ESciDoc Authorization Authentication Architecture

From MPDLMediaWiki
Jump to navigation Jump to search

Present architecture

At present only core services are secured:

  1. Each resource handler has built-in service interceptor that is intercepting all requests to the service
  2. The service interceptor analyzes the request and forwards it to the PDP engine
  3. The PDP engine provides allow/deny response for the request
  4. In case of deny response from the PDP engine the service responses with a security exception to the service requestor


Img service interceptor.jpg


The figure above gives a very simple example for the authorization mechanism. However, in case when the user requests e.g. a list of items from the ItemService based on a certain filter or query criteria the authorization must be evaluated for each item respecively. In this case:

  1. Item service analyzes the filter/query criteria and creates the internal result list
  2. for each entry in the result list the PDP engine is consulted for allow/deny response
  3. all entries from internal result list with allow response are returned back to the service requestor
Retrieved from "https://colab.mpdl.mpg.de/mw010/index.php?title=ESciDoc_Authorization_Authentication_Architecture&oldid=3849"