Security
Table of contents
- Managing Users
- Managing User Accounts and Groups
- Managing Permissions
- Single Sign-On for JMap Pro
- Managing Sessions
- Using HTTPS with JMap
Security management in JMap encompasses several aspects.
Identity management can be handled by JMap Server or assigned to another system, such as Microsoft Active Directory, an LDAP directory, or identity managers with web-based single sign-on (SSO) such as OpenID Connect or SAML. See the Managing Users and Managing User Accounts and Groups sections for more information. JMap also supports single sign-on for JMap Pro users. See the Single Sign-On for JMap Pro section for more information.
Access management, or rather permission management, is applied to all the resources handled by JMap. This includes user access to JMap applications as well as the access permissions of JMap administrators. See the Managing Permissions section for more information.
JMap allows you to easily use the HTTPS protocol for JMap Admin and for the various applications. See section Using HTTPS with JMap for more information.
Managing Users
In JMap Admin, the user manager configuration can be accessed by clicking on Users / Groups in the JMap Server section. Select the User manager tab.
The user manager allows you to define how JMap will manage user accounts and groups. There are two ways to manage this information with JMap:
- Using the JMap user account database: you create and delete the user accounts directly from JMap Admin;
- By connecting to an existing database of user accounts, such as a Windows Active Directory system, an LDAP-compatible system or a relational database, or by connecting to an identity manager using protocols such as SAML2 or OpenID Connect.
Several systems can also be combined to be used simultaneously (e.g. the JMap database and Windows Active Directory). These systems are then used as a single system. When JMap Server connects to an existing database, user account management is simplified because no account or user group needs to be created and managed in JMap.
The following sections describe each available option.
JMap DB user manager
This type of user account management records users and groups directly into JMap Server’s System database or in an external database containing the required tables and fields. The JMap administrator must create and manage all user accounts and groups.
Click on the User manager tab from the Users / Groups section. Select JMap DB user manager to indicate that user accounts will be managed within a relational database. To store information in JMap Server’s System database, select the JMap Server database option.
You can also use any relational database that contains at least the required tables and fields by selecting the External database option. When you do this, an interface displays, allowing you to define the configuration parameters. Using this configuration interface, select the database you wish to use. Afterwards, select the tables and fields containing the various information pertaining to users and groups. If needed, you can select Read-only mode to prevent account information from being modified by JMap Admin.
Once this configuration has been defined, you can create, modify and delete user accounts directly from JMap Admin.
Composite user manager
This type of user management allows you to combine several managers together. You can add as many user managers as necessary. All user managers will function as a single user manager. Refer to the previous sections for information on user manager configuration.
A composite user manager is recommended if your system integrates several managers or if you wish to transition towards a web-based single sign-on system.
Active Directory user manager
You can connect to Windows Active Directory (in read-only mode). In order for the Active Directory user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ad=com.kheops.jmap.server.security.ActiveDirectoryUserManager
We recommend you use the Composite user manager instead of simply using the Active Directory user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of Active Directory.
In the User manager section, select the Composite user manager and add the Active Directory user manager. A new interface opens, allowing you to enter the settings to configure the connection to the Active Directory server.
Active Directory | |
---|---|
Friendly name | Name used to easily identify the Active Directory user manager. |
Server address | Address of the Windows domain controller server configured with Active Directory. You can add several Active Directory servers by separating them with a space. Example: ldap://host1 ldap://host2 where host1 and host2 are the Active Directory server URLs. Active Directory is based on LDAP. |
DN | Unique identifier (Distinguished Name) pointing at the root of the directory. Composed of a list of DC (Domain Component) entries. Example: dc=k2,dc=com |
Domain | Name of the Windows domain. Example: k2.com |
User / SPN | User name that JMap Server will use to connect to the Active Directory. It is recommended to create a user especially for JMap. Its password should never expire. If you wish to use single sign-on, you will have to create an SPN (Service Principal Name) associated with this user. See Single Sign-On for more details. |
Password | Password of the user JMap Server will use to connect to the Active Directory. |
Admin. password | A user named administrator must always exist in JMap. If no administrator user exists in the Active Directory, JMap will simulate one. In such a case, provide the password associated with this user. If the user administrator does exist in the Active Directory and a password is entered, this password will simply be ignored. |
Enable single sign-on | Enables the single sign-on option. See Single Sign-On for more details. |
Default / Custom LDAP configuration | Active Directory is based on LDAP. This option allows for the use of LDAP parameters that are most commonly used for Active Directory. However, if those parameters don’t match the ones in use, it is possible to specify custom values. The settings are described in the following section, JMap LDAP user manager. |
Max page size | Active Directory limits the transaction size to a maximum number of records at a time (page size). The value of this parameter must not be greater than the maximum size authorized by Active Directory (1000 is the default value in Active Directory). If the size is too small, this can reduce performance. A size greater than the authorized limit will cause missing data in the user list. |
JMap LDAP user manager
You can connect to any LDAP compliant directory (in read-only mode). Unix, Linux and Windows systems offer many LDAP compliant directories.
In order for the JMap LDAP user manager option to be available in the User manager tab of the Users / Groups section in JMap Admin, you must include the following line in the JMAP_HOME/conf/jmapserver.properties file:
usermanager.ldap=com.kheops.jmap.server.security.LDAPUserManager
We recommend you use the Composite user manager instead of simply using the LDAP user manager. This will allow you to maintain access to JMap Admin even if errors arise in the configuration of LDAP.
In the User manager section, select the Composite user manager and add the JMap LDAP user manager. A new interface opens, allowing you to enter the settings to configure the connection to the LDAP server.
JMap LDAP user manager | |
---|---|
Friendly name | Name used to easily identify the LDAP user manager. |
Server URL | LDAP server address. You can add several LDAP servers by separating the addresses with a space. Example: ldap://host1 ldap://host2 where host1 and host2 are the URLs of the LDAP servers. |
DN | Unique identifier (Distinguished Name) used to define the root of the directory. Includes a list of Domain Component entries. Example: dc=k2geospatial,dc=com |
User | User name that will be used by JMap Server to connect to the LDAP directory. It is recommended to have a user created specifically for JMap purposes. This user’s password should never expire. The user name must be accompanied by the domain the user belongs to. Example: cn=admin,dc=k2geospatial,dc=com |
Password | The user password that JMap Server will use to connect to the LDAP directory. |
Admin. password | A user named administrator must always exist in JMap. If there is no administrator user in the LDAP directory, JMap will simulate one. In this case, you must provide the password associated with this user. If the administrator user exists in the LDAP directory and a password is entered, it will be ignored. |
Use prefix and suffix | Select this option if the LDAP server uses a prefix and a suffix for user authentication. |
Authentication prefix | Some LDAP servers require a prefix to be concatenated with the user name in order to proceed with authentication. Example: Prefix: a_domain\ User: a_user Result: a_domain\a_user |
Authentication suffix | Some LDAP servers require a suffix to be concatenated with the user name to proceed with authentication. Example: Suffix: @a_domain User: a_user Result: a_user@a_domain |
User class | Name of the LDAP object class used to identify a user in the LDAP directory. This setting and the ones that follow depend on the internal structure of the LDAP server, i.e. the way the users are organized into groups. This information is used to identify the LDAP users and groups. You must indicate the corresponding parameters in the LDAP server to which you connect. |
Group class | Name of the LDAP object class used to identify a group in the LDAP directory. |
User filter | Search filter used to extract users from the LDAP directory. This filter must be formatted according to the standard LDAP syntax. |
Group filter | Search filter used to extract groups from the LDAP directory. This filter must be formatted according to the standard LDAP syntax. |
User attribute | The attribute of an LDAP user that defines this user’s identity. |
Group attribute | The attribute of an LDAP group that defines this group’s identity. |
Member attribute | The attribute of an LDAP group that defines which users are members of this group. |
Full name attribute | The attribute of an LDAP user that defines this user’s full name. |
Email attribute | The attribute of an LDAP user that defines this user’s email address. |
Max page size | In LDAP directories, the size of transactions is limited to a maximum number of records at once (the page size). The value of this parameter must not exceed the maximum size permitted by the directory (1000 is the default value in LDAP directories). If the size is too small, this could affect performance. If the size is larger than the authorized limit, data will be missing in the user list. |
For more information on the LDAP protocol, refer to http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol.
OpenID Connect (OIDC) user manager
You can allow users who already have an account in OpenID Connect (OIDC) user managers to connect to JMap Web and JMap NG applications using that account.
For detailed information on this protocol, visit the OpenID Connect 1.0 website.
Configuring an OIDC user manager is complex. Your organization’s IT department will provide the OIDC settings. The following table describes the settings related to JMap.
OIDC user manager | |
---|---|
Friendly name | This name allows you to easily identify the OIDC user manager in JMap Server and identify the users from this manager. |
Administrator password | An administrator is automatically created when this manager is used. You must enter the password of this account in this field. |
Groups | Unlike with Active Directory and LDAP, user accounts from the OIDC manager are not known in advance because they are created as the users connect to a JMap Web or JMap NG application. That said, how can permissions be granted on JMap’s resources to users who are not known in advance? Groups that are defined in advance allow you to grant permissions related to JMap’s resources. When a user connects to a JMap application for the first time, OIDC assigns the user to one or more of the groups defined in Groups attribute based on the information in that user’s profile. Since the OIDC user manager is in read-only mode, you cannot create users or groups in JMap’s Users and Groups sections. This setting allows you to create groups by entering their names. Afterwards, you can grant permissions to these groups, which contain the users from OIDC. There must be an exact match between the names of the groups in OIDC and the groups you create using this setting. If a user connects to an application for the first time via OIDC and his/her profile indicates a group that doesn’t exist in JMap, the group will be created automatically and will be displayed in the Groups section. |
Default group | Select the group to which you will assign all users who are not assigned to a group in OIDC (in Groups attribute). Example: you can create a group called Guests; all users who connect to a JMap Web or JMap NG application for the first time and whose OIDC profile doesn’t indicate a group will be assigned to this Guests group. You can grant access permissions to the Guests group for a specific project. |
Button image | This image appears in the homepage of the JMap Web or JMap NG application and identifies the access to the OIDC manager to log in. Press Choose to select the image. The image must have a maximum size of 100 * 100 pixels. |
Button label | This text appears in the identification button with the image. |
SSO callback URL | Your IT department will provide this information. |
Client name | The name given by JMap to the OIDC user manager. This name integrates and completes the URL of the OIDC manager. |
Discovery URI | Your IT department will provide this information. |
Client ID | Your IT department will provide this information. |
Client secret | Your IT department will provide this information. |
Scope | Your IT department will provide this information. |
Response type | Your IT department will provide this information. |
Response mode | Your IT department will provide this information. |
Use nonce | Your IT department will provide this information. |
With state | Your IT department will provide this information. |
Disable PKCE | Your IT department will provide this information. |
Username / ID attribute | Optional setting. Indicates the attribute containing the user name in OIDC. Your IT department will provide this information. |
Email attribute | Optional setting. Indicates the attribute containing the email address in OIDC. Your IT department will provide this information. |
First name attribute | Optional setting. Indicates the attribute containing the user’s first name in OIDC. Your IT department will provide this information. |
Last name attribute | Optional setting. Indicates the attribute containing the user’s last name in OIDC. Your IT department will provide this information. |
Groups attribute | Optional setting. Indicates the customizable attribute that allows you to define groups in OIDC to which the users are assigned. These groups are displayed in the Users and Groups sections in JMap. Your IT department will assist you with this setting. |
SAML2 user manager
You can allow users who already have an account in an identity manager that uses SAML2 to connect to JMap Web and JMap NG applications using that account.
SAML is an open standard that establishes a single sign-on between an identity manager and an application server such as JMap. This site provides details on SAML2.
Configuring a SAML2 user manager is complex. Your organization’s IT department will provide the settings related to SAML2. The following table describes the settings related to JMap.
SAML2 user manager | |
---|---|
Friendly name | This name allows you to easily identify the SAML2 user manager in JMap Server and identify the users from this manager. |
Administrator password | An administrator is automatically created when this manager is used. You must enter the password of this account in this field. |
Groups | Unlike with Active Directory and LDAP, user accounts from the SAML2 manager are not known in advance because they are created as the users connect to a JMap Web or JMap NG application. That said, how can permissions be granted on JMap’s resources to users who are not known in advance? Groups that are defined in advance allow you to grant permissions related to JMap’s resources. When a user connects to a JMap application for the first time, SAML2 assigns the user to one or more of the groups defined in Groups attribute based on the information in that user’s profile. Since the SAML2 user manager is in read-only mode, you cannot create users or groups in JMap’s Users and Groups sections. This setting allows you to create groups by entering their names. Afterwards, you can grant permissions to these groups, which contain the users from SAML2. There must be an exact match between the names of the groups in SAML2 and the groups you create using this setting. If a user connects to an application for the first time via SAML2 and his/her profile indicates a group that doesn’t exist in JMap, the group will be created automatically and will be displayed in the Groups section. |
Default group | Select the group to which you will assign all users who are not assigned to a group in SAML2 (in Groups attribute). Example: you can create a group called Guests; all users who connect to a JMap Web or JMap NG application for the first time and whose profile in SAML2 doesn’t indicate a group will be assigned to this Guests group. You can grant access permissions to the Guests group for a specific project. |
Button image | This image appears in the homepage of the JMap Web or JMap NG application and identifies the access to the SAML2 manager to log in. Press Choose to select the image. The image must have a maximum size of 100 * 100 pixels. |
Button label | This text appears in the identification button with the image. |
SSO callback URL | Your IT department will provide this information. |
Client name | The name given by JMap to the SAML2 user manager. This name integrates and completes the URL of the SAML2 manager. |
IdP Metadata | Your IT department will provide this information. |
SP Entity ID | Your IT department will provide this information. |
Username / ID attribute | Optional setting. Indicates the attribute containing the user name in SAML2. Your IT department will provide this information. |
Email attribute | Optional setting. Indicates the attribute containing the email address in SAML2. Your IT department will provide this information. |
First name attribute | Optional setting. Indicates the attribute containing the user’s first name in SAML2. Your IT department will provide this information. |
Last name attribute | Optional setting. Indicates the attribute containing the user’s last name in SAML2. Your IT department will provide this information. |
Groups attribute | Optional setting. Indicates the customizable attribute that allows you to define groups in SAML2 to which the users are assigned. These groups are displayed in the Users and Groups sections in JMap. Your IT department will assist you with this setting. |
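The first-login group assignment described in the OIDC and SAML2 tables above (Groups, Default group, Groups attribute), modelled as an added example; this is not JMap code. The attribute name `groups`, the `sub` key, the group names and case-sensitive matching are assumptions made for the illustration.

```python
import unicodedata
from dataclasses import dataclass, field

# Constructed sample configuration (assumed names, not JMap defaults).
GROUPS_ATTRIBUTE = "groups"                            # "Groups attribute" setting
PREDEFINED = {"GIS-Editors", "GIS-Viewers", "Guests"}  # names entered in "Groups"
DEFAULT_GROUP = "Guests"                               # "Default group" setting


@dataclass
class Resolution:
    assigned: list = field(default_factory=list)      # groups the user ends up in
    auto_created: list = field(default_factory=list)  # new groups, no permissions yet
    near_misses: dict = field(default_factory=dict)   # IdP name -> predefined look-alike


def _fold(name):
    """Comparison key that ignores Unicode form, case and spacing."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def claim_groups(profile, attribute=GROUPS_ATTRIBUTE):
    """Return the group names in a profile; accepts a list, one string or nothing."""
    raw = profile.get(attribute)
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = [raw]
    names = []
    for item in raw:
        if isinstance(item, str) and item.strip() and item not in names:
            names.append(item)
    return names


def resolve(profile, predefined=PREDEFINED, default_group=DEFAULT_GROUP):
    """Apply the first-login rules described in the tables to one profile."""
    result = Resolution()
    names = claim_groups(profile)
    if not names:
        # No group in the profile: the user lands in the default group.
        if default_group:
            result.assigned.append(default_group)
        return result
    folded = {_fold(p): p for p in predefined}
    for name in names:
        # Assumption: the user becomes a member of every group named in the profile.
        result.assigned.append(name)
        if name in predefined:  # exact match (assumed to be case-sensitive)
            continue
        # Unknown name: per the table, the group is created automatically.
        result.auto_created.append(name)
        lookalike = folded.get(_fold(name))
        if lookalike is not None:
            result.near_misses[name] = lookalike
    return result


def audit(profiles, predefined=PREDEFINED, default_group=DEFAULT_GROUP):
    """Summarise a batch of profiles: groups per user, and names that need fixing."""
    report = {"users": {}, "auto_created": set(), "near_misses": {}}
    for profile in profiles:
        r = resolve(profile, predefined, default_group)
        report["users"][profile["sub"]] = r.assigned
        report["auto_created"].update(r.auto_created)
        report["near_misses"].update(r.near_misses)
    return report


# Constructed profiles, shaped like decoded OIDC claims or SAML2 attributes.
SAMPLE_PROFILES = [
    {"sub": "alice", "groups": ["GIS-Editors"]},
    {"sub": "bob", "groups": ["gis-editors", "Surveyors"]},  # case mismatch
    {"sub": "carol"},                                        # no groups attribute
    {"sub": "dave", "groups": "GIS-Viewers "},               # trailing space
    {"sub": "erin", "groups": []},                           # empty list
]

if __name__ == "__main__":
    rep = audit(SAMPLE_PROFILES)
    for user, groups in rep["users"].items():
        print(f"{user:6} -> {groups}")
    print("auto-created:", sorted(rep["auto_created"]))
    for idp_name, jmap_name in sorted(rep["near_misses"].items()):
        print(f"{idp_name!r} does not exactly match predefined group {jmap_name!r}")
```

A near miss means the user receives a newly created group that carries no permissions instead of the predefined group that was meant, so the name should be aligned on one side before permissions are granted.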
Synchronizing user permissions
When you connect to a user or identity manager that is external to JMap (Active Directory, LDAP, OIDC, SAML2 or an external relational database), it is useful to synchronize JMap Server with the database for two reasons:
- When users or groups are deleted from the database and those deleted users or groups had been given permissions in JMap (e.g. to open a project or view certain layers), the permissions are not deleted from JMap Server permission lists. This can happen because JMap Server is not aware that the users or groups have been deleted from the database. When synchronizing, JMap Server removes all existing permissions for deleted users and groups. However, even if you don’t synchronize, there is no security problem because deleted users will fail at login.
- When the contents of user groups are modified (members added or removed), synchronizing lets JMap Server reload the lists of users that belong to the groups. JMap Server keeps the group member lists in memory for performance reasons.
You can automate the synchronization by selecting the option Synchronize automatically every… and specifying a time period.
Managing User Accounts and Groups
In JMap, user accounts and groups are used for access control and collaboration purposes. You can manage users and groups in JMap Admin by clicking on Users / Groups from the JMap Server section.
Two special users and two special groups always exist in JMap: administrator, anonymous, everyone, and authenticated users.
Special users and groups | |
---|---|
Administrator | The administrator user allows you to access JMap Admin following a new installation (this user has administration rights in JMap). This user’s password field is left blank; it is therefore highly recommended to add a password as soon as possible. Read below for more information. The administrator user always exists in JMap and cannot be deleted. |
Anonymous | The anonymous user allows users who are not authenticated to access certain resources. It can be used to configure access to a project without authentication, for instance. The anonymous user always exists in JMap and cannot be deleted. In addition, this user’s password (blank) cannot be modified. |
Everyone | The everyone group is used to give all users access to a resource, provided they are authenticated. The everyone group is not displayed in the list of JMap groups. It is only visible in interfaces that allow you to define permissions, where applicable. |
Authenticated users | The authenticated users group is used to allow all users except anonymous to access a resource. Authentication is required for this group. |
Creating users and groups
You can create a new user or group by pressing Create from the Users / Groups section. This will bring you to the new user or group configuration section. Note that you can only create users and groups if you are using the JMap account database or an external database that is not in read-only mode.
Users | |
---|---|
User name | Enter a unique user name (login name) for the new user. You will not be able to save it if the name already exists. |
Password | Enter a password for the new user. The password field can be empty but this is not recommended. Users of JMap Web applications can change their password from the application. This is only possible if the user accounts are managed with JMap DB user manager. |
Confirm password | Enter the password a second time to confirm. |
Full name | Enter the full name (first name and last name) for the new user. This is optional. |
Email | Enter the email address of the new user. It is used when sending maps to the user. This is optional. |
Hidden | Select this option if you want the new user to be hidden from user directories. |
Groups | |
---|---|
Group name | Enter a unique group name for the new group. You will not be able to save it if the name already exists. |
Modifying users and groups
You can modify an existing user or group by clicking on its name in the list. Note that once a user is created, its user name cannot be modified. To add users to a group, press and a list of available users will be displayed. Select the users to add to the group and press Add. To remove users from a group, select the users to remove and press .
Deleting users and groups
You can delete a user or group by selecting it in the list and pressing Delete.
Managing Permissions
Permissions in JMap are divided into two families: permissions for the users of applications (Pro, Web and Survey) and permissions for the administrators (JMap Admin).
User permissions
User permissions determine what the users can do inside JMap Pro, JMap Web, and JMap Survey applications.
The following table presents the different permission groups that are available for the users.
User permissions | |
---|---|
Permissions on projects | See section Project Permissions for more information. |
Permissions on layers | See section Layer Permissions for more information. |
Permissions on personal layers | Create personal layers: this permission gives a user the right to create personal layers in JMap Pro applications. By default, JMap users are not allowed to create personal layers. You can configure this permission in subsection Permissions of the JMap Server section. |
Permissions on forms | See section Database Forms for more information. |
Administrator permissions
Administrator permissions determine what JMap administrators are authorized to do in JMap Admin. Some permissions are global (permissions to do some tasks) while other permissions apply to specific resources.
Several of the global permissions are configured in the Permissions subsection of the JMap Server section.
The following table describes the global administration permissions.
Global administration permissions | |
---|---|
Access JMap Admin | This permission is required for an administrator to access JMap Admin. After the installation of JMap, only the administrator user has this permission. Note that the password is initially left empty for this user. It is strongly recommended to enter a password for the administrator user. See section Managing User Accounts and Groups for more information on modifying passwords. Also make sure to leave at least one user with this permission and with a known password. Otherwise, it will be impossible to access JMap Admin. |
Create database | This permission is required for an administrator to create new databases in JMap Admin. |
Create remote connection | This permission is required for an administrator to create new connections to remote JMap Server instances in JMap Admin. |
Create deployment | This permission is required for an administrator to create new application deployments in JMap Admin. |
Create metadata templates | This permission is required for an administrator to create new metadata templates in JMap Admin. |
Create style templates | This permission is required for an administrator to create new style templates in JMap Admin. |
Create project | This permission is required for an administrator to create new projects in JMap Admin. |
Create data source | This permission is required for an administrator to create new spatial data sources in JMap Admin. |
Administration permissions that are specific to resources determine what an administrator can do with each resource. The following table describes those permissions.
Resource specific administration permissions | |
---|---|
Access … | The administrator can view the detailed information of a resource and use the resource, but cannot modify it. Example: To use a spatial data source in order to create a layer, the administrator must at least have the Access permission on the data source. |
Administrate … | Allows the administrator to modify the resource and manage the user permissions for the resource. Does not allow the administrator to delete the resource or manage its administration permissions. Example: To add a layer in a project, the administrator must have the Administrate permission for the project. |
Use SQL console | (Applies only to databases) Allows the administrator to use the SQL console on the database. The SQL console is used to show the database structure and to execute SQL queries on the database. |
Remote access | Allows the administrator to access the resource from another instance of JMap Server. This permission is generally granted to a generic account used to open communication sessions between different instances of JMap Server. For more information, see sections Sharing Layers and Sharing Spatial Data Sources. |
Owners of a resource
Most resources managed in JMap Admin have one or more owners. Owners of a resource are the only ones that are allowed to:
- manage administration permissions for the resource;
- manage the list of owners for the resource;
- delete the resource.
Super administrators
Super administrators are special accounts that can do everything in JMap Admin. They are the only ones who are allowed to:
- manage the list of super administrators;
- manage global administration permissions;
- manage users and groups;
- modify JMap Server’s working parameters;
- display the log files;
- import and export configurations.
You can manage the list of super administrators from subsection Permissions in section JMap Server. Select the Super administrators tab.
The following table presents administration tasks with examples, and indicates which profile or permission is required to perform each task.
Tasks | Super Administrator | Administrator |
---|---|---|
Access JMap Admin | YES | If permission Access JMap Admin |
Manage the list of Super administrators | YES | NO |
Manage global administration permissions • Give an administrator permission to create projects • Remove an administrator’s permission to create spatial data sources • Give an administrator permission to create metadata templates for layers. | YES | NO |
Perform management tasks for JMap Server • Modify JMap Server’s working parameters (ports, memory, etc.) • Manage users and groups • Import and export JMap Server configurations • View log files or modify their settings | YES | NO (can change user account password) |
Create a resource • Create a project • Create a database • Create an application deployment | YES | If permission Create … |
Use a resource • Use a database to create a spatial data source • Use a data source to create a layer • Use a connection to JMap Server to create a layer by reference | YES | If permission Access … |
View detailed information about a resource • Click on a database and view all of its parameters • Click on a project to view all of its parameters | YES | If permission Access … |
Modify a resource • Change the name of a project • Add a layer in a project • Modify the connection parameters for a database • Modify the projection of a spatial data source | YES | If permission Administrate … |
Delete a resource • Delete a project • Delete an application deployment • Delete a style template | YES | If owner of the resource |
Manage user permissions of a resource • Give a user permission to open a project • Give a user permission to edit the elements of a project layer • Remove a user’s permission to copy the data of a project layer | YES | If permission Administrate |
Manage the administrator permissions of a resource • Give an administrator permission to use a spatial data source • Give an administrator permission to modify a project • Remove an administrator’s permission to modify a database | YES | If owner of the resource |
Manage the list of owners of a resource | YES | If owner of the resource |
Permission reports
Permission reports allow you to view all the permissions that a user or a group has on a single report. A permission report is a convenient way to get the information without checking every resource. The reports are accessible from the Users and Groups tabs in the Users / Groups section, by clicking on .
Single Sign-On for JMap Pro
Single sign-on provides a secure way for users to access JMap Pro applications without a separate JMap login. The Windows session authentication is used to open the JMap session automatically. Single sign-on is only available for Windows environments using Active Directory. A special configuration is required on the Windows server and on each computer where single sign-on is wanted. Note that the Enable single sign-on option must also be selected when deploying a JMap Pro application.
For more details on single sign-on configuration, refer to this article.
Managing Sessions
Each user that is connected to JMap Server using a JMap application has an open session on the server. The session remains open as long as the JMap application is not closed. Sessions contain information about the identity of the user. Depending on your license agreement, you may be limited to a certain number of simultaneous sessions.
To access the session management section, click on Sessions in the JMap Server section.
Five different types of sessions are possible. The following table describes each type of session.
Type of JMap session | |
---|---|
JMap Pro | This type of session is used when a user connects to JMap Server using a JMap Pro application. The number of concurrent sessions of this type is defined by your JMap license. |
JMap Survey | This type of session is used when a user connects to JMap Server using JMap Survey. The number of concurrent sessions of this type is defined by your JMap license. |
JMap Web | This type of session is used when a user connects to JMap Server using a JMap Web application. The number of concurrent sessions of this type is defined by your JMap license. |
JMap NG | This type of session is used when a user connects to JMap Server using a JMap NG application. The number of concurrent sessions of this type is defined by your JMap license. |
JMap Admin | This type of session is opened when a user connects to JMap Admin to administrate JMap Server. This type of session is not controlled, therefore the number of concurrent JMap Admin sessions is unlimited. |
JMap Server | This type of session is used when a JMap Server connects to another JMap Server. The session opens on the server that accepted the connection. This type of session is used for JMap to JMap data sharing. This type of session must be authorized by your JMap user license. |
Active sessions
You can view the list of open sessions. Select the Active sessions tab to display the list of current sessions along with useful information on each session. You can close open sessions by selecting them and clicking on Close session(s).
Reserved sessions
Reserved sessions are special sessions for users who have priority over the other users. These users can always open a JMap Pro, JMap Web or JMap Survey session, even if the maximum number of sessions allowed by your license has been reached. These reserved sessions are recorded separately from the rest of the sessions.
If your JMap user license permits it, you can assign a certain number of reserved sessions to the users of your choice. Press to select a user and assign him/her a reserved session. Once the maximum number of reserved sessions has been assigned, you cannot assign any to other users. You can remove a reserved session from a user by selecting that person’s name and clicking on .
Statistics
Session statistics provide basic information on user activity over time. You can determine the total number of sessions over a given period and the highest number of concurrent sessions reached over a period of time. Statistics are displayed in a bar graph. Click on Update to generate the graph.
Session statistics | |
---|---|
Display | Select the information to display, either the Total number of sessions or the Highest number of concurrent sessions. |
Users | Select one or more users for which the information will be displayed. |
Time unit | Select the time unit to be used to display information. Possible units are Hour, Day, Week or Month. |
Session information is stored in the JMap System database for a period of 18 months. Sessions that are older than 18 months are automatically deleted from the System database.
Using HTTPS with JMap
The HTTPS protocol allows you to use JMap in a more secure way by encrypting all communication between JMap applications, JMap Admin, and JMap Server.
Using HTTPS with JMap Admin
In order to use HTTPS with JMap Admin, you must install a security certificate in JMap Server. A security certificate is required for data encryption.
During the JMap installation process, an option is available to automatically create and install a temporary security certificate. This type of certificate still encrypts communication, but it will cause warning messages to display in web browsers because it is not issued by a recognized certificate authority (CA).
You can also install a security certificate issued specifically for your organization, if you have one. For detailed steps on how to install a certificate, read the following article: https://k2geospatial.atlassian.net/wiki/x/EQAtAQ.
Once the security certificate has been installed in JMap Server, you can launch JMap Admin with a URL similar to the following:
https://myserverjmap (assuming the default port 443 is used)
At any time, if you wish to force the use of the HTTPS protocol for JMap Admin, you can enable automatic redirection. For more information, refer to the JMap Server Settings section.
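The two conditions described above, a certificate that browsers accept without warnings and plain HTTP redirected to HTTPS, can be checked from a client machine. The following Python script is an added example, not part of JMap or its documentation; ports 443 and 80 and the path `/` are assumptions, and `myserverjmap` is the sample host name from the URL above.

```python
import http.client
import socket
import ssl

REDIRECT_CODES = (301, 302, 303, 307, 308)


def certificate_status(host, port=443, timeout=5.0):
    """Handshake with full verification, as a browser would.

    Returns ("trusted", None), ("untrusted", reason) or ("unreachable", reason).
    """
    context = ssl.create_default_context()  # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return ("trusted", None)
    except ssl.SSLCertVerificationError as exc:
        # Expected for a certificate that is not issued by a recognized CA.
        return ("untrusted", exc.verify_message)
    except OSError as exc:  # refused, timed out, or not speaking TLS
        return ("unreachable", str(exc))


def http_exposure(host, port=80, path="/", timeout=5.0):
    """Classify the plain-HTTP listener: "redirect", "plaintext" or "closed"."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        if resp.status in REDIRECT_CODES and location.lower().startswith("https://"):
            return "redirect"
        return "plaintext"  # content is served without encryption
    except (OSError, http.client.HTTPException):
        return "closed"  # no usable HTTP listener on this port
    finally:
        conn.close()


def audit(host):
    """Combine both checks into one result; ok means no finding."""
    cert, reason = certificate_status(host)
    plain = http_exposure(host)
    ok = cert == "trusted" and plain in ("redirect", "closed")
    return {"host": host, "certificate": cert, "reason": reason,
            "http": plain, "ok": ok}


if __name__ == "__main__":
    print(audit("myserverjmap"))  # sample host name from this page
```

A result of `untrusted` is what the temporary installation certificate is expected to produce; `plaintext` indicates that automatic redirection is not enabled.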
Using HTTPS with JMap applications
When you deploy JMap Pro or Web applications with JMap Admin, you can indicate which protocol (HTTP or HTTPS) will be used for communication between the application and JMap Server. If the deployment type is local (app hosted on JMap Server), the HTTPS protocol is available only if a security certificate is installed on the JMap Server. This is the same certificate that is used for JMap Admin (see above). If the deployment type is external (app hosted on another Web server), both protocols are always offered.
For JMap Pro, the HTTP and HTTPS protocols are used only if the Proxy connection option is selected during deployment.