SecuritySecurity
Security
Home > Books > NetKernel Technologies > Security
Preface
Cron
GUI Events
HTTP
InTray
JMS
LDAP
Mail
RDBMS
Security
Sessions
SOAP

Rate this page:
Really useful
Satisfactory
Not helpful
Confusing
Incorrect
Unsure
Extra comments:

 send 

Security in NetKernel is based on allowing or disallowing requests entry into an address space by using the URI Gatekeeper. The gatekeeper acts as a control point between two address spaces. It is very easy to turn the various zones managed by the gatekeeper on or off facilitating easy development and then full security when a system is in production.

The operation of the URI GateKeeper is straight forward. Requests sent to it have their URI matched against a regular expression to see if they are in a particular access control zone. If they are they are routed to an access controller for examination. The access controller returns a valid or not valid response. If valid, the original request is re-issued into the module's address space. If not valid then the URI Gatekeeper returns the login resource as the response to the original request.

For example, in the image below a module's URI address space has the URI Gatekeeper as an overlay. For simplicity we show only one access control zone.

  1. A request is made for a resource whose URI matches the access zone definition.
  2. The URIGateKeeper issues a request to the Access Controller for this zone.
  3. The Access Controller response indicates the request is either valid or invalid.
    1. If the request is valid the URI Gatekeeper re-issues the request into the module's address space.
    2. If the request is not valid the URI Gatekeeper returns the login resource to the original request.

Services

NetKernel provides the URI GateKeeper in the ext_xsecurity module.

The most straight forward approach to use the gatekeeper is to route all requests to the gatekeeper with a rewrite rule such as:

<rule>
  <match>(.*)</match>
  <to>active:gk+uri@$1</to>
</rule>

The URI Gatekeeper requests its configuration information from the resource ffcpl:/etc/GateKeeperPolicy.xml.

Configuration

The resource ffcpl:/etc/GateKeeperPolicy.xml specifies the gatekeeper security configuration and references the Access Controller that define the security policy for each zone.

<GateKeeperPolicy>
  <zone>
    <match>.*/secured/(?!login).*</match>
    <isValidURI>active:dpml+operand@ffcpl:/secured/sessionvalidator.idoc</isValidURI>
    <loginURI>ffcpl:/secured/login</loginURI>
  </zone>
</GateKeeperPolicy>

The policy specifies a zone as follows

  • match Specifies a regular expression used to match the URI of each request.
  • isValidURI The URI of the Access Controller.
  • loginURI The URI of the login resource.

Access Controller Request

When the URI Gatekeeper issues its request to the Access Controller it will attach all arguments from the original request which are not already included in the isValidURI element.

The access controller must return a boolean resource which is true if the request is authorized.

© 2003-2007, 1060 Research Limited. 1060 registered trademark, NetKernel trademark of 1060 Research Limited.