“The kbmMW Authorization manager explained” whitepaper


    • #55655
      moctes
      Participant

      Hi Kim,

      I am exploring the authorization manager capabilities. I have successfully created a smart service, created roles and actors, and granted access using attributes, e.g. [kbmMW_Auth('role:[MyRole], grant:true')]. For that I followed your advice in the blog post Rest easy with kbmMW 4 – Access management. Looking for more info, I came across the (somewhat dated) white paper The kbmMW Authorization manager explained; its last page reads as follows:

      This paper only touches the surface of what can be done with the authorization manager. We haven’t discussed how we could add finer grained authorization on the actual data table, how logins time out after not being used, how you can save and load the complete authorization setup to/from XML, how constraints can be added to both login and authorizations, how to allow anonymous/unknown users access to specific features, how to define actors on the fly based on external resources (a database for example) etc.
      But it’s all supported with the new authorization manager.

      So I’m interested in all of the points mentioned in that paragraph (emphasis mine):

      • How we could add finer grained authorization on the actual data table
      • How logins time out after not being used
      • How you can save and load the complete authorization setup to/from XML
      • How constraints can be added to both login and authorizations
      • How to allow anonymous/unknown users access to specific features
      • How to define actors on the fly based on external resources (a database for example) – for this one you already have a blog post

      I have googled around and checked the kbmMW demos and the included help file looking for more info/demos, without success.

      Could you or someone point me to resources to learn how to do these things? Small demo apps would be very welcome.

    • #55664
      kimbomadsen
      Keymaster

      Hi,

      – How we could add finer grained authorization on the actual data table

      Usually a program asks the authorization manager whether a specific permission is allowed when accessing a specific resource, using the IsAuthorized method. The resource is something that is usually defined by the developer to refer to a specific “thing” you want to have specific restrictions on, after which the authorizations are granted or denied using the appropriate methods.

      So one way is to define as many resource strings as needed for the various tables and use the IsAuthorized method to figure out if the user actually is allowed to read/write/delete or access the table.

      – How logins time out after not being used

      Each time an actor logs in, it is registered in the authorization manager. An actor can have a specific MaxIdleTimeout specified, which indicates how many seconds any login made as this actor can be idle before being garbage collected. If no specific value has been defined for the actor, the value 3600 (one hour) is used.

      As the garbage collection thread by default only runs every 60 seconds, a login can idle for up to 60 seconds (regardless of MaxIdleTimeout settings) until the garbage thread has run.

      – How you can save and load the complete authorization setup to/from XML

      You define an instance of TkbmMWXMLAuthorizationStorage, set its Manager property to the TkbmMWAuthorizationManager instance, and call xmlauthstorage.Save('authorizations.xml') or xmlauthstorage.Load('authorizations.xml');

      – How constraints can be added to both login and authorizations:

      You define an authorization using the Grant or Deny methods of the TkbmMWAuthorizationManager. It will return a TkbmMWAuthorization object. That object has a Constraints property on which you can define specific constraints for that particular authorization.

      Eg.

      var
        auth:TkbmMWAuthorization;
        con:TkbmMWAuthorizationUTCTimeConstraint;
      begin
        auth:=mgr.Grant(...); // Grant returns the TkbmMWAuthorization object for the new rule
        if auth<>nil then
        begin
          con:=TkbmMWAuthorizationUTCTimeConstraint.Create;
          con.FromWeekDay:=mwwdMonday;
          con.ToWeekDay:=mwwdFriday;
          auth.Constraints.Add(con); // the ownership of con is transferred to the authorization object.
        end;
      end;

      The above example will limit access to that particular “grant” authorization for work weekdays (Monday to Friday).

      Any number of constraints can be added.

      The same way, you can add constraints to prevent login at specific times or from specific transports etc.

      Further you can create your own constraints by subclassing TkbmMWCustomAuthorizationConstraint and register it like this:

      kbmMWKnownAuthorizationConstraintClasses.RegisterConstraint(TMyConstraint);

      – How to allow anonymous/unknown users access to specific features

      Firstly you will need to set the authorization manager's Options to allow for anonymous/unknown user logins (mwaoAllowAnonymous).

      Then you need to grant/deny authorizations for an unknown user and/or unknown role. There are two constant names that are predefined for that:
      KBMMWAUTHORIZATION_UNKNOWN_USER and KBMMWAUTHORIZATION_UNKNOWN_ROLE.
      The moment a login is attempted and no defined actor or role matches that login, it will (provided anonymous logins are supported as described above) fall back to attempting to get authorized as an unknown/anonymous user.

      /Kim
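The mechanics Kim describes above (resource-string checks via an IsAuthorized-style call, constraints attached to a returned grant, fallback to the unknown user/role for anonymous logins, and idle-timeout garbage collection that only runs every 60 seconds) as a small Python model. This is an added example, not kbmMW code and not part of the thread: the class and method names, the (role, resource, permission) rule key and Python's integer weekday encoding are assumptions of the model, while the two constant names, the 3600-second default MaxIdleTimeout and the 60-second GC period are taken from the answer.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constant names quoted in the thread; how they are used below is this model's assumption.
UNKNOWN_USER = "KBMMWAUTHORIZATION_UNKNOWN_USER"
UNKNOWN_ROLE = "KBMMWAUTHORIZATION_UNKNOWN_ROLE"
DEFAULT_MAX_IDLE = 3600   # seconds: default MaxIdleTimeout stated in the thread
GC_INTERVAL = 60          # seconds: garbage-collection period stated in the thread

Constraint = Callable[[datetime], bool]


def utc_weekday_constraint(from_day: int, to_day: int) -> Constraint:
    """Model of the UTC time constraint: holds only when the UTC weekday
    (Monday=0 .. Sunday=6, Python's encoding) lies in [from_day, to_day]."""
    def check(when: datetime) -> bool:
        return from_day <= when.astimezone(timezone.utc).weekday() <= to_day
    return check


@dataclass
class Authorization:
    """One grant/deny rule plus the constraints attached to it."""
    grant: bool
    constraints: List[Constraint] = field(default_factory=list)

    def applies(self, when: datetime) -> bool:
        # Every attached constraint must hold, otherwise the rule is ignored
        # and the manager's default deny takes effect.
        return all(c(when) for c in self.constraints)


@dataclass
class Login:
    actor: str
    last_activity: float   # seconds on a clock the caller supplies


class AuthorizationManager:
    def __init__(self, allow_anonymous: bool = False, now: float = 0.0):
        self.allow_anonymous = allow_anonymous   # stands in for mwaoAllowAnonymous
        self.actor_role: Dict[str, str] = {}
        self.actor_max_idle: Dict[str, int] = {}
        self.rules: Dict[Tuple[str, str, str], Authorization] = {}  # (role, resource, permission)
        self.logins: Dict[int, Login] = {}
        self._next_id = 1
        self._last_gc = now
        if allow_anonymous:
            self.add_actor(UNKNOWN_USER, UNKNOWN_ROLE)

    def add_actor(self, name: str, role: str, max_idle: Optional[int] = None) -> None:
        self.actor_role[name] = role
        self.actor_max_idle[name] = DEFAULT_MAX_IDLE if max_idle is None else max_idle

    def grant(self, role: str, resource: str, permission: str, allow: bool = True) -> Authorization:
        """Store a rule and hand it back so the caller can attach constraints to it."""
        auth = Authorization(grant=allow)
        self.rules[(role, resource, permission)] = auth
        return auth

    def is_authorized(self, actor: str, resource: str, permission: str, when: datetime) -> bool:
        role = self.actor_role.get(actor)
        if role is None:                 # no defined actor matches this login
            if not self.allow_anonymous:
                return False
            role = UNKNOWN_ROLE          # fall back to the unknown role
        auth = self.rules.get((role, resource, permission))
        if auth is None or not auth.applies(when):
            return False                 # default deny
        return auth.grant

    def login(self, actor: str, now: float) -> Optional[int]:
        if actor not in self.actor_role:
            if not self.allow_anonymous:
                return None
            actor = UNKNOWN_USER         # anonymous login registered as the unknown user
        session = self._next_id
        self._next_id += 1
        self.logins[session] = Login(actor, now)
        return session

    def touch(self, session: int, now: float) -> None:
        self.logins[session].last_activity = now

    def is_logged_in(self, session: int) -> bool:
        return session in self.logins

    def collect_garbage(self, now: float) -> List[int]:
        """The GC thread's check: does nothing unless GC_INTERVAL has elapsed, so an
        idle login can outlive its MaxIdleTimeout by up to GC_INTERVAL seconds."""
        if now - self._last_gc < GC_INTERVAL:
            return []
        self._last_gc = now
        expired = [sid for sid, lg in self.logins.items()
                   if now - lg.last_activity > self.actor_max_idle[lg.actor]]
        for sid in expired:
            del self.logins[sid]
        return expired
```

The rule key mirrors the "one resource string per table" approach from the answer: `table:orders` with permission `read` is just a string pair, and anything without a matching rule is denied. Note the default-deny placement: a constraint that does not hold makes the grant invisible rather than flipping it to a deny, so a weekday-limited grant silently stops applying at the weekend.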
