Next: Configuration Up: Administration GUI Previous: Administration GUI

Internal structure

The Administration GUI is implemented by a set of Java servlets, which can directly operate on one instance of Authorization Manager. The servlets interact with the Authorization Manager through the API provided by the latter. They can read/change configuration parameters and create/remove associations used by AttributeRepositories and Translations. Any operation that modifies the Authorization Manager configuration is immediately propagated to the underlying physical implementation.

All incoming requests directed to the Administration GUI are first examined by a filter that verifies that they originate from a client authorized to act as administrator of the Authorization Manager. The requested command is executed only after successful authorization. The Policy and role to be used for the authorization of the client are specified in the configuration file of the authorization enforcer (Authorization Filter or Axis Authorization Handler).

Figure: Administration GUI process flow

The authorization decision is based on the identity of the client, corresponding to the subject DN of the client certificate. The web browser used to connect to the Administration GUI must be able to perform SSL mutual authentication and to handle client certificates; text-based browsers (such as Lynx and w3m) do not support these features and cannot be used to connect to the Administration GUI.
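The following servlet filter is an added illustration of the check described above, not the Authorization Filter shipped with the Authorization Manager. It uses only the standard Servlet API; the class name `AdminDnFilter` and the `adminDNs` init parameter are assumptions, and it authorizes on a fixed list of subject DNs rather than on a Policy and role.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example: hypothetical filter, not part of the Authorization Manager code base.
public class AdminDnFilter implements Filter {
    // Hypothetical init parameter "adminDNs": RFC 2253 subject DNs separated by ';'
    private final Set<X500Principal> admins = new HashSet<>();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String list = cfg.getInitParameter("adminDNs");
        if (list == null || list.trim().isEmpty()) {
            // Fail closed: an empty administrator list must not mean "allow everyone"
            throw new ServletException("adminDNs not configured");
        }
        for (String dn : list.split(";")) {
            if (!dn.trim().isEmpty()) admins.add(new X500Principal(dn.trim()));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The container sets this attribute only after verifying the client certificate
        X509Certificate[] certs = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        HttpServletResponse http = (HttpServletResponse) res;
        if (!req.isSecure() || certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        // certs[0] is the client's own certificate. X500Principal.equals compares the
        // canonical DN, so case and spacing differences do not change the decision.
        X500Principal subject = certs[0].getSubjectX500Principal();
        if (!admins.contains(subject)) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "not an administrator");
            return;
        }
        chain.doFilter(req, res); // authorized: the requested command is executed
    }

    @Override
    public void destroy() { }
}
```

The filter only sees a certificate if the container's SSL connector is configured to request client authentication and to validate the chain against trusted CAs; the DN comparison is meaningful only on top of that validation.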

The current deployment model uses one instance of Authorization Manager for each web application. This single instance is shared among the Administration GUI, the authorization enforcer and any other program belonging to the web application that needs to use the Authorization Manager API.


2004-05-05