Cmobilecom AF 5.19 Developer Guide

11 Authentication

A login bean is shown on the index page if no website is found, and on the manage page if the user is not logged in.

Embed Login in Web Page

A login bean can be embedded into any web page. See Embedded Objects - Login.

Password Encoding

Passwords are encoded with a one-way hash, so it is not possible to recover the plain password from an encoded password. If the user chooses to remember the credential on a trusted device, so that the user can log in automatically from the same device afterwards, a credential cookie is created:
	cookie name: credential
	cookie value: username/double-encoded-password
The password in the cookie is encoded twice with the one-way hash, so the plain password cannot be recovered from it.

The cookie age can be configured in the ViewConfig of an embedded login object with the parameter credential.cookie.age. Its value is a number of days. The default cookie age is 90 days.


	<viewConfig>
		<param name="credential.cookie.age" value="120" />
	</viewConfig>
The cookie expiration date is refreshed every time the cookie is used to authenticate the user successfully. So the cookie never expires as long as the user accesses the system/subsystem before its expiration date.

The credential cookie will be removed in the following cases:

If the user changes the password, the credential cookie becomes invalid. The cookie is removed once the system fails to authenticate the user by the cookie.

Auth Token

When a user is authenticated in one DataAccessUnit (e.g., a system instance) and is then redirected to another DataAccessUnit, the user is signed in automatically at the redirect target if an auth token is generated.

To enable auth token generation, set redirectURL and genAuthToken on the login form:


	LoginBean loginBean = LoginBean.getInstance(containerBean, true);
	LoginForm loginForm = loginBean.getEntity();
	loginForm.setRedirectURL(url);
	loginForm.setGenAuthToken(true);
or set them in the embedded LoginBean XML:

	<object xmlns="http://www.cmobilecom.com/af/objects" type="entity">
		<entityType>System.LOGIN</entityType>
		<mode>INPUT_DATA</mode>

		<criteriaElements>
			<function name="EQ" property="redirectURL">url</function>
			<function name="EQ" property="genAuthToken">true</function>
		</criteriaElements>

		<viewConfig>
			<viewType>ENTITY</viewType>
			<propertiesToShow>username,password</propertiesToShow>
		</viewConfig>
	</object>

An auth token is a randomly generated 80-byte code. It is for one-time use and is valid for only a few seconds. If the user is already logged in at the redirect URL, the auth token is ignored.

Password Policy

The password policy can be configured in the System Config file conf/system-config.xml. A password policy consists of the minimum password length and the types of characters a password must contain. For example, a minimum of 12 characters that must contain uppercase, lowercase, number and special characters:
	<param name="password.policy" value="12,ULNS"/>
Character types:
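An added example, not part of the guide or the framework's own code, showing how a value in the password.policy format above can be parsed and applied to a candidate password. It assumes that the letters U, L, N and S stand for uppercase, lowercase, number and special characters, matching the "12,ULNS" example.

```python
import string

# Assumed mapping of policy letters to character classes (the guide's example
# pairs "12,ULNS" with uppercase, lowercase, number and special characters).
CHAR_CLASSES = {
    "U": ("uppercase letter", lambda c: c.isupper()),
    "L": ("lowercase letter", lambda c: c.islower()),
    "N": ("number", lambda c: c.isdigit()),
    "S": ("special character", lambda c: c in string.punctuation),
}


def parse_policy(value):
    """Parse a password.policy value such as "12,ULNS" into (min_len, classes).

    Raises ValueError for a malformed value or an unknown class letter so a
    typo in the config is caught at load time rather than silently weakening
    the policy.
    """
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError(f"policy must be '<min-length>,<classes>': {value!r}")
    min_len = int(parts[0].strip())
    # Deduplicate letters while keeping their order (dict preserves insertion order).
    classes = "".join(dict.fromkeys(parts[1].strip().upper()))
    unknown = sorted(set(classes) - set(CHAR_CLASSES))
    if unknown:
        raise ValueError(f"unknown character class letters: {unknown}")
    return min_len, classes


def check_password(password, policy="12,ULNS"):
    """Return the list of policy violations; an empty list means the password passes."""
    min_len, classes = parse_policy(policy)
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for letter in classes:
        name, predicate = CHAR_CLASSES[letter]
        if not any(predicate(c) for c in password):
            problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not from the guide.
    for candidate in ("Tr0ub4dor&3x", "password"):
        print(candidate, "->", check_password(candidate) or "ok")
```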

Multi-Factor Authentication

To enhance security, Multi-Factor Authentication (MFA) can be enabled in Security Settings under the System module in the manage center. When a user logs in from a new device or from a device that is not trusted, a one-time 6-digit code is generated and the user is required to verify it. A verification code is valid for 15 minutes, and the user has at most two attempts to enter the correct code.

Prevent Brute-Force Attack

In addition to Multi-Factor Authentication, other measures are in place to prevent brute-force attacks on login.

Enable Instance Selection

By default, a user can log in to the currently bound DataAccessUnit (instanceType or instance). If the currently bound DataAccessUnit is the system instance of an InstanceType, the user can select an instance to log in to. To enable instance selection during login, set the property login.select.instance to true in conf/system.properties.
	login.select.instance=true
Clear the cache under the System module, and system.properties will be reloaded.