Secured Repositories
The Oracle ATG Web Commerce secured repository system works in conjunction with the Oracle ATG Web Commerce Security System to provide fine-grained access control to repository item descriptors, individual repository items, and individual properties through Access Control List (ACL) settings.
Features:
• Control access to repository item descriptors: Control who can create, add, remove, and query items defined by an item descriptor; similar to controlling access to a whole database table.
• Control access to individual repository items: Control who can read, write, destroy, and query a repository item; similar to controlling access to a single database row.
• Control access to properties of all repository items in a repository item descriptor: Control who can read or write a property in any repository item defined by an item descriptor; similar to controlling access to a database table column.
• Control access to properties of an individual repository item: Control who can read or write a particular property in a repository item; similar to controlling the field of a database table row.
• Limit query results: Control who can receive repository items that are returned by a repository query.
• Set ownership of a repository item: At creation time, the current user is assigned as the owner of the new repository item. The owner can query the repository item and modify its ACL; otherwise ownership is simply an association of an identity with an item.
• Automatically generate ACLs for new repository items: When a repository item is created, it is assigned an ACL that is constructed from an ACL fragment plus a template applied to the owner (the creator) and a template applied to each group the owner belongs to.
Creating a Secured Repository
1. Modify the Underlying Repository:
Add the owner and ACL properties to the repository definition as follows:
<item-descriptor name="my" ...>
  ...
  <property name="item_owner" column-names="item_owner" data-type="string"/>
  <property name="item_acl" column-names="item_acl" data-type="string"/>
  <property name="secured_property_acl" column-names="secured_property_acl" data-type="string"/>
</item-descriptor>
2. Configure the Secured Repository Adapter Component:
File name: SecuredMyRepository.properties
# SecuredMyRepository.properties
$class=atg.adapter.secure.GenericSecuredMutableRepository
$scope=global
name=My repository for the secured repository implementation
repositoryName=SecuredMyRepository
# the repository that we're wrapping
repository=MyRepository
# The template file that configures the repository
configurationFile=secured-My-repository.xml
# The security configuration component used by the repository
securityConfiguration=/atg/dynamo/security/SecuredRepositorySecurityConfiguration
# Various Dynamo services we need
XMLToolsFactory=/atg/dynamo/service/xml/XMLToolsFactory
transactionManager=/atg/dynamo/transaction/TransactionManager
3. Register the Secured Repository Adapter Component:
File name: ContentRepositories.properties (component /atg/registry/ContentRepositories)
initialRepositories+=/MyRepository,/SecuredMyRepository
4. Create the Secured Repository Definition File:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- secured-My-repository.xml: the name must match configurationFile in SecuredMyRepository.properties -->
<!DOCTYPE secured-repository-template
  PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
  "http://www.atg.com/dtds/security/secured_repository_template_1.1.dtd">
<secured-repository-template>
  <item-descriptor name="my">
    <!-- The ACL that applies to the item descriptor itself (table-level control) -->
    <descriptor-acl value="Admin$role$administrators-group:read,write,create,delete;Admin$role$everyone-group:read"/>
    <!-- The property where the owner is stored -->
    <owner-property name="item_owner"/>
    <!-- The property where the item ACL is stored -->
    <acl-property name="item_acl"/>
    <!-- An ACL fragment that is assigned to all new items -->
    <creation-base-acl value="Admin$role$administrators-group:read,write,list,destroy,read_owner,write_owner,read_acl,write_acl;Admin$role$everyone-group:read,list"/>
    <!-- Access rights assigned to the owner when an item is created; $ stands for the owner -->
    <creation-owner-acl-template value="$:read,write,list,destroy"/>
    <!-- Access rights assigned to every group the owner belongs to when an item is created.
         WARNING: This feature can be dangerous. -->
    <creation-group-acl-template value="$:read,list"/>
    <property name="secured_property">
      <!-- The ACL that applies to this property across all repository items (column-level control) -->
      <descriptor-acl value="Admin$role$administrators-group:read,write;Admin$role$everyone-group:read"/>
      <!-- The item property where this property's ACL is stored -->
      <acl-property name="secured_property_acl"/>
      <!-- An ACL fragment assigned to this property when an item is created -->
      <creation-base-acl value="Admin$role$administrators-group:read,write"/>
      <!-- Access rights assigned to the owner when an item is created -->
      <creation-owner-acl-template value="$:read,write"/>
      <!-- Access rights assigned to every group the owner belongs to when an item is created.
           WARNING: This feature can be dangerous. -->
      <creation-group-acl-template value="$:read,write"/>
    </property>
  </item-descriptor>
</secured-repository-template>
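The "Automatically generate ACLs" feature and the template above are easier to reason about with a small model of the ACL strings. The following is an added example, not Oracle ATG code: it parses the principal:rights strings used in the template, composes the ACL a new item receives (creation-base-acl, plus the owner template applied to the owner, plus the group template applied to each of the owner's groups), and lints the result for misspelled rights and for sensitive rights handed to a broad principal such as everyone-group. The ACL grammar (`principal:right,right;...`), the meaning of `$` as a placeholder principal, and the principals `Profile$login$alice` and `Profile$group$editors` are assumptions and constructed sample values, not taken from the page.

```python
"""Added example, not Oracle ATG code: model the ACL strings of a
secured-repository-template, compose a new item's ACL, and lint it.

Assumptions (not stated on the page): an ACL string is
'principal:right,right;principal:right', and '$' in a template is a
placeholder principal replaced by the owner (owner template) or by each
group the owner belongs to (group template).
"""

# Right names the page lists for each level of control.
DESCRIPTOR_RIGHTS = {"read", "write", "create", "delete"}
ITEM_RIGHTS = {"read", "write", "list", "destroy",
               "read_owner", "write_owner", "read_acl", "write_acl"}
PROPERTY_RIGHTS = {"read", "write"}

# Rights that destroy an item or change who may access it; a broad
# principal holding any of these defeats the purpose of a per-item ACL.
SENSITIVE_RIGHTS = {"write_acl", "write_owner", "destroy", "delete"}

# Values taken from the template on this page.
PAGE_BASE_ACL = ("Admin$role$administrators-group:read,write,list,destroy,"
                 "read_owner,write_owner,read_acl,write_acl;"
                 "Admin$role$everyone-group:read,list")
PAGE_OWNER_TEMPLATE = "$:read,write,list,destroy"
PAGE_GROUP_TEMPLATE = "$:read,list"


def parse_acl(acl):
    """Parse 'p1:r1,r2;p2:r3' into {principal: set_of_rights}."""
    result = {}
    for entry in acl.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        principal, sep, rights = entry.partition(":")
        principal = principal.strip()
        rights = {r.strip() for r in rights.split(",") if r.strip()}
        if not sep or not principal or not rights:
            raise ValueError(f"malformed ACL entry: {entry!r}")
        result.setdefault(principal, set()).update(rights)
    return result


def format_acl(acl):
    """Inverse of parse_acl, with a stable ordering so results can be compared."""
    return ";".join(f"{p}:{','.join(sorted(rs))}" for p, rs in sorted(acl.items()))


def instantiate_template(template, principal):
    """Replace the '$' placeholder principal of a template with a real principal.
    Only a principal that is exactly '$' is replaced, so names such as
    Admin$role$everyone-group are left untouched."""
    return {(principal if p == "$" else p): rs
            for p, rs in parse_acl(template).items()}


def merge(into, more):
    """Union the rights of 'more' into 'into', principal by principal."""
    for principal, rights in more.items():
        into.setdefault(principal, set()).update(rights)
    return into


def compose_creation_acl(base_acl, owner_template, group_template, owner, groups):
    """ACL a new item receives: base fragment, plus the owner template applied
    to the owner, plus the group template applied to each of the owner's groups."""
    acl = parse_acl(base_acl)
    merge(acl, instantiate_template(owner_template, owner))
    for group in groups:
        merge(acl, instantiate_template(group_template, group))
    return acl


def unknown_rights(acl, allowed):
    """One message per right that is not valid at this level (catches typos)."""
    return [f"{p}: unknown right {r!r}"
            for p, rs in sorted(acl.items()) for r in sorted(rs - allowed)]


def risky_grants(acl, broad_principals):
    """(principal, right) pairs where a broad principal holds a sensitive right."""
    return [(p, r) for p in broad_principals
            for r in sorted(acl.get(p, set()) & SENSITIVE_RIGHTS)]


def example_new_item_acl():
    """ACL for an item created by the constructed owner Profile$login$alice,
    who belongs to the constructed group Profile$group$editors."""
    return compose_creation_acl(PAGE_BASE_ACL, PAGE_OWNER_TEMPLATE, PAGE_GROUP_TEMPLATE,
                                "Profile$login$alice", ["Profile$group$editors"])


if __name__ == "__main__":
    acl = example_new_item_acl()
    print(format_acl(acl))
    print("unknown rights:", unknown_rights(acl, ITEM_RIGHTS))
    print("risky grants:", risky_grants(acl, ["Admin$role$everyone-group"]))
```

Running the lint over each `value` attribute of a template before deployment is a cheap check: `unknown_rights` against the right set for the element's level (descriptor, item, or property) catches misspellings, and `risky_grants` with everyone-group as the broad principal shows at a glance whether the group template is handing out more than read and list, which is the case the template's own WARNING comments are about.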
5. Modify the SQL for the Repository Data Store:
Add the following columns to the table that backs the item descriptor (give each varchar a length your database accepts):
item_owner varchar,
item_acl varchar,
secured_property_acl varchar
6. Rebuild your EAR.
7. Modify the Repository Mapping in Admin/Console to map SecuredMyRepository to both MyRepository_staging and MyRepository_production.