Tuesday, March 25, 2014

Access Control Policies overview !!

There are 2 levels of access controls provided for WebSphere Commerce.
1. WAS protects EJB's and Servlets.
2. WebSphere Commerce provides low level fine grained access control  framework based on access control policies to various types of users (registered/guest/customer service rep/sales managers).
and
3. It is always recommended to guard a WebSphere Commerce Server is always by a Firewall that will help internet clients from not being able to directly access resource in WebSphere Commerce.

WebSphere Application Server layer security and access control: 

1. Servlets and EJB's are configured to be invoked only by a chosen identity through declarative security and hence during EJB creation, we select use identity of EJB server and using identity of EJB server field ensures that all EJB beans run under the same identity for security.
2. WAS provides multiple security features such as 1. Global Security. 2. security domains can be configured with different scope 3. WAS utilizes SSL for secure connection between client and server and hence any third party integration's requires certificates to be installed. 4. In cases where standard authentication is not sufficient, WAS supports JAAS for higher level of security.

WebSphere Commerce Access Control Framework: Authorization model

Info center provides a good read on users/actions/resources//relationships but i am going to start with the practical case. There are always cases when we need to implement a custom access policy but most of the times, when adding access control in *ACP.xml. There are 2 levels of access control
  •    Command Level access control
  •    Resource Level access control
"Access control policies are enforced by the access control Policy Manager. 
In general, when a user attempts to access a protected resource, the access control policy manager first determines what access control policies are applicable for that user 
and then, based upon the applicable access control policies, it determines if the user is allowed to perform the requested operation on the given resource".

Most developers need to get the basic view and command level entries right, which is explained below and only on few times, would get an opportunity to implement custom access policy.


1. We create actions for views and commands
<Action Name="ABCItemExtView" CommandName="ABCItemExtView" />
<Action Name="ABCSyncPersonControllerCmd" CommandName="ABCSyncPersonControllerCmd" />
<Action Name="com.custom.soi.member.commands.ABCSyncPersonControllerCmd" CommandName="com.custom.soi.member.commands.ABCSyncPersonControllerCmd"></Action>
2. Assign actions to action groups as ActionGroupAction for views 
E.g. action groups
<ActionGroup Name="ProductManagersViews" OwnerID="RootOrganization">
<ActionGroup Name="AllSiteUsersViews" OwnerID="RootOrganization">
<ActionGroup Name="RegisteredUserViews" OwnerID="RootOrganization">
<ActionGroup Name="CustomerServiceRepresentativeViews" OwnerID="RootOrganization">
Assignment example:
<ActionGroup Name="ProductManagersViews" OwnerID="RootOrganization">
      <ActionGroupAction Name="ABCItemExtView"/>
     </ActionGroup>

<ActionGroup Name="RegisteredUserViews" OwnerID="RootOrganization">
       <ActionGroupAction Name="ABCSyncPersonControllerCmd" />
</ActionGroup&gt

3. Creating resource categories for commands
ResourceBeanClass="com.custom.soi.member.commands.ABCSyncPersonControllerCmd">

4. Assigning resource category to resource groups for commands as ResourceGroupResource

e.g. Resource groups
<ResourceGroup Name="AllSiteUserCmdResourceGroup" OwnerID="RootOrganization">
<ResourceGroup Name="CustomerServiceRepCmdResourceGroup" OwnerID="RootOrganization">
<ResourceGroup Name="RegisteredUserCmdResourceGroup" OwnerID="RootOrganization">

<ResourceGroup Name="BecomeUserCmdsResourceGroup" OwnerID="RootOrganization">
Assignment example:
<ResourceGroup Name="AllSiteUserCmdResourceGroup" OwnerID="RootOrganization">
<ResourceGroupResource Name="com.custom.soi.member.commands.ABCSyncPersonControllerCmdResourceCategory" />
</ResourceGroup>

Run acpload or in V7, dataloader will take care of it as it would internally run the ACPLoad
CMD:
select * from acresgrp where acresgrp_id in
(
select acresgrp_id from acresgpres where acrescgry_id =
(select acrescgry_id from acrescgry where resclassname like '%ABCSyncPersonControllerCmd%')
)

VIEWS:
select * from acpolicy where acactgrp_id in (select acactgrp_id
from acactactgp where acaction_id
in (select ACACTION_ID from ACACTION where ACTION = 'ABCItemExtView'))

select groupname from ACACTACTGP a, ACACTGRP b where acaction_id = (select acaction_id from ACACTION where action like '%ABCItemExtView%')
and a.acactgrp_id = b.acactgrp_id


Reference:
http://pic.dhe.ibm.com/infocenter/wchelp/v7r0m0/index.jsp?topic=/com.ibm.commerce.data.doc/refs/rdmattrdict.htm

Acronyms:
WAS: WebSphere Application Server
SSL : Secure Socket Layer
JAAS: Java Authenticating and Authorization services