Protectable interface
A key requirement for a resource to be protected by WebSphere Commerce access control policies is that the resource implements the com.ibm.commerce.security.Protectable interface. This interface is most commonly used with enterprise beans and data beans, but only those beans that actually require protection need to implement it. With the Protectable interface, a resource must provide two key methods: getOwner() and fulfills(Long member, String relationship).
The getOwner method returns the memberId of the owner of the protectable resource. The owner is used to determine which policies apply to the resource and can be either a user or an organization. If the owner is a user, the access control policy manager uses that user's parent organization as the basis for determining which policies to apply. If the organization that owns the resource subscribes to one or more policy groups, only the policies in those policy groups apply to the resource. If the owning organization does not subscribe to any policy groups, the access control policy manager searches up the organization hierarchy until it encounters the closest ancestor organization that subscribes to at least one policy group, and then applies the policies belonging to those policy groups.
The fulfills(Long member, String relationship) method returns true only if the given member satisfies the required relationship with respect to the resource. Typically the member is a single user, but it can also be an organization; that is the case when the access control policy uses a relationship group.
By default, the fulfills method on a particular resource can simply return false, because the "owner" relationship is resolved by the policy manager from getOwner() rather than from fulfills. A nontrivial implementation of fulfills is needed when there are policies for the resource that involve a relationship other than "owner", or when the policies involve a relationship group. For relationship groups, only the last <parameter name="Relationship" value="aValue"/> element in each relationship chain must be handled by the resource's fulfills method; the rest of the relationship chain parameter elements are handled internally by the access control policy manager.
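The following is an added example of a resource implementing the two methods described above. It is not WebSphere Commerce product code: the ReturnRequestBean class, its fields, and the "creator" and "approver" relationship names are hypothetical, and the `throws Exception` clauses are an assumption about the interface signature. It assumes the com.ibm.commerce.security.Protectable interface from the WebSphere Commerce runtime is on the classpath.

```java
// Added example, not WebSphere Commerce product code. Assumes the
// com.ibm.commerce.security.Protectable interface from the WebSphere Commerce
// runtime is on the classpath. The class name, field names, relationship names
// and the "throws Exception" clauses are assumptions made for illustration.
import com.ibm.commerce.security.Protectable;

/**
 * Hypothetical protectable resource: a return request that a shopper created
 * against a store owned by an organization.
 */
public class ReturnRequestBean implements Protectable {

    // Relationship names used by the (hypothetical) policies for this resource.
    // "owner" is deliberately absent: the policy manager resolves it via getOwner().
    public static final String REL_CREATOR = "creator";
    public static final String REL_APPROVER = "approver";

    private final Long ownerOrganizationId; // memberId of the owning organization
    private final Long creatorMemberId;     // memberId of the user who created the request
    private final Long approverMemberId;    // memberId of the assigned approver, may be null

    public ReturnRequestBean(Long ownerOrganizationId, Long creatorMemberId, Long approverMemberId) {
        this.ownerOrganizationId = ownerOrganizationId;
        this.creatorMemberId = creatorMemberId;
        this.approverMemberId = approverMemberId;
    }

    /**
     * The owner selects the policy groups. Returning the store's organization
     * means the policy manager uses that organization's subscriptions, or walks
     * up the organization hierarchy to the nearest subscribing ancestor.
     */
    public Long getOwner() throws Exception {
        return ownerOrganizationId;
    }

    /**
     * Returns true only when member satisfies the named relationship.
     * Any relationship this resource does not recognize falls through to
     * false, so a policy naming an unimplemented relationship denies access
     * rather than granting it.
     */
    public boolean fulfills(Long member, String relationship) throws Exception {
        if (member == null || relationship == null) {
            return false;
        }
        if (REL_CREATOR.equals(relationship)) {
            return member.equals(creatorMemberId);
        }
        if (REL_APPROVER.equals(relationship)) {
            return approverMemberId != null && member.equals(approverMemberId);
        }
        return false;
    }

    // Stand-alone exercise of the contract with constructed memberIds.
    // Not invoked by the Commerce server, which calls the two methods itself.
    public static void main(String[] args) throws Exception {
        Long storeOrg = Long.valueOf(-2001L);
        Long shopper = Long.valueOf(1001L);
        Long approver = Long.valueOf(1002L);
        ReturnRequestBean rr = new ReturnRequestBean(storeOrg, shopper, approver);

        System.out.println("owner: " + rr.getOwner());
        System.out.println("shopper is creator: " + rr.fulfills(shopper, REL_CREATOR));
        System.out.println("approver is creator: " + rr.fulfills(approver, REL_CREATOR));
        System.out.println("approver is approver: " + rr.fulfills(approver, REL_APPROVER));
        System.out.println("unknown relationship: " + rr.fulfills(shopper, "submitter"));
    }
}
```

The fail-closed default at the end of fulfills is the security-relevant choice: because the policy manager treats a true return as satisfying the relationship, an implementation that returned true for relationships it did not actually check would grant access under any policy that named them. When a policy uses a relationship group, the relationship string passed in is the value of the last `<parameter name="Relationship" .../>` element in the chain, so that is the only name the method needs to recognize.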
Related concepts
Authorization
Access control implications when a controller command is extended
Related tasks
Implementing access control