Security
Table of contents
- Managing Users
- Managing User Accounts and Groups
- Managing Permissions
- Single Sign-On
- Managing Sessions
- Using HTTPS with JMap
Security management in JMap encompasses several aspects.
Identity management can be handled by JMap Server itself or delegated to another system, such as Microsoft Active Directory or an LDAP directory. See the Managing Users and Managing User Accounts and Groups sections for more information. JMap also supports single sign-on for JMap Pro. See the Single Sign-On section for more information.
Access management, or rather permission management, is applied to all the resources handled by JMap. This includes user access to JMap applications as well as the access permissions of JMap administrators. See the Managing Permissions section for more information.
JMap allows you to easily use the HTTPS protocol for JMap Admin and for the various applications. See section Using HTTPS with JMap for more information.
Managing Users
In JMap Admin, the user manager configuration can be accessed by clicking on Users / Groups in the JMap Server section. Select the User manager tab.
The user manager allows you to define how JMap will manage user accounts and groups. There are two ways to manage this information with JMap:
- Using the JMap user account database: you create and delete the user accounts directly from JMap Admin;
- By connecting to an existing database of user accounts such as a Windows Active Directory system, an LDAP compatible system or a relational database.
Several systems can also be combined to be used simultaneously (e.g. the JMap database and Windows Active Directory). These systems are then used as a single system. When JMap Server connects to an existing database, user account management is simplified because no account or user group needs to be created and managed in JMap.
The following sections describe each available option.
JMap DB user manager
This type of user account management records users and groups directly into JMap Server’s System database or in an external database containing the required tables and fields. The JMap administrator must create and manage all user accounts and groups.
Click on the User manager tab from the Users / Groups section. Select JMap DB user manager to indicate that user accounts will be managed within a relational database. To store information in JMap Server’s System database, select the JMap Server database option.
You can also use any relational database that contains at least the required tables and fields by selecting the External database option. When you do this, an interface displays, allowing you to define the configuration parameters. Using this configuration interface, select the database you wish to use. Afterwards, select the tables and fields containing the various information pertaining to users and groups. If needed, you can select Read-only mode to prevent account information from being modified by JMap Admin.
Once this configuration has been defined, you can create, modify and delete user accounts directly from JMap Admin.
Composite user manager
This type of user management allows you to combine several managers together. You can add as many user managers as necessary. All user managers will function as a single user manager. Refer to the previous sections for information on user manager configuration.
Active Directory user manager
You can connect to Windows Active Directory (in read-only mode). In order for the Active Directory user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ad=com.kheops.jmap.server.security.ActiveDirectoryUserManager
We recommend you use the Composite user manager instead of simply using the Active Directory user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of Active Directory.
In the User manager section, select the Composite user manager and add the Active Directory user manager. A new interface opens, allowing you to enter the settings to configure the connection to the Active Directory server.
Active Directory | |
---|---|
Friendly name | Name used to easily identify the Active Directory user manager. |
Server address | Address of the Windows domain controller configured with Active Directory. You can add several Active Directory servers by separating them with a space. Example: ldap://host1 ldap://host2 where host1 and host2 are the addresses of the Active Directory servers. Active Directory is based on LDAP. |
DN | Unique identifier (Distinguished Name) pointing at the root of the directory. Composed of a list of DC (Domain Component) entries. Example: dc=k2,dc=com |
Domain | Name of the Windows domain. Example: k2.com |
User / SPN | User name that JMap Server will use to connect to the Active Directory. It is recommended to create a user especially for JMap. Its password should never expire. If you wish to use single sign-on, you will have to create an SPN (Service Principal Name) associated with this user. See Single Sign-On for more details. |
Password | Password of the user JMap Server will use to connect to the Active Directory. |
Admin. password | A user named administrator must always exist in JMap. If no administrator user exists in the Active Directory, JMap will simulate one. In such a case, provide the password associated with this user. If the user administrator does exist in the Active Directory and a password is entered, this password will simply be ignored. |
Enable single sign-on | Enables the single sign-on option. See Single Sign-On for more details. |
Default / Custom LDAP configuration | Active Directory is based on LDAP. This option allows for the use of the LDAP parameters that are most commonly used for Active Directory. However, if those parameters don’t match the ones in use, it is possible to specify custom values. The parameters are described in the following section, JMap LDAP user manager. |
Max page size | Active Directory limits the transaction size to a maximum number of records at a time (page size). The value of this parameter must not be greater than the maximum size authorized by Active Directory (1000 is the default value in Active Directory). If the size is too small, this can reduce performance. A size greater than the authorized limit will cause missing data in the user list. |
JMap LDAP user manager
You can connect to any LDAP compliant directory (in read-only mode). Unix, Linux and Windows systems offer many LDAP compliant directories.
In order for the JMap LDAP user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ldap=com.kheops.jmap.server.security.LDAPUserManager
We recommend you use the Composite user manager instead of simply using the LDAP user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of LDAP.
In the User manager section, select the Composite user manager and add the JMap LDAP user manager. A new interface opens, allowing you to enter the settings to configure the connection to the LDAP server.
JMap LDAP user manager | |
---|---|
Friendly name | Name used to easily identify the LDAP user manager. |
Server URL | LDAP server address. You can add several LDAP servers by separating the addresses with a space. Example: ldap://host1 ldap://host2 where host1 and host2 are the URLs of the LDAP servers. |
DN | Unique identifier (Distinguished Name) used to define the root of the directory. Includes a list of Domain Component entries. Example: dc=k2geospatial,dc=com |
User | User name that will be used by JMap Server to connect to the LDAP directory. It is recommended to have a user created specifically for JMap purposes. This user’s password should never expire. The user name must be accompanied by the domain the user belongs to. Example: cn=admin,dc=k2geospatial,dc=com |
Password | The user password that JMap Server will use to connect to the LDAP directory. |
Admin. password | A user named administrator must always exist in JMap. If there is no administrator user in the LDAP directory, JMap will simulate one. In this case, you must provide the password associated with this user. If the administrator user exists in the LDAP directory and a password is entered, it will be ignored. |
Use prefix and suffix | Select this option if the LDAP server uses a prefix and a suffix for user authentication. |
Authentication prefix | Some LDAP servers require a prefix to be concatenated with the user name in order to proceed with authentication. Example: Prefix: a_domain User: a_user Result: a_domain\a_user |
Authentication suffix | Some LDAP servers require a suffix to be concatenated with the user name to proceed with authentication. Example: Suffix=@a_domain User=a_user Result: a_user@a_domain |
User class | This setting and the ones that follow depend on the internal structure of the LDAP directory, i.e. the way users are organized into groups; they are used to identify LDAP users and groups, so enter the values that match the LDAP server you connect to. User class: name of the LDAP object class used to identify a user in the LDAP directory. |
Group class | Name of the LDAP object class used to identify a group in the LDAP directory. |
User filter | Search filter used to extract users from the LDAP directory. This filter must be formatted according to the standard LDAP syntax. |
Group filter | Search filter used to extract groups from the LDAP directory. This filter must be formatted according to the standard LDAP syntax. |
User attribute | The attribute of an LDAP user that defines this user’s identity. |
Group attribute | The attribute of an LDAP group that defines this group’s identity. |
Member attribute | The attribute of an LDAP group that defines which users are members of this group. |
Full name attribute | The attribute of an LDAP user that defines this user’s full name. |
Email attribute | The attribute of an LDAP user that defines this user’s email address. |
Max page size | LDAP directories limit the size of a transaction to a maximum number of records at a time (the page size). The value of this parameter must not exceed the maximum size permitted by the directory (1000 is the default value in LDAP directories). If the size is too small, this can reduce performance. If the size is larger than the authorized limit, data will be missing in the user list. |
For more information on the LDAP protocol, refer to http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol.
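The following is an added example, not JMap's own code, that shows how the Active Directory and LDAP user manager settings above (user and group class, identity attributes, search filters, authentication prefix and suffix, max page size) combine into directory queries. It also shows why a value that comes from a login form has to be escaped before it is placed in a filter: an unescaped name such as `*)(objectClass=*` would change the meaning of the search instead of matching an account. All function names are hypothetical; the sample configuration values are constructed.

```python
"""Added example (not JMap's code): LDAP filter construction, bind-name
prefix/suffix handling and page-size checking for the settings described
in the JMap LDAP / Active Directory user manager tables."""

# RFC 4515 escaping for values embedded in a search filter. Without it a login
# such as "*)(objectClass=*" would rewrite the filter instead of matching a name.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(user_class: str, user_attribute: str, login: str,
                       user_filter: str = "") -> str:
    """Filter that finds one user: the configured User class, the User attribute
    compared with the login name, and the administrator's own User filter
    (assumed to be a well-formed filter, e.g. "(memberOf=cn=gis,dc=example,dc=com)")."""
    clauses = [f"(objectClass={escape_filter_value(user_class)})",
               f"({user_attribute}={escape_filter_value(login)})",
               user_filter]
    return "(&" + "".join(clauses) + ")"


def group_lookup_filter(group_class: str, group_attribute: str, group_name: str,
                        group_filter: str = "") -> str:
    """Same construction for the Group class / Group attribute / Group filter settings."""
    clauses = [f"(objectClass={escape_filter_value(group_class)})",
               f"({group_attribute}={escape_filter_value(group_name)})",
               group_filter]
    return "(&" + "".join(clauses) + ")"


def bind_name(user: str, prefix: str = "", suffix: str = "") -> str:
    """Authentication prefix/suffix as the table describes it: prefix "a_domain"
    and user "a_user" give "a_domain\\a_user" (the backslash is inserted, as in
    the page's example); suffix "@a_domain" gives "a_user@a_domain"."""
    name = f"{prefix}\\{user}" if prefix else user
    return name + suffix


def check_page_size(requested: int, directory_max: int = 1000) -> int:
    """Max page size must stay within the directory's own limit (1000 by default);
    a larger value leads to entries missing from the user list."""
    if requested < 1:
        raise ValueError("page size must be at least 1")
    if requested > directory_max:
        raise ValueError(f"page size {requested} exceeds the directory limit {directory_max}")
    return requested


def paged_results(entries: list, page_size: int) -> list:
    """Split a result set the way a paged search returns it (plain slicing stands
    in for the LDAP paged-results control)."""
    page_size = check_page_size(page_size)
    return [entries[i:i + page_size] for i in range(0, len(entries), page_size)]


if __name__ == "__main__":
    # Constructed sample: an Active Directory style configuration.
    print(user_lookup_filter("user", "sAMAccountName", "jdoe"))
    print(user_lookup_filter("user", "sAMAccountName", "*)(objectClass=*"))
    print(bind_name("a_user", prefix="a_domain"), bind_name("a_user", suffix="@a_domain"))
    print([len(p) for p in paged_results(list(range(2500)), 1000)])
```

The escaping step is the part worth keeping in mind when writing a custom User filter: the filter text itself is trusted administrator configuration, but anything compared against it at login time should reach the directory as a literal value.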
Synchronizing user permissions
When you connect to an existing user account database (Active Directory, LDAP or external relational database), it may be useful to synchronize JMap Server with the database for two reasons:
- When users or groups are deleted from the database and those deleted users or groups had been given permissions in JMap (e.g. to open a project or view certain layers), the permissions are not deleted from JMap Server permission lists. This can happen because JMap Server is not aware the users or groups have been deleted from the database. When synchronizing, JMap Server removes all existing permissions for deleted users and groups. However, even if you don’t synchronize, there is no security problem because deleted users will fail at login.
- When the contents of user groups are modified (members added or removed), so that JMap Server can reload the lists of users that belong to the groups. JMap Server keeps the group member lists in memory for performance reasons.
You can automate the synchronization by selecting the option Synchronize automatically every… and specifying a time period.
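The two effects of a synchronization described above, modelled as an added example that is not JMap's own code: stale permissions held by principals the directory no longer knows are dropped, and the in-memory group member lists are reloaded. The `Directory`, `ServerState` and `synchronize` names are hypothetical, and the sample directory contents are constructed.

```python
"""Added example (not JMap's code): model of synchronizing JMap Server's
permission lists and cached group membership with an external user database."""
from dataclasses import dataclass, field

# Principals that always exist in JMap and are therefore never pruned.
BUILTIN = {"administrator", "anonymous", "everyone", "authenticated users"}


@dataclass
class Directory:
    """Constructed stand-in for Active Directory / LDAP: the accounts it knows
    and the members of each group."""
    users: set
    groups: dict  # group name -> set of member user names


@dataclass
class ServerState:
    """Permission lists kept by JMap Server, plus the group membership it keeps
    in memory for performance."""
    permissions: dict  # resource -> {principal -> set of permission names}
    group_members: dict = field(default_factory=dict)


def synchronize(state: ServerState, directory: Directory) -> list:
    """Reason 1: drop permissions held by users or groups deleted from the
    directory. Reason 2: reload the cached group member lists.
    Returns the (resource, principal) pairs whose permissions were removed."""
    known = directory.users | set(directory.groups) | BUILTIN
    removed = []
    for resource, grants in state.permissions.items():
        for principal in list(grants):
            if principal not in known:
                removed.append((resource, principal))
                del grants[principal]
    state.group_members = {name: set(members) for name, members in directory.groups.items()}
    return removed


def effective_permissions(state: ServerState, resource: str, user: str) -> set:
    """Permissions a user holds on a resource directly or through cached groups."""
    grants = state.permissions.get(resource, {})
    result = set(grants.get(user, set()))
    for group, members in state.group_members.items():
        if user in members:
            result |= grants.get(group, set())
    return result


def demo():
    # Constructed sample: "old_user" was deleted from the directory and "carol"
    # was moved from the GIS group to the Readers group since the last sync.
    state = ServerState(
        permissions={"project:city": {"old_user": {"open"}, "GIS": {"open", "edit"},
                                      "Readers": {"open"}, "administrator": {"open"}}},
        group_members={"GIS": {"alice", "carol"}, "Readers": {"bob"}},
    )
    directory = Directory(users={"alice", "bob", "carol"},
                          groups={"GIS": {"alice"}, "Readers": {"bob", "carol"}})
    before = effective_permissions(state, "project:city", "carol")
    removed = synchronize(state, directory)
    after = effective_permissions(state, "project:city", "carol")
    return removed, before, after


if __name__ == "__main__":
    print(demo())
```

Until the synchronization runs, `carol` still holds the edit permission through the stale GIS membership cached in memory; this is the case the automatic synchronization interval is there to bound.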
Managing User Accounts and Groups
In JMap, user accounts and groups are used for access control and collaboration purposes. You can manage users and groups in JMap Admin by clicking on Users / Groups from the JMap Server section.
Two special users and two special groups always exist in JMap: administrator, anonymous, everyone, and authenticated users.
Special users and groups | |
---|---|
Administrator | The administrator user allows you to access JMap Admin following a new installation (this user has administration rights in JMap). This user’s password is initially blank, so it is highly recommended to set one as soon as possible. Read below for more information. The administrator user always exists in JMap and cannot be deleted. |
Anonymous | The anonymous user allows users who are not authenticated to access certain resources. It can be used to configure access to a project without authentication, for instance. The anonymous user always exists in JMap and cannot be deleted. In addition, this user’s password (blank) cannot be modified. |
Everyone | The everyone group is used to give all users access to a resource, provided they are authenticated. The everyone group is not displayed in the list of JMap groups. It is only visible in interfaces that allow you to define permissions, where applicable. |
Authenticated users | The authenticated users group is used to allow all users except anonymous to access a resource. Authentication is required for this group. |
Creating users and groups
You can create a new user or group by pressing Create from the Users / Groups section. This will bring you to the new user or group configuration section. Note that you can only create users and groups if you are using the JMap account database or an external database that is not in read-only mode.
Users | |
---|---|
User name | Enter a unique user name (login name) for the new user. You will not be able to save it if the name already exists. |
Password | Enter a password for the new user. The password field can be empty but this is not recommended. Users of JMap Web applications can change their password from the application. This is only possible if the user accounts are managed with JMap DB user manager. |
Confirm password | Enter the password a second time to confirm. |
Full name | Enter the full name (first name and last name) for the new user. This is optional. |
Email | Enter the email address of the new user. It is used when sending maps to the user. This is optional. |
Hidden | Select this option if you want the new user to be hidden from user directories. |
Groups | |
---|---|
Group name | Enter a unique group name for the new group. You will not be able to save it if the name already exists. |
Modifying users and groups
You can modify an existing user or group by clicking on its name in the list. Note that once a user is created, its user name cannot be modified. To add users to a group, press and a list of available users will be displayed. Select the users to add to the group and press Add. To remove users from a group, select the users to remove and press .
Deleting users and groups
You can delete a user or group by selecting it in the list and pressing Delete.
Managing Permissions
Permissions in JMap are divided into two families: permissions for the users of applications (Pro, Web and Survey) and permissions for the administrators (JMap Admin).
User permissions
User permissions determine what the users can do inside JMap Pro, JMap Web, and JMap Survey applications.
The following table presents the different permission groups that are available for the users.
User permissions | |
---|---|
Permissions on projects | See section Project Permissions for more information. |
Permissions on layers | See section Layer Permissions for more information. |
Permissions on personal layers | Create personal layers: this permission gives a user the right to create personal layers in JMap Pro applications. By default, JMap users are not allowed to create personal layers. You can configure this permission in subsection Permissions of the JMap Server section. |
Permissions on forms | See section Database Forms for more information. |
Administrator permissions
Administrator permissions determine what JMap administrators are authorized to do in JMap Admin. Some permissions are global (permissions to do some tasks) while other permissions apply to specific resources.
Several of the global permissions are configured in the Permissions subsection of the JMap Server section.
The following table describes the global administration permissions.
Global administration permissions | |
---|---|
Access JMap Admin | This permission is required for an administrator to access JMap Admin. After the installation of JMap, only the administrator user has this permission. Note that the password is initially left empty for this user. It is strongly recommended to enter a password for the administrator user. See section Managing User Accounts and Groups for more information on modifying passwords. Also make sure to leave at least one user with this permission and with a known password. Otherwise, it will be impossible to access JMap Admin. |
Create database | This permission is required for an administrator to create new databases in JMap Admin. |
Create remote connection | This permission is required for an administrator to create new connections to remote JMap Server instances in JMap Admin. |
Create deployment | This permission is required for an administrator to create new application deployments in JMap Admin. |
Create metadata templates | This permission is required for an administrator to create new metadata templates in JMap Admin. |
Create style templates | This permission is required for an administrator to create new style templates in JMap Admin. |
Create project | This permission is required for an administrator to create new projects in JMap Admin. |
Create data source | This permission is required for an administrator to create new spatial data sources in JMap Admin. |
Administration permissions that are specific to resources determine what an administrator can do with each resource. The following table describes those permissions.
Resource specific administration permissions | |
---|---|
Access … | The administrator can view the detailed information of a resource and use the resource, but cannot modify it. Example: To use a spatial data source in order to create a layer, the administrator must at least have the Access permission on the data source. |
Administrate … | Allows the administrator to modify the resource and manage the user permissions for the resource. Does not allow the administrator to delete the resource or manage its administration permissions. Example: To add a layer in a project, the administrator must have the Administrate permission for the project. |
Use SQL console | (Applies only to databases) Allows the administrator to use the SQL console on the database. The SQL console is used to show the database structure and to execute SQL queries on the database. |
Remote access | Allows the administrator to access the resource from another instance of JMap Server. This permission is generally granted to a generic account used to open communication sessions between different instances of JMap Server. For more information, see sections Sharing Layers and Sharing Spatial Data Sources. |
Owners of a resource
Most resources managed in JMap Admin have one or more owners. Owners of a resource are the only ones that are allowed to:
- manage administration permissions for the resource;
- manage the list of owners for the resource;
- delete the resource.
Super administrators
Super administrators are special accounts that can do everything in JMap Admin. They are the only ones who are allowed to:
- manage the list of super administrators;
- manage global administration permissions;
- manage users and groups;
- modify JMap Server’s working parameters;
- display the log files;
- import and export configurations.
You can manage the list of super administrators from subsection Permissions in section JMap Server. Select the Super administrators tab.
The following table presents administration tasks with examples, and indicates which profile or permission is required to perform each task.
Tasks | Super Administrator | Administrator |
---|---|---|
Access JMap Admin | YES | If permission Access JMap Admin |
Manage the list of Super administrators | YES | NO |
Manage global administration permissions • Give an administrator permission to create projects • Remove an administrator’s permission to create spatial data sources • Give an administrator permission to create metadata templates for layers. | YES | NO |
Perform management tasks for JMap Server • Modify JMap Server’s working parameters (ports, memory, etc.) • Manage users and groups • Import and export JMap Server configurations • View log files or modify their settings | YES | NO (can change user account password) |
Create a resource • Create a project • Create a database • Create an application deployment | YES | If permission Create … |
Use a resource • Use a database to create a spatial data source • Use a data source to create a layer • Use a connection to JMap Server to create a layer by reference | YES | If permission Access … |
View detailed information about a resource • Click on a database and view all of its parameters • Click on a project to view all of its parameters | YES | If permission Access … |
Modify a resource • Change the name of a project • Add a layer in a project • Modify the connection parameters for a database • Modify the projection of a spatial data source | YES | If permission Administrate … |
Delete a resource • Delete a project • Delete an application deployment • Delete a style template | YES | If owner of the resource |
Manage user permissions of a resource • Give a user permission to open a project • Give a user permission to edit the elements of a project layer • Remove a user’s permission to copy the data of a project layer | YES | If permission Administrate |
Manage the administrator permissions of a resource • Give an administrator permission to use a spatial data source • Give an administrator permission to modify a project • Remove an administrator’s permission to modify a database | YES | If owner of the resource |
Manage the list of owners of a resource | YES | If owner of the resource |
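The administration rules in the table above, expressed as an authorization check in an added example that is not JMap's own code. The `Server`, `Resource` and `is_allowed` names are hypothetical, and one gate is an assumption rather than a statement from the page: a non-super administrator is denied every task unless they hold the Access JMap Admin permission. The sample accounts and resources are constructed.

```python
"""Added example (not JMap's code): who may perform which JMap Admin task,
following the Super Administrator / Administrator table."""
from dataclasses import dataclass, field

# Global permissions granted in the Permissions subsection of JMap Server.
CREATE_PERMISSIONS = {"create database", "create remote connection", "create deployment",
                      "create metadata templates", "create style templates",
                      "create project", "create data source"}
# Tasks reserved to super administrators.
SUPER_ADMIN_ONLY = {"manage super administrators", "manage global permissions",
                    "manage users and groups", "modify server parameters",
                    "view log files", "import/export configuration"}


@dataclass
class Resource:
    name: str
    owners: set = field(default_factory=set)
    # admin -> subset of {"access", "administrate", "use sql console", "remote access"}
    admin_permissions: dict = field(default_factory=dict)


@dataclass
class Server:
    super_admins: set = field(default_factory=set)
    global_permissions: dict = field(default_factory=dict)  # admin -> set of global permissions

    def is_allowed(self, admin: str, task: str, resource: Resource = None) -> bool:
        if admin in self.super_admins:
            return True  # super administrators can do everything in JMap Admin
        held_global = self.global_permissions.get(admin, set())
        if "access jmap admin" not in held_global:
            return False  # assumption: nothing can be done without access to JMap Admin
        if task == "access jmap admin":
            return True
        if task in SUPER_ADMIN_ONLY:
            return False
        if task in CREATE_PERMISSIONS:
            return task in held_global
        # Everything below concerns one resource.
        if resource is None:
            return False
        held = resource.admin_permissions.get(admin, set())
        if task in {"use resource", "view resource"}:
            return "access" in held
        if task in {"modify resource", "manage user permissions"}:
            return "administrate" in held
        if task in {"delete resource", "manage admin permissions", "manage owners"}:
            return admin in resource.owners
        if task in {"use sql console", "remote access"}:
            return task in held
        return False  # unknown task: deny by default


def build_sample():
    """Constructed sample: one super administrator and three ordinary administrators."""
    server = Server(
        super_admins={"root"},
        global_permissions={"alice": {"access jmap admin", "create project"},
                            "bob": {"create project"},  # never granted Access JMap Admin
                            "dave": {"access jmap admin"}},
    )
    project = Resource("project:city", owners={"alice"},
                       admin_permissions={"alice": {"administrate"}, "dave": {"access"}})
    return server, project


if __name__ == "__main__":
    server, project = build_sample()
    for admin in ("root", "alice", "bob", "dave"):
        print(admin, [t for t in ("create project", "modify resource", "delete resource")
                      if server.is_allowed(admin, t, project)])
```

The ownership rule is the one that matters most when reviewing a configuration: an administrator with Administrate on a project can reshape it and hand out user permissions, but only an owner (or a super administrator) can delete it or change who administers it.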
Permission reports
Permission reports allow you to view all the permissions that a user or a group has on a single report. A permission report is a convenient way to get the information without checking every resource. The reports are accessible from the Users and Groups tabs in the Users / Groups section, by clicking on .
Single Sign-On
Single sign-on provides a secure way for users to access JMap Pro applications without having to enter their credentials again. The Windows session authentication is used to automatically launch the JMap session. Single sign-on is only available for Windows environments using Active Directory. A special configuration is required on the Windows server and on each computer where single sign-on is wanted. Note that the Enable single sign-on option must also be selected when deploying a JMap Pro application.
For more details on single sign-on configuration, refer to this article.
Managing Sessions
Each user that is connected to JMap Server using a JMap application has an open session on the server. The session remains open as long as the JMap application is not closed. Sessions contain information about the identity of the user. Depending on your license agreement, you may be limited to a certain number of simultaneous sessions.
To access the session management section, click on Sessions in the JMap Server section.
Five different types of sessions are possible. The following table describes each type of session.
Type of JMap session | |
---|---|
JMap Pro | This type of session is used when a user connects to JMap Server using a JMap Pro application. The number of concurrent sessions of this type is defined by your JMap license. |
JMap Survey | This type of session is used when a user connects to JMap Server using JMap Survey. The number of concurrent sessions of this type is defined by your JMap license. |
JMap Web | This type of session is used when a user connects to JMap Server using a JMap Web application. The number of concurrent sessions of this type is defined by your JMap license. |
JMap Admin | This type of session is opened when a user connects to JMap Admin to administrate JMap Server. This type of session is not controlled, therefore the number of concurrent JMap Admin sessions is unlimited. |
JMap Server | This type of session is used when a JMap Server connects to another JMap Server. The session opens on the server that accepted the connection. This type of session is used for JMap to JMap data sharing. This type of session must be authorized by your JMap user license. |
Active sessions
You can view the list of open sessions. By selecting the Active sessions tab, the list of current sessions will be displayed along with useful information on each session. You can close open sessions by selecting them and clicking on Close session(s).
Reserved sessions
Reserved sessions are special sessions for users who have priority over the other users. These users can always open a JMap Pro, JMap Web or JMap Survey session, even if the maximum number of sessions is reached, according to your license. These reserved sessions are recorded separately from the rest of the sessions.
If your JMap user license permits it, you can assign a certain number of reserved sessions to the users of your choice. Press to select a user and assign him/her a reserved session. Once the maximum number of reserved sessions has been assigned, you cannot assign any to other users. You can remove a reserved session from a user by selecting that person’s name and clicking on .
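A model of the session rules described above, as an added example that is not JMap's own code: per-type license limits for JMap Pro, JMap Web and JMap Survey, uncontrolled JMap Admin sessions, JMap Server sessions that must be authorized by the license, and reserved sessions that let priority users connect once the limit is reached. The `SessionManager` class and the license values are constructed, and one ordering is an assumption: a user who holds a reserved session draws on the normal pool first and on their reserved allowance only when that pool is full.

```python
"""Added example (not JMap's code): license-limited sessions, uncontrolled
JMap Admin sessions and reserved sessions for priority users."""
from dataclasses import dataclass
import itertools

UNCONTROLLED_TYPES = {"JMap Admin"}  # number of concurrent sessions is unlimited


class LicenseError(Exception):
    """Raised when the license does not allow another session."""


@dataclass
class Session:
    id: int
    user: str       # identity of the connected user
    type: str       # JMap Pro, JMap Web, JMap Survey, JMap Admin or JMap Server
    reserved: bool  # recorded separately from the normal sessions


class SessionManager:
    def __init__(self, license_limits: dict, reserved_quota: dict):
        self.limits = license_limits          # type -> max concurrent normal sessions
        self.reserved_quota = reserved_quota  # user -> reserved sessions assigned to them
        self.sessions = {}
        self.peak = {}                        # type -> highest concurrent count (statistics)
        self._ids = itertools.count(1)

    def active(self, session_type: str, reserved=None) -> list:
        return [s for s in self.sessions.values()
                if s.type == session_type and (reserved is None or s.reserved == reserved)]

    def open_session(self, user: str, session_type: str) -> Session:
        if session_type in UNCONTROLLED_TYPES:
            reserved = False
        elif session_type not in self.limits:
            raise LicenseError(f"{session_type} sessions are not authorized by the license")
        elif len(self.active(session_type, reserved=False)) < self.limits[session_type]:
            reserved = False  # assumption: normal pool is used first
        else:
            # Limit reached: only a user with an unused reserved session may still connect.
            in_use = sum(1 for s in self.sessions.values() if s.user == user and s.reserved)
            if in_use >= self.reserved_quota.get(user, 0):
                raise LicenseError(f"maximum number of {session_type} sessions reached")
            reserved = True
        session = Session(next(self._ids), user, session_type, reserved)
        self.sessions[session.id] = session
        count = len(self.active(session_type))
        self.peak[session_type] = max(self.peak.get(session_type, 0), count)
        return session

    def close_session(self, session_id: int) -> None:
        """Equivalent of selecting a session and clicking Close session(s)."""
        self.sessions.pop(session_id)


if __name__ == "__main__":
    # Constructed license: two JMap Pro sessions, one reserved session for dave.
    manager = SessionManager({"JMap Pro": 2}, {"dave": 1})
    for user in ("alice", "bob", "carol", "dave"):
        try:
            s = manager.open_session(user, "JMap Pro")
            print(user, "connected", "(reserved)" if s.reserved else "")
        except LicenseError as err:
            print(user, "refused:", err)
```

Closing a session returns its slot to the pool; the peak counter is what the Highest number of concurrent sessions statistic reports for a period.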
Statistics
Session statistics provide basic information on user activity over time. You can determine the total number of sessions over a given period and the highest number of concurrent sessions reached over a period of time. Statistics are displayed in a bar graph. Click on Update to generate the graph.
Session statistics | |
---|---|
Display | Select the information to display, either the Total number of sessions or the Highest number of concurrent sessions. |
Users | Select one or more users for which the information will be displayed. |
Time unit | Select the time unit to be used to display information. Possible units are Hour, Day, Week or Month. |
The sessions information is stored in the JMap System database for a period of 18 months. Sessions that are older than 18 months are automatically deleted from the System database.
Using HTTPS with JMap
The HTTPS protocol allows you to use JMap in a more secure way by encrypting all communication between the JMap applications, JMap Admin and JMap Server.
Using HTTPS with JMap Admin
In order to use HTTPS with JMap Admin, you must install a security certificate in JMap Server. A security certificate is required for data encryption.
During the JMap installation process, an option is available to create and automatically install a temporary security certificate. This type of certificate ensures communication will be well secured, but it will cause warning messages to display in web browsers because it is not issued by a recognized security organization (CA or Certificate Authority).
You can also install a security certificate issued specifically for your organization, if you have one. For detailed steps on how to install a certificate, read the following article: https://k2geospatial.atlassian.net/wiki/x/EQAtAQ.
Once the security certificate has been installed in JMap Server, you can launch JMap Admin with a URL similar to the following:
https://myserverjmap (assuming the default port 443 is used)
At any time, if you wish to force the use of the HTTPS protocol for JMap Admin, you can enable automatic redirection. For more information, refer to the JMap Server Settings section.
Using HTTPS with JMap applications
When you deploy JMap Pro or Web applications with JMap Admin, you can indicate which protocol (HTTP or HTTPS) will be used for communication between the application and JMap Server. If the deployment type is local (app hosted on JMap Server), the HTTPS protocol is available only if a security certificate is installed on JMap Server. It is the same certificate as the one used for JMap Admin (read above). If the deployment type is external (app hosted on another Web server), both protocols are always offered.
For JMap Pro, the HTTP and HTTPS protocols are used only if the Proxy connection option is selected during deployment.