases 1.12.1 and newer this configuration information is held in the Reporting Database and Shiro .ini files are used for importing and inspecting the configuration.

Scope

This article describes the configuration of user authentication and authorization by directly editing the shiro.ini file and is therefore directly applicable to the 1.11.x Releases and Release 1.12.0. This method of configuration can be used with all three methods of user authentication and authorization - Shiro, LDAP and Database - for these releases.

The JOC Cockpit also provides a configuration editor for authentication and user authorization, which is described in the Authentication and Authorization - Managing User Accounts article. For the 1.11.x Releases and Release 1.12.0 the functions of this editor do not cover all aspects of authentication and authorization and direct configuration of the shiro.ini file is required when LDAP and Database authentication and authorization are used. LDAP configuration is described in the LDAP Configuration article.

With Releases 1.12.1 onward, the configuration editor can be used for all aspects of authentication and authorization. In addition, the Reporting database is used for the storage of authentication instead of the shiro.ini file and the shiro.ini file is given a new function as a configuration import medium. However, the organization of the authentication and authorization configuration remains the same and the contents of this article provide a detailed insight into the Shiro configuration.

Note that with Releases 1.12.1 onward the JOC Cockpit automatically exports the authentication and authorization information from the Reporting database to a shiro.ini.active file. This file is organized identically to the shiro.ini file and is intended to provide a convenient overview of the configuration. It can also function as a backup source in the event of a loss of the database.

Updating to Release 1.12.1 and newer

Migration of an existing configuration from a shiro.ini file to the Reporting database takes place automatically as part of the update procedure. After migration the shiro.ini file is deleted and the new shiro.ini.active file generated.

This article describes the configuration of user authentication and authorization by directly editing the shiro.ini file. This method of configuration can be used with all three methods of user authentication. The JOC Cockpit also provides a configuration editor for authentication and user authorization, which is described in the Authentication and Authorization - Managing User Accounts article. Note that some direct configuration of the shiro.ini file will still be required when the configuration editor is used with LDAP authentication and when Database authentication is used.

Configuration File Structure

...

  • Passwords are written in plain text in releases 1.11.0 to 1.11.4. Passwords are hashed by default with release 1.11.5 and newer.
    • The configuration of password hashing and how to add password hashing to releases 1.11.0 to 1.11.4 are described in the [main] section below.
  • The function of individual Roles is described in more detail in the Matrix of Roles and Permissions section of the JOC Cockpit - Authentication and Authorization article. The roles are then mapped onto permissions in the [roles] section of this file (described below).
  • "As delivered" only one user/role mapping is active - root, with a default password as shown in the listing above. The other user configurations are commented out. System administrators can add and modify these configurations as required.
  • It should be clear that the default passwords should be replaced either before user profiles are activated or as soon as possible afterwards.
  • In this default configuration user names and role names are identical. This is not necessary.
  • Note that the api_user is not intended for use with the JOC Cockpit but instead for use by other applications accessing the JobScheduler Web Services.
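
An added example (not part of the JobScheduler documentation or code): a Python check that reads the [users] section of a shiro.ini file and reports which active accounts still carry a plain-text password, as is the case in releases 1.11.0 to 1.11.4. It assumes the standard Shiro `user = password, role, ...` entry layout and Shiro's `$shiro1$` hash format; the sample file content, the hash value and the function names are constructed for illustration.

```python
import re

# Hash layout assumed here: $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
SHIRO1 = re.compile(r"^\$shiro1\$[A-Za-z0-9-]+\$\d+\$[A-Za-z0-9+/=]*\$[A-Za-z0-9+/=]+$")

# Constructed sample, not the delivered JOC Cockpit file.
SAMPLE = """\
[users]
root = constructed-plain-pw, root
#administrator = constructed-plain-pw, administrator
api_user = $shiro1$SHA-512$500000$Q09OU1RSVUNURUQ=$Q09OU1RSVUNURURESUdFU1Q=, api_user

[roles]
root = constructed:permission
"""

def audit_users(ini_text):
    """Classify every active (not commented out) [users] entry."""
    findings, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or commented-out entry
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "users" or "=" not in line:
            continue
        user, _, value = line.partition("=")  # hashes may end in '=', so split once
        fields = [f.strip() for f in value.split(",")]
        password, roles = fields[0], [r for r in fields[1:] if r]
        if not password:
            state = "missing"
        elif SHIRO1.match(password):
            state = "hashed"
        else:
            state = "plaintext"
        findings[user.strip()] = {"password": state, "roles": roles}
    return findings

def plaintext_users(ini_text):
    """Names of active accounts whose password is stored unhashed."""
    return sorted(u for u, f in audit_users(ini_text).items()
                  if f["password"] == "plaintext")

if __name__ == "__main__":
    for name, info in audit_users(SAMPLE).items():
        print(f"{name}: password {info['password']}, roles {info['roles']}")
```

Commented-out entries are skipped, so the result lists only accounts that can actually log in.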

...