User authentication

Authentication of users in Vidispine can be performed in a number of ways depending on the requirements of the calling application.

  1. By passing the user credentials to Vidispine on each request and letting Vidispine authenticate the user based on the credentials stored in the Vidispine database.

    The default HTTP authentication method is HTTP basic authentication. To use a custom HTTP authentication method, have a look at Apache Shiro Integration.

  2. Using Run-As: The application can itself authenticate the user and then connect to Vidispine using a service account with the Run-As privilege and with the Run-As option enabled, so that the request is then performed as the already authenticated user.

  3. Creating a time-limited token using the API with one of the options above, see Get an authentication token for a user. This token can then be used in subsequent calls as credential by specifying the http header:

    Authorization: token {token}
    

Run-As option

The API supports the operation of having the calling application authenticate itself via a single password or a single certificate credential. The actual end-user can then be specified by the RunAs HTTP header. The calling application credential must have _administrator or _runas role. The actual end-user roles will be determined by the RunAs user’s credentials.

A typical UI application scenario would be:

  1. Have the user log in by providing user name and password.
  2. Authenticate the user with /user/{user-name}/validate.
  3. Store the user name with the session.
  4. Use the RunAs header with all communication to the Vidispine API.

Apache Shiro Integration

New in version 4.1.

As of Vidispine 4.1 requests can be forwarded to Apache Shiro for authentication, making it is possible to customize how existing users in Vidispine are authenticated. The Apache Shiro version that is bundled with Vidispine can be seen in the table below.

Vidispine version Apache Shiro version
4.1 1.2.2

Custom configuration

On startup Vidispine will try to read a Apache Shiro INI configuration file from $instanceRoot/[config/]shiro.ini. On GlassFish installations the instance root folder is typically glassfish/domains/domain1/.

The default configuration file that can be used as a template can be seen below.

Note

The token authentication filter and the Vidispine realm must always be kept so that requests performed internally by Vidispine will still function.

[main]
vidispineRealm = com.vidispine.security.auth.DefaultVidispineRealm
tokenAuth = com.vidispine.security.auth.TokenAuthenticationFilter
deny = com.vidispine.security.auth.DenyFilter

securityManager.realms = $vidispineRealm
authcBasic.applicationName = vidispineRealm

[urls]
/** = noSessionCreation, tokenAuth[permissive], authcBasic

Installing a custom filter or realm

  1. Make the JAR file containing your custom filter or realm available on the classpath. On GlassFish the JAR file should be copied to glassfish/lib/.
  2. Create a shiro.ini file based on the above template and modify it to your needs.
  3. Start/Restart the application server.

Example: Static credentials

This is an example showing how to add a custom realm, in this case a IniRealm that defines credentials for a static set of users directly in the configuration file.

[main]
vidispineRealm = com.vidispine.security.auth.DefaultVidispineRealm
tokenAuth = com.vidispine.security.auth.TokenAuthenticationFilter
deny = com.vidispine.security.auth.DenyFilter

securityManager.realms = $iniRealm, $vidispineRealm
authcBasic.applicationName = "vidispineRealm"

[urls]
/** = noSessionCreation, tokenAuth[permissive], authcBasic

[users]
admin=password

Testing the configuration:

GET /API/version HTTP/1.1
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
User-Agent: curl/7.32.0
Host: localhost:8080
Accept: */*

HTTP/1.1 200 OK
...
GET /API/version HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: curl/7.32.0
Host: localhost:8080
Accept: */*

HTTP/1.1 200 OK
...
GET /API/version HTTP/1.1
Authorization: Basic YWRtaW46aW52YWxpZA==
User-Agent: curl/7.32.0
Host: localhost:8080
Accept: */*

HTTP/1.1 401 Unauthorized
...

Note

By default Apache Shiro will accept a request if at least one realm accepts the provided credentials, which is why the passwords password (accepted by iniRealm and admin (accepted by vidispineRealm) are both accepted.