When logging on to the Ametys CMS application, a contributor must provide identification details. Once this information has been verified, the contributor may or may not be authorized to access the CMS.

Ametys CMS provides several ways of authenticating users. It is up to the integrator to choose the solution that best suits their needs.

To do so, the integrator must answer three questions:

  • how do contributors enter their login and password? Pop-up, form, CAS server, etc.
  • how is it checked that the login and password entered are correct?
  • how is it checked that the contributor has the right to access the application?
  1. Authentication process
    1. Credentials retrieval: choice of CredentialsProvider
      1. Automatic authentication: org.ametys.runtime.plugins.core.authentication.Defined
      2. HTTP basic authentication: org.ametys.runtime.plugins.core.authentication.Basic
      3. Connection form: org.ametys.runtime.plugins.core.authentication.FormBased
      4. Network authentication: org.ametys.runtime.plugins.core.authentication.Remote or org.ametys.runtime.plugins.core.authentication.Jcifs
      5. CAS authentication: org.ametys.runtime.plugins.core.authentication.CAS or org.ametys.runtime.plugins.core.authentication.GatewayCAS
      6. CAS + HTTP basic authentication: org.ametys.runtime.plugins.core.authentication.GatewayCASBasic
    2. The authentication manager:
      1. org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication
      2. org.ametys.runtime.plugins.core.authentication.HasRightAuthentication
      3. org.ametys.runtime.plugins.core.authentication.mixed.MixedSourceUsersManagerAuthentication
    3. Check login existence
  2. Rules of use
  3. FAQ

Authentication process

Authentication is a 3-step process:

  1. Login retrieval
    The choice of CredentialsProvider defines how the user's login and password are retrieved: pop-up, form, CAS, etc.
  2. Login authorization
    The AuthenticationManager determines how to proceed: password verification, checking that the user has at least one right, etc.
  3. Check that the login is in the contributor database
    The UsersManager manages the contributor database (how it works is described on the User management page).

The diagram below shows the authentication process, which is described in detail in the following paragraphs:


Credentials retrieval: choice of CredentialsProvider

The extension point org.ametys.runtime.authentication.CredentialsProvider allows you to define how to retrieve the login details of a user connecting to the application.

This is a simple extension point, meaning that only one implementation can be chosen.

The credentials provider is selected via the file WEB-INF/param/runtime.xml of the application (see the runtime.xml file page) or through the "Plugins and Workspace" screen available from the administration interface.

To date, the following extensions are available for this extension point:

Automatic authentication: org.ametys.runtime.plugins.core.authentication.Defined

The extension org.ametys.runtime.plugins.core.authentication.Defined defines a single "anonymous" contributor, automatically logged in.
The password is not checked in the next step.

This value is used, for example, for a demonstration if you don't want to go through the login and password stage.

To find out more
To create an automatic connection with your own contributor, please visit the Customized automatic connection page.


HTTP basic authentication: org.ametys.runtime.plugins.core.authentication.Basic

In this mode, the user is prompted for login details by the browser, via a pop-up window.

This mode requires the "realm" configuration parameter to identify the protection domain.

The password must be verified in the next step.

Connection form: org.ametys.runtime.plugins.core.authentication.FormBased

In this mode, the user provides his login and password via an HTML form. The password must be verified in the next step.

This form is used, for example, when you want to customize the login and password entry page.


Further information
To create your own login form, follow the instructions on the login form plugin page.


Network authentication: org.ametys.runtime.plugins.core.authentication.Remote or org.ametys.runtime.plugins.core.authentication.Jcifs

These extensions define network authentication. The user is authenticated by the network, so the password does not need to be verified in the next step.

These values are used with network-based authentication (SSO).

CAS authentication: org.ametys.runtime.plugins.core.authentication.CAS or org.ametys.runtime.plugins.core.authentication.GatewayCAS

These extensions enable authentication against a CAS server (Single Sign-On). The user is authenticated by the CAS server, so the password does not need to be verified in the next step.

The extension org.ametys.runtime.plugins.core.authentication.GatewayCAS enables CAS to be used in gateway mode. This implementation is reserved for the front-office application.
In this mode, the user's login is retrieved if he is already authenticated on the CAS server. Otherwise, the login screen is only displayed if the user explicitly asks to log in (Connect button). Thus, on an extranet-type site, a user authenticated on the CAS server has access to the restricted pages, while a user who is not logged in can still browse the rest of the site, without access to the restricted pages.

CAS + HTTP basic authentication: org.ametys.runtime.plugins.core.authentication.GatewayCASBasic

This extension combines CAS authentication in gateway mode with HTTP basic authentication:

  • this implementation first checks whether the user is logged on to the CAS server. If so, the password does not need to be checked in the next step.
  • if the user is not authenticated on the CAS server, the user's login credentials are requested via a pop-up window, as with HTTP basic authentication. The password must then be verified in the next step.


The authentication manager:

The extension point org.ametys.runtime.authentication.AuthenticationManager determines whether the login is authorized to connect to the application.

This is a multiple extension point: in other words, several implementations can coexist.

The AuthenticationManager instance(s) are chosen via the application's WEB-INF/param/authentication.xml file or through the "Plugins and Workspace" screen available from the administration interface.

Example of an authentication.xml file

<?xml version="1.0" encoding="UTF-8"?>
<authentications>
    <authentication>org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication</authentication>
    <authentication>org.ametys.runtime.plugins.core.authentication.HasRightAuthentication</authentication>
</authentications>

To date, the following extensions are available for this extension point:

Important
The choice of authentication manager must be consistent with the choice of CredentialsProvider. In fact, some CredentialsProviders require password verification, while others do not.
Consult the usage rules to make your choice.

org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication

The extension org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication verifies the login and password against the contributor database.

This extension should be used whenever the chosen CredentialsProvider requires verification of the login and password.

org.ametys.runtime.plugins.core.authentication.HasRightAuthentication

The extension org.ametys.runtime.plugins.core.authentication.HasRightAuthentication authorizes the user to connect to the application if and only if the user has at least one right on the application.

This value is useful when the user base is larger than the population requiring access to the CMS, for example when the user base is an LDAP directory containing all staff and students but only a limited number of staff need access to the back-office.

org.ametys.runtime.plugins.core.authentication.mixed.MixedSourceUsersManagerAuthentication

This extension is to be used only with the org.ametys.runtime.plugins.core.authentication.GatewayCASBasic credentials provider. Login credentials are only checked if the user has logged on in HTTP basic mode.


Check login existence

The last step is to check that the login exists in the contributor database (LDAP directory, SQL database, etc.).

This step is delegated to the UsersManager.

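The three steps above, chained on a tiny constructed contributor base, as an added illustration that is not Ametys code: the function interfaces, the in-memory USERS table, the right name and the rule that every configured manager must accept are assumptions of this example, while the class names in the comments are the ones documented on this page. The second Basic scenario shows what the "Important" note above warns about: a CredentialsProvider that hands over an unverified password paired with a manager chain that never checks it.

```python
"""Model of the three-step Ametys login flow described above.

Added illustration, not Ametys code: the function interfaces, the in-memory
contributor base and the right name are assumptions of this example.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed contributor base standing in for the LDAP directory or SQL
# database behind the real UsersManager: login -> password and rights.
USERS = {
    "alice": {"password": "s3cret", "rights": {"Runtime_Rights_Admin_Access"}},
    "bob": {"password": "hunter2", "rights": set()},
}


@dataclass
class Credentials:
    login: str
    # None when the CredentialsProvider authenticated the user itself
    # (Defined, Remote/Jcifs, CAS) and no password reaches the next step.
    password: Optional[str]


# Step 1: login retrieval, modeled on two kinds of CredentialsProvider.
def basic_provider(login: str, password: str) -> Credentials:
    """Basic / FormBased: the password must be verified in step 2."""
    return Credentials(login, password)


def cas_provider(login: str) -> Credentials:
    """CAS / Remote / Jcifs: the SSO server already authenticated the user."""
    return Credentials(login, None)


# Step 2: AuthenticationManager implementations.
def users_manager_authentication(creds: Credentials) -> bool:
    """UsersManagerAuthentication: login and password checked in the base."""
    user = USERS.get(creds.login)
    if user is None or creds.password is None:
        return False
    # constant-time comparison, as any password check should use
    return hmac.compare_digest(user["password"], creds.password)


def has_right_authentication(creds: Credentials) -> bool:
    """HasRightAuthentication: the user must hold at least one right."""
    user = USERS.get(creds.login)
    return user is not None and len(user["rights"]) > 0


# Step 3: UsersManager existence check.
def login_exists(creds: Credentials) -> bool:
    return creds.login in USERS


Manager = Callable[[Credentials], bool]


def authenticate(creds: Credentials, managers: List[Manager]) -> bool:
    """Assumption of this model: every configured manager must accept."""
    return all(manager(creds) for manager in managers) and login_exists(creds)


# Basic provider with a manager chain that does verify the password.
def login_basic_consistent(login: str, password: str) -> bool:
    chain = [users_manager_authentication, has_right_authentication]
    return authenticate(basic_provider(login, password), chain)


# Basic provider with HasRightAuthentication alone: the password is never
# checked, which is the inconsistency the "Important" note warns about.
def login_basic_inconsistent(login: str, password: str) -> bool:
    return authenticate(basic_provider(login, password), [has_right_authentication])


# CAS provider: no password to check, only rights and existence.
def login_cas(login: str) -> bool:
    return authenticate(cas_provider(login), [has_right_authentication])


if __name__ == "__main__":
    print("alice, right password:", login_basic_consistent("alice", "s3cret"))
    print("alice, wrong password:", login_basic_consistent("alice", "wrong"))
    print("alice, wrong password, rights only:", login_basic_inconsistent("alice", "wrong"))
    print("alice via CAS:", login_cas("alice"))
```

Run it directly to see the four outcomes; the third line is the one to look for when reviewing a deployment, since a wrong password is accepted as soon as no manager in the chain verifies it.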

Rules of use

A few rules must be observed when choosing the CredentialsProvider, AuthenticationManager and UsersManager.

The table below lists the compatibility of each extension. Each row gives a CredentialsProvider, the AuthenticationManager implementations listed for it, and the UsersManager implementations it can be used with:

  1. CredentialsProvider:
     • HTTP basic: org.ametys.runtime.plugins.core.authentication.Basic
     • Form: org.ametys.runtime.plugins.core.authentication.FormBased
     Authentication manager (AuthenticationManager):
     • org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication
     • org.ametys.runtime.plugins.core.authentication.HasRightAuthentication
     • org.ametys.runtime.plugins.core.authentication.mixed.MixedSourceUsersManagerAuthentication
     User manager (UsersManager): in the case of HTTP basic authentication or an authentication form, the user manager must be able to check the password:
     • org.ametys.runtime.plugins.core.user.CoreCredentialsAwareJdbc
     • org.ametys.runtime.plugins.core.user.CoreModifiableCredentialsAwareJdbc
     • org.ametys.runtime.plugins.core.CredentialsAwareLdap

  2. CredentialsProvider:
     • Anonymous: org.ametys.runtime.plugins.core.authentication.Defined
     Authentication manager (AuthenticationManager):
     • org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication
     • org.ametys.runtime.plugins.core.authentication.HasRightAuthentication
     • org.ametys.runtime.plugins.core.authentication.mixed.MixedSourceUsersManagerAuthentication
     User manager (UsersManager):
     • org.ametys.runtime.plugins.core.user.Static

  3. CredentialsProvider:
     • CAS authentication: org.ametys.runtime.plugins.core.authentication.CAS
     • Network authentication: org.ametys.runtime.plugins.core.authentication.Remote
     • Network authentication: org.ametys.runtime.plugins.core.authentication.Jcifs
     Authentication manager (AuthenticationManager):
     • org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication
     • org.ametys.runtime.plugins.core.authentication.HasRightAuthentication
     • org.ametys.runtime.plugins.core.authentication.mixed.MixedSourceUsersManagerAuthentication
     User manager (UsersManager): in the case of CAS or network authentication, password verification is not the responsibility of the user manager:
     • org.ametys.runtime.plugins.core.user.CoreModifiableJdbc
     • org.ametys.runtime.plugins.core.Ldap

  4. CredentialsProvider:
     • CAS or HTTP basic authentication: org.ametys.runtime.plugins.core.authentication.GatewayCASBasic
     Authentication manager (AuthenticationManager):
     • org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication
     • org.ametys.runtime.plugins.core.authentication.HasRightAuthentication
     • org.ametys.runtime.plugins.core.authentication.mixed.MixedSourceUsersManagerAuthentication
     User manager (UsersManager):
     • org.ametys.runtime.plugins.core.CredentialsAwareLdapAndJdbc
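A consistency check over a chosen CredentialsProvider, an authentication.xml file and a UsersManager, as an added example that is not an Ametys tool: the rows of the table above and the rules stated in this section (password verification required after Basic and FormBased, MixedSourceUsersManagerAuthentication reserved for GatewayCASBasic) are encoded as data, the authentication.xml format is the one shown earlier on this page, and the function names, constant names and the two sample files are choices of this example.

```python
"""Consistency check of an Ametys authentication setup against the table above.

Added example, not an Ametys tool: the compatibility rows are encoded as
data, and the function names and sample files are choices of this example.
"""
import xml.etree.ElementTree as ET
from typing import List

PKG = "org.ametys.runtime.plugins.core."

# CredentialsProviders (first column of the table).
BASIC, FORM = PKG + "authentication.Basic", PKG + "authentication.FormBased"
DEFINED = PKG + "authentication.Defined"
CAS = PKG + "authentication.CAS"
REMOTE, JCIFS = PKG + "authentication.Remote", PKG + "authentication.Jcifs"
GATEWAY_CAS_BASIC = PKG + "authentication.GatewayCASBasic"

# AuthenticationManagers (second column).
USERS_MANAGER_AUTH = PKG + "authentication.UsersManagerAuthentication"
HAS_RIGHT_AUTH = PKG + "authentication.HasRightAuthentication"
MIXED_AUTH = PKG + "authentication.mixed.MixedSourceUsersManagerAuthentication"

# Third column: UsersManagers listed for each provider, row by row.
_PASSWORD_CHECKING = {
    PKG + "user.CoreCredentialsAwareJdbc",
    PKG + "user.CoreModifiableCredentialsAwareJdbc",
    PKG + "CredentialsAwareLdap",
}
_NO_PASSWORD_CHECK = {PKG + "user.CoreModifiableJdbc", PKG + "Ldap"}
COMPATIBLE_USERS_MANAGERS = {
    BASIC: _PASSWORD_CHECKING,
    FORM: _PASSWORD_CHECKING,
    DEFINED: {PKG + "user.Static"},
    CAS: _NO_PASSWORD_CHECK,
    REMOTE: _NO_PASSWORD_CHECK,
    JCIFS: _NO_PASSWORD_CHECK,
    GATEWAY_CAS_BASIC: {PKG + "CredentialsAwareLdapAndJdbc"},
}

# Providers after which the AuthenticationManager still has to check the password.
PASSWORD_TO_VERIFY = {BASIC, FORM}


def parse_authentication_xml(text: str) -> List[str]:
    """Returns the manager class names listed in an authentication.xml file."""
    root = ET.fromstring(text)
    if root.tag != "authentications":
        raise ValueError("root element must be <authentications>")
    return [e.text.strip() for e in root.findall("authentication") if e.text]


def check_configuration(provider: str, authentication_xml: str, users_manager: str) -> List[str]:
    """Returns the rule violations found; an empty list means the setup is consistent."""
    managers = parse_authentication_xml(authentication_xml)
    if provider not in COMPATIBLE_USERS_MANAGERS:
        return ["CredentialsProvider not covered by the compatibility table: " + provider]
    problems = []
    if users_manager not in COMPATIBLE_USERS_MANAGERS[provider]:
        problems.append("UsersManager %s is not listed for %s" % (users_manager, provider))
    # Basic and FormBased hand over an unverified password: a manager must check it.
    if provider in PASSWORD_TO_VERIFY and USERS_MANAGER_AUTH not in managers:
        problems.append("password is never verified: add UsersManagerAuthentication")
    # MixedSourceUsersManagerAuthentication is reserved for GatewayCASBasic.
    if MIXED_AUTH in managers and provider != GATEWAY_CAS_BASIC:
        problems.append("MixedSourceUsersManagerAuthentication is only for GatewayCASBasic")
    if provider == GATEWAY_CAS_BASIC and MIXED_AUTH not in managers:
        problems.append("GatewayCASBasic needs MixedSourceUsersManagerAuthentication "
                        "so that HTTP basic logins get their password checked")
    return problems


# Sample file, constructed with the same content as the example earlier on the page.
PAGE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<authentications>
    <authentication>org.ametys.runtime.plugins.core.authentication.UsersManagerAuthentication</authentication>
    <authentication>org.ametys.runtime.plugins.core.authentication.HasRightAuthentication</authentication>
</authentications>"""

# Constructed file that only checks rights and never the password.
RIGHTS_ONLY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<authentications>
    <authentication>org.ametys.runtime.plugins.core.authentication.HasRightAuthentication</authentication>
</authentications>"""


if __name__ == "__main__":
    for provider, um in [(BASIC, PKG + "user.CoreCredentialsAwareJdbc"),
                         (BASIC, PKG + "user.CoreModifiableJdbc"),
                         (CAS, PKG + "Ldap")]:
        print(provider.rsplit(".", 1)[1], "+", um.rsplit(".", 1)[1], "->",
              check_configuration(provider, RIGHTS_ONLY_XML, um) or "OK")
```

Running it with the rights-only file shows the Basic combinations rejected (no password check, and for the second one a user manager that cannot check passwords) while the CAS combination passes, which is the distinction the two notes in the table draw between providers that verify the user upstream and those that do not.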

FAQ

If you encounter a problem or have a question, visit the FAQ or go to our forum in the Setup and Integration section.