Authorization with OpenSSO’s Identity Services


One new area of work in OpenSSO is Identity Services, allowing a developer to easily write code to authenticate users, check if those users are authorized to access resources, retrieve those users’ attributes, etc. While all of this functionality has long been available in different forms, the new Identity Services work collects common identity tasks into an easy-to-use set of web services accessible via SOAP and REST. Now developers working in just about any language can join the identity party.

Last month, Aravindan and Marina published a Sun Developer Network article showing how to use OpenSSO’s identity services for authentication. This month, Lakshman Abburi joins them to cover authorization with identity services. The identity services client from part 1 is extended to check whether the authenticated user should be allowed access to a given resource, in this example, a URL. Although the article focuses on Java and NetBeans, as I mention above, you can invoke identity services from just about anywhere. Go read the articles, have a play, and leave a comment here or there if you do something really cool.
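To make the "from just about anywhere" point concrete, here is an added Python client for the REST side of the identity services, covering the same authenticate, authorize-a-URL and fetch-attributes flow the two articles walk through in Java. This is example code written for this post, not the articles' client and not part of OpenSSO. The deployment URL is an assumption, and the endpoint names, parameter names and the key=value response lines (token.id=..., boolean=true, userdetails.attribute.name/value) are as I recall them from OpenSSO's REST identity services, so check them against your build. The fake transport at the bottom is constructed sample data so the client can be exercised offline.

```python
"""Added example: a small client for OpenSSO's REST identity services.
Assumptions: OpenSSO at OPENSSO_BASE; endpoint and parameter names and the
key=value response format are as recalled from OpenSSO's REST interface."""
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

OPENSSO_BASE = "https://sso.example.com/opensso"  # assumption: your deployment URL


def http_fetch(url, data=None):
    """Real transport: GET, or POST when a form-encoded body is supplied."""
    body = data.encode("utf-8") if data is not None else None
    with urlopen(Request(url, data=body), timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_kv_lines(body):
    """Parse the key=value-per-line reply into an ordered list of pairs.
    Order matters: multi-valued attributes are a name line followed by values."""
    pairs = []
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def values_for(pairs, key):
    return [v for k, v in pairs if k == key]


class IdentityServicesClient:
    def __init__(self, base_url=OPENSSO_BASE, fetch=http_fetch):
        self.base_url = base_url.rstrip("/")
        self.fetch = fetch  # injectable so the client can be tested offline

    def _call(self, service, params, post=False):
        url = f"{self.base_url}/identity/{service}"
        query = urlencode(params)
        if post:
            return parse_kv_lines(self.fetch(url, data=query))
        return parse_kv_lines(self.fetch(f"{url}?{query}"))

    def authenticate(self, username, password):
        # POST keeps the password out of URL-based access logs (assumes the
        # servlet accepts POST as well as GET, as it did in my experience).
        pairs = self._call("authenticate",
                           {"username": username, "password": password}, post=True)
        tokens = values_for(pairs, "token.id")
        if not tokens:
            raise PermissionError("authentication failed")
        return tokens[0]  # the SSO token; treat it as a secret, like the password

    def authorize(self, token, uri, action="GET"):
        pairs = self._call("authorize",
                           {"uri": uri, "action": action, "subjectid": token})
        # Fail closed: only an explicit boolean=true is a grant. Empty bodies,
        # errors and anything unexpected are treated as deny.
        return values_for(pairs, "boolean") == ["true"]

    def attributes(self, token):
        pairs = self._call("attributes", {"subjectid": token})
        attrs, current = {}, None
        for key, value in pairs:
            if key == "userdetails.attribute.name":
                current = value
                attrs.setdefault(current, [])
            elif key == "userdetails.attribute.value" and current is not None:
                attrs[current].append(value)
        return attrs


# --- constructed fake transport: sample data, not a real OpenSSO reply ---
FAKE_TOKEN = "AQIC5w-constructed-sample-token"


def fake_fetch(url, data=None):
    path, _, query = url.partition("?")
    params = parse_qs(query)
    if path.endswith("/identity/authenticate"):
        ok = data == urlencode({"username": "demo", "password": "changeit"})
        return f"token.id={FAKE_TOKEN}\n" if ok else ""
    if path.endswith("/identity/authorize"):
        # Stand-in policy: only GET on /reports/ is allowed for a valid token.
        allowed = (params.get("subjectid") == [FAKE_TOKEN]
                   and params.get("uri") == ["http://app.example.com/reports/"]
                   and params.get("action") == ["GET"])
        return f"boolean={'true' if allowed else 'false'}\n"
    if path.endswith("/identity/attributes"):
        return (f"userdetails.token.id={FAKE_TOKEN}\n"
                "userdetails.attribute.name=uid\n"
                "userdetails.attribute.value=demo\n"
                "userdetails.attribute.name=mail\n"
                "userdetails.attribute.value=demo@example.com\n")
    return ""


def demo():
    """Run the authenticate -> authorize -> attributes flow against the fake."""
    client = IdentityServicesClient(fetch=fake_fetch)
    token = client.authenticate("demo", "changeit")
    reports = "http://app.example.com/reports/"
    return {
        "reports_get": client.authorize(token, reports, "GET"),
        "reports_post": client.authorize(token, reports, "POST"),
        "admin_get": client.authorize(token, "http://app.example.com/admin/", "GET"),
        "attrs": client.attributes(token),
    }


if __name__ == "__main__":
    print(demo())
```

Swap `fetch=fake_fetch` for the default `http_fetch` to talk to a real deployment. The authorize call belongs in the component that protects the resource (the server side of the client's web application), never in browser-side code, and the SSO token it passes as subjectid should be handled with the same care as a credential.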




How do we define authorization policies for web services? I have a web service and a WS client deployed on different Tomcat instances. My OpenSSO runs on another Tomcat instance. I use JAX-WS handlers to enforce authentication. How do I enforce authorization?


It seems like OpenSSO allows for developers to authorize users only by utilizing the attributes residing in the token that was created after OpenSSO has authenticated a user. Am I correct to assume that OpenSSO doesn't allow for a developer to access a different attribute authority after authentication has occurred to obtain attributes that way?

Pradeep Balachandran


I have been able to integrate Liferay and OpenSSO, with respect to authentication. However I have been struggling with the integration aspect relating to authorization. I am not sure if it is even reasonable to assume that Liferay can be integrated with an external "authorization" data store. The questions that invariably arise when you talk about integrating a portal to an external authorization data store are:

a. Can you set up communities and pages dynamically for a user, with information retrieved from OpenSSO's policies (authorization)? Is this even realistic?

b. Can you selectively show pages and portlets based on policies in OpenSSO for that user?

I would appreciate your thoughts on this topic and if you can share some documents on if/how this can be done, that would be even better.
