Protecting data beans

Data beans contain information about business objects and are used to display object information on a Web page. Dynamic Web pages are usually mapped to views within WebSphere Commerce, and these views are protected by role-based policies. It is sometimes necessary to further protect the content of the Web page by protecting its data beans, if they exist.

About this task

When data beans are populated using the DataBeanManager.activate(..) method, the data bean managers enforce access control on them. Data beans can be protected directly or indirectly, using the Delegator interface. Directly protected data beans also implement the com.ibm.commerce.security.Protectable interface. If an indirectly protected data bean does not implement the Delegator interface, or returns a null value for the getDelegate() method, it is not protected and can be displayed by anyone.
The following is an example of a resource-level policy for a data bean:
<Policy Name="AllUsersDisplayOrderDataBeanResourceGroup"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="DisplayDatabeanActionGroup"
        ResourceGroupName="OrderDataBeanResourceGroup"
        RelationName="creator"
        PolicyType="groupableStandard">
</Policy>

The ActionGroupName, DisplayDatabeanActionGroup, indicates that this policy is a policy for data beans. This action group includes one Display action.

where:
Name
The name of this policy.
UserGroup
The access group that contains the users to whom the policy applies. In this case, it includes all users.
ActionGroupName
The value DisplayDatabeanActionGroup indicates that it is a resource-level policy for data beans.
ResourceGroupName
The name of the resource group that contains the data beans to be protected.
RelationName
The relationship that must be fulfilled between a user and the resource. In this case, the user must be the creator of the business Order resource.
The OrderDataBeanResourceGroup is defined as follows:

<ResourceGroup Name="OrderDataBeanResourceGroup"
        OwnerID="RootOrganization">
        <ResourceGroupResource
                Name="com.ibm.commerce.order.beans.OrderListDataBeanResourceCategory"/>
        <ResourceGroupResource
                Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
</ResourceGroup>

The OrderDataBeanResourceGroup consists of two resources. The following is a sample resource definition for a data bean:

<ResourceCategory
        Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
        ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
        <ResourceAction Name="DisplayDataBean"/>
</ResourceCategory>

where:
Name
A tag used to refer to this resource in the XML file.
ResourceBeanClass
The class name of the data bean that is being directly protected. This class must implement the com.ibm.commerce.security.Protectable interface.
ResourceAction
An element needed for policy editing in the Administration Console. In this case, this element indicates that Display is the valid action to be performed on this resource.