...
Allow access to everything then remove access, this is the easiest setup but a mistake could allow access to restricted information
| Code Block |
|---|
|
<!-- Allow access to anyone as default, then restrict the important stuff -->
<!-- If no ACL is specified or none of the specified ACL's produce a match -->
<!-- then acl.default will be used -->
<acl:acl id="acl.default">
<entry type="allow">*</entry>
</acl:acl>
<!-- Only users with the ROLE_ADMINISTRATOR role get access to 'private' stuff -->
<!-- everyone else is explicitly denied -->
<acl:acl id="private">
<entry type="allow">ROLE_ADMINISTRATOR</entry>
<entry type="deny">*</entry>
</acl:acl>
<!-- ROLE_ADMINISTRATOR and ROLE_USER get access to 'internal' stuff -->
<!-- everyone else is explicitly denied --><acl:acl id="internal">
<entry type="allow">ROLE_ADMINISTRATOR</entry>
<entry type="allow">ROLE_USER</entry>
<entry type="deny">*</entry>
</acl:acl>
<!-- everyone gets access to roads and property -->
<entity:entity id="road">
<label>Road</label>
</entity:entity>
<entity:entity id="property">
<label>Property</label>
</entity:entity>
<!-- users matching the 'internal' acl get access to rates -->
<entity:entity id="rates">
<label>Rates</label>
<acl:acl id="internal"/>
</entity:entity>
<!-- users matching the 'private' acl get access to uers -->
<entity:entity id="users">
<label>Users</label>
<acl:acl id="private"/>
</entity:entity>
|
Deny access to everything then add access, most secure option, but a lot of work to ensure you attach an ACL to everything
| Code Block |
|---|
xml |
|---|
|
<!-- Set deny as default, but now we have to make sure we set access explicitly for everything -->
<!-- we don't really need to do this since it happens as soon as we create an ACL, but for completeness... -->
<acl:acl id="acl.default">
<entry type="deny">*</entry>
</acl:acl>
<!-- Create a private ACL, but fall back to acl.default -->
<!-- ROLE_ADMINISTRATOR will be allowed -->
<!-- anyone else will fall back to acl.default -->
<acl:acl id="private">
<entry type="allow">ROLE_ADMINISTRATOR</entry>
</acl:acl>
<!-- Create an internal ACL, but fall back to acl.default -->
<!-- ROLE_ADMINISTRATOR and ROLE_USER will be allowed -->
<!-- anyone else will fall back to acl.default -->
<acl:acl id="internal">
<entry type="allow">ROLE_ADMINISTRATOR</entry>
<entry type="allow">ROLE_USER</entry>
</acl:acl>
<acl:acl id="anyone">
<entry type="allow">*</entry>
</acl:acl>
<!-- now we have to explicitly grant access to roads and property -->
<entity:entity id="road">
<label>Road</label>
<acl:acl id="anyone"/>
</entity:entity>
<entity:entity id="property">
<label>Property</label>
<acl:acl id="anyone"/>
</entity:entity>
<entity:entity id="rates">
<label>Rates</label>
<acl:acl id="internal"/>
</entity:entity>
<entity:entity id="users">
<label>Users</label>
<acl:acl id="private"/>
</entity:entity>
|
Recommended default acl usage example for internal Weave instance
| Code Block |
|---|
xml |
|---|
|
<acl:acl id="acl.default">
<!-- Setup the default acl so that users have to be logged in before they can access the system by denying access to anonymous users -->
<entry type="deny">anonymous</entry>
<!-- but still provide access to everything that hasn't explicitly been denied with other acl's -->
<entry type="allow">*</entry>
</acl:acl>
<!-- Attach this acl to items that only planners should have access to -->
<acl:acl id="planners">
<entry type="allow">ROLE_PLANNERS</entry>
<entry type="deny">*</entry>
</acl:acl>
<!-- Attach this acl to items that only engineers should have access to -->
<acl:acl id="engineers">
<entry type="allow">ROLE_ENGINEERS</entry>
<entry type="deny">*</entry>
</acl:acl>
|