For example, let’s start with a very simple repository defined by the following SQL, repository definition file and Nucleus properties file. This repository defines a field for identifying the repository item, and two properties - one of which we intend to have its own ACL.

First, the SQL:

 -- test-repository.ddl
create table test_items (
 -- the ID of this item
 id varchar,
 -- a secured property of this item
 secured_property varchar,
 -- an unsecured property
 unsecured_property varchar
)

Next, the repository definition file:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- test-repository.xml -->
<!DOCTYPE gsa-template
       PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
       "http://www.atg.com/dtds/gsa/gsa_1.0.dtd">
<gsa-template>
 <header>
   <name>Test Repository</name>
 </header>
 <item-descriptor name="test_items" default="true">
   <table name="test_items" type="primary" id-column-names="id">
     <property name="secured_property" column-names="secured_property"
               data-type="string"/>
     <property name="unsecured_property" column-names="unsecured_property"
               data-type="string"/>
   </table>
 </item-descriptor>
</gsa-template>

Finally, the GSARepository component’s properties file:

# TestRepository.properties Configuration File
$class=atg.adapter.gsa.GSARepository
definitionFiles=test-repository.xml
repositoryName=TestRepository
XMLToolsFactory=/atg/dynamo/service/xml/XMLToolsFactory
transactionManager=/atg/dynamo/transaction/TransactionManager
dataSource=/atg/dynamo/service/jdbc/JTDataSource
idGenerator=/atg/dynamo/service/IdGenerator
lockManager=/atg/dynamo/service/ClientLockManager

We need to add fields to the SQL and the repository definition to provide storage space for security information, one each for storing the owner, repository item ACL, and repository item property ACL. The following files show these changes. The SQL now looks like this:

 --  Modified test-repository.ddl
create table test_items (
 -- the ID of this item
 id varchar,
 -- a secured property of this item
 secured_property varchar,
 -- an unsecured property
 unsecured_property varchar,
 -- the owner of this item
 item_owner varchar,
 -- the ACL that applies to this item
 item_acl varchar,
 -- the ACL that applies to this item's secured value
 secured_property_acl varchar
)

The SQL repository definition file looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!--  Modified test-repository.xml -->
<!DOCTYPE gsa-template
       PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
       "http://www.atg.com/dtds/gsa/gsa_1.0.dtd">
<gsa-template>
 <header>
   <name>Test Repository</name>
 </header>
 <item-descriptor name="test_items" default="true">
   <table name="test_items" type="primary" id-column-names="id">
     <property name="secured_property" column-names="secured_property"
               data-type="string"/>
     <property name="unsecured_property" column-names="unsecured_property"
               data-type="string"/>
     <property name="item_owner" column-names="item_owner" data-type="string"/>
     <property name="item_acl" column-names="item_acl" data-type="string"/>
     <property name="secured_property_acl" column-names="secured_property_acl"
               data-type="string"/>
   </table>
 </item-descriptor>
</gsa-template>

The properties file for the GSARepository component can remain as it was.

The next step is to create the secured repository layer over this SQL repository. The secured repository has an XML definition file, which would look like this:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- secured-test-repository.xml -->
<!DOCTYPE secured-repository-template
 PUBLIC "-//Art Technology Group, Inc.//DTD Dynamo Security//EN"
 "http://www.atg.com/dtds/security/secured_repository_template_1.1.dtd">
<secured-repository-template>
 <item-descriptor name="test_items">
   <!-- The ACL that applies to the item view/descriptor -->
   <descriptor-acl value="Admin$role$administrators-group:
     read,write,create,delete;Admin$role$everyone-group:read"/>
   <!-- The property that the ownership will be stored in -->
   <owner-property name="item_owner"/>
   <!-- The property that the ACL will be stored in -->
   <acl-property name="item_acl"/>
   <!-- An ACL fragment that is assigned to all new items -->
   <creation-base-acl value="Admin$role$administrators-group:
read,write,list,destroy,read_owner,write_owner,read_acl,write_acl;
Admin$role$everyone-group:read,list"/>
   <!-- Access rights that are assigned to the owner when an
        item is created -->
   <creation-owner-acl-template value="$:read,write,list,destroy"/>
   <!-- Access rights that are assigned to all of the owner's
        groups when an item is created.  WARNING: This feature
        is potentially dangerous. -->
   <creation-group-acl-template value="$:read,list"/>
   <property name="secured_property">
     <!-- The ACL that applies to this property across all items
          in the repository -->
     <descriptor-acl value="Admin$role$administrators-group:
read,write;Admin$role$everyone-group:read"/>
     <!-- The name of the property in the item where the ACL for this
          property is stored. -->
     <acl-property name="secured_property_acl"/>
     <!-- An ACL fragment that is assigned to this property
          whenever a new item is created. -->
     <creation-base-acl value="Admin$role$administrators-group:read,write"/>
     <!-- Access rights that are assigned to the owner when an
          item is created -->
     <creation-owner-acl-template value="$:read,write"/>
     <!-- Access rights that are assigned to all of the owner's
          groups when an item is created.  WARNING: This feature
          is potentially dangerous. -->
     <creation-group-acl-template value="$:read,write"/>
   </property>
 </item-descriptor>
</secured-repository-template>

The Secured Repository Adapter component’s class is atg.adapter.secure.GenericSecuredMutableRepository. It can be configured as in this example:

# SecuredTestRepository.properties
$class=atg.adapter.secure.GenericSecuredMutableRepository
$scope=global
name=Test repository for the secured repository implementation
repositoryName=SecuredTestRepository
# the repository that we're wrapping
repository=TestRepository
# The template file that configures the repository
configurationFile=secured-test-repository.xml
# The security configuration component used by the repository
securityConfiguration=/atg/dynamo/security/SecuredRepositorySecurityConfiguration
# Various Dynamo services we need
XMLToolsFactory=/atg/dynamo/service/xml/XMLToolsFactory
transactionManager=/atg/dynamo/transaction/TransactionManager

WARNING: The above example uses the creation-group-acl-template feature for both repository items and the secured property. This setting should generally be removed if you are setting up a repository based on this code. The reason is explained in the creation-group-acl-template Tag section.
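A pre-deployment check for the two points above, as an added example that is not part of the original page or of ATG's own tooling: it confirms that every owner-property and acl-property named in the secured template has storage in the wrapped repository definition, and reports each creation-group-acl-template together with the rights it grants. The function names `parse_acl` and `audit`, the finding labels, and the embedded sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's files (DOCTYPE omitted). The GSA
# definition deliberately lacks secured_property_acl to show a finding.
GSA_XML = """<gsa-template><item-descriptor name="test_items" default="true">
 <table name="test_items" type="primary" id-column-names="id">
  <property name="secured_property" column-names="secured_property" data-type="string"/>
  <property name="item_owner" column-names="item_owner" data-type="string"/>
  <property name="item_acl" column-names="item_acl" data-type="string"/>
 </table></item-descriptor></gsa-template>"""
SECURED_XML = """<secured-repository-template><item-descriptor name="test_items">
 <owner-property name="item_owner"/>
 <acl-property name="item_acl"/>
 <creation-group-acl-template value="$:read,list"/>
 <property name="secured_property">
  <acl-property name="secured_property_acl"/>
  <creation-group-acl-template value="$:read,write"/>
 </property>
</item-descriptor></secured-repository-template>"""

def parse_acl(value):
    """Split 'principal:right,right;principal:right' into {principal: set(rights)}."""
    acl = {}
    for entry in value.split(";"):
        principal, _, rights = entry.strip().rpartition(":")
        if principal:
            acl.setdefault(principal.strip(), set()).update(
                r.strip() for r in rights.split(",") if r.strip())
    return acl

def audit(gsa_xml, secured_xml):
    """Check a secured template against the definition of the repository it wraps."""
    findings = []
    gsa_props = {d.get("name"): {p.get("name") for p in d.iter("property")}
                 for d in ET.fromstring(gsa_xml).iter("item-descriptor")}
    for desc in ET.fromstring(secured_xml).iter("item-descriptor"):
        item, stored = desc.get("name"), gsa_props.get(desc.get("name"), set())
        for scope in [desc, *desc.findall("property")]:
            where = item if scope is desc else f"{item}.{scope.get('name')}"
            for tag in ("owner-property", "acl-property"):
                for el in scope.findall(tag):
                    if el.get("name") not in stored:  # no storage in wrapped repository
                        findings.append((where, "missing-storage", el.get("name")))
            for el in scope.findall("creation-group-acl-template"):
                rights = sorted(parse_acl(el.get("value", "")).get("$", ()))
                findings.append((where, "group-acl-template", ",".join(rights)))
    return findings

if __name__ == "__main__":
    for finding in audit(GSA_XML, SECURED_XML):
        print(finding)
```

An empty result means every security property has a backing column definition and no group ACL template remains in the secured template.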

Finally, in order to expose these repositories to the ATG Control Center Repository Editor, and to start them up when your application is started, you must add each of them to the initialRepositories property of the /atg/registry/ContentRepositories component:

initialRepositories+=/TestRepository,/SecuredTestRepository
 