
Security and authentication improvements

The following improvements regarding security and authentication have been made.

Case deletion restricted to global administrators (#661105)

The possibility to delete cases on the Case administration page of the Web Admin Suite has been restricted to users with full administrator permissions for both configuration and runtime data, i.e. administrators with the permission Administrate full system + access all entities. The Delete icons are no longer shown to administrators who only have the permission Administrate full system. This prevents administrators who do not have access to runtime data in the Web Client from deleting runtime data in the Web Admin Suite.

New authentication application for users (#661274, #662092)

Authentication in the Web Client and Web Admin Suite can now be done with the new authentication application, which serves as an internal OIDC provider. It can retrieve the credentials from the database or from LDAP. In addition, it can be used with an external identity provider such as Azure AD/Entra ID or ADFS.

The session opened in the authentication application is valid for both the Web Client and Web Admin Suite, regardless of the application for which it was opened. If the user does not have administrator permissions, a corresponding error message is shown when he tries to access the Web Admin Suite.

There are two deployment options:

  • In the same application server as ConSol CM: cmas-auth-user.war
  • As a standalone application: cmas-auth-user.jar (requires the cmas-auth-user.properties file in the same directory)

The following system properties have been added to the module cmas-core-security:

  • oidc.web.globalLogout.default and oidc.was.globalLogout.default: Determine whether the user is also logged out from the OIDC provider when logging out of the Web Client or the Web Admin Suite. The default value is "true", which is correct for an internal provider. For an external provider, the value is usually "false", so that sessions in other applications served by the same provider are not closed.
  • oidc.web.providerType.default and oidc.was.providerType.default: The type of OIDC provider. The default value is "internal", which means that the ConSol CM authentication application is used as the OIDC provider. Select "external" if a third-party application, such as Azure AD or ADFS, should be used.
  • cmas.auth.user.oidc.session.lifetime: The lifetime for a freshly created OIDC user session in the authentication application. An OIDC session is created on the first login of a user and is extended by the same lifetime on any subsequent login of the same user in another client. The default value is 15 minutes.
  • oidc.auth.rememberme.enabled: Determines if the Keep me logged in checkbox is shown on the login page of the Web Client. The default value after setup and update is "false", so that the feature is disabled.
  • oidc.auth.rememberme.key: Defines the key to identify tokens created for authentication with the Keep me logged in feature.
  • oidc.auth.rememberme.lifetime: Allows specifying how long (in hours) a token is valid for the Keep me logged in feature.

Note: The Keep me logged in checkbox is ignored for users with administrator permissions.

Several new templates are added automatically during setup and update of ConSol CM:

  • auth-password-reset-template: Defines the content of the email which is sent to the users when they request a new password.
  • mail-auth-user-many-account-auth-failures: Defines the content of the email which is sent to the user when his account was blocked due to the authentication protection feature.
  • mail-auth-admin-user-unblock-code: Defines the content of the email which is sent to the admin when a user account was blocked due to the authentication protection feature.

The layout and wording of the authentication-related screens have been improved. They are now the same for both the Web Client and the Web Admin Suite. New logout pages have been added:

  • Web Client: CM_URL/cm-client/oidc/logout (can be overridden by the system property urlLogoutPath in the module cmweb-server-adapter)
  • Web Admin Suite: CM_URL/was/logout

The example proxy configuration has been updated with the required information about running the application behind a proxy.

The session cookies of the authentication application can use the secure attribute, so that the users will not be able to log in if they access the Web Client or Web Admin Suite via the insecure HTTP protocol. Secure cookies can be enabled by setting enforce.secure.cookies to "true" in the cm6-config.properties or cm6-domain-config.properties file. This setting applies to all ConSol CM clients.

Initial administrator

The credentials of the administrator who was created during setup (see the system property admin.login in the module cmas-core-security) are always saved to the database. If you use LDAP as the only authentication method, the initial administrator will no longer be able to log in. Therefore, you first need to assign administrator permissions to a user managed in LDAP.

Standalone deployment

If the authentication application is run in standalone mode, you need to enable secure cookies in the start command of the authentication application by adding:

server.servlet.session.cookie.secure=true

Note: The Keep me logged in checkbox is only available via HTTPS or on localhost because secure cookies are used for this feature.

Two-factor authentication (#661849, #661850, #662092)

Two-factor authentication has been introduced as an optional feature for the Web Client, the Web Admin Suite and CM/Track V3. The second factor is a one-time code which is sent by email.

If two-factor authentication is enabled, the login flow looks as follows:

  1. The user opens the login page and enters his credentials (username and password).
  2. If the credentials are correct, an email with a one-time code is sent.
  3. The user enters the one-time code to log in. If configured, he can decide to remember this browser, so that he is not prompted for a one-time code again in the configured time period.

The configuration is done separately for the authentication application (auth for the Web Client and Web Admin Suite) and the portal authentication application (auth.portal for CM/Track V3). The following system properties were added:

  • cmas.auth.(portal.)user.2fa.mode: If set to "email", two-factor authentication is enabled.
  • cmas.auth.(portal.)user.2fa.email.code.length: The length of the one-time code sent by email (default 6).
  • cmas.auth.(portal.)user.2fa.email.code.validity.minutes: Validity of the one-time code in minutes (default 15).
  • cmas.auth.(portal.)user.2fa.rememberBrowser.enabled: If set to "true", the Remember this device checkbox is available and the user can decide to skip the second factor on this browser for the configured time period.
  • cmas.auth.(portal.)user.2fa.rememberBrowser.period.days: The time period for remembering the browser.
  • cmas.auth.(portal.)user.2fa.rememberBrowser.key: The key to identify tokens for remembering the browser.
  • cmas.auth.(portal.)user.2fa.whitelist: Comma-separated whitelist of usernames who can skip two-factor authentication.
  • cmas.auth.user.2fa.scope: If set to "admin", two-factor authentication is required only for users with administrator permissions. If set to "all", all users have two-factor authentication enabled. Only for the Web Client and Web Admin Suite.
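The following Python model is an added example, not ConSol CM code, showing how the properties listed above combine into the decision whether the email one-time code is requested after a correct password: mode, whitelist, scope and a remembered browser. The remember-browser token format (user, expiry and an HMAC under rememberBrowser.key) and the configuration values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed configuration mirroring the documented cmas.auth.user.2fa.* properties
# (values are made up; the key is a placeholder, not a real secret).
CONFIG = {
    "cmas.auth.user.2fa.mode": "email",
    "cmas.auth.user.2fa.scope": "all",              # "admin" or "all"
    "cmas.auth.user.2fa.whitelist": "svc_monitor, svc_backup",
    "cmas.auth.user.2fa.rememberBrowser.enabled": "true",
    "cmas.auth.user.2fa.rememberBrowser.period.days": "30",
    "cmas.auth.user.2fa.rememberBrowser.key": "PLACEHOLDER-REMEMBER-BROWSER-KEY",
}

def _mac(cfg, payload):
    key = cfg["cmas.auth.user.2fa.rememberBrowser.key"].encode()
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_remember_token(cfg, username, now=None):
    """Token set when the user ticks 'Remember this device': user|expiry|HMAC (assumed format)."""
    now = time.time() if now is None else now
    days = int(cfg["cmas.auth.user.2fa.rememberBrowser.period.days"])
    payload = f"{username}|{int(now + days * 86400)}"
    return f"{payload}|{_mac(cfg, payload)}"

def remember_token_valid(cfg, token, username, now=None):
    """Accept the token only if the feature is on, the MAC verifies, it belongs to this user and is unexpired."""
    now = time.time() if now is None else now
    if cfg.get("cmas.auth.user.2fa.rememberBrowser.enabled") != "true" or not token:
        return False
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    user, expiry, mac = parts
    if not hmac.compare_digest(mac, _mac(cfg, f"{user}|{expiry}")):
        return False                                   # tampered or wrong key
    return user == username and now < int(expiry)

def second_factor_required(cfg, username, is_admin, remember_token=None, now=None):
    """Decide whether the email one-time code must be requested after a correct password."""
    if cfg.get("cmas.auth.user.2fa.mode") != "email":
        return False                                   # 2FA disabled
    whitelist = {u.strip() for u in cfg.get("cmas.auth.user.2fa.whitelist", "").split(",")}
    if username in whitelist:
        return False                                   # explicitly exempted
    if cfg.get("cmas.auth.user.2fa.scope") == "admin" and not is_admin:
        return False                                   # only administrators need the second factor
    return not remember_token_valid(cfg, remember_token, username, now)
```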

The email containing the one-time code can be adjusted in the following new templates:

  • track-auth-2fa-mailcode-template: Template for CM/Track V3
  • auth-2fa-mailcode-template: Template for the Web Client and Web Admin Suite

Note: The Remember browser feature is only available via HTTPS or on localhost because secure cookies are always used for this feature.

Secure cookies enabled for CM/Track V3 (#662024, #662092)

The session cookies of CM/Track V3 can now use the secure attribute, so that the users will not be able to log in if they access CM/Track V3 via the insecure HTTP protocol. Secure cookies can be enabled by setting enforce.secure.cookies to "true" in the cm6-config.properties or cm6-domain-config.properties file. This setting applies to all ConSol CM clients.

Standalone deployment

If the authentication application for CM/Track V3 is run in standalone mode, you need to enable secure cookies in the start command of the authentication application by adding:

server.servlet.session.cookie.secure=true

Referrer-Policy header added to communication (#662171)

The setting Referrer-Policy: origin has been added to the headers used by CM/Track V3 for communication. This limits the referrer information included in requests to the origin (scheme, host and port) without path or query string, thus improving security and ensuring compliance with best practices.
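As an added check that is not part of ConSol CM or these release notes, the following Python script audits a captured response header block for the settings described on this page: the Secure (and HttpOnly) attributes on session cookies after enabling enforce.secure.cookies, and the presence and strength of the Referrer-Policy header. The sample headers are constructed for the example.

```python
# Constructed sample of response headers as captured with `curl -I` or a browser's
# network tab; not real ConSol CM output. The first cookie deliberately lacks Secure.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=abc123; Path=/cm-client; HttpOnly
Set-Cookie: XSRF-TOKEN=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax
Referrer-Policy: origin
"""

# Policies that still send the full URL (including path and query) in some cases.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

def parse_headers(raw):
    """Return (name_lower, value) pairs from a raw header block; the status line is skipped."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break                      # end of the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw, require_secure=True):
    """Return sorted findings: cookies without Secure/HttpOnly, missing or leaky Referrer-Policy."""
    findings = []
    headers = parse_headers(raw)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        # attribute names after the name=value pair, e.g. {"path", "secure", "httponly"}
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if require_secure and "secure" not in attrs:
            findings.append(f"cookie {cookie}: Secure attribute missing (is enforce.secure.cookies=true active?)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: HttpOnly attribute missing")
    policies = [v.lower() for n, v in headers if n == "referrer-policy"]
    if not policies:
        findings.append("Referrer-Policy header missing")
    elif any(p in LEAKY_REFERRER_POLICIES for p in policies):
        findings.append(f"Referrer-Policy {policies} sends the full URL; 'origin' limits it to the origin")
    return sorted(findings)
```

Run it with require_secure=False for a localhost deployment over plain HTTP, where Secure cookies cannot be set.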

Default encryption setting for Microsoft SQL databases changed (#662293)

Encryption has been disabled by default for JDBC connections to Microsoft SQL Server databases to avoid possible performance problems which can arise when encrypting the complete traffic.

The ConSol CM configuration files cm6-config.properties, cm6-domain-config.properties and cmrf.properties have been modified by adding encrypt=false to the database connection string for this purpose.

Credentials

This setting does not affect credentials, as they are always encrypted.

Note: If encryption of the complete traffic between the database and ConSol CM is needed, you can set encrypt=true after careful testing.

Configurable timeout for sessions in the portal authentication application (#662926)

The timeout for OIDC sessions using the portal authentication application, introduced in CM/Track V3 as new portal application (#657428), can now be defined in the system property cmas.auth.portal.user.oidc.session.lifetime. The default value is 15 minutes.

Third-party library changes

The following third-party libraries have been updated or replaced in this ConSol CM version:

  • axios (#662261): Updated from version 1.5.1 to 1.7.7
  • codemirror (#662747): Updated to the latest version in the Web Admin Suite.
  • commons-io (#662894): Updated from version 2.7 to 2.14.0.
  • cookie (#662950): Updated from version 0.6.0 to 0.7.0
  • ejs (#661053): Updated from version 3.1.9 to 3.1.10
  • express (#662656): Updated from version 4.19.2 to 4.20
  • follow-redirects (#661053): Updated from version 1.15.4 to 1.15.6
  • formik (#662747): Updated from version 2.2.6 to 2.4.6 in the Web Admin Suite.
  • formio (#662367): Updated from version 4.15.1 to 4.16.0. This solved an issue with selecting dates when using the Web Client with a German browser.
  • froala (#660826): Updated from version 4.0.19 to 4.2.0
  • micromatch (#662539): Updated from version 4.0.5 to 4.0.8
  • msal4j (#662066): Updated from version 1.14.1 and 1.14.3 to 1.15.1
  • primereact (#662261): Updated from version 10.6.5 to 10.8.2 in CM/Track V3. This solved an issue with invalid autocorrection when entering a date in the date picker component.
  • react (#662747): Updated from version 18.2.0 to 18.3.1 in the Web Admin Suite.
  • react-select (#662747): Updated from version 4.3.1 to 5.8.1 in the Web Admin Suite.
  • redux (#662747): Updated from version 4.1.0 to 5.0.1 in the Web Admin Suite.
  • rollup (#662804): Updated from version 2.79.0 to 2.79.2
  • spring (#662396): Updated from version 5.3.32 to 5.3.39 in ETL Runner
  • webpack (#662539): Updated from version 5.88.2 to 5.94.0
  • vite (#662676, #662751): Updated from versions 5.2.12 / 5.4.2 to 5.4.6
  • ws (#662079): Updated to versions 6.2.3, 7.5.10 and 8.18.0