Ryerson's Identity and Resource Management


Presented by Jonathan Sammy and Hongbo He on May 28, 2007

Ryerson’s Identity and Resource Management System

CANHEIT, May 28, 2007



Good, Old Fashioned Ice Breaker

Who are we?
- Competitive runners who like to program on the side

Who do we represent?
- Our team is made up of 6 Java specialists and an SQL guru

What do we want?
- An all-encompassing identity management solution

How did we get here?
- Task: conduct research both inside and outside of IT
- Result: Identity Management is not only a concern in Canadian Higher Education



What’s on the Morning Menu?

Introduction to RMS
- Overview

The Architecture
- How does it all fit together?

The Tools
- What technologies were used?

The Future
- Where do we go from here?



What is this “RMS”?

RMS is Ryerson’s in-house developed Identity and Resource Management System
- Manages identities and provisions IT resources

Why a central repository of identity information?
- Redundancy is bad
- An excuse to learn Spring
  - Learning is good
- One person = One identity for life



Life Before RMS: The Dark Side

- Max 8 characters username per person, per role
  - Username starvation, cryptic usernames, lacked freedom of choice
- UIDN less than 65,536 (the 16-bit UID range)
- Separate GUIs for account management
  - No central place to perform related tasks
- Lack of self service
  - Overhead in determining resource eligibility



Laying the Foundation

- Where do we get the data from?
- How do we resolve differences from multiple sources?
- Provisioning multiple resources



Laying the Foundation

How Does Our Data Model Represent Users?

(Entity-relationship diagram reconstructed from the slide; PK = primary key, FK = foreign key, numbered as on the diagram.)

OWNERS
  PK   ID
       OWNERTYPE
       FIRSTNAME
       LASTNAME
       NAME
       CONTACTID
       CHANGESTATUS
       DATASOURCE

OWNERROLES
  PK   ID
  FK1  OWNERID
       OWNERROLENUMBER
  FK2  USERNAMEID
       PROGRAMID
       ROLESTATUS
       DATASOURCE

OWNERRESOURCES
  PK   ID
       RESOURCENAME
       RESOURCETYPE
       USERNAME
  FK2  USERNAMEID
       RESOURCESTATUS
       GECOS
  FK1  OWNERID
       ELIGIBLE
       REQUESTSTATUS

USERNAMES
  PK   ID
  FK1  OWNERID
       SUSERNAME
       LUSERNAME
       PASSWORD
       PORTALID
       POSFTID
       UIDN
       REQUESTSTATUS

CLASSES
  PK   ID
       CLASSNAME

OWNERROLES_CLASSES
  PK,FK1  ID
  PK,FK2  CLASSID

An owner has many roles and many username sets; a resource is tied to both an owner and a username set; OWNERROLES_CLASSES is the join table between roles and classes. The USERNAMES table carries a PASSWORD column; the slide does not say in what form that value is stored.



Laying the Foundation

What’s in a name?
- How many identities could/should a student have?

How are resources allocated?
- Based on Roles, Classes and Courses

How “real” is “real time”?
- As real as our dependent systems allow us to be



Bringing it All Together: RMS Architecture

Web
- 3 web modules:
  - Activation
  - Self Service
  - Administration

Server
- Provides service methods exposed through RMI
- Performs business logic



Screenshots (images not reproduced in this extraction):
- Activation: User Name Selection
- Self Service: Manage Resources
- Administration: Owner Information
- Administration: Owner Roles
- Administration: Owner Resources



Bringing it All Together: RMS Architecture

Database
- Stores data presented by RMS
- Stored Procedures
  - Calculate resources and quotas
  - Refresh tables based on feed data
  - Automated Aging Module
  - Dynamic UIDN switching
  - Maintain master username list



Bringing it All Together: RMS Architecture

Archiver
- Archives server and web logs, and database requests

Scheduler
- A more intelligent “CRON”
- Runs scheduled jobs: synchronization, pushes request files, sends aging messages and more



The Spring Framework

Dependency Injection
- System for wiring components via configuration files

  <bean id="adsDirectoryDAO" class="...">
    <property name="roomMap">
      <map>
        <entry key="khw257" value="cn=KHW257,ou=AcLabs"/>
        <entry key="khw71a" value="cn=KHW71A,ou=AcLabs"/>
      </map>
    </property>
  </bean>

  <bean id="directoryReqDispatcher" abstract="true" class="..."/>

  <bean id="adsDirectoryReqDispatcher" parent="directoryReqDispatcher">
    <property name="directoryDAO" ref="adsDirectoryDAO"/>
  </bean>

The abstract directoryReqDispatcher bean is a template that is never instantiated itself; adsDirectoryReqDispatcher inherits its definition and is wired to adsDirectoryDAO through the directoryDAO property.



The Spring Framework (Cont’d)

  package ca.ryerson.rms.request;

  public class DirectoryDispatcherImpl implements RequestDispatcher {

      // Injected by Spring through the directoryDAO property (see the bean definitions above)
      private DirectoryDAO directoryDAO;

      public void setDirectoryDAO(DirectoryDAO directoryDAO) {
          this.directoryDAO = directoryDAO;
      }

      // Looks up the DAO method for "action" (elided on the slide) and invokes it
      // reflectively; Method.invoke throws checked exceptions, hence the throws clause
      protected void dispatchMethod(String action, Resource resource) throws Exception {
          ...
          method.invoke(directoryDAO, new Object[] { resource });
          ...
      }

      public void sendRequest(String action, RequestIF request) throws Exception {
          Resource resource = (Resource) request;
          dispatchMethod(action, resource);
      }
  }
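Added example in Python, not the RMS Java code: dispatchMethod above invokes a DirectoryDAO method chosen by the action string, and the slide elides how that Method is looked up. The version below resolves actions only through an explicit table, so a request can reach the intended provisioning operations and nothing else on the DAO, and keeps a by-name getattr dispatcher beside it for contrast. DirectoryDAO, Resource, the action names and the delete_subtree helper are stand-ins, not RMS identifiers.

```python
# Added example, not RMS code. Mirrors DirectoryDispatcherImpl.dispatchMethod,
# which invokes a DirectoryDAO method selected by the "action" string. The slide
# elides how the Method object is found; this stand-in resolves actions only
# through a fixed table. Class, method and action names are assumptions.


class Resource:
    """Minimal stand-in for the Resource request object."""

    def __init__(self, username, resource_name):
        self.username = username
        self.resource_name = resource_name


class DirectoryDAO:
    """Stand-in for the directory DAO; records calls instead of touching LDAP."""

    def __init__(self):
        self.calls = []

    def create(self, resource):
        self.calls.append(("create", resource.username, resource.resource_name))
        return "created"

    def delete(self, resource):
        self.calls.append(("delete", resource.username, resource.resource_name))
        return "deleted"

    def disable(self, resource):
        self.calls.append(("disable", resource.username, resource.resource_name))
        return "disabled"

    def delete_subtree(self, resource):
        """Maintenance helper with the same signature as the actions above.
        It must never be reachable through a request."""
        self.calls.append(("delete_subtree", resource.username, resource.resource_name))
        return "subtree removed"


def dispatch_by_name(dao, action, resource):
    """Reflection straight from the action string (getattr is Python's
    Method.invoke): every same-arity public method on the DAO is callable."""
    return getattr(dao, action)(resource)


class DirectoryDispatcher:
    """Allow-listed dispatch: the request's action is a table key, not a method name."""

    ACTIONS = {
        "create": DirectoryDAO.create,
        "delete": DirectoryDAO.delete,
        "disable": DirectoryDAO.disable,
    }

    def __init__(self, dao):
        self.dao = dao

    def dispatch(self, action, resource):
        method = self.ACTIONS.get(action)
        if method is None:
            raise ValueError("unknown directory action: %r" % (action,))
        return method(self.dao, resource)


def send_request(dispatcher, action, request):
    """Equivalent of sendRequest: the request must be a Resource, and the
    action goes through the allow list rather than a by-name lookup."""
    if not isinstance(request, Resource):
        raise TypeError("directory requests must be Resource instances")
    return dispatcher.dispatch(action, request)
```

With this shape, adding a new DAO operation is an explicit edit to ACTIONS; a method that merely exists on the DAO is not automatically an action.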



ACEGI Security

Provides authentication, authorization, instance-based access control and channel security

  <bean id="filterInvocationInterceptor">
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /mainmenu.html*=ROLE_REGULAR
        /index.html*=ROLE_REGULAR
        /shellmenu.html*=ROLE_INSTRUCTOR,ROLE_GUESTINSTRUCTOR,ROLE_STAFF
        /templateshellagreement.html*=ROLE_INSTRUCTOR,ROLE_STAFF
        /ryelogin.jsp*=ROLE_PRIVATE_ANONYMOUS,ROLE_REGULAR
        /**=ROLE_ANONYMOUS,ROLE_PRIVATE_ANONYMOUS,ROLE_REGULAR
      </value>
    </property>
  </bean>

The entries are tried in order: the first Ant pattern that matches the lowercased request path decides which roles may proceed, and with the usual RoleVoter setup a caller holding any one of the listed roles passes. The /** catch-all therefore has to stay last, and the trailing * on each pattern lets a path carrying a ;jsessionid=... suffix still hit its rule rather than falling through to the catch-all.



ACEGI Security (Cont’d)

  <%@ taglib prefix="authz" uri="http://acegisecurity.org/authz" %>

  <html><body>

    <authz:authorize ifNotGranted="ROLE_NETENG,ROLE_BB">
      Show if user has none of the listed roles
    </authz:authorize>

    <authz:authorize ifAnyGranted="ROLE_ROOT,ROLE_ACS,ROLE_BB,ROLE_HELPDESK">
      Show if user has any of the listed roles
    </authz:authorize>

    <authz:authorize ifAllGranted="ROLE_ROOT,ROLE_ACS,ROLE_BB,ROLE_HELPDESK">
      Show if user has all of the listed roles
    </authz:authorize>

  </body></html>

These tags only decide what markup is rendered; the URL rules in filterInvocationInterceptor are what actually stop a request.
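Added example, not part of the deck: a small Python model of how the objectDefinitionSource on the previous slide is evaluated (first matching Ant pattern wins, path lowercased first, an unmatched path left public under the interceptor's default settings) together with the three authz tag modes from this slide. It uses the deck's own rule list and role names; the request paths in the checks are constructed, and the matcher is a re-implementation, not Acegi's.

```python
import re

# Added example, not code from the RMS deck: the objectDefinitionSource
# entries from the ACEGI slide, in the order the deck lists them, plus the
# three <authz:authorize> modes. Acegi's path-based definition source returns
# the FIRST matching entry, and with rejectPublicInvocations left at its
# default an unmatched URL is treated as public, which is why "/**" is
# listed, and listed last.
RULES = [
    ("/mainmenu.html*", {"ROLE_REGULAR"}),
    ("/index.html*", {"ROLE_REGULAR"}),
    ("/shellmenu.html*", {"ROLE_INSTRUCTOR", "ROLE_GUESTINSTRUCTOR", "ROLE_STAFF"}),
    ("/templateshellagreement.html*", {"ROLE_INSTRUCTOR", "ROLE_STAFF"}),
    ("/ryelogin.jsp*", {"ROLE_PRIVATE_ANONYMOUS", "ROLE_REGULAR"}),
    ("/**", {"ROLE_ANONYMOUS", "ROLE_PRIVATE_ANONYMOUS", "ROLE_REGULAR"}),
]


def ant_to_regex(pattern):
    """Ant-style path pattern -> anchored regex: '**' spans path segments,
    '*' matches within one segment, '?' matches one non-slash character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            ch = pattern[i]
            out.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def required_roles(url, rules=RULES, lowercase=True):
    """Role set of the first rule matching the request path (query string
    dropped), or None when no rule matches."""
    path = url.split("?", 1)[0]
    if lowercase:  # CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        path = path.lower()
    for pattern, roles in rules:
        if ant_to_regex(pattern).match(path):
            return roles
    return None


def is_allowed(url, granted, rules=RULES, lowercase=True):
    """RoleVoter semantics: access if the caller holds any required role.
    An unmatched URL is public unless rejectPublicInvocations is enabled."""
    needed = required_roles(url, rules, lowercase)
    return True if needed is None else bool(needed & set(granted))


def unreachable_rules(rules):
    """Indexes of rules listed after a '/**' catch-all; they can never be
    the first match, so their role lists are dead configuration."""
    dead, catch_all_seen = [], False
    for i, (pattern, _) in enumerate(rules):
        if catch_all_seen:
            dead.append(i)
        if pattern == "/**":
            catch_all_seen = True
    return dead


# The three <authz:authorize> modes from the JSP slide.
def if_any_granted(listed, granted):
    return bool(set(listed) & set(granted))


def if_all_granted(listed, granted):
    return set(listed) <= set(granted)


def if_not_granted(listed, granted):
    return not (set(listed) & set(granted))
```

The lowercase=False path in required_roles shows why the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON flag matters: a differently cased request for the same page would otherwise miss its specific rule and land on the anonymous-friendly catch-all. unreachable_rules is the ordering lint a practitioner would run on a rule list before deploying it.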



iBatis

Data mapping framework

  package ca.ryerson.rms.model;

  public class UserNameSet extends BaseObject {

      private String susername;
      private String lusername;
      private String password;
      private Integer uidn;
      private Owner owner;

      public UserNameSet() {
          super();
      }

      /* getter and setter methods */
  }



iBatis (Cont’d)

  package ca.ryerson.rms.dao.ibatis;

  import org.springframework.orm.ibatis.support.SqlMapClientDaoSupport;
  import ca.ryerson.exception.StoredProcedureAbortedException;
  import ca.ryerson.rms.model.UserNameSet;

  public class UserNameSetDAOiBatis extends SqlMapClientDaoSupport implements UserNameSetDAO {

      public UserNameSet getUserNameSetById(Long id) {
          if (id == null) return null;
          // Runs the mapped statement "getUserNameSetById" with id bound as its parameter
          Object ret = getSqlMapClientTemplate().queryForObject("getUserNameSetById", id);
          return (UserNameSet) ret;
      }
  }



iBatis (Cont’d)

  <resultMap id="UserNameSetResult" class="UserNameSet">
    <result property="susername" column="susername"/>
    <result property="lusername" column="lusername"/>
    <result property="password" column="password"/>
    <result property="uidn" column="uidn"/>
    <result property="owner" column="ownerId" select="getOwnerById"/>
  </resultMap>

  <select id="getUserNameSetById" resultMap="UserNameSetResult">
    SELECT * FROM usernames WHERE id = #id#
  </select>

  <select id="getOwnerById" resultMap="ownerResult">
    SELECT * FROM owners WHERE id = #id#
  </select>

#id# is an iBatis parameter placeholder: the value is bound as a prepared-statement parameter, not spliced into the SQL text the way the $id$ form would be. The select="getOwnerById" attribute makes iBatis run the second statement with each row's ownerId to populate the owner property. Note that the result map also copies the password column onto every UserNameSet it builds; a mapping used for display or self service does not need that column.
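Added example, not RMS code: the usernames and owners tables from the data-model slide (cut down, column types assumed), loaded into an in-memory sqlite3 database with constructed rows, and the two mapped statements run with a bound parameter the way #id# binds one. A $id$-style spliced variant sits beside it so the difference is visible on the same data; the selects also name their columns instead of SELECT * so the password column stays out of the returned object.

```python
import sqlite3

# Added example, not RMS code. The usernames and owners tables from the
# data-model slide, cut down and with assumed column types, loaded into
# in-memory sqlite3 so the two mapped statements can be run. It shows what
# the #id# placeholder buys: the value is bound as a statement parameter,
# whereas the $id$ form would paste it into the SQL text. Rows are constructed.

SCHEMA = """
CREATE TABLE owners (
    id INTEGER PRIMARY KEY, ownertype TEXT, firstname TEXT, lastname TEXT);
CREATE TABLE usernames (
    id INTEGER PRIMARY KEY, ownerid INTEGER NOT NULL REFERENCES owners(id),
    susername TEXT, lusername TEXT, password TEXT, uidn INTEGER);
"""
OWNER_ROWS = [(1, "STUDENT", "Ada", "Lovelace"), (2, "STAFF", "Alan", "Turing")]
USERNAME_ROWS = [(1, 1, "alovelac", "ada.lovelace", "<hash>", 70001),
                 (2, 2, "aturing", "alan.turing", "<hash>", 70002)]


def open_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO owners VALUES (?, ?, ?, ?)", OWNER_ROWS)
    conn.executemany("INSERT INTO usernames VALUES (?, ?, ?, ?, ?, ?)", USERNAME_ROWS)
    return conn


def get_owner_by_id(conn, owner_id):
    """getOwnerById: #id# becomes the bound '?' parameter."""
    row = conn.execute(
        "SELECT id, ownertype, firstname, lastname FROM owners WHERE id = ?",
        (owner_id,)).fetchone()
    if row is None:
        return None
    return dict(zip(("id", "ownertype", "firstname", "lastname"), row))


def get_username_set_by_id(conn, id_):
    """getUserNameSetById with the UserNameSetResult mapping. The owner
    property is filled by a second statement, as select="getOwnerById" does.
    Columns are named instead of SELECT *, so the password column never
    lands on the returned object."""
    if id_ is None:  # mirrors the null check in UserNameSetDAOiBatis
        return None
    row = conn.execute(
        "SELECT id, ownerid, susername, lusername, uidn FROM usernames WHERE id = ?",
        (id_,)).fetchone()
    if row is None:
        return None
    return {"id": row[0], "susername": row[2], "lusername": row[3],
            "uidn": row[4], "owner": get_owner_by_id(conn, row[1])}


def get_username_set_spliced(conn, id_text):
    """What a $id$ mapping amounts to: the caller's text is pasted into the
    statement. Kept only to contrast with the bound form above."""
    sql = "SELECT id, susername FROM usernames WHERE id = " + str(id_text)
    return conn.execute(sql).fetchall()
```

Passing the text "1 OR 1=1" to the bound version finds nothing, because it is compared as a value; passing it to the spliced version returns every row, because it became part of the statement. The second select per row is also the cost of select="getOwnerById": one extra query for each UserNameSet, which matters on list pages.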



Other Tools

Struts
- MVC framework for building servlet/JSP based web applications

Sitemesh
- Web-page layout and decoration framework

AJAX
- Development technique for creating interactive web applications



The Future: To Infinity and Beyond

- Web Services Capable: SOA Ready
- BPEL unified self serve services
- SSO via CAS
- uPortal as the Gateway
- Workflow Engine: OSWorkflow



RMS on the Big Screen

Activation
- https://rms-web.ryerson.ca/activation

Self Service
- https://my.ryerson.ca

Administration
- https://tiger.ryerson.ca:9090/rms-admin



Question & Answer Period

Contact Information:
- Hongbo He, hongbo@ryerson.ca
- Jonathan Sammy, jsammy@ryerson.ca