SecurityConfiguration.md


1. Protecting the RESTful Endpoints invoked by eCRNow App using security tokens

There are many instances where eCRNow may call a RESTful endpoint hosted by the EHR vendor to hand off an eICR for submission or to handle a Reportability Response. In these cases the EHR vendor may require a specific authorization token to invoke the API. To embed the required authorization token, follow the mechanisms identified below.

For Release 2.X of the App:

Step 1. The EHR vendor has to develop an implementation of the AuthorizationService interface specified in the com.drajer.ecrapp.security package.

A sample implementation is provided in SampleAuthorizationServiceImpl.java

Step 2. Specify the implementation class name in the application.properties file so that it can be injected into the workflow.

The property name is: authorization.service.impl.class

Details of how it works:

The eCRNow App invokes getAuthorizationHeader on your implementation and expects to receive an Authorization header carrying a token that is issued by, and can be introspected by, your AuthorizationServer. Because your implementation class generates the token, it performs the calls needed to issue that token to the eCRNow App, which then uses it to invoke your RESTful API in a secure manner.

For Release 3.X of the App:

Step 1. The EHR vendor has to develop an implementation of the RestApiAuthorizationHeaderIf interface specified in com.drajer.bsa.auth.

A sample implementation is provided in SampleRestApiAuthorizer.java in com.drajer.bsa.auth.impl

Step 2. Specify the implementation class name in the application.properties file so that it can be injected into the workflow.

The property name is: authorization.service.impl.class

Details of how it works:

The eCRNow App invokes getAuthorizationHeader on your implementation and expects to receive an Authorization header carrying a token that is issued by, and can be introspected by, your AuthorizationServer. Because your implementation class generates the token, it performs the calls needed to issue that token to the eCRNow App, which then uses it to invoke your RESTful API in a secure manner.

2. Protecting the eCRNow APIs using security tokens

If you want to protect the eCRNow APIs using security tokens that are sent as part of the HTTP headers when invoking the eCRNow APIs, configure the property token.validator.class in the application.properties file.

This class will be invoked as part of the filter chain and is configured in the WebSecurityConfig.java file in com.drajer.ecrapp.config.

A sample implementation of the OncePerRequestFilter is provided for reference in TokenFilter.java in the com.drajer.ecrapp.security package.
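
As an added illustration (not the project's TokenFilter.java), a OncePerRequestFilter of the kind token.validator.class could name: it rejects any request whose bearer token does not match a configured shared secret and fails closed when no secret is configured. The class name, package, the ECRNOW_API_TOKEN environment variable, the no-argument constructor, the javax.servlet namespace and the shared-secret scheme itself are assumptions; where your authorization server issues the tokens, the comparison would be replaced by a call to it.

```java
// Added example; class, package and environment variable names are hypothetical.
package com.example.ecrnow.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.FilterChain; // assumption: javax.* servlet API (newer Spring uses jakarta.*)
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.web.filter.OncePerRequestFilter;

public class SharedSecretTokenFilter extends OncePerRequestFilter {

  private static final String SCHEME = "Bearer ";
  private final byte[] expectedToken;

  public SharedSecretTokenFilter() {
    // Fail closed: refuse to start without a configured secret.
    String secret = System.getenv("ECRNOW_API_TOKEN");
    if (secret == null || secret.length() < 32) {
      throw new IllegalStateException("ECRNOW_API_TOKEN must be set to at least 32 characters");
    }
    this.expectedToken = secret.getBytes(StandardCharsets.UTF_8);
  }

  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
      FilterChain chain) throws ServletException, IOException {
    String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    // The scheme name is case-insensitive; any other scheme is treated as a missing token.
    if (header == null || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
      reject(response, "Bearer");
      return;
    }
    byte[] presented = header.substring(SCHEME.length()).trim().getBytes(StandardCharsets.UTF_8);
    // MessageDigest.isEqual does not stop at the first differing byte.
    if (!MessageDigest.isEqual(expectedToken, presented)) {
      reject(response, "Bearer error=\"invalid_token\"");
      return;
    }
    chain.doFilter(request, response); // token accepted: continue to the eCRNow API
  }

  private static void reject(HttpServletResponse response, String challenge) throws IOException {
    // The presented token is never echoed back to the caller.
    response.setHeader(HttpHeaders.WWW_AUTHENTICATE, challenge);
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  }
}
```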