You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Next »

Next Step:

SHRINE 4.1.0 Appendix A.9 - Starting and Stopping the Software

If you want to use authorization, you must first add the following configuration to shrine.conf, after the existing shrine block:

shrine {

...

}
... 
shrine.config.authorizer.requireAuthorization = "true"
shrine.webclient.ssoLogoutUrl = "https://<your hostname>/shrine-api/authorizer/logout"
shrine.config.authorizer.shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=<return URL provided by your idP>"


You have the option to tailor the non-authorized message to your needs: uncomment this line and insert the desired text:

 // shrine.webclient.unauthorizedMessage = "You currently do not have access to SHRINE. Please contact your institution's SHRINE administrator for more information."



The authorization system works with any number of individually configured attribute providers which each generate "attributes".  Further, a single authorization provider, also configured here, will determine based on the provided attributes whether the user is authorized or not. Beyond the configuration items above, the config file has the following overall structure:

shrine.config.authorizer : {

  unauthorizedUrl = "/shrine-api/shrine-webclient?isAuth=false"

  attributeProviders :
  [  
    {...}
    {...}
    {...}
  ],
  authorizer : {
    ...
  }
}

The information gathered by the attribute providers will have the following shape, where each "attribute type" corresponds to an AttributeProvider class. AttributeProvider classes in turn generate a list of attributes, each with one or more values. The authorizer class will use this data to decide whether to authorize the user or not.

* {
   *   attribute type 1 -> {
   *     attribute 1 -> [value 1, value 2, ...],
   *     attribute 2 -> [value 1, value 2, ...],
   *     ...
   *   },
   *   attribute type 2 -> {
   *     attribute 1 -> [value 1, value 2, ...],
   *     attribute 2 -> [value 1, value 2, ...],
   *     ...
   *   },
   *   ...
   * }

The system comes with 3 AttributeProviders and 3 Authorizers, ready to be used. If you want to create your own, this requires a bit more legwork than can easily be described here. Contacting us would be the best option.

Let's start with the attribute providers.

The WhiteBlackListAttrProvider queries a database's table pf whitelisted and blacklisted users. Its typical configuration follows.

{
      class = net.shrine.authz.providerService.attributes.WhiteBlackListAttrProvider
      name = wb-list,
      // DB config here should correspond to tomcat's Resource in its context.xml
      database: {
        dataSourceFrom = "JNDI"
        jndiDataSourceName = "java:comp/env/jdbc/blackWhiteTableDB"
        timeout = "30 seconds"
        createTablesOnStart = false
      }
    }

And it generates attributes of this shape:

    wb-list: -> {
              isBlack -> (true/false},
              isWhite -> (true/false}
                }

The following attribute provider fetches data from a remote URL and extracts attributes from that data by using Regexes:

    {
      class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
      name = profiles_faculty_type_and_id
      url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
      userIdPlaceHolder="{userId}"
      attributeRegexes : [
        {
          name = "person-id"
          regex = "PersonID=\"([0-9]+)\""
        }
        {
          name = "faculty_type"
          regex = "<Affiliation Primary=\"true\">.*?FacultyTypeSort=\"(.)\""
        }
      ]
    }

The attributes generated by an EndpointAttrProvider as configured above will have this shape:

profiles_faculty_type_and_id -> {
   person-id: [...]
   faculty_type: [...]
}
  



    



    
    {
      class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
      name = profiles_everything
      url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
      userIdPlaceHolder="{userId}"
      attributeRegexes : [
        {
          name = "everything"
          regex = "(.+)"
        }
      ]
    }
    {
      class = net.shrine.authz.providerService.attributes.RequestHeadersAttrProvider
      name = headers,
      headerNames :
        [
           AJP_userId
           AJP_email
           AJP_firstName
           AJP_lastName
        ]
      }
  ],

  authorizer : {
    name : net.shrine.authz.providerService.authorize.HmsAuthorizer
  }

  ////////////////////////////////////////////////////////////
  // example of an alternate authorizer: RegexAuthorizer    //
  ////////////////////////////////////////////////////////////
  authorizer : {
      name : net.shrine.authz.providerService.examples.RegexAuthorizer
      regexTerms :
          [
             "wb-list.isBlack.false"
             "(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])"
             "!(fp77)"
          ]

    }

}



  • No labels