...

  1. The REST client first needs to obtain a ticket from the CAS server by providing a username, password and the service URL (essentially the service URL of Open Registry), either by invoking the heavyweight SOAP service or by making a REST call to the CAS server.
  2. The client then needs to pass username='cas_stateless' and password='the ticket obtained from CAS in step 1' to Open Registry.

Authorization on Service Layer

Security Trimming

Implementations of Open Registry may want to restrict search results based on the authorized principal's granted authorities. This must be done at the service layer. The necessary configuration has been made in the security context to create Spring Security AOP proxies that apply pre/post filtering and authorization on the service layer. Security trimming is done by the following annotation in the default person service:
@PostFilter("hasPermission(filterObject, 'read')")
A default implementation of permission evaluation is provided in the class org.openregistry.core.service.security.auth.PermissionEvaluator.
It returns true, i.e. it does not apply any security criteria on the service layer.

PreAuthorization

Implementations of Open Registry may want to restrict the adding of a person based on the authorized principal's granted authorities and the data. Pre-authorization on the service layer is done using the following annotation:
@PreAuthorize("hasPermission(#sorRole, 'admin')")
A default implementation that does not apply any pre-authorization criteria is provided in the class PermissionEvaluator.
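As an added example (not Open Registry's own code) for both the security trimming and the pre-authorization sections above, here is a PermissionEvaluator that actually enforces a criterion instead of returning true, next to a service interface carrying the two annotations. The interface name PersonService, the method names, and the authority names ROLE_REGISTRY_READ and ROLE_REGISTRY_ADMIN are assumptions; Person and SorRole are taken to be the registry's domain types, and the evaluator is assumed to be wired into the method security expression handler that backs the pre/post annotations.

```java
import java.io.Serializable;
import java.util.List;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Assumed service interface; Person and SorRole are the registry's domain types.
interface PersonService {
    // Every result is dropped unless the caller may 'read' it.
    @PostFilter("hasPermission(filterObject, 'read')")
    List<Person> searchPeople(String query);
    // Rejected before the method runs unless the caller may 'admin' the role.
    @PreAuthorize("hasPermission(#sorRole, 'admin')")
    void addRole(SorRole sorRole);
}

// Hypothetical evaluator replacing the default that always returns true.
// Wire it as the permissionEvaluator of the DefaultMethodSecurityExpressionHandler
// registered on <global-method-security pre-post-annotations="enabled">.
public class AuthorityPermissionEvaluator implements PermissionEvaluator {
    // Assumed authority names; adapt to the deployment's own.
    private static final String READ_AUTHORITY = "ROLE_REGISTRY_READ";
    private static final String ADMIN_AUTHORITY = "ROLE_REGISTRY_ADMIN";

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || target == null) {
            return false; // deny by default: no principal, no results
        }
        final String required;
        if ("read".equals(permission)) {
            required = READ_AUTHORITY;
        } else if ("admin".equals(permission) && target instanceof SorRole) {
            required = ADMIN_AUTHORITY;
        } else {
            return false; // unknown permission or wrong target type: deny
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (required.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return false; // id-based checks are not used by the annotations above
    }
}
```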

Schema for Role Persistence (Oracle)

...