~~NOTRANS~~
~~Title: Configure Application Authentication~~
The default JVx application has a login screen, and the user must enter a valid username and password to authenticate. It does not offer automatic login or login with a different authentication mechanism such as OpenID, Facebook, etc.
With ProjX, it's easy to integrate a new authentication mechanism or to change the existing one.
Configure an authenticator in the application.xml of your application, for example:
com.sibvisions.apps.auth.UserPwdAuthenticator
You can configure more than one authenticator as a comma-separated list. We have ready-to-use authenticators for username/password, auto-login for returning users, online registration and NTLM.
If you need a different authenticator, simply implement com.sibvisions.apps.auth.IAuthenticator.
Our username and password authenticator contains the following code:
<code java>
public Hashtable getCredentials(ILauncher pLauncher)
{
    Hashtable htCred = new Hashtable();

    String sValue = pLauncher.getParameter("Application.Login.application");

    if (sValue != null)
    {
        htCred.put(APPLICATION, sValue);
    }

    sValue = pLauncher.getParameter("Application.Login.username");

    if (sValue != null)
    {
        htCred.put(USERNAME, sValue);
    }

    sValue = pLauncher.getParameter("Application.Login.password");

    if (sValue != null)
    {
        htCred.put(PASSWORD, sValue);
    }

    if (htCred.isEmpty() || htCred.size() == 1)
    {
        //empty: no login data available
        //1 entry: only application name is not enough;
        //         only username is not enough
        return null;
    }

    return htCred;
}
</code>
This authenticator needs some additional entries in application.xml:
jvx
welcome
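The entry-count check in the code above also returns credentials when only the application name and the username are set (two entries, no password). The following added example, which is not ProjX code, checks the required keys by name instead; the `Launcher` interface and the values of the key constants are stand-ins assumed here so that the class runs on its own.

```java
import java.util.Hashtable;
import java.util.Map;

public class StrictCredentials
{
    /** Stand-in for the launcher used on this page; only getParameter is modelled. */
    interface Launcher { String getParameter(String pName); }

    // Assumed key names: the values of the page's constants are not shown.
    static final String APPLICATION = "application";
    static final String USERNAME = "username";
    static final String PASSWORD = "password";
    /** Copies one launcher parameter into the table when it has a non-empty value. */
    static void copy(Launcher pLauncher, String pParam, String pKey, Hashtable<String, String> pCred)
    {
        String sValue = pLauncher.getParameter(pParam);
        if (sValue != null && !sValue.isEmpty())
        {
            pCred.put(pKey, sValue);
        }
    }

    /** Returns credentials only if username and password are both present, otherwise null. */
    static Hashtable<String, String> getCredentials(Launcher pLauncher)
    {
        Hashtable<String, String> htCred = new Hashtable<String, String>();
        copy(pLauncher, "Application.Login.application", APPLICATION, htCred);
        copy(pLauncher, "Application.Login.username", USERNAME, htCred);
        copy(pLauncher, "Application.Login.password", PASSWORD, htCred);
        // Check the required keys by name instead of counting entries:
        // application + username has two entries but is still not a login.
        if (!htCred.containsKey(USERNAME) || !htCred.containsKey(PASSWORD))
        {
            return null;
        }
        return htCred;
    }

    public static void main(String[] pArgs)
    {
        // Constructed sample parameters standing in for application.xml values (Java 9+ for Map.of)
        Map<String, String> mpFull = Map.of("Application.Login.username", "jvx",
                                            "Application.Login.password", "welcome");
        Map<String, String> mpNoPwd = Map.of("Application.Login.application", "demo",
                                             "Application.Login.username", "jvx");
        System.out.println("complete:    " + (getCredentials(mpFull::get) != null));
        System.out.println("no password: " + (getCredentials(mpNoPwd::get) != null));
    }
}
```

This only decides whether the client has enough data to attempt a login; the credentials themselves are still verified by the security manager.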
If you implement your own authenticator, consider whether you also need a custom security manager, because the authenticator runs on the client side only. If you configure an authenticator, ProjX tries to open a new MasterConnection and sets your "credentials" as connection properties. The security manager then checks the given credentials and authenticates the user.
In ProjX we have a security manager that allows anonymous authentication. It allows an application to show database content before a user is authenticated. It's not a security problem because the client sends an authentication request and the security manager checks if anonymous authentication is enabled. An anonymous user has no screens assigned. It only has access to the session life cycle object.