Overview of Yanel Access Control Components

Each Yanel realm can have its own IdentityManager and PolicyManager. The IdentityManager is responsible for authentication and the PolicyManager for authorization. A Yanel realm can also have its own WebAuthenticator for use with custom HTTP headers such as those found in Single-Sign-On solutions.

Currently, authentication and authorization must be configured in the following directories of the realm:

REALM/ac-identities/users/
REALM/ac-identities/groups/
REALM/ac-policies/

where 'users' and 'groups' define authentication and 'ac-policies' defines authorization.

Authentication Use Cases

Yanel currently supports the following authentication use cases:
  • HTTP BASIC and DIGEST
  • Web Forms (XHTML)
  • Neutron
  • OpenID
  • Single-Sign-On through custom HTTP headers
(Please get in touch with the developers if you need another use case.)

Other use cases can easily be implemented by introducing a custom WebAuthenticator. In most cases the actual authentication is delegated to the IdentityManager (OpenID, for instance, is an exception), and one can also introduce a custom IdentityManager (e.g. LDAP authentication is currently done by a dedicated LDAPIdentityManager).

Authorization

Yanel supports URL-based and content-based access control. URL-based means that an access control policy can be associated with every URL. Content-based means that one can associate an access control policy with an arbitrary piece of content within a webpage (e.g. the phone number of a person is only displayed if one is signed in and has the corresponding rights to see this phone number).

The access control policies are managed by the PolicyManager. Each realm can have its own PolicyManager, and one can easily introduce a custom PolicyManager for specific requirements.
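
The difference between a URL-based and a content-based check, using the phone number case above, as an added sketch that is not Yanel code. The types Identity and Policy, the "u:"/"g:" prefixes, the "#phone" key and the deny-when-no-policy rule are assumptions of this example, not Yanel's IdentityManager or PolicyManager API.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical sketch: these types are NOT Yanel's IdentityManager/PolicyManager API.
public class AccessControlSketch {

    // An authenticated identity, as an identity manager would return it after login.
    record Identity(String user, Set<String> groups) {}

    // One policy: for each right, the users ("u:") and groups ("g:") that hold it.
    record Policy(Map<String, Set<String>> holdersByRight) {
        boolean permits(Identity id, String right) {
            if (id == null) return false; // not signed in: deny
            Set<String> holders = holdersByRight.getOrDefault(right, Set.of());
            return holders.contains("u:" + id.user())
                || id.groups().stream().anyMatch(g -> holders.contains("g:" + g));
        }
    }

    // Constructed sample policies. URL-based policies are keyed by path;
    // content-based policies by path plus a fragment naming the piece of content.
    static final Map<String, Policy> POLICIES = Map.of(
        "/staff/alice.html", new Policy(Map.of("view", Set.of("g:employees", "g:hr"))),
        "/staff/alice.html#phone", new Policy(Map.of("view", Set.of("g:hr"))));

    // Assumption of this sketch: a missing policy means deny.
    static boolean authorized(Identity id, String key, String right) {
        Policy p = POLICIES.get(key);
        return p != null && p.permits(id, right);
    }

    // URL-based check for the whole page, then a content-based check for one field.
    static String render(Identity id) {
        String url = "/staff/alice.html";
        if (!authorized(id, url, "view")) return "403 Forbidden";
        // Constructed placeholder phone number.
        String phone = authorized(id, url + "#phone", "view") ? "+41 00 000 00 00" : "(hidden)";
        return "Alice, phone: " + phone;
    }

    public static void main(String[] args) {
        System.out.println(render(new Identity("bob", Set.of("employees", "hr"))));
        System.out.println(render(new Identity("carol", Set.of("employees"))));
        System.out.println(render(null)); // anonymous request
    }
}
```

The content-based check runs on the server while the page is rendered, so a field the caller may not see never reaches the response.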
