URI Gatekeeper is provided in the ext_xsecurity module
Intro

Access control is vital in a production application but can cause headaches during the application development cycle. The URIGateKeeper was developed to provide access control zones which can be applied over a module's URI address space. The zones can be easily disabled for development and enabled for production.

Access Control Zones

The image below shows a module's URI address space. In this example the URIGateKeeper is used to provide a single access control zone.
The URIGateKeeper is a simple transparent filter of the URI address space. It attempts to match a URI request to see if it is in an access control zone. If it is, it issues a request to the access controller registered for the zone. If the access controller validates the request, the URIGateKeeper transparently reissues the original request. If the request is invalid, it serves the requestor with the Login Resource (usually a login prompt).

Configuration

The URIGateKeeper is a transparent URI filter. It is configured such that all requests to an access controlled module are directed through the URIGateKeeper. The URIGateKeeper accessor maps all gk: scheme URIs. All requests can be directed to the URIGateKeeper with the following rewrite rule:

<rule>
  <match>(.*)</match>
  <to>gk:$1</to>
</rule>
The URIGateKeeper reads its configuration from a

<GateKeeperPolicy>
  <zone>
    <match>.*/secured/(?!login).*</match>
    <isValidURI>active:dpml+operand@ffcpl:/secured/sessionvalidator.idoc</isValidURI>
    <loginURI>ffcpl:/secured/login</loginURI>
  </zone>
</GateKeeperPolicy>

The policy specifies a zone as follows
Validation Request

The URIGateKeeper issues a request to the validation URI specified in the access control zone policy. It attempts to attach to the validation URI all arguments from the original request which are not duplicated in the validation URI. The URIGateKeeper does not make any interpretation of the requests. It is a simple transparent request director. It is the developer's job to ensure the validator URI receives the information it needs to make a validation decision; this could be a simple cookie-based mechanism or a more sophisticated session mapping pattern.
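
An added example, not part of the original documentation or of NetKernel's code: a Python check of which URIs the zone pattern from the Configuration section places under access control. It assumes the match is applied to the whole URI (as Java's Matcher.matches() would); TIGHT_MATCH and all sample URIs except ffcpl:/secured/login are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Policy copied from the Configuration section of this page.
POLICY_XML = """
<GateKeeperPolicy>
  <zone>
    <match>.*/secured/(?!login).*</match>
    <isValidURI>active:dpml+operand@ffcpl:/secured/sessionvalidator.idoc</isValidURI>
    <loginURI>ffcpl:/secured/login</loginURI>
  </zone>
</GateKeeperPolicy>
"""

# Assumption (not from the page): a tighter pattern that exempts only the
# exact login resource instead of every name that starts with "login".
TIGHT_MATCH = r".*/secured/(?!login$).*"


def load_zones(policy_xml, match=None):
    """Parse each <zone>; `match` optionally overrides the page's pattern."""
    return [{"match": re.compile(match or z.findtext("match")),
             "loginURI": z.findtext("loginURI")}
            for z in ET.fromstring(policy_xml).findall("zone")]


def zone_for(uri, zones):
    """Return the first zone whose pattern matches the whole URI, else None.
    Assumption: whole-string matching, like Java's Matcher.matches()."""
    for zone in zones:
        if zone["match"].fullmatch(uri):
            return zone
    return None


def audit(uris, zones):
    """Map each URI to 'validated' (in a zone) or 'open' (passes unchecked)."""
    return {u: "validated" if zone_for(u, zones) else "open" for u in uris}


# Constructed sample URIs for the audit.
SAMPLE = ["ffcpl:/secured/report.idoc", "ffcpl:/secured/login",
          "ffcpl:/secured/login-audit.idoc", "ffcpl:/public/index.html"]

if __name__ == "__main__":
    for label, m in (("page policy", None), ("tight policy", TIGHT_MATCH)):
        print(label, audit(SAMPLE, load_zones(POLICY_XML, m)))
```

Because (?!login) excludes by prefix, any resource under /secured/ whose name begins with "login" sits outside the zone; the tighter pattern exempts only the exact login URI.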
© 2003,2004, 1060® Research Limited
1060 registered trademark, NetKernel trademark of 1060 Research Limited