|
4. XML Security
Overview
To implement
the XML Security, you must:
1. Choose the structure
of the XML Security file
2. Implement the Security API.
This security is provided as a simple example and should not
be used in a production environment.
4.1. Choosing the XML file structure
The XML file provided
as an example contains a DTD that describes the structure of
the file. You can find an example of a security file here.
The different elements are:
XML Element
|
Description
|
| <securityInfo> |
|
| <userList> |
contains the list of allowed users |
| |
<userInfo userid="" password="" role=""
destination="" />
|
describes the user with these attributes:
- userId :
the name of the user
- password :
the password of the user
- role
: the value is one on the XML role defined in the
DTD (admin, developer, power_user, basic_user)
- destination
: default destination allowed for this user.
|
| </userList> |
|
| |
|
<jobList>
|
contains the list of registered reports (jobs).
|
|
<jobInfo jobId="" report=""/>
|
describes the job with these attributes:
- jobId
: name used to reference the report in the authorization
section
- report
: location of the report. The security will use this
string to check the access and should be equal to:
- the
module or report parameter value of the job submission
in the case of paper layout execution. For example
: module=employee.rdf
or report=c:\myReports\dept.rdf
- the
JSP root relative path for a Web layout execution.
For example /reports/employees.jsp or /reports/subdir/dept.jsp
|
| </jobList> |
|
| |
|
<accessList>
|
contains the list of the report and user
associations and the detailed security for each job/user.
|
|
<accessInfo jobname="" >
|
describes
the access info for a job using the attribute:
- jobname
: name of the job from the joblist
element
|
|
<allowedUsers>
|
contains the list of the users allowed to
execute the report specified in the accessInfo element.
|
| |
<user
userId=""> |
describes the user allowed to execute the
report, contains one attribute
- userId
: contains the name of the user
|
| |
|
<allowedDestination> |
contains the list of destinations allowed
for the this report for this user.
|
| |
|
|
<destination>
cache
</destination> |
contains as XML value the destination name,
could be all for all destination or any valid value defined
into the DTD (cache, printer, portal, ...) |
| |
|
</allowedDestination> |
|
| |
|
<allowedTime
start="" end="" /> |
contains a time frame that the user is allowed
to execute the report, the time frame is described in
two attributes:
For example
<allowedTime
start="8:00" end="18:30" />
|
| |
</user> |
|
|
</allowedUsers>
|
|
|
</accessInfo>
|
|
| </accessList> |
|
|
|
| </securityInfo> |
|
|
|
4.2. Implementing the Security API
The following code
handles implementing the Security API.
SecurityPlugin
| Class Name |
oracle.reports.plugin.security.xml.SecurityPlugin |
| Description |
This is the Security implementation for the
XML Security. |
| inherits |
oracle.reports.server.Security |
1. start()
method implementation
This method
is used to start the security system, and it is called during the
startup of the server. The method reads the location of the Security
file from the Properties object received as parameter.
The method also parses the XML, and loads the root Node in a member
of the class. This Node will be used by the security plugin to check
the different authorization rules.
2. authenticate()
method implementation
This method
is used to validate the username and password. The XML Security
class implement a business logic method named checkUserAuth().
This method returns:
- the username as
String if the username and password are correct
- a null object if
the user does not exist or the password is incorrect.
3. getName()
implementation
This method
is used to return the name of the security model to the server.
The implementation of the XML Security returns the location of the
XML Security file.
4. getRole()
implementation
This method
is used to return the role of the user connected.
The XML file supports admin, developer, power_user, basic_user as
role. The Report Server supports ROLE_ADMINISTRATOR, ROLE_DEVELOPER, ROLE_POWER_USER,
ROLE_BASIC_USER.
This method show you how
you can map your own role system to the Reports Server one.
5. jobCommandCheck()
implementation This method
is used to check the security at the job level during the execution.
The implementation navigates in the XML Structure to:
- check if the
report that the authenticated user tries to run is registered
- if the reports
is register, check the Access Control List to check if the
user is
allowed to execute the report
- to the specified
destination
- at this time
using the helper method isBetween()
6. checkUserAuth()
method implementation
This method
is not part of the Security APIs, but a helper method that contains
the logic to check the username and password from the XML file.
This method reads the XML root Node and searches for the XML element
userInfo that contains the correct username and password:
- if the user and
password are correct the method returns the username as String
- if the user does
not exist or if the password is incorrect the method returns
a null object.
7. isBetween()
method implementation
This method is not part
of the Security APIs, but an helper method that contains the logic
to check if the current time is between the start and end time
passed as parameters.
|
Destination
