Skip to main content
Version: 8.2411.x.x RR

Configuring authorization

When using an authentication infrastructure that also provides authorization profiles (mapped as a flat security model as described in chapter Proposed Security Role Model of the nevisAuth Reference Guide), nevisProxy also provides support for authentication stepup and access control.

Authentication stepup

Authentication stepup is performed when the SecurityRoleFilter requires security roles, and the user has none of the required roles. The filter triggers an authentication stepup, which may require additional user credentials (e.g., a one-time password), and may in turn return one of the requested roles. If no required security role is returned, access is denied (also for subsequent requests on the same resources).

The configuration sample shown here after, adds access control by using two roles, representing authentication strength (auth.weak and auth.strong) as well as a an authorization to access an application as a customer (role.customer).

The following scenario shows the details:

EventRequired rolesAccumulated roles from authentication and/or stepupResult
User2 accesses /appl1/weak and logs in with userid/password.auth.weakrole.customerauth.weakrole.customerUser2 passes
User1, who is not registered as a customer, accesses /appl1/weak and logs in with userid/password.auth.weakrole.customerauth.weak (as the user is not a regular customer)User1 passes Authentication and AuthWeak, but is blocked by RoleCustomer filter
User2 accesses /appl2 and is forced to provide a one-time password.auth.strongrole.customerauth.weakauth.strongrole.customerUser2 passes
User2 accesses /appl3auth.strongauth.weakauth.strongrole.customerUser2 passes

These configuration steps lead to the following entries in the web.xml file (using op nevisproxy config webapp):

<filter>
<filter-name>AuthWeak</filter-name>
<filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>

<init-param>
<param-name>AuthenticationServlet</param-name>
<param-value>EsAuthConnector</param-value>
</init-param>
<init-param>
<param-name>LoginRendererServlet</param-name>
<param-value>LoginRenderer</param-value>
</init-param>
<init-param>
<param-name>RolesRequired</param-name>
<param-value>auth.weak auth.strong</param-value>
</init-param>
</filter>

<filter>
<filter-name>AuthStrong</filter-name>
....
<init-param>
<param-name>RolesRequired</param-name>
<param-value>auth.strong</param-value>
</init-param>
</filter>

<filter>
<filter-name>RoleCustomer</filter-name>
....
<init-param>
<param-name>RolesRequired</param-name>
<param-value>role.customer</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>AuthWeak</filter-name>
<url-pattern>/appl1/weak/{*}</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>AuthStrong</filter-name>
<url-pattern>/appl2/{*}</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>AuthStrong</filter-name>
<url-pattern>/appl3/{*}</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>RoleCustomer</filter-name>
<url-pattern>/appl1/weak/{*}</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>RoleCustomer</filter-name>
<url-pattern>/appl2/{*}</url-pattern>
</filter-mapping>

The order of the two mappings, the IdentityCreationFilter and the SecurityRoleFilter, is important because they are matching the same URLs. The IdentityCreationFilter must be configured first to establish an initial session.