...
shrine {
...
}
...
...
...
...
...
...
authorizer : {
name : net.shrine.authz.providerService.authorize.HmsAuthorizer
}
////////////////////////////////////////////////////////////
// example of an alternate authorizer: RegexAuthorizer //
////////////////////////////////////////////////////////////
authorizer : {
name : net.shrine.authz.providerService.examples.RegexAuthorizer
regexTerms :
[
"wb-list.isBlack.false"
"(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])"
"!(fp77)"
]
} |
First this:
// Select SSO (the authorizer service) as the authentication type for the query entry point.
shrine.queryEntryPoint.authenticationType = "sso"
// Logout link used by the web client: points at the SHRINE authorizer's logout endpoint.
shrine.webclient.ssoLogoutUrl = "https://<your hostname>/shrine-api/authorizer/logout"
// Shibboleth SP logout. The `return=` parameter is where the SP sends the browser after it
// clears its own session; fill it with the sign-out URL your IdP provides (presumably so the
// IdP session is ended as well — confirm with your IdP documentation).
shrine.config.authorizer.shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=<return url provided by your idP provider>"
// When "true", access to SHRINE is gated on the authorizer's decision (see the
// attributeProviders / authorizer settings under shrine.config.authorizer).
// NOTE(review): the value is a quoted string, as in the original; confirm the loader accepts
// "true" rather than a bare boolean.
shrine.config.authorizer.requireAuthorization = "true"
// Default message comes from reference.conf. You can override it here:
// shrine.webclient.unauthorizedMessage = "You currently do not have access to SHRINE. Please contact your institution's SHRINE administrator for more information."
The authorization system works with a number of attribute providers, each of which generates "attributes" and requires its own configuration, and one authorization provider that determines, based on those attributes, whether the user is authorized.
shrine.queryEntryPointconfig.authenticationTypeauthorizer = "sso"
shrine.webclient.ssoLogoutUrl: {
unauthorizedUrl = "https://<your hostname>/shrine-api/authorizer/logout"
shrine.config.authorizer.shrine-webclient?isAuth=false"
shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=https://sso.med.harvard.edu/adfs/ls/?wa=wsignout1.0"
shrine.webclient.sessionTimeout = "30 minutes"
shrine.config.authorizer.requireAuthorization attributeProviders :
[ |
= "true"
// comes from reference.conf
// shrine.webclient.unauthorizedMessage = "You currently do not have access to SHRINE. Please contact your institution's SHRINE administrator for more information."
// Authorizer service configuration. Each entry in `attributeProviders` contributes named
// attributes for the logged-in user; the `authorizer` then decides from those attributes
// whether the user may use SHRINE.
shrine.config.authorizer : {
// Where the web client sends a user whom the authorizer has rejected.
unauthorizedUrl = "/shrine-api/shrine-webclient?isAuth=false"
// Shibboleth SP logout; `return=` is where the SP redirects the browser afterwards.
// NOTE(review): the return target here is one specific institution's ADFS sign-out URL —
// replace it with the sign-out URL of your own IdP.
shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=https://sso.med.harvard.edu/adfs/ls/?wa=wsignout1.0"
// Each provider is keyed by its `name`; the RegexAuthorizer example below refers to their
// output as <provider name>.<attribute>.<value> (e.g. "wb-list.isBlack.false").
attributeProviders :
[
{
// White/black list lookup backed by a database table (isWhite / isBlack attributes,
// judging from the regexTerms example below — TODO confirm the attribute names).
class = net.shrine.authz.providerService.attributes.WhiteBlackListAttrProvider
name = wb-list,
// DB config here should correspond to tomcat's Resource in its context.xml
// (the data source comes from JNDI, so connection details and credentials live in
// Tomcat's context.xml rather than in this file).
database: {
dataSourceFrom = "JNDI"
jndiDataSourceName = "java:comp/env/jdbc/blackWhiteTableDB"
timeout = "30 seconds"
// The list table is expected to exist already; nothing is created at startup.
createTablesOnStart = false
}
}
{
// Calls an external HTTP endpoint with the user id substituted into the URL and extracts
// attributes from the response body with the regexes below.
class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
name = profiles_faculty_type_and_id
url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
// Token in `url` that is replaced with the user's id.
userIdPlaceHolder="{userId}"
// NOTE(review): the user id is interpolated into a URL path. It is assumed to be the
// SSO-asserted id (see the headers provider below), not user-typed input; confirm that it
// is URL-encoded before substitution.
attributeRegexes : [
{
name = "person-id"
// Captures the numeric PersonID attribute from the XML response.
regex = "PersonID=\"([0-9]+)\""
}
{
name = "faculty_type"
// Captures the single FacultyTypeSort character of the primary affiliation; the
// RegexAuthorizer example below accepts values 0-4.
regex = "<Affiliation Primary=\"true\">.*?FacultyTypeSort=\"(.)\""
}
]
}
{
// Same endpoint as above, but the whole response is kept as one attribute ("everything").
class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
name = profiles_everything
url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
userIdPlaceHolder="{userId}"
attributeRegexes : [
{
name = "everything"
regex = "(.+)"
}
]
}
{
// Reads identity attributes that the SSO front end injects as request headers.
// NOTE(review): these headers are trusted as the user's identity. They must only be
// settable by the AJP/Shibboleth front end and never be passed through from the client;
// confirm the connector and reverse-proxy configuration strips client-supplied AJP_* headers.
class = net.shrine.authz.providerService.attributes.RequestHeadersAttrProvider
name = headers,
headerNames :
[
AJP_userId
AJP_email
AJP_firstName
AJP_lastName
]
}
],
// The authorizer that decides on the collected attributes.
authorizer : {
name : net.shrine.authz.providerService.authorize.HmsAuthorizer
}
////////////////////////////////////////////////////////////
// example of an alternate authorizer: RegexAuthorizer //
////////////////////////////////////////////////////////////
// NOTE(review): this example is not commented out. If this file is parsed as HOCON
// (Typesafe Config), a repeated object key is merged with the earlier one, so as written the
// RegexAuthorizer `name` would replace HmsAuthorizer above. Comment this block out, or remove
// the first `authorizer`, so that exactly one authorizer is in effect — confirm which one
// the running service reports.
authorizer : {
name : net.shrine.authz.providerService.examples.RegexAuthorizer
// Terms over <provider name>.<attribute>.<value>; `|` presumably means alternation and
// `!` negation — confirm against the RegexAuthorizer documentation.
// "fp77" does not correspond to any provider name configured above — TODO confirm.
regexTerms :
[
"wb-list.isBlack.false"
"(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])"
"!(fp77)"
]
}
} |
...