Incorrect entitlement response returned from Open DACS.

There are two kinds of entitlements in Open DACS:

1. Content Based Entitlements (CBE)

CBE uses DACS lock to control the permission.Normally, the application gets DACS lock from the refresh message of the subscribed item. Then, the application must pass this DACS lock as a parameter (lockData) to Authorization::checkSubscription() method.

108.            authCheckResult = _agent.checkSubscription(_handle, _usage,
109.            		_reqtype,
110.            		authCheckStatus,
111.            		false,
112.            		_serviceName, _itemName, lockData);

2. Subject Based Entitlements (SBE)

SBE uses the subject names to control the permission. For this reason, DACS lock isn't required by SBE.

275.            AuthorizationCheckResult authCheckResult = _agent
276.                    .checkSubscription(_handle, _usage, reqType,
277.                            authCheckStatus, _serviceName, _itemName);

Typically, a service from Elektron is a content based service which requires DACS lock to perform entitlement check. Therefore, if the application perform SBE check (without providing DACS lock) against a content based service, the result is always ACCESS_ALLOWED.

Moreover, Open DACS API doesn't know which items are valid or invalid. It just performs entitlement checks against rules assigned to the users.

In conclusion, to make it behave like TREP, the application needs to have DACS lock of each item. The application can get DACS locks by sending item requests to TREP. DACS lock is in the item's refresh message. Then, the application must pass DACS lock to Authorization::checkSubscription() method to perform CBE check for an item.

For more information, please refer to Open DACS Java tutorials. Please focus on Tutorial 3, 4, and 5.