Configuring the Genero Application Server / How to implement delegation
Three examples of possible uses for the delegation mechanism.
You can develop a simple delegation service to authenticate and authorize users to have access to one or several applications on the Genero Application Server.
The delegation service will respond to the request with an HTML form, asking for a user name and password. In this case, HTTPS is required; otherwise the login and password will be sent in clear text.
A request with user name and password as parameters will be processed by the delegation service. The service will check for the user name and password in its database. If the user name and password are correct, a digest authentication will be created, stored in the database, and sent back to the user-agent in a cookie. The delegation service will instruct the user agent to delegate on the same URL (so the user agent will use its newly set cookie).
A request with a cookie will be processed by the delegation service. The cookie will be checked in the database. The corresponding user id, as well as the user role (administrator, user, guest, and so on), will be set as application parameters and the Genero Application Server will be instructed to allow the launch of the application.
A simple local authentication / authorization mechanism is provided in the Genero Application Server tutorials located at FGLDIR/web_utilities/services/simplesso.
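As an added illustration of the three request types the simple delegation service above must distinguish (no credentials, credentials, cookie), the following pure-Python model is not Genero code and not the simplesso tutorial; the way the GAS conveys "delegate on the same URL" and "allow launch" is abstracted into a plain response dict, and the cookie name, URL and user records are constructed placeholders. The "digest authentication" stored in the database is modelled here as an opaque random session token.

```python
# Added example (not Genero/GAS code): a model of the simple delegation service.
# Hypothetical names: LOGIN_URL, the "SSO" cookie, the response dicts below.
import hashlib, hmac, secrets
from dataclasses import dataclass, field

LOGIN_URL = "/ws/r/services/simplesso"   # hypothetical delegation URL

@dataclass
class Store:
    users: dict = field(default_factory=dict)      # name -> (salt, pbkdf2 hash, role)
    sessions: dict = field(default_factory=dict)   # token -> (user, role)

def add_user(store, name, password, role):
    # Store only a salted PBKDF2 hash, never the clear-text password
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    store.users[name] = (salt, digest, role)

def check_password(store, name, password):
    rec = store.users.get(name)
    if rec is None:
        return False
    salt, digest, _ = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def handle(store, params, cookies):
    # Case 3: request carrying our cookie -> look it up, set USER/ROLE, allow launch
    token = cookies.get("SSO")
    if token is not None:
        sess = store.sessions.get(token)
        if sess is None:
            return {"action": "form", "status": 401}   # unknown or expired cookie
        user, role = sess
        return {"action": "allow", "parameters": {"USER": user, "ROLE": role}}
    # Case 2: request carrying credentials -> verify, create session, set cookie,
    # and tell the user agent to delegate again on the same URL
    if "user" in params and "password" in params:
        if not check_password(store, params["user"], params["password"]):
            return {"action": "form", "status": 401}
        token = secrets.token_urlsafe(32)          # opaque, unguessable session id
        store.sessions[token] = (params["user"], store.users[params["user"]][2])
        return {"action": "delegate", "url": LOGIN_URL,
                "set_cookie": f"SSO={token}; Secure; HttpOnly; SameSite=Lax"}
    # Case 1: anything else -> respond with the login form
    return {"action": "form", "status": 200}
```

The Secure flag on the cookie matches the HTTPS requirement stated above; without it the session token would travel in clear text just like the password would.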
You can develop a delegation service to authenticate and authorize users to access one or more applications on the Genero Application Server based on standard SSO services such as OpenID Connect (see OpenID Connect SSO) or SAML (see SAML SSO).
The delegation service responds to a simple request for delegation to the SSO service, with reference to the requested application.
A request with a cookie will be processed by the delegation service. The cookie will be checked by the SSO service (by means specific to the SSO protocol). The corresponding user id and user role (as allowed by the SSO protocol) will be set as application parameters and the Genero Application Server will be instructed to allow the launch of the application.
Samples for implementing OpenID Connect and SAML authentication and authorization services are provided in $FGLDIR/web_utilities/services, ready for you to use.
You can develop a simple delegation service to monitor and log all requests to a given service. Each request can be logged in a dedicated database by the delegation service. The Genero Application Server can then be instructed to pass the request to the GWSProxy. The delegation for Web services is called each time a request is sent to that service.