The configuration of the security object data access object (DAO) differs between the XML DAO and the Database DAO.
▪ Configuration for XML DAO
This configuration is based on the UDTT element factory. The fileDirectory field is the path of the directory holding the four XML files that the XML DAO requires. The following is the sample code for configuring the XML DAO; adjust it to your environment.
▪ Configuration for Database DAO
This configuration is also based on the UDTT element factory. It uses com.ibm.btt.bc.common.pool.ConnectionPool to manage the database connections. There are two ways to configure the connection pool: one uses a datasource defined in the web container, the other uses a conventional DBDriver definition. To use the datasource, disable the connection pool first and then provide the JNDI datasource for it. To use the DBDriver, provide dbDriverName, dbUrl, dbUserName and dbPassword for the connection pool. Where the container offers a datasource, prefer it: the database credentials then stay in the container's configuration rather than in an element factory file that is packaged with the application.
If the schema specified by dbSchema does not exist in the database, create it with the following schema definition file for your database type:
The ISecurityObjectManager interface provides all the methods needed to manage the security objects in the system; use it rather than accessing the stores directly. Refer to its Javadoc for details.
The ISecurityObjectManager interface is used in the same way with the XML DAO and the Database DAO; only the configuration differs. The following is the sample code for the configuration:
// using the XML DAO
BasicElementFactory factory = new BasicElementFactory("jar:///file/test/branch001.xml");
// using the database DAO
// BasicElementFactory factory = new BasicElementFactory("jar:///config/branch001_db.xml");
You can also use this interface on the client side through the UDTT Service Connector. The usage on the client side is the same as on the server side.
There are three methods in the IBTTSecurityManager interface.
public interface IBTTSecurityManager {
    public boolean validateUserByPassword(String userId, String password) throws BTTSecurityException;
    public boolean checkAccess(String nameOfService, String userId) throws BTTSecurityException;
    public List<String> checkAvailableServices(String userId, List<String> serviceList) throws BTTSecurityException;
}
▪ validateUserByPassword(...)
Used to authenticate a user based on the password, and check whether the user is active.
▪ checkAccess(...)
Used to check if the user that is specified by the userId value is authorized to access the service which is specified by the nameOfService value.
▪ checkAvailableServices(...)
Used to filter the service list based on the authorization of the user that is specified by the userId value and return the filtered list.
The following is the sample code for using the IBTTSecurityManager interface on the server side.
BasicElementFactory factory = new BasicElementFactory("jar:///config/branch001.xml");
IBTTSecurityManager securityManager = (IBTTSecurityManager) factory.getElement("securityManager");
if (securityManager.validateUserByPassword("user01", "password")) {
    if (securityManager.checkAccess("service01", "user01")) {
        // access or execute "service01"
    }
    List<String> serviceList = new ArrayList<String>();
    serviceList.add("service01");
    serviceList.add("service02");
    List<String> alist = securityManager.checkAvailableServices("user01", serviceList);
    // access or execute only the services in alist
}
You can also use the interface on the client side on the UDTT Service Connector. The usage on the client side is the same as that on the server side.
The policy for password creation and encryption is defined in the IPasswordPolicy interface. UDTT Access Control provides a default implementation, com.ibm.btt.bc.ac.DefaultPasswordPolicy in bttbcaccommon.jar, only to demonstrate the usage of this interface. Customize this interface to meet the password management policy of your business.
There are two methods in the IPasswordPolicy interface.
public interface IPasswordPolicy {
    public String generatePassword(String userid) throws BTTSecurityException;
    public String encryptPassword(Serializable info) throws BTTSecurityException;
}
▪ generatePassword(...)
Defines how a password is generated for the user specified by the userid value, and returns that password.
▪ encryptPassword(...)
Encodes the password using info as the key, and returns the encrypted password. The security manager stores this value and recomputes it when a user logs on, so the encoding must give the same result for the same input.
After you customize the IPasswordPolicy interface, inject your implementation into the configuration of the IBTTSecurityManager interface. The following is the sample configuration for a customized IPasswordPolicy (replace DefaultPasswordPolicy with your own class; the Injection property name passwordPolicy below follows the securityObjectManager pattern and must match the property your UDTT version exposes):
<!-- branch001.xml -->
<com.ibm.btt.bc.ac.DefaultPasswordPolicy id="passwordPolicy" />
<com.ibm.btt.bc.ac.impl.BTTSecurityManager id="securityManager">
    <ref Injection="securityObjectManager" refId="securityObjectManager" />
    <ref Injection="passwordPolicy" refId="passwordPolicy" />
</com.ibm.btt.bc.ac.impl.BTTSecurityManager>
<!-- the configuration for IBTTSecurityObjectManager -->
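The following is an added example of a customized IPasswordPolicy; it is not UDTT's DefaultPasswordPolicy and not code from this page. It generates a random initial password with SecureRandom instead of reusing the user ID, and encodes passwords with PBKDF2-HMAC-SHA256 so that the stored value cannot be reversed. Two things are assumed because the page does not state them: the Serializable handed to encryptPassword is the plaintext password as a String, and BTTSecurityException has a constructor taking a message (its package is also assumed in the import). The system property name btt.ac.passwordSalt is this example's own.

```java
// Added example, not UDTT's own DefaultPasswordPolicy.
// Assumptions (not stated on the original page): info passed to encryptPassword is the
// plaintext password as a String; BTTSecurityException(String) exists; import package of
// BTTSecurityException; the system property name btt.ac.passwordSalt is ours.
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import com.ibm.btt.bc.ac.IPasswordPolicy;
import com.ibm.btt.bc.ac.BTTSecurityException; // package assumed

public class RandomPasswordPolicy implements IPasswordPolicy {

    // No 0/O or 1/l/I, so an initial password can be read out to the user without ambiguity.
    private static final String ALPHABET =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    private static final int PASSWORD_LENGTH = 12;
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Deployment-wide secret salt. validateUserByPassword has to recompute the value that was
    // stored at creation, so the salt cannot be random per call; keep it out of the source tree.
    private final byte[] salt;

    public RandomPasswordPolicy() {
        String configured = System.getProperty("btt.ac.passwordSalt");
        if (configured == null || configured.length() < 16) {
            throw new IllegalStateException("system property btt.ac.passwordSalt must be set (16+ chars)");
        }
        this.salt = configured.getBytes(StandardCharsets.UTF_8);
    }

    /** Initial password for a newly created user: random, never derived from the user ID. */
    public String generatePassword(String userid) throws BTTSecurityException {
        if (userid == null || userid.trim().isEmpty()) {
            throw new BTTSecurityException("user id is required");
        }
        StringBuilder sb = new StringBuilder(PASSWORD_LENGTH);
        for (int i = 0; i < PASSWORD_LENGTH; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** One-way PBKDF2-HMAC-SHA256 of the password; deterministic for a given input and salt. */
    public String encryptPassword(Serializable info) throws BTTSecurityException {
        if (!(info instanceof String)) {
            throw new BTTSecurityException("expected the plaintext password as a String");
        }
        char[] password = ((String) info).toCharArray();
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        try {
            byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                             .generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(derived);
        } catch (GeneralSecurityException e) {
            throw new BTTSecurityException("password hashing failed: " + e.getMessage());
        } finally {
            // do not leave the plaintext in memory longer than needed
            spec.clearPassword();
            Arrays.fill(password, '\0');
        }
    }
}
```

To activate it, replace com.ibm.btt.bc.ac.DefaultPasswordPolicy in branch001.xml with this class while keeping id="passwordPolicy", and set btt.ac.passwordSalt in the server's JVM properties rather than in the deployed configuration. Because generatePassword no longer returns the user ID, the generated initial password has to be delivered to the user by the administrator, which is what a real onboarding process requires anyway.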
UNICOM® Digital Transformation Toolkit (UDTT™) lets you grant Execute permission on an operation or flow to a specific user: it provides an empty method, checkExecutePermission, which you override.
1 Before executing an operation or flow, UDTT checks the Execute permission inside HtmlRequestHandler. The first step is therefore to derive a class from HtmlRequestHandler, called MyHtmRequestHandler here, and register MyHtmRequestHandler in btt.xml as the request handler for the HTML channel.
public class MyHtmRequestHandler extends HtmlRequestHandler {
    // This API is empty in HtmlRequestHandler and is expected to be overridden
    protected Object executeProcessorRequest(ChannelContext channelContext) {
        // check the Execute permission here (see the following steps) before the
        // operation or flow runs, then continue with the default processing
        return super.executeProcessorRequest(channelContext);
    }
}
▪ Set the Execute permission by using the following API to access SessionContext, which holds the details the check needs, such as the user ID and the operation/flow ID.
▪ Define a custom exception, ACLException, to handle refused access and errors. For more information, see Using custom exception in HTML channel. Specifically, create an error page named ACLException.jsp and add the following code to preProcessException():
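The following is an added example, not UDTT's own code, of the decision that MyHtmRequestHandler.executeProcessorRequest should make before it runs an operation or flow. The caller reads the user ID and the operation/flow ID from SessionContext (the accessor is the one referred to in the steps above and is not repeated here) and passes them in; everything else is deny by default. Assumptions not on this page: the operation/flow ID is registered as a service in Service Management so that checkAccess can be asked about it; ACLException is an application-defined RuntimeException (the page only says to define it); and the import package of BTTSecurityException.

```java
// Added example, not UDTT's own code: deny-by-default Execute permission check for
// MyHtmRequestHandler. Assumptions (not on the original page): the operation/flow ID is the
// service name known to IBTTSecurityManager; ACLException is an application-defined
// RuntimeException; package of BTTSecurityException.
import java.util.ArrayList;
import java.util.List;

import com.ibm.btt.bc.ac.IBTTSecurityManager;
import com.ibm.btt.bc.ac.BTTSecurityException; // package assumed

public final class ExecutePermissionGate {

    private final IBTTSecurityManager manager;

    public ExecutePermissionGate(IBTTSecurityManager manager) {
        if (manager == null) {
            throw new IllegalArgumentException("security manager is required");
        }
        this.manager = manager;
    }

    /**
     * Permits execution only when the security manager answers yes. A missing user, a missing
     * operation ID, a negative answer, or any error while asking are all treated as a refusal,
     * so a misconfigured or unreachable security store never turns into a permit.
     */
    public void checkExecutePermission(String userId, String operationId) {
        if (isBlank(userId)) {
            throw new ACLException("no authenticated user in the session");
        }
        if (isBlank(operationId)) {
            throw new ACLException("request does not name an operation or flow");
        }
        boolean allowed = false;
        try {
            allowed = manager.checkAccess(operationId, userId);
        } catch (BTTSecurityException e) {
            // fail closed: an error is not a permit
            throw new ACLException("permission check failed for " + userId + " on " + operationId, e);
        }
        if (!allowed) {
            throw new ACLException("user " + userId + " is not authorized to execute " + operationId);
        }
    }

    /**
     * Menu filtering: of the operations a page could offer, returns only those the user may
     * execute. On error it returns an empty list, never the unfiltered candidates.
     */
    public List<String> permittedOperations(String userId, List<String> candidateOperations) {
        if (isBlank(userId) || candidateOperations == null || candidateOperations.isEmpty()) {
            return new ArrayList<String>();
        }
        try {
            List<String> permitted = manager.checkAvailableServices(userId, candidateOperations);
            return permitted == null ? new ArrayList<String>() : permitted;
        } catch (BTTSecurityException e) {
            return new ArrayList<String>();
        }
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }
}

/** Thrown when Execute permission is refused; the HTML channel maps it to ACLException.jsp. */
class ACLException extends RuntimeException {
    ACLException(String message) { super(message); }
    ACLException(String message, Throwable cause) { super(message, cause); }
}
```

In MyHtmRequestHandler.executeProcessorRequest, construct the gate once with the IBTTSecurityManager obtained from the element factory (getElement("securityManager")) and call gate.checkExecutePermission(userId, operationId) before super.executeProcessorRequest(channelContext); an ACLException then leaves the method before any operation or flow code runs. Hiding menu entries with permittedOperations is a usability measure only; the check in the handler is what enforces the permission, since a user can request an operation ID directly.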
To use the Administration UI in Rich Client, perform the following procedure:
1 Configure the IBTTSecurityObjectManager interface on the server side.
2 Configure the UDTT Service Connector on the server side. Deploy the com.ibm.btt.webapp.BTTServerStarter and com.ibm.btt.remote.BTTRemoteConnector classes to the server.
The following is the sample code for configuring the UDTT Service Connector on the server side.
where AccessControlClientConfig is a helper class for the Administration UI configuration, and serviceUrl is the URL of the BTTRemoteConnector servlet that you deployed to the server.
4 Configure the Administration UI in Rich Client.
The Administration UI of UDTT Access Control is an Eclipse plug-in which is designed as a UDTT Business Component Activity (com.ibm.btt.bc.common.activity.BCActivity). The definition of this activity is different from other activity definitions. You need to specify not only the composite class, but also the initialized object ID for the UI. The initialized object ID is located in the definition file of the element factory.
The following figure illustrates how to define a business component activity for the user management. The definitions for service, right, and role management are the same as for user management in the figure, except for the parameter field.
▪ User Management parameter: com.ibm.btt.bc.ac.rcp.factory.QueryUserCompositeFactory;clientConfig
▪ Service Management parameter: com.ibm.btt.bc.ac.rcp.factory.QueryServiceCompositeFactory;clientConfig
▪ Right Management parameter: com.ibm.btt.bc.ac.rcp.factory.QueryRightCompositeFactory;clientConfig
▪ Role Management parameter: com.ibm.btt.bc.ac.rcp.factory.QueryRoleCompositeFactory;clientConfig
The following figure is the first page for managing the security user.
▪ To search for a user:
Fill in the search conditions and click Search. The user that meets the search condition is listed in the table on the same page. Use the following figure for reference.
Note The wildcard (_) substitutes exactly one character and can be used only once in the string; the wildcard (%) substitutes any sequence of characters and can be used more than once.
▪ To create a user:
Click New User on the first page. The Create User page is displayed as shown in the following figure. Provide the necessary user information and user roles, and then click Save User.
Note You can also set the start date and the end date for the user or the role to specify when the user or the role is valid.
The password for the newly created user is generated by the com.ibm.btt.bc.ac.IPasswordPolicy.generatePassword(…) function. By default, the password is the same as the user ID, which is acceptable only for demonstration: anyone who knows a user ID knows the initial password. Change this behavior for any real deployment by customizing the IPasswordPolicy interface.
▪ To update a user:
Select the user item that you want to update in the table on the first page and click Update User. The Update User page is displayed as shown in the following figure. Modify the user information or the user roles as required, and then click Save User.
▪ To delete a user:
Select the user item that you want to delete in the table on the first page and then click Delete User.
Security Service Management
The following figure is the first page for managing the security service.
▪ To search for a service:
Fill in the search conditions and click Search. The service that meets the search condition is listed in the table on the same page. See the following figure for an example.
Note The wildcard (_) substitutes exactly one character and can be used only once in the string; the wildcard (%) substitutes any sequence of characters and can be used more than once.
▪ To create a service:
Click New Service on the first page. The Create Service page is displayed as shown in the following figure. Provide the necessary service information and required rights, and then click Save Service.
▪ To update a service:
Select the service item that you want to update in the table on the first page and click Update Service. The Update Service page is displayed. Modify the service information or the required rights, and then click Save Service.
▪ To delete a service:
Select the service item that you want to delete in the table on the first page and then click Delete Service.
Security Role Management
The following figure is the first page for managing the security role.
▪ To search for a role:
Fill in the search conditions and click Search. The role that meets the search condition is listed in the table on the same page. See the following figure for an example.
Note The wildcard (_) substitutes exactly one character and can be used only once in the string; the wildcard (%) substitutes any sequence of characters and can be used more than once.
▪ To create a role:
Click New Role on the first page. The Create Role page is displayed as shown in the following figure. Provide the necessary role information, assign the right to the role, set the subrole of this new role, and then click Save Role.
Note If a role has subroles, it inherits all the rights of its subroles. Review the subrole list when you assign a role, because the rights it grants may be more than those listed for the role itself.
▪ To update a role:
Select the role item that you want to update in the table on the first page and click Update Role. The Update Role page is displayed as shown in the following figure. Modify the role information, the right list or the subrole list, and then click Save Role.
▪ To delete a role:
Select the role item that you want to delete in the table on the first page and then click Delete Role.
Security Right Management
The following figure is the first page for managing the security right.
▪ To search for a right:
Fill in the search conditions and click Search. The right that meets the search condition is listed in the table on the same page. See the following figure for an example.
Note The wildcard (_) substitutes exactly one character and can be used only once in the string; the wildcard (%) substitutes any sequence of characters and can be used more than once.
▪ To create a right:
Click New Right on the first page. The Create Right page is displayed as shown in the following figure. Provide the necessary right information, and then click Save Right.
▪ To update a right:
Select the right item that you want to update in the table on the first page and click Update Right. The Update Right page is displayed as shown in the following figure. Modify the right information, and then click Save Right.
▪ To delete a right:
Select the right item that you want to delete in the table on the first page and then click Delete Right.
You can customize the Administration UI by performing the following operations.
▪ Customize the password generation policy for the newly created user
The password for the newly created user is generated by the com.ibm.btt.bc.ac. IPasswordPolicy.generatePassword(…) function. By default, the password is the same as the user ID. You can change this behavior by customizing the IPasswordPolicy interface.
▪ Internationalize the Administration UI
Multiple languages are supported by the Administration UI of UDTT Access Control. All the messages used by the Administration UI are defined in the messages.properties file in the com.ibm.btt.bc.ac.rcp package. English is the default language.
Perform the following steps to use another language:
▪ Translate the messages.properties file into the required language.
▪ Issue the native2ascii command of the JDK at the command line to convert the translated file to the escaped ASCII form that a properties file requires. (native2ascii ships with JDK 8 and earlier; JDK 9 and later removed it, and their property resource bundles can read UTF-8 files directly.)