Securing The Functions In Pages

Top  Previous  Next

Security component is not only about login, logout or page protection. We can implement detailed, yet easily manageable, check points inside the application pages.

We already know that we can control the accessing to the pages by defining check points with accessControl element in the page configuration. But that would not be sufficient if we want to let the users to see the page but not all functions provided in the page are available to everyone.

Example:

We have a page where we list the existing orders in the database. We want let the users who have CAN_SEE_ORDERS checkpoint see the page. One of the functions provided on the page is deleting the selected orders. We do not want that all the users that can see the page can do that. Therefore we want to protect this function with CAN_DELETE_ORDERS checkpoint.

Protecting the "Orders" Page

So we want to let only the users that have CAN_SEE_ORDERS check point to see the "Orders" page. All we have to do is to specify it in the accessControl  element of the configuration of the "Orders" page.

Example:
<accessControl securityDomain="main" checkpoint="CAN_SEE_ORDERS" loginPage="LoginPage" failurePage="ErrorPage">

 

A user can access this page only if he is logged in to the security domain "main" and has the authority to pass through the CAN_SEE_ORDERS checkpoint.

If the user is not yet logged in at the time he tries to see the page, he will be redirected to the page named "LoginPage" by the MoreMotion.

If the user is logged in but does not have authority for CAN_SEE_ORDERS he will be displayed with the page named "ErrorPage".

Protecting the "Delete Orders" Function in "Orders" Page

Assume that the "Delete Orders" function is triggered by a Button on the page. To let only the users that have CAN_DELETE_ORDERS authority to use this function, we can either make the button invisible or disabled for the users that do not have this authority.

"mor_security_userinfo" Data Source

After a user logs in to the system, the security component prepares a datasource called "mor_security_userinfo". This datasource contains all the information about the current user.

Example:

   <mor_security_userinfo>
    <username>john</username>
    <fullname>John Doe</fullname>
    <email>john@hiscompany.com</email>
    <loggedin>true</loggedin>
    <checkpoints>
      <CAN_SEE_ORDERS>true</CAN_SEE_ORDERS>
      <CAN_DELETE_ORDERS>true</CAN_DELETE_ORDERS>
    </checkpoints>
  </mor_security_userinfo> 

 
By referring the XML nodes under the checkpoints node we can dynamically make any element on the page invisible or disabled.

Making a Button Invisible

  <xsl:if test="boolean(/mor_security_userinfo/checkpoints/CAN_DELETE_ORDERS)">
    <input type="button" .. />
  </xsl:if>

 

Making a Button Disabled

  <input type="button">
    <xsl:if test="not(boolean(/mor_security_userinfo/checkpoints/CAN_DELETE_ORDERS))">
      <xsl:attribute name="disabled">disabled</xsl:attribute>
    /xsl:if>
  </input>