Creating the authorization service

An authorization service component must implement the CtsSecurity::AuthorizationService IDL interface, and be stateless to support refresh. It must be one of:

• Java CORBA

• PowerBuilder Non-Visual User Object (NVO)

• C++ CORBA

• Component Object Model (COM)

                    interface AuthorizationService {
                         boolean isAuthorized( 
                                 in CtsSecurity::SessionInfo sessionInfo, 
                                 in StringSeq resource,
                                 in StringSeq roles,
                                 in boolean isMember, 
                                  in long permTimeDelta);

isAuthorized checks if the client is authorized to access a resource. The client’s credentials can be obtained from sessionInfo.

resource is the entity the client is trying to access. The resource is represented as an ordered array of strings, and each string represents a scoped entity. A string starts with one of these prefixes:

• A: – application

• WA: – Web application

• P: – package

• C: – component

• M: – method

• S: – servlet

• HM: – HTTP method (GET, PUT, POST, and so on)

For example, if the resource being accessed is a servlet or a JSP that belongs to a Web application, which belongs to an application, then the array might contain the following string sequence:

A:ApplicationName; WA:WebApplicationName; S:servletName; HM:httpMethod; 

roles lists all the roles associated with the resource (if any). The server first checks if the role is defined in the repository. If the role is defined, then membership checks are performed and if the user is in at least one of the roles, the authorization check succeeds. isAuthorized is still invoked, and the caller can audit the resource access. isMember is set to AUTH_OK to indicate that the authorization succeeded. If a role is not defined, it is assumed that the user is not a member of the role.

If the user is not a member of all the roles, then isMember is set to AUTH_FAILED. isAuthorized then determines whether to authorize the client. isAuthorized returns true if the user is allowed access to the resource, and returns false otherwise.

permTimeDelta is the time difference in seconds, since the last time isAuthorized was invoked for this particular user and resource combination. This value can be used by the authorization component logic to determine whether to audit the event. A value of zero (0) implies that the isMember was not determined from the internal permission cache. A positive value indicates that the isMember was determined from the internal permission cache. permTimeDelta is always less than or equal to the server-wide authorization permission cache timeout value (see the com.sybase.jaguar.server.authorization.permcachetimeout property).

For more information, see the generated documentation for the CtsSecurity::AuthorizationService IDL interface.