This is an abstract class that extends the AppendAclPolicy class. It provides the base implementation for policies that depend on incoming parameter values to determine access rights to the secured object. In the case of Web services, the secured object is always the Web service method. It provides a concrete implementation of getAdditionalACL that appends all the Personae returned by the abstract getPersonae method.
The abstract getPersonae method takes a map of parameter values created by the getMethodParametersFromSecuredObject method and the incoming SecuredObject instance. You can use the incoming parameter values, and the SecuredObject if necessary, to determine the Personae that should have access to the SecuredObject.
For example, a Web service might provide the ability to edit a profile. If you want to allow both the profile owner and users with the Admin role to make edits, the getPersonae method could return both Personae, resulting in an ACL that looks something like the following:
Profile$user$1234:execute;Profile$role$Admin:execute
The access rights for each persona appended to the ACL are defined in the static variable NEW_PERSONA_RIGHTS.
Important: If no Personae are returned from the getPersonae method, the ACL is appended with deny access for everyone.
Refer to the ATG Platform API Reference for information on the abstract methods for this class.
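The following added example is not ATG code and does not use the ATG classes; it is a stand-alone Java model of the behaviour described above for the profile-editing case, including the deny-for-everyone result when no Personae are returned. The method signatures, the profileId parameter name, the id format check and the DENY_EVERYONE marker are assumptions made for illustration.

```java
import java.util.*;

// Stand-alone model of the policy behaviour described in the text.
// Signatures, parameter names and the deny marker are assumptions, not the ATG API.
public class ProfileEditPolicyDemo {
    // Stands in for the class's NEW_PERSONA_RIGHTS static variable.
    static final String NEW_PERSONA_RIGHTS = "execute";
    // Placeholder: the page does not show the syntax of the deny entry.
    static final String DENY_EVERYONE = "<deny-everyone>";

    // Hypothetical getPersonae: the owner of the profile being edited plus the Admin role.
    static List<String> getPersonae(Map<String, Object> params) {
        Object id = params.get("profileId"); // hypothetical parameter name
        // Validate before building a persona so ACL delimiters cannot come from request input.
        if (!(id instanceof String) || !((String) id).matches("[0-9]{1,18}")) {
            return Collections.emptyList();
        }
        return Arrays.asList("Profile$user$" + id, "Profile$role$Admin");
    }

    // Models getAdditionalACL: one entry per persona, or deny for everyone when there are none.
    static String getAdditionalACL(Map<String, Object> params) {
        List<String> personae = getPersonae(params);
        if (personae.isEmpty()) {
            return DENY_EVERYONE;
        }
        StringJoiner acl = new StringJoiner(";");
        for (String persona : personae) {
            acl.add(persona + ":" + NEW_PERSONA_RIGHTS);
        }
        return acl.toString();
    }

    public static void main(String[] args) {
        Map<String, Object> valid = new HashMap<>();
        valid.put("profileId", "1234");            // constructed sample input
        Map<String, Object> malformed = new HashMap<>();
        malformed.put("profileId", "not-a-number"); // constructed malformed input
        System.out.println(getAdditionalACL(valid));
        System.out.println(getAdditionalACL(malformed));
        System.out.println(getAdditionalACL(new HashMap<>())); // parameter missing
    }
}
```

In this model a missing or malformed profileId also locks out the Admin role, because an empty result means deny for everyone; a policy that should still admit administrators in that case would return the Admin persona alone instead of an empty list.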