Authentication and Authorization
InfoGlue has a very modular authentication and authorization system. The first thing to understand is the difference between authentication, which is about identifying who a user is (during login, for example), and authorization, which is about deciding what the authenticated user has the right to see or do in the system. For the latter, InfoGlue supports setting access rights at the user level, but as always it is recommended to use roles and groups for access control to avoid cumbersome maintenance.
InfoGlue supports custom modules for both authentication and authorization. By default, InfoGlue is installed with the module that uses the InfoGlue database for both. That means that when a user logs on, the default Authentication Module compares his/her login info to the cmSystemUser table and associated tables, and the InfoGlue Authorization Module then controls access rights against the cmSystemUser, cmRole and cmGroup tables. This is fine in some situations, but sometimes the organization using InfoGlue wants to reuse the users/roles/groups available in its global user directory. Many organizations also have some kind of Single Sign On system they want to use. This is why InfoGlue lets you set up references to other Authentication/Authorization modules, and even write your own if the ones shipped are not enough. These modules are included:
InfoGlue Basic Authentication / Authorization
InfoGlue itself can act as the source of authentication and authorization. This is the default setup.
SSO through CAS
Apart from the default authentication module, InfoGlue ships with a single sign-on module written to support CAS (Central Authentication Service). CAS is an open source authentication system developed by the university world. Those of you who have worked with CAS will recognize the validate-service etc. under application settings and hopefully know how to configure it. Later a more detailed example will be posted.
If InfoGlue runs inside a J2EE container, InfoGlue can be told to operate with J2EE security and accept the principal coming in from the container.
A module which can be configured against any JDBC datasource. Queries can be defined in extra security settings.
Both Authentication and Authorization can be directed to use the included LDAP-modules. They were written for integration with Active Directory but should work with many more LDAP-servers. These modules let you use users/groups and roles in InfoGlue which are fetched directly from your LDAP-directory thereby reusing that information and avoiding redundant information. The lookups are made online so there is no periodic export into InfoGlue or anything like that. In InfoGlue there is no difference between users/roles/groups coming from InfoGlue’s own user-db or from an external resource.
There are also combinations of these modules.