
New Wiki Entry: Setting up Basic Security for a demo environment

I’ve put together a new wiki entry that describes the process for setting up basic security using a custom database for credentials. The article describes the process for setting up the OHDSI WebAPI and ATLAS with security enabled. This is useful for those looking to work on developing features that leverage security but may not be in an environment with ‘enterprise’ security established.

http://www.ohdsi.org/web/wiki/doku.php?id=documentation:software:webapi:basic_security

Hi Frank,

Thanks for the wiki article on WebAPI security. I followed the instructions as described, but I keep getting a 404 Not Found error when I submit the login form.

Also, I am not sure which bcrypt hash to use for my password.
Currently, I am using the same email/password combination given on the wiki page.

Here is my settings.xml

<!--
  Maven settings.xml with a single profile (webapi-mssql) that supplies the
  build properties for WebAPI on SQL Server: the main datasource, the Flyway
  migration datasource, and the security settings backed by a credentials
  table queried over JDBC.
-->
<settings>
<profiles>
  <profile>
    <id>webapi-mssql</id>
    <properties>
      <!-- Main application datasource (SQL Server, database cdmtestdb). -->
      <datasource.driverClassName>com.microsoft.sqlserver.jdbc.SQLServerDriver</datasource.driverClassName>
      <datasource.url>jdbc:sqlserver://localhost;databasename=cdmtestdb</datasource.url>
      <!-- NOTE(review): "sa" is SQL Server's built-in sysadmin login. Outside a
           throwaway local demo, use a dedicated login limited to the schemas
           the application needs. -->
      <datasource.username>sa</datasource.username>
      <datasource.password>*****</datasource.password>
      <datasource.dialect>sql server</datasource.dialect>
      <datasource.ohdsi.schema>webapi</datasource.ohdsi.schema>
      <!-- Flyway reuses the main datasource values through property interpolation,
           so migrations run with the same login as the application. -->
      <flyway.datasource.driverClassName>${datasource.driverClassName}</flyway.datasource.driverClassName>
      <flyway.datasource.url>${datasource.url}</flyway.datasource.url>
      <flyway.datasource.username>${datasource.username}</flyway.datasource.username>
      <flyway.datasource.password>${datasource.password}</flyway.datasource.password>
      <flyway.locations>classpath:db/migration/sqlserver</flyway.locations>
      <!-- Security switch for this build. -->
      <security.enabled>true</security.enabled>
      <!-- NOTE(review): "*" is a wildcard. Presumably this is the origin allowed
           to call the API cross-site (confirm against the WebAPI docs); if so,
           set it to the exact ATLAS origin for anything other than a local demo. -->
      <security.origin>*</security.origin>
      <!-- Credential-store datasource: same URL, driver and schema as the main
           datasource, but a different login (ohdsi) from the main one (sa). -->
      <security.db.datasource.url>${datasource.url}</security.db.datasource.url>
        <security.db.datasource.driverClassName>${datasource.driverClassName}</security.db.datasource.driverClassName>
        <security.db.datasource.schema>${datasource.ohdsi.schema}</security.db.datasource.schema>
        <!-- NOTE(review): username and password are identical and look like demo
             defaults. This login has to exist on the server and be able to read
             the demo_security table; give it read access to that table only and
             a non-default password if the instance is reachable by others. -->
        <security.db.datasource.username>ohdsi</security.db.datasource.username>
        <security.db.datasource.password>ohdsi</security.db.datasource.password>
        <!-- Looks up the stored password value for one account. The single "?" is a
             bind parameter for the submitted login name; keep it as a placeholder so
             the value is bound by the driver rather than concatenated into the SQL. -->
        <security.db.datasource.authenticationQuery>select password from ${datasource.ohdsi.schema}.demo_security where email = ?</security.db.datasource.authenticationQuery>
    </properties> 
  </profile>  
</profiles>
</settings>

And my config-local.js file

// Local ATLAS configuration override, loaded as an AMD module with no dependencies.
// Returns the settings object: the WebAPI endpoint, the flag that turns on user
// authentication, and the list of login providers.
define([], function () {
    // Login provider that uses a credentials form.
    // NOTE(review): "url" is a relative path, presumably resolved against the
    // WebAPI base URL configured under "api" below; confirm against ATLAS.
    var databaseLoginProvider = {
        name: "Test CDM Security",
        url: "user/login/db",
        ajax: true,
        icon: "fa fa-database",
        isUseCredentialsForm: true
    };

    return {
        // WebAPI instance this ATLAS install talks to.
        // NOTE(review): plain HTTP is fine while everything runs on localhost;
        // use an https:// URL once the API is reached over a network, since the
        // login form presumably submits credentials to this endpoint.
        api: {
            name: 'Test',
            url: 'http://localhost:8080/WebAPI/'
        },
        userAuthenticationEnabled: true,
        authProviders: [databaseLoginProvider]
    };
});

Any advice or guidance would be appreciated. Thanks.

I have the same issue. It gives me a 404.

webapi    | 2019-04-30 18:44:12.849 ERROR http-nio-8080-exec-9 org.ohdsi.webapi.shiro.realms.JdbcAuthRealm -  - There was a SQL error while authenticating user [ohdsi]
webapi    | org.postgresql.util.PSQLException: The column index is out of range: 1, number of columns: 0.
webapi    | 	at org.postgresql.core.v3.SimpleParameterList.bind(SimpleParameterList.java:56)
webapi    | 	at org.postgresql.core.v3.SimpleParameterList.setStringParameter(SimpleParameterList.java:118)
webapi    | 	at org.postgresql.jdbc2.AbstractJdbc2Statement.bindString(AbstractJdbc2Statement.java:2324)
webapi    | 	at org.postgresql.jdbc2.AbstractJdbc2Statement.setString(AbstractJdbc2Statement.java:1403)
webapi    | 	at org.postgresql.jdbc2.AbstractJdbc2Statement.setString(AbstractJdbc2Statement.java:1385)
webapi    | 	at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.setString(HikariProxyPreparedStatement.java)
webapi    | 	at org.ohdsi.webapi.shiro.realms.JdbcAuthRealm.createPreparedStatement(JdbcAuthRealm.java:111)
webapi    | 	at org.ohdsi.webapi.shiro.realms.JdbcAuthRealm.getPasswordForUser(JdbcAuthRealm.java:90)
webapi    | 	at org.ohdsi.webapi.shiro.realms.JdbcAuthRealm.doGetAuthenticationInfo(JdbcAuthRealm.java:66)
webapi    | 	at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
webapi    | 	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219)
webapi    | 	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
webapi    | 	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
webapi    | 	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
webapi    | 	at org.ohdsi.webapi.shiro.lockout.LockoutWebSecurityManager.login(LockoutWebSecurityManager.java:66)
webapi    | 	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
webapi    | 	at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
webapi    | 	at org.ohdsi.webapi.shiro.filters.JdbcAuthFilter.onAccessDenied(JdbcAuthFilter.java:58)
webapi    | 	at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
webapi    | 	at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
webapi    | 	at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
webapi    | 	at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
webapi    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
webapi    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
webapi    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
webapi    | 	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
webapi    | 	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
webapi    | 	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
webapi    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:115)
webapi    | 	at org.springframework.boot.web.support.ErrorPageFilter.access$000(ErrorPageFilter.java:59)
webapi    | 	at org.springframework.boot.web.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:90)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:108)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
webapi    | 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
webapi    | 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
webapi    | 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
webapi    | 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
webapi    | 	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
webapi    | 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
webapi    | 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
webapi    | 	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
webapi    | 	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
webapi    | 	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
webapi    | 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
webapi    | 	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
webapi    | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
webapi    | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
webapi    | 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
webapi    | 	at java.lang.Thread.run(Thread.java:748)

I would really appreciate help with this, as none of the authentication methods are working for me.

Thanks
