Every time the application reaches a point in its execution where application logic or security policy requires the user's rights to be checked before it may proceed, we say the application is about to check the user's access right to some resource. Resources exist only because applications name them and ask the Security Manager to check whether the user has enough rights to continue.
This section of the directory defines what resources are recognized by the FWD security system. Each resource (even the 4 “built-in” resources of FWD) is implemented using a resource plugin, which is listed in the directory in the /security/config/resource-plugins/ path.
Resource plugins fall into the following categories:
- Security Resource and Rights Plug-Ins
- Authentication Plug-Ins
- Password Change Plug-In
- User Account Extensions
- Administration User Interface Extensions
Resource Access Rights
Resource plugins encapsulate all knowledge about what subjects can do with the resources (actions). The exposed part of this knowledge is a set of methods that the application can call. The hidden part of this knowledge is the encoded access rights. The rules of this encoding are shared between all instances of the resource. In other words, the data structure of access rights is associated with a resource type rather than with a specific instance.
For more details on access rights, see the Access Control Lists chapter.
No search algorithm is used when reading the resource-plugins directory sections: all configuration is global to the directory and is found under the /security/config/resource-plugins root node.
The first 4 entries are the standard or built-in FWD resources. The last 2 entries are custom resources.
<node class="container" name="security">
  <node class="container" name="config">
    <node class="strings" name="resource-plugins">
      <node-attribute name="values" value="com.goldencode.p2j.security.SystemResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.security.AdminResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.net.NetResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.directory.DirectoryResource"/>
      <node-attribute name="values" value="com.acme.myapp.security.MyResource"/>
      <node-attribute name="values" value="com.bogus.otherapp.AwesomeResource"/>
    </node>
  </node>
</node>
SystemResource
Implements the "system" abstract resource. Instances of this resource control access to various features of the FWD application. SystemResource recognizes a fixed set of resource instances:
- logon - allows logging on to the FWD server
- context - names security context related events for audit
- change - controls access to the batch editing feature
- shutdown - controls access to the server shutdown
- debug - controls access to the debug level change
This plugin is listed under /security/config/resource-plugins/ with the value com.goldencode.p2j.security.SystemResource.
AdminResource
Implements the "admin" abstract resource. Instances of this resource control access to the named admin functions.
The admin resource implements a hierarchical name space whose nodes have well-known names. Instance names are written the way FWD directory nodes or Unix file system paths are written:
- "/" designates the root admin permissions
- "/console", "/accounts" etc. designate the first-level function groups
- "/accounts/users" etc. narrow down the scope of the function; it may or may not take some additional levels
- a regular expression is allowed at level 1 and below, provided it does not contain the forward slash and yields at least one match
This plugin is listed under /security/config/resource-plugins/ with the value com.goldencode.p2j.security.AdminResource.
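The naming rules above (root "/", one regular expression per level at level 1 and below, no forward slash inside an expression, at least one match) are easy to get subtly wrong when rights are granted. The following Python model is an added example, not FWD's own AdminResource code: the set of admin function names is constructed for the example, and treating a shorter pattern such as "/accounts" as covering everything beneath it is an assumption of the example rather than a rule the page states.

```python
import re

# Constructed model of the admin resource name space described above. This is
# not FWD's own AdminResource implementation; it encodes only the rules the
# page states: "/" is the root, levels are separated by "/", a regular
# expression may appear at level 1 and below, must not contain "/", and must
# match at least one known admin function name. Treating a shorter pattern as
# covering the whole sub-tree beneath it is an assumption of this example.

# Constructed sample of admin function names (assumed, not taken from FWD).
KNOWN_ADMIN_FUNCTIONS = frozenset({
    "/console",
    "/accounts",
    "/accounts/users",
    "/accounts/groups",
    "/accounts/users/passwords",
})


def split_levels(name):
    """Split an instance name or pattern into levels; the root "/" has none."""
    if not name.startswith("/"):
        raise ValueError("admin names must start with '/': %r" % name)
    if name == "/":
        return []
    levels = name[1:].split("/")
    if "" in levels:
        raise ValueError("empty level in admin name: %r" % name)
    return levels


def matches(pattern, function_name):
    """True if the right pattern covers the concrete admin function name.

    Every pattern level is a regular expression that must match the whole
    corresponding level of the function name. The root "/" covers everything;
    a pattern with fewer levels covers everything beneath it (assumption).
    """
    plevels = split_levels(pattern)
    flevels = split_levels(function_name)
    if len(plevels) > len(flevels):
        return False
    return all(re.fullmatch(p, f) is not None for p, f in zip(plevels, flevels))


def validate_pattern(pattern, known=KNOWN_ADMIN_FUNCTIONS):
    """Apply the page's rules to a pattern and return the functions it covers.

    Because levels are split on "/" before compiling, a regular expression can
    never span a level: a slash inside a character class or group simply
    leaves an unbalanced fragment that fails to compile.
    """
    for level in split_levels(pattern):
        try:
            re.compile(level)
        except re.error as exc:
            raise ValueError("bad regular expression %r in %r: %s"
                             % (level, pattern, exc))
    covered = sorted(name for name in known if matches(pattern, name))
    if not covered:
        raise ValueError("pattern %r matches no known admin function" % pattern)
    return covered


def is_allowed(granted_patterns, function_name):
    """Access check: any granted pattern that covers the function allows it."""
    return any(matches(p, function_name) for p in granted_patterns)


if __name__ == "__main__":
    print(validate_pattern("/accounts/us.*"))
    print(is_allowed(["/console", "/accounts/(users|groups)"], "/accounts/groups"))
```

Patterns are validated with validate_pattern() when a right is granted and only checked with is_allowed() afterwards, so an expression that compiles but matches nothing is rejected at grant time rather than silently granting nothing (or, worse, being rewritten by hand into something broader).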
NetResource
Implements the "net" abstract resource. Instances of this resource control access to the server's exported entry points. Instance names form a two-level hierarchy: the top-level name is a group name and the bottom-level name is a member of that group. The syntax for this composite name is group:api.
There are three access modes for NetResource:
- read - get the routing key for group:api;
- write - add a group:api method to the registry (export);
- execute - call a group:api method
This plugin is listed under /security/config/resource-plugins/ with the value com.goldencode.p2j.security.NetResource.
DirectoryResource
Implements the "directory" abstract resource. Instances of this resource control access to the FWD directory objects.
The following are the defined access modes for DirectoryResource:
- enumerate - lists nodes and attributes;
- read - reads nodes and attribute values;
- write - changes nodes and attribute values;
- add - adds new attributes or values to attributes;
- create - creates new nodes and attributes;
- delete - deletes nodes and attributes
This plugin is listed under /security/config/resource-plugins/ with the value com.goldencode.p2j.security.DirectoryResource.
Custom resource plugin
A resource plugin is an implementation of an abstract resource. Methods of the plugin class can be called from the Security Manager and from the application.
When implementing a custom resource, the plugin class must extend the com.goldencode.p2j.security.AbstractResource abstract class. com.goldencode.p2j.security.AbstractResource is a partial implementation of the abstract resource; it implements the Resource interface. The methods from this interface are called by the
At server startup, the Security Manager reads the resource plugin configuration, instantiates each plugin in turn, and calls its describeRights() method to build a registry of resource types. This is how the plugins become known components of the security model.
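Two points above are worth seeing in code: that the access-rights encoding belongs to a resource type rather than to an instance (Resource Access Rights), and that the Security Manager builds its registry of types from what each plugin declares at startup. The following Python model is an added example, not FWD's API or code: the mode names are the ones this page lists for NetResource and DirectoryResource, while the plugin shape, the bit encoding, the ACL layout and the sample entries are assumptions constructed for the example.

```python
# Constructed model of how a resource type encodes access rights as a bit set
# shared by all of its instances, and of the registry the Security Manager
# builds from the plugins at startup. The mode names are the ones the page
# lists for NetResource and DirectoryResource; the plugin shape, the bit
# encoding, the ACL layout and the sample entries are assumptions of this
# example and are not FWD's own API or data.

NET_MODES = ("read", "write", "execute")
DIRECTORY_MODES = ("enumerate", "read", "write", "add", "create", "delete")


class ResourcePlugin:
    """Stand-in for a resource plugin: a type name plus the modes it knows."""

    def __init__(self, name, modes):
        self.name = name
        self.modes = tuple(modes)

    def describe_rights(self):
        """Analogue of describeRights(): declare the modes this type encodes."""
        return self.modes


class ResourceType:
    """Registry entry: one resource type and its mode-to-bit encoding."""

    def __init__(self, name, modes):
        self.name = name
        self.bits = {mode: 1 << i for i, mode in enumerate(modes)}

    def encode(self, modes):
        """Encode a collection of mode names as one integer bit mask."""
        unknown = sorted(set(modes) - set(self.bits))
        if unknown:
            raise ValueError("%s has no mode(s) %s" % (self.name, unknown))
        mask = 0
        for mode in modes:
            mask |= self.bits[mode]
        return mask

    def decode(self, mask):
        """Inverse of encode(): the mode names present in a bit mask."""
        return [mode for mode, bit in self.bits.items() if mask & bit]


def build_registry(plugins):
    """Build the registry of resource types from the configured plugin list."""
    registry = {}
    for plugin in plugins:
        if plugin.name in registry:
            raise ValueError("duplicate resource type %r" % plugin.name)
        registry[plugin.name] = ResourceType(plugin.name, plugin.describe_rights())
    return registry


def parse_net_name(name):
    """Split a NetResource instance name "group:api" into its two levels."""
    group, sep, api = name.partition(":")
    if not sep or not group or not api:
        raise ValueError("net instance name must be group:api, got %r" % name)
    return group, api


def check(registry, acl, resource_type, instance, mode):
    """Access check: is `mode` granted on `instance` of `resource_type`?"""
    rtype = registry[resource_type]
    if resource_type == "net":
        parse_net_name(instance)  # reject malformed names before any lookup
    needed = rtype.encode([mode])  # unknown mode for this type -> ValueError
    granted = acl.get((resource_type, instance), 0)  # absent entry: deny
    return (granted & needed) == needed


# Registry as the Security Manager would build it at startup (constructed).
REGISTRY = build_registry([
    ResourcePlugin("net", NET_MODES),
    ResourcePlugin("directory", DIRECTORY_MODES),
])

# Constructed sample ACL: (resource type, instance name) -> encoded rights.
SAMPLE_ACL = {
    ("net", "orders:submit"): REGISTRY["net"].encode(["read", "execute"]),
    ("directory", "/security/accounts"):
        REGISTRY["directory"].encode(["enumerate", "read"]),
}


if __name__ == "__main__":
    print(check(REGISTRY, SAMPLE_ACL, "net", "orders:submit", "execute"))
    print(REGISTRY["directory"].decode(SAMPLE_ACL[("directory", "/security/accounts")]))
```

Because the bit positions are fixed per type, a mask stored for a "net" instance cannot be reinterpreted against the "directory" encoding without going through the type's own encode()/decode(), and asking for a mode the type never declared fails loudly instead of evaluating to a silent deny or, worse, colliding with another type's bit.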
A custom plugin is listed under /security/config/resource-plugins/ with the fully qualified class name of the plugin as its value.
The following String values can be specified under /security/config/resource-plugins/:
| Option ID | Data Type | Default Value | Required | Details |
|---|---|---|---|---|
| com.goldencode.p2j.security.SystemResource | String | com.goldencode.p2j.security.SystemResource | Yes | Implements the "system" abstract resource |
| com.goldencode.p2j.security.AdminResource | String | com.goldencode.p2j.security.AdminResource | Yes | Implements the "admin" abstract resource |
| com.goldencode.p2j.security.NetResource | String | com.goldencode.p2j.security.NetResource | Yes | Implements the "net" abstract resource |
| com.goldencode.p2j.security.DirectoryResource | String | com.goldencode.p2j.security.DirectoryResource | Yes | Implements the "directory" abstract resource |
| <custom_resource_plugin_class> | String | N/A | No | Represents a customer-specific resource plugin |
© 2004-2017 Golden Code Development Corporation. ALL RIGHTS RESERVED.