Versions Compared

Old Version 14

changes.mady.by.user Xavier Haurie

Saved on

compared with

New Version 15

changes.mady.by.user Xavier Haurie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

If you want to use authorization, you'll have to at least add for the start by adding the following configuration to shrine.conf after the shrine block:

Code Block
languageyml
themeMidnight
shrine {

...

}
...
...
...
...
...
...

  authorizer : {
    name : net.shrine.authzconfig.providerService.authorize.HmsAuthorizer
  }

...

Code Block
languageyml
themeMidnight
shrine.queryEntryPoint.authenticationType authorizer.requireAuthorization = "ssotrue"
shrine.webclient.ssoLogoutUrl = "https://<your hostname>/shrine-api/authorizer/logout"
shrine.config.authorizer.shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=<return urlURL provided by your idP provider>idP>"
shrine.config.authorizer.requireAuthorization = "true"
// comes from reference.conf. You can override it here:
// shrine.webclient.unauthorizedMessage = "You


First this:

Code Block
languageyml
themeMidnight
 currently do not have access to SHRINE. Please contact your institution's SHRINE administrator for more information."



The authorization system works with a number of attribute providers which generates "attributes", and each requiring its own configuration, and one authorization provider which determines based on the attribute providers whether the user is authorized or not. Beyond the configuration items above, the config file has the following overall structure

Code Block
languageyml
themeMidnight
shrine.config.authorizer : {

  unauthorizedUrl = "/shrine-api/shrine-webclient?isAuth=false"
  shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=https://sso.med.harvard.edu/adfs/ls/?wa=wsignout1.0"

  attributeProviders :
  [  

  attributeProviders :
  [  
    ...
    ...
  ],
  authorizer : {
    ...
  }
}

The information gathered by the attribute providers will have the following shape, where each "attribute type" corresponds to an AttributeProvider class. AttributeProvider classes in turn generate a list of attributes, each with one or more values. The authorizer class will use this data to decide whether to authorize the user or not.

Code Block
languageyml
themeRDark
* {
   *   attribute type 1 -> {
   *     attribute 1 -> [value 1, value 2, ...],
   *     attribute 2 -> [value 1, value 2, ...],
   *     ...
   *   },
   *   attribute type 2 -> {
   *     attribute 1 -> [value 1, value 2, ...],
   *     attribute 2 -> [value 1, value 2, ...],
   *     ...
   *   },
   *   ...
   * }
Code Block
languageyml
themeMidnight
shrine.config.authorizer : {

  unauthorizedUrl = "/shrine-api/shrine-webclient?isAuth=false"
  shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=https://sso.med.harvard.edu/adfs/ls/?wa=wsignout1.0"

  attributeProviders :
  [
    {
      class = net.shrine.authz.providerService.attributes.WhiteBlackListAttrProvider
      name = wb-list,
      // DB config here should correspond to tomcat's Resource in its context.xml
      database: {
        dataSourceFrom = "JNDI"
        jndiDataSourceName = "java:comp/env/jdbc/blackWhiteTableDB"
        timeout = "30 seconds"
        createTablesOnStart = false
      }
    }
    {
      class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
      name = profiles_faculty_type_and_id
      url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
      userIdPlaceHolder="{userId}"
      attributeRegexes : [
        {
          name = "person-id"
          regex = "PersonID=\"([0-9]+)\""
        }
        {
          name = "faculty_type"
          regex = "<Affiliation Primary=\"true\">.*?FacultyTypeSort=\"(.)\""
        }
      ]
    }
    {
      class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
      name = profiles_everything
      url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
      userIdPlaceHolder="{userId}"
      attributeRegexes : [
        {
          name = "everything"
          regex = "(.+)"
        }
      ]
    }
    {
      class = net.shrine.authz.providerService.attributes.RequestHeadersAttrProvider
      name = headers,
      headerNames :
        [
           AJP_userId
           AJP_email
           AJP_firstName
           AJP_lastName
        ]
      }
  ],

  authorizer : {
    name : net.shrine.authz.providerService.authorize.HmsAuthorizer
  }

  ////////////////////////////////////////////////////////////
  // example of an alternate authorizer: RegexAuthorizer    //
  ////////////////////////////////////////////////////////////
  authorizer : {
      name : net.shrine.authz.providerService.examples.RegexAuthorizer
      regexTerms :
          [
             "wb-list.isBlack.false"
             "(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])"
             "!(fp77)"
          ]

    }

}

...