This specifies an interface for performing authorization and auditing. User can write an implementation of this interface and control the authorization at the Jaguar Package level, Web Application, Application level or Server level. An example of authorization, could be a time based authorization service. For instance, only a select group of users can be permitted to access a resource over the weekend, and during other times, they are not allowed to.
The component type can be one of the following only:
The component must be a stateless component in order to support refresh.
To configure an authorization service at the server level, set the property com.sybase.jaguar.server.authorization.service to the URL by which to access that Jaguar component that implements this service.
To configure an authorization service at the package level, set the property com.sybase.jaguar.package.authorization.service to the name of the URL by which to access the component that implements this interface.
To configure an authorization service at the web application level, set the property com.sybase.jaguar.webapplication.authorization.service to the URL by which to access the component that implements this interface.
To configure an authorization service at the application level, set the property com.sybase.jaguar.application.authorization.service to the URL by which to access the component that implements this interface.
Multiple Packages, WebApplications or Applications may share the same authorization service, by simply setting the same value for the authorization service component. The server will load only 1 instance of the component.
There are 2 accepted forms for the URL.
For example, to set the authorization service at the server level, set the server level property to com.sybase.jaguar.server.authorization.service=Security/Authorizer assuming, Security is the name of the Jaguar package that containing a Jaguar component called Authorizer that implements this interface.
Components implemented for pseudo component access, must be thread safe. Pseudo components cannot be refreshed. Hence, a server refresh, or refresh of the component using the Jaguar Manager, will not have any effect on the refresh on the authorization service. You must restart the Jaguar Server if there is a need to refresh the authorization service component. For more information on Jaguar Pseudo components, please refer to your Jaguar documentation.
For performance, the authorization service component may be implemented as a pseudo C++ CORBA component.
A special value for the URL is NONE. This value is used to disable the authorization service component at a component or servlet level. The following conditions however apply:
If an authorization service is defined at the server level, then applications that do not want to utilize the authorization service can set the URL to NONE. All packages and web applications belonging to this application will then ignore the server-wide authorization service.
If an authorization service is defined at the server level, and stand-alone packages or web application do not wish to utilize the server-wide authorization component, then the value NONE may be set for the URL at the package or web application level. The authorization service is then ignored for all components belonging to this package, and for all servlets contained in the web application.
NOTE: The check for NONE is case-insensitive.
Checks if the client is authorized to access a resource. The client's credentials can be obtained from sessionInfo.
boolean isAuthorized ( in CtsSecurity::SessionInfo si, in CtsSecurity::StringSeq resource, in CtsSecurity::StringSeq roles, in boolean isMember, in long lastUsedTime );
resource is the entity the client is trying to access. The resource is represented as an ordered array strings, each string representing a scoped entity. A string starts with an entity prefix. The table below lists the possible values for the prefix and its meaning.
Prefix | Description |
---|---|
A: | Application |
WA: | Web Application |
P: | Package |
C: | Component |
M: | Method |
S: | Servlet |
HM: | HTTP Method (GET, PUT... ) |
URL: | complete URL being accessed. |
For example, if the resource being accessed is a servlet or a JSP page, then the array might contain the following string sequence: A:ApplicationName; WA:Web Application Name; S: servlet name; HM:http method; URL: http url including query string (if any) assuming the servlet is part of an web application, which is part of an application.
roles lists all the roles associated with the resource (if any). Jaguar will check the role membership, and if the user is in at least one of the roles, then the authorization check is assumed to have succeeded. This method is still invoked, the caller can audit the resource access. isMember is set to true to indicate that the authorization succeeded.
If however, user is not a member of all the roles, then isMember is set to false. This method should then determine whether to authorize the client.
lastUsedTime is the time difference in seconds, since the last time this method was invoked for this particular user and resource combination. This value can be used by the authorization component logic to determine whether to re-audit frequently occurring events. A value of zero (0), implies that the isMember was not determined from the internal permission cache. A positive value indicates that the isMember was determined from the internal permission cache. lastUsedTime will always be less than or equal to the server wide authorization permission cache timeout value (see property com.sybase.jaguar.server.authorization.permcachetimeout).
Returns true if the user should be allowed access to the resource. Returns false otherwise.