User authentication
JDBCLoginModule
Configure Kpow to read authentication and role information from a database via JDBC.
In Depth: For specifics on JAAS / JDBC configuration see the Jetty JDBCLoginModule docs.
Configuration
To enable JDBCLoginModule authentication you must:
- Create a JAAS configuration file
- Set the AUTH_PROVIDER_TYPE=jetty environment variable
- Start the JAR or Docker container with -Djava.security.auth.login.config=/path/to/jaas.conf
JAAS configuration
Create a JAAS JDBC configuration file (the kpow realm is very important).
kpow {
org.eclipse.jetty.jaas.spi.JDBCLoginModule required
dbUrl="jdbc:hsqldb:."
dbUserName="sa"
dbDriver="org.hsqldb.jdbcDriver"
userTable="myusers"
userField="myuser"
credentialField="mypassword"
userRoleTable="myuserroles"
userRoleUserField="myuser"
userRoleRoleField="myrole";
};
Environment configuration
To activate Jetty JAAS authentication set the environment variable AUTH_PROVIDER_TYPE=jetty
JAR startup
Specify the JAAS config file by setting the following system property when starting the JAR:
-Djava.security.auth.login.config=/path/to/jaas.conf
Note: System properties must come after java but before -jar.
AUTH_PROVIDER_TYPE=jetty \
<... more env vars ...> \
java -Djava.security.auth.login.config=/opt/kpow/jaas.conf -jar /opt/kpow/latest.jar
Docker container startup
Note: The JVM provides an environment variable called JAVA_TOOL_OPTIONS that can be used in place of system properties. We use this to thread the JAAS config to Docker.
Set the env var JAVA_TOOL_OPTIONS=-Djava.security.auth.login.config=/path/to/jaas.conf
Note: When your JAAS config is on the host machine and not within the container you will need to configure a docker volume mount so that Kpow can read that configuration:
docker run --volume="/config/path:/config/path/" -p 3000:3000 --env-file ...
When starting the docker container you will see logging output similar to:
Picked up JAVA_TOOL_OPTIONS: -Djava.security.auth.login.config=/path/to/jaas.conf
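A pre-flight check that can be run before either startup method, as an added example (not part of Kpow or Jetty). It confirms that the JAAS file has a kpow realm, references JDBCLoginModule, sets the options used in the configuration above, and that AUTH_PROVIDER_TYPE is jetty. The function name check_kpow_jaas is hypothetical, and the check assumes one option per line.

```shell
#!/bin/sh
# Added example: pre-flight check for the JDBC JAAS setup on this page.
# check_kpow_jaas is a hypothetical helper, not part of Kpow or Jetty.
# Assumes one option per line, as in the page's example realm.
JAAS_OPTIONS="dbUrl dbUserName dbDriver userTable userField credentialField
userRoleTable userRoleUserField userRoleRoleField"

check_kpow_jaas() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf" >&2; return 1; }
    # The realm name must be exactly "kpow".
    grep -Eq '^[[:space:]]*kpow[[:space:]]*\{' "$conf" ||
        { echo "FAIL: no kpow realm in $conf" >&2; rc=1; }
    grep -Fq 'org.eclipse.jetty.jaas.spi.JDBCLoginModule' "$conf" ||
        { echo "FAIL: JDBCLoginModule not referenced" >&2; rc=1; }
    # Anchor at line start so userField does not match userRoleUserField.
    for opt in $JAAS_OPTIONS; do
        grep -Eq "^[[:space:]]*${opt}[[:space:]]*=" "$conf" ||
            { echo "FAIL: option missing: $opt" >&2; rc=1; }
    done
    [ "${AUTH_PROVIDER_TYPE:-}" = "jetty" ] ||
        { echo "FAIL: AUTH_PROVIDER_TYPE is not jetty" >&2; rc=1; }
    # The file holds database connection settings; flag world-readable copies.
    [ -z "$(find "$conf" -prune -perm -004 2>/dev/null)" ] ||
        echo "WARN: $conf is world-readable" >&2
    return "$rc"
}

# Constructed sample: the page's realm, written to a temp file for the demo.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
kpow {
  org.eclipse.jetty.jaas.spi.JDBCLoginModule required
  dbUrl="jdbc:hsqldb:."
  dbUserName="sa"
  dbDriver="org.hsqldb.jdbcDriver"
  userTable="myusers"
  userField="myuser"
  credentialField="mypassword"
  userRoleTable="myuserroles"
  userRoleUserField="myuser"
  userRoleRoleField="myrole";
};
EOF
( AUTH_PROVIDER_TYPE=jetty; check_kpow_jaas "$demo_conf" ) &&
    echo "OK: sample config passes the pre-flight check"
rm -f "$demo_conf"
```

For Docker, run the check against the host path that is volume-mounted into the container.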
User experience
When configured, your users will be prompted to authenticate on each new browser session.