This section describes how to configure username and password based authentication methods. For single sign-on methods, see section 4.10.
When users start a Spotfire client, they are presented with a login dialog. They first select the Spotfire Server to log into, and if that server uses a username and password based authentication method, they also supply their username and password.
The username and password are then transferred to the Spotfire Server using HTTP Basic authentication (this is why the username and password authentication methods are sometimes also referred to as BASIC authentication methods). Basic authentication Base64-encodes the credentials so that they can be carried in an HTTP header, but Base64 is an encoding, not encryption: anyone able to eavesdrop on the network traffic can decode the username and password immediately, and because the protocol carries the Authorization header on each request, the credentials are exposed repeatedly, not only at login. To use any username and password authentication method safely, you must also enable TLS/SSL so that the credentials are transferred to the Spotfire Server over the encrypted HTTPS protocol.
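The following added example (it is not Spotfire code, and the captured request inside it is constructed for illustration) shows how little work an eavesdropper needs to recover the credentials from a Basic login sent over plain HTTP: find the Authorization header, Base64-decode its value, and split it at the first colon.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * What an eavesdropper recovers from an HTTP Basic login sent over plain HTTP.
 * Added illustration, not Spotfire code. The request below is constructed for
 * this example; it is not a real capture.
 */
public class BasicAuthEavesdrop {

    // Constructed sample of a plain-HTTP request to a Spotfire Server. The
    // Authorization value is base64("alice:S3cret:with:colons").
    static final String CAPTURED_REQUEST =
            "GET /spotfire/ HTTP/1.1\r\n"
          + "Host: spotfire.example.com\r\n"
          + "Authorization: Basic YWxpY2U6UzNjcmV0OndpdGg6Y29sb25z\r\n"
          + "\r\n";

    /**
     * Returns {username, password} from the first Authorization: Basic header
     * in a raw request, or null if the request carries none.
     */
    static String[] extractBasicCredentials(String rawRequest) {
        for (String line : rawRequest.split("\r\n")) {
            if (line.isEmpty()) {
                break;                       // blank line ends the headers
            }
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue;                    // request line or malformed header
            }
            String name = line.substring(0, colon).trim();
            String value = line.substring(colon + 1).trim();
            if (!name.equalsIgnoreCase("Authorization")) {
                continue;                    // header names are case-insensitive
            }
            String[] schemeAndToken = value.split("\\s+", 2);
            if (schemeAndToken.length != 2 || !schemeAndToken[0].equalsIgnoreCase("Basic")) {
                return null;                 // some other scheme, e.g. Negotiate
            }
            // Base64 is reversible by anyone: no key, no secret, just a decoder.
            byte[] decoded = Base64.getDecoder().decode(schemeAndToken[1]);
            String userPass = new String(decoded, StandardCharsets.UTF_8);
            // RFC 7617: the user-id cannot contain ':', so split on the FIRST
            // colon only; the password itself may contain colons.
            int sep = userPass.indexOf(':');
            if (sep < 0) {
                return null;
            }
            return new String[] { userPass.substring(0, sep), userPass.substring(sep + 1) };
        }
        return null;
    }

    public static void main(String[] args) {
        String[] creds = extractBasicCredentials(CAPTURED_REQUEST);
        if (creds == null) {
            System.out.println("no Basic credentials in request");
            return;
        }
        System.out.println("username: " + creds[0]);
        System.out.println("password: " + creds[1]);
    }
}
```

Run it as an ordinary Java program; it prints the recovered username and password in clear text. Had the same login been carried over HTTPS, the eavesdropper would have seen only TLS records, which is the whole reason the TLS/SSL requirement above is not optional.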
The username and password authentication methods supported by Spotfire are:
Spotfire Database
LDAP Directory
Windows NT Domain (Legacy, use only if you cannot use LDAP)
Custom JAAS
With all methods, user entries are created in the Spotfire database. When an external authentication method is used, the relevant user information is copied from the external source into the Spotfire database.
4.9.1 Spotfire Database
This authentication method requires that the User Directory is configured for Spotfire Database mode. The Spotfire database stores the names and passwords of all users, and an administrator must create every user account in advance. This is the default authentication mode on a new installation and requires no configuration. It is a simple solution, recommended for small sites.
4.9.2 LDAP
This authentication method integrates with an existing LDAP directory and delegates the actual authentication duty to its configured LDAP servers. The result is that only users with valid accounts in the LDAP directory can log into the Spotfire Server. This authentication method is recommended for all larger sites. It can be combined with both Spotfire Database and LDAP User Directory mode.
Combining the LDAP authentication method with the LDAP User Directory mode is usually the recommended choice. In some cases, however, for example when the LDAP directory contains a very large number of users and offers no fine-grained partitioning that would let you select a smaller subset, combining LDAP authentication with the Spotfire Database User Directory mode is preferable: the Spotfire Server then tracks only the users who actually log in, which keeps its User Directory smaller and easier to manage and overview.
When combining it with a Spotfire Database User Directory mode, the Post-Authentication Filter must be configured in creating mode, so that the users will be automatically added to the User Directory. When combining it with an LDAP User Directory mode, the default blocking mode of the Post-Authentication Filter is already correct.
The Spotfire Server supports the following LDAP servers:
Microsoft Active Directory
Sun ONE Directory Server
Sun Java System Directory Server
If your site is using another type of LDAP server, the Spotfire Server may be able to use a custom LDAP configuration, which is slightly more advanced to configure.
To configure the Spotfire Server for the LDAP authentication method:
1 Use the create-ldap-config command (page 170) to create an LDAP configuration.
2 Use the config-basic-ldap-auth command (page 151) to configure the LDAP authentication method to use the previously created LDAP configuration. This will result in a JAAS application configuration called SpotfireLDAP.
3 Use the set-auth-mode command (page 195) to activate the LDAP authentication method.
When running these commands, you need to provide specific information about your LDAP directory and your LDAP servers. See section 4.14, particularly the authentication information indicated by an A in “LDAP Directory” on page 64. If you do not have the necessary information, contact the responsible LDAP directory administrator or your IT department.
4.9.3 Windows NT Domain (legacy)
With this authentication method, user authentication is delegated to Windows NT domain controllers. To use it, the Spotfire Server must run on Windows, and you must have a working Windows NT 4 Server domain controller or a Windows 2000 Server (or later) domain controller running in mixed mode. This is a legacy solution that should only be used if LDAP cannot be used.
Just like the LDAP authentication method, the Windows NT Domain authentication method can be combined with a User Directory in either Windows NT Domain mode or in Spotfire Database mode.
When combining it with a Spotfire Database User Directory mode, the Post-Authentication Filter must be configured in creating mode, so that the users will be automatically added to the User Directory. When combining it with a Windows NT Domain User Directory mode, the default blocking mode of the Post-Authentication Filter is already correct.
To configure for the Windows NT Domain authentication method:
1 Use the config-basic-windows-auth command (page 151) to configure the Windows NT Domain authentication method. This will result in a JAAS application configuration called SpotfireWindows.
2 Use the set-auth-mode command (page 195) to activate the Windows NT Domain authentication method.
When running these commands, you have to provide the name of the Windows domain or domains. If you do not have this information, contact the responsible system administrator or your IT department.
4.9.4 Custom JAAS Module
All authentication methods described above are implemented as Java Authentication and Authorization Service (JAAS) modules. Spotfire also supports third-party JAAS modules. You may therefore use a JAAS module of your own or one from a third-party supplier, provided that it is suitable for username and password authentication and that it uses JAAS’ NameCallback and PasswordCallback objects for collecting the usernames and passwords.
When using a custom JAAS module, you must place the module file in the <installation dir>/tomcat/webapps/spotfire/WEB-INF/lib directory on all Spotfire Servers.
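As an added example (not Spotfire code, and not a module shipped with any product), the skeleton below shows the shape of a username and password LoginModule that satisfies the requirement above: it collects the credentials exclusively through JAAS NameCallback and PasswordCallback objects, handles the password as a char array that is wiped after use, and fails closed. The class name is arbitrary, and verifyCredentials() is a hypothetical hook standing in for a lookup against your own credential store.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Skeleton of a username/password JAAS LoginModule that collects credentials
 * through NameCallback and PasswordCallback, as required above. Added example,
 * not Spotfire code; verifyCredentials() is a hypothetical hook for your store.
 */
public class ExampleUsernamePasswordLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private String username;
    private boolean loginSucceeded;
    private boolean commitSucceeded;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // 'options' holds the key/value pairs of the JAAS application configuration.
    }

    @Override
    public boolean login() throws LoginException {
        if (callbackHandler == null) {
            throw new LoginException("No CallbackHandler available to collect credentials");
        }
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passwordCb = new PasswordCallback("password: ", false); // false: no echo
        try {
            // The server supplies both values through its CallbackHandler.
            callbackHandler.handle(new Callback[] { nameCb, passwordCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Could not collect credentials: " + e.getMessage());
        }
        username = nameCb.getName();
        char[] password = passwordCb.getPassword();   // getPassword() hands back a copy
        passwordCb.clearPassword();                   // wipe the copy held by the callback
        try {
            if (username == null || password == null) {
                throw new FailedLoginException("Username and password are required");
            }
            loginSucceeded = verifyCredentials(username, password);
        } finally {
            if (password != null) {
                Arrays.fill(password, '\0');          // do not leave the secret on the heap
            }
        }
        if (!loginSucceeded) {
            // One message for unknown user and wrong password: do not reveal which failed.
            throw new FailedLoginException("Invalid username or password");
        }
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (!loginSucceeded) {
            return false;
        }
        // A complete module typically adds a Principal for 'username' to 'subject' here.
        commitSucceeded = true;
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        if (!loginSucceeded) {
            return false;
        }
        logout();   // clear state whether or not commit() had run
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        username = null;
        loginSucceeded = false;
        commitSucceeded = false;
        return true;
    }

    /** Hypothetical hook: check the user against your own credential store; reject by default. */
    private boolean verifyCredentials(String user, char[] password) {
        return false;   // replace with a real check; never return true unconditionally
    }
}
```

Two points in this skeleton matter for a module that will run inside the server: the password is only ever touched as a char array and is zeroed in a finally block, so it does not linger as an immutable String after login() returns; and the module throws FailedLoginException rather than returning false, so a misconfigured or failing credential store can never be mistaken for a successful login.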
To configure the Custom JAAS Module authentication method:
1 Use the JAAS commands (“JAAS Commands” on page 31) to configure the module.
2 Use the set-auth-mode command (page 195) to activate the Custom JAAS Module authentication method.
To run these commands, you need the module-specific information below. If you do not have it, contact the provider of the custom JAAS module.
Consult the JAAS Reference Guide for more information on how to configure JAAS modules.