Using the Security Filter and Security Publication Resource

To use the security module, you have to add the filter com.ndc.auth.filter.SecurityFilter to your web application's web.xml file:

<filter>
  <filter-name>securityFilter</filter-name>
  <filter-class>com.ndc.auth.filter.SecurityFilter</filter-class>
  <init-param>
    <param-name>login</param-name>
    <param-value>/login.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>error</param-name>
    <param-value>/error.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>unauthorized</param-name>
    <param-value>/unauthorized.jsp</param-value>
  </init-param>
</filter>

The security filter checks the logged-in user's privileges or permissions on content items and sections, based on the parameters found in the HTTP request.

The security rules are configured in the /escenic/plugin/community/security publication resource. A working example of the security resource is shipped in $VCE_HOME/misc/contrib/publication/META-INF/escenic/publication-resources/escenic/plugin/community/security; it is a good starting point for building your own configuration. Here is an example of a security element inside a security resource file:

<security>
  <action pattern="message/text/add"/>
  <action pattern="group/membership/request" user="true"/>
  <action pattern="blog/save" author="true"/>
</security>

The child elements of the security element are action and ajax. Both of them take a pattern attribute. Each action element describes one rule for security checking. The value of the pattern attribute is an Ant-like pattern string that is matched against the last part of the request URI (for Struts actions, this is the action name). Here are some examples of how the asterisk (*) is used as a wildcard in pattern strings:

Pattern         Matched action names
delete          delete
delete*         delete, deleteBlog
*Blog           createBlog, deleteBlog
delete*Image    deleteImage, deleteAllImage, deleteAlbumImage

An action element can also have user and author attributes, and it can contain permission child elements.

See community-security for the full syntax of the security resource. You can validate your security resource with the RELAX NG schema file $VCE_HOME/documentation/schemas/community-security.rng. Here are some examples of security rule definitions in the security resource, each with the request parameter it needs and the condition under which the check fails:

Description: Check whether a logged-in user is performing the action.
Required request parameter: (none)
Action tag syntax:
  <action pattern="message/text/add"/>
Fails if: no user object can be found in the session, that is, no user is logged in.

Description: Check whether the user himself is performing an action that deals with the user's own personal state. This configuration is used for requests where the action is performed on the user whose ID is given by the userId request parameter; only that user should be able to perform the action.
Required request parameter: userId
Action tag syntax:
  <action pattern="group/membership/request" user="true"/>
Fails if: the value of the request parameter userId is not the same as the ID of the logged-in user.

Description: Check whether the logged-in user is the author of the article the action deals with.
Required request parameter: articleId
Action tag syntax:
  <action pattern="blog/save" author="true"/>
Fails if: the logged-in user is not the author of the article identified by the request parameter articleId.

Description: Check whether the logged-in user has a certain permission on a section.
Required request parameters: sectionId, homeSectionId
Action tag syntax:
  <action pattern="/blog/add" author="true">
    <permission>addContent</permission>
  </action>
Fails if: the logged-in user does not have the permission required for this action on the section specified by the request parameter sectionId or homeSectionId.

Description: Check whether the logged-in user has a certain permission on an article.
Required request parameter: articleId
Action tag syntax:
  <action pattern="ReportArticle">
    <permission>report</permission>
  </action>
Fails if: the logged-in user does not have the permission required for this action on the home section of the article specified by the request parameter articleId.
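To make the wildcard table and the rule table above concrete, here is an added Python model of the decisions they describe. It is example code, not the SecurityFilter's own implementation: first-match-wins ordering, the session_user_id / article_author_id / user_permissions stand-ins, and the fourth (wildcard plus permission) rule are all constructed for the example, and how the action name is derived from the request URI is not modelled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed security resource: the page's three rules plus a wildcard/permission rule.
SECURITY_XML = """<security>
  <action pattern="message/text/add"/>
  <action pattern="group/membership/request" user="true"/>
  <action pattern="blog/save" author="true"/>
  <action pattern="delete*Image"><permission>deleteContent</permission></action>
</security>"""

def ant_match(pattern, name):
    """Ant-like wildcard match: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def load_rules(xml_text):
    """Read the action elements of a security resource into plain dicts."""
    rules = []
    for action in ET.fromstring(xml_text).findall("action"):
        rules.append({
            "pattern": action.get("pattern"),
            "user": action.get("user") == "true",
            "author": action.get("author") == "true",
            "permissions": [p.text for p in action.findall("permission")],
        })
    return rules

def check(rules, action_name, params, session_user_id,
          article_author_id=None, user_permissions=frozenset()):
    """Apply the first rule whose pattern matches action_name (first-match-wins is an
    assumption of this model). Returns (pattern, failure); failure is None when the
    request passes, (None, None) means no rule covers the action. session_user_id,
    article_author_id and user_permissions stand in for session/repository lookups."""
    for rule in rules:
        if not ant_match(rule["pattern"], action_name):
            continue
        if session_user_id is None:
            return rule["pattern"], "no user object in the session"
        if rule["user"] and params.get("userId") != str(session_user_id):
            return rule["pattern"], "userId is not the logged-in user"
        if rule["author"] and article_author_id != session_user_id:
            return rule["pattern"], "logged-in user is not the author of articleId"
        missing = [p for p in rule["permissions"] if p not in user_permissions]
        if missing:
            return rule["pattern"], "missing permission: " + ", ".join(missing)
        return rule["pattern"], None
    return None, None
```

Note that an action no rule matches yields (None, None) here; what the real filter does for uncovered actions is not stated on this page, so check your own resource against the RELAX NG schema and cover every action you expose.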