...
urn:com.cohga.server.acl#1.0
Tags
acl
Properties
Name | Type | Required | Description |
id | string | yes | unique identifier |
Sub-tags
Name | Type | Cardinality |
entry | urn:com.cohga.server.acl#1.0:entry | 1..n |
Content
None
entry
Properties
Name | Type | Required | Description |
type | 'allow', 'deny' or 'acl' | yes | decides if this entry should allow or deny access or is a reference to another ACL |
Sub-tags
None
Content
The name of a group that the user belongs to, `*` to match any group, or (when type is 'acl') a reference to another urn:com.cohga.server.acl#1.0:acl
...
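<!-- Allow access to anyone as default, then restrict the important stuff. -->
<!-- If no ACL is specified, or none of the specified ACLs produce a match, -->
<!-- then acl.default will be used. -->
<!-- With an allow-all default, an entity that has no ACL attached (road and -->
<!-- property below) is open to every user, so a forgotten ACL fails open. -->
<!-- NOTE(review): '*' presumably also matches users who have not logged in; -->
<!-- confirm before relying on this default. -->
<acl:acl id="acl.default">
  <entry type="allow">*</entry>
</acl:acl>

<!-- Only users with the ROLE_ADMINISTRATOR role get access to 'private' stuff; -->
<!-- everyone else is explicitly denied. -->
<acl:acl id="private">
  <entry type="allow">ROLE_ADMINISTRATOR</entry>
  <entry type="deny">*</entry>
</acl:acl>

<!-- ROLE_ADMINISTRATOR and ROLE_USER get access to 'internal' stuff; -->
<!-- everyone else is explicitly denied. -->
<acl:acl id="internal">
  <entry type="allow">ROLE_ADMINISTRATOR</entry>
  <entry type="allow">ROLE_USER</entry>
  <entry type="deny">*</entry>
</acl:acl>

<!-- Everyone gets access to roads and property: no ACL is attached, so -->
<!-- acl.default (allow '*') applies. -->
<entity:entity id="road">
  <label>Road</label>
</entity:entity>
<entity:entity id="property">
  <label>Property</label>
</entity:entity>

<!-- Users matching the 'internal' acl get access to rates. -->
<entity:entity id="rates">
  <label>Rates</label>
  <acl:acl id="internal"/>
</entity:entity>

<!-- Users matching the 'private' acl get access to users. -->
<entity:entity id="users">
  <label>Users</label>
  <acl:acl id="private"/>
</entity:entity>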
...
<!-- Deny by default: every entity must now be granted access explicitly. -->
<!-- Declaring this is not strictly needed, since it happens as soon as an ACL -->
<!-- is created, but it is spelled out here for completeness. -->
<acl:acl id="acl.default">
  <entry type="deny">*</entry>
</acl:acl>

<!-- 'private': ROLE_ADMINISTRATOR is allowed; anyone else falls back to -->
<!-- acl.default. There is no deny entry here, so this ACL only restricts -->
<!-- access while acl.default stays deny. -->
<acl:acl id="private">
  <entry type="allow">ROLE_ADMINISTRATOR</entry>
</acl:acl>

<!-- 'internal': ROLE_ADMINISTRATOR and ROLE_USER are allowed; anyone else -->
<!-- falls back to acl.default. As with 'private', the restriction depends on -->
<!-- acl.default remaining deny. -->
<acl:acl id="internal">
  <entry type="allow">ROLE_ADMINISTRATOR</entry>
  <entry type="allow">ROLE_USER</entry>
</acl:acl>

<!-- 'anyone': allows every group; attach it only to entities meant to be -->
<!-- visible to everyone. -->
<acl:acl id="anyone">
  <entry type="allow">*</entry>
</acl:acl>

<!-- Roads and property have to be opened up explicitly under a deny default. -->
<entity:entity id="road">
  <label>Road</label>
  <acl:acl id="anyone"/>
</entity:entity>
<entity:entity id="property">
  <label>Property</label>
  <acl:acl id="anyone"/>
</entity:entity>

<!-- Rates use 'internal' and users use 'private'. -->
<entity:entity id="rates">
  <label>Rates</label>
  <acl:acl id="internal"/>
</entity:entity>
<entity:entity id="users">
  <label>Users</label>
  <acl:acl id="private"/>
</entity:entity>
...
<acl:acl id="acl.default">
  <!-- Require a login: anonymous users are denied by the default ACL. -->
  <!-- NOTE(review): this relies on entries being checked in the order written, -->
  <!-- so the anonymous deny has to stay above the '*' allow; confirm the -->
  <!-- evaluation order. -->
  <entry type="deny">anonymous</entry>
  <!-- Everything not explicitly denied by another ACL stays accessible. -->
  <entry type="allow">*</entry>
</acl:acl>

<!-- Attach to items that only planners should reach: ROLE_PLANNERS is allowed, -->
<!-- everyone else is denied. -->
<acl:acl id="planners">
  <entry type="allow">ROLE_PLANNERS</entry>
  <entry type="deny">*</entry>
</acl:acl>

<!-- Attach to items that only engineers should reach: ROLE_ENGINEERS is -->
<!-- allowed, everyone else is denied. -->
<acl:acl id="engineers">
  <entry type="allow">ROLE_ENGINEERS</entry>
  <entry type="deny">*</entry>
</acl:acl>