Changes between Version 7 and Version 8 of RepAaa


Timestamp:
Oct 13, 2010, 9:53:26 AM (14 years ago)
Author:
tim.bauge
Comment:

--

  • RepAaa

    v7 v8  
    88[[PageOutline(2-3,Table of Contents,inline)]]
    99
    10 == How-to: adding access control to my REP ==
    11 === Choosing the form of access control ===
     10== Choosing the form of access control ==
    1211Access control in SENSEI can be done on the basis of the user's privileges, or on the basis of payment. This choice is made by the resource provider. If the access control should be performed based on payment, the REP should be registered with a payment based AAA service. Instructions for this can be found [[wiki:PrivacyAndBilling|here]].
    1312If the access control should be performed based on privileges, the REP should be registered with a privilege based AAA service. Instructions for this can be found below.
    14 === Defining an access policy ===
     13
     14== Deployment of a AAA enabled REP ==
     15A deployable AAA enabled REP is provided for testing purposes. This REP is designed to exercise the AAA functions, but does not implement plug and play capability for resources. The REP comes with an integrated synthetic sensor producing random values, as a proof of concept rather than an operational component. AAA functionality should be added to operational REPs, based on the specification provided [here]. This is a developer concern, and is therefore not described further here.
     16=== Getting the software components ===
     17* Apache Tomcat servlet container or equivalent
     18Instructions for setting up Apache Tomcat can be found [http://tomcat.apache.org/tomcat-6.0-doc/setup.html here].
     19* STS WAR file
     20The STS WAR file can be downloaded from here: [wiki:trt-war AAA downloads page].
     21The WAR files should be first configured for the deployment setup (see below) and then deployed in the servlet container. For Tomcat, instructions are provided [http://tomcat.apache.org/tomcat-6.0-doc/deployer-howto.html here] (see in particular the "Deployment on Tomcat startup" section).
     22=== Configuration ===
     23The WAR file contains one file which need configuring to run correctly on the target deployment platform. Each field requiring a deployment specific value has been identified with the string "REPLACE:". Other fields have been set to typical defaults which should satisfy most deployments. These can however be modified for advanced tuning of the AAA service. For more information contact TRT (UK).
     24The WAR file is an archive containing object code, presentation templates and configuration files. The downloaded WAR file should therefore be opened (e.g. using [http://www.7-zip.org/ 7-zip]) to edit the following configuration file:
     25* rep.war/WEB-INF/classes/messages.properties
     26||= '''Field''' =||= '''Expected content''' =||
     27||rep.id||The identifier of the REP, which should be the URL of this REP||
     28||aaaservice.uri||The URL of the AAA Service which will provide access control decisions||
     29||resDir.uri||The URL of the SENSEI resource directory||
     30
     31== Setting access policies ==
     32=== Writing policies ===
    1533First a set of policies must be defined to specify the access rules which should apply. These are specified in a text file with the .drl extension.
    1634For the enthusiasts, a full description of the rules language can be found [[http://downloads.jboss.com/drools/docs/5.1.1.34858.FINAL/drools-expert/html/ch04.html|here]]. We would recommend keeping things simple, and therefore provide an example below.
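
Review bot: The added "Getting the software components" list (new lines 19-20) names the STS WAR file, but the Configuration step that follows edits rep.war/WEB-INF/classes/messages.properties, so the reader is told to download one archive and configure another. If the REP WAR is what is meant, the bullet and the download sentence should say so. In the same hunk, new line 15 refers to the specification with a bare [here] that has no link target, and new line 23 should read "one file which needs configuring". Because aaaservice.uri is the endpoint the REP relies on for access control decisions, the table row would also benefit from stating whether an https URL is expected.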
     
    5371
    5472The roles which are evaluated in these rules are the roles contained in the tokens issued by the [wiki:Aaa STS].
    55 === Registering the policy ===
     73=== Registering policies ===
    5674There may be multiple AAA services running in the domain, and the resource provider must choose which to use (in a real life deployment they may differ in terms of SLAs, or service cost etc).
    5775The AAA service implementation is provided as a WAR file deployed in a servelet container (see [wiki:Aaa here]), and the policy files should be placed in the "/WEB-INF/classes/authorisation-policies" folder of the WAR file, and the AAA service restarted.
    5876Adding, modifying or removing policies is done by changing the content of the aaa.war/WEB-INF/classes/authorisation-policies folder.
    59 === Configuring the Access Controlled REP ===
    60 The access controlled REP is provided as a WAR file, to be deployed in a servelet container such as Apache Tomcat. The REP must be configured in the messages.properties file located in /WEB-INF/classes directory of the WAR file.
    61 ||= Property =||= Description =||
    62 ||rep.id||The identifier of the REP, which should be the URI||
    63 ||aaaservice.uri||The URI of the AAA Service||
    64 ||aaaservice.request.uri||The URI of the Request interface of the AAA Service||
    65 ||resDir.uri||The URI of the resource directory||
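
Review bot: The removed "Configuring the Access Controlled REP" table (old lines 61-65) documented aaaservice.request.uri, while the Configuration table added earlier in this change lists only rep.id, aaaservice.uri and resDir.uri. Either confirm that the REP no longer reads that property or carry the row over to the new table, otherwise a deployment that follows v8 leaves it unset. The unchanged line 75 still spells "servelet" and gives the policy folder as "/WEB-INF/classes/authorisation-policies", while line 76 writes it as aaa.war/WEB-INF/classes/authorisation-policies; using the full aaa.war path in both places would remove the ambiguity about which archive holds the policies.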