Lamp Control

Implementation of a lamp control for a POS cash register system based on the Zigbee standard. Uses the Hue Bridge.

Implementation language: Lazarus with Free Pascal

Identity Services as a replacement for SHIRO

The authentication and authorization with SHIRO depends on the implementation in so-called realms. SHIRO is used in JS7 and JobScheduler. For JS7 it should be removed.

I have implemented a replacement for SHIRO that is based on Identity Services. The Identity Services provide an access token as SHIRO does. I have implemented the Identity Services:

  • SHIRO: Until it is removed completely from JS7, the SHIRO implementation is covered by an Identity Service layer.
  • JOC: This is an internal user/password authentication.
  • VAULT: Vault is an external identity access management system that provides different security systems. I have implemented the identity service for user/password and LDAP.
  • VAULT-JOC: Like VAULT but the roles are managed internally and not by VAULT policies.
  • VAULT-JOC-ACTIVE: Like VAULT-JOC but the users are managed internally and will be synchronized with the VAULT users.
  • LDAP: Using an Active Directory or OpenLDAP system for authentication and authorization. Using groups coming from LDAP and implementing a group-to-role mapping to JS7 roles.
  • LDAP-JOC: Like LDAP but the roles are managed internally and not by VAULT policies.

LDAP Group Roles Mapping

To achieve the group roles mapping on an LDAP server that does not support the memberOf option, I have implemented a group search for LDAP users in the LDAP Authorization realm to get the list of groups a user is a member of.

LDAP StartTLS

Currently I have implemented the StartTLS support for the LdapAuthorization Realm.

To achieve this I set up a 389 Directory Server on a CentOS 6.9 machine. I created a self-signed certificate, integrated it on the server and imported it into the private trust store on the client side. I enabled the StartTLS capability in the 389 Directory Server to test the StartTLS implementation.

Apache Shiro

Integration of Apache Shiro into our JobScheduler dashboard. I created a Hibernate realm and an LDAP realm and integrated them into JID. This implements both authentication (i.e. login) and authorization for certain functions. Initially, this is limited to showing or hiding certain parts of the program.

The authorization server provides authentication and authorization via REST web service calls.