Mercurial Mercurial > oss > FCL > sf > os > security / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
authorisation/userpromptservice/examples/integration/readme.txt
author Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
Tue, 31 Aug 2010 17:00:08 +0300
branchRCL_3
changeset 95 641f389e9157
parent 8 35751d3474b7
permissions -rw-r--r--
Revision: 201035 Kit: 201035

//
// Copyright (c) Symbian Software Ltd 2007. All rights reserved.
//


*** Overview ***

This directory contains example code that demonstrates how user permission
prompt support(UPS) may be added to a system server. The example code consists of
three components.

*** Components ***

1) tmsgserver 
A simple server that provides an asynchronous API to send messages. Since this
is example code the messages are displayed to the screen.

2) tmsclient 
The client library for tmsgserver.  
No modifications are necessary in order to support user permission prompts.

3) tmsgapp
An example application that sends a number of messages and also tests cancellation. 

No modification was required as a consequence of the UPS integration. However,
in order to allow the test to be run multiple times the UPS management API is
used to delete old decision records for this application.

*** Integration Overview *** 
Whilst the APIs for the UPS are relatively small the integration is slightly
more complicated than might be expected because existing synchronous security
checks must become asynchronous since interaction with the device user is
inherently an asynchronous operation. For example, it would be undesirable to
block the entire network server whilst waiting for the user to respond to a
dialog.

The second factor that must be considered is that in order to make an informed
security decision the user may need to know data about the request they are
authorizing. Consequently, it may be necessary to extract the parameters from
the client application at the security check stage.

Finally, depending on the service and the security requirements of the
manufacturer an operator user prompts may be in addition to the platform
security (e.g. capabilities) checks. Alternatively, user prompts could be used
to allow applications without capabilities limited access to a protected
service. Since most implementations of the CPolicyServer fail the client
immediately if the platsec check fails these checks may have to be modified.

*** Integration Points *** 
If the system server uses the CPolicyServer framework then there are three
candidates for the main integration point.

1) CPolicyServer::CustomSecurityCheckL
This allows an arbitrary and even asynchronous check to be made instead of using
static security policies.

2) CPolicyServer::CustomFailureActionL
This virtual method is invoked if the client fails the static security checks. The
failure may be overridden or deferred. Asynchronous operations are possible.

3) CSession2::ServiceL
The static policy checks could be deferred until the session is created provided that
the server connection API is not guarded by user prompts.

*** Example integration ***
In the example code a combination of (2) and (3) are used because it involves
minimal changes to the existing security policy checks.

**** Steps **** 

1) An RUpsSession object has been added to the CMsgServer class. This is
initialized at startup.

2) CMsgServer::iPolicyElements was changed to cause CustomFailureActionL to be
invoked if the static security policy check fails instead of failing the
client.

3) CMsgServer::CustomFailureActionL notifies the session object that the
platsec check failed. This is important because RUpsSubsession::Authorise
requires this information in order to allow unconfigured systems to be
compatible with platsec. It also increases the flexibility of the UPS policy
definitions.

4) An RUpsSubsession instance is created for each CSession2 object. i.e.
requests from different clients are authorized independently. This could be
modified so that there is one UPS sub-session for each client process instead
of each connection from a client process.

5) An extra state (iAuthorising) was added at the start of the CMsgProcessor
   state machine.

6) The RMessage2 parameters from the client API are now extracted in the
authorization stage to enable the information to be passed to the UPS.

7) CMsgProcessor::DoCancel was updated to cancel the call to
RUpsSubsession::Authorise if the client cancels the sending of the message or
disconnects.

8) CMsgProcessor::RunL now checks whether the request was authorized before
changing from the authorization to the sending state.
FCL/sf/os/security