Security

Web UI - Configuring an Anonymous User Principal Name

Introduction



To submit content to the Registry, a Registry Client must have the proper credentials. One such credential is a client certificate. When submitting content using the Web UI, the client certificate may be imported into your web browser and sent to the web container over a secure connection. The Web UI uses the certificate to identify and authenticate the Client. See the Using HTTPS document for details. This is the recommended configuration for production deployments.

For developer deployments, however, there is another Web UI option that involves less configuration. You can set a property to indicate which user principal name to use for authentication. The user principal name maps to the alias of the client certificate. So, instead of each user sending their client certificate over a secure connection, the Registry will load a client certificate from the client keystore file using the principal name. The client keystore is located in this file:

${user.home}/${omar.name}/${dist.version}/jaxr-ebxml/security/keystore.jks

The omar.name and dist.version properties are set in omar/build.properties.



Note: this option is only available for Web UI deployments that do not have container-managed authentication. This kind of authentication involves the web container protecting the Web UI's resources such as its JSP pages. The container manages the authentication, and, as a result, handles the setting of the Client's principal name. Since the container sets the principal name, configuring an anonymous one is not an option.

Getting Started

To enable this option, do the following:

  1. Create a user account and its associated credentials (client certificate)

    The client certificate will be loaded by the Web UI during authentication. The easiest approach is to run the 'createTestUser' target contained in omar/build-dist.xml. The principal name (certificate alias) is set to 'testuser'. See the build.xml for how this is set via the ${testUserAlias} property.



  2. Set the following property to the certificate's alias in omar-common.properties:

    omar.security.anonymousUserPrincipalName=<certificate alias>

    In the above example, <certificate alias> is replaced by 'testuser'.



  3. Run the 'ant deploy' target.



  4. Restart your web container.



  5. When you publish content to the Registry, the Web UI will use the above property to load the client certificate from the client keystore. It will then show 'Current User: <certificate alias>' in the Web UI's banner page, replacing the default 'Current User: Registry Guest' setting for unauthenticated users. The change of the Current User is a visual way to determine that this kind of authentication was successful.
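
A pre-deployment check for the property set in step 2, added here as an example and not part of the Registry's own code: it reads omar-common.properties the way Java resolves it (comments, separators, continuations, last duplicate wins) and reports whether the developer-only anonymous principal is active. The function names, the `production` flag and the sample file contents are assumptions made for illustration.

```python
import re

PROP = "omar.security.anonymousUserPrincipalName"  # property name from the page

def load_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash continuations; last duplicate wins.
    Unicode escapes are not decoded (not needed for this check)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text, production):
    """Return (status, alias). `production` is a hypothetical flag supplied
    by the caller's build pipeline; it is not an omar setting."""
    alias = load_properties(text).get(PROP, "").strip()
    if not alias:
        return ("ok", None)      # users must present their own certificate
    if production:
        return ("fail", alias)   # developer option left in a production build
    return ("warn", alias)       # keystore certificate <alias> is loaded instead

# Constructed sample of omar-common.properties (not taken from the project).
SAMPLE = """\
# security settings
omar.security.anonymousUserPrincipalName=
! override left behind after local testing
omar.security.anonymousUserPrincipalName = testuser
"""

if __name__ == "__main__":
    for prod in (False, True):
        print("production" if prod else "developer", audit(SAMPLE, prod))
```

A "fail" result means the deployed Web UI would load the named keystore certificate for users who present none, which the page reserves for developer deployments.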