...

scopedAffiliation is made up of two parts, e.g. role@scope. In this use case the scope part needs to be extracted; the role part could be used for greater granularity, such as telling 'staff' from 'student' or 'alum' (there is only a small number of possible role values).

Implementing an authorisation filter

...

package com.sp.example.web.authorisation;

import java.io.IOException;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class Authorise implements Filter {

    /* Session attribute under which the scopedAffiliation values are stored. */
    private static final String SCOPED_AFFILIATION_ATTR =
            "OA_URN_OID_1_3_6_1_4_1_5923_1_1_1_9";

    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure in this example.
    }

    public void destroy() {
        // Nothing to release.
    }

    /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession();
        @SuppressWarnings("unchecked")
        List<String> usersOrganisation = (List<String>) session
                .getAttribute(SCOPED_AFFILIATION_ATTR);

        // Ensure that we have a value before touching the list. (The scope must be
        // extracted inside this check; reading the list first would throw a
        // NullPointerException when the attribute is absent.)
        if (usersOrganisation != null && !usersOrganisation.isEmpty()) {
            // Extract scope from scopedAffiliation (role@scope).
            // This example treats the attribute as single valued.
            String scope = extractScope(usersOrganisation.get(0));

            if (scope != null && this.isAuthorised(scope)) {
                // User is authorised so call next filter in chain.
                chain.doFilter(request, response);
                return;
            }
        }
        // If we are here the user is not authorised.
        // We send a 403, but you will probably want to
        // redirect to an error page.
        res.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /* Returns the part after the '@', or null if the value is not of the form role@scope. */
    private static String extractScope(String scopedAffiliation) {
        if (scopedAffiliation == null) {
            return null;
        }
        int at = scopedAffiliation.indexOf('@');
        if (at < 0 || at == scopedAffiliation.length() - 1) {
            return null;
        }
        return scopedAffiliation.substring(at + 1);
    }

    /* The authorisation logic */
    private boolean isAuthorised(String org) {
        // This list is hard coded but you would
        // derive yours from your customer database.
        Set<String> whiteList = new HashSet<String>(1);
        whiteList.add("examplescope.com");
        return whiteList.contains(org);
    }
}
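The filter above keys on the scope alone and assumes a single value. As an added example (not code from this page or from the Atacama filters), the hypothetical class below parses every role@scope value the Identity Provider sent, rejects malformed ones, and uses the role part for the extra granularity the text mentions; the ALLOWED policy map and the sample values are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public final class ScopedAffiliationCheck {
    // Constructed sample policy: for each allowed scope, the affiliation roles
    // that are granted access. Replace with data from your customer database.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<String, Set<String>>();
    static {
        ALLOWED.put("examplescope.com", new HashSet<String>(Arrays.asList("staff", "student")));
        ALLOWED.put("partner.example.org", new HashSet<String>(Arrays.asList("staff")));
    }

    /** Splits role@scope into {role, scope}; returns null if the value is malformed. */
    static String[] parse(String value) {
        if (value == null) return null;
        int at = value.indexOf('@');
        // Reject an empty role, an empty scope, or more than one '@'.
        if (at <= 0 || at == value.length() - 1 || value.indexOf('@', at + 1) >= 0) {
            return null;
        }
        // Scope is a DNS name and role values are lower case, so compare case-insensitively.
        return new String[] {
            value.substring(0, at).toLowerCase(Locale.ROOT),
            value.substring(at + 1).toLowerCase(Locale.ROOT) };
    }

    /** True if any of the user's scopedAffiliation values grants access. */
    static boolean isAuthorised(List<String> scopedAffiliations) {
        if (scopedAffiliations == null) return false;
        for (String value : scopedAffiliations) {
            String[] parts = parse(value);
            if (parts == null) continue; // skip malformed values; never treat them as a match
            Set<String> roles = ALLOWED.get(parts[1]);
            if (roles != null && roles.contains(parts[0])) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed input: a staff member whose scope differs only in case from the policy.
        System.out.println(isAuthorised(Arrays.asList("staff@ExampleScope.com")));
    }
}
```

In the filter, pass the whole attribute list from the session to isAuthorised instead of only element 0.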

...

  1. User attempts access.
  2. User is not yet authenticated, so the AtacamaAuthFilter redirects the user to their Identity Provider's login page.
  3. The user logs in and is returned.
  4. The AtacamaBaseFilter intercepts the Identity Provider's response and, assuming there are no problems, the subject and user attributes are written to the user session.
  5. The AtacamaAuthFilter is called again, but this time, as the subject variable is in the session, control is passed to our authorisation filter.
  6. If the user is from an organisation with an authorised scope, the underlying content will be displayed to the user; otherwise an 'unauthorised' response will be returned.

...