Secured Repository

03:52  ,  No comments

Secured Repositories


The Oracle ATG Web Commerce secured repository system works in conjunction with the Oracle ATG Web Commerce Security System to provide fine-grained access control to repository item descriptors, individual repository items, and individual properties through Access Control List (ACL) settings.

Features:
•    Control access to repository item descriptors: Control who can create, add, remove, and query items defined by an item descriptor; similar to controlling access to a whole database table.
•    Control access to individual repository items: Control who can read, write, destroy, and query a repository item.; similar to controlling access to a single database row.
•    Control access to properties of all repository items in a repository item descriptor: Control who can read or write a property in any repository item defined by an item descriptor; similar to controlling access to a database table column.
•    Control access to properties of an individual repository item: Control who can read or write a particular property in a repository item; similar to controlling the field of a database table row.
•    Limit query results: Control who can receive repository items that are returned by a repository query.
•    Set ownership of a repository item: At creation time, the current user is assigned as the owner of the new repository item. The owner can query a repository item and modify its ACL; otherwise this is simply an association of an identity to an Item.
•    Automatically generate ACLs for new repository items: When a repository item is created, it is assigned an ACL that is constructed out of an ACL fragment and a template for the creator/owner (creator) and each group the owner belongs to.

Creating a Secured Repository
1.    Modify the Underlying Repository:
Add properties to the repository definition as follows

<item-descriptor name=”my”……………. >
….
<property name="item_owner" column-names="item_owner" data-type="string"/>
<property name="item_acl" column-names="item_acl" data-type="string"/>
<property name="secured_property_acl" column-names="secured_property_acl" data-type="string"/>
</item- descriptor>

2.    Configure the Secured Repository Adapter Component:
File name: SecuredMyRepository.properties
# SecuredMyRepository.properties
$class=atg.adapter.secure.GenericSecuredMutableRepository
$scope=global
name=My repository for the secured repository implementation
repositoryName=SecuredMyRepository
# the repository that we're wrapping
repository=MyRepository
# The template file that configures the repository
configurationFile=secured-My-repository.xml
# The security configuration component used by the repository
securityConfiguration=/atg/dynamo/security/SecuredRepositorySecurityConfiguration
# Various Dynamo services we need
XMLToolsFactory=/atg/dynamo/service/xml/XMLToolsFactory
transactionManager=/atg/dynamo/transaction/TransactionManager


3.    Register the Secured Repository Adapter Component:
/atg/registry/ContentRepositories

initialRepositories+=/MyRepository,/SecuredMyRepository

4.    Create the Secured Repository Definition File:
<!-- secured-my-repository.xml -->
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE secured-repository-template
 PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
 "http://www.atg.com/dtds/security/secured_repository_template_1.1.dtd">
<secured-repository-template>
 <item-descriptor name="my">

   <!-- The ACL that applies to the item view/descriptor -->
   <descriptor-acl value="Admin$role$administrators-group:
     read,write,create,delete;Admin$role$everyone-group:read"/>

   <!-- The property where the ownership is stored -->
   <owner-property name="item_owner"/>

   <!-- The property where ACL is stored in -->
   <acl-property name="item_acl"/>

   <!-- An ACL fragment that is assigned to all new items -->
   <creation-base-acl value="Admin$role$administrators-group:
      read,write,list,destroy,read_owner,write_owner,read_acl,write_acl;
      Admin$role$everyone-group:read,list"/>

   <!-- Access rights assigned to the owner when an item is created -->
   <creation-owner-acl-template value="$:read,write,list,destroy"/>

   <!-- Access rights assigned to all owner groups when an item is created. 
        WARNING: This feature can be dangerous. -->
   <creation-group-acl-template value="$:read,list"/>

   <property name="secured_property">
     <!-- The ACL that applies to this property across all repository items -->
     <descriptor-acl value="Admin$role$administrators-group:
        read,write;Admin$role$everyone-group:read"/>

     <!-- The name of the item property where this property's ACL is stored. -->
     <acl-property name="secured_property_acl"/>

     <!-- An ACL fragment assigned to this property when an item is created. -->
     <creation-base-acl value="Admin$role$administrators-group:read,write"/>

     <!-- Access rights assigned to the owner when an item is created -->
     <creation-owner-acl-template value="$:read,write"/>

     <!-- Access rights assigned to all owner groups when an item is created. 
          WARNING: This feature can be dangerous. -->
     <creation-group-acl-template value="$:read,write"/>

   </property>
 </item-descriptor>
</secured-repository-template>

5.    Modify the SQL for the Repository Data Store:
Add following columns to table.
item_owner varchar,
item_acl varchar,
secured_property_acl varchar

6.    Rebuild your EAR.

7.    Modify the Repository Mapping in Admin/Console to map SecuredMyRepository to both MyRepository_staging and MyRepository_production.

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)