Implementing authorization

Authorization is implemented using access tokens that must be set.

A user, or the groups to which the user belongs to, can be associated with zero-to-many access token values. The access token values are set on the DWLControl object so that the values are accessible during the transaction.

InfoSphere® MDM provides a data model to support a default access token authorization.

Data model for access tokens.
The com.dwl.base.accessToken.DefaultAccessTokenAccessor class is used to retrieve the collection of access tokens associated with the user and group. It then sets this collection to the DWLControl object. The collection of access tokens can be retrieved using the DWLControl.getAccessTokenCollection() method during the transaction. The collection can be queried using the methods provided by the com.dwl.base.accessToken.AccessTokenCollection class.

Implementing another access token accessor

You do not have to manage access tokens with the default data model. If you have a different data model, or an external authorization system that you want to integrate with InfoSphere MDM, you may want to use those instead of the default data model.

To override the default access token accessor, set the CONFIGELEMENT record /IBM/DWLCommonServices/AccessToken/AccessTokenAccessor/className to a value that corresponds to another accessor class implementation. The accessor class must implement the com.dwl.base.accessToken.AccessTokenAccessor interface.

In addition, the custom accessor implementation must be exposed to InfoSphere MDM as a common service. This is done by defining a blueprint service using the following template:
<service id="AccessTokenAccessor" interface="com.ibm.mdm.common.servicefactory.api.CommonServiceFactory">
		<service-properties>
			<entry key="common.service" value="AccessTokenAccessor.<my accessor implementation class>"/>
		</service-properties>
		<bean class="com.ibm.mdm.common.servicefactory.CommonServiceFactoryImpl">
			<argument type="java.lang.Class" value="com.dwl.base.accessToken.AccessTokenAccessor"/>
			<argument type="java.lang.Class" value="<my accessor implementation class>" />			
			<argument ref="blueprintBundle"/>			
		</bean>
	</service>
<my accessor implementation class> must be replaced with the fully qualified class name of your accessor.

The blueprint service definition must be places in a bundle along with the accessor implementation class and deployed as a CBA composition unit extension.