How to protect a resource
To protect a deployed resource, you have to follow a set of steps.
- First of all, you have to create the resource descriptor in the database so that policies can be defined over it. To create and manage descriptors, load the Administration Console in your web browser at 'http://your_application_server_domain/mistral/admin'. Log in as user 'mistral_admin' with the password you set during the installation process.
Once in the console:
- Go to 'Resources Management'.
- Add a new Catalog.
- Add a new Entry. The only mandatory field of an Entry is its Id; the rest are optional.
- Add a Resource. A Resource has three fields:
  - Local_Name is the name of the resource within its namespace. It is the name used when defining policies.
  - Namespace is the domain the resource belongs to. If the namespace is not known, any value can be used.
  - Address is the URL where the resource is located, that is, the URL that will be protected.
- Add actions (optional).
Once you have defined the resources, you have to set the policies associated with those resources.
- Go to 'Policies Management'.
- Add as many policies as you need.
- In each policy, add as many rules as you need.
- Each rule states whether an end user holding specific roles, performing specific actions on specific resources, is permitted (Permit) or denied (Deny). Write the rules so that everything not explicitly permitted is denied, and test a request that matches no rule to confirm the outcome before exposing the resource.
- Secondly, you have to enable Mistral-IdM for the protected resource in your Service Provider. There are two ways to do this: using a Realm or using a Filter.
- Realms are deployed and managed by the application container. They define constraints that every request must satisfy (here, authentication and authorization) before the servlet dispatcher is invoked. Enabling one therefore requires editing the container's global configuration files (for instance server.xml in Tomcat), and the Realm is available to every application the container serves.
- Filters are deployed inside the application to be protected. The container runs them before the servlet handles the incoming request, so they intercept and check each end-user request. Only the application's own deployment descriptor (web.xml) needs to be edited.
Protecting a resource with Realm
Firstly, you should activate the Mistral Realm:
Copy all files contained in '[Mistral_Installation_Folder]/libs/' to the libraries folder of your application server: for instance $TOMCAT_HOME/server/lib/ on Tomcat 5 or $TOMCAT_HOME/lib/ on Tomcat 6.
Add the following Realm element to your application server configuration file (for instance $TOMCAT_HOME/conf/server.xml on Tomcat). In Tomcat a Realm is nested inside an <Engine>, <Host> or <Context> element; placing it inside <Host> scopes it to the applications of that virtual host:

    <Realm className="org.apache.catalina.realm.MistralRealm"
           configFilePath="[Mistral_Installation_Folder]/config/realm_config.xml"
           tomcatManager="tomcat"
           tomcatManagerPassword="tomcat"/>

[Mistral_Installation_Folder] is the folder in which you installed Mistral. tomcatManager and tomcatManagerPassword are the credentials of your Tomcat manager user; replace the tomcat/tomcat defaults with the values configured for your Tomcat installation (for example in conf/tomcat-users.xml). Because the password is stored in clear text, make sure server.xml is readable only by the account that runs Tomcat, and use a manager account with no more privileges than Mistral needs.
Secondly, you should enable the realm in the specific application. To do that, you must modify the deployment descriptor of the deployed resource, web.xml.
Add to your web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>any name</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
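The fragment above protects every URL with BASIC authentication, which sends the user's credentials base64-encoded (not encrypted) with every request. The following complete web.xml for the Realm approach is an added example, not a file from the Mistral distribution: it keeps the constraint from the fragment, adds a transport guarantee so the container only accepts the credentials over HTTPS, and declares the role it references. The display name, realm name and the 'admin' role are placeholders; the role name must be one that the Mistral Realm actually assigns to your users.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the Mistral distribution). Servlet 2.4 descriptor,
     which both Tomcat 5 and Tomcat 6 accept. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>protected_by_realms</display-name>

  <!-- Every URL of the application requires an authenticated user holding the
       'admin' role (placeholder: use a role the Mistral Realm returns).
       No <http-method> element is listed on purpose: a collection without
       one covers all HTTP methods, whereas listing e.g. only GET and POST
       would leave HEAD, PUT, DELETE and the rest unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Addition over the page's fragment: BASIC credentials travel
         base64-encoded in every request, so require TLS. Tomcat redirects
         plain HTTP requests to the HTTPS connector named by the connector's
         redirectPort attribute in server.xml. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Mistral</realm-name>
  </login-config>

  <!-- Declare every role referenced from an auth-constraint. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

After deploying, request a protected URL over plain HTTP and confirm you are redirected to HTTPS, then request it over HTTPS without credentials and confirm a 401 response, and finally with a user that lacks the role and confirm a 403; only then test a user that holds the role.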
Download the example application: protected_by_realms.war
This example assumes the Mistral installation folder is /usr/share/mistral/; you can change it by editing the WEB-INF/web.xml file.
Protecting a resource with Filters
If you are not using Realm, you can use Filters instead.
Copy all files contained in '[Mistral_Installation_Folder]/libs/' to the libraries folder of your application server, for instance $TOMCAT_HOME/server/lib/ on Tomcat 5 or $TOMCAT_HOME/lib/ on Tomcat 6. Or copy them to the libraries folder of the application to be protected, for instance $TOMCAT_HOME/webapps/protected_app/WEB-INF/lib/. Jars placed in WEB-INF/lib are visible only to that application, which is the better choice when not every application on the container should be able to load Mistral; jars placed in the container's lib folder are shared by all applications.
Then, you should enable the Filter in the specific application. To do that, you must modify the deployment descriptor of the deployed resource, web.xml.
Add to your web.xml:
    <filter>
        <filter-name>MistralFilter</filter-name>
        <filter-class>Filters.MistralFilter</filter-class>
        <init-param>
            <param-name>config_file_path</param-name>
            <param-value>[Mistral_installation_folder]/config/filter_config.xml</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>MistralFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
where [Mistral_installation_folder] is the folder on which you have installed Mistral.
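A complete web.xml for the Filter approach, as an added example that is not a file from the Mistral distribution. Beyond the fragment above it fixes the install path to the one the example WAR assumes and, as an addition, maps the filter to every dispatcher type, so that a request reaching a protected page through a RequestDispatcher forward or include, or through the container's error-page mechanism, is still checked (a mapping without <dispatcher> elements applies to REQUEST only). That addition assumes the filter tolerates being invoked more than once for the same request; the display name is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the Mistral distribution). Servlet 2.4 descriptor,
     which both Tomcat 5 and Tomcat 6 accept. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>protected_by_filters</display-name>

  <filter>
    <filter-name>MistralFilter</filter-name>
    <filter-class>Filters.MistralFilter</filter-class>
    <init-param>
      <param-name>config_file_path</param-name>
      <!-- Assumed install folder (the one the example WAR uses); change it
           to your [Mistral_installation_folder]. -->
      <param-value>/usr/share/mistral/config/filter_config.xml</param-value>
    </init-param>
  </filter>

  <!-- Filters run in the order of their filter-mapping elements. Keep this
       mapping before any other filter-mapping of the application so nothing
       can produce a response before the request has been authenticated and
       authorized. -->
  <filter-mapping>
    <filter-name>MistralFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- Addition: without these elements the filter only sees direct client
         requests (REQUEST). Assumes MistralFilter handles repeated
         invocation on one request. -->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>
</web-app>
```

Unlike the Realm approach, nothing here forces HTTPS, so if the filter collects credentials from the request, terminate TLS in front of Tomcat or add a security-constraint with a CONFIDENTIAL transport guarantee alongside the filter. Verify the deployment by requesting a protected URL without credentials and confirming the filter rejects it before the application's own servlet runs.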
The Mistral libraries copied in the first step must be on the application's classpath (the container's lib folder or the application's WEB-INF/lib); otherwise the container cannot load Filters.MistralFilter and the application will fail to deploy.
Download the example application: protected_by_filters.war
This example assumes the Mistral installation folder is /usr/share/mistral/; you can change it by editing the WEB-INF/web.xml file.