Samples Tutorial


Creating XQuery Filters to Implement Conditional Logic Security

Data Services Platform can enable security based on the results of conditional logic.

 


Objectives

After completing this lesson, you will be able to:

 


Overview

Conditional logic can be used to establish very specific security restrictions. For example, access to a social security number can be restricted to managers, as is illustrated in Exercise 30.2 Writing the XQuery Security Function. Security restrictions at the element level are set through the ALDSP Console.

 


30.1 Creating User Groups

The first step in setting conditional-logic security is establishing security groups.

Objectives

In this exercise, you will:

Instructions

  1. Log in to the WebLogic Server Console (http://localhost:7001/console/), using the following credentials:
    • User Name = weblogic
    • Password = weblogic
  2. Create two new user groups by completing the following steps:
    a. Choose Security → Realms → myrealm → Groups.
    b. Select Configure a New Group.
    c. Enter LD_Emp in the Name field.
    d. (Optional) Enter "Employee Group" in the Description field.
    e. Click Apply.
    f. Repeat steps 2b through 2e to create a new group for LD_Mgr.

    Figure 30-1 Configuring a New User Group

  3. Assign the user Bob to the LD_Emp group by completing the following steps:
    a. Choose Security → Realms → myrealm → Users.
    b. Click Bob in the User column. The User page for Bob opens.

    Figure 30-2 User Page for Bob

    c. Click the Groups tab. The Groups page opens.
    d. Select LD_Emp from the Possible Groups pane.
    e. Click the arrow ( → ) to add the group to the Current Groups pane.
    f. Click Apply.

    Figure 30-3 Group Assignment Page for Bob

  4. Assign the user Joe to the LD_Mgr group by completing the following steps:
    a. Choose Security → Realms → myrealm → Users.
    b. Click Joe in the User column. The User page for Joe opens.
    c. Click the Groups tab. The Groups page opens.
    d. Select LD_Mgr from the Possible Groups pane.
    e. Click the arrow ( → ) to add the group to the Current Groups pane.
    f. Click Apply.

 


30.2 Writing the XQuery Security Function

You can specify a security function using XQuery syntax. In this example, access to social security numbers is restricted to managers.

Objectives

In this exercise, you will:

Instructions

  1. Log in to the ALDSP Console (http://localhost:7001/ldconsole/), using the following credentials:
    • User Name = weblogic
    • Password = weblogic
  2. Using the plus ( + ) icon, expand the ldplatform directory.

    Note: If you click the ldplatform name, the Application List page opens. You do not want this page for this lesson.

  3. Click Evaluation. The Administration Control's General page opens.
  4. Select Check Access Control.
  5. Select Allow Default Anonymous Access.

    Figure 30-4 Setting Access Control

  6. Select XQuery Functions for Security and enter the following function:

    Note: Namespaces may be different for your application.

    declare namespace demo="lib:mydemo";
    declare namespace items="http://temp.openuri.org/DataServices/schemas/CustomerProfile.xsd";
    (: Grants access only to members of the LD_Mgr group; all other users are denied. :)
    declare function demo:secureCustomer($ssn as xs:string) as xs:boolean {
      if (fn-bea:is-user-in-group("LD_Mgr")) then fn:true()
      else fn:false()
    };

  7. Click Apply.
  8. Click Apply again. You should now have the following:

    Figure 30-5 Specifying Security XQuery Function Code

 


30.3 Activating the XQuery Function for Security

The next step in setting an XQuery security function is to set security at the element level.

Objectives

In this exercise, you will:

Instructions

  1. In the ALDSP Console expand the Evaluation folder and navigate to the CustomerProfile data service, located in DataServices\CustomerManagement.
  2. Navigate to the Security Policy dialog (Admin → Security → Security Policy).
  3. Click the icon in the XQuery Function for Security column for the CustomerProfile/customer/ssn resource. The Assign XQuery Functions window opens.
  4. Click on Apply. The icon in the Security Policy tab will appear.
  5. Set the Namespace URI and Local Name, by completing the following steps:
    a. Click Add and enter the following values:
      • Namespace URI: lib:mydemo
      • Local Name: secureCustomer
    b. Click Submit.
    c. Click Close.

    Figure 30-6 QName Information

 


30.4 Testing the XQuery Security Function

Using the security credentials for Bob and Joe, you can now test the XQuery security function.

Objectives

In this exercise, you will:

Instructions

  1. Set the login properties to Bob and run a test, by completing the following steps:
    a. In the ALDSP-enabled Workshop application, choose Tools → Application Properties → WebLogic Server.
    b. Select Use Credentials Below.
    c. Enter "Bob" and "password" in the Use Credentials Below fields.
    d. Click OK.
    e. Open CustomerProfile.ds in Test View. (The file is located in the CustomerManagement folder.)
    f. Select getAllCustomers() from the function drop-down list.
    g. Click Execute. All customer data, except SSNs, should be returned.

    Note: To deploy from Workshop, the user or group must have permission to deploy applications.

  2. Change the login properties to Joe and run a test. All customer data, including SSNs, should be returned.
  3. In the ALDSP Console, expand the Evaluation folder and navigate to the CustomerProfile data service, located in DataServices\CustomerManagement.
  4. Click Security Policy.
  5. Click the icon in the XQuery Function for Security column for the CustomerProfile/customer/ssn resource. The QName window opens.
  6. Click Remove, click Submit, and then click Close to remove the following:
    • Namespace URI: lib:mydemo
    • Local Name: secureCustomer

    WARNING: You must remove the Namespace/Local Name information before you can proceed with the following lessons.

  7. Click Tools → Application Properties.
  8. Use the following credentials:
    • User name = weblogic
    • Password = weblogic
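
The check in steps 1 and 2, automated over a saved result, as an added example in Python (not part of the original tutorial or of ALDSP). It assumes the getAllCustomers() result was saved as XML, that a denied ssn is either omitted or returned empty, and that SSNs use the NNN-NN-NNNN format; the name and note elements and all sample values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Namespace is the one declared in the tutorial; the element names "name" and
# "note" and all sample values are constructed for this example.
NS = "http://temp.openuri.org/DataServices/schemas/CustomerProfile.xsd"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text, may_see_ssn):
    """Return a list of findings; an empty list means the policy held."""
    customers = [e for e in ET.fromstring(xml_text).iter()
                 if local(e.tag) == "customer"]
    if not customers:
        return ["no customer elements found; nothing was verified"]
    findings = []
    for i, cust in enumerate(customers, 1):
        has_ssn = any(local(e.tag) == "ssn" and (e.text or "").strip()
                      for e in cust.iter())
        if may_see_ssn and not has_ssn:
            findings.append(f"customer {i}: ssn missing for authorized user")
        if may_see_ssn:
            continue
        if has_ssn:
            findings.append(f"customer {i}: ssn value returned")
        # The policy guards one element; catch the value leaking elsewhere.
        for e in cust.iter():
            texts = [e.text or "", *e.attrib.values()]
            if local(e.tag) != "ssn" and any(SSN_RE.search(t) for t in texts):
                findings.append(f"customer {i}: SSN-like value in <{local(e.tag)}>")
    return findings

def sample(with_ssn, note=""):
    """Build a constructed response shaped like CustomerProfile/customer/ssn."""
    ssn = "<p:ssn>000-12-3456</p:ssn>" if with_ssn else ""
    return (f'<p:CustomerProfile xmlns:p="{NS}"><p:customer>'
            f"<p:name>Test One</p:name>{ssn}<p:note>{note}</p:note>"
            "</p:customer></p:CustomerProfile>")

if __name__ == "__main__":
    print("Bob:", audit(sample(False), may_see_ssn=False))
    print("Joe:", audit(sample(True), may_see_ssn=True))
    print("Bob, policy removed:", audit(sample(True), may_see_ssn=False))
    print("Bob, value in note:", audit(sample(False, "SSN 000-12-3456"), False))
```

The third case is what Bob's result looks like once the function assignment is removed in step 6, so the same script confirms whether the policy is currently active.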

 


Lesson Summary

In this lesson, you learned how to:

