...
If you want to use authorization, you will at least have to start by adding the following configuration to shrine.conf after the shrine block.

First this:

```
shrine {
  ...
}
...
authorizer : {
  name : net.shrine.authz.providerService.authorize.HmsAuthorizer
}
```

Then these settings:

```
shrine.queryEntryPoint.authenticationType = "sso"
shrine.webclient.ssoLogoutUrl = "https://<your hostname>/shrine-api/authorizer/logout"
shrine.config.authorizer.shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=<return URL provided by your idP>"
shrine.config.authorizer.requireAuthorization = "true"
// comes from reference.conf. You can override it here:
// shrine.webclient.unauthorizedMessage = "You currently do not have access to SHRINE. Please contact your institution's SHRINE administrator for more information."
```
The authorization system works with a number of attribute providers, each of which generates "attributes" and requires its own configuration, and one authorization provider which decides, based on the attributes gathered by those providers, whether the user is authorized. Beyond the configuration items above, the config file has the following overall structure:

```
shrine.config.authorizer : {
  unauthorizedUrl = "/shrine-api/shrine-webclient?isAuth=false"
  shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=https://sso.med.harvard.edu/adfs/ls/?wa=wsignout1.0"
  attributeProviders :
  [
    ...
  ],
  authorizer : {
    ...
  }
}
```
The information gathered by the attribute providers has the following shape, where each "attribute type" corresponds to one configured AttributeProvider (identified by its name). AttributeProvider classes in turn generate a list of attributes, each with one or more values. The authorizer class uses this data to decide whether to authorize the user or not.

```
{
  attribute type 1 -> {
    attribute 1 -> [value 1, value 2, ...],
    attribute 2 -> [value 1, value 2, ...],
    ...
  },
  attribute type 2 -> {
    attribute 1 -> [value 1, value 2, ...],
    attribute 2 -> [value 1, value 2, ...],
    ...
  },
  ...
}
```
A complete example:

```
shrine.config.authorizer : {
  unauthorizedUrl = "/shrine-api/shrine-webclient?isAuth=false"
  shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=https://sso.med.harvard.edu/adfs/ls/?wa=wsignout1.0"
  attributeProviders :
  [
    {
      class = net.shrine.authz.providerService.attributes.WhiteBlackListAttrProvider
      name = wb-list,
      // DB config here should correspond to tomcat's Resource in its context.xml
      database: {
        dataSourceFrom = "JNDI"
        jndiDataSourceName = "java:comp/env/jdbc/blackWhiteTableDB"
        timeout = "30 seconds"
        createTablesOnStart = false
      }
    }
    {
      class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
      name = profiles_faculty_type_and_id
      url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
      userIdPlaceHolder = "{userId}"
      attributeRegexes : [
        {
          name = "person-id"
          regex = "PersonID=\"([0-9]+)\""
        }
        {
          name = "faculty_type"
          regex = "<Affiliation Primary=\"true\">.*?FacultyTypeSort=\"(.)\""
        }
      ]
    }
    {
      class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
      name = profiles_everything
      url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
      userIdPlaceHolder = "{userId}"
      attributeRegexes : [
        {
          name = "everything"
          regex = "(.+)"
        }
      ]
    }
    {
      class = net.shrine.authz.providerService.attributes.RequestHeadersAttrProvider
      name = headers,
      headerNames :
      [
        AJP_userId
        AJP_email
        AJP_firstName
        AJP_lastName
      ]
    }
  ],
  authorizer : {
    name : net.shrine.authz.providerService.authorize.HmsAuthorizer
  }
  ////////////////////////////////////////////////////////////
  // example of an alternate authorizer: RegexAuthorizer    //
  // (HOCON merges objects that share a key, so keep only   //
  // one authorizer block active in a real config)          //
  ////////////////////////////////////////////////////////////
  authorizer : {
    name : net.shrine.authz.providerService.examples.RegexAuthorizer
    regexTerms :
    [
      "wb-list.isBlack.false"
      "(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])"
      "!(fp77)"
    ]
  }
}
```
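To make the attribute shape described earlier and the RegexAuthorizer terms above concrete, here is a small model of the pipeline written for this page. It is added illustration code, not SHRINE's own implementation: the provider names, header names, endpoint regexes and regexTerms are copied from the configuration above, while the Profiles responses, the white/black-list table and the AJP headers are constructed stand-ins. Two things are assumptions: that a term is satisfied when some flattened "provider.attribute.value" string matches it, and that a term written as `!(...)` is satisfied only when nothing matches the inner pattern.

```python
"""Added example (not SHRINE's own code): a model of the attribute-provider /
authorizer pipeline configured above, run against constructed sample data."""
import re
from typing import Dict, List, Mapping

# Attribute structure: provider name -> attribute -> [values], as sketched above.
Attributes = Dict[str, Dict[str, List[str]]]

# Regexes from the profiles_faculty_type_and_id provider (HOCON \" unescaped).
FACULTY_REGEXES = [
    {"name": "person-id", "regex": r'PersonID="([0-9]+)"'},
    {"name": "faculty_type", "regex": r'<Affiliation Primary="true">.*?FacultyTypeSort="(.)"'},
]
HEADER_NAMES = ["AJP_userId", "AJP_email", "AJP_firstName", "AJP_lastName"]
REGEX_TERMS = [
    "wb-list.isBlack.false",
    "(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])",
    "!(fp77)",
]

# Constructed sample data standing in for the Profiles endpoint and the
# white/black-list table; none of it is real.
SAMPLE_PROFILES_XML = {
    "jdoe": ('<Person PersonID="12345"><Affiliation Primary="true">'
             '<FacultyType FacultyTypeSort="2">Assistant Professor</FacultyType>'
             '</Affiliation></Person>'),
    "rsmith": ('<Person PersonID="67890"><Affiliation Primary="true">'
               '<FacultyType FacultyTypeSort="7">Visiting Scholar</FacultyType>'
               '</Affiliation></Person>'),
}
SAMPLE_WB_TABLE = {
    "rsmith": {"isWhite": True, "isBlack": False},
    "mblocked": {"isWhite": True, "isBlack": True},
    "fp77": {"isWhite": True, "isBlack": False},
}


def endpoint_attributes(body: str, specs: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """EndpointAttrProvider model: each configured regex yields one attribute whose
    values are the group-1 captures of every match in the response body.
    As in Java's default mode, '.' does not cross a newline, so a multi-line
    response would need the provider to use a DOTALL-style flag."""
    return {s["name"]: re.findall(s["regex"], body) for s in specs}


def header_attributes(headers: Mapping[str, str], names: List[str]) -> Dict[str, List[str]]:
    """RequestHeadersAttrProvider model: one attribute per configured header present."""
    return {n: [headers[n]] for n in names if n in headers}


def wb_list_attributes(user_id: str, table: Mapping[str, Mapping[str, bool]]) -> Dict[str, List[str]]:
    """WhiteBlackListAttrProvider model (assumed shape: two boolean columns per user).
    Users absent from the table are neither white- nor black-listed."""
    row = table.get(user_id, {"isWhite": False, "isBlack": False})
    return {col: [str(flag).lower()] for col, flag in row.items()}


def gather(user_id: str, headers: Mapping[str, str]) -> Attributes:
    """Run every configured provider for one request, keyed by provider name."""
    body = SAMPLE_PROFILES_XML.get(user_id, "")  # offline stand-in for the HTTP call
    return {
        "wb-list": wb_list_attributes(user_id, SAMPLE_WB_TABLE),
        "profiles_faculty_type_and_id": endpoint_attributes(body, FACULTY_REGEXES),
        "headers": header_attributes(headers, HEADER_NAMES),
    }


def flatten(attrs: Attributes) -> List[str]:
    """Render each (provider, attribute, value) as "provider.attribute.value",
    the form the regexTerms above are written against."""
    return [f"{p}.{a}.{v}" for p, amap in attrs.items() for a, vals in amap.items() for v in vals]


def authorize(attrs: Attributes, terms: List[str]) -> bool:
    """Assumed RegexAuthorizer semantics: every term must hold. A positive term
    holds when some flattened attribute matches it; a !(...) term holds when
    no flattened attribute matches the inner pattern."""
    flat = flatten(attrs)
    for term in terms:
        negate = term.startswith("!(") and term.endswith(")")
        pattern = term[2:-1] if negate else term
        if any(re.search(pattern, s) for s in flat) == negate:
            return False
    return True


def decide(user_id: str) -> bool:
    """Authorize one user, using constructed AJP headers for that user."""
    headers = {"AJP_userId": user_id, "AJP_email": f"{user_id}@example.org",
               "AJP_firstName": "Sample", "AJP_lastName": "User"}
    return authorize(gather(user_id, headers), REGEX_TERMS)


if __name__ == "__main__":
    for uid in ("jdoe", "rsmith", "mblocked", "nobody", "fp77"):
        print(uid, decide(uid), flatten(gather(uid, {})))
```

With the constructed data, jdoe is admitted through the faculty-type term, rsmith through the white list, mblocked is refused by the black-list term, an unknown user is refused because neither branch of the second term matches, and fp77 is refused by the negated term even though the white list would otherwise admit that user. Because the terms are matched as unanchored regular expressions, a value such as "fp77" is found inside any flattened string that contains it, including the e-mail header; whether the real authorizer anchors its matches is not stated on this page.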
...