Zoltan Tarcsay edited this page Oct 10, 2015 · 14 revisions

Classes

- Shield
- CookieShield
- OAuth2Shield
- BasicAuthShield
- PolicyShield

## *Shield*

**Kind**: global abstract class

new Shield()

Abstract Shield class

Example

```js
var util = require('util'),
    openamAgent = require('openam-agent');

function MyShield(options) {
    this.options = options;
}

// inherit from the abstract Shield class exported by the module
util.inherits(MyShield, openamAgent.Shield);

MyShield.prototype.evaluate = function (req, success, fail) {
    var sessionKey, sessionData;
    if (this.options.foo) {
        // do something
        sessionKey = 'foo';
        sessionData = 'bar';
        success(sessionKey, sessionData);
    } else {
        // failure
        fail(401, 'Unauthorized', 'Missing Foo...');
    }
};

// including it in the express app
// (app is the Express application, agent is the PolicyAgent instance)
app.use(agent.shield(new MyShield({foo: 'bar'})));
```

shield.init(agent)

Initializes the shield (used by PolicyAgent#shield())

**Kind**: instance method of Shield

| Param | Type |
| --- | --- |
| agent | `PolicyAgent` |

shield.evaluate(req, success, fail) ⇒ Promise

Main shield logic; override this method. Calls fail() or success().

**Kind**: instance method of Shield

| Param | Type |
| --- | --- |
| req | `Request` |
| success | `function` |
| fail | `function` |

## CookieShield

**Kind**: global class

new CookieShield()

Shield implementation for validating session cookies. This shield checks if the request contains a session cookie and validates it against OpenAM. The session is cached if notifications are enabled, otherwise it's re-validated for every request.

| Param | Type | Default | Description |
| --- | --- | --- | --- |
| [options.cookieName] | `string` | | Overrides the cookie name that was retrieved from OpenAM with PolicyAgent#getServerInfo() |
| [options.noRedirect] | `boolean` | | If {true}, the agent will not redirect to OpenAM's login page for authentication, only return a 401 response |
| [options.getProfiles] | `boolean` | `false` | If {true}, the agent will fetch and cache the user's profile when validating the session |
| [options.passThrough] | `boolean` | `false` | If {true}, the shield will not enforce valid sessions. This is useful in conjunction with {getProfiles:true} when a route is public but you want to fetch identity information for any logged in users. |

cookieShield.evaluate(req, success, fail) ⇒ Promise

Main shield logic; override this method. Calls fail() or success().

**Kind**: instance method of CookieShield

| Param | Type |
| --- | --- |
| req | `Request` |
| success | `function` |
| fail | `function` |

## OAuth2Shield

**Kind**: global class

new OAuth2Shield()

Shield implementation for enforcing OAuth2 access_tokens. This Shield implementation validates an OAuth2 access_token issued by OpenAM, using OpenAM's /oauth2/tokeninfo service. The access_token must be sent in an Authorization header:

```
Authorization: Bearer 0b79bab50daca910b000d4f1a2b675d604257e42
```

Example

```sh
curl -H 'Authorization: Bearer 2dcaac7a-8ce1-4e62-8b3a-0d0b9949cc98' http://app.example.com:8080/mobile
```
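
The header handling described above, as an added example that is not part of the original page or of the openam-agent code base: a shield following this page's `evaluate(req, success, fail)` contract that parses the `Authorization: Bearer` header strictly and fails closed with a 401. `parseBearer`, `BearerShield`, `runSample` and the `validate` option are hypothetical names; `validate` is an assumed stand-in for the token check against OpenAM.

```javascript
// Strict parser for the value of "Authorization: Bearer <token>".
// Scheme is case-insensitive; token charset is RFC 6750's b64token.
// Returns the token, or null when the header is absent or malformed.
function parseBearer(headerValue) {
    if (typeof headerValue !== 'string') {
        return null; // header missing, or not a single string value
    }
    var match = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(headerValue.trim());
    return match ? match[1] : null;
}

// Hypothetical shield using this page's evaluate(req, success, fail) contract.
// options.validate(token, cb) is an assumed stand-in for asking OpenAM
// whether the token is valid; it is not the project's OAuth2Shield code.
function BearerShield(options) {
    this.options = options;
}

BearerShield.prototype.evaluate = function (req, success, fail) {
    var token = parseBearer(req.headers && req.headers.authorization);
    if (!token) {
        // Fail closed, and do not echo the received header back to the client
        return fail(401, 'Unauthorized', 'Missing or malformed bearer token');
    }
    this.options.validate(token, function (err, tokenInfo) {
        if (err || !tokenInfo) {
            return fail(401, 'Unauthorized', 'Invalid access_token');
        }
        success(token, tokenInfo);
    });
};

// Constructed sample: the token from the curl example above is the only
// one the in-memory validator accepts.
var SAMPLE_TOKEN = '2dcaac7a-8ce1-4e62-8b3a-0d0b9949cc98';

function runSample(authorization) {
    var result;
    var shield = new BearerShield({
        validate: function (token, cb) {
            cb(null, token === SAMPLE_TOKEN ? { scope: ['mobile'] } : null);
        }
    });
    shield.evaluate({ headers: { authorization: authorization } },
        function (key, data) { result = { status: 200, key: key, data: data }; },
        function (status, title, message) { result = { status: status, message: message }; });
    return result;
}
```
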

oAuth2Shield.evaluate(req, success, fail) ⇒ Promise

Main shield logic; override this method. Calls fail() or success().

**Kind**: instance method of OAuth2Shield

| Param | Type |
| --- | --- |
| req | `Request` |
| success | `function` |
| fail | `function` |

## BasicAuthShield

**Kind**: global class

new BasicAuthShield()

Shield implementation for enforcing a basic auth header. The credentials in the Authorization header will be sent to OpenAM. No session will be created.

| Param | Type | Default | Description |
| --- | --- | --- | --- |
| [options.realm] | `string` | `"/"` | Name of the realm in OpenAM to which the user should be authenticated |
| [options.service] | `string` | | Name of the service (i.e. chain) used for authentication |
| [options.module] | `string` | | Name of the module used for authentication (overrides {service}) |

basicAuthShield.evaluate(req, success, fail) ⇒ Promise

Main shield logic; override this method. Calls fail() or success().

**Kind**: instance method of BasicAuthShield

| Param | Type |
| --- | --- |
| req | `Request` |
| success | `function` |
| fail | `function` |

## PolicyShield

**Kind**: global class

new PolicyShield([applicationName])

Shield implementation for enforcing policy decisions. This shield fetches policy decisions from OpenAM for the requested path, specified application name and current user. It requires a valid session cookie. Typically used in a chain with CookieShield.

| Param | Type | Default | Description |
| --- | --- | --- | --- |
| [applicationName] | `string` | `"iPlanetAMWebAgentService"` | Name of the entitlement application in OpenAM |

Example

```js
var openam = require('openam-agent');

// app is the Express application and agent is the PolicyAgent instance
var cookieShield = new openam.CookieShield();
var policyShield = new openam.PolicyShield('my-app');

app.use('/some/protected/route', agent.shield(cookieShield), agent.shield(policyShield), function (req, res, next) {
    // your route handler code here
});
```

policyShield.evaluate(req, success, fail) ⇒ Promise

Main shield logic; override this method. Calls fail() or success().

**Kind**: instance method of PolicyShield

| Param | Type |
| --- | --- |
| req | `Request` |
| success | `function` |
| fail | `function` |