The Open Service Platform provides some basic support for user authentication and authorization, based on the Poco::OSP::Auth::AuthService interface. The OSP core library itself does not provide an implementation of the AuthService interface. A very simple implementation of the interface is provided by the SimpleAuthService sample, found in the OSP/samples directory.
Poco::OSP::Auth::AuthService only defines two methods, authenticate() and authorize(). The former method is used to authenticate an user based on a user name and credentials/password combination. The latter one is used to verify that a given user has a certain permission.
Authentication in OSP is based on user name and credentials. In the simplest case, the credentials used to authenticate a user consist of a simple password. However, more complex schemes (e.g., based on certificates) are theoretically possible. An implementation of the AuthService normally is based on a database of user names and passwords. The authenticate() member function of a subclass of Poco::OSP::Auth::AuthService has to verify that the given combination of user name and credentials is a valid one. The authenticate() member function is defined as follows:
bool authenticate(const std::string& userName, const std::string& credentials) const;
Authorization in OSP is based on the concept of permissions. In OSP, a permission is a simple string denoting a certain privilege. The authorize() method of Poco::OSP::Auth::AuthService checks whether a user identified by a user name has a certain permission. How user names and permissions are associated is up to the actual implementation of AuthService. The possibilities range from a simple configuration file specifying the permissions for each user name to a sophisticated authorization concept based on user groups and roles. For the most part, OSP does not care about user permissions. For example, the Web bundle allows to specify a required permission for accessing a certain path on the server. How the permission is named is not of interest to the Web library — it simply checks that the user (obtained from HTTP Basic authentication) has the specified permission.
The authorize() member function is defined as follows:
bool authorize(const std::string& userName, const std::string& permission) const;
A very simple implementation of AuthService can be found found in the OSP/samples/SimpleAuthService directory.
The SimpleAuthService only knows two users — "user" and "admin". Any password is valid for "user". The password for "admin" can be set (as clear text) in the global configuration file with the "adminPassword" property, e.g.:
adminPassword = s3cr3t
If no password has been set in the global configuration file, a default password (stored in the bundle's properties) is used. The default password is "admin". The "admin" user has all permissions. The set of permissions for "user" can be set in the global configuration file, using the "userPermissions" property. The permissions are specified as a comma-separated list, e.g.
userPermissions = somePermission, someOtherPermission
The service is registered under the service name "osp.auth".