The objective here is to delegate the authorization to another process, external to GeneXus Access Manager (GAM).
The delegation of the authorization is specified for each GAM Application using the following method of the GAMApplication object:
&Application.IsAuthorizationDelegated = TRUE
For the application delegating the authorization to an external program, you must specify the following data:
- (Required) ClassName of the program implementing the authorization. For example, if the GeneXus Procedure is called "testdelegateauthorization2_v10", the ClassName is "atestdelegateauthorization2_v10".
- (Optional) FileName of the program implementing the authorization (dll/jar/class/rb). For example: "atestdelegateauthorization2_v10.class" or "atestdelegateauthorization2_v10.dll". It is optional for Java.
- (Optional) Package of the external program. For Java, it is the value of the Java Package Name property; for .NET, the value of the .Net Application namespace property; and for Ruby, the Code Namespace. Whether it is needed depends on whether the external program has a package or not.
- Method. The method to be executed. For GeneXus programs, it is always the "execute" method.
- Version of the external program. Currently, the only supported version is 1.0.
Then the code would be the following:
&Application.IsAuthorizationDelegated = TRUE //&Application is GAMApplication data type.
&Application.DelegateAuthorization.ClassName = &GAMApplicationClassName
&Application.DelegateAuthorization.FileName = &GAMApplicationFileName
&Application.DelegateAuthorization.Method = &GAMApplicationMethod
&Application.DelegateAuthorization.Package = &GAMApplicationPackage
&Application.DelegateAuthorization.Version = &GAMApplicationVersion //&GAMApplicationVersion is GAMExternalAuthorizationVersions data type.
Sample of authorization delegation configuration
Note that the GAM - Examples do not include a Web Panel with this code, so you need to implement it.
The external program may be generated with or without GeneXus. It receives one string parameter in JSON format and must return a string parameter in JSON format (or void).
The composition of the in parameter must be:
GAMExternalAuthorizationIn
    User
        GUID                    GAMGUID
        NameSpace               GAMRepositoryNameSpace
        AuthenticationTypeName  GAMDescriptionShort
        Name                    GAMUserIdentification
        Login                   GAMUserLogin
        Email                   GAMEMail
        ExternalId              GAMUserIdentification
        FirstName               GAMDescriptionShort
        LastName                GAMDescriptionShort
        Birthday                GAMDate
        Gender                  GAMUserGender
        Roles [collection]
            Id                  GAMKeyNumLong
            ExternalId          GAMUserIdentification
    Application
        Id                      GAMKeyNumLong
        GUID                    GAMGUID
        Name                    GAMDescriptionLong
    Permission
        Name                    GAMDescriptionLong
The composition of the out parameter must be:
GAMExternalAuthorizationOut
    Authorized                  GAMBoolean
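The following is an added example of what the external program itself can look like; it is not code from this page, the GAM examples, or the downloadable sample. It is written in Ruby (one of the target languages listed above) and implements the "execute" method with the in/out contract just described: it parses the GAMExternalAuthorizationIn JSON, decides from the user's Roles whether the requested Permission.Name is granted, and returns the GAMExternalAuthorizationOut JSON. The role-to-permission table, the sample input, and the exact JSON shape (the structure's members at the top level, with an optional wrapping "GAMExternalAuthorizationIn" key also accepted) are assumptions made for illustration. The important property for an authorization decision point is that it fails closed: malformed input, missing fields or an unknown role all produce Authorized = false.

```ruby
require 'json'

# Added example: an external GAM authorization program in Ruby.
# Not part of the GAM documentation or the GeneXus sample; the policy
# table and the sample payload below are constructed for illustration.
module DelegatedAuthorization
  # Assumed policy: which role ExternalIds may exercise which permission
  # names. :any grants every permission. In a real deployment this would
  # come from an external policy store rather than a constant.
  ROLE_PERMISSIONS = {
    'gam_administrator' => :any,
    'report_reader'     => %w[reports_viewer_Execute].freeze
  }.freeze

  # Entry point matching the "execute" Method configured in GAM.
  # Receives the GAMExternalAuthorizationIn JSON string and returns the
  # GAMExternalAuthorizationOut JSON string. Any parsing or shape error
  # is mapped to a denial so the program never fails open.
  def self.execute(json_in)
    decision = begin
      authorized?(JSON.parse(json_in))
    rescue JSON::ParserError, KeyError, TypeError, NoMethodError
      false
    end
    JSON.generate('Authorized' => decision)
  end

  # Decision logic over the parsed document.
  def self.authorized?(doc)
    # Accept both the bare structure and a document wrapped in the
    # structure name (assumption: either serialization may be used).
    doc = doc['GAMExternalAuthorizationIn'] if doc.key?('GAMExternalAuthorizationIn')

    user       = doc.fetch('User')                     # KeyError if absent
    permission = doc.fetch('Permission').fetch('Name').to_s
    return false if permission.empty?                  # nothing to authorize

    # Roles is a collection of {Id, ExternalId}; match on ExternalId.
    roles = Array(user['Roles']).map { |r| r['ExternalId'].to_s }

    # Default deny: only an explicit grant for one of the user's roles
    # yields true. Unknown roles contribute nothing.
    roles.any? do |role|
      allowed = ROLE_PERMISSIONS[role]
      allowed == :any || (allowed.is_a?(Array) && allowed.include?(permission))
    end
  end

  # Constructed sample of the in parameter (values are made up).
  SAMPLE_IN = JSON.generate(
    'User' => {
      'GUID'  => '0f4d8b1e-0000-4000-8000-000000000001',
      'Login' => 'jdoe',
      'Email' => 'jdoe@example.test',
      'Roles' => [{ 'Id' => 7, 'ExternalId' => 'report_reader' }]
    },
    'Application' => { 'Id' => 1, 'GUID' => '0f4d8b1e-0000-4000-8000-000000000002',
                       'Name' => 'GAMExampleApp' },
    'Permission'  => { 'Name' => 'reports_viewer_Execute' }
  )
end

if __FILE__ == $PROGRAM_NAME
  puts DelegatedAuthorization.execute(DelegatedAuthorization::SAMPLE_IN)
  puts DelegatedAuthorization.execute('{not json')
end
```

Run it directly to see the granted decision for the sample payload and the denial for malformed input. The same class, once generated into an .rb file and registered with GAM through the ClassName/FileName/Package/Method/Version configuration above, would be called for every permission check in the application.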
Switching GAM from its built-in authorization to an external program requires only the configuration above; the GAM application code itself needs no changes.
Both the Automatic Permissions generated by GeneXus and the Permissions created by the user are checked against the external program, so it becomes the single decision point for the application and should deny access whenever its input cannot be parsed or the permission is not explicitly granted.
The user data, roles, application Id, and the permission required to execute the object are passed automatically to the external program.
Download sample here.