Version 4

    Security is defined per component. Since each component is an MBean, its security is held in a Security attribute whose value is an instance of org.jboss.nukes.security.SecurityMetaData. It is also possible to customize the security at runtime using the Permission module.

     

    Using the permission editor you can define the security of a component; the first page of the editor asks you to choose the component.

     

    -


     

    Once you have chosen a component, you can modify the set of security rules that defines its security. The order of the rules is significant (the first matching rule wins), and the editor lets you move rules up and down. Each rule is made of:

    • A group, which is Anonymous, All, or the name of an existing group.

    • A pattern, which is a regular expression.

    • A level, which is the security level the rule grants.

     

    -


     

    When a component needs to verify a security level, it uses the security API to obtain the current user's level.

    For instance, in the code of the HTML module we find:

    // build the test string for this file and ask the security manager
    // which level the current user holds on it
    Level level = secGetLevel(fileId + "::");
    if (level.greaterOrEquals(Level.ACCESS_EDIT))
    {
       // do something granted for edit level
    }

     

    The value of the expression

    fileId + "::"

    is called the test string; it is matched against the pattern defined in each rule. When this call is made, the security manager walks the rules defined on the HTML module component and does the following:

     

    for each rule, in order:

       if the current rule applies and its pattern matches the test string, return the level of that rule

     

    "The current rule applies" means:

    • if the user is anonymous, the rule applies only if its group is Anonymous or All;

    • otherwise the rule applies if its group is one of the user's groups.

    "The pattern matches" means: the test string matches the rule's pattern, interpreted as a regular expression.

     

    -


     

    Here are some examples of security rule settings. The format is the one used in the XML configuration of a component; the Permission editor shows the same rules, only in a different presentation:

     

    • <permission group='Editors' pattern='/edit/.*::' level='EDIT'></permission>
    • <permission group='Admins' pattern='.*:.*:.*' level='ADMIN'></permission>

     

    The first rule grants the EDIT level to members of the Editors group on every file whose name is prefixed by '/edit/', and the second one gives full power (the ADMIN level) to users of the Admins group.
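    The rule evaluation described above, applied to the two example rules, as an added example in Python (it is not part of the Nukes code base, which is Java): it parses the permission elements from the XML form, walks them in document order and returns the level of the first rule that both applies to the user and whose pattern matches the test string, and it shows why rule order matters when a user belongs to both groups. The level names NONE and VIEW, the ordering of the levels, full-string regular-expression matching, the treatment of All as also covering authenticated users, and returning the lowest level when no rule matches are assumptions made for this example, not facts stated on the page.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Ordered security levels, lowest first. EDIT and ADMIN appear in the page's
# example rules; NONE, VIEW and the relative ordering are assumptions.
LEVELS = ["NONE", "VIEW", "EDIT", "ADMIN"]


def greater_or_equals(level: str, required: str) -> bool:
    """Mirror of Level.greaterOrEquals: is `level` at least `required`?"""
    return LEVELS.index(level) >= LEVELS.index(required)


@dataclass
class Rule:
    group: str    # 'Anonymous', 'All', or the name of an existing group
    pattern: str  # regular expression matched against the test string
    level: str    # level granted when the rule applies and the pattern matches


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


ANONYMOUS = None  # an unauthenticated request carries no User object


def parse_rules(xml: str) -> list:
    """Read <permission .../> elements in document order (order is significant)."""
    root = ET.fromstring("<component>" + xml + "</component>")
    return [Rule(p.get("group"), p.get("pattern"), p.get("level"))
            for p in root.iter("permission")]


def rule_applies(rule: Rule, user) -> bool:
    """'The current rule applies', as the page defines it."""
    if user is ANONYMOUS:
        return rule.group in ("Anonymous", "All")
    # Assumption: 'All' also covers authenticated users.
    return rule.group == "All" or rule.group in user.groups


def pattern_matches(rule: Rule, test_string: str) -> bool:
    # Assumption: the whole test string must match, as Java's Pattern.matches does.
    return re.fullmatch(rule.pattern, test_string) is not None


def get_level(rules: list, user, test_string: str) -> str:
    """Equivalent of secGetLevel: the first applicable rule whose pattern matches wins."""
    for rule in rules:
        if rule_applies(rule, user) and pattern_matches(rule, test_string):
            return rule.level
    return LEVELS[0]  # assumption: no matching rule means the lowest level


# Constructed sample configuration, using the two rules shown on the page.
SAMPLE_XML = """
<permission group='Editors' pattern='/edit/.*::' level='EDIT'></permission>
<permission group='Admins' pattern='.*:.*:.*' level='ADMIN'></permission>
"""

RULES = parse_rules(SAMPLE_XML)


def demo() -> dict:
    editor = User("alice", {"Editors"})
    admin = User("bob", {"Admins"})
    both = User("carol", {"Editors", "Admins"})
    return {
        "editor on /edit/page::": get_level(RULES, editor, "/edit/page::"),
        "editor on /public/page::": get_level(RULES, editor, "/public/page::"),
        "admin on /public/page::": get_level(RULES, admin, "/public/page::"),
        # first matching rule wins: the Editors rule shadows the Admins rule here
        "editor+admin on /edit/page::": get_level(RULES, both, "/edit/page::"),
        "anonymous on /edit/page::": get_level(RULES, ANONYMOUS, "/edit/page::"),
        "admin may edit /public/page::": greater_or_equals(
            get_level(RULES, admin, "/public/page::"), "EDIT"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    Note the "editor+admin" case: because the Editors rule is listed first and its pattern matches, a user who is in both groups gets only EDIT on files under '/edit/' rather than ADMIN. Swapping the two rules in the editor changes that outcome, which is what the page means when it says the order of the rules is important.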

     

    -


     

    In the future the security implementation is likely to change. We want to keep the same concepts, which work well, but move to something closer to the Java security (JAAS) model.

     

    -


     

    Look at NukesSecurity for background on security concepts.