Chapter 35 Role and Authorization Service Components

Using the authorization service

You can install your own service component to authorize clients to access resources (packages, Web applications, or applications) on any Jaguar server. The component must implement the CtsSecurity::AuthorizationService IDL interface, and be stateless to support refresh. It must be one of:

Java CORBA
PowerBuilder NVO
C++ CORBA
COM

There are two accepted forms of the URL:

For all component types, the URL can be set to the JaguarPackage/JaguarComponent and the component must be installed in the server.
For example, to set the authorization service at the server level, set the server level property to:

com.sybase.jaguar.server.authorization.service =Security/Authorizer

Where Security is the name of the Jaguar package that contains a Jaguar component called Authorizer that implements this interface.
Java CORBA and C++ CORBA components can be accessed using the pseudocomponent object URL. The syntax for a Java pseudocomponent is:
```
pseudo://java/JavaClass/JaguarPackage/JaguarComponent
```
The syntax for a C++ pseudocomponent is:
```
pseudo://cpp/SharedLibraryName/JaguarPackage/JaguarComponent
```
You can also set the authorization service property to the pseudocomponent object URL. For example, the server-level authorization service to:
```
pseudo://cpp/libAuthorizer/Security/Authorizer 
```
where libAuthorizer is the name of the shared library that contains the C++ Security/Authorizer component's implementation.

Components implemented for pseudocomponent access must be thread-safe, and you must restart the Jaguar server to refresh the component.

For more information on Jaguar pseudocomponents, see Chapter 34, "Creating and Using Jaguar Pseudocomponents".

Usage

                    interface AuthorizationService {
                         boolean isAuthorized( 
                                 in CtsSecurity::SessionInfo sessionInfo, 
                                 in StringSeq resource,
                                 in StringSeq roles,
                                 in boolean isMember, 
                                  in long permTimeDelta);

isAuthorized checks if the client is authorized to access a resource. The client's credentials can be obtained from sessionInfo.

resource is the entity the client is trying to access. The resource is represented as an ordered array of strings, and each string represents a scoped entity. A string starts with one of these prefixes:

A: - application
WA: - Web application
P: - package
C: - component
M: - method
S: - servlet
HM: - HTTP method (GET, PUT, POST, and so on)

For example, if the resource being accessed is a servlet or a JSP that belongs to a Web application, which belongs to an application, then the array might contain the following string sequence:

A:ApplicationName; WA:WebApplicationName; S:servletName; HM:httpMethod;

roles lists all the roles associated with the resource (if any). Jaguar checks the role membership, and if the user is in at least one of the roles, the authorization check succeeds. isAuthorized is still invoked, and the caller can audit the resource access. status is set to AUTH_OK to indicate that the authorization succeeded.

If the user is not a member of all the roles, then status is set to AUTH_FAILED. isAuthorized then determines whether to authorize the client. isAuthorized returns true if the user is allowed access to the resource, and returns false otherwise.

permTimeDelta is the time difference in seconds, since the last time isAuthorized was invoked for this particular user and resource combination. This value can be used by the authorization component logic to determine whether to audit the event. A value of zero (0) implies that the isMember was not determined from the internal permission cache. A positive value indicates that the isMember was determined from the internal permission cache. permTimeDelta is always less than or equal to the server-wide authorization permission cache timeout value (see the com.sybase.jaguar.server.authorization.permcachetimeout property).

For more information, see the documentation for the CtsSecurity::AuthorizationService IDL interface.

Enabling the authorization service

You can write an implementation of the interface and control the authorization at the Jaguar package, Web application, or application level. Use Jaguar Manager to install the authorization service component in the server. Refer to Chapter 33, "Creating Service Components" for information about service components. Use Jaguar Manager to enable the authorization service. There are two ways in which you can make the authorization service available to all components on your Jaguar server:

Allow multiple packages, Web applications, or applications to share the same authorization service by setting the same value for the authorization service component. If the application utilizes a particular authorization service, then all components accessed by the application also utilize the same authorization service. To configure an authorization service:
- At the package level, set the com.sybase.jaguar.package.authorization.service property to the name of the component that implements this interface in the All Properties tab of the Package Properties window.
- At the Web application level, set the com.sybase.jaguar.webapplication.authorization.service property to the name of the component that implements this interface in the All Properties tab of the Web Applications Properties window.
- At the application level, set the com.sybase.jaguar.application.authorization.service property to the name of the component that implements this interface in the All Properties tab of the Applications Properties window.
Enable the interface on the entire server. Set the com.sybase.jaguar.server.authorization.service property to the name of the Jaguar component that implements this interface in the All Properties tab of the Server Properties window. Packages, Web applications, and applications can utilize the authorization service.