Tree Security Examples

Creating a Security Authority

    The internals of how your PermissionsAuthority object works are defined by the programmer, as long as it implements the PermissionsAuthority interface. The PermissionsAuthority interface is extremely simple: it has a method, hasFQUIDPermission(String). When a request is passed to the PageManager, the PageManager queries a PermissionsAuthority object, passing the requested FQUID to that method. If the method returns false, the FQUIDPermissionDenied exception is thrown; if it returns true, routing is completed.
 
For example:
 
    If a request comes in for FQUID Admin.AddUser, the PageManager will pass a request to a PermissionsAuthority asking if "Admin.AddUser" access is allowed. How the PermissionsAuthority determines this is entirely up to the programmer.

    The second part of understanding how the PageManager uses a PermissionsAuthority object is understanding how the PageManager chooses which PermissionsAuthority to query. There is a method on the PageManager, setPermissionsAuthorityName(String), which sets the name under which the PermissionsAuthority object is stored in the current request's session object. For example, you may add a PermissionsAuthority object to users' sessions under the name "PA" when they log into your application. In this case, the PageManager will pull the PermissionsAuthority from the WebSession by the name "PA" and query it. If the "PA" object does not exist in the current WebSession, the PageManager queries a default PermissionsAuthority instead. This is set with the PageManager's setDefaultPermissionsAuthority method. Even if you always use a PermissionsAuthority, you should set a defaultPermissionsAuthority. If somebody who does not have a PermissionsAuthority should only be able to access the login page, then set a defaultPermissionsAuthority which can only access the login page.
 
    If you don't want the PageManager to query the WebSession for the PermissionsAuthority, you can just set a defaultPermissionsAuthority.
 
    If you set neither a permissionsAuthorityName nor a defaultPermissionsAuthority, the PageManager will use the DunceFQUIDPermissionsAuthority object for security checks. The DunceFQUIDPermissionsAuthority always returns true, allowing access to all parts of the Page Node Tree for all users at all times.
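
A default-deny authority of the kind recommended above for users who have not logged in, as an added example that is not code from the framework. The interface is redeclared locally so the file compiles on its own; its boolean return type, the class names, and the "Login" FQUID are assumptions.

```java
import java.util.Set;

// Stand-in for the framework's interface so this file compiles alone.
// Assumption: the method returns boolean (true = allow), as the text describes.
interface PermissionsAuthority {
    boolean hasFQUIDPermission(String fquid);
}

// Hypothetical default-deny authority: an FQUID is allowed only if it is
// listed exactly or falls under a granted subtree prefix such as "Admin.".
final class AllowListPermissionsAuthority implements PermissionsAuthority {
    private final Set<String> exact;
    private final Set<String> subtrees;

    AllowListPermissionsAuthority(Set<String> exact, Set<String> subtrees) {
        this.exact = Set.copyOf(exact);
        this.subtrees = Set.copyOf(subtrees);
    }

    @Override
    public boolean hasFQUIDPermission(String fquid) {
        if (fquid == null || fquid.isEmpty()) {
            return false; // nothing to match: deny
        }
        if (exact.contains(fquid)) {
            return true;
        }
        for (String prefix : subtrees) {
            // Only prefixes ending in '.' count, so "Admin." cannot match
            // a different node such as "Administrator.Edit".
            if (prefix.endsWith(".") && fquid.startsWith(prefix)) {
                return true;
            }
        }
        return false; // anything not explicitly granted is denied
    }
}

public class PermissionsAuthorityDemo {
    public static void main(String[] args) {
        // Constructed sample FQUIDs; "Login" is a hypothetical page name.
        PermissionsAuthority anonymous =
            new AllowListPermissionsAuthority(Set.of("Login"), Set.of());
        PermissionsAuthority admin =
            new AllowListPermissionsAuthority(Set.of("Login"), Set.of("Admin."));
        for (String fquid : new String[] {"Login", "Admin.AddUser", "Administrator.Edit"}) {
            System.out.printf("%-20s anonymous=%b admin=%b%n", fquid,
                anonymous.hasFQUIDPermission(fquid), admin.hasFQUIDPermission(fquid));
        }
    }
}
```

An instance like the anonymous one is what you would give to the PageManager's setDefaultPermissionsAuthority method, so that a session without a stored PermissionsAuthority never falls through to the DunceFQUIDPermissionsAuthority.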