The first contact that a user has with the security system is usually a user authority object, which determines who the user is. At its most basic, the user authority object simply provides a persona object for a user with a particular name.
Dynamo’s central user authority object is in Nucleus at /atg/dynamo/security/UserAuthority and is an instance of the UserDirectoryUserAuthority class. This class takes the account information from one or more user directories and exposes it through the UserAuthority interface. In the standard configuration, both the ATG Control Center and Profile account information are exposed.
The user authority object can also be responsible for authenticating a user. How it does so depends on the implementation. Typically, a user authority authenticates users through name/password verification, but any sort of identification system is possible, including smart cards, certificates, biometrics, or even profiling (for example, a user can be granted or denied access based on responses to a questionnaire).
There are three user authorities that use the name/password verification approach:

XmlAccountManager: This read-only implementation derives user information from an XML file. The implementation is intended for prototyping, although it may be useful in a production environment if the set of accounts and identities is not expected to change often or is expected to remain static. Dynamo uses an instance of the XmlAccountManager to provide a template for the ATG Control Center account information.

RepositoryAccountManager: This implementation derives user information from a Dynamo repository. The repository can be any type of repository, including XML, SQL, and Profile Repositories. This implementation is for production applications, which typically use a repository-based user authority in conjunction with the Generic SQL Adapter (GSA) connector, which interfaces the Repository API to a SQL database. Dynamo uses an instance of the RepositoryAccountManager to manage the ATG Control Center accounts.

UserDirectoryLoginUserAuthority: Because UserDirectoryUserAuthority can merge multiple account databases, the UserDirectoryLoginUserAuthority is used to expose the login functionality for only a single database (and, thus, a single account namespace). There are two such authorities: /atg/dynamo/security/AdminUserAuthority (for ATG Control Center account information) and /atg/userprofiling/ProfileUserAuthority (for profile accounts).

Dynamo does not yet implement authentication mechanisms other than name/password verification, although it is easy to extend the UserAuthority interface as necessary to provide new authentication mechanisms.
All other security objects refer to the user authority to provide namespace separation between different authentication schemes. Two users with the same name (such as “peterk”) have two different identities to Dynamo if they are authenticated by two different user authorities. A single user authority often is shared by multiple security objects to obtain single-log-on functionality.
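The following is an added example, not code from the ATG Dynamo product or its documentation. It models the two ideas above in plain Java: a name/password authority that, like XmlAccountManager, loads a read-only account set from an XML document, and a persona whose identity is the pair (authority name, account name), so that the same "peterk" held by an Admin authority and a Profile authority are two different users. The interface and class names (UserAuthority, LoginUserAuthority, Persona, XmlAccountAuthority), the XML layout and the sample accounts are all hypothetical stand-ins chosen for this example; they are not the real atg.security API. Hashing the stored passwords and comparing with MessageDigest.isEqual is an added hardening for the example, not a description of how Dynamo stores credentials.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical model of the user-authority idea; not ATG's atg.security classes.
public class UserAuthorityDemo {

    /** Identity is (authority, account name): the same name in two authorities is two users. */
    static final class Persona {
        final String authority;
        final String name;
        Persona(String authority, String name) { this.authority = authority; this.name = name; }
        @Override public boolean equals(Object o) {
            return o instanceof Persona
                && ((Persona) o).authority.equals(authority)
                && ((Persona) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(authority, name); }
        @Override public String toString() { return authority + ":" + name; }
    }

    /** What every authority can do: name itself and hand out a persona for a known account. */
    interface UserAuthority {
        String getName();
        Persona getPersona(String accountName); // null if the account is unknown
    }

    /** An authority that also verifies credentials; here name/password, but any credential type could be added. */
    interface LoginUserAuthority extends UserAuthority {
        Persona login(String accountName, char[] password); // null when verification fails
    }

    /** Read-only account set loaded once from XML, in the spirit of XmlAccountManager (hypothetical format). */
    static final class XmlAccountAuthority implements LoginUserAuthority {
        private final String name;
        private final Map<String, byte[]> passwordHashes = new HashMap<>();

        XmlAccountAuthority(String name, String xml) throws Exception {
            this.name = name;
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // Refuse DOCTYPEs so an account file cannot pull in external entities.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            NodeList accounts = doc.getElementsByTagName("account");
            for (int i = 0; i < accounts.getLength(); i++) {
                Element e = (Element) accounts.item(i);
                // Keep only a digest in memory; the comparison below works on digests.
                passwordHashes.put(e.getAttribute("name"), sha256(e.getAttribute("password").toCharArray()));
            }
        }
        public String getName() { return name; }
        public Persona getPersona(String accountName) {
            return passwordHashes.containsKey(accountName) ? new Persona(name, accountName) : null;
        }
        public Persona login(String accountName, char[] password) {
            byte[] expected = passwordHashes.get(accountName);
            if (expected == null) return null;
            // Constant-time comparison so the check does not leak how many bytes matched.
            return MessageDigest.isEqual(expected, sha256(password)) ? new Persona(name, accountName) : null;
        }
    }

    static byte[] sha256(char[] chars) {
        try {
            return MessageDigest.getInstance("SHA-256")
                .digest(new String(chars).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample account documents for this example; not real ATG configuration.
        String adminXml   = "<accounts><account name=\"peterk\" password=\"admin-pw\"/></accounts>";
        String profileXml = "<accounts><account name=\"peterk\" password=\"shopper-pw\"/></accounts>";
        LoginUserAuthority admin   = new XmlAccountAuthority("Admin", adminXml);
        LoginUserAuthority profile = new XmlAccountAuthority("Profile", profileXml);

        Persona a = admin.login("peterk", "admin-pw".toCharArray());
        Persona p = profile.login("peterk", "shopper-pw".toCharArray());
        System.out.println(a + " equals " + p + "? " + a.equals(p)); // false: two namespaces, two identities
        // The admin password does not work against the Profile authority, even for the same name.
        System.out.println("admin-pw against Profile: " + profile.login("peterk", "admin-pw".toCharArray()));
    }
}
```

Objects that need single log-on across several protected resources would share one LoginUserAuthority instance (for example the Admin one) rather than each constructing their own, which is the sharing arrangement the paragraph above describes; a resource that instead consulted the Profile authority would see Profile:peterk as an unrelated user.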
For more information about configuring the Dynamo User Directory, see the ATG Personalization Programming Guide.