author: rautenberg <rautenberg@in-silico.ch> 2012-10-01 11:14:20 +0200
committer: rautenberg <rautenberg@in-silico.ch> 2012-10-01 11:14:20 +0200
commit: 7c64e61d16d2495e664478f250e4d0cc6f1d9417 (patch)
tree: 5840a9438c3fa24611b402caa62b220c3571eed9
parent: 16c57b5dba52cf1505acb6fc81a449ad0b5dfcbf (diff)
extend A&A description
-rw-r--r--  _posts/2012-09-03-authorization--authentication-flow-and-configuration.md | 15
1 files changed, 13 insertions, 2 deletions
diff --git a/_posts/2012-09-03-authorization--authentication-flow-and-configuration.md b/_posts/2012-09-03-authorization--authentication-flow-and-configuration.md
index 393f493..142b1de 100644
--- a/_posts/2012-09-03-authorization--authentication-flow-and-configuration.md
+++ b/_posts/2012-09-03-authorization--authentication-flow-and-configuration.md
@@ -8,6 +8,17 @@ tags: [Setup, webservices]
{% include JB/setup %}
+A&A How it works
+=========
+A&A is located in a before filter method of the ruby framework sinatra, which means every request (REST) to the sinatra application is controlled by the code inside this filter befor anything else happens.
+
+If A&A is activated:
+
+1. every request is disallowed.
+2. you can define exeptions in the configuration file => __CONFIGURATION__
+ * authentification exeptions
+ * authorization exeptions
+3. you can allow one or more REST request (GET, POST, PUT, DELETE) to an URI controlled by the openSSO server, defined in policies. => __POLICIES__
A&A Flow opentox-ruby gem
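Review bot: the two markers `__CONFIGURATION__` and `__POLICIES__` in items 2 and 3 of the new list read like unresolved placeholders; either link them to the "Configuration options" section further down and to the policies documentation, or drop the `=>` part until those targets exist. The same lines also carry several spelling errors that will be visible to readers ("befor" should be "before", "exeptions" should be "exceptions", and "authentification" should be "authentication"). Since the sub-items under item 2 name "authentification exeptions" and "authorization exeptions" without saying which keys configure them, it would help to state that these correspond to the `free_request` / `free_uris` and `authenticate_request` options described below, so that a reader understands that a `free_uris` entry bypasses both authentication and authorization and should be reviewed with that in mind.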
@@ -21,8 +32,8 @@ Graphical Flow of Authorization & Authentication for webservices using the opent
Configuration options
=========
inside the authorization block (see also configuration example)
-* `server`- openSSO server URI
-* `free_request` - requests without any Authorization and Authentication **GET, POST, PUT, DELETE** (maybe HEAD in newer Versions)
+* `server`- openSSO server URI. If this line is set to `:server: ` A&A is disabled.
+* `free_request` - requests without any Authorization and Authentication **GET, POST, PUT, DELETE** (maybe also HEAD in newer Versions)
* `authenticate_request` - requests with Authentication but without Authorization **GET, POST, PUT, DELETE**
* `authorize_request` - requests controlled by Authentication and Authorization **GET, POST, PUT, DELETE**
* `free_uris` - YAML hash of requests and URIs not controlled by A&A
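Review bot: the new sentence on the `server` line documents that an empty `:server: ` value switches A&A off entirely, but does not say that this is a fail-open setting: with it every request described as "disallowed" in the section above becomes allowed. Suggest stating explicitly that an empty `:server:` is meant for local development only and should never be deployed, and, if the application does not already do so, that the before filter log a warning at startup when A&A is disabled so the condition is visible in production logs. Separately, the change of "maybe HEAD" to "maybe also HEAD in newer Versions" keeps the vagueness; if HEAD is handled by a known version of the opentox-ruby gem, name that version, otherwise state that HEAD is currently not covered by `free_request`.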