openeai-authorization-module

Purpose

Currently, for a web service or webapp to check the permissions of an authenticated user, each web service or webapp has to use AuthorizationClient in its own code to call AuthorizationService.  The purpose of this module is to package that check either as an axis2 module or as a servlet filter in the servlet container, so that any web service or webapp can be configured to check the permissions of its authenticated users.

Applicability

The authorization module is designed for apps and web services whose users are already authenticated, which in practice means apps that are already shibbolized.  The authorization module in turn calls the authorization service, which calls LDAP.  The module exists to make the authorization service easy to use; the wiki page for the authorization module should probably state this explicitly.

For more complicated apps that require multiple role-based security/permission levels, a more sophisticated infrastructure or framework may be more suitable.

Implementation Artifacts

Source: https://wush.net/svn/openeai/trunk/projects/openeai-authorization-module

Configuration: https://svn.service.emory.edu:8443/repos/emoryoit/deployment/jboss/dev/dev2a/bin/configs/messaging/Environments/Examples/Deployments/AuthorizationService.xml

Module: https://svn.service.emory.edu:8443/repos/emoryoit/deployment/jboss/dev/dev2a/server/all/deploy/axis2.war/WEB-INF/modules/openeai-authorization-module.mar

Note: openeai-authorization-module.mar and openeai-authorization-module.jar are the same file, just with a different suffix to serve different purposes.


How It Works

Once activated, openeai-authorization-module looks up the permission entry for the request in its appConfig file, keyed by the context path.  Its appConfig file is the same one used by the ESB AuthorizationService: emoryoit/deployment/jboss/dev/dev2a/bin/configs/messaging/Environments/Examples/Deployments/AuthorizationService.xml.  If no permission entry is found, the module returns isAuthorized=true, so an unmapped path is let through.  Otherwise it forwards the request to the ESB AuthorizationService and returns whatever answer it gets from there.

Usage Examples

Dependent jars:

For a webapp, add to war/WEB-INF/lib: any-openeai-enterprise.moa.jar, openeai-authorization-service-2.0.jar and openeai-authorization-module.jar, in addition to the openeai service dependent jars (openeai.jar, commons-lang-2.6.jar, log4j-1.2.15.jar, sonic_Client.jar, gnu-regexp-1.0.8.jar, mail.jar, sonic_Crypto.jar, mfcontext.jar, sonic_SSL.jar, sonic_XA.jar, jdom.jar, jms-1.1.jar).

For web services, all of the above jars go into the axis2.war/WEB-INF/lib directory.

Webapp Usage example: JmsSend

1) Configure web.xml to plug in the filter, and add openeai-authorization-module.jar (and its dependency commons-jci-fam-1.0.jar) to the classpath (the /WEB-INF/lib directory, or an upper-level common directory).

<!--file: web.xml-->
...
  <filter>
    <filter-name>AuthorizationFilter</filter-name>
    <filter-class>
        org.openeai.authorization.module.AuthorizationFilter
    </filter-class>
  </filter>
  <filter-mapping>
    <filter-name>AuthorizationFilter</filter-name>
    <url-pattern>/openeai_jmssend_webapp/jmssendservice</url-pattern>
  </filter-mapping>
...

2) Add a pathToPermission entry

<!--file: emoryoit/deployment/jboss/dev/dev2a/bin/configs/messaging/Environments/Examples/Deployments/AuthorizationService.xml-->
...
<PropertyConfig name="pathToPermission">
...
    <Property>
        <!--first part of context path: /jmssend/auth; change to the whole contextPath???
            would be /jmssend/auth
        -->
        <PropertyName>jmssend</PropertyName>
        <PropertyValue>edu.emory.JmsSendWebapp.query</PropertyValue>
    </Property>
</PropertyConfig>
...

Web Service Usage Example: JmsSendService

1) Add openeai-authorization-module.mar to the directory emoryoit/deployment/jboss/dev/dev2a/server/all/deploy/axis2.war/WEB-INF/modules and add authorizationPhase to the "InFlow" phaseOrder in emoryoit/deployment/jboss/dev/dev2a/server/all/deploy/axis2.war/WEB-INF/axis2.xml.  Add the dependency commons-jci-fam-1.0.jar to WEB-INF/lib.

...
<phaseOrder type="InFlow">
...
   <phase name="soapmonitorPhase"/>
   <phase name="authorizationPhase"/>
</phaseOrder>
...

2) Three options to activate the module

    a) To permanently activate the module for all web services, modify the file emoryoit/deployment/jboss/dev/dev2a/server/all/deploy/axis2.war/WEB-INF/conf/axis2.xml by adding the line

<module ref="openeai-authorization-module"/>

    b) To permanently activate the module for this web service only, modify your service.xml inside the file jmssend.aar (for example) by adding the line

<module ref="openeai-authorization-module"/>

<!--after adding -->
<serviceGroup>
    <module ref="openeai-authorization-module"/>
    <service name="JmsSendService">
...

    c) To dynamically engage or disengage the module, go to https://intjavadev2a.cc.emory.edu:8443/axis2/axis2-admin/, and https://intjavadev2b.cc.emory.edu:8443/axis2/axis2-admin/, and click engage or disengage.

3) Add your property name/value pair to the pathToPermission config

<!--file: emoryoit/deployment/jboss/dev/dev2a/bin/configs/messaging/Environments/Examples/Deployments/AuthorizationService.xml-->
...
<PropertyConfig name="pathToPermission">
    <Property>
        <!--last part of service address: https://dev.app.emory.edu/axis2/services/JmsSendService
            using the whole context would be /axis2/services/JmsSendService
        -->
        <PropertyName>JmsSendService</PropertyName>
        <PropertyValue>edu.emory.JmsSendWebapp.query</PropertyValue>
    </Property>
</PropertyConfig>
...

How to Disable the Authorization Service for this WebService or WebApp

Comment out the entry to disable the Authorization Service for this WebService (the Authorization Module returns true if no entry is found):

<!--file: emoryoit/deployment/jboss/dev/dev2a/bin/configs/messaging/Environments/Examples/Deployments/AuthorizationService.xml-->
...
<PropertyConfig name="pathToPermission">
<!--
    <Property>
        <PropertyName>JmsSendService</PropertyName>
        <PropertyValue>edu.emory.JmsSendWebapp.query</PropertyValue>
    </Property>
-->
</PropertyConfig>
...
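The following is an added illustration, not code from openeai-authorization-module, of the lookup described under "How It Works" and of what commenting out a pathToPermission entry does: the request path is reduced to its key (first context-path segment for a webapp, last address segment for a web service), the key is looked up in the pathToPermission PropertyConfig, and the module either forwards to the AuthorizationService or, with no entry, answers isAuthorized=true. The AuthorizationService interface, the PathToPermissionDemo class, the failOpen switch and the sample config and user are all assumptions made for this example; the real module's classes and call signatures are not shown on this page.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Illustrative stand-in (not the project's code) for the path-to-permission lookup. */
public class PathToPermissionDemo {

    /** Assumed stand-in for the ESB AuthorizationService round trip. */
    public interface AuthorizationService {
        boolean isAuthorized(String user, String permission);
    }

    private final Map<String, String> pathToPermission = new HashMap<>();
    private final AuthorizationService service;
    private final boolean failOpen; // true reproduces the page's "no entry -> isAuthorized=true"

    public PathToPermissionDemo(String configXml, AuthorizationService service, boolean failOpen) throws Exception {
        this.service = service;
        this.failOpen = failOpen;
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The config file is trusted, but refusing DOCTYPE costs nothing and rules out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(configXml.getBytes(StandardCharsets.UTF_8)));
        NodeList configs = doc.getElementsByTagName("PropertyConfig");
        for (int i = 0; i < configs.getLength(); i++) {
            Element cfg = (Element) configs.item(i);
            if (!"pathToPermission".equals(cfg.getAttribute("name"))) continue;
            NodeList props = cfg.getElementsByTagName("Property");
            for (int j = 0; j < props.getLength(); j++) {
                Element p = (Element) props.item(j);
                String name = text(p, "PropertyName");
                String value = text(p, "PropertyValue");
                if (name != null && value != null) pathToPermission.put(name.trim(), value.trim());
            }
        }
    }

    private static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent();
    }

    /** Webapp key: first segment of the context path ("/jmssend/auth" -> "jmssend"). */
    public static String webappKey(String contextPath) {
        for (String s : contextPath.split("/")) if (!s.isEmpty()) return s;
        return "";
    }

    /** Web service key: last segment of the service address ("/axis2/services/JmsSendService" -> "JmsSendService"). */
    public static String serviceKey(String address) {
        String trimmed = address.replaceAll("/+$", "");
        return trimmed.substring(trimmed.lastIndexOf('/') + 1);
    }

    /** Decide for one request: forward when mapped, otherwise apply the no-entry policy. */
    public boolean check(String key, String user) {
        String permission = pathToPermission.get(key);
        if (permission == null) {
            // No entry (e.g. the Property was commented out): the page's behaviour is "return true".
            // With failOpen=false the same unmapped path is denied instead.
            return failOpen;
        }
        return service.isAuthorized(user, permission);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample config in the page's pathToPermission format.
        String xml = "<Deployment>"
                + "<PropertyConfig name=\"pathToPermission\">"
                + "<Property><PropertyName>jmssend</PropertyName>"
                + "<PropertyValue>edu.emory.JmsSendWebapp.query</PropertyValue></Property>"
                + "<Property><PropertyName>JmsSendService</PropertyName>"
                + "<PropertyValue>edu.emory.JmsSendWebapp.query</PropertyValue></Property>"
                + "</PropertyConfig></Deployment>";
        // Constructed stand-in for the ESB service: only user "alice" holds the query permission.
        AuthorizationService stub = (user, perm) ->
                "alice".equals(user) && "edu.emory.JmsSendWebapp.query".equals(perm);

        PathToPermissionDemo asDeployed = new PathToPermissionDemo(xml, stub, true);
        System.out.println("webapp alice:   " + asDeployed.check(webappKey("/jmssend/auth"), "alice"));
        System.out.println("webapp bob:     " + asDeployed.check(webappKey("/jmssend/auth"), "bob"));
        System.out.println("service bob:    " + asDeployed.check(
                serviceKey("https://dev.app.emory.edu/axis2/services/JmsSendService"), "bob"));
        System.out.println("unmapped bob:   " + asDeployed.check(webappKey("/unmapped/path"), "bob"));

        PathToPermissionDemo failClosed = new PathToPermissionDemo(xml, stub, false);
        System.out.println("unmapped (closed): " + failClosed.check(webappKey("/unmapped/path"), "bob"));
    }
}
```

Running main with the constructed config shows the mapped paths being forwarded to the stub service (alice granted, bob denied), while the unmapped path is granted under the page's no-entry rule and denied only in the failClosed instance. The point for anyone relying on the "comment out the entry to disable" step above is that a missing or mistyped PropertyName has the same effect as deliberately disabling the check, so the pathToPermission keys deserve a review whenever a context path or service name changes.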