[ accessmanager authorization identityservices sdn ]
One new area of work in OpenSSO is Identity Services, which lets a developer easily write code to authenticate users, check whether those users are authorized to access resources, retrieve those users' attributes, and so on. While all of this functionality has long been available in different forms, the new Identity Services work collects common identity tasks into an easy-to-use set of web services accessible via SOAP and REST. Now developers working in just about any language can join the identity party.
Last month, Aravindan and Marina published a Sun Developer Network article showing how to use OpenSSO's identity services for authentication. This month, Lakshman Abburi joins them to cover authorization with identity services. The identity services client from part 1 is extended to check whether the authenticated user should be allowed access to a given resource, in this example, a URL. Although the article focuses on Java and NetBeans, as I mention above, you can invoke identity services from just about anywhere. Go read the articles, have a play, and leave a comment here or there if you do something really cool.




How do we define authorization policies for web services? I have a web service and a WS client deployed on different Tomcat instances. My OpenSSO runs on another Tomcat instance. I use JAX-WS handlers to enforce authentication. How do I enforce authorization?
Posted by shashi on January 21, 2009 at 02:39 PM PST #
Hi Shashi - this thread on the users@opensso.dev.java.net mailing list covers the topic - http://markmail.org/thread/4ip2ld6eoxmdixyc - and points to the documentation at http://docs.sun.com/app/docs/doc/820-4803/ghupc?a=view
Posted by Pat Patterson on February 09, 2009 at 07:45 PM PST #
It seems like OpenSSO allows for developers to authorize users only by utilizing the attributes residing in the token that was created after OpenSSO has authenticated a user. Am I correct to assume that OpenSSO doesn't allow for a developer to access a different attribute authority after authentication has occurred to obtain attributes that way?
Posted by Chi on April 16, 2009 at 04:56 AM PDT #
I'm not sure I understand the question. Can you elaborate on your use case, either here or on the OpenSSO users mailing list?
Posted by Pat Patterson on April 20, 2009 at 02:34 PM PDT #
Pat:
I have been able to integrate Liferay and OpenSSO, with respect to authentication. However, I have been struggling with the integration aspect relating to authorization. I am not sure if it is even reasonable to assume that Liferay can be integrated with an external "authorization" data store. The questions that invariably arise when you talk about integrating a portal with an external authorization data store are:
a. Can you set up communities and pages dynamically for a user, with information retrieved from OpenSSO's policies (authorization)? Is this even realistic?
b. Can you selectively show pages and portlets based on policies in OpenSSO for that user?
I would appreciate your thoughts on this topic and if you can share some documents on if/how this can be done, that would be even better.
Posted by Pradeep Balachandran on September 14, 2009 at 11:35 AM PDT #