RBAC Access control
Principle
For the Back Office administration features, Lutece offers Role Based Access Control (RBAC).
The principle can be applied to any type of resource that has been previously defined (for example: Page, Document, Document Space, Business Resource, ...). It is also possible to define as many permissions as necessary on a resource (for example: view, modify, delete, ...).
Configuring an RBAC role is a standard function of Lutece. It allows permissions to be granted on a set of resources: one, several or all of the permissions can be associated with one, several or all of the resources of a given type.
User manual
Definition of the resource to control
The resource to be tested must implement the RBACResource interface. This means defining two methods:
- one that returns the name of the resource type,
- the other that returns the identifier of the resource.
In addition, the resource class can expose the constants corresponding to the different permissions it manages.
```java
import fr.paris.lutece.portal.service.rbac.RBACResource;

public class MyResource implements RBACResource
{
    // RBAC management
    public static final String RESOURCE_TYPE = "MY_RESOURCE";

    // Permissions
    public static final String PERMISSION_VIEW = "VIEW";
    public static final String PERMISSION_CREATE = "CREATE";
    public static final String PERMISSION_MODIFY = "MODIFY";
    public static final String PERMISSION_DELETE = "DELETE";

    // Primary key of the resource, used as its RBAC identifier
    private int _nId;

    ////////////////////////////////////////////////////////////////////////////
    // RBAC Resource implementation

    /**
     * {@inheritDoc}
     */
    @Override
    public String getResourceTypeCode( )
    {
        return RESOURCE_TYPE;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getResourceId( )
    {
        return String.valueOf( _nId ); // for example
    }
}
```
Creating the resource management service
This service must extend the ResourceIdService class and define three methods:
- a register method, which registers this service with the Lutece RBAC service,
- a getResourceIdList method, which provides the list of all resource identifiers that can be checked,
- a getTitle method, which gives the name of a given resource, optionally taking the user's language into account.
```java
import java.util.List;
import java.util.Locale;

import fr.paris.lutece.portal.service.rbac.Permission;
import fr.paris.lutece.portal.service.rbac.ResourceIdService;
import fr.paris.lutece.portal.service.rbac.ResourceType;
import fr.paris.lutece.portal.service.rbac.ResourceTypeManager;
import fr.paris.lutece.util.ReferenceList;

public class MyResourceIdService extends ResourceIdService
{
    private static final String PROPERTY_LABEL_RESOURCE_TYPE = "myplugin.rbac.myresource.resourceType";
    private static final String PROPERTY_LABEL_VIEW = "myplugin.rbac.myresource.permission.view";

    /**
     * {@inheritDoc}
     */
    @Override
    public void register( )
    {
        ResourceType rt = new ResourceType( );
        rt.setResourceIdServiceClass( MyResourceIdService.class.getName( ) );
        rt.setPluginName( Constants.PLUGIN_NAME );
        rt.setResourceTypeKey( MyResource.RESOURCE_TYPE );
        rt.setResourceTypeLabelKey( PROPERTY_LABEL_RESOURCE_TYPE );

        // One Permission object per permission constant exposed by the resource
        Permission p = new Permission( );
        p.setPermissionKey( MyResource.PERMISSION_VIEW );
        p.setPermissionTitleKey( PROPERTY_LABEL_VIEW );
        rt.registerPermission( p );

        // ... for all permissions

        ResourceTypeManager.registerResourceType( rt );
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public ReferenceList getResourceIdList( Locale locale )
    {
        List<MyResource> listMyResources = MyResourceHome.getList( );
        // Builds the (id, name) list shown in the Back Office role configuration screen
        return ReferenceList.convert( listMyResources, "id", "name", true );
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getTitle( String strId, Locale locale )
    {
        MyResource myresource = MyResourceHome.findByPrimaryKey( Integer.parseInt( strId ) );
        return myresource.getName( );
    }
}
```
Declaring the resource management service
The resource management service must be declared in the plugin configuration file (plugin-myplugin\webapp\WEB-INF\plugins\myplugin.xml):
```xml
<!-- RBAC Resources -->
<rbac-resource-types>
    <rbac-resource-type>
        <rbac-resource-type-class>fr.paris.lutece.plugins.myplugin.service.MyResourceIdService</rbac-resource-type-class>
    </rbac-resource-type>
    ...
</rbac-resource-types>
```
Checking a permission on a resource
A permission can be checked in the following way:
```java
AdminUser user = getUser( );
if ( RBACService.isAuthorized( myresource, MyResource.PERMISSION_VIEW, user ) )
{
    ...
}
```
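The check above only protects the code path it sits in, so every Back Office action that reads, modifies or deletes a resource must perform its own check, and it must be made against the persisted resource rather than against an identifier copied from the request. The following helper, added here as an example and not part of Lutece or of this page's plugin, loads the resource first and then checks the permission, denying access in the same way for an unknown identifier and for a forbidden one; it also filters a list for the management screen with RBACService.getAuthorizedCollection from Lutece core. MyResourceHome, with getList( ) and findByPrimaryKey( ), is assumed to exist as on this page.

```java
import java.util.Collection;
import java.util.List;

import fr.paris.lutece.portal.business.user.AdminUser;
import fr.paris.lutece.portal.service.admin.AccessDeniedException;
import fr.paris.lutece.portal.service.rbac.RBACService;

public class MyResourceAccessGuard
{
    /**
     * Loads the resource and checks the requested permission for the given
     * Back Office user. The RBAC check is made on the persisted object, so
     * the type/id pair the role configuration refers to can never be forged
     * from request parameters.
     */
    public static MyResource loadAuthorized( String strId, String strPermission, AdminUser user )
        throws AccessDeniedException
    {
        int nId;
        try
        {
            nId = Integer.parseInt( strId );
        }
        catch ( NumberFormatException e )
        {
            throw new AccessDeniedException( "Invalid " + MyResource.RESOURCE_TYPE + " identifier" );
        }

        // MyResourceHome is assumed (same home class as used elsewhere on this page)
        MyResource resource = MyResourceHome.findByPrimaryKey( nId );

        // Same denial for "does not exist" and "not allowed": no hint about which ids exist
        if ( resource == null || !RBACService.isAuthorized( resource, strPermission, user ) )
        {
            throw new AccessDeniedException( "Access denied on " + MyResource.RESOURCE_TYPE + " " + nId );
        }
        return resource;
    }

    /**
     * Keeps only the resources the user may view, so the management screen
     * never lists rows that a later per-action check would refuse anyway.
     */
    public static Collection<MyResource> listViewable( AdminUser user )
    {
        List<MyResource> listAll = MyResourceHome.getList( );
        return RBACService.getAuthorizedCollection( listAll, MyResource.PERMISSION_VIEW, user );
    }
}
```

A delete action would call loadAuthorized( strId, MyResource.PERMISSION_DELETE, getUser( ) ) before touching the database, and let the AccessDeniedException reach the Back Office error handling.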