For example, let’s start with a very simple repository defined by the following SQL, repository definition file and Nucleus properties file. This repository defines a field for identifying the repository item, and two properties - one of which we intend to have its own ACL.
First, the SQL:
```sql
-- test-repository.ddl
create table test_items (
    -- the ID of this item
    id varchar,
    -- a secured property of this item
    secured_property varchar,
    -- an unsecured property
    unsecured_property varchar
)
```
Next, the repository definition file:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- test-repository.xml -->
<!DOCTYPE gsa-template
  PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
  "http://www.atg.com/dtds/gsa/gsa_1.0.dtd">
<gsa-template>
  <header>
    <name>Test Repository</name>
  </header>
  <item-descriptor name="test_items" default="true">
    <table name="test_items" type="primary" id-column-names="id">
      <property name="secured_property" column-names="secured_property" data-type="string"/>
      <property name="unsecured_property" column-names="unsecured_property" data-type="string"/>
    </table>
  </item-descriptor>
</gsa-template>
```
Finally, the GSARepository component’s properties file:
```properties
# TestRepository.properties Configuration File
$class=atg.adapter.gsa.GSARepository
definitionFiles=test-repository.xml
repositoryName=TestRepository
XMLToolsFactory=/atg/dynamo/service/xml/XMLToolsFactory
transactionManager=/atg/dynamo/transaction/TransactionManager
dataSource=/atg/dynamo/service/jdbc/JTDataSource
idGenerator=/atg/dynamo/service/IdGenerator
lockManager=/atg/dynamo/service/ClientLockManager
```
We need to add fields to the SQL and the repository definition to provide storage space for security information, one each for storing the owner, repository item ACL, and repository item property ACL. The following files show these changes. The SQL now looks like this:
```sql
-- Modified test-repository.ddl
create table test_items (
    -- the ID of this item
    id varchar,
    -- a secured property of this item
    secured_property varchar,
    -- an unsecured property
    unsecured_property varchar,
    -- the owner of this item
    item_owner varchar,
    -- the ACL that applies to this item
    item_acl varchar,
    -- the ACL that applies to this item's secured value
    secured_property_acl varchar
)
```
The SQL repository definition file looks like this:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Modified test-repository.xml -->
<!DOCTYPE gsa-template
  PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
  "http://www.atg.com/dtds/gsa/gsa_1.0.dtd">
<gsa-template>
  <header>
    <name>Test Repository</name>
  </header>
  <item-descriptor name="test_items" default="true">
    <table name="test_items" type="primary" id-column-names="id">
      <property name="secured_property" column-names="secured_property" data-type="string"/>
      <property name="unsecured_property" column-names="unsecured_property" data-type="string"/>
      <property name="item_owner" column-names="item_owner" data-type="string"/>
      <property name="item_acl" column-names="item_acl" data-type="string"/>
      <property name="secured_property_acl" column-names="secured_property_acl" data-type="string"/>
    </table>
  </item-descriptor>
</gsa-template>
```
The properties file for the GSARepository component can remain as it was.
The next step is to create the secured repository layer over this SQL repository. The secured repository has an XML definition file, which would look like this:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- secured-test-repository.xml -->
<!DOCTYPE secured-repository-template
  PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
  "http://www.atg.com/dtds/security/secured_repository_template_1.1.dtd">
<secured-repository-template>
  <item-descriptor name="test_items">
    <!-- The ACL that applies to the item view/descriptor -->
    <descriptor-acl value="Admin$role$administrators-group: read,write,create,delete;Admin$role$everyone-group:read"/>
    <!-- The property that the ownership will be stored in -->
    <owner-property name="item_owner"/>
    <!-- The property that the ACL will be stored in -->
    <acl-property name="item_acl"/>
    <!-- An ACL fragment that is assigned to all new items -->
    <creation-base-acl value="Admin$role$administrators-group: read,write,list,destroy,read_owner,write_owner,read_acl,write_acl; Admin$role$everyone-group:read,list"/>
    <!-- Access rights that are assigned to the owner when an item is created -->
    <creation-owner-acl-template value="$:read,write,list,destroy"/>
    <!-- Access rights that are assigned to all of the owner's groups when an
         item is created. WARNING: This feature is potentially dangerous. -->
    <creation-group-acl-template value="$:read,list"/>
    <property name="secured_property">
      <!-- The ACL that applies to this property across all items in the repository -->
      <descriptor-acl value="Admin$role$administrators-group: read,write;Admin$role$everyone-group:read"/>
      <!-- The name of the property in the item where the ACL for this
           property is stored. -->
      <acl-property name="secured_property_acl"/>
      <!-- An ACL fragment that is assigned to this property whenever a new
           item is created. -->
      <creation-base-acl value="Admin$role$administrators-group:read,write"/>
      <!-- Access rights that are assigned to the owner when an item is created -->
      <creation-owner-acl-template value="$:read,write"/>
      <!-- Access rights that are assigned to all of the owner's groups when an
           item is created. WARNING: This feature is potentially dangerous. -->
      <creation-group-acl-template value="$:read,write"/>
    </property>
  </item-descriptor>
</secured-repository-template>
```
The Secured Repository Adapter component’s class is atg.adapter.secure.GenericSecuredMutableRepository. It can be configured as in this example:
```properties
# SecuredTestRepository.properties
$class=atg.adapter.secure.GenericSecuredMutableRepository
$scope=global
name=Test repository for the secured repository implementation
repositoryName=SecuredTestRepository
# the repository that we're wrapping
repository=TestRepository
# The template file that configures the repository
configurationFile=secured-test-repository.xml
# The security configuration component used by the repository
securityConfiguration=/atg/dynamo/security/SecuredRepositorySecurityConfiguration
# Various Dynamo services we need
XMLToolsFactory=/atg/dynamo/service/xml/XMLToolsFactory
transactionManager=/atg/dynamo/transaction/TransactionManager
```
WARNING: The above example uses the creation-group-acl-template feature for both repository items and the secured property. If you set up a repository based on this code, you should generally remove this setting. The reason is explained at creation-group-acl-template Tag.
Finally, in order to expose these repositories to the ATG Control Center Repository Editor, and to start them up when your application is started, you must add each of them to the initialRepositories property of the /atg/registry/ContentRepositories component:
initialRepositories+=/TestRepository,/SecuredTestRepository