Next Step:
SHRINE 4.1.0 Appendix A.9 - Starting and Stopping the Software
If you want to use authorization, you must first add the following configuration to shrine.conf, after the existing shrine block:
shrine {
...
}
...
shrine.config.authorizer.requireAuthorization = "true"
shrine.webclient.ssoLogoutUrl = "https://<your hostname>/shrine-api/authorizer/logout"
shrine.config.authorizer.shibLogoutUrl = "https://<your hostname>/Shibboleth.sso/Logout?return=<return URL provided by your idP>"
You have the option to tailor the non-authorized message to your needs: uncomment this line and insert the desired text:
// shrine.webclient.unauthorizedMessage = "You currently do not have access to SHRINE. Please contact your institution's SHRINE administrator for more information."
The authorization system works with any number of individually configured attribute providers which each generate "attributes". Further, a single authorization provider, also configured here, will determine based on the provided attributes whether the user is authorized or not. Beyond the configuration items above, the config file has the following overall structure:
shrine.config.authorizer : {
unauthorizedUrl = "/shrine-api/shrine-webclient?isAuth=false"
attributeProviders :
[
{...}
{...}
{...}
],
authorizer : {
...
}
}
The information gathered by the attribute providers will have the following shape, where each "attribute type" corresponds to an AttributeProvider class. AttributeProvider classes in turn generate a list of attributes, each with one or more values. The authorizer class will use this data to decide whether to authorize the user or not.
* {
* attribute type 1 -> {
* attribute 1 -> [value 1, value 2, ...],
* attribute 2 -> [value 1, value 2, ...],
* ...
* },
* attribute type 2 -> {
* attribute 1 -> [value 1, value 2, ...],
* attribute 2 -> [value 1, value 2, ...],
* ...
* },
* ...
* }
The system comes with 3 AttributeProviders and 3 Authorizers, ready to be used. If you want to create your own, this requires a bit more legwork than can easily be described here. Contacting us would be the best option.
Let's start with the attribute providers.
The WhiteBlackListAttrProvider queries a database's table of whitelisted and blacklisted users. Its typical configuration follows.
{
class = net.shrine.authz.providerService.attributes.WhiteBlackListAttrProvider
name = wb-list,
// DB config here should correspond to tomcat's Resource in its context.xml
database: {
dataSourceFrom = "JNDI"
jndiDataSourceName = "java:comp/env/jdbc/blackWhiteTableDB"
timeout = "30 seconds"
createTablesOnStart = false
}
}
Note that the table and column names are not configurable. The db table must be named "bw_user" and the columns "ssoId", "whitelisted", and "blacklisted". As configured above, the database name is "blackWhiteTableDB"; but it could be configured to another name. Also, the context.conf file in the tomcat configuration must contain must contain the following:
<Resource name="jdbc/blackWhiteTableDB" auth="Container" type="javax.sql.DataSource"
maxTotal="128" maxIdle="32" maxWaitMillis="10000"
username="shrine" password="demouser" driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/blackWhiteTableDB?serverTimezone=UTC"
testOnBorrow="true" validationQuery="SELECT 1"/>
It generates attributes of this shape:
wb-list: -> {
isBlack -> (true/false},
isWhite -> (true/false}
}
The following attribute provider fetches data from a remote URL and extracts attributes from that data by using Regexes. As an example is extracts 2 attributes, person_id and faculty_type:
{
class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
name = profiles_faculty_type_and_id
url = ".....{userId}....."
userIdPlaceHolder="{userId}"
attributeRegexes : [
{
name = "person-id"
regex = "PersonID=\"([0-9]+)\""
}
{
name = "faculty_type"
regex = "<Affiliation Primary=\"true\">.*?FacultyTypeSort=\"(.)\""
}
]
}
The attributes generated by an EndpointAttrProvider as configured above will have this shape:
profiles_faculty_type_and_id -> {
person-id: [...]
faculty_type: [...]
}
As an example, the same attribute provider class could be configured as follows
{
class = net.shrine.authz.providerService.attributes.EndpointAttrProvider
name = profiles_everything
url = "https://connects.catalyst.harvard.edu/API/Profiles/Public/ProfilesDataAPI/getPeople/xml/ecommonsList/{userId}/columns/affiliation"
userIdPlaceHolder="{userId}"
attributeRegexes : [
{
name = "everything"
regex = "(.+)"
}
]
}
The attributes generated by an EndpointAttrProvider as configured above will have this shape, where "everything" will contain the entire payload from the call to the 3rd party end-point
profiles_everything -> {
everything: [...]
}
Another attribute provider extracts values from the HTTP request headers:
{
class = net.shrine.authz.providerService.attributes.RequestHeadersAttrProvider
name = headers,
headerNames :
[
AJP_userId
AJP_email
AJP_firstName
AJP_lastName
]
}
Finally the authorizer is named and configured. In the present case, the HmsAuthorizer, which makes use of the attributes generated by a WhiteBlackListAttrProvider and a REST call to the HMS profiles service.
authorizer : {
name : net.shrine.authz.providerService.authorize.HmsAuthorizer
}
A more flexible authorizer could be the following. It concatenates all the received attributes and values, and then applies any number of Regexes to it. Authorization is granted if all regexes find a match.
////////////////////////////////////////////////////////////
// example of an alternate authorizer: RegexAuthorizer //
////////////////////////////////////////////////////////////
authorizer : {
name : net.shrine.authz.providerService.examples.RegexAuthorizer
regexTerms :
[
"wb-list.isBlack.false"
"(wb-list.isWhite.true)|(profiles_faculty_type_and_id.faculty_type.[0-4])"
"!(fp77)"
]
}
Overview
Content Tools