Tree Security Examples
Creating a Security Authority
- The internals of how your PermissionsAuthority object works are defined by the programmer,
as long as it implements the PermissionsAuthority interface. The PermissionsAuthority interface
is extremely simple: there is a method hasFQUIDPermission(String). When a request is passed to
the PageManager, the PageManager will query a PermissionsAuthority object, passing the
requested FQUID into the hasFQUIDPermissions method. If that method returns false, the
FQUIDPermissionDenied exception will be thrown; if that method returns true, routing
will be completed.
- For example:
- If a request comes in for FQUID Admin.AddUser, the PageManager will pass a request
to a PermissionsAuthority asking if "Admin.AddUser" access is allowed. How the PermissionsAuthority
determines this is entirely up to the programmer.
- The second part of understanding how the PageManager uses a PermissionsAuthority object is
understanding how the PageManager chooses which PermissionsAuthority to query. There is a method
on the PageManager, setPermissionsAuthorityName(String), which allows you to set the name
under which the PermissionsAuthority object is stored in the current request's session object.
For example, you may add a PermissionsAuthority object to users' sessions when they log
into your application under the name "PA". In this case, the PageManager will pull the
PermissionsAuthority from the WebSession by the name "PA" and query it. If the "PA" object
does not exist in the current WebSession, the PageManager has a default PermissionsAuthority
that it queries instead. This is set with the PageManager's setDefaultPermissionsAuthority method.
Even if you always use a PermissionsAuthority, you should set a defaultPermissionsAuthority. If
somebody who does not have a PermissionsAuthority should only access the login page, then set a
defaultPermissionsAuthority which can only access the login page.
- If you don't
want the PageManager to query the WebSession for the PermissionsAuthority, you can just set
- If you do not set a permissionsAuthorityName or a defaultPermissionsAuthority,
the PageManager will use the DunceFQUIDPermissionsAuthority object for security checks. The
DunceFQUIDPermissionsAuthority always returns true, allowing access to all parts of the
Page Node Tree for all users at all times.
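
The lookup order described above, modelled as an added example (this is not the framework's own code). The local PermissionsAuthority interface, the AllowListAuthority class, the route helper and the "Login" FQUID are assumptions made for illustration; "PA" and "Admin.AddUser" are the names used on this page.

```java
import java.util.Map;
import java.util.Set;

public class AuthorityLookupDemo {
    // Local stand-in for the framework interface (assumed shape: the one method the page names).
    interface PermissionsAuthority {
        boolean hasFQUIDPermission(String fquid);
    }

    // Hypothetical deny-by-default authority: only FQUIDs listed explicitly are allowed.
    static final class AllowListAuthority implements PermissionsAuthority {
        private final Set<String> allowed;
        AllowListAuthority(Set<String> allowed) { this.allowed = Set.copyOf(allowed); }
        @Override public boolean hasFQUIDPermission(String fquid) {
            return fquid != null && allowed.contains(fquid);
        }
    }

    // Models the selection order the page describes: session object, then default, then allow-all.
    static boolean route(Map<String, Object> session, String paName,
                         PermissionsAuthority defaultPa, String fquid) {
        Object stored = (paName == null) ? null : session.get(paName);
        PermissionsAuthority pa;
        if (stored instanceof PermissionsAuthority) pa = (PermissionsAuthority) stored;
        else if (defaultPa != null) pa = defaultPa;
        else pa = f -> true; // same behaviour as DunceFQUIDPermissionsAuthority
        return pa.hasFQUIDPermission(fquid);
    }

    public static void main(String[] args) {
        // Constructed sample data: "Login" is a made-up FQUID for the login page.
        PermissionsAuthority loginOnly = new AllowListAuthority(Set.of("Login"));
        PermissionsAuthority admin = new AllowListAuthority(Set.of("Login", "Admin.AddUser"));
        Map<String, Object> anonymous = Map.of();
        Map<String, Object> loggedIn = Map.of("PA", admin);

        // Logged-in user: the authority stored under "PA" decides.
        System.out.println("session PA, Admin.AddUser: " + route(loggedIn, "PA", loginOnly, "Admin.AddUser"));
        // No "PA" in the session: the login-only default decides.
        System.out.println("default, Admin.AddUser: " + route(anonymous, "PA", loginOnly, "Admin.AddUser"));
        System.out.println("default, Login: " + route(anonymous, "PA", loginOnly, "Login"));
        // Nothing configured: the allow-all fallback decides.
        System.out.println("unconfigured, Admin.AddUser: " + route(anonymous, null, null, "Admin.AddUser"));
    }
}
```

The last call is the case to check for in a deployment: with neither a name nor a default configured, every FQUID in the tree is reachable by a user with no session authority.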