This authentication plugin will work with an ICAT version of 4.9 or greater.


Summary of steps

  1. Please follow the generic installation instructions
  2. Update the file if necessary for the icat.server to see the authenticator and restart icat to see the change. The easiest way is to rerun the setup script for the icat.server. Remember that restful authenticators are identified by url rather than jndi.
  3. Add users
  4. Check that it works.

The file

May be either Glassfish or JBoss - though only glassfish is working fully at the moment.
is the top level of the container installation. For glasssfish it must contain "glassfish/domains" and for wildfly it must contain jboss-modules.jar.
is the administration port of the container which is typically 4848 for glassfish and 9990 for wildfly.
must be set to true or false. If true then only https and not http connections will be allowed.
This is optional and may be used to control the SQL generated by the JPA. Values must be chosen from: TargetDatabase
is the name of the jdbc driver and must match the jar file for your database that you stored in the previous step.
url to connect to your database. For example: jdbc:mysql://localhost:3306/icat
username to connect to your database.
password to connect to your database.

The file

If access to the DB authentication should only be allowed from certain IP addresses then provide a space separated list of allowed values. These take the form of an IPV4 or IPV6 address followed by the number of bits (starting from the most significant) to consider.
if specified is a label to appear before the user name as it is made available to the icat.server for authorization. For example if this is set to 'db' then the user 'root' will be provided to ICAT as 'db/root', but of no mechanism is specified it will be provided simply as 'root'.

Update the file for your ICAT

This is required for the icat.server to see a new authenticator. If you are just updating an existing restful authenticator then the of the icat.server will not need changing.

Assuming that you still have the installation directory for icat.server then edit the to refer to the new authenticator and type: ./setup install

Add users

Users should be added by manually adding them to the database table PASSWD. This has two columns, one for the username and one for the password. The password may be entered as clear text without a leading "$" or a cryptographic hash of a password may be stored. A password hash must start with a "$" character and be in the same form as found in the shadow(5) password file. It may be created using the mkpasswd(1) utility on Debian systems or grub-crypt on Red Hat derived systems or the python crypt module. The supported hash algorithms are MD5, SHA-256, and SHA-512.

Check that authn.db works

Use testicat (which is installed with ICAT) with one of the entries in the database PASSWD table. It should report that it logs in but may or may not have the permission to run the rest of the test. If it does not report that it has logged in then please check the server.log and the authn_db.log files which can both be found in the logs directory below your domain.