/
UserAdmin Server Properties

Ceptor - Get a Free Trial

UserAdmin Server Properties

Owned by Kim Rasmussen
Last updated: Mar 25, 2025

This user administration server has its own configuration server entry in the portalprotect configuration files. It configures database connectivity, plugins, etc.

For database connectivity description, see example the in section regarding Ceptor User Administration Server 
The Ceptor distribution contains sample configuration listing and documenting all these properties.

PropertyValue
db.usernameUsername to use when connecting to the database
db.credentialsPassword to use for connecting with the database
db.dbtype

The type of database (flavor) used. SQL statements are modified slightly depending on the database flavor. Currently supported is 

  • DB2
  • cloudscape
  • javadb
  • derby
  • mysql
  • sqlserver
  • oracle10
  • postgres
db.connectionurlJDBC URL to access database (example: jdbc:postgresql://10.1.1.1:5432/ppdata)
db.drivernameName of database JDB Driver - must be Java 1.6 or upwards compatible
db.testtableThe table to test on. If this string is prefixed with "SQL" the string after that will be used as the test SQL
db.testonreserveDefines whether a check on the connection should be made when fetched from the pool
db.searchstartwithwildcardIf true, all searches will be prefixed with a wildcard to find characters in the middle of the search string
db.maxconnectionusageThe max. number of times a connection is reused (or 0 if no max)
db.maxconnectionlifeThe max. number of seconds a connection is allowed to live (or 0 if no max)
db.initialpoolsizeInitial size of database connection pool
db.getconnectiontimeoutThe maximum time to wait for a new connection from the connection pool
db.delaygetconnection

A delay is added inside the user administration server, simulating that it takes additional time to aquire a new database connection. The time is given in milliseconds.

This will allow to test how the system (mostly applications connected to the user administration server) will react to a slow database

For performance and failure testing purpose only

db.debugIf set to true, debug information on connections and queries are logged in the user admin server log
db.checkexecuteupdateCheck if SQL update returns 0 rows update (some database flavors will not support this!)


The database access layer caches the less frequent changed part of the user administration database. The properties to control this cache are these:

PropertyValue
db.caching.status.timeCaching timeout for status objects, time is in seconds
db.caching.profile.timeCaching timeout for profile objects, time is in seconds
db.caching.group.timeCaching timeout for group objects, time is in seconds
db.caching.authmethod.timeCaching timeout for authentication method objects, time is in seconds
db.caching.acl.timeCaching timeout for ACL objects, time is in seconds


This section will contain documentation on additional properties apart from the properties described in the section above.

Property

Value

superuser

<super user name>

If set it is the userid of the "super user" who has access to all users in the database.

It only sets the userid – not how this user is authenticated – that is controlled by nmormal login mechanisms.

enableRevisionLogging

<true/false>

Wether or not revision logging is done on certain tables in the database (old values are retained in history tables).

False is the default value

users.multiorg

<true/false>

Support multiple organisations per user in the database. This is done through a new table PP_ORG_USR that needs to be created using the scripts. The feature will fail if this table is not created.

False is the default value

Note: If the value on an existing system is changed from false to true – data MUST be migrated from pp_user table to the new table. The old value organisation_id in the pp_user table will be ignored after this value is set to true. Also in this scenario the organisation_id field should be cleared after migration (to avoid database constraint issues!).

search.user.max

The number of maximum users returned in the user search method.

If not set, the default value is 256.

It is not recommended to set this too high as it can put a high load on the database and the network between the user administration server and the application using it. Better to design the application with use cases limiting the searches to less users

enableRevisionLogging

<true/false>

If set revision logging is done on certain updates in the user administration database

Some plugins can be added to the user administration server to serve for example infrastructure purposes or allow other systems to be notified on certain changes.

PropertyValue
user.attribute

A class name of a class impementing the dk.itp.portalprotect.useradmin.plugin.IUserAttributeValidator interface which will be called to check if it is allowed to update, insert or delete certain attributes (or values thereof) on a user.

The class can also be used to notify other systems of changes if needed

user.attributelist

A class name of a class implementing the dk.itp.portalprotect.useradmin.plugin.IAttributeList.

This class must return a list of attribute names that is allowed to change no a user obbject from the user administration client - so this can be controlled centrally.

By default the user administration client will allow changes to all user attributes (pending ACL check)

user.postcreate

A class name of a class implementing the dk.itp.portalprotect.useradmin.plugin.IUserCreate interface.

The class will be called when the user has been created. This can for example be used to notify other systems that a user has been created.

user.precreate

A class name of a class implementing the dk.itp.portalprotect.useradmin.plugin.IUserCreate interface.

The class will be called to check if it is allowed to create the user with the given logon id and credentials. 

organisation.attributeslist

A class name of a class implementing the dk.itp.portalprotect.useradmin.plugin.IAttributeList.

This class must return a list of attribute names that is allowed to change on an organisation from the user administration client - so this can be controlled centrally.

By default the user administration client will allow changes to all organisation attributes (pending ACL check)

credentials.pregenerate

A class name of a class implementing the dk.itp.portalprotect.useradmin.plugin.ICredentialsGenerator plugin

The preGenerateCredentials method is called before the credentials are created.

 /** 
* This method is called prior to the <code>generateCredentials</code> call
* if for example some cleaning up is required
*
* @param services An interface providing access to user administration functions
* @param logonID The logon id of the user whos credentials is to be changed
* @param authenticationMethod The authentication method id of the authentication method to generate new credentials for
* @param requestData Application specific request object, which may contain information relevant to the plugin (if any - this is not the case when creating new credentials from the user administration client)
*/
public void preGenerateCredentials( UserAdminServices services, String logonID, int authenticationMethod, Object requestData ) throws PluginException;
credentials.generate.XXXX

A class name of a class implementing the dk.itp.portalprotect.useradmin.plugin.ICredentialsGenerator plugin - XXXX is replaced with the authentication method ID

The genereateCredentials method is called so it can intercept and change or create new credentials when the createCredentials method is called in the UserAdmin API or if lostCredentials() method is called.

 /**
* This method will be called by the server if the
* "credentials lost" method is activated or if a new 
* challenge is being created
* 
* @param services An interface providing access to user administration functions
* @param logonID The logon id of the user whos credentials is to be changed
* @param authenticationMethod The authentication method id of the authentication method to generate new credentials for
* @param defaultCredentials The default credentials, typically sent in a createCredentials command.
* @param requestData Application specific request object, which may contain information relevant to the plugin (if any - this is not the case when creating new credentials from the user administration client)
* @param credentialsLost True if this plugin is called because the credentials were lost, false if called because new credentials are being created.
* @param authenticationLevel Authentication level, or 0 if unknown.
* @return The credentials generated (they are put in the database and parsed to the post generate method)
*/
public byte[] generateCredentials( UserAdminServices services, String logonID, int authenticationMethod, byte[] defaultCredentials, Object requestData, boolean credentialsLost, int authenticationLevel ) throws PluginException;
credentials.postgenerate

A class name of a class implementing the dk.itp.portalprotect.useradmin.plugin.ICredentialsGenerator plugin

The postGenerateCredentials method is called after credentials have been generated.

 /** 
* This method is called after to the <code>generateCredentials</code> call
* if for example some cleaning up is required
* 
* @param services An interface providing access to user administration functions
* @param logonID The logon id of the user whos credentials is to be changed
* @param authenticationMethod The authentication method id of the authentication method to generate new credentials for
* @param credentials The credentials generated by the <code>generateCredentials</code> method
* @param requestData Application specific request object, which may contain information relevant to the plugin (if any - this is not the case when creating new credentials from the user administration client)
* @param deliveryMethod The deliverymethod that should be used to notify the user (if any - this might not be set!)
* @return replyData object, which is passed back to the caller (if any - this is not the case when creating new credentials from the user administration client)
*/
public Object postGenerateCredentials( UserAdminServices services, String logonID, int authenticationMethod, int deliveryMethod, byte[]credentials, Object requestData) throws PluginException;

This section relates to the multi schema functionality, used to keep different users in the database physically separated by using different schemas.

Property

Value

schema.enable

<true/false>

Enables the multi schema support for the user admin server - allowing users of the API to define through the "getInstance" or "getSchemaInstace" which schema to access and store users.

False is the default value

schema.instance.root

<root schema name> 

The root schema name used when "schema.enable" is set to true. This schema name will be used when "null" is given as the instance name to the "getInstance" or "getSchemaInstace" methods on the user admin API. 

The value must be set if the property "schema.enable" is set to true. For the sample derby database provided with the Ceptor installation, "APP" is the schema name to provide here.

schema.instance.XXX

<schema name for instance XXX> 

The schema name used when "schema.enable" is set to true for a given instance XXX. This schema name will be used when "XXX" is given as the instance name to the "getInstance" or "getSchemaInstace" methods on the user admin API. 

The value must be set for each of the schemas/instances used in the API. 

Related content

© Ceptor ApS. All Rights Reserved.