This section contains information on how to write a custom Agent Validator, what it is and when it makes sense to do it.

What is an Agent Validator

An Agent Validator is a kind of plugin to the Agent which does custom authorization checking: it is a piece of code that handles validating permissions and checking group membership, as well as retrieving the available ACL or group names.

When to Create Your Own

Unless you specify otherwise, dk.itp.security.passticket.DefaultValidator is used, and its implementation should be enough in most cases. If you need additional functionality, please contact us first to see whether it can be fitted into the existing concept; only in rare cases will you need to create your own validator.

Some cases might include setups where you do not have RBAC (Role-Based Access Control) because you do not have roles but need other types of permissions, e.g. permissions stored on the user at the point of login and used for simulated group checking.

What Interfaces to Implement

The validator can implement one or more of a number of interfaces. Since the agents need to work with earlier Java versions, default methods in the interfaces are unfortunately not possible; instead there are different interfaces you can implement depending on the functionality you need. Our strategy has been to add new interfaces with new methods for new functionality, so that all existing implementations of the existing interfaces keep working.

...

IExtendedAgentValidator2:

```java
package dk.itp.security.passticket;

/**
 * Adds even more fine-grained methods to a validator - allows separating permission checks per identifier.
 *
 * @author Kim Rasmussen
 * @version $Revision$
 *
 * <pre>
 * Ceptor - http://ceptor.io
 * Copyright(c) 2017, Asseco Denmark A/S, All rights reserved.
 *
 * This source code is confidential.
 * </pre>
 */
public interface IExtendedAgentValidator2 extends IExtendedAgentValidator {
	/**
	 * Checks if the user has permission to the acl / resource, taking into account the additional data delivered, e.g. for data based authorization.
	 *
	 * @param agent Instance of the agent performing the check
	 * @param user User/Session
	 * @param identifier Identifier used to separate different ACL entries for different applications - use null for default
	 * @param aclName ACL name to check
	 * @param sessionID Session ID
	 * @param additionalData Application specific data
	 * @return true if access is allowed, false if not
	 * @throws PTException Thrown if an error occurs
	 * @throws dk.itp.security.authorization.client.AdditionalDataRequiredException Thrown if additional data is required
	 * @throws AclNotFoundException Thrown if the specified ACL was not found
	 */
	boolean checkPermission(IAgent agent, User user, String identifier, String aclName, String sessionID, Object additionalData) throws PTException;

}
```
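As an added illustration, not Ceptor's own code and not the example the "Example code" section below refers to, the following stand-alone Java program shows how a validator can honour the checkPermission contract above: ACL entries are kept per identifier with null as the default scope, group membership is checked first, and an ACL that needs data-based authorization throws AdditionalDataRequiredException when additionalData is missing. The IAgent, User and exception types are stand-ins constructed for this example; a real validator uses the agent's own types and must also implement the other methods of IExtendedAgentValidator, which this page does not show. The fallback from a missing identifier-scoped entry to the default scope is an assumption of the example, not something the page specifies.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Stand-in types, constructed for this example only. A real validator uses the
// agent's own IAgent, User, PTException, AdditionalDataRequiredException and
// AclNotFoundException instead of these.
interface IAgent { }

class PTException extends Exception {
    PTException(String msg) { super(msg); }
}

class AdditionalDataRequiredException extends PTException {
    AdditionalDataRequiredException(String msg) { super(msg); }
}

class AclNotFoundException extends PTException {
    AclNotFoundException(String msg) { super(msg); }
}

/** Minimal user/session stand-in: a user id plus the groups the user belongs to. */
class User {
    final String userId;
    final Set<String> groups;
    User(String userId, Set<String> groups) { this.userId = userId; this.groups = groups; }
}

/** Example validator: ACL entries are kept per identifier, with null as the default scope. */
public class DataScopedValidator {
    /** One ACL entry: the groups allowed, and whether the caller must own the record. */
    static final class AclEntry {
        final Set<String> allowedGroups;
        final boolean requiresOwnerMatch;
        AclEntry(Set<String> allowedGroups, boolean requiresOwnerMatch) {
            this.allowedGroups = allowedGroups;
            this.requiresOwnerMatch = requiresOwnerMatch;
        }
    }

    private final Map<String, AclEntry> acls = new HashMap<String, AclEntry>();

    /** Registers an ACL under an identifier; identifier null is the default scope. */
    public void addAcl(String identifier, String aclName, Set<String> groups, boolean requiresOwnerMatch) {
        acls.put(key(identifier, aclName), new AclEntry(groups, requiresOwnerMatch));
    }

    private static String key(String identifier, String aclName) {
        return (identifier == null ? "<default>" : identifier) + "/" + aclName;
    }

    /** Same signature as IExtendedAgentValidator2.checkPermission; agent and sessionID are unused here. */
    public boolean checkPermission(IAgent agent, User user, String identifier, String aclName,
                                   String sessionID, Object additionalData) throws PTException {
        AclEntry entry = acls.get(key(identifier, aclName));
        if (entry == null && identifier != null) {
            // Assumed policy: an application without its own entry falls back to the default scope.
            entry = acls.get(key(null, aclName));
        }
        if (entry == null) {
            throw new AclNotFoundException("no ACL '" + aclName + "' for identifier " + identifier);
        }
        // Group membership check first; deny if the user is in none of the allowed groups.
        boolean inGroup = false;
        for (String g : entry.allowedGroups) {
            if (user.groups.contains(g)) { inGroup = true; break; }
        }
        if (!inGroup) {
            return false;
        }
        // Data-based authorization: the decision depends on which record is being accessed,
        // so the application must pass the record owner as additionalData.
        if (entry.requiresOwnerMatch) {
            if (additionalData == null) {
                throw new AdditionalDataRequiredException("ACL '" + aclName + "' needs the record owner");
            }
            return user.userId.equals(String.valueOf(additionalData));
        }
        return true;
    }

    private static Set<String> groups(String... names) {
        return new HashSet<String>(Arrays.asList(names));
    }

    public static void main(String[] args) throws PTException {
        DataScopedValidator v = new DataScopedValidator();
        v.addAcl(null, "viewOrders", groups("sales"), false);        // default scope
        v.addAcl("billing", "viewOrders", groups("finance"), true);  // billing app: finance only, owner-matched
        User alice = new User("alice", groups("sales"));
        User bob = new User("bob", groups("finance"));

        System.out.println(v.checkPermission(null, alice, null, "viewOrders", "s1", null));
        System.out.println(v.checkPermission(null, alice, "billing", "viewOrders", "s1", "bob"));
        System.out.println(v.checkPermission(null, bob, "billing", "viewOrders", "s1", "bob"));
        try {
            v.checkPermission(null, bob, "billing", "viewOrders", "s1", null);
        } catch (AdditionalDataRequiredException e) {
            System.out.println("additional data required: " + e.getMessage());
        }
        try {
            v.checkPermission(null, bob, "billing", "deleteOrders", "s1", null);
        } catch (AclNotFoundException e) {
            System.out.println("acl not found: " + e.getMessage());
        }
    }
}
```

The order of checks matters: a cheap group-membership denial comes before the data-based check, so an application that forgets to pass additionalData only learns about it for users who are at least in an allowed group, and a caller can never turn a missing ACL into a silent allow, because that case throws rather than returning false.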


Example code

Below is example code for a validator. This validator supports context-dependent authorization and "magic" group names, where the environment name, authorization level etc. can be part of the group name a resource is protected by.

...