Implementing access control

The resources that web services act upon are nouns, which are represented by generated SDOs. This lesson contains a brief overview of how access control policy works for BOD service modules.

About this task

For Get requests, the XPath search expression that returns data for a particular access profile is authorized using an action, an action group, and a policy. An access profile is defined by an action:
<Action Name="GetProject.MyCompany_Admin_Summary"
	CommandName="GetProject.MyCompany_Admin_Summary" />
<Action Name="GetProject.MyCompany_Store_Summary"
	CommandName="GetProject.MyCompany_Store_Summary" />
An action group contains all the access profiles the group can use:
<ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup"
    OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Store_Summary" />
</ActionGroup>
<ActionGroup Name="Project-Project-ProjectManagers-AccessProfileActionGroup"
    OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Admin_Summary" />
</ActionGroup>
Finally, define a policy using the action group:
<!--  the all users access profile access control policy -->
<Policy Name="Project-Project-AllUsers-AccessProfilePolicy"
	OwnerID="RootOrganization" UserGroup="AllUsers"
	ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup"
	ResourceGroupName="AccessProfileResourceGroup"
	PolicyType="groupableStandard" />
<!-- the project manager access profile access policy -->
<Policy Name="Project-Project-ProjectManagers-AccessProfilePolicy"
	OwnerID="RootOrganization" UserGroup="RecipeManagers"
	ActionGroupName="Project-Project-ProjectManagers-AccessProfileActionGroup"
	ResourceGroupName="AccessProfileResourceGroup"
	PolicyType="groupableTemplate" />
After the nouns are retrieved for a Get request, the access control filter checks whether the caller is permitted to display each returned noun; only nouns that pass this check are returned.
<!--  all user action group which contains read and change actions -->
<ActionGroup Name="Project-Project-AllUsers-ActionGroup" OwnerID="RootOrganization">
  <ActionGroupAction Name="DisplayResourceAction"/>
  <ActionGroupAction Name="ChangeResourceAction"/>
</ActionGroup> 
For Change, Sync, and Process requests, performing an operation on the specified noun is authorized using an action, an action group, and a policy. An action is defined for each request type:
<!-- read action (Get request) -->
<Action Name="DisplayResourceAction" CommandName="Display"/>
<!-- change action (Change request) -->
<Action Name="ChangeResourceAction" CommandName="Change"/>
<!-- process actions (Process request) -->
<Action Name="AddResourceAction" CommandName="Add"/>
<Action Name="DeleteResourceAction" CommandName="Delete"/>
<Action Name="CreateResourceAction" CommandName="Create"/>
An action group contains all the actions that the group can use:
<!-- all project managers action group process actions -->
<ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="AddResourceAction"/>
    <ActionGroupAction Name="DeleteResourceAction"/>
    <ActionGroupAction Name="CreateResourceAction"/>
</ActionGroup>
Finally, define a policy using the action group:
<!-- the project manager creator policy -->
<Policy Name="Project-Project-ProjectManagers-CreatorPolicy"
	OwnerID="RootOrganization" UserGroup="RecipeManagers"
	ActionGroupName="Project-Project-ProjectManagers-ActionGroup"
	ResourceGroupName="Project-Project-ResourceGroup"
	RelationName="creator" PolicyType="groupableTemplate" />
Note: For more information, see Access control in the BOD command framework.
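The action, action group, and policy fragments above only grant something once they are resolved together: a policy names a user group and an action group, the action group names actions, and each action maps to a command. Before loading a policy file with acpload it is worth resolving those references offline to see exactly which user group ends up with which command on which resource group, and to catch references to actions or groups that were never defined. The following script is an added example, not part of the tutorial or of WebSphere Commerce; it joins the lesson's fragments into one constructed document (the <Policies> wrapper element, and the extra undefined ArchiveResourceAction used to exercise the dangling-reference check, are assumptions) and reports the effective grants.

```python
"""Resolve and audit a WebSphere Commerce style access-control policy XML.

Added example (not the tutorial's own code): joins Action, ActionGroup and
Policy elements into effective (user group, command, resource group,
relation) grants and reports dangling references.
"""
import xml.etree.ElementTree as ET

# Constructed sample built from the lesson's fragments. The <Policies> root
# element is an assumption, and ArchiveResourceAction is deliberately left
# undefined so that the dangling-reference check has something to report.
SAMPLE_POLICY_XML = """<Policies>
  <Action Name="GetProject.MyCompany_Admin_Summary" CommandName="GetProject.MyCompany_Admin_Summary"/>
  <Action Name="GetProject.MyCompany_Store_Summary" CommandName="GetProject.MyCompany_Store_Summary"/>
  <Action Name="DisplayResourceAction" CommandName="Display"/>
  <Action Name="ChangeResourceAction" CommandName="Change"/>
  <Action Name="AddResourceAction" CommandName="Add"/>
  <Action Name="DeleteResourceAction" CommandName="Delete"/>
  <Action Name="CreateResourceAction" CommandName="Create"/>

  <ActionGroup Name="Project-Project-AllUsers-AccessProfileActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Store_Summary"/>
  </ActionGroup>
  <ActionGroup Name="Project-Project-ProjectManagers-AccessProfileActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="GetProject.MyCompany_Admin_Summary"/>
  </ActionGroup>
  <ActionGroup Name="Project-Project-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
    <ActionGroupAction Name="AddResourceAction"/>
    <ActionGroupAction Name="DeleteResourceAction"/>
    <ActionGroupAction Name="CreateResourceAction"/>
    <ActionGroupAction Name="ArchiveResourceAction"/>
  </ActionGroup>

  <Policy Name="Project-Project-AllUsers-AccessProfilePolicy" OwnerID="RootOrganization"
          UserGroup="AllUsers"
          ActionGroupName="Project-Project-AllUsers-AccessProfileActionGroup"
          ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableStandard"/>
  <Policy Name="Project-Project-ProjectManagers-AccessProfilePolicy" OwnerID="RootOrganization"
          UserGroup="RecipeManagers"
          ActionGroupName="Project-Project-ProjectManagers-AccessProfileActionGroup"
          ResourceGroupName="AccessProfileResourceGroup" PolicyType="groupableTemplate"/>
  <Policy Name="Project-Project-ProjectManagers-CreatorPolicy" OwnerID="RootOrganization"
          UserGroup="RecipeManagers"
          ActionGroupName="Project-Project-ProjectManagers-ActionGroup"
          ResourceGroupName="Project-Project-ResourceGroup"
          RelationName="creator" PolicyType="groupableTemplate"/>
</Policies>
"""


def load_policy(xml_text):
    """Index the three element kinds: action -> command, group -> actions, policies."""
    root = ET.fromstring(xml_text)
    actions = {a.get("Name"): a.get("CommandName") for a in root.iter("Action")}
    groups = {g.get("Name"): [m.get("Name") for m in g.findall("ActionGroupAction")]
              for g in root.iter("ActionGroup")}
    policies = [dict(p.attrib) for p in root.iter("Policy")]
    return actions, groups, policies


def effective_grants(xml_text):
    """Return sorted (user_group, command, resource_group, relation, policy_name) tuples."""
    actions, groups, policies = load_policy(xml_text)
    grants = set()
    for p in policies:
        for action_name in groups.get(p["ActionGroupName"], []):
            command = actions.get(action_name)
            if command is None:
                continue  # undefined action: reported by find_dangling_references
            grants.add((p["UserGroup"], command, p["ResourceGroupName"],
                        p.get("RelationName", ""), p["Name"]))
    return sorted(grants)


def find_dangling_references(xml_text):
    """Report ActionGroupActions and Policies that point at undefined names."""
    actions, groups, policies = load_policy(xml_text)
    problems = []
    for gname, members in groups.items():
        for m in members:
            if m not in actions:
                problems.append(f"ActionGroup {gname} references undefined Action {m}")
    for p in policies:
        if p["ActionGroupName"] not in groups:
            problems.append(f"Policy {p['Name']} references undefined ActionGroup "
                            f"{p['ActionGroupName']}")
    return problems


def commands_for_group(xml_text, user_group):
    """All commands a user group may run, regardless of resource group or relation."""
    return sorted({g[1] for g in effective_grants(xml_text) if g[0] == user_group})


def unscoped_write_grants(xml_text, write_commands=("Add", "Delete", "Create", "Change")):
    """Write commands granted without a RelationName such as creator."""
    return [g for g in effective_grants(xml_text) if g[1] in write_commands and not g[3]]


if __name__ == "__main__":
    for grant in effective_grants(SAMPLE_POLICY_XML):
        print(grant)
    for problem in find_dangling_references(SAMPLE_POLICY_XML):
        print("WARNING:", problem)
    print("unscoped write grants:", unscoped_write_grants(SAMPLE_POLICY_XML))
```

Running it on the constructed sample shows that AllUsers can only run the Store_Summary access profile while RecipeManagers gets the Admin_Summary profile and the Add, Delete and Create commands, the latter scoped by the creator relation, and that the undefined ArchiveResourceAction is flagged rather than silently ignored. To audit a real file, read the XML from WCDE_installdir\xml\policies\xml\ instead of the embedded sample.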

Procedure

  1. Review the access control policy concepts provided in this lesson.
  2. On the Server page, right-click the WebSphere Commerce Test Server and select Publish.
  3. Create a role "Recipe Manager" through Organization Administration Console.
  4. Add the Recipe Manager role to the following organizations:
    • Extended Sites Organization
    • Asset Store Organization (Parent is Extended Sites Organization)
    • Extended Sites Organization Sample Store (Recipe Tutorial)
  5. Load the access control policy:
    1. Stop the WebSphere Commerce test server.
    2. Go to the temporary directory where you extracted the RecipeServices.zip file. Copy all the files in the policies\xml folder to the WCDE_installdir\xml\policies\xml\ folder.
    3. In a command prompt, go to WCDE_installdir\bin.
    4. Run the following commands:
      Apache Derby:
        acugload Project-UserGroup.xml
        acpload Project-access-control.xml
      DB2:
        acugload development_db db_user db_password Project-UserGroup.xml db_schema
        acpload development_db db_user db_password Project-access-control.xml db_schema
  6. Import the provided ProtectableProxy class that contains the authorization methods:
    1. In the Enterprise Explorer view, expand Project-Server/ejbModule. Right-click the com.mycompany.commerce.project.facade.server.authorization package.
    2. Click Import. Expand General and select File System. Click Next.
    3. Browse to the temporary location where you extracted the RecipeServices.zip file. Browse to the com.mycompany.commerce.project.facade.server.authorization folder.
    4. Select all files. Click Finish.
    5. Click Yes to All to overwrite the existing files.

Results

In this lesson you reviewed how access control policies are defined for the BOD programming model, and loaded a sample access control policy XML file.