Nov 9, 2021 3:42:10 PM Thomas Dumont avatar

RBAC Access control

Principle

For the Back Office adminitration features, Lutece offers Role Based Access Control (RBAC) access controls.

The principle can be applied to any type of resource that has been previously defined (example: Page, Document, Document Space, Business Resource, ...). It is also possible to define as many permissions as necessary on a resource (example: see, modify, delete, ...).

Configuring a RBAC role is a standard function of Lutece. It allows to set permissions to a set of resources. It is possible to associate one, several or all the permissions to one, several or all resources of a given type.

User manual

Definition of the resource to control

The resource to be tested must implement the RBACResource interface. This corresponds to defining two methods :

  • one to define the name of the type of the resource
  • the other must return the identifier of the resource.

In addition, the resource can already expose the constants corresponding to the different managed permissions.

public class MyResource implements RBACResource
{
public class MyResource implements RBACResource
{
    // RBAC management
    public static final String RESOURCE_TYPE = "MY_RESOURCE";

    // Perimissions
    public static final String PERMISSION_VIEW = "VIEW";
    public static final String PERMISSION_CREATE = "CREATE";
    public static final String PERMISSION_MODIFY = "MODIFY";
    public static final String PERMISSION_DELETE = "DELETE";


    ////////////////////////////////////////////////////////////////////////////
    // RBAC Resource implementation

    /**
     * {@inheritDoc}
     */
    @Override
    public String getResourceTypeCode(  )
    {
        return RESOURCE_TYPE;
    }

    /**
     * {@inheritDoc }
     */
    @Override
    public String getResourceId(  )
    {
        return String.valueOf( _nId );  // for exemple
    }
}

Creating the resource management service

This service must extend the ResourceIdService class by defining 3 methods :

  • a register method to register this service with the Lutece RBAC service,
  • a getResourceIdList method to provide a list of all resource identifiers to check
  • a getTitle method to give the name of a given resource by optionally managing the language of the user.
public class MyResourceIdService extends ResourceIdService
{
    private static final String PROPERTY_LABEL_RESOURCE_TYPE = "myplugin.rbac.myresource.resourceType";
    private static final String PROPERTY_LABEL_VIEW = "myplugin.rbac.myresource.permission.view";

    /**
     * {@inheritDoc}
     */
    @Override
    public void register(  )
    {
        ResourceType rt = new ResourceType(  );
        rt.setResourceIdServiceClass( MyResourceIdService .class.getName(  ) );
        rt.setPluginName( Constants.PLUGIN_NAME );
        rt.setResourceTypeKey( MyResource.RESOURCE_TYPE );
        rt.setResourceTypeLabelKey( PROPERTY_LABEL_RESOURCE_TYPE );

        Permission p = new Permission(  );
        p.setPermissionKey( MyResource.PERMISSION_VIEW );
        p.setPermissionTitleKey( PROPERTY_LABEL_VIEW );
        rt.registerPermission( p );

        // ...          for all permissions

        ResourceTypeManager.registerResourceType( rt );
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public ReferenceList getResourceIdList( Locale locale )
    {
        List<MyResource  listMyResources = MyResourceHome.getList(  );

        return ReferenceList.convert( listFeatures, "id", "name", true );
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public String getTitle( String strId, Locale locale )
    {
        MyResource myresource= MyResourceHome.findByPrimaryKey( Integer.parseInt( strId ) );

        return myresource.getName(  );
    }
}

Resource Management Service Statement

The resource management service must be declared in the plugin configuration file (plugin-myplugin \ webapp \ WEB-INF \ plugins \ myplugin.xml):

<!-- RBAC Resources -->
<rbac-resource-types>
    <rbac-resource-type>
        <rbac-resource-type-class>fr.paris.lutece.plugins.myplugin.service.MyResourceIdService</rbac-resource-type-class>
    </rbac-resource-type>
    ...
</rbac-resource-types>

Checking a permission on a resource

The verification of a permission can be done in the following way :

AdminUser user = getUser();
if ( RBACService.isAuthorized( myresource, MyResource.PERMISSION_VIEW, user ) )
{
    ...
}