|
|
User Management Guide |
This chapter discusses ACL-based authorization, including how it is used in Director software and how it can be used in Web applications. It also provides examples of how to use the Director Security API. This chapter includes the following sections:
For a brief overview of ACL-based authorization, see
ACL-based authorization.
In Director, ACL-based authorization protects subsystem administrative functions and application resource objects that persist across multiple deployments, such as documents, folders, group pages, user pages, and profiles.
The following terms are used in this guide to define Director's ACL-based authorization:
|
Term |
Definition |
|---|---|
|
ACL |
Access Control List. A list of entries that restricts access to a specific element or element type. Each ACL entry associates a principal with a set of permissions. If no ACL is associated with an element or with the element type to which it belongs, access is unrestricted. |
|
Element |
A uniquely identified resource object that is managed by an ACL subsystem and is associated with an element type. |
|
Element type |
A string used to define a group of objects with similar behavior (framework elements such as EbiFolder, EbiDocument, and so on). |
|
Principal |
An authenticated user or group. |
|
Permission |
A type of access to an element, such as READ or WRITE. |
|
ACL subsystem |
A logical unit of security administration. This term can be confusing and is defined in ACLs in the Security subsystem. |
ACLs as provided in the Director Security subsystem are an implementation of the standard Java 1.1 Security interface (java.security.acl.Acl). A quote from the specification is shown below with information regarding negative permissions removed:
In Director, ACLs are stored in a database table.
When a principal tries to access an element, the security manager looks in the ACL associated with the element (or element type) and compares the principal for the session context with the list of authorized principals for the necessary permission.
If there is no ACL entry for a particular permission, the permission is open to all authenticated users. However, if there is at least one ACL entry for a particular permission, the security manager looks for an entry for the principal. If there is no such entry, the security manager denies access to the resource.
This section discusses how ACLs are used in the Director software.
For information about using ACL-based security in other subsystems, including custom subsystems, see
ACLs in your Director applications.
The Security subsystem uses ACLs to define administrative access to the Security service and to each other ACL subsystem. The PAC provides the means to interactively control ACL subsystem administrators.
The Director architecture defines a subsystem as a set of services and APIs that provide some subset of application functionality. However, in the context of ACL-based authorization, the term subsystem has a different meaning. It refers to a method of partitioning ACL-based authorization so that individual subsets of the application resources can be protected separately from the others.
NOTE: To avoid confusion, this chapter refers to subsystems in the context of ACL-based authorization as ACL subsystems.
Some of the default ACL subsystems correspond to Director services, and some do not:
|
Corresponding |
Not corresponding |
|
ContentMgmtService |
General |
|
PortalService |
Locksmith |
|
SearchService |
PortalGroupPages |
|
SecurityService |
User-defined |
|
UserService |
— |
Director includes a set of built-in groups that define administrative access to each ACL subsystem. Here is a general description of access rights for each subsystem administrator group:
The PAC allows you to manage the users in each administrative group by permission.
For more information, see
Using the Security Section of the PAC.
samples\src\com\sssw\portal\pac
under the Director installation directory.
A classic example of how ACLs can be used in Web applications is the Director Content Management subsystem, which uses ACL-based authorization to manage access to directory entries (folders, categories, and documents). The Content Management subsystem interacts with the Security Manager through its own hasAccess method call.
The Content Management subsystem defines five permissions: LIST, PROTECT, READ, WRITE, and PUBLISH but can be modified to use custom ACLs. For example, by subclassing the default Content Manager, you can modify it to call to the Security API, checking for custom permissions such as a CREATE permission that permits or denies the addition of documents to a folder.
The Content Management subsystem allows you to manage its own ACLs through the Portal Management Console (PMC), its Web-based interface. This screen shows ACL-based authorization in the PMC:
For more information, see the chapter on security for the Content Management subsystem" in the Content Management Guide.
The PAC provides the means to interactively control group page element ACLs.
See the section on ACLs for group pages in the Portal Guide.
You can define your own ACLs in your Director application, to protect your own persisted elements. This section discusses some of the concepts.
For a classic example of how ACLs can be used in Web applications, see
ACLs in the Content Management subsystem.
For examples of how to implement your own ACLs, see
Using the Security API.
An element is a uniquely identified resource artifact that is managed by a Director subsystem. Elements persist across the lifetime of the application server — in other words, they are not affected by redeploying the Director EAR. For example, documents and folders in the Content Management subsystem are elements.
Director applications can set and get permissions for securable elements.
An element type is a string used to define a group of objects with similar behavior (framework elements such as EbiFolder, EbiDocument, and so on.) You can apply ACLs to element types as well as to individual elements
Element types are defined as constants in subinterfaces of EbiFrameworkElement. For example, a document in the Content Management subsystem is defined in com.sssw.cm.api.EbiDocument.EL_DOCUMENT. You can use similar constants to define element types for custom subsystems.
The Security subsystem provides a set of built-in element types for each ACL subsystem. Each element type has a set of access rights, which is the list of permissions supported by the element type.
Director includes a set of built-in permissions: CREATE, DELETE, EXECUTE, LIST, PROTECT, PUBLISH, READ, SELECT, UPDATE, and WRITE.
Built-in permissions are hardcoded and cannot be modified using the Security API.
NOTE: Negative permissions are not supported in Director
Each ACL subsystem uses a subset of these built-in permissions. Each permission can have a different meaning in each subsystem.
Director allows you to define your own custom permissions using the Security API. See EbiPermissionMeta in Javadoc.
Custom permissions are stored as XML files in the application database. Do not edit the XML files yourself. Use the Security API.
Custom permissions provide a way to use ACL-based authorization on any level of granularity in your application. For example, you can create a set of custom permissions, each of which permits access to a specific method of a component.
An access right meta object is an API object used to define metadata for associating permissions with a specific element type (or admin type).
This section shows some techniques for using Director's Security API.
This example shows how to get the delegate objects used in the other Security API examples.
For background information on delegates, see the section on accessing subsystem services in the Core Development Guide.
import com.sssw.fw.security.api.*;
//
// Getting delegate objects from a factory must be done within a
// try block.
//
try {
//
// Get a metadata delegate.
//
EbiSecurityMetaDelegate smd =
com.sssw.fw.security.client.EboFactory.getSecurityMetaDelegate();
//
// Get an ACL delegate.
//
EbiSecurityAclDelegate ad =
com.sssw.fw.security.client.EboFactory.getSecurityAclDelegate();
}
//
// Use the delegate objects.
//
}
catch (EboFactoryException e) {
sb.append( e.getMessage() );
}
This example shows how to get an element type and UUID. It is used in the other examples.
// // Get delegates. See "Getting Security API delegates." // // Get the element type metadata from the EbiSecurityMetaDelegate. // EbiElementTypeMeta typeMeta = smd.getElementTypeMeta(context); // // This example uses the PortalAdmin element. // String portalSubSystem = EbiSecurityConstants.SUBSYSTEM_PORTAL_SERVICE; String adminType = typeMeta.getAdminType(portalSubSystem); String adminID = typeMeta.getAdminID(portalSubSystem);
NOTE: Element type names are defined as constants in subinterfaces of EbiFrameworkElement. For example, a document in the Content Management subsystem is defined in com.sssw.cm.api.EbiDocument.EL_DOCUMENT.
This example shows how to get a list of the permissions that can be granted to an element.
// // Get delegates. See "Getting Security API delegates." // // Get the element type. See "Getting an element type and id." // // Get the EbiAccessRightMeta object for the element type. // EbiAccessRightMeta meta = smd.getAccessRightMeta(context, adminType); // // Retrieve the list of permissions. // String[] rights = meta.getPermissionNames(); for (int i = 0; i < rights.length; i++) { sb.append( rights[i] );
This example shows how to get a list of principals that have a specific permission for an element. It gets a list of principals assigned to the PROTECT permission for the PortalAdmin element.
import java.security.*;
//
// Get delegates. See "Getting Security API delegates."
//
// Get the element type. See "Getting an element type and id."
//
// Get the principals for a specific permission type.
//
Principal [] prins = null;
prins = ad.getPrincipalsFromAcl(context, adminID, adminType,
EbiPermission.PROTECT);
for (int i = 0; i < prins.length; i++) {
sb.append( prins[i].toString() );
For other elements, use the appropriate element type field, as described in
Using the Security API.
This code shows how to get the string representation of an ACL:
import java.security.*;
//
// Get delegates. See "Getting Security API delegates."
//
// Get the element type. See "Getting an element type and id."
//
// Get the contents of the ACL in the form of a string
//
Acl adacl = ad.getAcl(context, adminID, adminType);
String adaclcontent = adacl.toString();
sb.append( adaclcontent );
This code shows how to add a principal to an ACL for an Admin element:
import com.sssw.fw.directory.api.*;
import java.security.*;
//
// Get delegates. See "Getting Security API delegates."
//
// Get the element type. See "Getting an element type and id."
//
// Get a Directory delegate.
//
EbiDirectoryDelegate dd =
com.sssw.fw.directory.client.EboFactory.getDirectoryDelegate();
//
// Get a principal. Must be a valid realm user.
//
Principal user = dd.getUser(context,"SomeUser");
//
// Add the principal to the ACL
//
Principal [] prins = new Principal[1];
prins[0] = user;
ad.addPrincipalsToAcl(context, adminID, adminType, EbiPermission.PROTECT,
prins);
sb.append( "Added " + user.toString() + " PROTECT");
NOTE: This example requires your code to handle the following exceptions in addition to EboFactoryException:
catch (EboSecurityException e) {
sb.append( e.getMessage() );
}
catch (EboException e) {
sb.append( e.getMessage() );
}
When a principal attempts to access an element, the Director security manager looks for a corresponding ACL entry. If none is found, access is unrestricted.
More specifically, for all elements the security manager first checks the Security subsystem ACL for a Locksmith or corresponding admin type entry. After that, validation algorithm varies according to the element or element type.
There are three ways to approach the task:
Write a class that extends the EboSecurityManager class to override the runtime ACL validation logic. For example, you could modify the locksmith ACL metadata to allow additional permissions such as PROTECT, READ, and WRITE.
Completely reimplement EbiSecurityManager. Then change services.xml in:
XWB/DirectorTemplate/Director/library/SecurityService/SecurityService-conf
The service definition looks like this:
<service>
<interface>com.sssw.fw.security.api.EbiSecurityManager
</interface>
<impl-class>com.sssw.fw.security.core.EboSecurityManager
</impl-class>
<description>Security manager that provides authentication
and permission validation
</description>
<max-instances>1</max-instances>
<startup>M</startup>
</service>
Replace EboSecurityManager with the name of your own class.
Add a subsystem to provide a different security API, as described below.
Adding a new subsystem might be necessary when you are trying to integrate Director with a third party security service.
NOTE: This topic goes beyond the scope of this guide. The procedure is only outlined in this section. For detailed information, contact Novell Technical Support.
Add metadata information for the subsystem into the existing Subsystem/ElementType metadata.
com.sssw.fw.security.api.EbiElementTypeMeta, singleton
Call Security Meta Delegate to modify the metadata persistently.
com.sssw.fw.security.api.EbiSecurityMetaDelegate
Create a new Access Right Meta for the administrator type and for any element type that is defined in the Subsystem/ElementType metadata.
com.sssw.fw.security.api.EbiAccessRightMeta
Call Security Meta Delegate to store the metadata object(s) persistently.
Write Custom UI to allow setting ACLs based on the newly created Subsystem's AdminType and ElementTypes by calling the Security ACL delegate.
com.sssw.fw.security.api.EbiSecurityAclDelegate
Add run-time ACL validation logic in your new subsystem by calling the Security delegate.
com.sssw.fw.security.api.EbiSecurityDelegate
userHasAccessRight(context, right, adminID, adminType)
(Notice that Locksmith is checked internally.)
Check element level access (if any)
userHasAccessRight(context, right, elementUUID, elementType)
|
|
User Management Guide |
Copyright © 2000, 2001, 2002, 2003 SilverStream Software, LLC, a wholly owned subsidiary of Novell, Inc. All rights reserved.