Using the Security Filter and security Publication Resource
To use the security module, you have to add the filter com.ndc.auth.filter.SecurityFilter to your web application's web.xml file. Its init-params name the pages the filter sends the user to (login, error and unauthorized). Declaring the filter is not enough on its own: it must also be mapped to the URLs it is meant to protect with a filter-mapping element, because a filter that is declared but never mapped is never invoked.
    <filter>
      <filter-name>securityFilter</filter-name>
      <filter-class>com.ndc.auth.filter.SecurityFilter</filter-class>
      <init-param>
        <param-name>login</param-name>
        <param-value>/login.jsp</param-value>
      </init-param>
      <init-param>
        <param-name>error</param-name>
        <param-value>/error.jsp</param-value>
      </init-param>
      <init-param>
        <param-name>unauthorized</param-name>
        <param-value>/unauthorized.jsp</param-value>
      </init-param>
    </filter>
The security filter checks the logged in user's privileges or permissions on content items and sections based on the parameters found in the HTTP request.
The security rules are configured in the /escenic/plugin/community/security resource. A working example of the security resource is shipped at $VCE_HOME/misc/contrib/publication/META-INF/escenic/publication-resources/escenic/plugin/community/security and is a good starting point for building your own configuration.
Here is an example of a security element inside a security resource file:

    <security>
      <action pattern="message/text/add"/>
      <action pattern="group/membership/request" user="true"/>
      <action pattern="blog/save" author="true"/>
    </security>
The child elements of the security element are action and ajax. Both accept a pattern attribute. Each action element describes one rule for security checking. The value of the pattern attribute is an Ant-like pattern string that is matched against the last part of the request URI (for Struts actions, this is the action name).
Here are some examples of how to use asterisk (*) in pattern strings for wildcard matching.
| Pattern | Matched action names |
|---|---|
| delete | delete |
| delete* | delete, deleteBlog |
| *Blog | createBlog, deleteBlog |
| delete*Image | deleteImage, deleteAllImage, deleteAlbumImage |
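The following is an added example, not code from the security module itself, that models the wildcard matching described above so you can test a pattern against a list of action names before putting it in the security resource. The exact semantics are an assumption based on the page's "Ant-like" description: `*` matches within one path segment, `**` matches across segments, `?` matches one character, and the pattern is anchored to the end of the request path on a segment boundary. The pool of action names is constructed for the example; how the real filter derives the action name from a Struts URL (for instance by stripping a `.do` suffix) is not described on the page and is not modelled.

```python
import re

# Constructed pool of action names covering the rows of the table above.
ACTION_NAMES = [
    "delete", "deleteBlog", "createBlog",
    "deleteImage", "deleteAllImage", "deleteAlbumImage", "createImage",
]


def ant_to_regex(pattern):
    """Translate an Ant-style pattern into a compiled regex.

    Assumed semantics (the page only says "Ant like"): '*' matches any run of
    characters inside one path segment, '**' matches across segments, '?'
    matches a single character; everything else is literal.  The pattern is
    anchored to the *end* of the request path and must start on a segment
    boundary, which is how "the last part of the request URI" is read here.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile(r"(?:^|/)" + "".join(parts) + r"$")


def matches(pattern, request_path):
    """True if the rule pattern applies to this request path / action name."""
    return ant_to_regex(pattern).search(request_path) is not None


def matching_actions(pattern, names=ACTION_NAMES):
    """All action names from the pool that the pattern would protect."""
    return [name for name in names if matches(pattern, name)]


if __name__ == "__main__":
    for pattern in ("delete", "delete*", "*Blog", "delete*Image"):
        print(f"{pattern:14} -> {matching_actions(pattern)}")
    # Multi-segment patterns such as those in the security resource example
    # match the tail of the full request path, on a segment boundary only:
    print(matches("blog/save", "/community/blog/save"))        # True
    print(matches("blog/save", "/community/myblog/save"))      # False
    print(matches("blog/save", "/community/blog/save/draft"))  # False
```

Note that `delete*` also matches `deleteImage` and the other image actions in the pool; the table lists only a few of the names each pattern matches, so a broad pattern can silently cover more actions than intended, which is exactly what this kind of check is for.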
The action elements can also have user and author attributes, and can contain permission elements.
See details on the syntax of the security resource in community-security. You can validate your security resource with the RELAX NG schema file $VCE_HOME/documentation/schemas/community-security.rng.
Here are some examples of security rule definitions in the security resource. Note that every rule identifies its target (user, article or section) only through a request parameter, so a rule protects an action only if the action reads its target from the same parameter the filter checks.

| Description | Required request parameter | Action tag syntax | Fails if |
|---|---|---|---|
| Check whether a logged in user is performing the action | (none) | `<action pattern="..."/>` | No user object could be found in the session, i.e. no user is logged in |
| Check whether the user himself is performing an action that deals with the user's own personal state. This type of configuration can be used for requests where the action is performed on the user whose ID is given by a request parameter | the user ID parameter | `<action pattern="..." user="true"/>` | The value of the user ID request parameter is not the ID of the logged in user |
| Check whether the logged in user is the author of the article dealt with in the action | the article ID parameter | `<action pattern="..." author="true"/>` | The logged in user is not the author of the article identified by the article ID request parameter |
| Check whether the logged in user has a certain permission on a section | the section ID parameter | `<action pattern="..."><permission .../></action>` | The logged in user does not have the permission required for this action on the section identified by the section ID request parameter |
| Check whether the logged in user has a certain permission on an article | the article ID parameter | `<action pattern="..."><permission .../></action>` | The logged in user does not have the permission required for this action on the home section of the article identified by the article ID request parameter |
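To make the decision table concrete, here is an added example (not the security module's code) that parses a security resource like the one above and evaluates a request against it, returning the page the user would be sent to. It assumes the parameter names userId, articleId and sectionId (the page only says the target is identified by a request parameter), assumes the first matching action rule wins and that unmatched actions are not checked, assumes a name attribute on permission elements, and uses the login and unauthorized pages from the web.xml example for the two failure modes. The rule file, the article and the permission grants are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed security resource: the page's three rules plus one rule that
# requires a permission.  The permission name "publish" and the name attribute
# on <permission> are assumptions for this example.
SECURITY_XML = """<security>
  <action pattern="message/text/add"/>
  <action pattern="group/membership/request" user="true"/>
  <action pattern="blog/save" author="true"/>
  <action pattern="article/publish">
    <permission name="publish"/>
  </action>
</security>"""

# Destinations taken from the web.xml init-params on this page.  Which page
# the real filter chooses for which failure is an assumption here.
LOGIN_PAGE = "/login.jsp"
UNAUTHORIZED_PAGE = "/unauthorized.jsp"

# Constructed content and permission data standing in for the CMS.
ARTICLES = {"42": {"author": "alice", "section": "news"}}
GRANTS = {("bob", "news"): {"publish"}}  # (user, section) -> permissions held


def _ant_regex(pattern):
    """'*' matches within one path segment, '**' across segments; the pattern
    must match the end of the request path on a segment boundary (assumed)."""
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile(r"(?:^|/)" + rx + r"$")


def load_rules(xml_text):
    """Parse <action> rules: pattern, user/author flags, <permission> children."""
    rules = []
    for e in ET.fromstring(xml_text).findall("action"):
        rules.append({
            "regex": _ant_regex(e.get("pattern")),
            "user": e.get("user") == "true",
            "author": e.get("author") == "true",
            "permissions": {p.get("name") for p in e.findall("permission")},
        })
    return rules


def check(rules, path, params, session):
    """Return None if the request may proceed, else the page to redirect to.

    `params` is the request parameter map; `session` is {} when nobody is
    logged in.  The parameter names userId/articleId/sectionId are assumptions.
    """
    rule = next((r for r in rules if r["regex"].search(path)), None)
    if rule is None:
        return None           # assumption: unmatched actions are not checked
    user = session.get("user")
    if user is None:
        return LOGIN_PAGE     # every rule requires a logged in user
    if rule["user"] and params.get("userId") != user:
        return UNAUTHORIZED_PAGE
    article = ARTICLES.get(params.get("articleId"))
    if rule["author"] and (article is None or article["author"] != user):
        return UNAUTHORIZED_PAGE
    if rule["permissions"]:
        # Section rules use sectionId; article rules use the article's home section.
        section = params.get("sectionId") or (article["section"] if article else None)
        if not rule["permissions"] <= GRANTS.get((user, section), set()):
            return UNAUTHORIZED_PAGE
    return None


RULES = load_rules(SECURITY_XML)

if __name__ == "__main__":
    print(check(RULES, "/community/message/text/add", {}, {}))                                # /login.jsp
    print(check(RULES, "/community/blog/save", {"articleId": "42"}, {"user": "bob"}))          # /unauthorized.jsp
    print(check(RULES, "/community/article/publish", {"articleId": "42"}, {"user": "bob"}))    # None
```

Walking the table with this model: an anonymous request to message/text/add goes to the login page; bob saving alice's article 42 is refused by the author rule; bob publishing it succeeds only because he holds the publish permission on the article's home section, and alice, who wrote it but holds no grant, is refused.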