Cross-cutting Concepts

Communication Channels

All communication between external clients and the GDI node needs to be performed over HTTPS. Other attempts must fail (blocked by runtime exceptions, if necessary).

Authentication

The GDI node uses the national authentication service to authenticate national users (identified by personal ID code).

For the SPE, international two-factor authentication will be provided, for example MyAccessID.

Successful authentication results in a local user session with a unique ID. The local session is designed to avoid passing and validating JWTs every time. Session information is stored in the database. The session expires 15 minutes after the last request. The user interface should inform the user about the expired session and perform the logout operation on the client side.

Some API endpoints can be public, and may ignore any provided authentication.

There can be only one session per user. A new login invalidates the existing active session.
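
The session rules above (unique session ID, expiry 15 minutes after the last request, one session per user) are sketched below as an added example; it is not the GDI node's own code. The SessionStore class, the table layout and the in-memory SQLite database standing in for "the database" are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # session expires 15 minutes after the last request


class SessionStore:
    """Server-side sessions: opaque ID, sliding idle timeout, one per user."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self.db = sqlite3.connect(":memory:")  # assumption: stands in for the real database
        # PRIMARY KEY on user_id lets the database itself enforce one session per user.
        self.db.execute(
            "CREATE TABLE session (user_id TEXT PRIMARY KEY,"
            " session_id TEXT UNIQUE NOT NULL, last_seen REAL NOT NULL)"
        )

    def login(self, user_id):
        """Call after successful external authentication; replaces any old session."""
        session_id = secrets.token_urlsafe(32)  # unguessable, carries no user data
        with self.db:
            self.db.execute(
                "INSERT OR REPLACE INTO session VALUES (?, ?, ?)",
                (user_id, session_id, self.clock()),
            )
        return session_id

    def touch(self, session_id):
        """Validate a request's session. Returns user_id, or None if invalid/expired."""
        now = self.clock()
        with self.db:
            # Expired rows are deleted first so a late request can never revive them.
            self.db.execute(
                "DELETE FROM session WHERE last_seen < ?", (now - IDLE_TIMEOUT_SECONDS,)
            )
            row = self.db.execute(
                "SELECT user_id FROM session WHERE session_id = ?", (session_id,)
            ).fetchone()
            if row is None:
                return None
            # Sliding window: each valid request restarts the 15-minute timer.
            self.db.execute(
                "UPDATE session SET last_seen = ? WHERE session_id = ?", (now, session_id)
            )
        return row[0]

    def logout(self, session_id):
        with self.db:
            self.db.execute("DELETE FROM session WHERE session_id = ?", (session_id,))
```

A `None` result from `touch` is the signal for the API to reject the request, so that the user interface can report the expired session and log out on the client side.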

Logging

Software must support:

  1. configuration for customising logging
  2. mainly logging to STDOUT
  3. plain-text vs. JSON-formatted output
  4. changing logging levels (may require application restart)

Eventually, system administrators will want to customise logging for their own environment.

Activities to be logged:

  1. HTTP requests and responses (general info)
  2. system-triggered requests and responses (general info)
  3. user activities (login, logout, changes)
  4. system background activities
  5. system warnings, errors and exceptions (with stack-traces)

Each activity record must identify event properties: when, who, what, where. Here “when” is a timestamp, “who” can be an application or user ID, session ID, IP address, “what” can be text but also structured info, and “where” refers to the component and server (pod).

Logging is mostly based on the standard (structured) logging tools that write to files and/or the console. Activity information should be collected for better monitoring, and can also be stored in a storage service (e.g. database, Kafka) for better analysis.

The technical solution for logging will be defined in a separate document.