The first contact that a user has with the security system is usually a user authority object, which determines who the user is. At its most basic, the user authority object simply provides a persona object for a user with a particular name.
Oracle ATG Web Commerce’s central user authority object is in Nucleus at /atg/dynamo/security/UserAuthority and is an instance of the UserDirectoryUserAuthority class. This class takes the account information from one or more user directories and exposes it through the UserAuthority interface. In the standard configuration, both the ATG Control Center and Profile account information are exposed.
The user authority object also can be responsible for authenticating a user. How it does so depends on the implementation. Typically, a user authority authenticates users through name/password verification, but any sort of identification system is possible, including smart cards, certificates, biometrics, or even profiling—for example, a user can be granted or denied access based on responses to a questionnaire.
There are three user authorities that use the name/password verification approach:

- XmlAccountManager: This read-only implementation derives user information from an XML file. It is intended for prototyping, although it can be useful in a production environment if the set of accounts and identities is not expected to change often or is expected to remain static. Oracle ATG Web Commerce uses an instance of the XmlAccountManager to provide a template for the ATG Control Center account information.
- RepositoryAccountManager: This implementation derives user information from an Oracle ATG Web Commerce repository. The repository can be any type of repository, including XML, SQL, and Profile Repositories. This implementation is for production applications, which typically use a repository-based user authority in conjunction with the Generic SQL Adapter (GSA) connector, which interfaces the Repository API to an SQL database. Oracle ATG Web Commerce uses an instance of the RepositoryAccountManager to manage the ATG Control Center accounts.
- UserDirectoryLoginUserAuthority: Because UserDirectoryUserAuthority can merge multiple account databases, the UserDirectoryLoginUserAuthority is used to expose the login functionality for only a single database (and, thus, a single account namespace). There are two such authorities: /atg/dynamo/security/AdminUserAuthority (for ATG Control Center account information) and /atg/userprofiling/ProfileUserAuthority (for profile accounts).

Oracle ATG Web Commerce does not yet implement authentication mechanisms other than name/password verification, although it is easy to extend the UserAuthority interface as necessary to provide new authentication mechanisms.
All other security objects refer to the user authority to provide namespace separation between different authentication schemes. Two users with the same name (such as peterk) have two different identities to an Oracle ATG Web Commerce application if they are authenticated by two different user authorities. A single user authority often is shared by multiple security objects to obtain single-log-on functionality.
For more information about configuring the ATG User Directory, see the ATG Personalization Programming Guide.