OHDSI Home | Forums | Wiki | Github

New Wiki Entry: Setting up Basic Security for a demo environment

security
atlas
webapi

(Frank DeFalco) #1

I’ve put together a new wiki entry that describes the process for setting up basic security using a custom database for credentials. The article describes the process for setting up the OHDSI WebAPI and ATLAS with security enabled. This is useful for those looking to work on developing features that leverage security but may not be in an environment with ‘enterprise’ security established.

http://www.ohdsi.org/web/wiki/doku.php?id=documentation:software:webapi:basic_security


(Rohan Surdikar) #2

Hi Frank,

Thanks for the wiki article on webapi security. I followed instructions as you mentioned but I keep on getting 404 not found error when I submit login form.

Also, I am not sure which bcrypt hash to choose for my password?
Currently, I have used same email/password combination given on wiki page.

Here is my settings.xml

<settings>
<profiles>
  <profile>
    <id>webapi-mssql</id>
    <properties>
      <datasource.driverClassName>com.microsoft.sqlserver.jdbc.SQLServerDriver</datasource.driverClassName>
      <datasource.url>jdbc:sqlserver://localhost;databasename=cdmtestdb</datasource.url>
      <datasource.username>sa</datasource.username>
      <datasource.password>*****</datasource.password>
      <datasource.dialect>sql server</datasource.dialect>
      <datasource.ohdsi.schema>webapi</datasource.ohdsi.schema>
      <flyway.datasource.driverClassName>${datasource.driverClassName}</flyway.datasource.driverClassName>
      <flyway.datasource.url>${datasource.url}</flyway.datasource.url>
      <flyway.datasource.username>${datasource.username}</flyway.datasource.username>
      <flyway.datasource.password>${datasource.password}</flyway.datasource.password>
      <flyway.locations>classpath:db/migration/sqlserver</flyway.locations>
      <security.enabled>true</security.enabled>
      <security.origin>*</security.origin>
      <security.db.datasource.url>${datasource.url}</security.db.datasource.url>
        <security.db.datasource.driverClassName>${datasource.driverClassName}</security.db.datasource.driverClassName>
        <security.db.datasource.schema>${datasource.ohdsi.schema}</security.db.datasource.schema>
        <security.db.datasource.username>ohdsi</security.db.datasource.username>
        <security.db.datasource.password>ohdsi</security.db.datasource.password>
        <security.db.datasource.authenticationQuery>select password from ${datasource.ohdsi.schema}.demo_security where email = ?</security.db.datasource.authenticationQuery>
    </properties> 
  </profile>  
</profiles>
</settings>

And my config-local.js file

define([], function () {
    var configLocal = {};
 
    configLocal.api = {
        name: 'Test',
        url: 'http://localhost:8080/WebAPI/'
    };
 
    configLocal.userAuthenticationEnabled = true;

    configLocal.authProviders = [{
        "name": "Test CDM Security",
        "url": "user/login/db",
        "ajax": true,
        "icon": "fa fa-database",
        "isUseCredentialsForm": true
    }];
    
    return configLocal;
});

Any advise or guidance would be appreciated. Thanks.


(Shweta) #3

I have same issue. It gives me 404.

webapi    | 2019-04-30 18:44:12.849 ERROR http-nio-8080-exec-9 org.ohdsi.webapi.shiro.realms.JdbcAuthRealm -  - There was a SQL error while authenticating user [ohdsi]
webapi    | org.postgresql.util.PSQLException: The column index is out of range: 1, number of columns: 0.
webapi    | 	at org.postgresql.core.v3.SimpleParameterList.bind(SimpleParameterList.java:56)
webapi    | 	at org.postgresql.core.v3.SimpleParameterList.setStringParameter(SimpleParameterList.java:118)
webapi    | 	at org.postgresql.jdbc2.AbstractJdbc2Statement.bindString(AbstractJdbc2Statement.java:2324)
webapi    | 	at org.postgresql.jdbc2.AbstractJdbc2Statement.setString(AbstractJdbc2Statement.java:1403)
webapi    | 	at org.postgresql.jdbc2.AbstractJdbc2Statement.setString(AbstractJdbc2Statement.java:1385)
webapi    | 	at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.setString(HikariProxyPreparedStatement.java)
webapi    | 	at org.ohdsi.webapi.shiro.realms.JdbcAuthRealm.createPreparedStatement(JdbcAuthRealm.java:111)
webapi    | 	at org.ohdsi.webapi.shiro.realms.JdbcAuthRealm.getPasswordForUser(JdbcAuthRealm.java:90)
webapi    | 	at org.ohdsi.webapi.shiro.realms.JdbcAuthRealm.doGetAuthenticationInfo(JdbcAuthRealm.java:66)
webapi    | 	at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
webapi    | 	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219)
webapi    | 	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
webapi    | 	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
webapi    | 	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
webapi    | 	at org.ohdsi.webapi.shiro.lockout.LockoutWebSecurityManager.login(LockoutWebSecurityManager.java:66)
webapi    | 	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
webapi    | 	at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
webapi    | 	at org.ohdsi.webapi.shiro.filters.JdbcAuthFilter.onAccessDenied(JdbcAuthFilter.java:58)
webapi    | 	at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
webapi    | 	at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
webapi    | 	at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
webapi    | 	at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:118)
webapi    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
webapi    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
webapi    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
webapi    | 	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
webapi    | 	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
webapi    | 	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
webapi    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
webapi    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
webapi    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:115)
webapi    | 	at org.springframework.boot.web.support.ErrorPageFilter.access$000(ErrorPageFilter.java:59)
webapi    | 	at org.springframework.boot.web.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:90)
webapi    | 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
webapi    | 	at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:108)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
webapi    | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
webapi    | 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
webapi    | 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
webapi    | 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
webapi    | 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
webapi    | 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
webapi    | 	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
webapi    | 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
webapi    | 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
webapi    | 	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
webapi    | 	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
webapi    | 	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
webapi    | 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
webapi    | 	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
webapi    | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
webapi    | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
webapi    | 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
webapi    | 	at java.lang.Thread.run(Thread.java:748)

Really appreciate help on this. As none of the Authentication methods are working for me.

Thanks


t