Users and security configuration


 

The latest version of CartoDruid can identify the user who opens a project, using basic authentication capabilities. This makes it possible both to record in the project's database which user has modified a Feature and to establish simple access control to the project.

To do this, add a file called crtdrdSecurity.<Project Name>.xml to the config folder. The file structure is as follows:

<securityManager>
       <credentialResolver class="<classname>">
       </credentialResolver>
       <authenticationProvider class="<classname>"/>
       <userAttResolver class="<classname>"/>
</securityManager>

Once we have configured the user in the app, if we add the "USERNAME" field to any of our tables, when we create or modify an entity in said table, the user who made the modification will be automatically saved. If you have added the "USERNAME" field to the table, but the project does not have a security configuration, the field will be filled with the value "defaultUser".

There are three components involved in configuring security:

  • CredentialResolver, determines what credentials the user is going to use to identify himself.
  • AuthenticationProvider, allows you to set limitations on which users can open a project based on credentials.
  • UserAttResolver, allows locating additional user information from the credential.

 

CredentialResolver 

It establishes how we are going to obtain the user's credentials (name and password). We have several options for this:

  • BasicCredentialResolver: allows us to indicate username and password directly in the configuration file

  <credentialResolver class="BasicCredentialResolver">  
        <user>Usuario</user>
        <password>Password</password>
  </credentialResolver>

  • GoogleAccountCredentialResolver: sets the device's Gmail account as the user. Requires permissions to access contacts.

  <credentialResolver class="GoogleAccountCredentialResolver"/>

  • UserPassCredentialResolver: when the application starts, it shows a dialog for the user to enter their name and password:
     

  <credentialResolver class="UserPassCredentialResolver"/>    

 

AuthenticationProvider 

Authenticates the user to the system. At the moment we have these authentication options:

  • NoOPAuthenticationProvider: if authentication is not required.

  <authenticationProvider class="NoOPAuthenticationProvider"/>

  • TableAuthenticationProvider: Credentials are checked against data stored in a database table. The configuration would be the following:

<authenticationProvider class="TableAuthenticationProvider">
    <table>
        <bdName>bd.sqlite</bdName>
        <tableName>users</tableName>
        <idFieldName>userName</idFieldName>
        <passFieldName>password</passFieldName>
        <encryptionMode>SHA-256</encryptionMode>
    </table>
</authenticationProvider>

      

The password stored in the database must be encrypted (hashed) with the algorithm we define in encryptionMode.

In encryptionMode we can use any of the algorithms supported by Java's MessageDigest class.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#MessageDigest

 

UserAttResolver 

It is responsible for loading user attributes.

If the user's attributes are stored in a database table and we want to retrieve them, we can add this resolver to the configuration.

  • TableUserAttResolver:   

<userAttResolver class="TableUserAttResolver">
    <table>
        <bdName>bd.sqlite</bdName>
        <tableName>userAtributes</tableName>
        <idFieldName>userid</idFieldName>
        <fields>att1,att2,att3</fields>                  
    </table>            
    <condition>att1=expectedValue</condition>
</userAttResolver>
      

  • bdName: Name of the database file containing the attribute table.
  • tableName: Name of the table containing the attributes.
  • idFieldName: Name of the field by which the table will be filtered to obtain the attributes.
  • fields: List of the fields of the table, separated by ",", that are going to be loaded as attributes. If we want to add all the fields we can use "*".
  • condition (optional): Condition to check if an attribute has a certain value, in the form "AttributeName=ExpectedValue".

 

Default configuration 

If the user configuration file does not exist or one of its components is not configured, the default configuration will be as follows:

  • CredentialResolver: BasicCredentialResolver with values user="defaultUser" and password="password"
  • AuthenticationProvider: NoOPAuthenticationProvider
  • UserAttResolver: BasicUserAttResolver

 

Restrictions 

TableAuthenticationProvider can only be used together with UserPassCredentialResolver or BasicCredentialResolver: to validate credentials against a database table, the credentials must include a username and a password. With any other type of CredentialResolver, authentication is not checked against the table.
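
The fallback defaults, the resolver/provider pairing rule above and the encryptionMode setting can be checked mechanically before a project is deployed. The following is an added example, not part of CartoDruid or of the original page: the function name, the finding codes and the list of digests treated as weak are this example's own assumptions, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Digest names treated as too weak for password storage (this example's choice).
WEAK_DIGESTS = {"MD2", "MD5", "SHA-1", "SHA1"}
# Resolvers that supply a username and a password, per the Restrictions section.
USERPASS_RESOLVERS = {"UserPassCredentialResolver", "BasicCredentialResolver"}

def audit_security_config(xml_text):
    """Return sorted finding codes for the body of a crtdrdSecurity.<Project Name>.xml file."""
    root = ET.fromstring(xml_text)
    findings = set()
    cred = root.find("credentialResolver")
    auth = root.find("authenticationProvider")
    # Components that are not configured fall back to the documented defaults.
    cred_cls = cred.get("class") if cred is not None else "BasicCredentialResolver"
    auth_cls = auth.get("class") if auth is not None else "NoOPAuthenticationProvider"
    if cred is None:
        findings.add("DEFAULT_CREDENTIALS")  # user="defaultUser", password="password"
    elif cred_cls == "BasicCredentialResolver" and (cred.findtext("password") or "").strip():
        findings.add("PLAINTEXT_PASSWORD_IN_CONFIG")
    if auth_cls == "NoOPAuthenticationProvider":
        findings.add("NO_AUTHENTICATION")
    elif auth_cls == "TableAuthenticationProvider":
        # Without a username/password resolver the table is never consulted.
        if cred_cls not in USERPASS_RESOLVERS:
            findings.add("TABLE_AUTH_NOT_ENFORCED")
        mode = (auth.findtext("table/encryptionMode") or "").strip().upper()
        if not mode:
            findings.add("MISSING_ENCRYPTION_MODE")
        elif mode in WEAK_DIGESTS:
            findings.add("WEAK_DIGEST")
    return sorted(findings)

# Constructed sample: table authentication paired with a resolver that supplies no password.
MISPAIRED = """<securityManager>
  <credentialResolver class="GoogleAccountCredentialResolver"/>
  <authenticationProvider class="TableAuthenticationProvider">
    <table>
      <bdName>users.sqlite</bdName>
      <tableName>users</tableName>
      <idFieldName>username</idFieldName>
      <passFieldName>password</passFieldName>
      <encryptionMode>MD5</encryptionMode>
    </table>
  </authenticationProvider>
</securityManager>"""

if __name__ == "__main__":
    print(audit_security_config(MISPAIRED))
```

An empty `<securityManager/>` reports both the default credentials and the absence of authentication, which is the same state a project is in when the file does not exist.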

 

Configuration examples 

  • Example 1:

<securityManager>
       <credentialResolver class="UserPassCredentialResolver"/>
       <authenticationProvider class="TableAuthenticationProvider">
              <table>
                    <bdName>users.sqlite</bdName>
                    <tableName>users</tableName>
                    <idFieldName>username</idFieldName>
                    <passFieldName>pasword</passFieldName>
                    <encryptionMode>SHA-256</encryptionMode>                
              </table>            
       </authenticationProvider>   
       <userAttResolver class="TableUserAttResolver">
              <table>
                    <bdName>users.sqlite</bdName>
                    <tableName>users</tableName>
                    <idFieldName>username</idFieldName>
                    <fields>*</fields>                
              </table>                         
       </userAttResolver>
</securityManager>

Link to download the project to import into CartoDruid:  Example1.crtd

  • Example 2:

<securityManager>
       <credentialResolver class="GoogleAccountCredentialResolver"/>
       <authenticationProvider class="NoOPAuthenticationProvider"/>     
</securityManager>

Link to download the project to import into CartoDruid:  Example2.crtd