Authentication
Authenticator modules and SSL
By default, an ImageMaster user is authenticated with Basic Authentication using their user name and password. A user can be configured to have an SSL certificate, and once a user has an associated SSL certificate, the login via username and password will be denied for that user. Web service access for that user requires the SSL certificate for access. For configuration details see chapter Basic authentication and SSL certificates in [IM ImageMaster].
Starting from version 9.9.1 ImageMaster supports a set of configurable authenticators based on an authentication module and an identity store:
-
If no authentication module is configured, only the internal database is used to check the credentials.
-
If an authentication module is active, it decides about how the credentials are checked.
-
If no identity store is configured, the system tries to fall back on the authentication module.
-
If both are configured, username, and password are checked with the authentication module, but finally the user data is retrieved from the identity store.
The list below contains all classes that can be used as an Authenticator or Identity Store module. Both module types:
-
can be used simultaneously
-
are supported on web client level as well as on web service level
In the AdminClient configuration, for example, there are separate fields for:
-
“Auth Module” and “Webservice Auth Module”
-
“Identity Store” and “Webservice Identity Store”
-
|
Display name |
Class / Description |
|---|---|
|
Basic User Authentication |
com.tsystems.ima.userlib.auth.BasicUserAuthentication Authentication and authorization via username and password through ImageMaster internal user database |
|
Basic Username Authentication |
com.tsystems.ima.authenticator.BasicUsernameAuthenticator Authentication via username provided through HTTP basic auth header, authorization via ImageMaster with a role specified by JVM/system property: com.tsystems.ima.client.basicusernameauthenticator.role |
|
JVM Option Authenticator |
com.tsystems.ima.authenticator.JVMOptionAuthenticator Authorization via ImageMaster Authentication via username specified by JVM/system property: com.tsystems.ima.client.jvmoptionauthenticator.username (default is useradm) |
|
LDAP Authentication |
com.tsystems.ima.userlib.ldap.LdapAuthentication Authentication and authorization via username and password through LDAP (maps the “imageMasterRole” attribute to user roles) |
|
LDAP Group Authentication |
com.tsystems.ima.userlib.ldap.LdapGroupAuthentication Authentication and authorization via username and password through LDAP. Maps LDAP groups to user roles. This entry replaces the deprecated classes:
|
|
Secret LDAP SSO Authenticator |
com.tsystems.ima.authenticator.SecretLdapSSOAuthenticator Authentication with secret via password manager, authorization via LDAP |
|
Simple LDAP Authenticator |
com.tsystems.ima.authenticator.SimpleLdapAuthenticator Authentication with username and password via LDAP, authorization via ImageMaster |
|
Siteminder Authenticator |
com.tsystems.ima.authenticator.SiteminderAuthenticator Authentication via SiteMinder (user info is set in the HTTP request), authorization via ImageMaster by resolving the roles specified in the request |
|
Trusted User Authenticator |
com.tsystems.ima.authenticator.TrustedUserAuthenticator No authentication (although the user is still resolved and thus must exist in ImageMaster internal user database), authorization via ImageMaster |
|
Windows Authenticator |
com.tsystems.ima.authenticator.WindowsAuthenticator Authentication via username provided through HTTP basic auth or remote user headers, authorization via ImageMaster with a role specified by JVM/system property: com.tsystems.ima.client.basicusernameauthenticator.role |
|
Table 346: List of authenticators and identity stores |
|