question

Upvotes
Accepted
1 1 3 7

Incorrect entitlement response returned from Open DACS.

While trying to integrate with Open DACS using the Java API, I am see discrepancy in the entitlement response between Open DACS and TREP. TREP is returning the correct entitlement while Open DACS always return an “allow access” response for all the items (even an invalid RIC) that I pass to the API. Can somebody help?

rfajavaDACSopen-dacs
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

Upvotes
Accepted
45.2k 103 43 60

There are two kinds of entitlements in Open DACS:

1. Content Based Entitlements (CBE)

CBE uses DACS lock to control the permission.Normally, the application gets DACS lock from the refresh message of the subscribed item. Then, the application must pass this DACS lock as a parameter (lockData) to Authorization::checkSubscription() method.

108.            authCheckResult = _agent.checkSubscription(_handle, _usage,
109.            		_reqtype,
110.            		authCheckStatus,
111.            		false,
112.            		_serviceName, _itemName, lockData);

2. Subject Based Entitlements (SBE)

SBE uses the subject names to control the permission. For this reason, DACS lock isn't required by SBE.

275.            AuthorizationCheckResult authCheckResult = _agent
276.                    .checkSubscription(_handle, _usage, reqType,
277.                            authCheckStatus, _serviceName, _itemName);

Typically, a service from Elektron is a content based service which requires DACS lock to perform entitlement check. Therefore, if the application perform SBE check (without providing DACS lock) against a content based service, the result is always ACCESS_ALLOWED.

Moreover, Open DACS API doesn't know which items are valid or invalid. It just performs entitlement checks against rules assigned to the users.

In conclusion, to make it behave like TREP, the application needs to have DACS lock of each item. The application can get DACS locks by sending item requests to TREP. DACS lock is in the item's refresh message. Then, the application must pass DACS lock to Authorization::checkSubscription() method to perform CBE check for an item.

For more information, please refer to Open DACS Java tutorials. Please focus on Tutorial 3, 4, and 5.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.