AuthorizationPlugin Schema

Schema definition for the Authorization Plugin, which provides role-based access control and path-based authorization rules.

Schema Information

Property	Value
Schema URL	`https://rustybeam.net/schema/AuthorizationPlugin`
Parent Schema	https://rustybeam.net/schema/AuthPlugin
Description	Role-based access control with path-specific authorization rules

Properties

Property	Type	Cardinality	Description
authfile	https://rustybeam.net/schema/URL	0..1	Path to HTML file containing user and authorization rule definitions. Supports file:// URLs. Contains User and AuthorizationRule microdata.
name	https://rustybeam.net/schema/Text	0..1	Plugin instance name for logging and identification. Defaults to "authorization" if not specified.

Usage Examples

Basic Authorization Configuration

<tr itemscope itemtype="https://rustybeam.net/schema/AuthorizationPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_authorization.so</span>
    <span itemprop="authfile">file://./auth/users.html</span>
</tr>

Named Authorization Instance

<tr itemscope itemtype="https://rustybeam.net/schema/AuthorizationPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_authorization.so</span>
    <span itemprop="authfile">file://./examples/guestbook/auth/index.html</span>
    <span itemprop="name">guestbook_authz</span>
</tr>

Authorization File Format

The authorization file referenced by authfile should contain User and AuthorizationRule microdata:

<!-- Users with roles -->
<div itemscope itemtype="https://rustybeam.net/schema/Credential">
    <span itemprop="username">admin</span>
    <span itemprop="role">administrator</span>
    <span itemprop="role">user</span>
</div>

<!-- Authorization rules -->
<div itemscope itemtype="https://rustybeam.net/schema/AuthorizationRule">
    <span itemprop="username">admin</span>
    <span itemprop="path">/admin/*</span>
    <span itemprop="action">allow</span>
    <span itemprop="method">GET</span>
    <span itemprop="method">POST</span>
</div>

Security Design
The Authorization Plugin works in conjunction with authentication plugins. It expects users to already be authenticated and checks their permissions against the configured authorization rules. Place authentication plugins before authorization in the plugin pipeline.

Schema Inheritance

This schema inherits from the AuthPlugin schema, which provides:

authfile - Authentication/authorization file path
realm - Authentication realm name

And ultimately from the base Plugin schema, which provides:

library - Plugin library path
plugin - Base plugin reference property

Validation Rules

The authfile property should be a valid file path or file:// URL
Authorization file must contain valid User and AuthorizationRule microdata
The referenced authorization file must be readable by the server
Path patterns in authorization rules support wildcards (*) and regex patterns
The name property should be unique if multiple authorization plugins are used

Plugin Pipeline Placement
The Authorization Plugin should be placed after authentication plugins (like BasicAuth or OAuth2) in the plugin pipeline. It requires users to be already authenticated to determine their permissions.

Access Control Features

Role-Based Access Control: Users can have multiple roles for flexible permission management
Path-Based Rules: Authorization rules can target specific paths with wildcard support
HTTP Method Controls: Different permissions for GET, POST, PUT, DELETE, etc.
CSS Selector Rules: Fine-grained control over specific page elements
Allow/Deny Actions: Explicit permission granting or denial
Dynamic Reloading: Authorization rules can be updated without server restart

Integration with Other Plugins

Basic Auth Plugin: Provides user authentication before authorization checks
Google OAuth2 Plugin: Modern authentication integration with authorization
Redirect Plugin: Can redirect unauthorized users to login pages
File Handler Plugin: Usually placed after authorization to serve authorized content