Authorization

AidasOzelis

How does authorization work within Lightstreamer?

Is it possible to restrict a client's access to certain item names within a subscrition? For example, we would like to prevent client A from seeing information pertaining to client B.

Many thanks.

Dario Crivelli

All authorization stuff is performed by the Metadata Adapter.

In particular, client requests for items are managed, first of all, by getItems, which interprets the request and can leverage the knowledge of the user name. Only the item names returned by getItems are attached to the session.

Alternatively, if getItemsonly performs interpretation of the request at a syntax level, authorization can be delegated to notifyNewTables (see the caveats in the docs), which can veto an incoming request and send an error notification to the client.

hungtt

@DarioCrivelli, Wrote: All authorization stuff is performed by the Metadata Adapter.

In particular, client requests for items are managed, first of all, by getItems, which interprets the request and can leverage the knowledge of the user name. Only the item names returned by getItems are attached to the session.

Alternatively, if getItemsonly performs interpretation of the request at a syntax level, authorization can be delegated to notifyNewTables (see the caveats in the docs), which can veto an incoming request and send an error notification to the client.

Could you post an example code?

Dario Crivelli

There are no examples of authorization checks in the available demos.

The following example code shows the use of notifyNewTables to check subscription requests and refuse them if needed.
The methods shown should be added to the Metadata Adapter class.

[SYNTAX=JAVA]
public boolean wantsTablesNotification(String user) {
return true;
}

public void notifyNewTables(String user, String session, TableInfo[] tables)
throws CreditsException, NotificationException {
for (TableInfo ti : tables) {
String[] items;
try {
items = this.getItems(user, session, ti.getId());
} catch (ItemsException e) {
// we don't expect this at this stage
throw new NotificationException(e.getMessage());
}
for (String item : items) {
if (! isAllowed(item, user)) {
throw new CreditsException(-1, "subscription not allowed");
}
}
}
}

private boolean isAllowed(String item, String user) {
// TODO check the allowance
return false;
}
[/SYNTAX]