Versions Compared

Old Version 14

changes.mady.by.user Tim Donohue

Saved on

compared with

New Version 15

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: user registration docs

...

An authentication method is a class that implements the interface org.dspace.authenticate.AuthenticationMethod. It authenticates a user by evaluating the credentials (e.g. username and password) he or she presents and checking that they are valid.

The basic authentication procedure in the DSpace Web UI is this:

  1. A request is received from an end-user's browser that, if fulfilled, would lead to an action requiring authorization taking place.
  2. If the end-user is already authenticated:
    • If the end-user is allowed to perform the action, the action proceeds
    • If the end-user is NOT allowed to perform the action, an authorization error is displayed.
    • If the end-user is NOT authenticated, i.e. is accessing DSpace anonymously:
  3. The parameters etc. of the request are stored.
  4. The Web UI's startAuthentication method is invoked.
  5. First it tries all the authentication methods which do implicit authentication (i.e. they work with just the information already in the Web request, such as an X.509 client certificate). If one of these succeeds, it proceeds from Step 2 above.
  6. If none of the implicit methods succeed, the UI responds by putting up a "login" page to collect credentials for one of the explicit authentication methods in the stack. The servlet processing that page then gives the proffered credentials to each authentication method in turn until one succeeds, at which point it retries the original operation from Step 2 above.
    Please see the source files AuthenticationManager.java and AuthenticationMethod.java for more details about this mechanism.

Authentication by Password

...

  • Use of inbuilt e-mail address/password-based log-in. This is achieved by forwarding a request that is attempting an action requiring authorization to the password log-in servlet, /password-login. The password log-in servlet (org.dspace.app.webui.servlet.PasswordServlet) contains code that will resume the original request if authentication is successful, as per step 3. described abovesending login information to the "/api/authn/login" endpoint of the REST API, in order to obtain a JSON Web Token.  This JSON Web token must be sent on every later request which requires authentication.
  • Users can register themselves (i.e. add themselves as e-people without needing approval from the administrators), and can set their own passwords when they do this
  • Users are not members of any special (dynamic) e-person groups
  • You can restrict the domains from which new users are able to register. To enable this feature, uncomment the following line from dspace.cfg: authentication.password.domain.valid = example.com Example options might be '@example.com' to restrict registration to users with addresses ending in @example.com, or '@example.com, .ac.uk' to restrict registration to users with addresses ending in @example.com or with addresses in the .ac.uk domain.

...

Configuration File:

[dspace]/config/modules/authentication-password.cfg

Property:

user.registration

Example Value:user.registration = false
Informational Note:This option allows you to disable all self-registration.  When set to "false", no one will be able to register new accounts with your system.  Default is "true".

Property:

authentication-password.domain.valid

Example Value:

authentication-password.domain.value = @mit.edu, .ac.uk

Informational Note:

This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses. (This setting only works when user.registration=true)

Property:

authentication-password.login.specialgroup

Example Value:

authentication-password.login.specialgroup = My DSpace Group

Informational Note:

This option allows you to automatically add all password authenticated user sessions to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session.

Property:

authentication-password.digestAlgorithm

Example Value:

authentication-password.digestAlgorithm = SHA-512

Informational Note:

This option specifies the hashing algorithm to be used in converting plain-text passwords to more secure password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system. At least MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 should be available, but you may have installed others. Most sites will not need to adjust this.

Property:

authentication-password.regex-validation.pattern

Example Value:

authentication-password.regex-validation.pattern = ^.{8\,}$

Informational Note:

This option specifies a regular expression which all new passwords MUST validate against.  By default, DSpace just requires a new password to be 8 or more characters (see above example value). However, sites can modify this regex in order to require more robust passwords of all users.  One example of a complex rule is:

authentication-password.regex-validation.pattern = ^(?=.*?[a-z])(?=.*?[A-Z])(?=\\S*?[0-9])(?=\\S*?[!?$@#$%^&+=]).{8\,15}$

This example requires all users to adopt a more complex password:

  • (?=.*?[a-z]) - the password must contain at least one lowercase character

  • (?=.*?[A-Z]) - the password must contain at least one uppercase character

  • (?=\\S*?[0-9]) - the password must contain at least one numeric character

  • (?=\\S*?[!?$@#$%^&+=]) - the password must contain at least one of the following special character: !?$@#$%^&+=

  • .{8\,15} - the password must be at least 8 and at most 15 characters long  (NOTE: the "\," is required to escape the comma, which is a special character)

...