Resources

Whenever the application reaches a point in its execution where application logic or security policy requires the user's rights to be checked before it may proceed, we say that the application is about to check the user's access rights to some resource. Resources exist only because applications name them and ask the Security Manager to check whether the user has sufficient rights to continue.

This section of the directory defines which resources the FWD security system recognizes. Each resource, including the four built-in FWD resources, is implemented by a resource plugin that is listed in the directory under the /security/config/resource-plugins/ path.

Plug-ins of the FWD security system fall into the following categories (this section is concerned with the first of them):

  • Security Resource and Rights Plug-Ins
  • Authentication Plug-Ins
  • Password Change Plug-In
  • User Account Extensions
  • Administration User Interface Extensions

Resource Access Rights

Resource plugins encapsulate all knowledge about what subjects can do with the resources (actions). The exposed part of this knowledge is a set of methods that the application can call. The hidden part of this knowledge is the encoded access rights. The rules of this encoding are shared between all instances of the resource. In other words, the data structure of access rights is associated with a resource type rather than with a specific instance.

For more details on access rights see the Access Control Lists chapter.

Search Algorithm

No search algorithm is used when reading the resource-plugins section: the configuration is global to the directory and is found under the /security/config/resource-plugins node.

Example

The first four entries are the standard (built-in) FWD resources; the last two are custom resources.

<node class="container" name="security">
  <node class="container" name="config">
    <node class="strings" name="resource-plugins">
      <node-attribute name="values" value="com.goldencode.p2j.security.SystemResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.security.AdminResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.net.NetResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.directory.DirectoryResource"/>
      <node-attribute name="values" value="com.acme.myapp.security.MyResource"/>
      <node-attribute name="values" value="com.bogus.otherapp.AwesomeResource"/>
    </node>
  </node>
</node>

SystemResource

Implements the "system" abstract resource. Instances of this resource control access to various features of the FWD application. SystemResource recognizes a fixed set of resource instances:

  • logon - allows logging on to the FWD server
  • context - names security context related events for audit
  • change - controls access to the batch editing feature
  • shutdown - controls access to the server shutdown
  • debug - controls access to the debug level change

The plug-in is registered under /security/config/resource-plugins/ with the value com.goldencode.p2j.security.SystemResource.

AdminResource

Implements the "admin" abstract resource. Instances of this resource control access to the named admin functions.

The admin resource implements a hierarchical name space whose nodes have well-known names. Instance names follow the same path syntax as FWD directory nodes or Unix file system objects:

  • "/" designates the root admin permissions
  • "/console", "/accounts" etc. designate the first-level function groups
  • "/accounts/users" etc. narrow the scope of the function; further levels
    may or may not follow
  • a regular expression is allowed at level 1 and below, provided it does
    not contain a forward slash and yields at least one match

The plug-in is registered under /security/config/resource-plugins/ with the value com.goldencode.p2j.security.AdminResource.
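As an added example (not FWD's own code), the following Python models the instance-name rules above: a name is split into levels, every level may be a regular expression that must compile and cannot contain a forward slash, and a name is accepted only if it yields at least one match among the well-known names. The catalogue of well-known names beyond "/console", "/accounts" and "/accounts/users", and the assumption that a granted name covers every function beneath it, are constructed for this example rather than taken from the page.

```python
import re

# Added example, not FWD code: a stand-alone model of the AdminResource
# instance-name rules on this page. That a granted name covers every function
# beneath it (hierarchical semantics) is an assumption of this model.

# Constructed catalogue of well-known admin function names. The page names
# "/console", "/accounts" and "/accounts/users"; the remaining entries are
# placeholders that let the "yields at least one match" rule be exercised.
WELL_KNOWN = (
    "/console",
    "/accounts",
    "/accounts/users",
    "/accounts/groups",
    "/accounts/userprofiles",
)


def split_levels(name):
    """'/' -> [], '/accounts/users' -> ['accounts', 'users']; rejects malformed names."""
    if not name.startswith("/"):
        raise ValueError(f"admin name must start with '/': {name!r}")
    if name == "/":
        return []
    levels = name[1:].split("/")
    if "" in levels:
        raise ValueError(f"empty level in admin name: {name!r}")
    return levels


def covers(granted_levels, target_levels):
    """True if a granted name matches a concrete target name level by level.

    Each granted level is a regex (a literal is a regex matching itself) and is
    compared with fullmatch, so 'users' cannot cover 'userprofiles'. A shorter
    granted name covers deeper targets (the assumed hierarchy); the root, [],
    covers everything.
    """
    if len(granted_levels) > len(target_levels):
        return False
    return all(re.fullmatch(g, t) is not None
               for g, t in zip(granted_levels, target_levels))


def validate_instance_name(name, catalogue=WELL_KNOWN):
    """Return the levels of a valid instance name or raise ValueError.

    Enforces the page's rules: an absolute name, no empty level (hence no
    level can contain '/'), every level compiles as a regex, and the name
    yields at least one match among the well-known names.
    """
    levels = split_levels(name)
    for level in levels:
        try:
            re.compile(level)
        except re.error as exc:
            raise ValueError(f"bad pattern {level!r} in {name!r}: {exc}") from None
    if not any(covers(levels, split_levels(k)) for k in catalogue):
        raise ValueError(f"{name!r} matches no well-known admin function")
    return levels


def is_valid_instance_name(name, catalogue=WELL_KNOWN):
    """Boolean form of validate_instance_name for callers that only need yes/no."""
    try:
        validate_instance_name(name, catalogue)
        return True
    except ValueError:
        return False


def is_permitted(granted_names, requested, catalogue=WELL_KNOWN):
    """May a subject holding granted_names use the concrete function `requested`?

    Patterns are meaningful only on the granting side; the requested name must
    be one of the well-known functions. A malformed grant raises rather than
    being skipped, so an ACL typo fails closed instead of silently widening.
    """
    if requested not in catalogue:
        raise ValueError(f"unknown admin function {requested!r}")
    target = split_levels(requested)
    return any(covers(validate_instance_name(g, catalogue), target)
               for g in granted_names)


if __name__ == "__main__":
    print(is_permitted(["/accounts/user.*"], "/accounts/userprofiles"))  # True
    print(is_permitted(["/accounts/users"], "/accounts/userprofiles"))   # False: anchored match
```

Levels are compared with fullmatch rather than search, so a grant on /accounts/users does not quietly extend to every function whose name merely begins with "users"; a pattern such as /accounts/user.* has to be written deliberately to cover both.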

NetResource

Implements the "net" abstract resource. Instances of this resource control access to the server's exported entry points. Names form a two-level hierarchy, the top level being a group name and the bottom level a member of that group; the syntax of the composite name is group:api.

There are three access modes for NetResource:

  • read - obtain the routing key for a group:api name;
  • write - add a group:api method to the registry (export);
  • execute - call the method

The plug-in is registered under /security/config/resource-plugins/ with the value com.goldencode.p2j.net.NetResource.
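As an added example (not FWD's own code), the following Python models the group:api name syntax and maps the three modes onto a small in-memory export registry: write to export, read to resolve the routing key, execute to call. The registry, the ACL layout, the routing-key format and the subject and entry-point names are assumptions of the example. It shows why write and execute are separate rights: a subject that only calls an entry point should not hold write on it, since write is what decides which method is registered under that name.

```python
# Added example, not FWD code: a stand-alone model of the NetResource name
# syntax (group:api) and its three access modes. The registry, the ACL layout,
# the routing-key format and the subject names are assumptions of this example.

READ, WRITE, EXECUTE = "read", "write", "execute"
MODES = frozenset({READ, WRITE, EXECUTE})


def parse_net_name(name):
    """Split a composite name into (group, api); anything but exactly one ':' is rejected."""
    group, sep, api = name.partition(":")
    if not sep or not group or not api or ":" in api:
        raise ValueError(f"net resource name must be group:api, got {name!r}")
    return group, api


def is_valid_net_name(name):
    try:
        parse_net_name(name)
        return True
    except ValueError:
        return False


class NetRegistry:
    """An export registry whose operations map onto the three NetResource modes.

    acl maps (subject, "group:api") to the set of modes that subject holds:
    write is needed to export, read to resolve the routing key, execute to
    call. Anything not listed is denied.
    """

    def __init__(self, acl):
        self.acl = {}
        for (subject, name), modes in acl.items():
            parse_net_name(name)                  # reject malformed names up front
            unknown = set(modes) - MODES
            if unknown:
                raise ValueError(f"unknown mode(s) {sorted(unknown)} for {name!r}")
            self.acl[(subject, name)] = frozenset(modes)
        self.exports = {}                         # "group:api" -> (routing_key, handler)

    def allowed(self, subject, name, mode):
        return mode in self.acl.get((subject, name), frozenset())

    def _require(self, subject, name, mode):
        parse_net_name(name)
        if not self.allowed(subject, name, mode):
            raise PermissionError(f"{subject!r} lacks {mode} on {name!r}")

    def _exported(self, name):
        if name not in self.exports:
            raise LookupError(f"{name!r} is not exported")
        return self.exports[name]

    def export(self, subject, name, handler):
        """write: add (or replace) the method registered under group:api."""
        self._require(subject, name, WRITE)
        group, api = parse_net_name(name)
        routing_key = f"{group}.{api}"            # assumed routing-key format
        self.exports[name] = (routing_key, handler)
        return routing_key

    def routing_key(self, subject, name):
        """read: resolve group:api to its routing key."""
        self._require(subject, name, READ)
        return self._exported(name)[0]

    def call(self, subject, name, *args):
        """execute: invoke the exported method."""
        self._require(subject, name, EXECUTE)
        return self._exported(name)[1](*args)


def build_demo_registry():
    """Constructed ACL: the service owning orders:list may export it but not
    call it; a client may look it up and call it but not (re)export it."""
    acl = {
        ("orders-service", "orders:list"): {WRITE},
        ("client", "orders:list"): {READ, EXECUTE},
    }
    reg = NetRegistry(acl)
    # constructed sample data standing in for the exported entry point
    orders = [{"id": 1, "total": 9.99}, {"id": 2, "total": 24.50}]
    reg.export("orders-service", "orders:list", lambda limit: orders[:limit])
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    print(reg.call("client", "orders:list", 1))   # [{'id': 1, 'total': 9.99}]
    try:
        reg.export("client", "orders:list", lambda limit: [])
    except PermissionError as err:
        print(err)                                # 'client' lacks write on 'orders:list'
```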

DirectoryResource

Implements the "directory" abstract resource. Instances of this resource control access to the FWD directory objects.

The following are the defined access modes for DirectoryResource:

  • enumerate - lists nodes and attributes;
  • read - reads nodes and attribute values;
  • write - changes nodes and attribute values;
  • add - adds new attributes or values to attributes;
  • create - creates new nodes and attributes;
  • delete - deletes nodes and attributes

The plug-in is registered under /security/config/resource-plugins/ with the value com.goldencode.p2j.directory.DirectoryResource.

Custom resource plugin

A resource plugin is an implementation of an abstract resource. Its methods can be called by the Security Manager and by the application.

A custom resource plugin class must extend the com.goldencode.p2j.security.AbstractResource abstract class.

com.goldencode.p2j.security.AbstractResource is a partial implementation of an abstract resource and implements the Resource interface; the methods of that interface are the ones the Security Manager calls.

At server startup the Security Manager reads the resource plugin configuration, instantiates each plugin in turn, and calls its getTypeName(), getLibrary(), registeredAs(int) and describeRights() methods to build a registry of resource types. This is how plugins become known components of the security model.

The plug-in is registered under /security/config/resource-plugins/ with the fully qualified class name of the custom resource plugin as the value. Because the server instantiates whatever classes are named here, write access to this node amounts to the ability to load code into the server; protect it like any other code-loading configuration.

For more details on how to create a resource plugin see the Runtime Hooks and Plug-Ins chapter of the Developer Guide.
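As an added example (not FWD's own code), the following Python reads a /security/config/resource-plugins node in the XML layout used on this page and reports built-in plug-ins that are missing, values that are duplicated or are not well-formed class names, and the custom plug-ins that remain. The sample fragment is constructed for the example and deliberately omits NetResource; the class-name pattern is a generic Java fully-qualified-name check, not something FWD itself performs.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not FWD code: read the /security/config/resource-plugins node
# from a directory fragment in the XML layout shown on this page and report
# what is missing, duplicated, malformed or custom. The sample fragment is
# constructed for this example.

BUILTIN = (
    "com.goldencode.p2j.security.SystemResource",
    "com.goldencode.p2j.security.AdminResource",
    "com.goldencode.p2j.net.NetResource",
    "com.goldencode.p2j.directory.DirectoryResource",
)

# Shape of a Java fully qualified class name (package.Class); anything else
# cannot be a plugin class and is flagged rather than silently kept.
FQCN = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")

SAMPLE = """\
<node class="container" name="security">
  <node class="container" name="config">
    <node class="strings" name="resource-plugins">
      <node-attribute name="values" value="com.goldencode.p2j.security.SystemResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.security.AdminResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.directory.DirectoryResource"/>
      <node-attribute name="values" value="com.acme.myapp.security.MyResource"/>
      <node-attribute name="values" value="com.goldencode.p2j.security.AdminResource"/>
      <node-attribute name="values" value="not-a-class-name"/>
    </node>
  </node>
</node>
"""


def child_node(parent, name):
    """Return the <node name=...> child of parent, or raise if it is absent."""
    for child in parent.findall("node"):
        if child.get("name") == name:
            return child
    raise ValueError(f"directory node {name!r} not found under {parent.get('name')!r}")


def resource_plugins(xml_text):
    """Return the plugin class names listed at /security/config/resource-plugins."""
    root = ET.fromstring(xml_text)
    if root.tag != "node" or root.get("name") != "security":
        raise ValueError("fragment must start at the 'security' node")
    node = child_node(child_node(root, "config"), "resource-plugins")
    if node.get("class") != "strings":
        raise ValueError("resource-plugins must be a 'strings' node")
    return [attr.get("value", "") for attr in node.findall("node-attribute")
            if attr.get("name") == "values"]


def check_plugins(values):
    """Classify the configured values; order within each list follows the config."""
    seen, duplicates, malformed, custom = set(), [], [], []
    for v in values:
        if v in seen and v not in duplicates:
            duplicates.append(v)
        seen.add(v)
        if not FQCN.match(v):
            if v not in malformed:
                malformed.append(v)
        elif v not in BUILTIN and v not in custom:
            custom.append(v)
    missing = [b for b in BUILTIN if b not in seen]
    return {"missing": missing, "duplicates": duplicates,
            "malformed": malformed, "custom": custom}


if __name__ == "__main__":
    for key, items in check_plugins(resource_plugins(SAMPLE)).items():
        print(f"{key}: {items}")
```

The four built-ins are marked Required in the reference table below, so a missing entry is a configuration error worth catching before start-up; the custom list is the set of classes a reviewer has to account for, since each one becomes part of the security model the moment the server loads it.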

Reference

The following String values can be specified under /security/config/resource-plugins/:

| Option ID | Data Type | Default Value | Required | Details |
| --- | --- | --- | --- | --- |
| com.goldencode.p2j.security.SystemResource | String | com.goldencode.p2j.security.SystemResource | Yes | Implements the "system" abstract resource |
| com.goldencode.p2j.security.AdminResource | String | com.goldencode.p2j.security.AdminResource | Yes | Implements the "admin" abstract resource |
| com.goldencode.p2j.net.NetResource | String | com.goldencode.p2j.net.NetResource | Yes | Implements the "net" abstract resource |
| com.goldencode.p2j.directory.DirectoryResource | String | com.goldencode.p2j.directory.DirectoryResource | Yes | Implements the "directory" abstract resource |
| <custom_resource_plugin_class> | String | N/A | No | Represents a customer-specific resource plugin |

© 2004-2017 Golden Code Development Corporation. ALL RIGHTS RESERVED.