Documentation on integration with the IHTSDO Identity Management Service.
This tool has a configurable security architecture that allows for a variety of possible security implementations to be used. For IHTSDO deployments of the tool, we make use of a handler (and login page override) that interacts with the identity management service.
The security layer itself assigns auth tokens which get passed back-and-forth between client and server. This handler verifies that the user is indeed logged in (or redirects them to the "guest" view of the tool). If logged in, an auth token from the application is requested that is good until the timeout period is reached.
There are several important parts to how this works:
In the deployment config.properties file, the security handler must be set to an IMS handler that is properly configured. For example:
security.timeout=7200000 security.guest.disabled=false security.handler=IMS security.handler.IMS.class=org.ihtsdo.otf.refset.jpa.services.handlers.ImsSecurityServiceHandler security.handler.IMS.url=https://ims.ihtsdotools.org |
The ImsSecurityServiceHandler is used with a IMS URL of ims.ihtsdotools.org
In order for this all to work the system must be deployed on an ihtsdotools.org server which has a local "ims-api" link that redirects properly to IMS. For example,
# in the nginx configuration file for refset deployment
location /ims-api {
proxy_pass https://ims.ihtsdotools.org/api;
} |
This allows the application to check this URL to determine if the user is, in fact logged in.
The normal login controller handles a username/password form. For IMS security, an override of the login controller (in the config/prod project) is used to customize the functionality. Instead, it first checks whether the user is logged in by probing the /ims-api link (shown above).
NOTE: this is not a normal thing to need to do - default build with username/password security is recommended for DEV environments.
In a local dev environment, IMS security can also be used. In this case, the user must set the deployment URL (which is presumed to be running on http://localhost:8080/refset-rest) to instead be https://local.ihtsdotools.org/refset-rest (which redirects back to localhost:8081).
The local dev environment then needs to have a configuration setup something like this (to support the localhost:8081 redirection back to localhost:8080 and the /ims-api link)
http {
include mime.types;
server {
listen 8081;
server_name localhost;
location / {
proxy_pass http://127.0.0.1:8080;
}
# may need to be uat-ims for uat-authoring
location /ims-api {
proxy_pass https://ims.ihtsdotools.org/api;
}
}
} |
In order for this to work, nginx must be running on the dev machine.
Finally, to truly use IMS security in a local dev environment, the project will need to be built locally with "-Dconfig.artifactId=refset-config-prod" passed to Maven so the overridden login controller can be deployed.
Alternatively, if IMS is needed simply to support pass-through of auth tokens (e.g. for testing Snowowl terminology handler), then the default login setup can be used (with normal username/password security) and as long as the user is actually logged into IMS and the application is being run on https://local.ihtsdotools.org, then the tokens should be successfully passed through to the handler.