The Documentation for Project Zero has moved. Please update your bookmarks to: http://www.projectzero.org/documentation/

Extending security

Project Zero security leverages the flexible event-based system to make it easy to add your own security implementations. With this flexibility, you can implement your own request processing event handlers for the secure and authorize events. For more information on the secure and authorize events, see the Application life cycle events section of the Event processing article. The following sections of this article describe how you can extend security.

Secure event processing

The following table summarizes the sub-events, in order, that Project Zero runs during security processing of the secure event:

| Event name | Description | Maximum number of handlers invoked | Early termination criteria | Reaction to exceptions |
|---|---|---|---|---|
| <authType>Secure | Perform authentication check based on authType | 1 | /request/status is set | Return status code 500; skip to the log event |
| authorize | Perform authorization checks | No limit | /event/isAuthorized is set to true | Return status code 500; skip to the log event |

Extending authentication

To implement authentication, use the following steps:

  1. Choose a name for your authentication scheme; this is the value specified in the security rules as authType.
  2. Implement a handler for the event name <authType>Secure.
  3. Register your handler for that event name in the configuration file of your library or application.

For example, if your authType is digest, you would implement a handler with the method onDigestSecure and add the following stanza to the configuration file:

/config/handlers += [{
   "events" : "digestSecure",
   "handler" : "com.myimpl.DigestSecurityHandler.class"
}]

This event is run by the global security handler after performing the requireSSL check. It allows you to use your handler with the standard security rules.
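As an added illustration, not code from the Project Zero documentation or the project itself, here is what the com.myimpl.DigestSecurityHandler registered in the stanza above might look like. Its onDigestSecure method checks an RFC 2617 Digest Authorization header (qop="auth") against a constructed in-memory store of HA1 values, and when the check fails it sets /request/status to 401 together with a WWW-Authenticate challenge, which ends secure processing as the table describes. Only /request/status and the handler/method names come from this page; the zero.core.context.GlobalContext zget/zput calls, the /request/method, /request/headers/in and /request/headers/out paths, the /event/principal location, the realm name and the sample user are assumptions.

```java
package com.myimpl;  // package taken from the page's configuration stanza

import java.math.BigInteger;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import zero.core.context.GlobalContext;  // assumed: static zget(String) / zput(String, Object)

/**
 * Handler for the "digestSecure" sub-event, reached when a security rule names
 * authType "digest". Per the page's table, at most one handler runs for
 * <authType>Secure, and setting /request/status ends the secure event.
 */
public class DigestSecurityHandler {

    private static final String REALM = "zero-example";         // assumption
    private static final long NONCE_TTL_MS = 5 * 60 * 1000L;    // challenges expire after 5 minutes
    private static final Charset ASCII = Charset.forName("US-ASCII");
    private static final SecureRandom RANDOM = new SecureRandom();

    // Constructed sample user store: user -> HA1 = MD5(user:realm:password).
    private static final Map<String, String> HA1_BY_USER = new HashMap<String, String>();
    static {
        HA1_BY_USER.put("alice", md5Hex("alice:" + REALM + ":correct horse"));
    }

    // Nonces this handler issued, with issue time, so a response must answer a live challenge.
    private static final Map<String, Long> ISSUED_NONCES = new ConcurrentHashMap<String, Long>();

    // key="quoted value" or key=token pairs following "Digest "
    private static final Pattern PARAM = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))");

    /** Entry point for the digestSecure event (method name as the page prescribes). */
    public void onDigestSecure() {
        String header = (String) GlobalContext.zget("/request/headers/in/Authorization"); // assumed path
        String method = (String) GlobalContext.zget("/request/method");                   // assumed path
        String user = authenticatedUser(header, method);
        if (user == null) {
            challenge();   // sets /request/status, which terminates the secure event
        } else {
            GlobalContext.zput("/event/principal", user);   // hypothetical location for the principal
        }
    }

    /** Returns the user name when the header is a valid qop="auth" Digest response, else null. */
    static String authenticatedUser(String header, String method) {
        if (header == null || method == null || !header.regionMatches(true, 0, "Digest ", 0, 7)) {
            return null;
        }
        Map<String, String> p = parseParams(header.substring(7));
        String user = p.get("username"), nonce = p.get("nonce"), uri = p.get("uri");
        String nc = p.get("nc"), cnonce = p.get("cnonce"), response = p.get("response");
        if (user == null || nonce == null || uri == null || nc == null || cnonce == null
                || response == null || !REALM.equals(p.get("realm")) || !"auth".equals(p.get("qop"))) {
            return null;
        }
        Long issued = ISSUED_NONCES.get(nonce);
        if (issued == null || System.currentTimeMillis() - issued > NONCE_TTL_MS) {
            ISSUED_NONCES.remove(nonce);   // unknown or stale nonce: force a fresh challenge
            return null;
        }
        String ha1 = HA1_BY_USER.get(user);
        if (ha1 == null) {
            return null;                   // unknown user; the caller re-challenges
        }
        String ha2 = md5Hex(method + ":" + uri);
        String expected = md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
        // constant-time comparison of the two hex digests
        boolean ok = MessageDigest.isEqual(expected.getBytes(ASCII),
                                           response.toLowerCase().getBytes(ASCII));
        return ok ? user : null;
    }

    /** Issue a fresh nonce and a 401 challenge; setting the status ends secure processing. */
    private static void challenge() {
        String nonce = new BigInteger(128, RANDOM).toString(16);
        ISSUED_NONCES.put(nonce, System.currentTimeMillis());
        GlobalContext.zput("/request/headers/out/WWW-Authenticate",                     // assumed path
                "Digest realm=\"" + REALM + "\", qop=\"auth\", nonce=\"" + nonce + "\"");
        GlobalContext.zput("/request/status", 401);
    }

    static Map<String, String> parseParams(String s) {
        Map<String, String> out = new HashMap<String, String>();
        Matcher m = PARAM.matcher(s);
        while (m.find()) {
            out.put(m.group(1).toLowerCase(), m.group(2) != null ? m.group(2) : m.group(3));
        }
        return out;
    }

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(Charset.forName("UTF-8")));
            return String.format("%032x", new BigInteger(1, d));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The handler never sets /request/status on success, so the secure event continues to the authorize sub-event as the table shows; on failure it sets the status itself rather than throwing, because an exception would produce a 500 and skip straight to the log event. The nonce table is per JVM and does not track the nc counter, so a response replayed with the same nonce inside the TTL is still accepted; a production handler would record the highest nc seen per nonce.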

Extending authorization

To implement a custom authorization handler, create a handler with a method named onAuthorize, then define the appropriate application handler stanza. Note that whereas the <authType>Secure event can only be associated with one handler, the authorize event allows multiple handlers to be registered in addition to the default authorization handler that is provided as part of Project Zero security. Depending on the rules that are matched for the request, one or more handlers could be run for the authorize event. Once a handler sets the value isAuthorized to true in the event zone, processing of additional handlers is terminated.

Defining a custom authorization handler

In the following example, the custom authorization handler checks whether the custom event handler data myCustomSetOfRoles matches ADMIN and, if so, authorizes the user to view this resource:

/config/handlers += [{
   "events" : "authorize",
   "handler" : "zero.core.security.auth.CustomAuthorizationHandler.class",
   "conditions" : "/request/path =~ /formauth/subject(/.*)?",
   "instanceData" : {
               "myCustomSetOfRoles" : "ADMIN"
            }
}]

Because there are no explicit definitions of user, group or role in the security constraint, the default authorization handler does not authorize this user.
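Here is an added example, not the page's or Project Zero's own code, of a handler that the stanza above could name (with "handler" pointing at com.myimpl.CustomAuthorizationHandler.class instead of the zero.core.security.auth package). Its onAuthorize method compares the roles listed in the stanza's myCustomSetOfRoles instance data with the roles of the authenticated user and sets /event/isAuthorized to true on a match; otherwise it leaves the event zone untouched, so the default authorization handler still gets its say and a deny here cannot override a grant elsewhere. /event/isAuthorized and myCustomSetOfRoles come from the page; the GlobalContext zget/zput calls and the /event/instanceData/... and /user/roles paths are assumptions. It goes slightly beyond the page by accepting a comma-separated list of roles rather than the single value ADMIN.

```java
package com.myimpl;  // hypothetical package, as in the page's digestSecure example

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import zero.core.context.GlobalContext;  // assumed: static zget(String) / zput(String, Object)

/**
 * Custom handler for the "authorize" event. Several authorize handlers may run
 * for one request; this one only ever sets /event/isAuthorized to true (which
 * stops further authorize handlers) and never writes false, so a miss here falls
 * through to the default authorization handler instead of overriding it.
 */
public class CustomAuthorizationHandler {

    // Where this example expects the stanza's instanceData and the authenticated
    // user's roles to be visible in the Global Context: both paths are assumptions.
    static final String REQUIRED_ROLES_PATH = "/event/instanceData/myCustomSetOfRoles";
    static final String USER_ROLES_PATH = "/user/roles";

    /** Entry point for the authorize event (method name as the page prescribes). */
    public void onAuthorize() {
        if (Boolean.TRUE.equals(GlobalContext.zget("/event/isAuthorized"))) {
            return;   // an earlier handler already granted access
        }
        Set<String> required = parseRoles(GlobalContext.zget(REQUIRED_ROLES_PATH));
        Collection<?> held = asCollection(GlobalContext.zget(USER_ROLES_PATH));
        if (isAuthorized(required, held)) {
            GlobalContext.zput("/event/isAuthorized", Boolean.TRUE);
        }
    }

    /** Grant only when the user holds at least one required role; an empty requirement never grants. */
    static boolean isAuthorized(Set<String> required, Collection<?> held) {
        if (required.isEmpty() || held == null) {
            return false;   // fail closed on missing configuration or an unauthenticated request
        }
        for (Object role : held) {
            if (role != null && required.contains(role.toString().trim().toUpperCase())) {
                return true;
            }
        }
        return false;
    }

    /** "ADMIN" or "ADMIN, AUDITOR" becomes {ADMIN, AUDITOR}; blanks are ignored. */
    static Set<String> parseRoles(Object value) {
        Set<String> out = new HashSet<String>();
        if (value == null) {
            return out;
        }
        for (String part : value.toString().split(",")) {
            String role = part.trim().toUpperCase();
            if (role.length() > 0) {
                out.add(role);
            }
        }
        return out;
    }

    /** The user service may expose roles as a collection or as one comma-separated string. */
    private static Collection<?> asCollection(Object value) {
        if (value instanceof Collection) {
            return (Collection<?>) value;
        }
        if (value == null) {
            return Collections.emptyList();
        }
        return parseRoles(value);
    }
}
```

With the stanza's conditions clause, this handler runs only for paths under /formauth/subject, and for those requests the decision logic in isAuthorized is what grants ADMIN users access; every other outcome is left to the default handler, which, as the page notes, denies when the security constraint names no user, group or role.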

r16 - 29 Jan 2008 - 18:13:24 - todkap
Copyright 2007 © IBM Corporation