1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
---
layout: post
title: "Authorization & Authentication Flow and Configuration"
description: "Authorization & Authentication flow for webservices using the opentox-ruby gem"
category: Installation
tags: [Configuration, Setup, Webservices]
---
{% include JB/setup %}
see also [webservice configuration example](/Installation/2013/05/03/authorization--authentication-configuration-opentox-serverclient--300/) for opentox-(client/server) version >= 3.0.0.
A&A How it works
-------
A&A is located in a before filter method of the ruby framework sinatra, which means every request (REST) to the sinatra application is controlled by the code inside this filter befor anything else happens.
If A&A is activated:
1. every request is disallowed.
2. you can define exeptions in the configuration file => __CONFIGURATION__
* authentication exeptions
* authorization exeptions
3. you can allow one or more REST request (GET, POST, PUT, DELETE) to an URI controlled by the openSSO server, defined in policies. => __POLICIES__
A&A Flow opentox-ruby gem
-------
Graphical Flow of Authorization & Authentication for webservices using the opentox-ruby gem. Webservice configuration is located in **/home/USERNAME/.opentox/config/ENVIRONMENT.yaml**
Configuration options
-------
inside the authorization block (see also configuration example)
* `server`- openSSO server URI. If this line is set to `:server: ` A&A is disabled.
* `free_request` - requests without any Authorization and Authentication **GET, POST, PUT, DELETE** (maybe also HEAD in newer Versions)
* `authenticate_request` - requests with Authentication but without Authorization **GET, POST, PUT, DELETE**
* `authorize_request` - requests controlled by Authentication and Authorization **GET, POST, PUT, DELETE**
* `free_uris` - YAML hash of requests and URIs not controlled by A&A
* `authorize_exceptions` - YAML hash of requests and URIs only authenticated, without authorization (user has to be logged in)
<br />
String or regex URIs
-------
URIs in `free_uris` and `authorize_exceptions` are possible as string or regex
e.G.:
:free_uris:
? - :GET
: - !ruby/regexp /http:\/\/SERVER\/algorithm/
- "http://SERVER/model"
defines free access to GET request for "http://SEVER/model" exact URI, not to "http://SERVER/model/ID".
the regex `!ruby/regexp /http:\/\/SERVER\/algorithm/` gives free GET request to "http://SERVER/agorithm/" and all addresses below like "http://SERVER/algorithm/bbrc/".
Configuration-file example
-------
# OpenSSO Authorization
# set ":server: " to disable A&A
:authorization:
:server: https://opensso.in-silico.ch
:free_request: #request-method not controlled by A&A
- ""
:authenticate_request: #only for authenticated user
- ""
:authorize_request: #only for authenticated and authorized user
- "GET"
- "POST"
- "HEAD"
- "DELETE"
- "PUT"
# Exceptions:
:free_uris: #request-method for uri not controlled by A&A
? - :GET
: - !ruby/regexp /http:\/\/SERVER\/algorithm/
- "http://SERVER/model"
- "http://SERVER/dataset"
- "http://SERVER/validation"
- "http://SERVER/toxcreate"
- !ruby/regexp /http:\/\/SERVER\/validation\/resources/
- !ruby/regexp /http:\/\/SERVER\/validation\/[a-z,A-Z,\/,_\-]*$/
? - :GET
- :POST
- :HEAD
: - !ruby/regexp /http:\/\/SERVER\/toxcreate\/[a-z,A-Z,\/,_\-]*$/
- !ruby/regexp /http:\/\/SERVER\/task/
- !ruby/regexp /http:\/\/SERVER\/compound/
- !ruby/regexp /sign_(in|out)$/
? - :PUT
: - !ruby/regexp /http:\/\/SERVER\/task/
? - :DELETE
: - "http://SERVER/task/cleanup"
:authorize_exceptions: #request-method for uri only authenticated, no authorization
? - :POST
: - !ruby/regexp /http:\/\/SERVER\/algorithm/
- "http://SERVER/dataset"
- "http://SERVER/model"
- "http://SERVER/validation"
- !ruby/regexp /http\:\/\/SERVER\/validation\/[a-z,A-Z,\/,_\-]*$/
|
