Security Configuration

Security-specific configuration.

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Security Module Class Path | classPath | Additional classpath for the built-in security module or for a custom security module. | | `List<String>` | ✅ |
| Security Module Name | module | Select one of the built-in modules or enter the fully qualified class name of a custom security module (it has to implement the `org.webswing.server.services.security.api.WebswingSecurityModule` interface). Note that the class and its dependencies have to be on the classpath defined above. | INHERITED | `String` | |
| Security Module Config | config | Security module specific configuration; the type depends on the selected module. | | `AnonymWebswingSecurityModuleConfig`, `DatabaseSecurityModuleConfig`, `EmbeddedSecurityModuleConfig`, `KeycloakSecurityModuleConfig`, `LdapSecurityModuleConfig`, `OpenIDConnectSecurityModuleConfig`, `PropertySecurityModuleConfig`, `Saml2SecurityModuleConfig` | |
| Authorization Config | authorizationConfig | Define the users and roles authorized to access this application. | | `AuthorizationConfig` | |
| Security Context per Tab | securityContextPerTab | Separate security context for each browser tab. | false | `boolean` | |
| Allow Server Admin Access | allowServerAdminAccess | If the application's security module is not INHERITED, a user with admin rights authenticated against the server security context is still allowed to access this application. | true | `boolean` | |
AnonymWebswingSecurityModuleConfig

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout. If empty, the user is redirected to the login page. | | `String` | ✅ |
| Extensions | extensions | List of enabled security extensions. Use one of the built-in names or a custom class name. | | `List<String>` | |
| Random Username | randomUsername | By default every user has the id `anonym`. If true, each user gets a random username in the format `usr_XXXXXX`. | false | `Boolean` | |
DatabaseSecurityModuleConfig

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout. If empty, the user is redirected to the login page. | | `String` | ✅ |
| Extensions | extensions | List of enabled security extensions. Use one of the built-in names or a custom class name. | | `List<String>` | |
| DataSource Class | dataSourceClass | Database-specific implementation of `javax.sql.DataSource`. The jar containing this class should be available on the classpath defined by the security module. | | `String`. Values: `org.apache.derby.jdbc.ClientDataSource`, `org.firebirdsql.pool.FBSimpleDataSource`, `org.h2.jdbcx.JdbcDataSource`, `org.hsqldb.jdbc.JDBCDataSource`, `com.ibm.db2.jcc.DB2SimpleDataSource`, `com.informix.jdbcx.IfxDataSource`, `com.microsoft.sqlserver.jdbc.SQLServerDataSource`, `com.mysql.jdbc.jdbc2.optional.MysqlDataSource`, `org.mariadb.jdbc.MySQLDataSource`, `oracle.jdbc.pool.OracleDataSource`, `com.orientechnologies.orient.jdbc.OrientDataSource`, `com.impossibl.postgres.jdbc.PGDataSource`, `org.postgresql.ds.PGSimpleDataSource`, `com.sap.dbtech.jdbc.DriverSapDB`, `org.sqlite.SQLiteDataSource`, `com.sybase.jdbc4.jdbc.SybDataSource` | |
| DataSource Settings | dataSourceProperties | Java bean property names and value pairs for the DataSource class specified. | | `Map<String, String>` | |
| Authentication Query | authenticationQuery | SQL query returning the stored password (and its salt, when Salted Password Hash is enabled) for the username bound to the `?` placeholder. | `select password, password_salt from users where username = ?` | `String` | |
| User Roles Query | userRolesQuery | SQL query returning the role names of the username bound to the `?` placeholder. | `select role_name from user_roles where username = ?` | `String` | |
| Permissions Query | permissionsQuery | SQL query returning the permissions of the role name bound to the `?` placeholder. | `select permission from roles_permissions where role_name = ?` | `String` | |
| Resolve Permissions | permissionsEnabled | Whether permissions are resolved for each role using the Permissions Query. | false | `boolean` | |
| Salted Password Hash | passwordSalted | Whether the stored password hashes are salted with the salt returned by the Authentication Query. | true | `boolean` | |
| Hash Matcher Algorithm | hashAlgorithm | Hash algorithm used to match the submitted password against the stored value. NONE means no hashing is applied. | NONE | `String` | |
| Hash Iterations | hashIterations | Number of hash iterations applied. | 1 | `int` | |
| Hash Hex Encoded | hashHexEncoded | Select if the password hash is stored as a Hex value; otherwise a Base64-encoded hash is expected. | false | `boolean` | |
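
The following is an added example, not Webswing's own code: an in-memory sqlite3 model of the three default queries above and of the four hash matcher settings (hashAlgorithm, hashIterations, passwordSalted, hashHexEncoded). Table and column names are taken from the page's default queries. The page does not specify how salt, password and iterations are combined, so the example follows the Shiro-style convention hash(salt || password), re-hashing the digest (hashIterations - 1) more times; that, and storing the salt column in the same encoding as the hash, are this example's assumptions.

```python
"""Added example, not Webswing's own code: sqlite3 model of the default
DatabaseSecurityModuleConfig queries plus the hash matcher settings.
ASSUMPTION: salt/password/iteration combination is Shiro-style
hash(salt || password), re-hashed (hashIterations - 1) times; the
password_salt column uses the same encoding (hex or Base64) as the hash."""
import base64
import hashlib
import hmac
import os
import sqlite3

# Default queries exactly as listed in the configuration table above.
AUTHENTICATION_QUERY = "select password, password_salt from users where username = ?"
USER_ROLES_QUERY = "select role_name from user_roles where username = ?"
PERMISSIONS_QUERY = "select permission from roles_permissions where role_name = ?"

# Hash matcher settings keyed by config field id. The page's defaults are
# hashAlgorithm=NONE, hashIterations=1, passwordSalted=true, hashHexEncoded=false;
# a hashed configuration is used here so that the matching logic is exercised.
HASHED_SETTINGS = {
    "hashAlgorithm": "SHA-256",
    "hashIterations": 1000,
    "passwordSalted": True,
    "hashHexEncoded": False,
    "permissionsEnabled": True,
}


def encode(raw: bytes, settings: dict) -> str:
    """Hex or Base64 text, as selected by hashHexEncoded."""
    return raw.hex() if settings["hashHexEncoded"] else base64.b64encode(raw).decode("ascii")


def decode(text: str, settings: dict) -> bytes:
    return bytes.fromhex(text) if settings["hashHexEncoded"] else base64.b64decode(text)


def compute_hash(password: str, salt: bytes, settings: dict) -> str:
    """Hash a password the way the matcher settings describe (see ASSUMPTION above)."""
    if settings["hashAlgorithm"] == "NONE":
        return password  # NONE: the stored value is the plain password
    algo = settings["hashAlgorithm"].replace("-", "").lower()  # "SHA-256" -> "sha256"
    h = hashlib.new(algo)
    if settings["passwordSalted"]:
        h.update(salt)
    h.update(password.encode("utf-8"))
    digest = h.digest()
    for _ in range(settings["hashIterations"] - 1):
        digest = hashlib.new(algo, digest).digest()
    return encode(digest, settings)


def build_schema(conn: sqlite3.Connection, settings: dict) -> None:
    """Create the tables implied by the default queries and insert constructed sample rows."""
    conn.executescript("""
        create table users (username text primary key, password text, password_salt text);
        create table user_roles (username text, role_name text);
        create table roles_permissions (role_name text, permission text);
    """)
    salt = os.urandom(16)  # per-user random salt, stored next to the hash
    conn.execute("insert into users values (?, ?, ?)",
                 ("alice", compute_hash("correct horse", salt, settings), encode(salt, settings)))
    conn.executemany("insert into user_roles values (?, ?)", [("alice", "admin"), ("alice", "user")])
    conn.executemany("insert into roles_permissions values (?, ?)",
                     [("admin", "app:manage"), ("user", "app:use")])


def authenticate(conn: sqlite3.Connection, username: str, password: str, settings: dict):
    """Run the default queries for `username`; return (ok, roles, permissions)."""
    row = conn.execute(AUTHENTICATION_QUERY, (username,)).fetchone()
    if row is None:
        return False, [], []
    stored_hash, stored_salt = row
    candidate = compute_hash(password, decode(stored_salt, settings), settings)
    # constant-time comparison of the encoded values
    if not hmac.compare_digest(candidate.encode("utf-8"), stored_hash.encode("utf-8")):
        return False, [], []
    roles = sorted(r[0] for r in conn.execute(USER_ROLES_QUERY, (username,)))
    permissions = []
    if settings.get("permissionsEnabled"):  # Resolve Permissions
        for role in roles:
            permissions += [p[0] for p in conn.execute(PERMISSIONS_QUERY, (role,))]
    return True, roles, sorted(permissions)


def demo(settings: dict = HASHED_SETTINGS) -> dict:
    conn = sqlite3.connect(":memory:")
    build_schema(conn, settings)
    ok, roles, perms = authenticate(conn, "alice", "correct horse", settings)
    bad, _, _ = authenticate(conn, "alice", "wrong password", settings)
    unknown, _, _ = authenticate(conn, "nobody", "correct horse", settings)
    return {"ok": ok, "bad": bad, "unknown": unknown, "roles": roles, "permissions": perms}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` with the page's defaults (`hashAlgorithm=NONE`) makes the stored `password` column a plain-text credential, which is why a production deployment should pick a real algorithm, a per-user salt and an iteration count above 1.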
EmbeddedSecurityModuleConfig

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout. If empty, the user is redirected to the login page. | | `String` | ✅ |
| Extensions | extensions | List of enabled security extensions. Use one of the built-in names or a custom class name. | | `List<String>` | |
| Users | users | User definitions (see EmbeddedUserEntry below). | | `List<EmbeddedUserEntry>` | |
KeycloakSecurityModuleConfig

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout. If empty, the user is redirected to the login page. | | `String` | ✅ |
| Extensions | extensions | List of enabled security extensions. Use one of the built-in names or a custom class name. | | `List<String>` | |
| Keycloak URL | keycloakUrl | URL of the Keycloak server. | `https://<keycloak_host>:<_port>` | `String` | ✅ |
| Realms | realms | At least one realm is required. The first realm is the default one (see RealmEntry below). | | `List<RealmEntry>` | |
| Callback URL | callbackUrl | URL of the Webswing server where the auth token will be received. Must end with `/login`. | `https://<webswing_host>:<webswing_port>/<swing_path>/login` | `String` | ✅ |
| Client ID | clientId | Client ID / API key. | | `String` | ✅ |
| Trusted Certs File (PEM) | trustedPemFile | Trusted certificate chains used to establish the TLS connection with the OpenID server. To disable certificate validation use `DISABLED` (only for testing). | | `String` | ✅ |
| Username Attribute Name | usernameAttributeName | ID Token claim name to be used as the username. | preferred_username | `String` | ✅ |
| Roles Attribute Name | rolesAttributeName | ID Token claim name that contains the list of roles. Leave empty if not required. | | `String` | ✅ |
| Scopes | scopes | Space-separated list of scopes. Scopes are used by an application during authentication to authorize access to a user's details. Each scope returns a set of user attributes. | openid profile | `String` | ✅ |
| Attribute Mapping | attributeMapping | List of user attributes that will be stored in the session token cookie. Cookie size is limited to 4096 characters. | | `List<String>` | ✅ |
LdapSecurityModuleConfig

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout. If empty, the user is redirected to the login page. | | `String` | ✅ |
| Extensions | extensions | List of enabled security extensions. Use one of the built-in names or a custom class name. | | `List<String>` | |
| Connection URL | connectionURL | The connection URL of the LDAP server used for authentication. | | `String` | ✅ |
| Connection User | connectionUser | Optional technical account used to authenticate a user with the LDAP server. If left blank, the user is authenticated directly with LDAP. Example: `cn=admin,dc=example,dc=org` | | `String` | ✅ |
| Connection Password | connectionPassword | Optional password for the technical account of the LDAP server. If left blank, the user is authenticated directly with LDAP. | | `String` | ✅ |
| User Base DN | userBase | Base distinguished name that indicates the starting point of the search within the directory information tree. | | `String` | ✅ |
| Domain | domain | Domain part of the username. For Windows Active Directory authentication you can use the UPN format. Example: `john@example.com` | | `String` | ✅ |
| User Search Filter | userFilter | Pattern specifying the LDAP search filter to use after substitution of the username. Use `{0}` as the placeholder for the username including the domain, or `{1}` for the username without the domain. | `(&(objectClass=user)(userPrincipalName={0}))` | `String` | ✅ |
| Username Attribute Name | usernameAttributeName | Name of the attribute whose value will be used as the username. | display_name | `String` | ✅ |
| Roles Attribute Name | rolesAttributeName | Name of the attribute that contains the list of roles. Leave empty if not required. | roles | `String` | ✅ |
| Attribute Mapping | attributeMapping | List of user attributes that will be stored in the session token cookie. Cookie size is limited to 4096 characters. | | `List<String>` | ✅ |
| Search Scope | searchScope | Specifies the LDAP search scope. OBJECT_SCOPE searches only the named object: the result contains one element if it satisfies the search filter and zero elements if not. ONELEVEL_SCOPE (default) contains the objects directly in the named context that satisfy the search filter. SUBTREE_SCOPE contains the objects of the entire subtree that satisfy the search filter. | ONELEVEL_SCOPE | `SearchScope` enum. Values: `OBJECT_SCOPE`, `ONELEVEL_SCOPE`, `SUBTREE_SCOPE` | |
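
The following is an added example, not Webswing's own code: it shows how the LDAP settings above (`domain`, `userFilter` with its `{0}` and `{1}` placeholders, `userBase` and `searchScope`) turn a login name into a directory search. The page does not say whether Webswing escapes the substituted username itself; the RFC 4515 escaping here is this example's defensive choice, and the rule that a login already containing `@` keeps its own domain while a bare login gets the configured Domain appended in UPN form (the page's `john@example.com` example) is an assumption. The numeric scope values are the `javax.naming.directory.SearchControls` constants the enum names correspond to.

```python
"""Added example, not Webswing's own code: username substitution into the
LDAP userFilter, with RFC 4515 escaping (this example's choice) and the
searchScope mapping. ASSUMPTION: a login containing '@' keeps its domain,
otherwise the configured Domain is appended in UPN form."""

# javax.naming.directory.SearchControls constants behind the SearchScope enum values
SEARCH_SCOPES = {"OBJECT_SCOPE": 0, "ONELEVEL_SCOPE": 1, "SUBTREE_SCOPE": 2}

# Constructed configuration; userFilter and searchScope are the page's defaults.
DEFAULT_CONFIG = {
    "userBase": "dc=example,dc=com",
    "domain": "example.com",
    "userFilter": "(&(objectClass=user)(userPrincipalName={0}))",
    "searchScope": "ONELEVEL_SCOPE",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot open or close filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def split_domain(login: str, configured_domain: str):
    """Return (username with domain, username without domain)."""
    if "@" in login:
        return login, login.split("@", 1)[0]
    if configured_domain:
        return f"{login}@{configured_domain}", login
    return login, login


def build_user_filter(login: str, config: dict) -> str:
    """Substitute {0} (with domain) and {1} (without domain) into userFilter."""
    with_domain, without_domain = split_domain(login, config.get("domain", ""))
    return (config["userFilter"]
            .replace("{0}", escape_filter_value(with_domain))
            .replace("{1}", escape_filter_value(without_domain)))


def search_plan(login: str, config: dict) -> dict:
    """Base DN, numeric scope and filter that the configured settings define."""
    scope = config.get("searchScope", "ONELEVEL_SCOPE")
    if scope not in SEARCH_SCOPES:
        raise ValueError(f"unknown searchScope {scope!r}")
    return {"base": config["userBase"], "scope": SEARCH_SCOPES[scope],
            "filter": build_user_filter(login, config)}


if __name__ == "__main__":
    print(search_plan("john", DEFAULT_CONFIG))
    # a login containing filter metacharacters is neutralised by the escaping
    print(search_plan("john)(cn=*", DEFAULT_CONFIG))
```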
OpenIDConnectSecurityModuleConfig

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout. If empty, the user is redirected to the login page. | | `String` | ✅ |
| Extensions | extensions | List of enabled security extensions. Use one of the built-in names or a custom class name. | | `List<String>` | |
| OpenID Connect Discovery URL | importDiscoveryJson | URL of the OpenID configuration (discovery document). | `https://<keycloak_host>:<keycloak_port>/realms/<realm_name>/.well-known/openid-configuration` | `String` | ✅ |
| Callback URL | callbackUrl | URL of the Webswing server where the auth token will be received. Must end with `/login`. | `https://<webswing_host>:<webswing_port>/<swing_path>/login` | `String` | ✅ |
| Force url-encode Callback URL | forceUrlEncodeCallbackUrl | Use strict encoding of the `redirect_uri` parameter in the authentication redirect, using the application/x-www-form-urlencoded format as defined in the OAuth 2.0 specification. | false | `Boolean` | |
| Client ID | clientId | Client ID / API key. | | `String` | ✅ |
| Client Secret | clientSecret | Leave empty if not required. | | `String` | ✅ |
| Trusted Certs File (PEM) | trustedPemFile | Trusted certificate chains used to establish the TLS connection with the OpenID server. To disable certificate validation use `DISABLED` (only for testing). | | `String` | ✅ |
| Username Attribute Name | usernameAttributeName | ID Token claim name to be used as the username. | preferred_username | `String` | ✅ |
| Roles Attribute Name | rolesAttributeName | ID Token claim name that contains the list of roles. Leave empty if not required. | | `String` | ✅ |
| Scopes | scopes | Space-separated list of scopes. Scopes are used by an application during authentication to authorize access to a user's details. Each scope returns a set of user attributes. | openid profile | `String` | ✅ |
| Trusted audiences | trustedAudiences | Space-separated list of trusted audience values. The Client ID is implicitly trusted; if the ID Token contains multiple audience claims, list the additional ones here as trusted. | | `String` | ✅ |
| Attribute Mapping | attributeMapping | List of user attributes that will be stored in the session token cookie. Cookie size is limited to 4096 characters. | | `List<String>` | ✅ |
| Welcome page | welcomePage | Show a welcome page before the authentication redirect. | false | `boolean` | |
| Welcome page content | welcomePageContent | HTML content, or a file accessible from the Web Folder path only. | `Welcome to Webswing <br> <a href='{{{redirectUrl}}}' >Login</a>` | `String` | ✅ |
| Cookies | cookies | List of cookies that will be copied from the request into the Webswing user attributes. | | `List<String>` | ✅ |
| User Attributes Logging | logUserAttributes | Enables logging of all user attributes from the ID Token received from the Identity Provider. | false | `boolean` | |
| Forced Origin of Redirect URL | forcedRedirectUrlOrigin | This string replaces the origin (`<scheme>://<host>:<port>`) in the authorization redirect URL. Leave empty to use the original authorization URL from the IdP. | | `String` | ✅ |
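
The following is an added example, not Webswing's own code, covering both the Keycloak and the OpenID Connect tables above: it derives the discovery URL from a Keycloak URL and realm (the template given for `importDiscoveryJson`), applies the audience rule (`clientId` implicitly trusted, `trustedAudiences` space-separated), picks the username and roles from the configured claim names, and keeps only the `attributeMapping` subset, checking it against the 4096-character cookie limit. The ID token is a constructed, already signature-verified claim set; Webswing's real cookie format is not described on the page, so a JSON serialization stands in for it. That every audience in the token must be trusted and the client id itself must be present is this example's reading of the page's wording.

```python
"""Added example, not Webswing's own code: claim handling parameterized by the
Keycloak / OpenID Connect settings. ASSUMPTION: every audience in the token
must be trusted and clientId must be among them; the JSON cookie payload is a
stand-in for Webswing's own (undocumented here) cookie format."""
import json

COOKIE_LIMIT = 4096  # from the attributeMapping description


def discovery_url(keycloak_url: str, realm: str) -> str:
    """Template from the page: https://<host>:<port>/realms/<realm_name>/.well-known/openid-configuration"""
    return f"{keycloak_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"


def audience_ok(claims: dict, config: dict) -> bool:
    """clientId is implicitly trusted; trustedAudiences lists any additional ones."""
    trusted = {config["clientId"]} | set(config.get("trustedAudiences", "").split())
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    return config["clientId"] in audiences and all(a in trusted for a in audiences)


def build_session_attributes(claims: dict, config: dict) -> dict:
    """Derive what is kept for the session; raises ValueError when the token is rejected."""
    if not audience_ok(claims, config):
        raise ValueError("ID token audience is not trusted")
    username = claims.get(config.get("usernameAttributeName", "preferred_username"))
    if not username:
        raise ValueError("username claim missing from ID token")
    roles = []
    role_claim = config.get("rolesAttributeName")
    if role_claim:  # empty means roles are not required
        value = claims.get(role_claim, [])
        roles = [value] if isinstance(value, str) else list(value)
    # only the mapped attributes go into the session token cookie
    attributes = {name: claims[name] for name in config.get("attributeMapping", []) if name in claims}
    payload = json.dumps({"user": username, "roles": roles, "attrs": attributes})
    if len(payload) > COOKIE_LIMIT:
        raise ValueError(f"session cookie payload is {len(payload)} characters, limit is {COOKIE_LIMIT}")
    return {"username": username, "roles": roles, "attributes": attributes, "cookie_size": len(payload)}


def try_build(claims: dict, config: dict) -> dict:
    """Same as build_session_attributes but reports a rejection as {'error': reason}."""
    try:
        return build_session_attributes(claims, config)
    except ValueError as exc:
        return {"error": str(exc)}


# Constructed configuration and ID-token claims.
CONFIG = {
    "clientId": "webswing-app",
    "trustedAudiences": "account",
    "usernameAttributeName": "preferred_username",
    "rolesAttributeName": "roles",
    "attributeMapping": ["email", "given_name"],
}
CLAIMS = {
    "iss": "https://keycloak.example.com/realms/demo",
    "aud": ["webswing-app", "account"],
    "preferred_username": "alice",
    "roles": ["admin"],
    "email": "alice@example.com",
    "given_name": "Alice",
    "picture": "https://keycloak.example.com/avatars/alice.png",  # not mapped, so not stored
}

if __name__ == "__main__":
    print(discovery_url("https://keycloak.example.com:8443", "demo"))
    print(try_build(CLAIMS, CONFIG))
    print(try_build(dict(CLAIMS, aud=["webswing-app", "other-client"]), CONFIG))
```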
PropertySecurityModuleConfig

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout. If empty, the user is redirected to the login page. | | `String` | ✅ |
| Extensions | extensions | List of enabled security extensions. Use one of the built-in names or a custom class name. | | `List<String>` | |
| File | file | Path to the users properties file. User entry format: `user.<username>=<password>[,role1][,role2]` | `${webswing.rootDir}/user.properties` | `String` | ✅ |
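
The following is an added example, not Webswing's own code: a parser and login check for the `user.properties` entry format given above (`user.<username>=<password>[,role1][,role2]`). Only that entry format comes from the page; treating blank lines and lines starting with `#` or `!` as comments, and ignoring keys outside the `user.` namespace, follows Java `.properties` conventions and is an assumption.

```python
"""Added example, not Webswing's own code: parser for the user.properties
format   user.<username>=<password>[,role1][,role2]   plus a login check.
ASSUMPTION: comment/blank-line handling follows Java .properties rules.
Passwords are compared exactly as stored, so the file must be readable only by
the Webswing server account."""
import hmac
from dataclasses import dataclass, field


@dataclass
class UserEntry:
    username: str
    password: str
    roles: list = field(default_factory=list)


def parse_user_properties(text: str) -> dict:
    """Return {username: UserEntry}; raise ValueError on malformed entries."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":           # blank line or comment
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = line.split("=", 1)
        key = key.strip()
        if not key.startswith("user."):
            continue                               # some other property, ignored
        username = key[len("user."):]
        if not username:
            raise ValueError(f"line {lineno}: empty username")
        fields = [part.strip() for part in value.split(",")]
        password, roles = fields[0], [r for r in fields[1:] if r]
        if not password:
            raise ValueError(f"line {lineno}: empty password for '{username}'")
        if username in users:
            raise ValueError(f"line {lineno}: duplicate entry for '{username}'")
        users[username] = UserEntry(username, password, roles)
    return users


def check_login(users: dict, username: str, password: str, required_role: str = None) -> bool:
    """True if the credentials match and, when given, the user holds required_role."""
    entry = users.get(username)
    if entry is None:
        return False
    if not hmac.compare_digest(entry.password.encode("utf-8"), password.encode("utf-8")):
        return False
    return required_role is None or required_role in entry.roles


# Constructed sample file in the page's entry format.
SAMPLE_PROPERTIES = """\
# constructed user.properties
user.admin=s3cret,admin,user
user.viewer=view-only
user.auditor = audit-pw , auditor
other.setting=ignored
"""

if __name__ == "__main__":
    for entry in parse_user_properties(SAMPLE_PROPERTIES).values():
        print(entry)
```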
Saml2SecurityModuleConfig

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout. If empty, the user is redirected to the login page. | | `String` | ✅ |
| Extensions | extensions | List of enabled security extensions. Use one of the built-in names or a custom class name. | | `List<String>` | |
| Identity Provider Metadata URI | identityProviderMetadataFile | Local or remote URI of the identity provider metadata XML file. | | `String` | ✅ |
| Service Provider Consumer URL | serviceProviderConsumerUrl | URL that receives and verifies the SAML2 token. Should be `https://<webswing_host>:<webswing_port>/<current_app_path>/login`. The SP metadata XML is available at the same URL with the `?metadata` query parameter. | `https://<webswing_host>:<webswing_port>/<context_path>${webswing.appPath}/login` | `String` | ✅ |
| Service Provider Entity ID | serviceProviderEntityId | Identifier used when registering Webswing with the IdP. | | `String` | ✅ |
| AuthnRequests Signed | authnRequestSigned | Indicates whether the IdP expects signed AuthnRequests. The IdP needs the public key from the Key Store configured below to validate this signature. | false | `boolean` | |
| Logout Requests Signed | logoutRequestSigned | Indicates whether the IdP expects signed Logout Requests. The IdP needs the public key from the Key Store configured below to validate this signature. | false | `boolean` | |
| NameId Policy Format | nameIdPolicyFormat | The NameID format to use for the subject. | | `String`. Values: `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` | |
| Username Attribute Name | userAttributeName | Name of the SAML2 attribute defining the username. If empty, the NameID value will be used. | | `String` | ✅ |
| Roles Attribute Name | rolesAttributeName | Name of the SAML2 attribute that contains the list of roles. Leave empty if not required. | roles | `String` | ✅ |
| Attribute Mapping | attributeMapping | List of user attributes that will be stored in the session token cookie. Cookie size is limited to 4096 characters. | | `List<String>` | ✅ |
| Use Single Logout | singleLogout | Webswing will trigger the IdP logout. | true | `boolean` | |
| Key Store | keyStore | PKCS#12 or JKS key store file containing the private key used to decrypt the assertions returned by the server. If the file does not exist, it will be generated. | `${webswing.homeFolder}/saml2-generatedKeystore.jks` | `String` | ✅ |
| Key Store Alias | decryptionKeyAlias | Key alias the private key is stored under. | | `String` | ✅ |
| Key Store Password | keyStorePwd | Password to access the key store. | Change-Me! | `String` | ✅ |
| Private Key Password | keyPwd | Password to access the private key. | Change-Me! | `String` | ✅ |
| Maximum Authentication Lifetime | maximumAuthenticationLifetime | Maximum period of time, in seconds, for which the user's authentication is considered valid without re-authentication. | 28800 | `long` | ✅ |
EmbeddedUserEntry

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Username | username | Login name of the user. | | `String` | ✅ |
| Password | password | Password of the user. | | `String` | ✅ |
| Roles | roles | Roles assigned to the user. | | `List<String>` | ✅ |
RealmEntry

| Admin console label | Config field Id | Description | Default value | Type | Variable replacement |
|---|---|---|---|---|---|
| Realm Name | realm | Name of the Keycloak realm. | | `String` | ✅ |
| Client Secret | clientSecret | Leave empty if not required. | | `String` | ✅ |
| Logout URL | logoutUrl | Webswing will redirect to this URL after logout for a user logged in against this realm. | | `String` | ✅ |