Authentication

An authorization system always requires authentication. The ImageMaster Integration Service architecture assumes that authentication is managed by outer service layers. It can be based on token mechanisms such as those suggested by WS-Security (e.g. the username token profile, the X.509 certificate token profile or the SAML token profile). Depending on the customized ImageMaster environment, the details of authentication handling will vary. In the TLS/SSL approach, the goal is to conceal sensitive information from the public by means of cryptographic protocols, which hide information such as the role or user ID carried in request headers.

Authenticator modules and SSL

By default, an ImageMaster user is authenticated with Basic Authentication using their user name and password. A user can be configured to have an SSL certificate; once a user has an associated SSL certificate, login via username and password is denied for that user, and web service access for that user requires the SSL certificate. For configuration details see chapter Basic authentication and SSL certificates in [IM ImageMaster].

Starting from version 9.9.1, ImageMaster supports a set of configurable authenticators based on an authentication module and an identity store:

  • If no authentication module is configured, only the internal database is used to check the credentials.

  • If an authentication module is active, it decides how the credentials are checked.

  • If no identity store is configured, the system tries to fall back on the authentication module.

  • If both are configured, username and password are checked with the authentication module, but the user data is finally retrieved from the identity store.
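The four resolution rules above as a small runnable model. This is an added example, not ImageMaster code: CredentialSource, authenticate and the sample users are constructed stand-ins for the internal user database, an authentication module and an identity store.

```python
import hmac
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


class CredentialSource:
    """Stand-in for any credential source (internal user database, authentication
    module such as LDAP, or identity store); constructed sample, not ImageMaster code."""

    def __init__(self, records):
        # records: username -> (password, roles); only sha256 digests are kept
        self._records = {name: (sha256(pw.encode()).hexdigest(), frozenset(roles))
                         for name, (pw, roles) in records.items()}

    def check(self, username: str, password: str) -> bool:
        rec = self._records.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(sha256(password.encode()).hexdigest(), rec[0])

    def lookup(self, username: str) -> Optional[User]:
        rec = self._records.get(username)
        return User(username, rec[1]) if rec else None


def authenticate(username, password, internal_db, auth_module=None, identity_store=None):
    """Resolve a login following the four rules listed above; None means denied."""
    # No authentication module: only the internal database checks the credentials;
    # with a module configured, the module decides.
    checker = auth_module if auth_module is not None else internal_db
    if not checker.check(username, password):
        return None
    # User data comes from the identity store when one is configured; otherwise the
    # system falls back on the authentication module (or the internal database).
    store = identity_store if identity_store is not None else checker
    return store.lookup(username)


# Constructed sample data: "alice" exists in all three sources with different
# secrets and roles, so the resolution path is visible in the returned roles.
INTERNAL_DB = CredentialSource({"alice": ("db-secret", ["reader"])})
LDAP_MODULE = CredentialSource({"alice": ("ldap-secret", ["ldap-user"]), "bob": ("bob-secret", ["writer"])})
IDENTITY_STORE = CredentialSource({"alice": ("n/a", ["archive-admin"])})  # secret unused here
```

With a module configured, the internal-database password for "alice" is rejected, and "bob", who exists only in the module, is resolved through the module until an identity store is configured that does not know him.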

The list below contains all classes that can be used as an Authenticator or Identity Store module. Both module types:

  • can be used simultaneously

  • are supported on the web client level as well as on the web service level

    In the AdminClient configuration, for example, there are separate fields for:

    • “Auth Module” and “Webservice Auth Module”

    • “Identity Store” and “Webservice Identity Store”

Each entry gives the display name, the class and a description.

Basic User Authentication
  Class: com.tsystems.ima.userlib.auth.BasicUserAuthentication
  Description: Authentication and authorization via username and password through the ImageMaster internal user database.

Basic Username Authentication
  Class: com.tsystems.ima.authenticator.BasicUsernameAuthenticator
  Description: Authentication via the username provided in the HTTP basic auth header; authorization via ImageMaster with the role specified by the JVM/system property com.tsystems.ima.client.basicusernameauthenticator.role.

JVM Option Authenticator
  Class: com.tsystems.ima.authenticator.JVMOptionAuthenticator
  Description: Authentication via the username specified by the JVM/system property com.tsystems.ima.client.jvmoptionauthenticator.username (default is useradm); authorization via ImageMaster.

LDAP Authentication
  Class: com.tsystems.ima.userlib.ldap.LdapAuthentication
  Description: Authentication and authorization via username and password through LDAP (maps the “imageMasterRole” attribute to user roles).

LDAP Group Authentication
  Class: com.tsystems.ima.userlib.ldap.LdapGroupAuthentication
  Description: Authentication and authorization via username and password through LDAP. Maps LDAP groups to user roles. This entry replaces the deprecated classes:

  • com.tsystems.ima.userlib.ldap.LdapSSOGroupAuthentication
  • com.tsystems.ima.userlib.ldap.LdapAuthenticationFallback

Secret LDAP SSO Authenticator
  Class: com.tsystems.ima.authenticator.SecretLdapSSOAuthenticator
  Description: Authentication with a secret via password manager; authorization via LDAP.

Simple LDAP Authenticator
  Class: com.tsystems.ima.authenticator.SimpleLdapAuthenticator
  Description: Authentication with username and password via LDAP; authorization via ImageMaster.

Siteminder Authenticator
  Class: com.tsystems.ima.authenticator.SiteminderAuthenticator
  Description: Authentication via SiteMinder (the user info is set in the HTTP request); authorization via ImageMaster by resolving the roles specified in the request.

Trusted User Authenticator
  Class: com.tsystems.ima.authenticator.TrustedUserAuthenticator
  Description: No authentication (the user is still resolved and therefore must exist in the ImageMaster internal user database); authorization via ImageMaster.

Windows Authenticator
  Class: com.tsystems.ima.authenticator.WindowsAuthenticator
  Description: Authentication via the username provided through HTTP basic auth or remote user headers; authorization via ImageMaster with the role specified by the JVM/system property com.tsystems.ima.client.basicusernameauthenticator.role.

Table 344: List of authenticators and identity stores