Configuring a custom transaction authorization provider

To configure a custom transaction authorization provider, take the following steps:

Procedure

  1. Write a transaction authorization provider class that implements the AuthorizationProvider interface. This interface is in the com.dwl.base.security.interface package inside the com.ibm.mdm.server.dwlcommonservices bundle. The class specification for this interface is:
    [Figure: class diagram of the AuthorizationProvider Java interface]

    Internally, the class can implement the logic directly or by calling into third-party transaction authorization providers such as SiteMinder, ClearTrust and others. It should return true only if the user or the group is authorized for the passed-in resource, and false otherwise.

  2. Configure the new transaction authorization provider class by specifying its name in the configuration repository as shown in the Security Configuration section.
  3. Package the new authorization provider class in an OSGi bundle. An Authorization Provider service must also be defined in this bundle for the new provider. The service definition must follow this blueprint template:
    <service id="MyNewAuthorizationProvider" interface="com.ibm.mdm.common.servicefactory.api.CommonServiceFactory">
      <service-properties>
        <entry key="common.service" value="AuthorizationProvider.my.company.MyNewAuthorizationProvider"/>
      </service-properties>
      <bean class="com.ibm.mdm.common.servicefactory.CommonServiceFactoryImpl">
        <argument type="java.lang.Class" value="com.dwl.base.security.AuthorizationProvider"/>
        <argument type="java.lang.Class" value="my.company.MyNewAuthorizationProvider"/>
        <argument ref="blueprintBundle"/>
      </bean>
    </service>
    Important: The common.service service property must be prefixed by AuthorizationProvider followed by the new authorization provider class name. The first class argument must be com.dwl.base.security.AuthorizationProvider, which represents the service interface. The second class argument must be set to the new authorization provider class.
  4. Deploy the bundle on the server in a composite bundle (CBA), and set it as a composition unit (CU) extension of the Operational Server EBA.
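
The rules in the Important note under step 3 can be checked before the bundle is deployed. The following script is an added example, not part of the product or its documentation: the function names and the STALE sample are constructed here, and the dot after the AuthorizationProvider prefix is assumed from the template.

```python
import xml.etree.ElementTree as ET

SERVICE_INTERFACE = "com.dwl.base.security.AuthorizationProvider"
PREFIX = "AuthorizationProvider."  # dot separator as in the template (assumed required)

def local(tag):
    """Drop an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_provider_services(xml_text):
    """Return rule violations for each authorization provider <service> found."""
    problems = []
    for svc in ET.fromstring(xml_text).iter():
        if local(svc.tag) != "service":
            continue
        sid = svc.get("id", "<no id>")
        prop = next((e.get("value", "") for e in svc.iter()
                     if local(e.tag) == "entry" and e.get("key") == "common.service"), None)
        classes = [a.get("value", "").strip() for a in svc.iter()
                   if local(a.tag) == "argument" and a.get("type") == "java.lang.Class"]
        if not ((prop or "").startswith("AuthorizationProvider") or SERVICE_INTERFACE in classes):
            continue  # some other service, not an authorization provider definition
        if prop is None or len(classes) != 2:
            problems.append(f"{sid}: needs a common.service entry and two java.lang.Class arguments")
            continue
        if classes[0] != SERVICE_INTERFACE:
            problems.append(f"{sid}: first class argument must be {SERVICE_INTERFACE}")
        if prop != PREFIX + classes[1]:
            problems.append(f"{sid}: common.service {prop!r} does not match {PREFIX + classes[1]!r}")
    return problems

# Constructed sample: the page's template with a stale class name in common.service.
STALE = """<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0">
  <service id="MyNewAuthorizationProvider"
           interface="com.ibm.mdm.common.servicefactory.api.CommonServiceFactory">
    <service-properties>
      <entry key="common.service" value="AuthorizationProvider.my.company.OldProvider"/>
    </service-properties>
    <bean class="com.ibm.mdm.common.servicefactory.CommonServiceFactoryImpl">
      <argument type="java.lang.Class" value="com.dwl.base.security.AuthorizationProvider"/>
      <argument type="java.lang.Class" value="my.company.MyNewAuthorizationProvider"/>
      <argument ref="blueprintBundle"/>
    </bean>
  </service>
</blueprint>"""
FIXED = STALE.replace("my.company.OldProvider", "my.company.MyNewAuthorizationProvider")

if __name__ == "__main__":
    for name, doc in (("stale", STALE), ("fixed", FIXED)):
        print(name, check_provider_services(doc) or "OK")
```
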


Last updated: 9 Dec 2016