TIBCO Spotfire® Server and Environment - Installation and Administration

config-external-auth

Configures the external authentication method.

config-external-auth 
[-c value | --configuration=value] 
[-b value | --bootstrap-config=value] 
[-e <true|false> | --enabled=<true|false>]
[-m value | --declared-auth-method=value]
[-a value | --request-attribute=value] 
[-r value | --request-header=value] 
[-o value | --request-cookie=value]
[-n value | --custom-authenticator-class-name=value] 
[-f <true|false> | --use-authentication-filter=<true|false>] 
[-x value | --expression=value] 
[-d <true|false> | --downcase=<true|false>] 
[-s <true|false> | --require-tls=<true|false>] 
[-h value | --allowed-hosts=value] 
{-Rvalue}
{-Ikey=value}

Overview

This command configures external authentication, which is typically used when a reverse proxy or similar component in front of the Spotfire Server handles authentication. The method can be used either as the main authentication method, as configured by the config-auth command, or as a complementary authentication method that is combined with the main method.

It is typically used as the main method when clients can access the server(s) only through a proxy or a load balancer. It is typically used as a complementary method when clients can access the server(s) both directly and through a proxy or a load balancer.

To use it as a complementary method, configure and enable the method using this command. To use it as the main authentication method, first configure and enable the method using this command, and then set it as the main method using the config-auth command.

Options

Option Optional or Required Default Value Description
-c value
--configuration=value
Optional configuration.xml The path to the server configuration file.
-b value
--bootstrap-config=value
Optional none The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file.
-e <true|false>
--enabled=<true|false>
Optional true Specifies whether the external authentication method should be enabled.
-m value
--declared-auth-method=value
Optional NTLM The authentication method that should be declared to clients when external authentication is used as the main authentication method. The following methods are supported: CLIENT_CERT, NTLM, KERBEROS, and WEB.
-a value
--request-attribute=value
Optional REMOTE_USER The name of an HTTP request attribute containing the name of the authenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive.
-r value
--request-header=value
Optional none The name of an HTTP header containing the name of the authenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive.
-o value
--request-cookie=value
Optional none The name of an HTTP cookie containing the name of the authenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive.
-n value 
--custom-authenticator-class-name=value
Optional none The name of a class implementing the com.spotfire.server.security.CustomAuthenticator interface that should be used for authentication. Initialization parameters for the Custom Authenticator may be specified using the -I argument. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive.
-f <true|false>
--use-authentication-filter=<true|false>
Optional false Specifies that the identity of the authenticated user is provided by a custom authentication filter (as the value of the getUserPrincipal() method of javax.servlet.http.HttpServletRequest).
Note: The Authentication Filter API is deprecated and will be removed in a future release; consider using a Custom Authenticator instead.
The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive.
-x value
--expression=value
Optional none A regular expression that can be used to filter the username extracted from the specified HTTP request attribute. The value of the regular expression's first capturing group will be used as the new username. A typical scenario is to extract the username from a composite name containing both username and domain name when using the "collapse domains" option.

For example, the regular expression "\S+\\(\S+)" can be used to extract the username from a value in the format "domain\username".

Make sure to enclose the specified expression in quotes and to quote all special characters that might otherwise be consumed by the command-line shell.

-d <true|false>
--downcase=<true|false>
Optional false Specifies whether the username should be converted to lower case.
-s <true|false>
--require-tls=<true|false>
Optional false Specifies whether a secure HTTPS connection is required to perform external authentication.
-h value
--allowed-hosts=value
Optional none A comma-separated list of hostnames and/or IP addresses of the client computers that are permitted to perform external authentication. If this, or at least one -R argument, is not specified, then all client computers are permitted to perform external authentication.

Because this is a potential security risk, it is strongly recommended to restrict the permissions to use this feature. Typically, this feature is locked down so that only proxies or load balancers are permitted to use it.

A scenario where all client computers can be allowed to use this feature is when a custom post-authentication filter is also in use. Then this filter would be responsible for performing the final authorization, for example by validating additional HTTP headers.

-Rvalue
Optional none A regular expression (in the syntax supported by java.util.regex.Pattern) that should match IP addresses of remote hosts that are permitted to perform external authentication. See also the --allowed-hosts argument. This argument can be specified multiple times with different values.
-Ikey=value
Optional none Specifies initialization parameters that will be provided to the Custom Authenticator when the init(Map<String, String>) method is called.

This argument can only be specified together with the --custom-authenticator-class-name argument, and may be specified multiple times with different keys.

Example: To set the Custom Authenticator initialization parameter "debug" to "true":
-Idebug=true
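
A pre-flight check for candidate --expression and -R values, as an added example that is not TIBCO's code: it applies an expression's first capturing group to sample values, and accepts a -R pattern only if it matches the intended proxy addresses in full and is not found inside any other sample address. The class and method names, the sample values, and the matching semantics are assumptions; the page does not state whether the server applies these patterns as a full match or as a substring search, so the host check requires both to agree.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ExternalAuthPreflight {

    // Username a candidate --expression would yield: the first capturing group,
    // lower-cased as with --downcase=true. Full-match semantics are an assumption.
    // Returns null when the value does not match, so the case can be reviewed.
    static String extractUser(String expression, String raw, boolean downcase) {
        Matcher m = Pattern.compile(expression).matcher(raw);
        if (m.groupCount() < 1 || !m.matches()) return null;
        String user = m.group(1);
        return downcase ? user.toLowerCase(Locale.ROOT) : user;
    }

    // Accept a candidate -R pattern only if it matches every intended proxy address
    // in full and is not found anywhere inside any other sample address, so the
    // result holds whether the server uses full-match or substring matching.
    static boolean isTightHostPattern(String regex, List<String> proxies, List<String> others) {
        Pattern p = Pattern.compile(regex);
        for (String ip : proxies) {
            if (!p.matcher(ip).matches()) return false;
        }
        for (String ip : others) {
            if (p.matcher(ip).find()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real deployment.
        String expr = "\\S+\\\\(\\S+)"; // the regex \S+\\(\S+) as a Java string literal
        for (String raw : List.of("RESEARCH\\Alice", "alice@research.example")) {
            System.out.println(raw + " -> " + extractUser(expr, raw, true));
        }
        List<String> proxies = List.of("10.0.0.5", "10.0.0.6");
        List<String> others = List.of("10.0.0.50", "110.0.0.5", "10.0.0.7");
        for (String r : List.of("10.0.0.[56]", "10\\.0\\.0\\.[56]", "^10\\.0\\.0\\.[56]$")) {
            System.out.println(r + " -> tight: " + isTightHostPattern(r, proxies, others));
        }
    }
}
```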