Guides
R24 AMR | Min(s) read

Configuring Security

To ensure that the implementation of the API is secure, implement the authentication and configure SSL on the application server.

Configuring JWT Token-based Authentication

In IRIS, to enable the JWT token based authentication, the following configuration should be done in the war-file.

spring-jwt-iris-authenticator.xml is used to define spring beans and should get loaded as part of the configuration.

By default, IRIS is shipped with this configuration disabled, and the user must enable it. In web.xml inside the <context-param>, un-comment the below lines.

<param-value>classpath:spring-jwt-iris-authenticator.xml</param-name>

The following bean needs to be enabled, and all other "t24SecurityFilter" need to be disabled in the \WEB-INF\classes\applicationContext.xml file.

IRIS T24 Processors use T24 Security Context to construct OFS messages with the respective user credentials. T24SecurityFilter derives the user principal from the Spring Spring Security Context and constructs a user’s T24 security context.

Temenos provides "com.temenos.irf.comms.security.AuthImpl.T24SpringSecurityContextFilter", a T24 Security filter, to retrieve the user principal from the spring security context and construct the T24 Security context used for constructing the OFS message.

Enable the following bean in the applicationContext.xml file and disable all other ‘t24SecurityFilter’ files.

Spring-jwt-iris-authenticator.xml allows banks to configure the IRIS infrastructure based on their token validation requirements.

The section below helps configure the Spring Security Authentication Provider and Token Validation filter based on the client’srequirements.

Temenos provides a validation filter and authentication provider to validate the JWT token. The validation filter uses this XML configuration to perform the algorithm, claim, and signature validations.

The token is validated against the algorithm provided in the configuration and the original value available in the JWT token. If there is a mismatch in these two values, IRIS ignores this request and send an unauthorised response back.

<beans:property name="idTokenSignedAlg" value="RS256" />

In the above example, the token is Algorithm RS256. However, this value can be changed according to your token type.

To enable signature validation, set the below property to true. By default, this is set to false.

<beans:property name="idTokenSigned" value="" />

Every JWT token is signed by the token provider using their private key, and this signature can be validated only with the public key provided by the token provider. The public key is configured to validate the signature of the JWT token in IRIS. IRIS supports four ways to obtain the public key, and anyone of the below four properties is mandatory for IRIS to validate the signature.

  • <beans:property name="pkEncoded" value="" /> - use this property if the client has the public key as a String , which can be base64 encoded and added here.
  • <beans:property name="pkCertEncoded" value="" /> - use this property if the client has the key certificate as a String, which can be base64 encoded and added here.
  • <beans:property name="pkCertFilePath" value="" /> - use this property if the client has the key certificate as a certificate file (.cer or .pem), and that location can be directly configured here.
  • <beans:property name="pkJwksUri" value="" /> - use this property if the client can expose the JWKS URI to obtain the public key.
At least one of the four properties needs to be configured to validate the signature. If the client does not want to validate the signature, then the below property can be set as false, which skips the signature validation.

<beans:property name="idTokenSigned" value="false" />

ClaimValidator is a generic validator for different claims in the token. Each instance of the ClaimValidator validates one specific claim. The claim that needs to be validated is injected into an instance.

Following are the mandatory claims in any JWR token:

  • exp
  • iss
  • iat

The user can use the following configurations to perform any claim validations other than the default claim validations.

<beans:bean id="customClaim" class="com.temenos.irf.web.security.jwt.validator.CustomClaimValidator">

<beans:property name="customClaims">

<beans:map>

<beans:entry key="" value="" />

<beans:entry key="" value="" />

</beans:map>

</beans:property>

</beans:bean>

The user can add any number of keys and values in the above property. All the values must be validated against the values present in the JWT token, and if any validation fails, then IRIS sends an un-authenticated response to the user.

The client or support development can extract the values from the JWT token and use them later in the published or /provider services. The following bean is configured to extract those values from the token and set them in the request context header.

<beans:bean id="requiredFields" class="com.temenos.irf.web.security.jwt.parser.RequiredFieldsExtractor">

<beans:property name="claimsToExtract">

<beans:list>

<beans:value></beans:value>

<beans:value></beans:value>

</beans:list>

</beans:property>

</beans:bean>

The user can add any number of values in the above property to extract. The below screen shot is an example.

If any of the defined fields is unavailable in the token, IRIS returns an unauthorised error stating that the required claims are missing.

After the token is validated, the validation filter builds and propagates the authenticated principal and invokes the remaining filter change as usual.

Spring Security uses org.springframework.security.core.userdetails. UserDetails to manage user information across the application. After authenticating the requests, spring security makes userDetails available as a part of the Spring Authentication object.

IRISAuthenticatedUser is the iris-authenticated user object used to carry user data as part of the Spring Authentication object.

After the token is authenticated, the successfulAuthentication callback sets the Spring Authentication object references in the Spring Security Context. The Security Context holds the user information (IRISAuthenticatedUser), which is available across the IRIS Version and Enquiry processors.

To get this user principle, the user or client needs to configure the claim where the user principle is available, which is configured in the below property. The default value is "sub".

<beans:property name="principalClaim" value="sub" />

For a Luxhub supported bank, the bank must manually configure the principalClaim as 'iss', that is, the issuer (Luxhub), sets the aAttribute field with pre-authentiacted values. A user named ‘Luxhub’ is created in the T24 USER table.

In certain scenarios, the time difference between the JWT token provider and the server in which IRIS runs is some seconds, advanced, or delayed. In those cases, IRIS can be configured to ignore a specific amount of time difference in seconds. It can be configured using the below property, where the value is in seconds.

<beans:property name="expiryDelayAllowance" value="0" />

A few endpoints in the war file should be excluded from the JWT validation, such as healthz APIs and static resources. Those endpoints can be configured using the below property tag so that IRIS ignores the JWT validation and skips this filter. The user can define more than one endpoint using a comma-separated value.

<beans:property name=”skipUrls” value=”/v1/healthz , /v1/anyOtherUrl” />

 

Copyright © 2020- Temenos Headquarters SA

Contact Us

knowledge@temenos.com

Published on :
Thursday, May 30, 2024 12:08:12 PM IST