accessmanager
This configuration is required when using the plugin AccessManager.
-
Documentation
-
YAML Format
-
XML Format
| Fill relevant inputs (blue boxes) and click the blue bars on the left to copy XML configuration snippets. |
The AccessManager allows the operation of Cadenza with user management. It can be configured here. For Cadenza Desktop and Cadenza Web, separate configuration files are required in the following directories: Cadenza Desktop: <cadenza_home>/CadenzaDesktop/config/ Cadenza Web: <cadenza_home>/CadenzaWeb/cadenza-config/ . Important: As they contain security relevant data (database connections, URL, usernames, passwords), these files must not be accessible by the client (i.e. via URL query) and therefore must be excluded from the directories. Note: Global Cadenza variables and system variables may be used in this file.
toUpperCase - The username will be automatically transformed to upper case before login. toLowerCase- The username will be automatically transformed to lower case before login. default - The username will not be transformed. Thus, it is handled by Cadenza in a case-sensitive way. Note: The password is always case-sensitive.
Specifies the user providers whose users will be shown with their real names in user pickers. (User providers must also be listed in userSuggestion.) Default: all user providers; if empty: no user provider.
DEPRECATED: This configuration is not used in Cadenza anymore.
true to define that the value of <autoLoginUserName> should only include the variable name without $SYSTEM{} syntax. In this case, the variable is resolved when needed on client side when running in client/server mode. The setting has no effect in standalone mode. false to define that the value of <autoLoginUserName> must be embedded into the $SYSTEM{} syntax.
Default: false
To log in to Cadenza, you can use the same username that was previously used to log in to the operating system (system variable USERNAME on Windows or USER on Linux). Attention: Please note that configuring this feature is a security risk. Anyone who logs in to your computer can access Cadenza. Example: $SYSTEM{USERNAME}.
Number of previous passwords that must be different from the new password. This only applies to passwords that are changed via the menu. Changes within the user management component for administrators are not affected.
true to forbid a user to use a password set by an administrator a second time. It has to be changed after first usage. false to allow a user to use a password set by an administrator more than once.
Default: false
Specification settings for a new password.
Specification settings for a new password compared to the previous password.
Security policy settings for users that are saved in the database.
ISO 8601 Duration Format
Format: P[n]Y[n]M[n]DT[n]H[n]M[n]S
- P is the duration designator (period) placed at the start of the duration representation
- Y is the number of years
- M is the number of months
- D is the number of days
- T is the time designator that precedes the time components
- H is the number of hours
- M is the number of minutes
- S is the number of seconds
Examples:
PT5M- 5 minutesPT1H30M- 1 hour and 30 minutesP1D- 1 dayP1Y2M3DT4H5M6S- 1 year, 2 months, 3 days, 4 hours, 5 minutes, and 6 seconds
Interval at which polling should be performed. The duration is specified in the PnYnMnDTnHnMnS format, e.g. PT600S means until in 600 seconds from now. For more information see https://www.w3.org/TR/xmlschema-2/#duration.
DEPRECATED: Principal update polling has been replaced by messaging. For single-node installations, no further configuration is necessary. For clusters consisting of several Cadenza application servers using the same user management databases, consider enabling the 'Message_Broker' plugin and configuring 'messagebroker-config.xml' accordingly.
Authentication settings.
DEPRECATED: 'connectionIdleTimeout' has been deprecated and should be removed. Due to improvements in connection pooling, Cadenza works with fixed-size connection pools, so the 'connectionIdleTimeout' setting no longer has any effect. A future Cadenza version may fail to start if the configuration is still present.
Additional datasource properties
DEPRECATED: This used to configures the authorization database schema for the Classic authorization database. Classic authorization has been removed with Cadenza 10, and all authorizations stored in the configured authorization database will be ignored. A future Cadenza version may fail to start if the configuration is still present.
DEPRECATED: 'connectionIdleTimeout' has been deprecated and should be removed. Due to improvements in connection pooling, Cadenza works with fixed-size connection pools, so the 'connectionIdleTimeout' setting no longer has any effect. A future Cadenza version may fail to start if the configuration is still present.
Additional datasource properties
Settings for authenticators. Defines the methods used for the authentication, group mapping and property mapping and their order. Multiple authenticators can be defined. If a user is not known by an authenticator, authentication is attempted with the next authenticator in the order. If the password is wrong, login fails.
Some rules should be observed when configuring these authenticators as having the wrong order may cause an authenticator to never trigger: - Non-interactive authenticators must come before interactive ones - OAuth must be named as the last SSO procedure
true to disable login button, false to enable. Applicable only when guestsAllowed is true.
Default: false
Settings for an authenticator. They are mandatory if guest login is not used (but also can be used in combination with guest login).
Method or protocol for authentication. Current possible values: CadenzaDb, LDAP, JWT, SPNEGO, OAuth, autologin-httpheader, Embedded and apikey-httpheader.
A mapping of a user to user groups after successful authentication. Several group mapping variants can be specified. If assignment was not possible with the first group mapping variant, the next one will be tried. The first successful assignment will be used. If assignment was not possible with any group mapping variant, login fails.
Method or protocol for mapping. Current possible values: CadenzaDb, LDAP, JWT, OAuth, Embedded and apikey-httpheader.
User properties that should be passed to Cadenza as user variable after successful authentication. If several propertyMappings are defined, the results of all are considered. Current possible values: CadenzaDb, LDAP, JWT, OAuth, Embedded and UserName.
| This is a generated sample file with fake data and all the possible options shown, refer to the Documentation tab for what combinations are valid and what is required or not. |
cadenzaconfig:
settings:
accessmanager:
passwordEncryptor: "text"
userNameHandling: "text"
userSuggestion:
providers:
- "OAuth"
- "OAuth"
userPrintNameSuggestion:
providers:
- "OAuth"
- "OAuth"
additionalLoginHelpLink:
url: "text"
label: "text"
autoLoginUserName:
systemVariable: true
value: "text"
securityPolicies:
allowedLoginAttempts: 15
allowedChangesIn24Hours: 15
minimumNumberOfPreviousDifferentPasswords: 15
passwordExpirationTimeInDays: 15
warnBeforePasswordExpirationInDays: 15
allowedUserInactiveTimeInDays: 15
forbidUsageOfPasswordsSetByAdmin: true
newPassword:
minimumLength: 15
minimumLetters: 15
minimumDigits: 15
comparedToPreviousPassword:
minimumChangedCharacters: 15
minimumChangedLetters: 15
minimumChangedDigits: 15
polling:
enabled: true
duration: "P2DT3M"
changelog:
enabled: true
authentication:
datasource:
driverName: "text"
jdbcURL: "text"
user: "text"
password: "text"
connectionPoolSize: 15
connectionIdleTimeout: 15
properties:
- name: "text"
description: "text"
value: "text"
- name: "text"
description: "text"
value: "text"
authorization:
datasource:
driverName: "text"
jdbcURL: "text"
user: "text"
password: "text"
connectionPoolSize: 15
connectionIdleTimeout: 15
properties:
- name: "text"
description: "text"
value: "text"
- name: "text"
description: "text"
value: "text"
authenticators:
guestsAllowed: true
disableLoginButton: true
authenticator:
- refid: "text"
groupMapping:
- refid: "text"
value: "text"
- refid: "text"
value: "text"
propertyMapping:
- refid: "text"
value: "text"
- refid: "text"
value: "text"
- refid: "text"
groupMapping:
- refid: "text"
value: "text"
- refid: "text"
value: "text"
propertyMapping:
- refid: "text"
value: "text"
- refid: "text"
value: "text"Filename: accessmanager-config.xml
| This is a generated sample file with fake data and all the possible options shown, refer to the Documentation tab for what combinations are valid and what is required or not. |
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<userRegistry>
<passwordEncryptor>text</passwordEncryptor>
<userNameHandling>text</userNameHandling>
<userSuggestion>
<providers>
<provider>OAuth</provider>
<provider>OAuth</provider>
</providers>
</userSuggestion>
<userPrintNameSuggestion>
<providers>
<provider>OAuth</provider>
<provider>OAuth</provider>
</providers>
</userPrintNameSuggestion>
<additionalLoginHelpLink>
<url>text</url>
<label>text</label>
</additionalLoginHelpLink>
<autoLoginUserName systemVariable="true">text</autoLoginUserName>
<securityPolicies>
<allowedLoginAttempts>15</allowedLoginAttempts>
<allowedChangesIn24Hours>15</allowedChangesIn24Hours>
<minimumNumberOfPreviousDifferentPasswords>15</minimumNumberOfPreviousDifferentPasswords>
<passwordExpirationTimeInDays>15</passwordExpirationTimeInDays>
<warnBeforePasswordExpirationInDays>15</warnBeforePasswordExpirationInDays>
<allowedUserInactiveTimeInDays>15</allowedUserInactiveTimeInDays>
<forbidUsageOfPasswordsSetByAdmin>true</forbidUsageOfPasswordsSetByAdmin>
<newPassword>
<minimumLength>15</minimumLength>
<minimumLetters>15</minimumLetters>
<minimumDigits>15</minimumDigits>
</newPassword>
<comparedToPreviousPassword>
<minimumChangedCharacters>15</minimumChangedCharacters>
<minimumChangedLetters>15</minimumChangedLetters>
<minimumChangedDigits>15</minimumChangedDigits>
</comparedToPreviousPassword>
</securityPolicies>
<polling enabled="true">
<duration>P2DT3M</duration>
</polling>
<changelog enabled="true"/>
<authentication>
<datasource>
<driverName>text</driverName>
<jdbcURL>text</jdbcURL>
<user>text</user>
<password>text</password>
<connectionPoolSize>15</connectionPoolSize>
<connectionIdleTimeout>15</connectionIdleTimeout>
<properties>
<property name="text" description="text">text</property>
<property name="text" description="text">text</property>
</properties>
</datasource>
</authentication>
<authorization>
<datasource>
<driverName>text</driverName>
<jdbcURL>text</jdbcURL>
<user>text</user>
<password>text</password>
<connectionPoolSize>15</connectionPoolSize>
<connectionIdleTimeout>15</connectionIdleTimeout>
<properties>
<property name="text" description="text">text</property>
<property name="text" description="text">text</property>
</properties>
</datasource>
</authorization>
<authenticators guestsAllowed="true" disableLoginButton="true">
<authenticator refid="text">
<groupMapping refid="text">text</groupMapping>
<groupMapping refid="text">text</groupMapping>
<propertyMapping refid="text">text</propertyMapping>
<propertyMapping refid="text">text</propertyMapping>
</authenticator>
<authenticator refid="text">
<groupMapping refid="text">text</groupMapping>
<groupMapping refid="text">text</groupMapping>
<propertyMapping refid="text">text</propertyMapping>
<propertyMapping refid="text">text</propertyMapping>
</authenticator>
</authenticators>
</userRegistry>