RBAC Access Control
Principle
For the Back Office administration features, Lutece provides Role Based Access Control (RBAC).
The principle applies to any type of resource that has been declared beforehand (examples: Page, Document, Document Space, Business Resource, …), and as many permissions as necessary can be defined on a resource type (examples: view, modify, delete, …).
Configuring an RBAC role is a standard Lutece function. A role grants permissions on a set of resources: one, several, or all permissions can be associated with one, several, or all resources of a given type.
User Manual
Definition of the Resource to Control
The resource to be checked must implement the RBACResource interface, which means defining two methods:
- one returning the code of the resource type,
- the other returning the identifier of the resource instance.
The resource class is also the natural place to expose the constants for the permissions it manages.
import fr.paris.lutece.portal.service.rbac.RBACResource;

public class MyResource implements RBACResource
{
    // RBAC management: the type code under which this resource is registered
    public static final String RESOURCE_TYPE = "MY_RESOURCE";

    // Permissions that a role can be granted on this resource type
    public static final String PERMISSION_VIEW = "VIEW";
    public static final String PERMISSION_CREATE = "CREATE";
    public static final String PERMISSION_MODIFY = "MODIFY";
    public static final String PERMISSION_DELETE = "DELETE";

    // Business identifier of this resource instance (example field)
    private int _nId;

    ////////////////////////////////////////////////////////////////////////////
    // RBAC Resource implementation

    /**
     * {@inheritDoc}
     */
    @Override
    public String getResourceTypeCode()
    {
        return RESOURCE_TYPE;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getResourceId()
    {
        // The id must be unique within the resource type; the RBAC tables store it as a string
        return String.valueOf(_nId); // for example
    }
}
Creating the Resource Management Service
This service must extend the ResourceIdService class and define three methods:
- a register method that registers the resource type and its permissions with the Lutece RBAC service,
- a getResourceIdList method that returns the list of all resource identifiers that can be checked,
- a getTitle method that returns the display name of a given resource, optionally taking the user's locale into account.
import java.util.List;
import java.util.Locale;

import fr.paris.lutece.portal.service.rbac.Permission;
import fr.paris.lutece.portal.service.rbac.ResourceIdService;
import fr.paris.lutece.portal.service.rbac.ResourceType;
import fr.paris.lutece.portal.service.rbac.ResourceTypeManager;
import fr.paris.lutece.util.ReferenceList;

public class MyResourceIdService extends ResourceIdService
{
    // i18n keys used for the labels shown in the RBAC role administration screens
    private static final String PROPERTY_LABEL_RESOURCE_TYPE = "myplugin.rbac.myresource.resourceType";
    private static final String PROPERTY_LABEL_VIEW = "myplugin.rbac.myresource.permission.view";

    /**
     * {@inheritDoc}
     */
    @Override
    public void register()
    {
        ResourceType rt = new ResourceType();
        rt.setResourceIdServiceClass(MyResourceIdService.class.getName());
        rt.setPluginName(Constants.PLUGIN_NAME);
        rt.setResourceTypeKey(MyResource.RESOURCE_TYPE);
        rt.setResourceTypeLabelKey(PROPERTY_LABEL_RESOURCE_TYPE);

        // Declare each permission that a role may be granted on this type
        Permission p = new Permission();
        p.setPermissionKey(MyResource.PERMISSION_VIEW);
        p.setPermissionTitleKey(PROPERTY_LABEL_VIEW);
        rt.registerPermission(p);
        // ... for all permissions

        ResourceTypeManager.registerResourceType(rt);
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public ReferenceList getResourceIdList(Locale locale)
    {
        // Every resource id that an administrator may select when configuring a role
        List<MyResource> listMyResources = MyResourceHome.getList();
        return ReferenceList.convert(listMyResources, "id", "name", true);
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getTitle(String strId, Locale locale)
    {
        MyResource myresource = MyResourceHome.findByPrimaryKey(Integer.parseInt(strId));
        return myresource.getName();
    }
}
Declaring the Resource Management Service
The resource management service must be declared in the plugin configuration file (plugin-myplugin/webapp/WEB-INF/plugins/myplugin.xml):
<!-- RBAC Resources -->
<rbac-resource-types>
<rbac-resource-type>
<rbac-resource-type-class>fr.paris.lutece.plugins.myplugin.service.MyResourceIdService</rbac-resource-type-class>
</rbac-resource-type>
...
</rbac-resource-types>
Checking a Permission on a Resource
A permission on a given resource instance is checked as follows (getUser() is provided by the Back Office JspBean base classes):
AdminUser user = getUser();
// Returns true only if one of the user's roles grants PERMISSION_VIEW on this resource
// (by its id, or on all resources of the type)
if (RBACService.isAuthorized(myresource, MyResource.PERMISSION_VIEW, user))
{
    ...
}
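The check above is only meaningful if every Back Office action re-runs it server-side before touching the resource; hiding a menu entry or a link is not an access control. The following class is an added example, not code from Lutece or from a real plugin: it assumes the MyResource and MyResourceHome classes from this page plus hypothetical MyResource.setName and MyResourceHome.update methods, and shows both a list page filtered to the resources the user may VIEW and a modify action that refuses with AccessDeniedException when the per-resource MODIFY permission is missing.

```java
import java.util.Collection;
import java.util.List;

import fr.paris.lutece.portal.business.user.AdminUser;
import fr.paris.lutece.portal.service.admin.AccessDeniedException;
import fr.paris.lutece.portal.service.rbac.RBACService;

// Added example (not Lutece's own code): RBAC enforcement inside a Back Office action class.
public class MyResourceJspBean
{
    /**
     * Builds the list shown on the index page: only resources the user may VIEW.
     * RBACService.getAuthorizedCollection keeps the elements for which isAuthorized holds.
     */
    public Collection<MyResource> getViewableResources( AdminUser user )
    {
        List<MyResource> listAll = MyResourceHome.getList( ); // home class from this page
        return RBACService.getAuthorizedCollection( listAll, MyResource.PERMISSION_VIEW, user );
    }

    /**
     * Applies a modification only if the user holds MODIFY on this very resource.
     * The check is done on the instance loaded from the id sent by the browser,
     * so a user who may modify resource 1 cannot modify resource 2 by editing the request.
     */
    public void doModifyResource( int nId, String strNewName, AdminUser user ) throws AccessDeniedException
    {
        MyResource resource = MyResourceHome.findByPrimaryKey( nId );
        if ( resource == null )
        {
            // Unknown id: refuse instead of revealing whether the id exists
            throw new AccessDeniedException( "Unknown resource " + nId );
        }

        // Per-resource check: a role may grant MODIFY on one id, several ids, or all ids of the type
        if ( !RBACService.isAuthorized( resource, MyResource.PERMISSION_MODIFY, user ) )
        {
            throw new AccessDeniedException( "MODIFY denied on " + resource.getResourceTypeCode( ) + "/" + resource.getResourceId( ) );
        }

        resource.setName( strNewName );       // hypothetical setter on MyResource
        MyResourceHome.update( resource );    // hypothetical persistence method
    }
}
```

Throwing AccessDeniedException from the action lets the Back Office front controller render the standard access-denied page, so a denied request leaves no partial change behind and the outcome is the same whether the user typed the URL by hand or followed a link that should not have been displayed.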