Providing a login module that supports a Scenario or Event Authority
When you implement a Scenario or Event Authority, the methods that you implement have a UserCredentials argument. Typical implementations retrieve an instance of javax.security.auth.Subject from the UserCredentials object, and use the Subject's characteristics to determine whether to return true or false (that is, whether to grant or deny access).
The characteristics of a particular Subject (for example its associated roles, as returned by Subject.getPrincipals) are established by a JAAS login module that is called by the Data Server or Display Server. It is this module's responsibility to establish those characteristics on which the Scenario or Event Authority will rely.
For local deployments, this login module is responsible for authenticating the current end user (see Authentication for local and WebSphere deployments) as well as for setting the characteristics of the Subject. For web deployments, this login module is responsible only for setting the characteristics of the Subject (since authentication is performed by the application server).
For both web and local deployments, the default Data Server and Display Server login module is NoOpLoginModule, which does not set any characteristics of the Subject. With this module, the Subject passed into IScenarioAuthority methods has no associated roles.
Typical implementations of LoginModule store the Subject passed into LoginModule.initialize as local state, and set the Subject's characteristics in LoginModule.commit.
Note that UserFileLoginModule supports Scenario Authorities by setting Subject roles at the time of authentication. To use UserFileLoginModule in order to support Scenario Authorities for web-based deployments (where authentication is performed by the application server), set validateUser to false when you install UserFileLoginModule; see Installing UserFileLoginModule.
For web-based deployments, the Data Server and Display Server receive only user names (and not passwords) from the application server. This means that you cannot use a JAAS login module that requires both user names and passwords in order to authenticate users and retrieve their roles. To perform role-based authorization for web-based deployments, use a JAAS login module that can retrieve the roles for a user by using only the user name.
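The following sketch is an added example, not code from the Apama product: a JAAS login module that stores the Subject in initialize, obtains only the user name, and sets role principals in commit. The class name, RolePrincipal, lookupRoles and the sample users are hypothetical, and it assumes that the server's CallbackHandler answers a NameCallback and that your Authority reads roles by principal name from Subject.getPrincipals.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
public class NameOnlyRoleLoginModule implements LoginModule {
    /** Hypothetical role principal; the Authority must look for the same type and name. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
    }
    private Subject subject; private CallbackHandler handler; private String user;
    private final Set<Principal> added = new HashSet<>();
    // Constructed sample data standing in for a directory or database lookup by name.
    private static List<String> lookupRoles(String user) {
        if ("alice".equals(user)) return Arrays.asList("operator", "admin");
        if ("bob".equals(user)) return Arrays.asList("operator");
        return Collections.emptyList();            // unknown user: no roles at all
    }
    @Override public void initialize(Subject subject, CallbackHandler handler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;   // local state used by commit()
    }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        try { handler.handle(new Callback[] { nc }); }    // name only, no PasswordCallback
        catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain user name: " + e);
        }
        user = nc.getName();
        if (user == null || user.isEmpty()) throw new LoginException("no user name supplied");
        return true;
    }
    @Override public boolean commit() {
        if (user == null) return false;            // login() did not succeed for this module
        for (String role : lookupRoles(user)) added.add(new RolePrincipal(role));
        subject.getPrincipals().addAll(added); return true;
    }
    @Override public boolean abort() { return logout(); }
    @Override public boolean logout() {
        subject.getPrincipals().removeAll(added);  // remove only what this module added
        added.clear(); user = null; return true;
    }
}
```

Because this module trusts the supplied name without checking a password, it fits only deployments where authentication has already been performed upstream, as with the web deployments described above.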
Copyright © 2013-2017 Software AG, Darmstadt, Germany. (Innovation Release)
