If you want to use authorization, you'll have to at least add the following configuration to shrine.conf after the shrine block (note that the second `authorizer` block is only an example of an alternate authorizer; in HOCON a later key overrides an earlier one, so keep exactly one `authorizer` active):

```
shrine {
  ...
}
...
authorizer : {
  name : net.shrine.authz.providerService.authorize.HmsAuthorizer
}

////////////////////////////////////////////////////////////
// example of an alternate authorizer: RegexAuthorizer     //
////////////////////////////////////////////////////////////
authorizer : {
  name : net.shrine.authz.providerService.examples.RegexAuthorizer
  regexTerms : [
    "wb-list.isBlack.false"
    "(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])"
    "!(fp77)"
  ]
}
```
First, set the SSO entry point, logout URLs and the authorization switch in shrine.conf:

```
shrine.queryEntryPoint.authenticationType = "sso"
shrine.webclient.ssoLogoutUrl = "https://<your hostname>/shrine-api/authorizer/logout"
shrine.config.authorizer.shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=<return url provided by your idP provider>"
shrine.config.authorizer.requireAuthorization = "true"

// comes from reference.conf. You can override it here:
// shrine.webclient.unauthorizedMessage = "You currently do not have access to SHRINE. Please contact your institution's SHRINE administrator for more information."
```
The authorization system consists of a number of attribute providers, each of which generates "attributes" and requires its own configuration, and a single authorizer, which decides from the attributes those providers produce whether the user is authorized or not.
```
shrine.config.authorizer : {
  unauthorizedUrl = "/shrine-api/shrine-webclient?isAuth=false"
  shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=https://sso.med.harvard.edu/adfs/ls/?wa=wsignout1.0"
  attributeProviders : [
    {
      class = net.shrine.authz.providerService.attributes.WhiteBlackListAttrProvider
      name = wb-list,
      // DB config here should correspond to tomcat's Resource in its context.xml
      database: {
        dataSourceFrom = "JNDI"
        jndiDataSourceName = "java:comp/env/jdbc/blackWhiteTableDB"
        timeout = "30 seconds"
        createTablesOnStart = false
      }
    }
    {
      class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
      name = profiles_faculty_type_and_id
      url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
      userIdPlaceHolder="{userId}"
      attributeRegexes : [
        { name = "person-id"    regex = "PersonID=\"([0-9]+)\"" }
        { name = "faculty_type" regex = "<Affiliation Primary=\"true\">.*?FacultyTypeSort=\"(.)\"" }
      ]
    }
    {
      class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
      name = profiles_everything
      url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
      userIdPlaceHolder="{userId}"
      attributeRegexes : [
        { name = "everything" regex = "(.+)" }
      ]
    }
    {
      class = net.shrine.authz.providerService.attributes.RequestHeadersAttrProvider
      name = headers,
      headerNames : [ AJP_userId AJP_email AJP_firstName AJP_lastName ]
    }
  ],
  authorizer : {
    name : net.shrine.authz.providerService.authorize.HmsAuthorizer
  }

  ////////////////////////////////////////////////////////////
  // example of an alternate authorizer: RegexAuthorizer     //
  ////////////////////////////////////////////////////////////
  authorizer : {
    name : net.shrine.authz.providerService.examples.RegexAuthorizer
    regexTerms : [
      "wb-list.isBlack.false"
      "(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])"
      "!(fp77)"
    ]
  }
}
```
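To make the provider/authorizer split concrete, here is an added toy model of the configuration above, written for this page and not taken from SHRINE's code base. The three provider classes, the `provider.attribute.value` string form that the `regexTerms` above are evidently written against, the rule that every term must be satisfied, and the `!(...)` negation syntax are assumptions made for illustration; the profile XML, user ids and white/black lists are constructed sample data. The one design point it insists on is fail-closed evaluation: a provider that errors (the endpoint is unreachable, the user is unknown) denies access rather than letting the remaining terms decide.

```python
"""Toy model of attribute providers feeding a regex authorizer (added example,
not SHRINE code). Term semantics and the "!(...)" negation are ASSUMPTIONS."""
import re
from typing import Callable, Dict, List

Attributes = Dict[str, str]  # attribute name -> value, for one provider

PROFILES_URL = ("https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI"
                "/getPeople/xml/ecommonsList/{userId}/columns/affiliation")

# Constructed sample responses, shaped so the page's two regexes can match them.
PROFILES_BY_USER = {
    "abc123": '<People><Person PersonID="12345"><Affiliation Primary="true">'
              '<FacultyType FacultyTypeSort="2">Professor</FacultyType></Affiliation></Person></People>',
    "zzz999": '<People><Person PersonID="67890"><Affiliation Primary="true">'
              '<FacultyType FacultyTypeSort="7">Visitor</FacultyType></Affiliation></Person></People>',
    "vip01":  '<People><Person PersonID="11111"><Affiliation Primary="true">'
              '<FacultyType FacultyTypeSort="9">Staff</FacultyType></Affiliation></Person></People>',
    "fp77":   '<People><Person PersonID="22222"><Affiliation Primary="true">'
              '<FacultyType FacultyTypeSort="1">Professor</FacultyType></Affiliation></Person></People>',
}


def fake_fetch(url: str) -> str:
    """Stands in for an HTTPS GET; a KeyError models an endpoint failure."""
    user = url.split("/ecommonsList/")[1].split("/")[0]
    return PROFILES_BY_USER[user]


class WhiteBlackListAttrProvider:
    """Emits isWhite / isBlack from two id sets (stands in for the DB table)."""
    def __init__(self, name: str, white: set, black: set):
        self.name, self.white, self.black = name, white, black

    def attributes(self, user_id: str, headers: Dict[str, str]) -> Attributes:
        return {"isWhite": str(user_id in self.white).lower(),
                "isBlack": str(user_id in self.black).lower()}


class EndpointAttrProvider:
    """Fetches a per-user document and extracts capture group 1 of each regex."""
    def __init__(self, name: str, url: str, fetch: Callable[[str], str],
                 attribute_regexes: Dict[str, str], placeholder: str = "{userId}"):
        self.name, self.url, self.fetch, self.placeholder = name, url, fetch, placeholder
        self.regexes = {k: re.compile(v) for k, v in attribute_regexes.items()}

    def attributes(self, user_id: str, headers: Dict[str, str]) -> Attributes:
        body = self.fetch(self.url.replace(self.placeholder, user_id))
        found = {k: rx.search(body) for k, rx in self.regexes.items()}
        return {k: m.group(1) for k, m in found.items() if m}  # no match -> no attribute


class RequestHeadersAttrProvider:
    """Copies selected request headers (what the SSO front end injected) as attributes."""
    def __init__(self, name: str, header_names: List[str]):
        self.name, self.header_names = name, header_names

    def attributes(self, user_id: str, headers: Dict[str, str]) -> Attributes:
        return {h: headers[h] for h in self.header_names if h in headers}


class RegexAuthorizer:
    """ASSUMED semantics: every term must hold; "!(x)" holds when nothing matches x."""
    def __init__(self, regex_terms: List[str]):
        self.terms = regex_terms

    def term_satisfied(self, term: str, attrs: List[str]) -> bool:
        if term.startswith("!(") and term.endswith(")"):
            inner = re.compile(term[2:-1])
            return not any(inner.search(a) for a in attrs)
        rx = re.compile(term)
        return any(rx.search(a) for a in attrs)

    def authorize(self, attrs: List[str]) -> bool:
        return bool(attrs) and all(self.term_satisfied(t, attrs) for t in self.terms)


def build_providers():
    return [
        WhiteBlackListAttrProvider("wb-list", white={"vip01"}, black={"fp77"}),
        EndpointAttrProvider("profiles_faculty_type_and_id", PROFILES_URL, fake_fetch, {
            "person-id": r'PersonID="([0-9]+)"',
            "faculty_type": r'<Affiliation Primary="true">.*?FacultyTypeSort="(.)"'}),
        RequestHeadersAttrProvider("headers", ["AJP_userId", "AJP_email", "AJP_firstName", "AJP_lastName"]),
    ]


AUTHORIZER = RegexAuthorizer([
    "wb-list.isBlack.false",
    "(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])",
    "!(fp77)",
])


def attribute_strings(user_id: str) -> List[str]:
    """Run every provider and flatten results to 'provider.attribute.value'."""
    headers = {"AJP_userId": user_id, "AJP_email": f"{user_id}@example.org"}  # constructed
    return [f"{p.name}.{k}.{v}" for p in build_providers()
            for k, v in p.attributes(user_id, headers).items()]


def check(user_id: str) -> bool:
    """Fail closed: any provider error (endpoint down, unknown user) denies access."""
    try:
        return AUTHORIZER.authorize(attribute_strings(user_id))
    except Exception:
        return False


if __name__ == "__main__":
    for u in ("abc123", "vip01", "zzz999", "fp77", "nobody"):
        print(u, attribute_strings(u) if u in PROFILES_BY_USER else "(endpoint error)", "->", check(u))
```

Running it shows the four outcomes the terms encode: `abc123` is admitted by faculty type alone, `vip01` by the whitelist despite a faculty type outside `[0-4]`, `zzz999` is refused because neither holds, `fp77` is refused by the blacklist term and by the negated term, and a user the endpoint does not know is refused because the provider raised. Whatever the real authorizer's term grammar turns out to be, the point to verify in your deployment is the last one: an endpoint outage or a malformed response must not be indistinguishable from "authorized".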