The first contact that a user has with the security system is usually a user authority object, which determines who the user is. At its most basic, the user authority object simply provides a persona object for a user with a particular name.
The Oracle Commerce Platform's central user authority object is in Nucleus at /atg/dynamo/security/UserAuthority and is an instance of the UserDirectoryUserAuthority class. This class takes the account information from one or more user directories and exposes it through the UserAuthority interface. In the standard configuration, both the ATG Control Center and Profile account information are exposed.
The user authority object also can be responsible for authenticating a user. How it does so depends on the implementation. Typically, a user authority authenticates users through name/password verification, but any sort of identification system is possible, including smart cards, certificates, biometrics, or even profiling—for example, a user can be granted or denied access based on responses to a questionnaire.
There are three user authorities that use the name/password verification approach:

XmlAccountManager: This read-only implementation derives user information from an XML file. The implementation is intended for prototyping, although it can be useful in a production environment if the set of accounts and identities is not expected to change often or is expected to remain static. The Oracle Commerce Platform uses an instance of the XmlAccountManager to provide a template for the ATG Control Center account information.

RepositoryAccountManager: This implementation derives user information from an Oracle Commerce Platform repository. The repository can be any type of repository, including XML, SQL, and Profile Repositories. This implementation is for production applications, which typically use a repository-based user authority in conjunction with the Generic SQL Adapter (GSA) connector, which interfaces the Repository API to an SQL database. The Oracle Commerce Platform uses an instance of the RepositoryAccountManager to manage the ATG Control Center accounts.

UserDirectoryLoginUserAuthority: Because UserDirectoryUserAuthority can merge multiple account databases, the UserDirectoryLoginUserAuthority is used to expose the login functionality for only a single database (and, thus, account namespace). There are two such authorities: /atg/dynamo/security/AdminUserAuthority (for ATG Control Center account information) and /atg/userprofiling/ProfileUserAuthority (for profile accounts).

The Oracle Commerce Platform does not yet implement authentication mechanisms other than name/password verification, although it is easy to extend the UserAuthority interface as necessary to provide new authentication mechanisms.
All other security objects refer to the user authority to provide namespace separation between different authentication schemes. Two users with the same name (such as peterk) have two different identities to an Oracle Commerce Platform application if they are authenticated by two different user authorities. A single user authority often is shared by multiple security objects to obtain single-log-on functionality.
For more information about configuring the ATG User Directory, see the Personalization Programming Guide.