Step-by-Step Guide: Updating Demo API to Use Security Common SDK for Authorization

1. Cloning the Repository:

Purpose: To get the Demo API code on your local machine so you can work on it.
Detailed Steps:
- Open your terminal or command prompt:
- On Windows, you can use Command Prompt, PowerShell, or Git Bash.
- On Mac or Linux, you can use Terminal.
- Run the following command to clone the repository:
git clone https://github.com/Optuminsight-Platform/lam-core-authorization-
demo-api.git
- Navigate into the project directory:
cd lam-core-authorization-demo-api

2. Setting Up Your Development Environment:

Purpose: To ensure your project has everything it needs to work, especially the
Security Common SDK.
Detailed Steps:
- Open the project in your IDE:
- If you're using IntelliJ IDEA, VS Code, or Eclipse, you can open the
project by selecting "Open" and then navigating to the `lam-core-authorization-
demo-api` directory.
- Find the dependency file:
- If the project uses Maven, look for a file named `pom.xml` in the root
directory.
- If it uses Gradle, look for a file named `build.gradle`.
- Add the Security Common SDK dependency:
- For Maven (pom.xml):
- Find the <dependencies> section in `pom.xml`.
- Add this code inside the <dependencies> section:
<dependency>
<groupId>com.optum.security</groupId>
<artifactId>security-common-sdk</artifactId>
<version>1.0.0</version>
</dependency>
- For Gradle (build.gradle):
- Find the `dependencies` section in `build.gradle`.
- Add this code inside the `dependencies` section:
implementation 'com.optum.security:security-common-sdk:1.0.0'
- Build the project to download dependencies:
- For Maven:
- Run the following command in your terminal:
mvn clean install
- For Gradle:
- Run the following command:
gradle build

3. Implementing Authorization:
Purpose: To add code that checks if a user is allowed to access certain parts of
the API.
Detailed Steps:
- Open the main code file for the API endpoint:
- Look for files with names like `Controller.java`, `Resource.java`, or
anything that handles requests (usually inside a `src/main/java` directory).
- Import the Security Common SDK in your Java class:
- At the top of the file (usually under other `import` statements), add:
import com.optum.security.common.AuthorizationService;
- Add the `AuthorizationService` to your class:
 - Inside the class (after the `public class YourClassName {` line), add:
@Autowired
private AuthorizationService authorizationService;
- Implement the authorization check in your API method:
- Find the method that handles the request (e.g., `public ResponseEntity<?>
getResource()`).
- Modify it to include the `isAuthorized` check:
public ResponseEntity<?> getResource() {
String resource = "v1/eob";
String action = "READ";

if (authorizationService.isAuthorized(resource, action)) {
// This is where your original code goes to return the resource
return ResponseEntity.ok().body("Access granted to resource");
} else {
// If the user is not authorized, deny access
return ResponseEntity.status(HttpStatus.FORBIDDEN).body("Access
denied");
}
}

4. Setting Up the Role in the Database:

Purpose: To create a role in the database that has permissions to access the
specific resource.
Detailed Steps:
- Access the database:
- Use a tool like MySQL Workbench (for MySQL), pgAdmin (for PostgreSQL), or
any other database client you use.
- Run the SQL commands to set up the role and permissions:
- Open a SQL query window in your database client.
- Copy and paste the following SQL commands:
-- Create a new role called 'Authz-Demo-User'
INSERT INTO roles (name) VALUES ('Authz-Demo-User');

-- Assign permissions to this role for the 'v1/eob' resource

INSERT INTO permissions (role_id, resource, action) VALUES
((SELECT id FROM roles WHERE name = 'Authz-Demo-User'), 'v1/eob',
'CREATE'),
((SELECT id FROM roles WHERE name = 'Authz-Demo-User'), 'v1/eob', 'READ'),
((SELECT id FROM roles WHERE name = 'Authz-Demo-User'), 'v1/eob',
'UPDATE'),
((SELECT id FROM roles WHERE name = 'Authz-Demo-User'), 'v1/eob',
'DELETE');
- Execute these commands to create the role and set its permissions.

5. Testing Your Work:

Purpose: To ensure that the authorization works correctly.
Detailed Steps:
- Start the API server:
- Run the project. In most IDEs, you can click a "Run" button, or use a
terminal command like:
mvn spring-boot:run
- This will start the API so you can test it.
- Use an API testing tool:
- Download and open **Postman** (a popular API testing tool) or use `curl`
from the command line.
- Make requests to the API:
- Test authorized access: Send a request to the API endpoint with a user
that has the `Authz-Demo-User` role.
 - Test unauthorized access: Send a request to the API with a user that does
not have the role.
- Check the responses:
- If everything is set up correctly:
- Users with the role should see a successful response (200 OK).
- Users without the role should see a "403 Forbidden" response.

6. Finalizing Your Changes:

Purpose: To save and share your changes with your team.
Detailed Steps:
- Commit your changes:
- Save all your files and run:
git add .
git commit -m "Added authorization using Security Common SDK"
- This saves your changes to the Git history.
- Push your changes to GitHub:
- Push your changes to the repository:
git push origin <your-branch-name>
- Replace `<your-branch-name>` with the name of your working branch.
- Create a Pull Request:
- Go to GitHub and create a pull request to merge your changes into the main
branch.

7. Review and Merge:

Purpose: To ensure everything is correct and finalize the process.
Detailed Steps:
- Request a code review: Ask your teammates or lead to review your pull
request.
- Address feedback: If they suggest changes, make them.
- Merge the pull request: Once approved, merge your changes.

8. Deploy (If Required):

Purpose: To make the changes live if needed.
Detailed Steps:
- Deploy to a staging environment: Test everything in a staging environment
first.
- Deploy to production: If all tests pass, deploy the changes to production.