This page describe all the steps to enable Atlassian Crowd based authorization and authentication to an IHTSDO tools application using Identity Management Service.
Step-by-step guide
Login to crowd interface
In order to create application user group, user should have crowd admin role.- Define a application user group(s)
Create application specific group. For example WRP admin can be ihtsdo-wrp-admin. A normal WRP user can be categorize under ihtsdo-wrp-users
This step can be skipped if application want to use default user group - ihtsdo-users to an application for authorization
Enable back end security using spring security.
In order to enable spring based security, application should use dependency of ihtsdo-crowd-resources and ihtsdo-crowd-bridge modules in its maven build. An example of these is given as below.
Authorization is specific to individual application under IHTSDO tools and application should decide how to enforce authorization to available roles to application.Maven Dependency<dependency> <groupId>org.ihtsdo.otf</groupId> <artifactId>ihtsdo-crowd-resources</artifactId> <version>x.x.x</version> <classifier>resources</classifier> <type>zip</type> <scope>provided</scope> </dependency> <dependency> <groupId>org.ihtsdo.otf</groupId> <artifactId>ihtsdo-crowd-bridge</artifactId> <version>x.x.x</version> </dependency>Load crowd spring bean resources application-im-common-security-config.xml and applicationContext-CrowdClient.xml. Loading can be done using both xml or java annotation way. Example is
Crowd Spring BeansXml Config <import resource="classpath:applicationContext-CrowdClient.xml" />, <import resource="classpath:application-im-common-security-config.xml" /> or Java annotation @ImportResource({"classpath:applicationContext-CrowdClient.xml","classpath:application-im-common-security-config.xml"})Bundle above crowd spring bean resource files in war.
Maven Crowd Resources Loading<resources> <resource> <directory>${basedir}/src/main/resources</directory> </resource> <resource> <directory>${project.build.directory}/generated-resources</directory> <filtering>true</filtering> </resource> </resources> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-dependency-plugin</artifactId> <version>2.10</version> <executions> <execution> <id>unpack-crowd-resources</id> <goals> <goal>unpack-dependencies</goal> </goals> <phase>generate-resources</phase> <configuration> <outputDirectory>${project.build.directory}/generated-resources</outputDirectory> <includeGroupIds>${project.groupId}</includeGroupIds> <includeArtifacIds>ihtsdo-crowd-resources</includeArtifacIds> <excludeArtifactIds>*</excludeArtifactIds> <excludeTransitive>true</excludeTransitive> <scope>provided</scope> <includes>crowd.properties, application-im-common-security-config.xml, applicationContext-CrowdClient.xml, crowd-ehcache.xml </includes> </configuration> </execution> </executions> </plugin>Enable method lavel security using spring security annotation or xml config.
Method Security Configuration<sec:global-method-security pre-post-annotations="enabled"/>
- Use Method annotation or resource annotation to enforce authorization to desired role. See example in Identity Service module or Refset service module.