Protecting data beans
Data beans contain information about business objects and are used to display object information on a Web page. Dynamic Web pages are usually mapped to views within WebSphere Commerce, and these views are protected by role-based policies. It is sometimes necessary to further protect the content of the Web page by protecting its data beans, if they exist.
About this task
DataBeanManager.activate(..) method, the data bean managers enforce access control on them. Data beans can be protected directly or indirectly, using the Delegator interface. Directly protected data beans also implement the com.ibm.commerce.security.Protectable interface.
If an indirectly protected data bean does not implement the Delegator interface, or returns a null value for the getDelegate() method, it is not protected and can be displayed by anyone.
The following is an example of a resource-level policy for a data bean:
<Policy Name="AllUsersDisplayOrderDataBeanResourceGroup"
OwnerID="RootOrganization"
UserGroup="AllUsers"
ActionGroupName="DisplayDatabeanActionGroup"
ResourceGroupName="OrderDataBeanResourceGroup"
RelationName="creator"
PolicyType="groupableStandard">
</Policy>
The ActionGroupName, DisplayDatabeanActionGroup, indicates that this policy is a policy for data beans. This action group includes one Display action.
Where:
- Name
- The name of this policy.
- UserGroup
- The access group that contains the users to whom the policy applies. In this case, it includes all users.
- ActionGroupName
- The value DisplayDatabeanActionGroup indicates that it is a resource-level policy for data beans.
- ResourceGroupName
- The name of the resource group that contains the data beans to be protected.
- RelationName
- The relationship that must be fulfilled between a user and the resource. In this case, the user must be the creator of the business Order resource.
The OrderDataBeanResourceGroup is defined as follows:
<ResourceGroup Name="OrderDataBeanResourceGroup"
OwnerID="RootOrganization">
<ResourceGroupResource
Name="com.ibm.commerce.order.beans.OrderListDataBeanResourceCategory"/>
<ResourceGroupResource
Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
</ResourceGroup>
The OrderDataBeanResourceGroup consists of two resources. The following is a sample resource definition for a data bean:
<ResourceCategory
Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
<ResourceAction Name="DisplayDataBean"/>
</ResourceCategory>
Where:
- Name
- A tag used to refer to this resource in the XML file.
- ResourceBeanClass
- The class name of the data bean that is being directly protected. This class must implement the com.ibm.commerce.security.Protectable interface.
- ResourceAction
- An element needed for policy editing in the Administration Console. In this case, this element indicates that Display is the valid action to be performed on this resource.
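The policy, resource group and resource category above form a chain, and a data bean policy only does its job if every link resolves. The following audit script is an added example, not IBM code: it follows that chain in a policy file and reports the breaks. It assumes the definitions sit in one XML document; the `<Policies>` wrapper, the `AllUsersDisplayInvoiceDataBean` policy and the "AllUsers without RelationName" check are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's three fragments wrapped in a root element, plus
# one hypothetical policy (AllUsersDisplayInvoiceDataBean) that is broken on purpose.
SAMPLE = """<Policies>
  <Policy Name="AllUsersDisplayOrderDataBeanResourceGroup" OwnerID="RootOrganization"
          UserGroup="AllUsers" ActionGroupName="DisplayDatabeanActionGroup"
          ResourceGroupName="OrderDataBeanResourceGroup" RelationName="creator"
          PolicyType="groupableStandard"/>
  <Policy Name="AllUsersDisplayInvoiceDataBean" OwnerID="RootOrganization"
          UserGroup="AllUsers" ActionGroupName="DisplayDatabeanActionGroup"
          ResourceGroupName="InvoiceDataBeanResourceGroup" PolicyType="groupableStandard"/>
  <ResourceGroup Name="OrderDataBeanResourceGroup" OwnerID="RootOrganization">
    <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderListDataBeanResourceCategory"/>
    <ResourceGroupResource Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
  </ResourceGroup>
  <ResourceCategory Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
                    ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
    <ResourceAction Name="DisplayDataBean"/>
  </ResourceCategory>
</Policies>"""

def audit_databean_policies(xml_text):
    """Return (policy_name, finding) tuples for data bean policies that do not resolve."""
    root = ET.fromstring(xml_text)
    groups = {g.get("Name"): [r.get("Name") for r in g.iter("ResourceGroupResource")]
              for g in root.iter("ResourceGroup")}
    categories = {c.get("Name"): c for c in root.iter("ResourceCategory")}
    findings = []
    for p in root.iter("Policy"):
        if p.get("ActionGroupName") != "DisplayDatabeanActionGroup":
            continue  # not a resource-level policy for data beans
        name, group = p.get("Name"), p.get("ResourceGroupName")
        if p.get("UserGroup") == "AllUsers" and not p.get("RelationName"):
            findings.append((name, "AllUsers policy has no RelationName"))
        if group not in groups:
            findings.append((name, f"resource group {group} is not defined"))
            continue
        for res in groups[group]:
            cat = categories.get(res)
            if cat is None:  # group member with no resource definition in this file
                findings.append((name, f"no ResourceCategory for {res}"))
            elif not cat.get("ResourceBeanClass"):
                findings.append((name, f"{res} has no ResourceBeanClass"))
    return findings

if __name__ == "__main__":
    for policy, finding in audit_databean_policies(SAMPLE):
        print(f"{policy}: {finding}")
```

On the sample, the page's own policy is reported once, because only one of its two resource categories is defined in the fragments shown; the constructed policy is reported twice.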