
Dynamic Role Definition

Last modified by RaffaelloPelagalli on 2006/12/29 01:07

Dynamic role definition

jGuard provides a mechanism to automatically enable or disable a role based on user credentials. This feature is configured through the “definition” attribute of the “principalRef” tag. This attribute must evaluate to “true” or “false”.

For example, we could have in jGuardUsersPrincipals.xml the following:

<user>
    <privateCredentials>
        <credential>
            <id>login</id>
            <value>userA</value>
        </credential>
        <credential>
            <id>password</id>
            <value>userA</value>
        </credential>
    </privateCredentials>
    <publicCredentials>
        <credential>
            <id>firstname</id>
            <value>Rick</value>
        </credential>
        <credential>
            <id>lastname</id>
            <value>Dangerous</value>
        </credential>
        <credential>
            <id>loggedProject</id>
            <value>ProjectA</value>
        </credential>
    </publicCredentials>
    <principalsRef>
          <principalRef name="role1" applicationName="jGuardExample" definition="${subject.publicCredentials.loggedProject.contains('ProjectA')}" active="true"/>
          <principalRef name="role2" applicationName="jGuardExample" definition="${subject.publicCredentials.loggedProject.contains('ProjectB')}" active="true"/>
    </principalsRef>
</user>

The application could provide a way for the user to switch the “loggedProject” credential between “ProjectA” and “ProjectB”. If the user chooses “ProjectA”, jGuard will automatically enable those roles whose “definition” attribute evaluates to “true”. You can also write more complex expressions using logical operators, for example:

(subject.publicCredentials.loggedProject.contains('ProjectA') || subject.publicCredentials.loggedProject.contains('ProjectB')) && subject.privateCredentials.login.contains('userA')
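
Because a change to a credential can switch a role on or off, it helps to know which credentials each role depends on. The following is an added example, not part of the jGuard documentation or code base: a small Python audit that reads a user entry in the format shown above, lists the credentials each “definition” references, and flags references to credentials the entry does not define. The sample XML is constructed (role3, role4 and the “department” credential are hypothetical), and the pattern only recognises the subject.publicCredentials.<id> and subject.privateCredentials.<id> forms used on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the format shown above. role3, role4 and the
# "department" credential are hypothetical; "&&" must be written as
# "&amp;&amp;" inside an XML attribute value.
SAMPLE = """
<user>
  <privateCredentials>
    <credential><id>login</id><value>userA</value></credential>
  </privateCredentials>
  <publicCredentials>
    <credential><id>loggedProject</id><value>ProjectA</value></credential>
  </publicCredentials>
  <principalsRef>
    <principalRef name="role1" applicationName="jGuardExample" active="true"
      definition="${subject.publicCredentials.loggedProject.contains('ProjectA')}"/>
    <principalRef name="role3" applicationName="jGuardExample" active="true"
      definition="${subject.publicCredentials.loggedProject.contains('ProjectB')
                   &amp;&amp; subject.privateCredentials.login.contains('userA')}"/>
    <principalRef name="role4" applicationName="jGuardExample" active="true"
      definition="${subject.publicCredentials.department.contains('IT')}"/>
  </principalsRef>
</user>
"""

# Matches the credential references used in the expressions on this page.
CRED_REF = re.compile(r"subject\.(publicCredentials|privateCredentials)\.(\w+)")

def audit_user(user_xml):
    """Return {role: {"depends_on": [...], "undefined": [...]}} for one <user>."""
    user = ET.fromstring(user_xml)
    defined = {
        kind: {c.findtext("id") for c in user.findall(f"{kind}/credential")}
        for kind in ("publicCredentials", "privateCredentials")
    }
    report = {}
    for ref in user.findall("principalsRef/principalRef"):
        deps = sorted(set(CRED_REF.findall(ref.get("definition", ""))))
        report[ref.get("name")] = {
            "depends_on": deps,  # credentials whose change can toggle the role
            "undefined": [(k, i) for k, i in deps if i not in defined[k]],
        }
    return report

if __name__ == "__main__":
    for role, info in audit_user(SAMPLE).items():
        print(role, info)
```

Any application code that lets a user edit a credential listed under "depends_on" is, in effect, a role-switching control and deserves the same review as the role assignment itself.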

Syntax

jGuard uses the Jakarta Commons JEXL expression library to evaluate expressions over contextual variables. The JEXL project has a syntax reference page: http://jakarta.apache.org/commons/jexl/reference/syntax.html

How to get/set role definition by code

You can get the role definition using:

RolePrincipal ppal = (RolePrincipal)AuthenticationManagerFactory.getAuthenticationManager().getRole(subject, role, applicationName);
String roleDefinition = ppal.getDefinition();

And you can set the role definition using:

AuthenticationManagerFactory.getAuthenticationManager().updateRoleDefinition(subject, roleName, applicationName, roleDefinition);

Created by diabolo512 on 2006/12/16 01:49
