-AAF 2.0 RESTful interface\r
-=========================\r
-\r
-Accessing RESTful\r
------------------\r
-\r
--AAF RESTful service is secured by the following:\r
--The Client must utilize HTTP/S. Non Secure HTTP is not acceptable\r
--The Client MUST supply an Identity validated by one of the following mechanisms\r
-\r
- - Valid Global Login Cookie (CSP)\r
- - BASIC AUTH protocol using CSO Registered MechID, provisioned in AAF\r
- - BASIC AUTH protocol using ATTUID@csp.att.com, Global Login Password\r
- - (Available 3rd Qtr 2015) Valid tGuard Login Cookie\r
- - (Near Future) Application level Certificate\r
-\r
-Responses\r
-\r
-Each API Entity listed shows what structure will be accepted by service (ContentType) or responded with by service (Accept). Therefore, use these in making your call. Critical for PUT/POST.\r
-\r
-Each API call may respond with JSON or XML. Choose the ContentType/Accept that has +json after the type for JSON or +xml after the Type for XML\r
-\r
-XSDs for Versions\r
-\r
-AAF can support multiple Versions of the API. Choose the ContentType/Accept that has the appropriate version=?.?\r
-\r
-All Errors coming from AAF return AT&T Standard Error Message as a String: `JSON <./example/YXBwbGljYXRpb24vRXJyb3IranNvbg==>`__ `XML <./example/YXBwbGljYXRpb24vRXJyb3IreG1s>`__ (does not apply to errors from Container)\r
-\r
-Character Restrictions\r
-\r
-- Character Restrictions must depend on the Enforcement Point used\r
-- Most AAF usage will be AAF Enforcement Point Characters for Instance and Action are:\r
- *a-zA-Z0-9,.()\_-=%*\r
- For Instance, you may declare a multi-dimensional key with : (colon) separator, example:\r
-\r
-Ask for a Consultation on how these are typically used, or, if your tool is the only Enforcement Point, if set may be expanded\r
-\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| Entity | Method | Path Info | Description |\r
-+====================+====================+====================+===================================================+\r
-| PERMISSION | POST | /authz/perm | Create a Permission |\r
-| | | | Permission consists of: |\r
-| | | | - type - a Namespace qualified identifier |\r
-| | | | specifying what kind of resource is being |\r
-| | | | protected |\r
-| | | | - instance - a key, possibly multi-dimensional |\r
-| | | | that identifies a specific instance of the |\r
-| | | | type |\r
-| | | | - action - what kind of action is allowed |\r
-| | | | Note: instance and action can be an \* |\r
-| | | | Expected HTTP Code |\r
-| | | | 201 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 403, 404, 406, 409 | \r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | PUT | /authz/perm | Set Description for Permission |\r
-| | | | Add Description Data to Perm |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | DELETE | /authz/perm | Delete a Permission |\r
-| | | | Delete the Permission referenced by PermKey. |\r
-| | | | You cannot normally delete a permission which |\r
-| | | | is still granted to roles, however the |\r
-| | | | "force" property allows you to do just that. To |\r
-| | | | do this: Add |\r
-| | | | 'force=true' as a query parameter. |\r
-| | | | **WARNING**: Using force will ungrant this |\r
-| | | | permission from all roles. Use with care. |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 | \r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | DELETE | /authz/perm/:name/ | Delete a Permission |\r
-| | | :type/:action | Delete the Permission referenced by :type |\r
-| | | | :instance: action |\r
-| | | | You cannot normally delete a permission which |\r
-| | | | is still granted to roles, however the |\r
-| | | | "force" property allows you to do |\r
-| | | | just that. To do this: Add 'force=true' as a |\r
-| | | | query parameter |\r
-| | | | |\r
-| | | | WARNING: Using force will ungrant this permission |\r
-| | | | from all roles. Use with care. |\r
-| | | | ------------------------------------------------- |\r
-| | | | Parameters |\r
-| | | | type : string (Required) |\r
-| | | | instance : string (Required) |\r
-| | | | action : string (Required) |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | PUT | /authz/perm/:type/ | Update a Permission |\r
-| | | :instance/:action | Rename the Permission referenced |\r
-| | | | by :type :instance :action, and rename |\r
-| | | | (copy/delete) to the Permission described in |\r
-| | | | PermRequest |\r
-| | | | |\r
-| | | |---------------------------------------------------|\r
-| | | | Parameters |\r
-| | | | type : string (Required) |\r
-| | | | instance : string (Required) |\r
-| | | | action : string (Required) |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 ,409 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | GET | /authz/perms/:type | Get Permissions by Type |\r
-| | | | |\r
-| | | | List All Permissions that match the :type |\r
-| | | | element of the key |\r
-| | | | ------------------------------------------------- |\r
-| | | | Parameters |\r
-| | | | type : string (Required) |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | GET | /authz/perms/:type | Get Permissions by Key |\r
-| | | /:instance/:action | List Permissions that match key; |\r
-| | | | :type, :instance and :action |\r
-| | | | |\r
-| | | | --------------------------------------------------|\r
-| | | | Parameters |\r
-| | | | type : string (Required) |\r
-| | | | instance : string (Required) |\r
-| | | | action : string (Required) |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | GET | /authz/perms/ns/:n | Get PermsByNS |\r
-| | | s | List All Permissions that are in Namespace :ns |\r
-| | | | --------------------------------------------------|\r
-| | | | Parameters |\r
-| | | | type : ns (Required) |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | GET | /authz/perms/role/ | Get Permissions by Role |\r
-| | | :role | List All Permissions that are granted to :role |\r
-| | | | --------------------------------------------------|\r
-| | | | Parameters |\r
-| | | | role : string (Required) |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | POST | /authz/perms/user/ | Get Permissions by User, Query AAF Perms |\r
-| | | :user | |\r
-| | | | List All Permissions that match user :user |\r
-| | | | |\r
-| | | | 'user' must be expressed as full |\r
-| | | | identity (ex: id@full.domain.com) |\r
-| | | | Present Queries as one or more Permissions (see |\r
-| | | | ContentType Links below for format). If the |\r
-| | | | Caller is Granted this specific Permission, and |\r
-| | | | the Permission is valid for the User, it will be |\r
-| | | | included in response permissions,along with all |\r
-| | | | the normal permissions on the 'GET' version of |\r
-| | | | this call. If it is not valid,or caller does not |\r
-| | | | permission to see, it will be removed from the |\r
-| | | | list. |\r
-| | | | **Note**: This design allows you to make one |\r
-| | | | call for all expected permissions |\r
-| | | | |\r
-| | | | The permission to be included MUST be: |\r
-| | | | .access\|:[:key]\| |\r
-| | | | |\r
-| | | | examples: |\r
-| | | | |\r
-| | | | com.att.myns.access|:ns|write |\r
-| | | | com.att.myns.access\|:role:myrole\|create |\r
-| | | | com.att.myns.access\|:perm:mytype:myinstance: |\r
-| | | | myaction\|read |\r
-| | | | --------------------------------------------------|\r
-| | | | Parameters |\r
-| | | | user:string(Required) |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | GET | /authz/perms/user/ | Get Permissions by User |\r
-| | | :user | |\r
-| | | | List All Permissions that match user :user |\r
-| | | | 'user' must be expressed as full |\r
-| | | | identity (ex:id@full.domain.com) |\r
-| | | | --------------------------------------------------|\r
-| | | | Parameters |\r
-| | | | user:string(Required) |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| ROLE | POST | /authz/role | Create Role |\r
-| | | | |\r
-| | | | Roles are part of Namespaces |\r
-| | | | Examples: |\r
-| | | | |\r
-| | | | - com.att.aaf - The team that created and |\r
-| | | | maintains AAF |\r
-| | | | |\r
-| | | | Roles do not include implied permissions for an |\r
-| | | | App. Instead, they contain explicit Granted |\r
-| | | | Permissions by any Namespace in AAF |\r
-| | | | Restrictions on Role Names: |\r
-| | | | - Must start with valid Namespace name, |\r
-| | | | terminated by .(dot/period) |\r
-| | | | - Allowed Characters are a-zA-Z0-9._- |\r
-| | | | - role names are Case Sensitive |\r
-| | | | Expected HTTP Code |\r
-| | | | 201 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 403, 404, 406, 409 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
-| | PUT | /authz/role | Set Description for role |\r
-| | | | Add Description Data to a Role |\r
-| | | | Expected HTTP Code |\r
-| | | | 200 |\r
-| | | | Explicit HTTP Error Codes |\r
-| | | | 404, 406 |\r
-+--------------------+--------------------+--------------------+---------------------------------------------------+\r
+AAF 2.0 RESTful interface
+=========================
+
+Accessing RESTful
+-----------------
+
+AAF RESTful service is secured by the following:
+
+ * The Client must utilize HTTP/S. Non Secure HTTP is not acceptable
+ * The Client MUST supply an Identity validated by one of the following mechanisms:
+
+ * Valid Global Login Cookie (CSP)
+ * BASIC AUTH protocol using CSO Registered MechID, provisioned in AAF
+ * BASIC AUTH protocol using ATTUID@csp.att.com, Global Login Password
+ * (Available 3rd Qtr 2015) Valid tGuard Login Cookie
+ * (Near Future) Application level Certificate
+
+Responses
+
+Each API Entity listed shows what structure will be accepted by service (ContentType) or responded with by service (Accept). Therefore, use these in making your call. Critical for PUT/POST.
+
+Each API call may respond with JSON or XML. Choose the ContentType/Accept that has +json after the type for JSON or +xml after the Type for XML
+
+XSDs for Versions
+
+AAF can support multiple Versions of the API. Choose the ContentType/Accept that has the appropriate version=?.?
+
+All Errors coming from AAF return AT&T Standard Error Message as a String: `JSON <./example/YXBwbGljYXRpb24vRXJyb3IranNvbg==>`__ `XML <./example/YXBwbGljYXRpb24vRXJyb3IreG1s>`__ (does not apply to errors from Container)
+
+Character Restrictions
+
+- Character Restrictions must depend on the Enforcement Point used
+- Most AAF usage will be AAF Enforcement Point Characters for Instance and Action are:
+ *a-zA-Z0-9,.()\_-=%*
+ For Instance, you may declare a multi-dimensional key with : (colon) separator, example:
+
+Ask for a Consultation on how these are typically used, or, if your tool is the only Enforcement Point, if set may be expanded
+
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| Entity | Method | Path Info | Description |
++====================+====================+====================+===================================================+
+| PERMISSION | POST | /authz/perm | Create a Permission |
+| | | | Permission consists of: |
+| | | | - type - a Namespace qualified identifier |
+| | | | specifying what kind of resource is being |
+| | | | protected |
+| | | | - instance - a key, possibly multi-dimensional |
+| | | | that identifies a specific instance of the |
+| | | | type |
+| | | | - action - what kind of action is allowed |
+| | | | Note: instance and action can be an \* |
+| | | | Expected HTTP Code |
+| | | | 201 |
+| | | | Explicit HTTP Error Codes |
+| | | | 403, 404, 406, 409 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | PUT | /authz/perm | Set Description for Permission |
+| | | | Add Description Data to Perm |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | DELETE | /authz/perm | Delete a Permission |
+| | | | Delete the Permission referenced by PermKey. |
+| | | | You cannot normally delete a permission which |
+| | | | is still granted to roles, however the |
+| | | | "force" property allows you to do just that. To |
+| | | | do this: Add |
+| | | | 'force=true' as a query parameter. |
+| | | | **WARNING**: Using force will ungrant this |
+| | | | permission from all roles. Use with care. |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | DELETE | /authz/perm/:name/ | Delete a Permission |
+| | | :type/:action | Delete the Permission referenced by :type |
+| | | | :instance: action |
+| | | | You cannot normally delete a permission which |
+| | | | is still granted to roles, however the |
+| | | | "force" property allows you to do |
+| | | | just that. To do this: Add 'force=true' as a |
+| | | | query parameter |
+| | | | |
+| | | | WARNING: Using force will ungrant this permission |
+| | | | from all roles. Use with care. |
+| | | | --------------------------------------------------|
+| | | | Parameters |
+| | | | type : string (Required) |
+| | | | instance : string (Required) |
+| | | | action : string (Required) |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | PUT | /authz/perm/:type/ | Update a Permission |
+| | | :instance/:action | Rename the Permission referenced |
+| | | | by :type :instance :action, and rename |
+| | | | (copy/delete) to the Permission described in |
+| | | | PermRequest |
+| | | | --------------------------------------------------|
+| | | | Parameters |
+| | | | type : string (Required) |
+| | | | instance : string (Required) |
+| | | | action : string (Required) |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 ,409 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | GET | /authz/perms/:type | Get Permissions by Type |
+| | | | |
+| | | | List All Permissions that match the :type |
+| | | | element of the key |
+| | | | --------------------------------------------------|
+| | | | Parameters |
+| | | | type : string (Required) |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | GET | /authz/perms/:type | Get Permissions by Key |
+| | | /:instance/:action | List Permissions that match key; |
+| | | | :type, :instance and :action |
+| | | | --------------------------------------------------|
+| | | | Parameters |
+| | | | type : string (Required) |
+| | | | instance : string (Required) |
+| | | | action : string (Required) |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | GET | /authz/perms/ns/:n | Get PermsByNS |
+| | | s | List All Permissions that are in Namespace :ns |
+| | | | --------------------------------------------------|
+| | | | Parameters |
+| | | | type : ns (Required) |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | GET | /authz/perms/role/ | Get Permissions by Role |
+| | | :role | List All Permissions that are granted to :role |
+| | | | --------------------------------------------------|
+| | | | Parameters |
+| | | | role : string (Required) |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | POST | /authz/perms/user/ | Get Permissions by User, Query AAF Perms |
+| | | :user | |
+| | | | List All Permissions that match user :user |
+| | | | |
+| | | | 'user' must be expressed as full |
+| | | | identity (ex: id@full.domain.com) |
+| | | | Present Queries as one or more Permissions (see |
+| | | | ContentType Links below for format). If the |
+| | | | Caller is Granted this specific Permission, and |
+| | | | the Permission is valid for the User, it will be |
+| | | | included in response permissions,along with all |
+| | | | the normal permissions on the 'GET' version of |
+| | | | this call. If it is not valid,or caller does not |
+| | | | permission to see, it will be removed from the |
+| | | | list. |
+| | | | **Note**: This design allows you to make one |
+| | | | call for all expected permissions |
+| | | | |
+| | | | The permission to be included MUST be: |
+| | | | .access\|:[:key]\| |
+| | | | |
+| | | | examples: |
+| | | | |
+| | | | com.att.myns.access|:ns|write |
+| | | | com.att.myns.access\|:role:myrole\|create |
+| | | | com.att.myns.access\|:perm:mytype:myinstance: |
+| | | | myaction\|read |
+| | | | --------------------------------------------------|
+| | | | Parameters |
+| | | | user:string(Required) |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | GET | /authz/perms/user/ | Get Permissions by User |
+| | | :user | |
+| | | | List All Permissions that match user :user |
+| | | | 'user' must be expressed as full |
+| | | | identity (ex:id@full.domain.com) |
+| | | | --------------------------------------------------|
+| | | | Parameters |
+| | | | user:string(Required) |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| ROLE | POST | /authz/role | Create Role |
+| | | | |
+| | | | Roles are part of Namespaces |
+| | | | Examples: |
+| | | | - com.att.aaf |
+| | | | - The team that created andmaintains AAF |
+| | | | |
+| | | | Roles do not include implied permissions for an |
+| | | | App. Instead, they contain explicit Granted |
+| | | | Permissions by any Namespace in AAF |
+| | | | Restrictions on Role Names: |
+| | | | - Must start with valid Namespace name, |
+| | | | terminated by .(dot/period) |
+| | | | - Allowed Characters are a-zA-Z0-9._- |
+| | | | - role names are Case Sensitive |
+| | | | |
+| | | | Expected HTTP Code |
+| | | | 201 |
+| | | | Explicit HTTP Error Codes |
+| | | | 403, 404, 406, 409 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
+| | PUT | /authz/role | Set Description for role |
+| | | | Add Description Data to a Role |
+| | | | Expected HTTP Code |
+| | | | 200 |
+| | | | Explicit HTTP Error Codes |
+| | | | 404, 406 |
++--------------------+--------------------+--------------------+---------------------------------------------------+
-=================\r
-Connecting to AAF\r
-=================\r
-\r
-Methods to Connect\r
-==================\r
-\r
-- If you are a Servlet in a Container, use CADI Framework with AAF Plugin. It's very easy, and includes BasicAuth for Services. \r
-- Java Technologies\r
-- Technologies using Servlet Filters\r
-- DME2 (and other Servlet Containers) can use Servlet Filters\r
-- Any WebApp can plug in CADI as a Servlet Filter\r
-- Jetty can attach a Servlet Filter with Code, or as WebApp\r
-- Tomcat 7 has a "Valve" plugin, which is similar and supported\r
-- Use the AAFLur Code directly (shown)\r
-- All Java Technologies utilize Configuration to set what Security elements are required\r
-- example: Global Login can be turned on/off, AAF Client needs information to connect to AAF Service\r
-- There are several specialty cases, which AAF can work with, including embedding all properties in a Web.xml, but the essentials needed are:\r
-- CADI Jars\r
-- cadi.properties file (configured the same for all technologies)\r
-- Encrypt passwords with included CADI technology, so that there are no Clear Text Passwords in Config Files (ASPR)\r
-- See CADI Deployment on how to perform this with several different technologies.\r
-- AAF Restfully (see RESTFul APIS)\r
-\r
-IMPORTANT: If Direct RESTFul API is used, then it is the Client's responsibility to Cache and avoid making an AAF Service Calls too often\r
-Example: A Tool like Cassandra will ask for Authentication hundreds of times a second for the same identity during a transaction. Calling the AAF Service for each would be slow for the client, and wasteful of Network and AAF Service Capacities. \r
-Rogue Clients can and will be denied access to AAF.\r
-\r
-\r
-J2EE (Servlet Filter) Method\r
-============================\r
-\r
-1. Per J2EE design, the Filter will deny any unauthenticated HTTP/S call; the Servlet will not even be invoked.\r
-a. Therefore, the Servlet can depend on any transaction making it to their code set is Authenticated.\r
-b. Identity can be viewed based on the HttpServletRequest Object (request.getUserPrincipal() )\r
-2. Per J2EE design, AAF Filter overloads the HttpServletRequest for a String related to "Role". (request.isUserInRole("...") )\r
-a. For AAF, do not put in "Role", but the three parts of requested "Permission", separated by "|", i.e. "org.onap.aaf.myapp.myperm|myInstance|myAction".\r
-3. NOT REQUIRED: An added benefit, but not required, is a JASPI like interface, where you can add an Annotation to your Servlet. \r
-a. When used, no transaction will come into your code if the listed Permissions are not Granted to the Incoming Transaction. \r
-b. This might be helpful for covering separate Management Servlet implementations.\r
-\r
-\r
-\r
-Servlet Code Snippet\r
-=========================\r
-\r
- .. code:: bash\r
- \r
- public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {\r
- HttpServletRequest request;\r
- try {\r
- request = (HttpServletRequest)req;\r
- } catch (ClassCastException e) {\r
- throw new ServletException("Only serving HTTP today",e);\r
- }\r
- \r
- // Note: CADI is OVERLOADING the concept of "isUserInRole".. You need to think "doesUserHavePermssion()"\r
- // Assume that you have CREATED and GRANTED An AAF Permission in YOUR Namespace\r
- // Example Permission: "org.onap.aaf.myapp.myPerm * write"\r
- \r
- // Think in your head, "Does user have write permission on any instance of org.onap.aaf.myapp.myPerm\r
- if(request.isUserInRole("org.onap.aaf.myapp.myPerm|*|write")) { \r
- // *** Do something here that someone with "myPerm write" permissions is allowed to do\r
- } else {\r
- // *** Do something reasonable if user is denied, like an Error Message\r
- }\r
- \r
- }\r
-\r
-Here is a working TestServlet, where you can play with different Permissions that you own on the URL, i.e.:\r
-https://<your machine:port>/caditest/testme?PERM=org.onap.aaf.myapp.myPerm|*|write\r
-\r
-Sample Servlet (Working example)\r
-================================\r
-\r
- .. code:: bash\r
- \r
- package org.onap.aaf.cadi.debug;\r
- import java.io.FileInputStream;\r
- import java.io.IOException;\r
- import java.net.InetAddress;\r
- import java.net.UnknownHostException;\r
- import java.util.HashMap;\r
- import java.util.Map;\r
- import java.util.Map.Entry;\r
- import java.util.Properties;\r
- import javax.servlet.Servlet;\r
- import javax.servlet.ServletConfig;\r
- import javax.servlet.ServletException;\r
- import javax.servlet.ServletRequest;\r
- import javax.servlet.ServletResponse;\r
- import javax.servlet.http.HttpServletRequest;\r
- import org.eclipse.jetty.server.Server;\r
- import org.eclipse.jetty.server.ServerConnector;\r
- import org.eclipse.jetty.server.handler.ContextHandler;\r
- import org.eclipse.jetty.servlet.FilterHolder;\r
- import org.eclipse.jetty.servlet.FilterMapping;\r
- import org.eclipse.jetty.servlet.ServletContextHandler;\r
- import org.eclipse.jetty.servlet.ServletHandler;\r
- import org.onap.aaf.cadi.filter.CadiFilter;\r
- import org.onap.aaf.cadi.filter.RolesAllowed;\r
- import org.onap.aaf.cadi.jetty.MiniJASPIWrap;\r
- \r
- public class CSPServletTest {\r
- public static void main(String[] args) {\r
- // Go ahead and print Test reports in cadi-core first\r
- Test.main(args);\r
- String hostname=null;\r
- try {\r
- hostname = InetAddress.getLocalHost().getHostName();\r
- } catch (UnknownHostException e) {\r
- e.printStackTrace();\r
- System.exit(1);\r
- }\r
- Properties props = new Properties();\r
- Map<String,String> map = new HashMap<String,String>();\r
- try {\r
- FileInputStream fis = new FileInputStream("run/cadi.properties");\r
- try {\r
- props.load(fis);\r
- String key,value;\r
- for( Entry<Object, Object> es : props.entrySet()) {\r
- key = es.getKey().toString();\r
- value = es.getValue().toString();\r
- map.put(key,value);\r
- if(key.startsWith("AFT_") || key.startsWith("DME2")) {\r
- System.setProperty(key,value);\r
- }\r
- }\r
- } finally {\r
- fis.close();\r
- }\r
- } catch(IOException e) {\r
- System.err.println("Cannot load run/cadi.properties");\r
- System.exit(1);\r
- }\r
- String portStr = System.getProperty("port");\r
- int port = portStr==null?8080:Integer.parseInt(portStr);\r
- try {\r
- // Add ServletHolder(s) and Filter(s) to a ServletHandler\r
- ServletHandler shand = new ServletHandler();\r
- \r
- FilterHolder cfh = new FilterHolder(CadiFilter.class);\r
- cfh.setInitParameters(map);\r
- \r
- shand.addFilterWithMapping(cfh, "/*", FilterMapping.ALL);\r
- shand.addServletWithMapping(new MiniJASPIWrap(MyServlet.class),"/*");\r
- // call initialize after start\r
- \r
- ContextHandler ch = new ServletContextHandler();\r
- ch.setContextPath("/caditest");\r
- ch.setHandler(shand);\r
- for( Entry<Object,Object> es : props.entrySet()) {\r
- ch.getInitParams().put(es.getKey().toString(), es.getValue().toString());\r
- }\r
- //ch.setErrorHandler(new MyErrorHandler());\r
- \r
- // Create Server and Add Context Handler\r
- final Server server = new Server();\r
- ServerConnector http = new ServerConnector(server);\r
- http.setPort(port);\r
- server.addConnector(http);\r
- server.setHandler(ch);\r
- \r
- // Start\r
- server.start();\r
- shand.initialize();\r
- \r
- System.out.println("To test, put http://"+ hostname + ':' + port + "/caditest/testme in a browser or 'curl'");\r
- // if we were really a server, we'd block the main thread with this join...\r
- // server.join();\r
- // But... since we're a test service, we'll block on StdIn\r
- System.out.println("Press <Return> to end service...");\r
- System.in.read();\r
- server.stop();\r
- System.out.println("All done, have a good day!");\r
- } catch (Exception e) {\r
- e.printStackTrace();\r
- System.exit(1);\r
- }\r
- }\r
- @RolesAllowed({"org.onap.aaf.myapp.myPerm|myInstance|myAction"})\r
- public static class MyServlet implements Servlet {\r
- private ServletConfig servletConfig;\r
- \r
- public void init(ServletConfig config) throws ServletException {\r
- servletConfig = config;\r
- }\r
- \r
- public ServletConfig getServletConfig() {\r
- return servletConfig;\r
- }\r
- \r
- public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {\r
- HttpServletRequest request;\r
- try {\r
- request = (HttpServletRequest)req;\r
- } catch (ClassCastException e) {\r
- throw new ServletException("Only serving HTTP today",e);\r
- }\r
- \r
- res.getOutputStream().print("<html><header><title>CSP Servlet Test</title></header><body><h1>You're good to go!</h1><pre>" +\r
- request.getUserPrincipal());\r
- \r
- String perm = request.getParameter("PERM");\r
- if(perm!=null)\r
- if(request.isUserInRole(perm)) {\r
- if(perm.indexOf('|')<0) \r
- res.getOutputStream().print("\nCongrats!, You are in Role " + perm);\r
- else\r
- res.getOutputStream().print("\nCongrats!, You have Permission " + perm);\r
- } else {\r
- if(perm.indexOf('|')<0) \r
- res.getOutputStream().print("\nSorry, you are NOT in Role " + perm);\r
- else\r
- res.getOutputStream().print("\nSorry, you do NOT have Permission " + perm);\r
- }\r
- \r
- res.getOutputStream().print("</pre></body></html>");\r
- \r
- }\r
- \r
- public String getServletInfo() {\r
- return "MyServlet";\r
- }\r
- \r
- public void destroy() {\r
- }\r
- }\r
- }\r
- \r
-Java Direct (AAFLur) Method\r
-===========================\r
-The AAFLur is the exact component used within all the Plugins mentioned above. It is written so that it can be called standalone as well, see the Example as follows\r
-package org.onap.aaf.example;\r
-\r
- .. code:: bash\r
- \r
- import java.util.ArrayList;\r
- import java.util.List;\r
- import java.util.Properties;\r
-\r
- import org.onap.aaf.cadi.Access;\r
- import org.onap.aaf.cadi.Permission;\r
- import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;\r
- import org.onap.aaf.cadi.aaf.v2_0.AAFCon;\r
- import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;\r
- import org.onap.aaf.cadi.config.Config;\r
- import org.onap.aaf.cadi.lur.aaf.AAFPermission;\r
- import org.onap.aaf.cadi.lur.aaf.test.TestAccess;\r
-\r
- public class ExamplePerm2_0 {\r
- public static void main(String args[]) {\r
- // Normally, these should be set in environment. Setting here for clarity\r
- Properties props = System.getProperties();\r
- props.setProperty("AFT_LATITUDE", "32.780140");\r
- props.setProperty("AFT_LONGITUDE", "-96.800451");\r
- props.setProperty("AFT_ENVIRONMENT", "AFTUAT");\r
- props.setProperty(Config.AAF_URL,\r
- "https://DME2RESOLVE/service=org.onap.aaf.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE"\r
- );\r
- props.setProperty(Config.AAF_USER_EXPIRES,Integer.toString(5*60000)); // 5 minutes for found items to live in cache\r
- props.setProperty(Config.AAF_HIGH_COUNT,Integer.toString(400)); // Maximum number of items in Cache);\r
- props.setProperty(Config.CADI_KEYFILE,"keyfile"); //Note: Be sure to generate with java -jar <cadi_path>/lib/cadi-core*.jar keygen keyfile\r
- // props.setProperty("DME2_EP_REGISTRY_CLASS","DME2FS");\r
- // props.setProperty("AFT_DME2_EP_REGISTRY_FS_DIR","../../authz/dme2reg");\r
-\r
- \r
- // Link or reuse to your Logging mechanism\r
- Access myAccess = new TestAccess(); // \r
- \r
- // \r
- try {\r
- AAFCon<?> con = new AAFConDME2(myAccess);\r
- \r
- // AAFLur has pool of DME clients as needed, and Caches Client lookups\r
- AAFLurPerm aafLur = con.newLur();\r
- // Note: If you need both Authn and Authz construct the following:\r
- AAFAuthn<?> aafAuthn = con.newAuthn(aafLur);\r
-\r
- // Do not set Mech ID until after you construct AAFAuthn,\r
- // because we initiate "401" info to determine the Realm of \r
- // of the service we're after.\r
- con.basicAuth("xxxx@aaf.abc.com", "XXXXXX");\r
-\r
- try {\r
- \r
- // Normally, you obtain Principal from Authentication System.\r
- // For J2EE, you can ask the HttpServletRequest for getUserPrincipal()\r
- // If you use CADI as Authenticator, it will get you these Principals from\r
- // CSP or BasicAuth mechanisms.\r
- String id = "xxxx@aaf.abc.com"; //"cluster_admin@gridcore.abc.com";\r
-\r
- // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason.\r
- String ok = aafAuthn.validate(id, "XXXXXX");\r
- if(ok!=null)System.out.println(ok);\r
- \r
- ok = aafAuthn.validate(id, "wrongPass");\r
- if(ok!=null)System.out.println(ok);\r
-\r
-\r
- // AAF Style permissions are in the form\r
- // Type, Instance, Action \r
- AAFPermission perm = new AAFPermission("org.onap.aaf.grid.core.coh",":dev_cluster", "WRITE");\r
- \r
- // Now you can ask the LUR (Local Representative of the User Repository about Authorization\r
- // With CADI, in J2EE, you can call isUserInRole("org.onap.aaf.mygroup|mytype|write") on the Request Object \r
- // instead of creating your own LUR\r
- System.out.println("Does " + id + " have " + perm);\r
- if(aafLur.fish(id, perm)) {\r
- System.out.println("Yes, you have permission");\r
- } else {\r
- System.out.println("No, you don't have permission");\r
- }\r
-\r
- System.out.println("Does Bogus have " + perm);\r
- if(aafLur.fish("Bogus", perm)) {\r
- System.out.println("Yes, you have permission");\r
- } else {\r
- System.out.println("No, you don't have permission");\r
- }\r
-\r
- // Or you can all for all the Permissions available\r
- List<Permission> perms = new ArrayList<Permission>();\r
- \r
- aafLur.fishAll(id,perms);\r
- for(Permission prm : perms) {\r
- System.out.println(prm.getKey());\r
- }\r
- \r
- // It might be helpful in some cases to clear the User's identity from the Cache\r
- aafLur.remove(id);\r
- } finally {\r
- aafLur.destroy();\r
- }\r
- } catch (Exception e) {\r
- e.printStackTrace();\r
- }\r
-\r
- }\r
- }\r
-\r
-There are two current AAF Lurs which you can utilize:\r
-- Org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm is the default, and will fish based on the Three-fold "Permission" standard in AAF\r
-To run this code, you will need from a SWM deployment (org.onap.aaf.cadi:cadi, then soft link to jars needed):\r
-- cadi-core-<version>.jar\r
-- cadi-aaf-<version>-full.jar\r
- or by Maven\r
-<dependency>\r
-<groupId>org.onap.aaf.cadi</groupId>\r
-<artifactId>cadi-aaf</artifactId>\r
-<version>THE_LATEST_VERSION</version>\r
-<classifier>full</classifier> \r
-</dependency>\r
- If you need the Java Client definitions only, \r
- \r
- Also needed are the DME2 Client libraries:\r
-- dme2-<version>.jar\r
-- discovery-clt-<version>.jar\r
-\r
+=================
+Connecting to AAF
+=================
+
+Methods to Connect
+==================
+
+- If you are a Servlet in a Container, use CADI Framework with AAF Plugin. It's very easy, and includes BasicAuth for Services.
+- Java Technologies
+- Technologies using Servlet Filters
+- DME2 (and other Servlet Containers) can use Servlet Filters
+- Any WebApp can plug in CADI as a Servlet Filter
+- Jetty can attach a Servlet Filter with Code, or as WebApp
+- Tomcat 7 has a "Valve" plugin, which is similar and supported
+- Use the AAFLur Code directly (shown)
+- All Java Technologies utilize Configuration to set what Security elements are required
+- example: Global Login can be turned on/off, AAF Client needs information to connect to AAF Service
+- There are several specialty cases, which AAF can work with, including embedding all properties in a Web.xml, but the essentials needed are:
+- CADI Jars
+- cadi.properties file (configured the same for all technologies)
+- Encrypt passwords with included CADI technology, so that there are no Clear Text Passwords in Config Files (ASPR)
+- See CADI Deployment on how to perform this with several different technologies.
+- AAF Restfully (see RESTFul APIS)
+
+IMPORTANT: If Direct RESTFul API is used, then it is the Client's responsibility to Cache and avoid making an AAF Service Calls too often
+Example: A Tool like Cassandra will ask for Authentication hundreds of times a second for the same identity during a transaction. Calling the AAF Service for each would be slow for the client, and wasteful of Network and AAF Service Capacities.
+Rogue Clients can and will be denied access to AAF.
+
+
+J2EE (Servlet Filter) Method
+============================
+
+1. Per J2EE design, the Filter will deny any unauthenticated HTTP/S call; the Servlet will not even be invoked.
+a. Therefore, the Servlet can depend on any transaction making it to their code set is Authenticated.
+b. Identity can be viewed based on the HttpServletRequest Object (request.getUserPrincipal() )
+2. Per J2EE design, AAF Filter overloads the HttpServletRequest for a String related to "Role". (request.isUserInRole("...") )
+a. For AAF, do not put in "Role", but the three parts of requested "Permission", separated by "|", i.e. "org.onap.aaf.myapp.myperm|myInstance|myAction".
+3. NOT REQUIRED: An added benefit, but not required, is a JASPI like interface, where you can add an Annotation to your Servlet.
+a. When used, no transaction will come into your code if the listed Permissions are not Granted to the Incoming Transaction.
+b. This might be helpful for covering separate Management Servlet implementations.
+
+
+
+Servlet Code Snippet
+=========================
+
+ .. code:: bash
+
+ public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+ HttpServletRequest request;
+ try {
+ request = (HttpServletRequest)req;
+ } catch (ClassCastException e) {
+ throw new ServletException("Only serving HTTP today",e);
+ }
+
+ // Note: CADI is OVERLOADING the concept of "isUserInRole".. You need to think "doesUserHavePermssion()"
+ // Assume that you have CREATED and GRANTED An AAF Permission in YOUR Namespace
+ // Example Permission: "org.onap.aaf.myapp.myPerm * write"
+
+ // Think in your head, "Does user have write permission on any instance of org.onap.aaf.myapp.myPerm
+ if(request.isUserInRole("org.onap.aaf.myapp.myPerm|*|write")) {
+ // *** Do something here that someone with "myPerm write" permissions is allowed to do ***
+ } else {
+ // *** Do something reasonable if user is denied, like an Error Message ***
+ }
+
+ }
+
+Here is a working TestServlet, where you can play with different Permissions that you own on the URL, i.e.:
+https://<your machine:port>/caditest/testme?PERM=org.onap.aaf.myapp.myPerm|*|write
+
+Sample Servlet (Working example)
+================================
+
+ .. code:: java
+
+ package org.onap.aaf.cadi.debug;
+ import java.io.FileInputStream;
+ import java.io.IOException;
+ import java.net.InetAddress;
+ import java.net.UnknownHostException;
+ import java.util.HashMap;
+ import java.util.Map;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+ import javax.servlet.Servlet;
+ import javax.servlet.ServletConfig;
+ import javax.servlet.ServletException;
+ import javax.servlet.ServletRequest;
+ import javax.servlet.ServletResponse;
+ import javax.servlet.http.HttpServletRequest;
+ import org.eclipse.jetty.server.Server;
+ import org.eclipse.jetty.server.ServerConnector;
+ import org.eclipse.jetty.server.handler.ContextHandler;
+ import org.eclipse.jetty.servlet.FilterHolder;
+ import org.eclipse.jetty.servlet.FilterMapping;
+ import org.eclipse.jetty.servlet.ServletContextHandler;
+ import org.eclipse.jetty.servlet.ServletHandler;
+ import org.onap.aaf.cadi.filter.CadiFilter;
+ import org.onap.aaf.cadi.filter.RolesAllowed;
+ import org.onap.aaf.cadi.jetty.MiniJASPIWrap;
+
+ public class CSPServletTest {
+ public static void main(String[] args) {
+ // Go ahead and print Test reports in cadi-core first
+ Test.main(args);
+ String hostname=null;
+ try {
+ hostname = InetAddress.getLocalHost().getHostName();
+ } catch (UnknownHostException e) {
+ e.printStackTrace();
+ System.exit(1);
+ }
+ Properties props = new Properties();
+ Map<String,String> map = new HashMap<String,String>();
+ try {
+ FileInputStream fis = new FileInputStream("run/cadi.properties");
+ try {
+ props.load(fis);
+ String key,value;
+ for( Entry<Object, Object> es : props.entrySet()) {
+ key = es.getKey().toString();
+ value = es.getValue().toString();
+ map.put(key,value);
+ if(key.startsWith("AFT_") || key.startsWith("DME2")) {
+ System.setProperty(key,value);
+ }
+ }
+ } finally {
+ fis.close();
+ }
+ } catch(IOException e) {
+ System.err.println("Cannot load run/cadi.properties");
+ System.exit(1);
+ }
+ String portStr = System.getProperty("port");
+ int port = portStr==null?8080:Integer.parseInt(portStr);
+ try {
+ // Add ServletHolder(s) and Filter(s) to a ServletHandler
+ ServletHandler shand = new ServletHandler();
+
+ FilterHolder cfh = new FilterHolder(CadiFilter.class);
+ cfh.setInitParameters(map);
+
+ shand.addFilterWithMapping(cfh, "/*", FilterMapping.ALL);
+ shand.addServletWithMapping(new MiniJASPIWrap(MyServlet.class),"/*");
+ // call initialize after start
+
+ ContextHandler ch = new ServletContextHandler();
+ ch.setContextPath("/caditest");
+ ch.setHandler(shand);
+ for( Entry<Object,Object> es : props.entrySet()) {
+ ch.getInitParams().put(es.getKey().toString(), es.getValue().toString());
+ }
+ //ch.setErrorHandler(new MyErrorHandler());
+
+ // Create Server and Add Context Handler
+ final Server server = new Server();
+ ServerConnector http = new ServerConnector(server);
+ http.setPort(port);
+ server.addConnector(http);
+ server.setHandler(ch);
+
+ // Start
+ server.start();
+ shand.initialize();
+
+ System.out.println("To test, put http://"+ hostname + ':' + port + "/caditest/testme in a browser or 'curl'");
+ // if we were really a server, we'd block the main thread with this join...
+ // server.join();
+ // But... since we're a test service, we'll block on StdIn
+ System.out.println("Press <Return> to end service...");
+ System.in.read();
+ server.stop();
+ System.out.println("All done, have a good day!");
+ } catch (Exception e) {
+ e.printStackTrace();
+ System.exit(1);
+ }
+ }
+ @RolesAllowed({"org.onap.aaf.myapp.myPerm|myInstance|myAction"})
+ public static class MyServlet implements Servlet {
+ private ServletConfig servletConfig;
+
+ public void init(ServletConfig config) throws ServletException {
+ servletConfig = config;
+ }
+
+ public ServletConfig getServletConfig() {
+ return servletConfig;
+ }
+
+ public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+ HttpServletRequest request;
+ try {
+ request = (HttpServletRequest)req;
+ } catch (ClassCastException e) {
+ throw new ServletException("Only serving HTTP today",e);
+ }
+
+ res.getOutputStream().print("<html><header><title>CSP Servlet Test</title></header><body><h1>You're good to go!</h1><pre>" +
+ request.getUserPrincipal());
+
+ String perm = request.getParameter("PERM");
+ if(perm!=null)
+ if(request.isUserInRole(perm)) {
+ if(perm.indexOf('|')<0)
+ res.getOutputStream().print("\nCongrats!, You are in Role " + perm);
+ else
+ res.getOutputStream().print("\nCongrats!, You have Permission " + perm);
+ } else {
+ if(perm.indexOf('|')<0)
+ res.getOutputStream().print("\nSorry, you are NOT in Role " + perm);
+ else
+ res.getOutputStream().print("\nSorry, you do NOT have Permission " + perm);
+ }
+
+ res.getOutputStream().print("</pre></body></html>");
+
+ }
+
+ public String getServletInfo() {
+ return "MyServlet";
+ }
+
+ public void destroy() {
+ }
+ }
+ }
+
+Java Direct (AAFLur) Method
+===========================
+The AAFLur is the exact component used within all the Plugins mentioned above. It is written so that it can be called standalone as well, see the Example as follows
+package org.onap.aaf.example;
+
+ .. code:: bash
+
+ import java.util.ArrayList;
+ import java.util.List;
+ import java.util.Properties;
+
+ import org.onap.aaf.cadi.Access;
+ import org.onap.aaf.cadi.Permission;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+ import org.onap.aaf.cadi.config.Config;
+ import org.onap.aaf.cadi.lur.aaf.AAFPermission;
+ import org.onap.aaf.cadi.lur.aaf.test.TestAccess;
+
+ public class ExamplePerm2_0 {
+ public static void main(String args[]) {
+ // Normally, these should be set in environment. Setting here for clarity
+ Properties props = System.getProperties();
+ props.setProperty("AFT_LATITUDE", "32.780140");
+ props.setProperty("AFT_LONGITUDE", "-96.800451");
+ props.setProperty("AFT_ENVIRONMENT", "AFTUAT");
+ props.setProperty(Config.AAF_URL,
+ "https://DME2RESOLVE/service=org.onap.aaf.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE"
+ );
+ props.setProperty(Config.AAF_USER_EXPIRES,Integer.toString(5*60000)); // 5 minutes for found items to live in cache
+ props.setProperty(Config.AAF_HIGH_COUNT,Integer.toString(400)); // Maximum number of items in Cache);
+ props.setProperty(Config.CADI_KEYFILE,"keyfile"); //Note: Be sure to generate with java -jar <cadi_path>/lib/cadi-core*.jar keygen keyfile
+ // props.setProperty("DME2_EP_REGISTRY_CLASS","DME2FS");
+ // props.setProperty("AFT_DME2_EP_REGISTRY_FS_DIR","../../authz/dme2reg");
+
+
+ // Link or reuse to your Logging mechanism
+ Access myAccess = new TestAccess(); //
+
+ //
+ try {
+ AAFCon<?> con = new AAFConDME2(myAccess);
+
+ // AAFLur has pool of DME clients as needed, and Caches Client lookups
+ AAFLurPerm aafLur = con.newLur();
+ // Note: If you need both Authn and Authz construct the following:
+ AAFAuthn<?> aafAuthn = con.newAuthn(aafLur);
+
+ // Do not set Mech ID until after you construct AAFAuthn,
+ // because we initiate "401" info to determine the Realm of
+ // of the service we're after.
+ con.basicAuth("xxxx@aaf.abc.com", "XXXXXX");
+
+ try {
+
+ // Normally, you obtain Principal from Authentication System.
+ // For J2EE, you can ask the HttpServletRequest for getUserPrincipal()
+ // If you use CADI as Authenticator, it will get you these Principals from
+ // CSP or BasicAuth mechanisms.
+ String id = "xxxx@aaf.abc.com"; //"cluster_admin@gridcore.abc.com";
+
+ // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason.
+ String ok = aafAuthn.validate(id, "XXXXXX");
+ if(ok!=null)System.out.println(ok);
+
+ ok = aafAuthn.validate(id, "wrongPass");
+ if(ok!=null)System.out.println(ok);
+
+
+ // AAF Style permissions are in the form
+ // Type, Instance, Action
+ AAFPermission perm = new AAFPermission("org.onap.aaf.grid.core.coh",":dev_cluster", "WRITE");
+
+ // Now you can ask the LUR (Local Representative of the User Repository about Authorization
+ // With CADI, in J2EE, you can call isUserInRole("org.onap.aaf.mygroup|mytype|write") on the Request Object
+ // instead of creating your own LUR
+ System.out.println("Does " + id + " have " + perm);
+ if(aafLur.fish(id, perm)) {
+ System.out.println("Yes, you have permission");
+ } else {
+ System.out.println("No, you don't have permission");
+ }
+
+ System.out.println("Does Bogus have " + perm);
+ if(aafLur.fish("Bogus", perm)) {
+ System.out.println("Yes, you have permission");
+ } else {
+ System.out.println("No, you don't have permission");
+ }
+
+ // Or you can all for all the Permissions available
+ List<Permission> perms = new ArrayList<Permission>();
+
+ aafLur.fishAll(id,perms);
+ for(Permission prm : perms) {
+ System.out.println(prm.getKey());
+ }
+
+ // It might be helpful in some cases to clear the User's identity from the Cache
+ aafLur.remove(id);
+ } finally {
+ aafLur.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ }
+ }
+
+There are two current AAF Lurs which you can utilize:
+- Org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm is the default, and will fish based on the Three-fold "Permission" standard in AAF
+To run this code, you will need from a SWM deployment (org.onap.aaf.cadi:cadi, then soft link to jars needed):
+- cadi-core-<version>.jar
+- cadi-aaf-<version>-full.jar
+or by Maven
+<dependency>
+<groupId>org.onap.aaf.cadi</groupId>
+<artifactId>cadi-aaf</artifactId>
+<version>THE_LATEST_VERSION</version>
+<classifier>full</classifier>
+</dependency>
+If you need the Java Client definitions only,
+
+ Also needed are the DME2 Client libraries:
+- dme2-<version>.jar
+- discovery-clt-<version>.jar