The objective here is to delegate the authorization to another process, external to GeneXus Access Manager.
The delegation of the authorization is specified for each GAM Application using the following method of the GAMApplication object:
&Application.IsAuthorizationDelegated = TRUE
For the application delegating the authorization to an external program, we must specify the following data:
- (Required) ClassName of the program implementing the authorization. For example, if the Genexus procedure is called "testdelegateauthorization2_v10", then the ClassName would be "atestdelegateauthorization2_v10".
- (Optional) FileName of the program implementing the authorization (dll/jar/class/rb) For example: "atestdelegateauthorization2_v10.class" or "atestdelegateauthorization2_v10.dll". It´s optional for java.
- (Optional) Package which corresponds to the external program. For the case of java, it is the value specified in Java Package Name Property; for NET models it is the value of .Net Application namespace property; and for Ruby, the Code Namespace. This property is optional and depends on whether the external program has a package or not.
- Method. Here we specify the method to be executed. For Genexus programs it is always the "execute" method.
- Version of the external program. Currently, the supported version is 1.0.
Then the code would be the following:
&Application.IsAuthorizationDelegated = TRUE //&Application is GAMApplication data type.
&Application.DelegateAuthorization.ClassName = &GAMApplicationClassName
&Application.DelegateAuthorization.FileName = &GAMApplicationFileName
&Application.DelegateAuthorization.Method = &GAMApplicationMethod
&Application.DelegateAuthorization.Version = &GAMApplicationVersion //&GAMApplicationVersion is GAMExternalAuthorizationVersions data type.
Sample of authorization delegation configuration
Note that the GAM Examples do not include a web panel with this code, so you need to implement it.
The external program may be generated with or without Genexus. The program receives a string parameter, in json format, and it must return a string parameter in json format or void.
The composition of the in parameter must be:
The composition of the out parameter must be:
Changing the GAM as the authorization manager to delegate the authorization to external programs is very simple and needs no programming.
The Automatic Permissions generated by GeneXus and the Permissions Created by the User (X Evolution 3) are all checked against the external program.
User data, roles, the application id, and the permission required for executing the object is passed automatically to the external program.
Download sample here.