This wiki space contains archival documentation of Project Bamboo, April 2008 - March 2013.
The Protected Resource service enables a Bamboo Person to extend access to resources they own to other Bamboo Persons, groups, or institutions. The information maintained by the Protected Resource service is used by BSP as part of the authorization process for a request.
This page describes the Protected Resource service API, v. 0.9.
To discover the version and other metadata about deployed service code that fulfills this API, please utilize the Service Catalog Service.
The Protected Resource service provides two APIs:
Terms:
${REPOSITORY_ROOT} is http://svn.code.sf.net/p/projectbamboo/code/
n/a
It is assumed in this documentation that no centrally-run instances of the Bamboo Services Platform will be running after the project ends on 31 March 2013. Therefore, base URLs are assumed to be on a developer's machine, localhost. The base URL with a port number assumes that the BSP is running unsecured; the URL without a port number assumes that security is enforced and Apache Web Server is intercepting and redirecting service calls. Please see the page Identity and Access Management - Authentication and Authorization for context, as well as links to installation and configuration instructions for secured instances of BSP.
Note that ONLY services at v0.9 or greater will run properly in a secured instance of the BSP.
Currently available base URLs:
This section of the Service API documentation describes a client application's responsibilities when making requests to secured Web Services hosted on the Bamboo Services Platform (including this service). A secured instance of the Bamboo Services Platform (BSP) implies a significant set of installation and configuration tasks for which the operator of the BSP is responsible. These are described in overview on the wiki page Identity and Access Management - Authentication and Authorization, and in detail on pages linked from that one.

(1) A client must be configured as a Trusted Application if requests are to be treated other than as Anonymous

A client application – whether a web app or a simple testing client such as Firefox Poster or curl – may make requests anonymously or as a "Trusted Application." Only a Trusted Application may assert the identity of a user on behalf of whom the request is made, and the scoped roles to be assigned to that user; Bamboo Services trust such clients to assert the identity and assigned roles only of users who have authenticated in the current session of application activity. (A special-case type of client application, termed Innovation Licensed applications, is trusted to assert the identity of, and the roles assigned to, a fixed set of special-case users without those users having to authenticate in the current session.) Configuration of client applications is described in detail in the wiki page Configure Apache Web Server for Client Auth. It is assumed in #2, below, that this configuration has been performed.

(2) A Trusted client is expected to pass HTTP Request Headers to identify itself and an authenticated user

A client application that is Trusted in the security context of the Bamboo Trust Federation (cf. Identity and Access Management - Authentication and Authorization) must augment each request to a service hosted by a secured instance of the Bamboo Services Platform (BSP) with a set of HTTP headers, as follows:

X-Bamboo-AppID: A UUID that identifies the client research environment, application, tool, or service. This UUID is issued as part of the process of registering a trusted client in the Bamboo Trust Federation, as described in overview on the page Identity and Access Management - Authentication and Authorization and in detail, with respect to physical establishment of trust, on the page Configure Apache Web Server for Client Auth. The value of this header is linked to the X.509 certificate by which the application establishes an SSL connection to the BSP host in the registration process, and a match between this Application ID and the linked X.509 certificate is checked by the BSP on receipt of every request.

[†] The value of X-Bamboo-BPID is set to the identifier for the application itself (X-Bamboo-AppID) when a client application calls the Person Service to create a new Bamboo Person Identifier, or to retrieve the BPId for a user based on the identifier of the IdP with which she has logged in and an SHA-256 hash of that IdP's user identifier for the logged-in person.

[‡] Policies and policy evaluation are described on the page Authorization and Policy. Also see Conventions for representing Identity Providers in the Bamboo Trust Federation.
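The two client categories above (anonymous versus Trusted Application) and the AppID-to-certificate check can be made concrete with a small added illustration. This is example code written for this page, not code from the BSP itself: the registry, the fingerprint scheme (SHA-256 over the DER-encoded client certificate), the certificate bytes and the function names `trusted_headers` and `classify_request` are all assumptions; only the header names X-Bamboo-AppID and X-Bamboo-BPID come from the page.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample: a byte string stands in for the DER-encoded X.509
# certificate a client presented when it was registered. A real BSP would
# use the certificate the TLS layer has already verified on this connection.
APP_ID = "3f2a1d0e-9c7b-4a5e-8d6f-0123456789ab"   # constructed Application ID
APP_CERT_DER = b"constructed-der-bytes-of-the-registered-app-cert"


def cert_fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate (assumed scheme)."""
    return hashlib.sha256(der_bytes).hexdigest()


# Assumed registry populated when a client is registered in the Bamboo Trust
# Federation: Application ID -> fingerprint of the certificate it presented.
TRUSTED_APPS: Dict[str, str] = {APP_ID: cert_fingerprint(APP_CERT_DER)}


def trusted_headers(app_id: str, bpid: Optional[str] = None) -> Dict[str, str]:
    """Headers a Trusted Application adds to each request.

    X-Bamboo-BPID carries the authenticated user's Bamboo Person Identifier;
    per footnote [dagger] above it is set to the Application ID itself when the
    client is calling the Person Service to create or look up a BPId.
    """
    return {"X-Bamboo-AppID": app_id, "X-Bamboo-BPID": bpid or app_id}


def classify_request(headers: Dict[str, str], client_cert_der: Optional[bytes]) -> str:
    """Server-side view of one inbound request: 'anonymous', 'trusted' or 'rejected'.

    Identity and role assertions carried in the headers are only honoured when
    the result is 'trusted'. A mismatch between the AppID and the presented
    certificate is rejected outright (this example's choice) rather than quietly
    downgraded to anonymous, so a misconfigured client shows up as an error.
    """
    app_id = headers.get("X-Bamboo-AppID")
    if app_id is None:
        return "anonymous"            # no identity asserted at all
    if client_cert_der is None:
        return "rejected"             # AppID asserted without a TLS client certificate
    expected = TRUSTED_APPS.get(app_id)
    if expected is None:
        return "rejected"             # AppID was never registered
    if cert_fingerprint(client_cert_der) != expected:
        return "rejected"             # header does not belong to this certificate
    return "trusted"


if __name__ == "__main__":
    hdrs = trusted_headers(APP_ID, "urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418")
    print(classify_request(hdrs, APP_CERT_DER))        # trusted
    print(classify_request(hdrs, b"some-other-cert"))  # rejected
    print(classify_request({}, None))                  # anonymous
```

The page only states that the match between Application ID and certificate is checked on every request; whether a mismatch is refused or treated as anonymous is a deployment decision, and the example picks refusal so that the failure is visible rather than silent.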
A Protected Resource is a resource to which access has been granted by the owner to other Bamboo Persons. Access is determined by the policy applicable to the service by which the resource is being accessed.
The creation of a Protected Resource is usually performed by the service responsible for creating the resource itself (see SOA API). In the event that the service in question did not create the Protected Resource, or in the case where there is no service that is responsible for creating the desired resource (e.g. if the resource is itself a service), an authenticated user can use this method to create a Protected Resource.
Invoked as an HTTP POST method. Send an HTTP request of the form:
POST <url root>/bsp/protectedresources HTTP/1.1
Parameter | Meaning |
---|---|
HTTP Body | An instance of a urn:mace:projectbamboo.org:schema:protected-resource:1.0 ProtectedResource XML document containing valid request data |
POST <url root>/bsp/protectedresources
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<resource:protectedResource
    xmlns:resource="urn:mace:projectbamboo.org:schema:protected-resource:1.0"
    xmlns:request="urn:mace:projectbamboo.org:schema:request:1.0"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <request:resourceId AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <request:resourceIdValue>urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9</request:resourceIdValue>
  </request:resourceId>
  <resource:resourceOwner AttributeId="urn:mace:projectbamboo.org:attribute:1.0:resourceOwner" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <resource:resourceOwnerAttributeValue>urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</resource:resourceOwnerAttributeValue>
  </resource:resourceOwner>
</resource:protectedResource>
```
On success, a response with a "201 Created" HTTP status code will be returned.
Parameter | Meaning |
---|---|
HTTP Header Location | A URL of the form "/bsp/protectedresources/{resourceid}" where "resourceid" is the resource identifier |
Example Location Header:
<url root>/bsp/protectedresources/urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9
If an error occurred, some non-2xx code will be returned. Check the HTTP Status Code that is returned in the response's HTTP headers for the specific error. The following errors may be returned in response to the request:
Error (Status Code) | Meaning | Returned When |
---|---|---|
400 | Bad Request | The XML document was invalid |
401 | Unauthorized | The user is not the owner of the resource |
500 | Internal Server Error | A service error prevented the resource from being returned |
An authenticated user can read a protected resource.
Invoked as an HTTP GET method. Send an HTTPS request of the form:
GET <url root>/bsp/protectedresources/{resourceid} HTTP/1.1
Example:
GET <url root>/bsp/protectedresources/urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9
Response
On success, a response with a "200 OK" HTTP status code will be returned.
Example HTTP Body:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<resource:protectedResource
    xmlns:request="urn:mace:projectbamboo.org:schema:request:1.0"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:foaf="http://xmlns.com/foaf/0.1/"
    xmlns:bsp="http://projectbamboo.org/bsp/resource"
    xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy"
    xmlns:resource="urn:mace:projectbamboo.org:schema:protected-resource:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dcterms:subject/>
  <dcterms:creator xsi:type="dcterms:URI">urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</dcterms:creator>
  <dcterms:created xsi:type="dcterms:W3CDTF">2013-02-22T16:26:12.627-05:00</dcterms:created>
  <bsp:modifier>urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</bsp:modifier>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2013-02-22T16:37:25.564-05:00</dcterms:modified>
  <request:resourceId AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <request:resourceIdValue>urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9</request:resourceIdValue>
  </request:resourceId>
  <resource:resourceOwner AttributeId="urn:mace:projectbamboo.org:attribute:1.0:resourceOwner" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <resource:resourceOwnerAttributeValue>urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</resource:resourceOwnerAttributeValue>
  </resource:resourceOwner>
  <resource:scopedRolesWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-view-access-rights" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
    <resource:roleAttributeValue>student@berkeley.edu</resource:roleAttributeValue>
  </resource:scopedRolesWithViewhAccessRights>
  <resource:scopedRolesWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-update-access-rights" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
    <resource:roleAttributeValue>member@folgerlibrary.org</resource:roleAttributeValue>
  </resource:scopedRolesWithUpdateAccessRights>
  <resource:groupsWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-view-access-rights" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <resource:IsMemberOfAttributeValue>urn:uuid:d67b9bfd-8033-4082-851c-7fa464f552ac</resource:IsMemberOfAttributeValue>
  </resource:groupsWithViewhAccessRights>
  <resource:GroupsWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-update-access-rights" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <resource:IsMemberOfAttributeValue>urn:uuid:51e99f86-844d-4dc7-a4c6-8ae85d38d3ab</resource:IsMemberOfAttributeValue>
  </resource:GroupsWithUpdateAccessRights>
</resource:protectedResource>
```
If an error occurred, some non-2xx code will be returned. Check the HTTP Status Code that is returned in the response's HTTP headers for the specific error. The following errors may be returned in response to the Get request:
Error (Status Code) | Meaning | Returned When |
---|---|---|
404 | Not Found | If the protected resource does not exist |
401 | Unauthorized | The client submitting the request is not a member of the Bamboo Trust Federation group or is not the owner of the protected resource |
500 | Internal Server Error | A service error prevented the resource from being returned |
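The document returned by the read call is what the BSP consults when deciding a request against this resource. The following added example (written for this page, not the BSP's own code) parses such a response into the owner, the scoped roles and the groups that hold view or update rights, then applies an illustrative decision rule over them. The sample document is a reduced copy of the response body above (Dublin Core bookkeeping elements and DataType attributes dropped; element names, including the page's "Viewh" spelling, kept as-is). The dataclass, the function names and the decision rule itself are assumptions; the page states only that access is determined by the policy applicable to the service being accessed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Iterable, Set

RES = "urn:mace:projectbamboo.org:schema:protected-resource:1.0"
REQ = "urn:mace:projectbamboo.org:schema:request:1.0"

# Constructed sample, reduced from the page's GET response body.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<resource:protectedResource
    xmlns:resource="urn:mace:projectbamboo.org:schema:protected-resource:1.0"
    xmlns:request="urn:mace:projectbamboo.org:schema:request:1.0">
  <request:resourceId AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
    <request:resourceIdValue>urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9</request:resourceIdValue>
  </request:resourceId>
  <resource:resourceOwner AttributeId="urn:mace:projectbamboo.org:attribute:1.0:resourceOwner">
    <resource:resourceOwnerAttributeValue>urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</resource:resourceOwnerAttributeValue>
  </resource:resourceOwner>
  <resource:scopedRolesWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-view-access-rights">
    <resource:roleAttributeValue>student@berkeley.edu</resource:roleAttributeValue>
  </resource:scopedRolesWithViewhAccessRights>
  <resource:scopedRolesWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-update-access-rights">
    <resource:roleAttributeValue>member@folgerlibrary.org</resource:roleAttributeValue>
  </resource:scopedRolesWithUpdateAccessRights>
  <resource:groupsWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-view-access-rights">
    <resource:IsMemberOfAttributeValue>urn:uuid:d67b9bfd-8033-4082-851c-7fa464f552ac</resource:IsMemberOfAttributeValue>
  </resource:groupsWithViewhAccessRights>
  <resource:GroupsWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-update-access-rights">
    <resource:IsMemberOfAttributeValue>urn:uuid:51e99f86-844d-4dc7-a4c6-8ae85d38d3ab</resource:IsMemberOfAttributeValue>
  </resource:GroupsWithUpdateAccessRights>
</resource:protectedResource>
"""


@dataclass
class ProtectedResource:
    """Access-relevant content of one protectedResource document (assumed shape)."""
    resource_id: str
    owner: str
    roles_view: Set[str] = field(default_factory=set)     # rfc822Name scoped roles
    roles_update: Set[str] = field(default_factory=set)
    groups_view: Set[str] = field(default_factory=set)    # group identifiers (URIs)
    groups_update: Set[str] = field(default_factory=set)


def _values(root: ET.Element, container: str, child: str) -> Set[str]:
    """Collect the text of every <resource:child> under every <resource:container>."""
    path = f"{{{RES}}}{container}/{{{RES}}}{child}"
    return {e.text.strip() for e in root.findall(path) if e.text and e.text.strip()}


def parse_protected_resource(xml_bytes: bytes) -> ProtectedResource:
    """Parse a protectedResource document; reject one lacking an id or an owner."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{RES}}}protectedResource":
        raise ValueError(f"not a protectedResource document: {root.tag}")
    rid = root.findtext(f"{{{REQ}}}resourceId/{{{REQ}}}resourceIdValue")
    owner = root.findtext(f"{{{RES}}}resourceOwner/{{{RES}}}resourceOwnerAttributeValue")
    if not rid or not owner:
        raise ValueError("protectedResource must carry a resource id and an owner")
    return ProtectedResource(
        resource_id=rid.strip(), owner=owner.strip(),
        roles_view=_values(root, "scopedRolesWithViewhAccessRights", "roleAttributeValue"),
        roles_update=_values(root, "scopedRolesWithUpdateAccessRights", "roleAttributeValue"),
        groups_view=_values(root, "groupsWithViewhAccessRights", "IsMemberOfAttributeValue"),
        groups_update=_values(root, "GroupsWithUpdateAccessRights", "IsMemberOfAttributeValue"),
    )


def is_permitted(res: ProtectedResource, bpid: str, roles: Iterable[str],
                 groups: Iterable[str], action: str) -> bool:
    """Illustrative decision rule (an assumption, not the BSP's policy engine).

    The owner may view and update. Anyone else needs a scoped role or a group
    membership listed for exactly the requested action; update rights do not
    imply view rights here, a real policy may decide otherwise.
    """
    if action not in ("view", "update"):
        raise ValueError(f"unknown action {action!r}")
    if bpid == res.owner:
        return True
    allowed_roles = res.roles_view if action == "view" else res.roles_update
    allowed_groups = res.groups_view if action == "view" else res.groups_update
    return not allowed_roles.isdisjoint(roles) or not allowed_groups.isdisjoint(groups)


if __name__ == "__main__":
    r = parse_protected_resource(SAMPLE_RESPONSE)
    print(is_permitted(r, "urn:uuid:someone-else", ["student@berkeley.edu"], [], "view"))    # True
    print(is_permitted(r, "urn:uuid:someone-else", ["student@berkeley.edu"], [], "update"))  # False
```

Strictness on the parse side matters as much as the rule: a document with no owner is refused rather than treated as ownerless, so a malformed response cannot widen access by accident.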
An authenticated user can update a protected resource.
Invoked as an HTTP PUT method. Send an HTTPS request of the form:
PUT <url root>/bsp/protectedresources/{resourceid} HTTP/1.1
Example:
PUT <url root>/bsp/protectedresources/urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<resource:protectedResource
    xmlns:resource="urn:mace:projectbamboo.org:schema:protected-resource:1.0"
    xmlns:request="urn:mace:projectbamboo.org:schema:request:1.0"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <request:resourceId AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <request:resourceIdValue>urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9</request:resourceIdValue>
  </request:resourceId>
  <resource:scopedRolesWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-view-access-rights" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
    <resource:roleAttributeValue>student@berkeley.edu</resource:roleAttributeValue>
  </resource:scopedRolesWithViewhAccessRights>
  <resource:scopedRolesWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-update-access-rights" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
    <resource:roleAttributeValue>member@folgerlibrary.org</resource:roleAttributeValue>
  </resource:scopedRolesWithUpdateAccessRights>
  <resource:groupsWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-view-access-rights" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <resource:IsMemberOfAttributeValue>urn:uuid:d67b9bfd-8033-4082-851c-7fa464f552ac</resource:IsMemberOfAttributeValue>
  </resource:groupsWithViewhAccessRights>
  <resource:GroupsWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-update-access-rights" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <resource:IsMemberOfAttributeValue>urn:uuid:51e99f86-844d-4dc7-a4c6-8ae85d38d3ab</resource:IsMemberOfAttributeValue>
  </resource:GroupsWithUpdateAccessRights>
</resource:protectedResource>
```
On success, a response with a "200 OK" HTTP status code will be returned.
If an error occurred, some non-2xx code will be returned. Check the HTTP Status Code that is returned in the response's HTTP headers for the specific error. The following errors may be returned in response to the PUT request:
Error (Status Code) | Meaning | Returned When |
---|---|---|
404 | Not Found | If the protected resource does not exist |
401 | Unauthorized | The client submitting the request is not a member of the Bamboo Trust Federation group or is not the owner of the protected resource |
500 | Internal Server Error | A service error prevented the resource from being returned |
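The create (POST) and update (PUT) calls above take the same document shape, differing only in which elements are present: the create body carries the resource id and its owner, the update body carries the resource id and the role and group access lists. The following added example (written for this page, not code from the BSP) serialises either body from plain Python values and extracts the resource identifier from the Location header that the 201 Created response carries. The builder goes beyond the page's two samples in accepting several values per access list; the function names, the empty-list handling and the `RIGHTS_SLOTS` table are assumptions, while the element names, AttributeId values and DataType URIs are taken from the page's samples.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

RES = "urn:mace:projectbamboo.org:schema:protected-resource:1.0"
REQ = "urn:mace:projectbamboo.org:schema:request:1.0"
ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"
RFC822 = "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
ATTR = "urn:mace:projectbamboo.org:attribute:1.0:"
LOCATION_PREFIX = "/bsp/protectedresources/"

ET.register_namespace("resource", RES)
ET.register_namespace("request", REQ)

# (container element, AttributeId suffix, DataType, value element), in the
# order the page's update example lists them; spellings follow the page.
RIGHTS_SLOTS = (
    ("scopedRolesWithViewhAccessRights", "scoped-role-has-view-access-rights", RFC822, "roleAttributeValue"),
    ("scopedRolesWithUpdateAccessRights", "scoped-role-has-update-access-rights", RFC822, "roleAttributeValue"),
    ("groupsWithViewhAccessRights", "group-has-view-access-rights", ANY_URI, "IsMemberOfAttributeValue"),
    ("GroupsWithUpdateAccessRights", "group-has-update-access-rights", ANY_URI, "IsMemberOfAttributeValue"),
)


def build_protected_resource(resource_id: str, owner: Optional[str] = None,
                             roles_view: Iterable[str] = (), roles_update: Iterable[str] = (),
                             groups_view: Iterable[str] = (), groups_update: Iterable[str] = ()) -> bytes:
    """Serialise a protectedResource body as UTF-8 XML with a declaration.

    Give owner for a create (POST) body; leave it None and pass the access
    lists for an update (PUT) body. Empty lists are omitted from the document,
    as the page's create example omits them (an assumption about the schema).
    """
    if not resource_id:
        raise ValueError("resource_id is required")
    root = ET.Element(f"{{{RES}}}protectedResource")
    rid = ET.SubElement(root, f"{{{REQ}}}resourceId",
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                        DataType=ANY_URI)
    ET.SubElement(rid, f"{{{REQ}}}resourceIdValue").text = resource_id
    if owner is not None:
        own = ET.SubElement(root, f"{{{RES}}}resourceOwner",
                            AttributeId=ATTR + "resourceOwner", DataType=ANY_URI)
        ET.SubElement(own, f"{{{RES}}}resourceOwnerAttributeValue").text = owner
    lists = (roles_view, roles_update, groups_view, groups_update)
    for (container, suffix, dtype, child), values in zip(RIGHTS_SLOTS, lists):
        values = list(values)
        if not values:
            continue
        el = ET.SubElement(root, f"{{{RES}}}{container}",
                           AttributeId=ATTR + suffix, DataType=dtype)
        for v in values:
            ET.SubElement(el, f"{{{RES}}}{child}").text = v
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def count_access_entries(xml_bytes: bytes) -> Tuple[int, ...]:
    """Re-read a body and count the values in each of the four access lists."""
    root = ET.fromstring(xml_bytes)
    return tuple(len(root.findall(f"{{{RES}}}{c}/{{{RES}}}{child}"))
                 for c, _, _, child in RIGHTS_SLOTS)


def resource_id_from_location(location: str) -> str:
    """Extract {resourceid} from a 201 Created Location header (absolute URL or path)."""
    path = urlsplit(location).path
    if not path.startswith(LOCATION_PREFIX) or len(path) == len(LOCATION_PREFIX):
        raise ValueError(f"unexpected Location header: {location!r}")
    return path[len(LOCATION_PREFIX):]


if __name__ == "__main__":
    rid = "urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9"
    print(build_protected_resource(rid, owner="urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418").decode())
    print(build_protected_resource(rid, roles_view=["student@berkeley.edu"],
                                   groups_update=["urn:uuid:51e99f86-844d-4dc7-a4c6-8ae85d38d3ab"]).decode())
    print(resource_id_from_location("http://localhost:8080" + LOCATION_PREFIX + rid))
```

Because the resource identifier is itself a URN with colons, the Location header is split with `urlsplit` and matched on its path rather than on the raw string, which works whether the server returns the path form shown in the response table or a full URL as in the example header.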
Also see generated Javadoc for this service. Packages are org.projectbamboo.bsp.services.utility.protectedresource.*.
```java
/**
 * Indicates that the existing resource can have attributes that can be used
 * during access authorization.
 *
 * @param resourceId the unique identifier for the resource
 * @param owner      unique identifier for the Bamboo Person who owns the resource
 *
 * @throws IllegalArgumentException if the owner is anonymous
 */
void protectResource(URI resourceId, URI owner);

/**
 * Creates a <tt>ProtectedResource</tt>.
 *
 * @param resource the <tt>ProtectedResource</tt> to create
 *
 * @return the <tt>URI</tt> of the created resource
 */
URI create(ProtectedResource resource);

/**
 * Returns a <tt>ProtectedResource</tt>.
 *
 * @param resourceId the Protected-Resource's identifier
 *
 * @return the <tt>ProtectedResource</tt>
 *
 * @throws FileNotFoundException if the resource does not exist
 */
ProtectedResource read(URI resourceId) throws FileNotFoundException;

/**
 * Updates a <tt>ProtectedResource</tt>.
 *
 * @param resource the <tt>ProtectedResource</tt> to update
 *
 * @throws FileNotFoundException if the resource does not exist
 */
void update(ProtectedResource resource) throws FileNotFoundException;

/**
 * Deletes a <tt>ProtectedResource</tt>.
 *
 * @param resourceId the Protected-Resource's identifier
 *
 * @throws FileNotFoundException if the resource does not exist
 */
void delete(URI resourceId) throws FileNotFoundException;
```