config-external-auth
Configures the external authentication method.
config-external-auth
[-c value | --configuration=value]
[-b value | --bootstrap-config=value]
[-e <true|false> | --enabled=<true|false>]
[-m value | --declared-auth-method=value]
[-a value | --request-attribute=value]
[-r value | --request-header=value]
[-o value | --request-cookie=value]
[-n value | --custom-authenticator-class-name=value]
[-f <true|false> | --use-authentication-filter=<true|false>]
[-x value | --expression=value]
[-d <true|false> | --downcase=<true|false>]
[-s <true|false> | --require-tls=<true|false>]
[-h value | --allowed-hosts=value]
{-Rvalue}
{-Ikey=value}
Overview
This command configures external authentication, which is typically used when a reverse proxy or similar component in front of the Spotfire Server handles authentication. The method can be used either as the main authentication method, as configured by the config-auth command, or as a complementary authentication method combined with the main method. It is typically used as the main method when clients can access the server(s) only through a proxy or a load balancer. It is typically used as a complementary method when clients can access the server(s) both directly and through a proxy or a load balancer. To use it as a complementary method, configure and enable the method using this command. To use it as the main authentication method, first configure and enable the method using this command, and then set it as the main method using the config-auth command.
Options
Option | Optional or Required | Default Value | Description |
---|---|---|---|
-c, --configuration | Optional | configuration.xml | The path to the server configuration file. |
-b, --bootstrap-config | Optional | none | The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file. |
-e, --enabled | Optional | true | Specifies whether the external authentication method should be enabled. |
-m, --declared-auth-method | Optional | NTLM | The authentication method that should be declared to clients when external authentication is used as the main authentication method. The following methods are supported: CLIENT_CERT, NTLM, KERBEROS, and WEB. |
-a, --request-attribute | Optional | REMOTE_USER | The name of an HTTP request attribute containing the name of the authenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive. |
-r, --request-header | Optional | none | The name of an HTTP header containing the name of the authenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive. |
-o, --request-cookie | Optional | none | The name of an HTTP cookie containing the name of the authenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive. |
-n, --custom-authenticator-class-name | Optional | none | The name of a class implementing the com.spotfire.server.security.CustomAuthenticator interface that should be used for authentication. Initialization parameters for the Custom Authenticator may be specified using the -I argument. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive. |
-f, --use-authentication-filter | Optional | false | Specifies that the identity of the authenticated user is provided by a custom authentication filter (as the value of the getUserPrincipal() method of jakarta.servlet.http.HttpServletRequest). Note: The Authentication Filter API is deprecated and will be removed in a future release; consider using a Custom Authenticator instead. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and --use-authentication-filter arguments are mutually exclusive. |
-x, --expression | Optional | none | A regular expression that can be used to filter the username extracted from the specified HTTP request attribute. The value of the regular expression's first capturing group will be used as the new username. A typical scenario is to extract the username from a composite name containing both username and domain name when using the "collapse domains" option. For example, the regular expression "\S+\\(\S+)" can be used to extract the username from a value in the format "domain\username". Make sure to enclose the specified expression in quotes and to quote all special characters that might otherwise be consumed by the command-line shell. |
-d, --downcase | Optional | false | Specifies whether the username should be converted to lower case. |
-s, --require-tls | Optional | false | Specifies whether a secure HTTPS connection is required to perform external authentication. |
-h, --allowed-hosts | Optional | none | A comma-separated list of hostnames and/or IP addresses of the client computers that are permitted to perform external authentication. If this, or at least one -R argument, is not specified, then all client computers are permitted to perform external authentication. Because this is a potential security risk, it is strongly recommended to restrict the permissions to use this feature. Typically, this feature is locked down so that only proxies or load balancers are permitted to use it. A scenario where all client computers can be allowed to use this feature is when a custom post-authentication filter is also in use. Then this filter would be responsible for performing the final authorization, for example by validating additional HTTP headers. |
-Rvalue | Optional | none | A regular expression (in the syntax supported by java.util.regex.Pattern) that should match IP addresses of remote hosts that are permitted to perform external authentication. See also the --allowed-hosts argument. This argument can be specified multiple times with different values. |
-Ikey=value | Optional | none | Specifies initialization parameters that will be provided to the Custom Authenticator when the init(Map<String, String>) method is called. This argument can only be specified together with the Example: To set the Custom Authenticator initialization parameter "debug" to "true": |
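
The following Java check is an added example, not part of the Spotfire documentation or product code. It applies the domain\username expression described for --expression (first capturing group, then --downcase) and tests a candidate -R pattern against probe addresses before it is deployed. The class and method names, the sample values, and the use of whole-string matching for the username are assumptions; the page does not state which matching mode the server uses.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ExternalAuthRegexCheck {

    // Mirrors the documented --expression behaviour: the first capturing
    // group becomes the username; --downcase then lower-cases it.
    static Optional<String> extractUser(String expression, String raw, boolean downcase) {
        Matcher m = Pattern.compile(expression).matcher(raw);
        // Assumption: whole-string match; a value that does not match yields no user.
        if (!m.matches() || m.groupCount() < 1 || m.group(1) == null) {
            return Optional.empty();
        }
        String user = m.group(1);
        return Optional.of(downcase ? user.toLowerCase(Locale.ROOT) : user);
    }

    // Assumption: the matching mode used for -R is not stated on the page, so a
    // candidate pattern is accepted only if whole-string matching and substring
    // search agree for every probe address.
    static boolean isUnambiguous(String regex, List<String> probes) {
        Pattern p = Pattern.compile(regex);
        for (String ip : probes) {
            if (p.matcher(ip).matches() != p.matcher(ip).find()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real deployment.
        String expr = "\\S+\\\\(\\S+)"; // the regex \S+\\(\S+) written as a Java literal
        System.out.println(extractUser(expr, "CORP\\JSmith", true));
        System.out.println(extractUser(expr, "JSmith", true)); // no domain part

        // Probes: the intended proxy address plus neighbours that contain it.
        List<String> probes = List.of("10.0.0.1", "10.0.0.10", "110.0.0.1", "10.0.0.2");
        // Unanchored literal: substring search also finds it inside 10.0.0.10 and 110.0.0.1.
        System.out.println(isUnambiguous("10\\.0\\.0\\.1", probes));
        // Anchored form behaves the same under either matching mode.
        System.out.println(isUnambiguous("^10\\.0\\.0\\.1$", probes));
    }
}
```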