Presence Server can be configured to work with only one authorization service at a time. Consider the following factors when setting up customized authorization policies.
In proactive authorization, authorization policies are defined in advance to identify which users are and are not authorized to subscribe to given presence data. Presence Server consults the stored permission policies, using the authorization API, to determine whether the requester, or watcher, is authorized to subscribe to a given presentity. If the watcher is not authorized to subscribe, Presence Server notifies the watcher with empty presence data. In that case, Presence Server indicates that the subscribed presentity is unavailable, regardless of the current presence information.
The combination of watcher information and presence authorization rules enables the use of reactive authorization, where authorization occurs through direct user intervention. A user can subscribe to the watcher information for his or her presentity and thus find out when a new watcher is added who is not covered by the existing authorization rules. The user may then add a new authorization rule for the new watcher.
IBM® WebSphere® Presence Server Component allows an authorization service to be registered using AuthorizationServiceManager.registerAuthorizationService.
For each new SUBSCRIBE request, Presence Server invokes AuthorizationService.doSubscribeIsAllowedUser. AuthorizationService.doSubscribeIsAllowedUser subscribes a user to the permission notifications for the subscription.
When the subscription expires, IBM WebSphere Presence Server Component uses AuthorizationService.doUnsubscribeIsAllowedUser to stop receiving notifications on permission policies.
While the subscription to the authorization service is active, IBM WebSphere Presence Server Component will receive notifications of the subscription permissions. IBM WebSphere Presence Server Component examines the notifications returned by AuthorizationRulesListener.onSubscriptionIsAllowed.
Using the data in the AuthorizationRules object, AuthorizationRulesListener.onSubscriptionIsAllowed retrieves an authorization flag that indicates the subscription permission. If the subscription is allowed, IBM WebSphere Presence Server Component gets the current presence information from the database and sends it to the subscriber. If the subscription is not allowed, IBM WebSphere Presence Server Component sends an empty NOTIFY response.
The AuthorizationErrorCodes class defines errors to be sent from Presence Server to an authorization service on a failed registration. As long as the subscription is active, Presence Server continues to receive updates of any changes in the permission policy and reflects these changes in the existing subscriptions.
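The following sketch models the subscribe, notify, and unsubscribe flow described above. It is an added example, not IBM's code: the method names come from this page, but the interfaces are declared locally and their parameters are assumptions, as are PolicyService, setRule, and the constructed SIP URIs and presence body.

```java
import java.util.*;

// Simplified local model. Method names are from the page; signatures are assumed.
public class PresenceAuthFlowModel {
    interface AuthorizationRulesListener {
        void onSubscriptionIsAllowed(String watcher, String presentity, boolean allowed);
    }
    interface AuthorizationService {
        void doSubscribeIsAllowedUser(String watcher, String presentity, AuthorizationRulesListener l);
        void doUnsubscribeIsAllowedUser(String watcher, String presentity);
    }

    // Hypothetical policy store: default deny, pushes rule changes to active subscriptions.
    static class PolicyService implements AuthorizationService {
        private final Set<String> allowed = new HashSet<>();
        private final Map<String, AuthorizationRulesListener> active = new HashMap<>();
        private static String key(String w, String p) { return w + "->" + p; }

        public void doSubscribeIsAllowedUser(String w, String p, AuthorizationRulesListener l) {
            active.put(key(w, p), l);
            l.onSubscriptionIsAllowed(w, p, allowed.contains(key(w, p))); // initial decision
        }
        public void doUnsubscribeIsAllowedUser(String w, String p) { active.remove(key(w, p)); }

        void setRule(String w, String p, boolean allow) {
            if (allow) allowed.add(key(w, p)); else allowed.remove(key(w, p));
            AuthorizationRulesListener l = active.get(key(w, p));
            if (l != null) l.onSubscriptionIsAllowed(w, p, allow);        // policy update
        }
    }

    public static void main(String[] args) {
        // Constructed sample presence record.
        Map<String, String> presenceDb = Map.of("sip:alice@example.com", "<status>open</status>");
        List<String> notifies = new ArrayList<>();
        // Presence Server side: allowed -> current presence, otherwise an empty NOTIFY body.
        AuthorizationRulesListener server = (w, p, ok) ->
            notifies.add("NOTIFY " + w + " body=" + (ok ? presenceDb.getOrDefault(p, "") : ""));

        PolicyService svc = new PolicyService();
        String bob = "sip:bob@example.com", alice = "sip:alice@example.com";
        svc.doSubscribeIsAllowedUser(bob, alice, server); // no rule yet: empty NOTIFY
        svc.setRule(bob, alice, true);                    // reactive rule added: presence sent
        svc.setRule(bob, alice, false);                   // rule revoked: empty NOTIFY again
        svc.doUnsubscribeIsAllowedUser(bob, alice);       // subscription expired
        svc.setRule(bob, alice, true);                    // no active listener: nothing sent
        notifies.forEach(System.out::println);
    }
}
```

The run produces three NOTIFY lines: empty, populated, then empty again. The final rule change after the unsubscribe produces none, and a denied watcher receives the same empty body it would get for a presentity with no presence data.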