Login process configuration (fs-jaas.conf)

The file fs-jaas.conf is located in the FirstSpirit Server subdirectory conf and contains configuration settings for the login process at the FirstSpirit Server.

The configuration file fs-jaas.conf can be changed via the FirstSpirit ServerManager (see JAAS configuration) or via ServerMonitoring (see Login configuration). The changes are subsequently written into the configuration file and updated on the server. If access to the file system is available, fs-jaas.conf can also be changed directly via the configuration file. Comments commence with //.

If the configuration file fs-jaas.conf is changed via the file system, the file is automatically updated on the server (default: every 60 sec.). The server does not have to be restarted.

JAAS modules

FirstSpirit uses the Java standard JAAS (Java Authentication and Authorization Service) for user authentication. The JAAS modules on the following pages are already integrated in FirstSpirit and provide various user authentication methods (each module name starts with the prefix de.espirit.firstspirit.server.authentication., i.e. for example de.espirit.firstspirit.server.authentication.FSUserLoginModule):

General notes about the JAAS configuration

A user account is automatically transferred into the FirstSpirit system after successful authentication for all login modules. The login name is used as a unique identifier; thus ensuring the allocation of user accounts to projects in project exports.

Automatic creation of user accounts can be suppressed by adding the parameter JAAS.autoCreateUser to the fs-server.conf file and setting it to the value false: JAAS.autoCreateUser=false If the parameter is not set, the default value is true. Thus, new user accounts are automatically created if JAAS.autoCreateUser is not set.

The login modules can be allocated to the FirstSpirit components SiteArchitect, ContentCreator, Webmonitor and Access API. Symbolic names are at first chosen as an intermediate step for the allocation; these symbolic names are allocated to individual FirstSpirit components at a later date. Enter one or more login modules under each individual symbolic name in file fs-jaas.conf.

If several login modules are entered, they are processed in the specified sequence until the user has been successfully authenticated. Please note that authentication methods without password but with ticket are entered in front of those with password check. Additionally, each login module has to be allocated with the JAAS attribute optional. “Optional” means that at least one of the login modules should have executed successful authentication to permit user login at FirstSpirit. Other JAAS attributes, such as sufficient, required or requisite, should not be used for FirstSpirit, otherwise FirstSpirit-specific login attributes will not be transferred from one login module to the other. These FirstSpirit-specific login attributes are also the reason that external JAAS modules can only be used for FirstSpirit with an additional wrapper class.

The following symbolic names are used as default allocation: plain, sso, webplain, websso, system.

Allocation of the symbolic names to the individual FirstSpirit components occurs in file fs-server.conf via the parameters JAAS.*.

The default configuration as defined during installation is shown below:

JAAS=${cmsroot}/conf/fs-jaas.conf
JAAS.admin=sso
JAAS.client=sso
JAAS.system=system
JAAS.websso=websso
JAAS.webnonsso=webplain

Allocation of the FirstSpirit components to the parameter names: