Difference between revisions of "ESciDoc Authorization Authentication Architecture"
Jump to navigation
Jump to search
m |
|||
| Line 6: | Line 6: | ||
#The PDP engine provides allow/deny response for the request | #The PDP engine provides allow/deny response for the request | ||
#In case of deny response from the PDP engine the service responses with a security exception to the service requestor | #In case of deny response from the PDP engine the service responses with a security exception to the service requestor | ||
[[Image:img_service_interceptor.jpg]] | [[Image:img_service_interceptor.jpg]] | ||
The figure above gives a very simple example for the authorization mechanism. However, in case when the user requests e.g. a list of items from the ItemService based on a certain filter or query criteria the authorization must be evaluated for each item respectively (note more info from Torsten needed): | |||
The figure above gives a very simple example for the authorization mechanism. However, in case when the user requests e.g. a list of items from the ItemService based on a certain filter or query criteria the authorization must be evaluated for each item | |||
#Item service analyzes the filter/query criteria and creates the internal result list | #Item service analyzes the filter/query criteria and creates the internal result list | ||
Revision as of 12:14, 15 October 2007
Present architecture
At present only core services are secured:
- Each resource handler has built-in service interceptor that is intercepting all requests to the service
- The service interceptor analyzes the request and forwards it to the PDP engine
- The PDP engine provides allow/deny response for the request
- In case of deny response from the PDP engine the service responses with a security exception to the service requestor
The figure above gives a very simple example for the authorization mechanism. However, in case when the user requests e.g. a list of items from the ItemService based on a certain filter or query criteria the authorization must be evaluated for each item respectively (note more info from Torsten needed):
- Item service analyzes the filter/query criteria and creates the internal result list
- for each entry in the result list the PDP engine is consulted for allow/deny response
- all entries from internal result list with allow response are returned back to the service requestor