Chapter 32. How to write a login provider

32.1. What are login providers
32.2. Writing login providers
32.3. Using login providers

32.1. What are login providers

Login providers can be used by OGSA-DAI data resources to map information held in security contexts to database user names and passwords. OGSA-DAI does not force the use of login providers: how such mappings are done and, more generally, how data resource authorization is performed is specific to the data resource implementations in use. No other part of the OGSA-DAI framework has knowledge of these mappings.

Login providers implement the:

uk.org.ogsadai.authorization.LoginProvider

interface. This supports the following operations:

  • Given a data resource ID and a security context return a user name and password.
  • Return a boolean flag indicating if the login provider would provide a login for a data resource given a specific security context.
  • Deny access to the data resource using information in a given security context to determine who or what is denied.
  • Permit access to the data resource using information in a given security context to determine who or what is permitted and using a given login.
  • Completely deny access to the data resource.
  • Return a boolean flag indicating whether the login provider can provide logins for a given resource.

Login providers are based around the notion of a security context. Unlike the rest of the OGSA-DAI framework, login providers can make assumptions as to the nature of the information within a security context. This is because the login providers used by an OGSA-DAI server are specified as part of the server configuration (see for example Section 18.8, “Login provider”), so login providers consistent with application-specific or presentation layer requirements can be deployed. The corollary is that a login provider is only as trustworthy as the presentation layer that populates the security context: if the caller's identity in the context is not authenticated by that layer, the mapping to a database login is not either.

OGSA-DAI, by default, distributes the following class that implements the LoginProvider interface:

uk.org.ogsadai.authorization.file.SimpleFileLoginProvider

which provides mappings from the caller's distinguished name (DN) to database user names and passwords for zero or more data resources. This class expects the security context to implement the DistinguishedNameProvider interface so that the caller's DN can be obtained. If the security context does not implement this interface then a null DN is used, which can only match wildcard entries in the mappings. The mappings are held in a text file on the OGSA-DAI server. For more information see Section 16.1.3, “Configuring database logins” and Section 17.2.3, “Logins File”.

32.2. Writing login providers

To write an OGSA-DAI login provider you need to provide an implementation of the interface:

uk.org.ogsadai.authorization.LoginProvider

You will need to make the following decisions:

  • Whether the login provider will handle logins for one resource or many.
  • What attributes the login provider expects to find in the security context. This will determine the presentation layers that the login provider can be used with since different presentation layers may populate a security context with different attributes.
  • How the relationship between resource IDs, security context-specific information, usernames and passwords is accessed and stored, e.g. is it in a file, a database, a callout to a service.
  • What configuration your login provider needs and how this is provided, e.g. via values assumed to be in the OGSA-DAI context and provided via specific configuration properties (see Section 18.9, “Miscellaneous objects”) or via setter methods on your login provider (see Section 18.9.2, “External information on JNDI”).
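The following is an added example, written for this chapter and not part of the OGSA-DAI distribution, that puts the six operations listed in Section 32.1 and the decisions listed above into a single class: a login provider that handles many resources, expects the security context to be a DistinguishedNameProvider (as SimpleFileLoginProvider does), and keeps its mappings in memory rather than in a file. The method names, the Login constructor and getters, and the ResourceID type are assumptions inferred from the operation list; check them against the Javadoc for uk.org.ogsadai.authorization.LoginProvider before building. The class and package names are hypothetical.

```java
package example.authorization;   // hypothetical package, not part of OGSA-DAI

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import uk.org.ogsadai.authorization.DistinguishedNameProvider;
import uk.org.ogsadai.authorization.Login;            // assumed: Login(String user, String password)
import uk.org.ogsadai.authorization.LoginProvider;
import uk.org.ogsadai.authorization.SecurityContext;
import uk.org.ogsadai.resource.ResourceID;            // assumed: toString() gives the resource ID

/**
 * Maps (resource ID, caller DN) to a database login held in memory.
 * A context that is not a DistinguishedNameProvider yields a null DN,
 * which can only ever match a wildcard ("*") entry, mirroring
 * SimpleFileLoginProvider. Method names below are assumed from the
 * six operations in Section 32.1.
 */
public class InMemoryDNLoginProvider implements LoginProvider
{
    /** DN value that matches any caller, including callers with no DN. */
    private static final String WILDCARD = "*";

    /** resource ID -> (DN or "*" -> login). */
    private final Map<String, Map<String, Login>> mappings = new HashMap<String, Map<String, Login>>();

    /** resource ID -> DNs explicitly denied even if a wildcard entry exists. */
    private final Map<String, Set<String>> denied = new HashMap<String, Set<String>>();

    /** Caller DN, or null when the context cannot supply one. */
    private static String dnOf(SecurityContext context)
    {
        if (context instanceof DistinguishedNameProvider)
        {
            return ((DistinguishedNameProvider) context).getDN();
        }
        return null;
    }

    /** Given a data resource ID and a security context return a login, or null. */
    public Login getLogin(ResourceID resourceID, SecurityContext context)
    {
        String res = resourceID.toString();
        String dn = dnOf(context);
        Set<String> deniedDNs = denied.get(res);
        if (dn != null && deniedDNs != null && deniedDNs.contains(dn))
        {
            return null;                      // explicit deny wins over any mapping
        }
        Map<String, Login> logins = mappings.get(res);
        if (logins == null)
        {
            return null;                      // this provider knows nothing about the resource
        }
        // Exact DN first, then the wildcard; a null DN can only reach the wildcard.
        Login login = (dn == null) ? null : logins.get(dn);
        return (login != null) ? login : logins.get(WILDCARD);
    }

    /** Would this provider supply a login for this resource and context? */
    public boolean providesLogin(ResourceID resourceID, SecurityContext context)
    {
        return getLogin(resourceID, context) != null;
    }

    /** Deny the caller named in the context. A context with no DN cannot be singled out, so it is ignored. */
    public void deny(ResourceID resourceID, SecurityContext context)
    {
        String dn = dnOf(context);
        if (dn == null)
        {
            return;
        }
        String res = resourceID.toString();
        if (!denied.containsKey(res))
        {
            denied.put(res, new HashSet<String>());
        }
        denied.get(res).add(dn);
    }

    /** Permit the caller named in the context, using the given login. Refuses to turn an anonymous caller into a wildcard. */
    public void permit(ResourceID resourceID, SecurityContext context, Login login)
    {
        String dn = dnOf(context);
        if (dn == null)
        {
            throw new IllegalArgumentException("permit() needs a DN; add wildcard entries explicitly");
        }
        String res = resourceID.toString();
        if (denied.containsKey(res))
        {
            denied.get(res).remove(dn);
        }
        if (!mappings.containsKey(res))
        {
            mappings.put(res, new HashMap<String, Login>());
        }
        mappings.get(res).put(dn, login);
    }

    /** Completely deny access to the resource: drop every mapping for it. */
    public void denyAll(ResourceID resourceID)
    {
        String res = resourceID.toString();
        mappings.remove(res);
        denied.remove(res);
    }

    /** Can this provider supply logins for the resource at all? */
    public boolean providesLogins(ResourceID resourceID)
    {
        return mappings.containsKey(resourceID.toString());
    }
}
```

Two choices in the class are deliberate. The deny list is checked before the mappings, so a wildcard entry cannot quietly reinstate a caller who was explicitly denied. And permit() refuses a context with no DN instead of writing a wildcard entry, because a presentation layer that happens not to populate the DN would otherwise turn a per-user grant into a grant for everyone; wildcard entries should be an explicit administrative decision. When building against the real interface, add @Override to each of the six methods so that a method name that differs from the Javadoc fails at compile time rather than leaving a silent no-op.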

32.3. Using login providers

Once a login provider has been written an OGSA-DAI server can be configured to make this available to its components. Section 18.8, “Login provider” contains information on how this can be done.

How to configure data resources to use your login provider depends upon the configuration expected by the implementations of those data resources. If using the OGSA-DAI JDBC or XMLDB data resources, configuring these to use your login provider involves specifying, as part of the data resource configuration, the ID under which your login provider was deployed onto the server. Data resource configuration is described in Section 17.2.8, “Data resource configuration properties and classes”.