Protecting data beans

Protecting data beans

Data beans contain information about business objects and are used to display object information about a Web page. Dynamic Web pages are usually mapped to views within WebSphere Commerce, and these views are protected by role-based policies. It is sometimes necessary to further protect the content of the Web page by protecting its data beans, if they exist.

Task info
When data beans are populated using the DataBeanManager.activate(..) method, the data bean managers enforce access control on them. Data beans can be protected directly or indirectly, using the Delegator interface. Directly protected data beans also implement the com.ibm.commerce.security.Protectable interface. If an indirectly protected data bean does not implement the Delegator interface, or returns a null value for the getDelegate() method, it is not protected and can be displayed by anyone.The following is an example of a resource-level policy for a data bean:
<Policy Name="AllUsersDisplayOrderDataBeanResourceGroup"
        OwnerID="RootOrganization"
        UserGroup="AllUsers"
        ActionGroupName="DisplayDatabeanActionGroup"
        ResourceGroupName="OrderDataBeanResourceGroup"
        RelationName="creator"
        PolicyType="groupableStandard">
</Policy>
The ActionGroupName, DisplayDatabeanActionGroup, indicates that this policy is a policy for data beans. This action group includes one Display action. where:
Name

The name of this policy.

UserGroup

The access group containing the users to whom the policy applies. In this case, it includes all users.

ActionGroupName

The value DisplayDatabeanActionGroup indicates that it is a resource-level policy for data beans.

ResourceGroupName

The name of the resource group containing the data beans to be protected.

RelationName

The relationship that must be fulfilled between a user and the resource. In this case, the user must be the creator of the business Order resource.

The OrderDataBeanResourceGroup is defined as follows:
<ResourceGroup Name="OrderDataBeanResourceGroup"
OwnerID="RootOrganization">
        <ResourceGroupResource
Name="com.ibm.commerce.order.beans.OrderListDataBeanResourceCategory"/>
        <ResourceGroupResource
Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"/>
</ResourceGroup>
The OrderDataBeanResourceGroup consists of two resources. The following is a sample resource definition for a data bean:
<ResourceCategory
Name="com.ibm.commerce.order.beans.OrderDataBeanResourceCategory"
ResourceBeanClass="com.ibm.commerce.order.beans.OrderDataBean">
        <ResourceAction Name="DisplayDataBean"/>
</ResourceCategory>
where:
Name

A tag used to refer to this resource in the XML file.

ResourceBeanClass

The class name of the data bean that is being directly protected. This class must implement the com.ibm.commerce.security.Protectable interface.

ResourceAction

An element needed for policy editing in the Administration Console. In this case, this element indicates that Display is the valid action to be performed on this resource.