
Example: using conditions (SSO Simulator)

Overview and Requirements

This example builds upon the dual debug page example and shows how to add additional restrictions on access to resources beyond just authenticating. Understand that example before diving into this one.

Building upon the dual debug page example, let's add to our site's resources a URL that only allows access to members of a specific group. To make the configuration less confusing we'll remove support for the /public and /secure versions. The single URL supported by our new version of the site is shown in URLs for our Site. Access to this URL will require that a user be a member of a group, in addition to requiring that the user be signed in, before proxying to the back-end application is allowed. As before, since /extra-secure does not match /admin, our configuration must perform request URL rewriting prior to proxying to the back-end debug page.


Listing: URLs for our Site

http://localhost.lds.org/extra-secure/debug.jsp


Implementation via Embedded <conditions> Element

For historical reasons there are two ways to accomplish this. We'll exhibit the best practice version first. The configuration that exposes our debug.jsp page at the new path is shown in Listing: Using Conditions Site Example. The line numbers are there to facilitate discussion and are not part of the file. This example was created using version 5.23, which allowed lines 8 and 9 of the Dual Debug Page Site Example to be eliminated; those two lines defined the location of the sign-in page and declared the policy-service-url header respectively.

In Listing: Using Conditions Site Example, lines 9 through 13 have been added. Lines 9 and 13 hold the <conditions> element, which can contain one or more condition aliases. For our purpose a single alias is sufficient; it is defined in lines 10 through 12 using the <condition> element, which declares the referenceable name of our alias to be debug-users-group. Line 11 contains a single <HasLdsApplication> element, which dictates that a user must have the value debug-page in their multi-valued ldsApplications attribute to access any resource protected by this condition.

To protect a resource with this condition we enhance the <allow> element by adding its optional condition attribute. Without this attribute the element only requires that users be authenticated to access the protected resource. With this attribute the user must additionally satisfy the referenced condition to access the resource. Hence the <allow> elements in lines 23 and 24 include this attribute and use an alias macro to specify which condition to use, the debug-users-group condition. Also note the change in line 18 mapping the debug page to /extra-secure within our localhost.lds.org site.

Finally, a user must be granted access to the debug-page lds application using the ldsApplications element. User ngib is granted access to that application in line 32, while user ngia is granted no such access.
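To make the evaluation order concrete (cctx mapping, then <allow> match, then authentication, then the referenced condition, then URL rewriting), here is an added Python model of that decision, written for this page and not part of the SSO Simulator itself. It parses a constructed copy of the listing above. Assumptions that are mine, not the simulator's documented behaviour: a path with no matching <allow> is denied, multiple clauses inside one <condition> are AND-ed, and '?' in cpath is a literal query separator rather than a wildcard.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the embedded-conditions listing on this page
# (the console-recording element is omitted; it does not affect policy decisions).
CONFIG_XML = """<?alias rest-port=1776?>
<?alias console-port={{rest-port}}?>
<?alias http-port=80?>
<config proxy-port="{{http-port}}" console-port="{{console-port}}" rest-version="CD-OESv1">
  <sso-cookie name="lds-policy" domain=".lds.org"/>
  <conditions>
     <condition alias="debug-users-group">
        <HasLdsApplication value="debug-page"/>
     </condition>
  </conditions>
  <sso-traffic>
     <by-site host="localhost.lds.org" port="80">
        <cctx-mapping cctx="/extra-secure/*" thost="127.0.0.1"
                      tport="{{console-port}}" tpath="/admin/*"/>
        <allow action="GET,POST" cpath="/extra-secure/debug*" condition="{{debug-users-group}}"/>
        <allow action="GET,POST" cpath="/extra-secure/debug*?*" condition="{{debug-users-group}}"/>
     </by-site>
  </sso-traffic>
  <users>
     <user name="ngia" pwd="pwda"></user>
     <user name="ngib" pwd="pwdb"><ldsApplications value="debug-page"/></user>
  </users>
</config>
"""

MACRO = re.compile(r"\{\{([\w-]+)\}\}")
ALIAS_PI = re.compile(r"<\?alias\s+([\w-]+)=(.*?)\?>")


def parse_aliases(text):
    """Collect <?alias name=value?> directives; later values may use earlier aliases."""
    aliases = {}
    for name, value in ALIAS_PI.findall(text):
        aliases[name] = MACRO.sub(lambda m: aliases[m.group(1)], value)
    return aliases


def glob_to_re(pattern):
    """cctx/cpath glob: '*' matches any run of characters, everything else is literal
    (assumption: '?' is the literal query-string separator, not a wildcard)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def condition_holds(cond_el, user_el):
    """Evaluate a <condition> element (assumption: several child clauses are AND-ed)."""
    for clause in cond_el:
        if clause.tag == "HasLdsApplication":
            apps = {a.get("value") for a in user_el.findall("ldsApplications")}
            if clause.get("value") not in apps:
                return False
        else:
            raise ValueError(f"unsupported condition element <{clause.tag}>")
    return True


def evaluate(config_text, user_name, method, path):
    """Decide what the proxy does with one request.

    Returns ("unmapped", None) when no <cctx-mapping> covers the path,
    ("denied", None) when no <allow> matches, ("sign-in", None) for an anonymous
    or unknown user, ("forbidden", None) when the user is authenticated but fails
    the referenced condition, or ("proxy", target_url) with the rewritten URL.
    """
    aliases = parse_aliases(config_text)
    root = ET.fromstring(config_text)
    conditions = {c.get("alias"): c for c in root.iter("condition")}
    users = {u.get("name"): u for u in root.iter("user")}
    site = root.find("sso-traffic/by-site")

    mapping = next((m for m in site.findall("cctx-mapping")
                    if glob_to_re(m.get("cctx")).match(path)), None)
    if mapping is None:
        return ("unmapped", None)

    allow = next((a for a in site.findall("allow")
                  if method in a.get("action").split(",")
                  and glob_to_re(a.get("cpath")).match(path)), None)
    if allow is None:
        return ("denied", None)
    user_el = users.get(user_name)
    if user_el is None:
        return ("sign-in", None)

    cond_ref = allow.get("condition")
    if cond_ref is not None:
        m = MACRO.fullmatch(cond_ref)
        name = m.group(1) if m else cond_ref
        if name not in conditions:
            # Fail closed: a dangling condition alias must never turn into "allow".
            raise ValueError(f"allow references undefined condition {name!r}")
        if not condition_holds(conditions[name], user_el):
            return ("forbidden", None)

    # Rewrite the request URL: the cctx prefix becomes the tpath prefix.
    cctx_prefix = mapping.get("cctx").rstrip("*")
    tpath_prefix = mapping.get("tpath").rstrip("*")
    target = tpath_prefix + path[len(cctx_prefix):]
    port = MACRO.sub(lambda m: aliases[m.group(1)], mapping.get("tport"))
    return ("proxy", f"http://{mapping.get('thost')}:{port}{target}")


if __name__ == "__main__":
    for user in (None, "ngia", "ngib"):
        print(user, evaluate(CONFIG_XML, user, "GET", "/extra-secure/debug.jsp"))
```

Running it reproduces the walk-through later on this page: an anonymous request is sent to sign-in, ngia is forbidden, and ngib is proxied to /admin/debug.jsp on the console port resolved through the rest-port alias chain.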

Running the Example

Save this version of the file to condition-example.xml and restart with the following line using a 5.20 or greater version of the simulator (5.23 is shown here):

java -cp SSOSim-5.23.jar org.lds.sso.appwrap.Service conditions-example.xml


After starting up, point your browser to the URL in URLs for our Site. You are presented with the sign-in page. Upon selecting ngia you are forbidden access to the resource. Pressing the back button and selecting the ngib user, you are presented with the debug page, since that user meets the condition requirement beyond just authenticating.

This concludes this example.

Best Practice Config File

Listing: Using Conditions Site Example

 1 <?alias rest-port=1776?>
 2 <?alias console-port={{rest-port}}?>
 3 <?alias http-port=80?>
 4 
 5 <config proxy-port="{{http-port}}" console-port="{{console-port}}" rest-version="CD-OESv1">
 6   <console-recording sso="true" rest="true" max-entries="1000" enable-debug-logging="true"/>
 7   <sso-cookie name="lds-policy" domain=".lds.org"/>
 8 
 9   <conditions>
10      <condition alias="debug-users-group">
11         <HasLdsApplication value="debug-page"/>
12      </condition>
13   </conditions>
14 
15   <sso-traffic>
16      <by-site host="localhost.lds.org" port="80">
17         <cctx-mapping 
18                  cctx="/extra-secure/*" 
19                  thost="127.0.0.1" 
20                  tport="{{console-port}}" 
21                  tpath="/admin/*"/>
22 
23          <allow action="GET,POST" cpath="/extra-secure/debug*" condition="{{debug-users-group}}"/>
24          <allow action="GET,POST" cpath="/extra-secure/debug*?*" condition="{{debug-users-group}}"/>
25       </by-site>
26    </sso-traffic>
27 
28    <users>
29       <user name="ngia" pwd="pwda">
30       </user>
31       <user name="ngib" pwd="pwdb">
32           <ldsApplications value="debug-page"/>
33       </user>
34   </users>
35 </config>

Config without Line Numbers

If you want to copy and paste the configuration for this example into the condition-example.xml text file, use the version below so that you do not have to strip out the line numbers.

<?alias rest-port=1776?>
<?alias console-port={{rest-port}}?>
<?alias http-port=80?>

<config proxy-port="{{http-port}}" console-port="{{console-port}}" rest-version="CD-OESv1">
  <console-recording sso="true" rest="true" max-entries="1000" enable-debug-logging="true"/>
  <sso-cookie name="lds-policy" domain=".lds.org"/>

  <conditions>
     <condition alias="debug-users-group">
        <HasLdsApplication value="debug-page"/>
     </condition>
  </conditions>

  <sso-traffic>
     <by-site host="localhost.lds.org" port="80">
        <cctx-mapping 
                 cctx="/extra-secure/*" 
                 thost="127.0.0.1" 
                 tport="{{console-port}}" 
                 tpath="/admin/*"/>

         <allow action="GET,POST" cpath="/extra-secure/debug*" condition="{{debug-users-group}}"/>
         <allow action="GET,POST" cpath="/extra-secure/debug*?*" condition="{{debug-users-group}}"/>
      </by-site>
   </sso-traffic>

   <users>
      <user name="ngia" pwd="pwda">
      </user>
      <user name="ngib" pwd="pwdb">
          <ldsApplications value="debug-page"/>
      </user>
  </users>
</config>


Implementation via External Condition Files (Not Best Practice)

The condition syntax is an XML dialect distinct from the XML used to configure the simulator. As such, support for conditions was initially added via classpath-ref, resource-ref, or file-ref aliases, which allowed for simpler parsing of the configuration. Support for embedding condition syntax in the configuration file was added in version 5.20. Since deploying an application to the WAM environment requires use of the simulator configuration file to convey the set of policies needed to support that application, it is now considered Best Practice to embed condition syntax within the file rather than submitting many files to convey the complete picture.

To help migrate from use of external files to embedding condition syntax within the configuration file, the configuration below shows how to accomplish the same example using external files as is done with embedded conditions above. Line 4 is added; it is now the directive that declares the debug-users-group alias and directs the simulator to acquire its content from a classpath-located file named is-debug-user.xml. This could also have been a file-ref alias.

The next change is removal of the <conditions> directive and its content. The contents of the <condition> directive are then placed in an is-debug-user.xml file located in the same directory as our configuration file. It can be placed elsewhere, but that will require a corresponding classpath to be specified when running the example. Note from the Contents of is-debug-user.xml File listing that only the contents of the <condition> directive are included. The directive's start and end tags should not be included in the file since they are not part of the condition syntax.
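The migration just described (drop the classpath:/file: alias directive, move the file's contents into an embedded <condition alias="...">) is mechanical, so here is an added Python helper that performs it on a constructed copy of the external-conditions listing, together with a check that every condition="{{...}}" reference actually resolves. This is example code written for this page, not a tool shipped with the simulator; it assumes external files are looked up by the bare name given in the alias and inserts the <conditions> element directly after the <config> start tag.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the external-conditions listing on this page
# (the console-recording element is omitted; it does not affect policy decisions).
EXT_CONFIG = """<?alias rest-port=1776?>
<?alias console-port={{rest-port}}?>
<?alias http-port=80?>
<?alias debug-users-group=classpath:is-debug-user.xml?>

<config proxy-port="{{http-port}}" console-port="{{console-port}}" rest-version="CD-OESv1">
  <sso-cookie name="lds-policy" domain=".lds.org"/>

  <sso-traffic>
     <by-site host="localhost.lds.org" port="80">
        <cctx-mapping cctx="/extra-secure/*" thost="127.0.0.1"
                      tport="{{console-port}}" tpath="/admin/*"/>
        <allow action="GET,POST" cpath="/extra-secure/debug*" condition="{{debug-users-group}}"/>
        <allow action="GET,POST" cpath="/extra-secure/debug*?*" condition="{{debug-users-group}}"/>
     </by-site>
  </sso-traffic>

  <users>
     <user name="ngia" pwd="pwda"></user>
     <user name="ngib" pwd="pwdb"><ldsApplications value="debug-page"/></user>
  </users>
</config>
"""

# Constructed in-memory stand-in for the files a classpath:/file: alias would load.
EXTERNAL_FILES = {"is-debug-user.xml": '<HasLdsApplication value="debug-page"/>\n'}

ALIAS_PI = re.compile(r"<\?alias\s+([\w-]+)=(\S+?)\?>\n?")
REF_ALIAS = re.compile(r"^(classpath|file):(.+)$")


def embed_conditions(config_text, files):
    """Return the configuration with each classpath:/file: condition alias replaced
    by an embedded <condition>; ordinary value aliases are left untouched."""
    embedded = []

    def replace_pi(m):
        name, value = m.groups()
        ref = REF_ALIAS.match(value)
        if ref is None:
            return m.group(0)                      # plain alias such as rest-port: keep
        body = files.get(ref.group(2))             # assumption: lookup by bare file name
        if body is None:
            raise FileNotFoundError(f"condition file {ref.group(2)!r} for alias {name!r}")
        embedded.append(f'     <condition alias="{name}">\n'
                        f'        {body.strip()}\n'
                        f'     </condition>')
        return ""                                  # drop the directive line

    text = ALIAS_PI.sub(replace_pi, config_text)
    if embedded:
        block = "  <conditions>\n" + "\n".join(embedded) + "\n  </conditions>\n"
        text = re.sub(r"<config\b[^>]*>\n", lambda m: m.group(0) + block, text, count=1)
    ET.fromstring(text)                            # fail loudly if the result is not well-formed
    return text


def unresolved_condition_refs(config_text):
    """Aliases used in <allow condition="{{...}}"> that are defined neither as an
    embedded <condition alias> nor by an <?alias ...?> directive. A non-empty result
    means a typo would leave a resource with an unsatisfiable or undefined policy."""
    root = ET.fromstring(config_text)
    defined = {c.get("alias") for c in root.iter("condition")}
    defined |= {name for name, _ in ALIAS_PI.findall(config_text)}
    referenced = {a.get("condition")[2:-2] for a in root.iter("allow") if a.get("condition")}
    return referenced - defined


if __name__ == "__main__":
    print(embed_conditions(EXT_CONFIG, EXTERNAL_FILES))
```

The unresolved-reference check is worth running on both forms before submitting a configuration: a misspelled alias is silent in the XML itself and only shows up when a request hits the affected <allow> rule.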

Running the External Conditions Example

Save this version of the configuration file to condition-ext.xml and restart with the following line, adjusting as needed for the version of the jar that you are using and for the path separator required for the classpath in your environment. I happen to be using cygwin on windows, hence the semicolon preceded with a backslash in the classpath to add the current directory to the classpath so that is-debug-user.xml can be found.

java -cp SSOSim-5.23.jar\;. org.lds.sso.appwrap.Service conditions-ext.xml


After starting up and pointing your browser to the URL as before the behavior of the site should be identical.

This concludes this example.

External Conditions Config File

Listing: Using Conditions Site Example

 1 <?alias rest-port=1776?>
 2 <?alias console-port={{rest-port}}?>
 3 <?alias http-port=80?>
 4 <?alias debug-users-group=classpath:is-debug-user.xml?>
 5 
 6 <config proxy-port="{{http-port}}" console-port="{{console-port}}" rest-version="CD-OESv1">
 7   <console-recording sso="true" rest="true" max-entries="1000" enable-debug-logging="true"/>
 8   <sso-cookie name="lds-policy" domain=".lds.org"/>
 9 
10   <sso-traffic>
11      <by-site host="localhost.lds.org" port="80">
12         <cctx-mapping 
13                  cctx="/extra-secure/*" 
14                  thost="127.0.0.1" 
15                  tport="{{console-port}}" 
16                  tpath="/admin/*"/>
17 
18          <allow action="GET,POST" cpath="/extra-secure/debug*" condition="{{debug-users-group}}"/>
19          <allow action="GET,POST" cpath="/extra-secure/debug*?*" condition="{{debug-users-group}}"/>
20       </by-site>
21    </sso-traffic>
22 
23    <users>
24       <user name="ngia" pwd="pwda">
25       </user>
26       <user name="ngib" pwd="pwdb">
27           <ldsApplications value="debug-page"/>
28       </user>
29   </users>
30 </config>

Contents of is-debug-user.xml File

<HasLdsApplication value="debug-page"/>


External Conditions Config without Line Numbers

If you want to copy and paste the configuration for this example into the condition-ext.xml text file, use the version below so that you do not have to strip out the line numbers. It is the External Conditions Config File listing above: the debug-users-group alias directive is present and there is no embedded <conditions> element.

<?alias rest-port=1776?>
<?alias console-port={{rest-port}}?>
<?alias http-port=80?>
<?alias debug-users-group=classpath:is-debug-user.xml?>

<config proxy-port="{{http-port}}" console-port="{{console-port}}" rest-version="CD-OESv1">
  <console-recording sso="true" rest="true" max-entries="1000" enable-debug-logging="true"/>
  <sso-cookie name="lds-policy" domain=".lds.org"/>

  <sso-traffic>
     <by-site host="localhost.lds.org" port="80">
        <cctx-mapping 
                 cctx="/extra-secure/*" 
                 thost="127.0.0.1" 
                 tport="{{console-port}}" 
                 tpath="/admin/*"/>

         <allow action="GET,POST" cpath="/extra-secure/debug*" condition="{{debug-users-group}}"/>
         <allow action="GET,POST" cpath="/extra-secure/debug*?*" condition="{{debug-users-group}}"/>
      </by-site>
   </sso-traffic>

   <users>
      <user name="ngia" pwd="pwda">
      </user>
      <user name="ngib" pwd="pwdb">
          <ldsApplications value="debug-page"/>
      </user>
  </users>
</config>

This page was last modified on 5 April 2011, at 18:55.
