| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> |
| <head> |
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
| <meta name="keywords" content="SMILA/Documentation/Security,SMILA/Documentation/Bundle org.eclipse.smila.security.processing,SMILA/Documentation/LDAPSecurityResolver" /> |
| <link rel="shortcut icon" href="http://wiki.eclipse.org/SMILA/Documentation/favicon.ico" /> |
| <link rel="search" type="application/opensearchdescription+xml" href="http://wiki.eclipse.org/opensearch_desc.php" title="Eclipsepedia (English)" /> |
| <link rel="alternate" type="application/rss+xml" title="Eclipsepedia RSS Feed" href="http://wiki.eclipse.org/index.php?title=Special:Recentchanges&feed=rss" /> |
| <link rel="alternate" type="application/atom+xml" title="Eclipsepedia Atom Feed" href="http://wiki.eclipse.org/index.php?title=Special:Recentchanges&feed=atom" /> |
| |
| |
| <title>SMILA/Documentation/Security - Eclipsepedia</title> |
| |
| <style type="text/css" media="screen,projection">/*<![CDATA[*/ @import "http://wiki.eclipse.org/skins/eclipsenova/novaWide.css?116"; /*]]>*/</style> |
| <link rel="stylesheet" type="text/css" media="print" href="http://wiki.eclipse.org/skins/eclipsenova/eclipsenovaPrint.css?116" /> |
| <link rel="stylesheet" type="text/css" media="handheld" href="http://wiki.eclipse.org/skins/eclipsenova/handheld.css?116" /> |
| <link rel="stylesheet" type="text/css" href="http://wiki.eclipse.org/skins/eclipsenova/Nova/css/header.css" media="screen" /> |
| <link rel="stylesheet" type="text/css" href="http://wiki.eclipse.org/skins/eclipsenova/tabs.css" media="screen" /> |
| <link rel="stylesheet" type="text/css" href="http://wiki.eclipse.org/skins/eclipsenova/Nova/css/visual.css" media="screen" /> |
| <link rel="stylesheet" type="text/css" href="http://wiki.eclipse.org/skins/eclipsenova/Nova/css/layout.css" media="screen" /> |
| <link rel="stylesheet" type="text/css" href="http://wiki.eclipse.org/skins/eclipsenova/Nova/css/footer.css" media="screen" /> |
| <!--[if IE]><link rel="stylesheet" type="text/css" href="/skins/eclipsenova/IEpngfix.css" media="screen" /><![endif]--> |
| <!--[if lt IE 5.5000]><style type="text/css">@import "/skins/eclipsenova/IE50Fixes.css?116";</style> <![endif]--> |
| <!--[if IE 5.5000]><style type="text/css">@import "/skins/eclipsenova/IE55Fixes.css?116";</style><![endif]--> |
| <!--[if IE 6]><style type="text/css">@import "/skins/eclipsenova/IE60Fixes.css?116";</style><![endif]--> |
| <!--[if IE 7]><style type="text/css">@import "/skins/eclipsenova/IE70Fixes.css?116";</style><![endif]--> |
| <!--[if lt IE 7]><script type="text/javascript" src="/skins/common/IEFixes.js?116"></script> |
| <meta http-equiv="imagetoolbar" content="no" /><![endif]--> |
| <script type= "text/javascript">/*<![CDATA[*/ |
| var skin = "eclipsenova"; |
| var stylepath = "/skins"; |
| var wgArticlePath = "/$1"; |
| var wgScriptPath = ""; |
| var wgScript = "/index.php"; |
| var wgServer = "http://wiki.eclipse.org"; |
| var wgCanonicalNamespace = ""; |
| var wgCanonicalSpecialPageName = false; |
| var wgNamespaceNumber = 0; |
| var wgPageName = "SMILA/Documentation/Security"; |
| var wgTitle = "SMILA/Documentation/Security"; |
| var wgAction = "view"; |
| var wgRestrictionEdit = []; |
| var wgRestrictionMove = []; |
| var wgArticleId = "18770"; |
| var wgIsArticle = true; |
| var wgUserName = null; |
| var wgUserGroups = null; |
| var wgUserLanguage = "en"; |
| var wgContentLanguage = "en"; |
| var wgBreakFrames = false; |
| var wgCurRevisionId = "284638"; |
| var wgVersion = "1.12.0"; |
| var wgEnableAPI = true; |
| var wgEnableWriteAPI = false; |
| /*]]>*/</script> |
| |
| <script type="text/javascript" src="http://wiki.eclipse.org/skins/common/wikibits.js?116"><!-- wikibits js --></script> |
| |
| <!-- Performance mods similar to those for bug 166401 --> |
| <script type="text/javascript" src="http://wiki.eclipse.org/index.php?title=-&action=raw&gen=js&useskin=eclipsenova"><!-- site js --></script> |
| |
| <!-- Head Scripts --> |
| <script type="text/javascript" src="http://wiki.eclipse.org/skins/common/ajax.js?116"></script> |
| <style type="text/css">/*<![CDATA[*/ |
| .source-xml {line-height: normal; font-size: medium;} |
| .source-xml li {line-height: normal;} |
| /** |
| * GeSHi Dynamically Generated Stylesheet |
| * -------------------------------------- |
| * Dynamically generated stylesheet for xml |
| * CSS class: source-xml, CSS id: |
| * GeSHi (C) 2004 - 2007 Nigel McNie (http://qbnz.com/highlighter) |
| */ |
| .source-xml .de1, .source-xml .de2 {font-family: 'Courier New', Courier, monospace; font-weight: normal;} |
| .source-xml {} |
| .source-xml .head {} |
| .source-xml .foot {} |
| .source-xml .imp {font-weight: bold; color: red;} |
| .source-xml .ln-xtra {color: #cc0; background-color: #ffc;} |
| .source-xml li {font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;} |
| .source-xml li.li2 {font-weight: bold;} |
| .source-xml .coMULTI {color: #808080; font-style: italic;} |
| .source-xml .es0 {color: #000099; font-weight: bold;} |
| .source-xml .br0 {color: #66cc66;} |
| .source-xml .st0 {color: #ff0000;} |
| .source-xml .nu0 {color: #cc66cc;} |
| .source-xml .sc0 {color: #00bbdd;} |
| .source-xml .sc1 {color: #ddbb00;} |
| .source-xml .sc2 {color: #339933;} |
| .source-xml .sc3 {color: #009900;} |
| .source-xml .re0 {color: #000066;} |
| .source-xml .re1 {font-weight: bold; color: black;} |
| .source-xml .re2 {font-weight: bold; color: black;} |
| |
| /*]]>*/ |
| </style> |
| <style type="text/css">/*<![CDATA[*/ |
| @import "http://wiki.eclipse.org/index.php?title=MediaWiki:Geshi.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000"; |
| /*]]>*/ |
| </style><style type="text/css">/*<![CDATA[*/ |
| .source-java {line-height: normal; font-size: medium;} |
| .source-java li {line-height: normal;} |
| /** |
| * GeSHi Dynamically Generated Stylesheet |
| * -------------------------------------- |
| * Dynamically generated stylesheet for java |
| * CSS class: source-java, CSS id: |
| * GeSHi (C) 2004 - 2007 Nigel McNie (http://qbnz.com/highlighter) |
| */ |
| .source-java .de1, .source-java .de2 {font-family: 'Courier New', Courier, monospace; font-weight: normal;} |
| .source-java {} |
| .source-java .head {} |
| .source-java .foot {} |
| .source-java .imp {font-weight: bold; color: red;} |
| .source-java .ln-xtra {color: #cc0; background-color: #ffc;} |
| .source-java li {font-family: 'Courier New', Courier, monospace; color: black; font-weight: normal; font-style: normal;} |
| .source-java li.li2 {font-weight: bold;} |
| .source-java .kw1 {color: #7F0055; font-weight: bold;} |
| .source-java .kw2 {color: #7F0055; font-weight: bold;} |
| .source-java .kw3 {color: #000000; font-weight: normal} |
| .source-java .kw4 {color: #7F0055; font-weight: bold;} |
| .source-java .co1 {color: #3F7F5F; font-style: italic;} |
| .source-java .co2 {color: #3F7F5F;} |
| .source-java .co3 {color: #3F7F5F; font-style: italic; font-weight: bold;} |
| .source-java .coMULTI {color: #3F5FBF; font-style: italic;} |
| .source-java .es0 {color: #000000;} |
| .source-java .br0 {color: #000000;} |
| .source-java .st0 {color: #2A00ff;} |
| .source-java .nu0 {color: #000000;} |
| .source-java .me1 {color: #000000;} |
| .source-java .me2 {color: #000000;} |
| |
| /*]]>*/ |
| </style> |
| <style type="text/css">/*<![CDATA[*/ |
| @import "http://wiki.eclipse.org/index.php?title=MediaWiki:Geshi.css&usemsgcache=yes&action=raw&ctype=text/css&smaxage=18000"; |
| /*]]>*/ |
| </style><link rel="stylesheet" type="text/css" href="Security.html" /> </head> |
| <body class="mediawiki ns-0 ltr page-SMILA_Documentation_Security"> |
| <div id="globalWrapper"> |
| |
| |
| <div id="column-one"> |
| <!-- Eclipse Additions for the Top Nav start here M. Ward--> |
| |
| <div id="header"> |
| <div id="header-graphic"> |
| <img src="http://wiki.eclipse.org/skins/eclipsenova/eclipse.png" alt="Eclipse Wiki"> |
| </div> |
| <!-- Pulled 101409 Mward --> |
| |
| <div class="portlet" id="p-personal"> |
| <div class="pBody"> |
| <ul> |
| <li id="pt-login"><a href="http://wiki.eclipse.org/index.php?title=Special:Userlogin&returnto=SMILA/Documentation/Security">Log in</a></li> |
| </ul> |
| </div> |
| </div> |
| |
| <div id="header-icons"> |
| <div id="sites"> |
| <ul id="sitesUL"> |
| <li><a href="http://www.eclipse.org"><img src="http://dev.eclipse.org/custom_icons/eclipseIcon.png" width="28" height="28" alt="Eclipse Foundation" title="Eclipse Foundation" /><div>Eclipse Foundation</div></a></li> |
| <li><a href="http://marketplace.eclipse.org"><img src="http://dev.eclipse.org/custom_icons/marketplace.png" width="28" height="28" alt="Eclipse Marketplace" title="Eclipse Marketplace" /><div>Eclipse Marketplace</div></a></li> |
| <li><a href="https://bugs.eclipse.org/bugs"><img src="http://dev.eclipse.org/custom_icons/system-search-bw.png" width="28" height="28" alt="Bugzilla" title="Bugzilla" /><div>Bugzilla</div></a></li> |
| <li><a href="http://live.eclipse.org"><img src="http://dev.eclipse.org/custom_icons/audio-input-microphone-bw.png" width="28" height="28" alt="Live" title="Live" /><div>Eclipse Live</div></a></li> |
| <li><a href="http://planeteclipse.org"><img src="http://dev.eclipse.org/large_icons/devices/audio-card.png" width="28" height="28" alt="PlanetEclipse" title="Planet" /><div>Planet Eclipse</div></a></li> |
| <li><a href="http://portal.eclipse.org"><img src="http://dev.eclipse.org/custom_icons/preferences-system-network-proxy-bw.png" width="28" height="28" alt="Portal" title="Portal" /><div>My Foundation Portal</div></a></li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <!-- NEW HEADER STUFF HERE --> |
| <div id="header-menu"> |
| <div id="header-nav"> |
| <ul> <li><a class="first_one" href="http://wiki.eclipse.org/" target="_self">Home</a></li> <li><a href="http://www.eclipse.org/downloads/" target="_self">Downloads</a></li> |
| <li><a href="http://www.eclipse.org/users/" target="_self">Users</a></li> |
| <li><a href="http://www.eclipse.org/membership/" target="_self">Members</a></li> |
| <li><a href="http://wiki.eclipse.org/index.php/Development_Resources" target="_self">Committers</a></li> |
| <li><a href="http://www.eclipse.org/resources/" target="_self">Resources</a></li> |
| <li><a href="http://www.eclipse.org/projects/" target="_self">Projects</a></li> |
| <li><a href="http://www.eclipse.org/org/" target="_self">About Us</a></li> |
| </ul> |
| </div> |
| <div id="header-utils"> |
| <!-- moved the search window here --> |
| <form action="http://wiki.eclipse.org/Special:Search" > |
| <input class="input" name="search" type="text" accesskey="f" value="" /> |
| <input type='submit' onclick="this.submit();" name="go" id="searchGoButton" class="button" title="Go to a page with this exact name if one exists" value="Go" /> |
| <input type='submit' onclick="this.submit();" name="fulltext" class="button" id="mw-searchButton" title="Search Eclipsepedia for this text" value="Search" /> |
| </form> |
| </div> |
| </div> |
| |
| |
| <!-- Eclipse Additions for the Header stop here --> |
| <!-- Additions and mods for leftside nav Start here --> |
| |
| <!--Started nav rip here--> |
| <!-- these are the nav controls main page, changes etc --> |
| <div id="novaContent" class="faux"> |
| <div id="leftcol"> |
| <ul id="leftnav"> |
| <!-- these are the page controls, edit history etc --> |
| <li class="separator"><a class="separator">Navigation   </li> |
| <li id="n-mainpage"><a href="http://wiki.eclipse.org/Main_Page">Main Page</a></li> |
| <li id="n-portal"><a href="http://wiki.eclipse.org/Eclipsepedia:Community_Portal">Community portal</a></li> |
| <li id="n-currentevents"><a href="http://wiki.eclipse.org/Eclipsepedia:Current_events">Current events</a></li> |
| <li id="n-recentchanges"><a href="http://wiki.eclipse.org/Special:Recentchanges">Recent changes</a></li> |
| <li id="n-randompage"><a href="http://wiki.eclipse.org/Special:Random">Random page</a></li> |
| <li id="n-help"><a href="http://wiki.eclipse.org/Help:Contents">Help</a></li> |
| <li class="separator"><a class="separator">Toolbox   </a></li> |
| |
| <li id="t-whatlinkshere"><a href="http://wiki.eclipse.org/Special:Whatlinkshere/SMILA/Documentation/Security">What links here</a></li> |
| <li id="t-recentchangeslinked"><a href="http://wiki.eclipse.org/Special:Recentchangeslinked/SMILA/Documentation/Security">Related changes</a></li> |
| <!-- This is the toolbox section --> |
| <li id="t-upload"><a href="http://wiki.eclipse.org/Special:Upload">Upload file</a></li> |
| <li id="t-specialpages"><a href="http://wiki.eclipse.org/Special:Specialpages">Special pages</a></li> |
| <li id="t-print"><a href="http://wiki.eclipse.org/index.php?title=SMILA/Documentation/Security&printable=yes">Printable version</a></li> <li id="t-permalink"><a href="http://wiki.eclipse.org/index.php?title=SMILA/Documentation/Security&oldid=284638">Permanent link</a></li> </ul> |
| </div> |
| |
| |
| <!-- Additions and mods for leftside nav End here --> |
| |
| |
| <div id="column-content"> |
| <div id="content"> |
| <a name="top" id="top"></a> |
| |
| <div id="tabs"> |
| <ul class="primary"> |
| <li class="active"><a href="Security.html"><span class="tab">Page</span></a></li> |
| <li><a href="http://wiki.eclipse.org/index.php?title=Talk:SMILA/Documentation/Security&action=edit"><span class="tab">Discussion</span></a></li> |
| <li><a href="http://wiki.eclipse.org/index.php?title=SMILA/Documentation/Security&action=edit"><span class="tab">View source</span></a></li> |
| <li><a href="http://wiki.eclipse.org/index.php?title=SMILA/Documentation/Security&action=history"><span class="tab">History</span></a></li> |
| <li><a href="http://wiki.eclipse.org/index.php?title=Special:Userlogin&returnto=SMILA/Documentation/Security"><span class="tab">Edit</span></a></li> |
| </ul> |
| </div> |
| |
| |
| <script type="text/javascript"> if (window.isMSIE55) fixalpha(); </script> |
| <h1 class="firstHeading">SMILA/Documentation/Security</h1> |
| <div id="bodyContent"> |
| <h3 id="siteSub">From Eclipsepedia</h3> |
| <div id="contentSub"><span class="subpages">< <a href="../../SMILA.html" title="SMILA">SMILA</a> | <a href="../Documentation.1.html" title="SMILA/Documentation">Documentation</a></span></div> |
| <div id="jump-to-nav">Jump to: <a href="Security.html#column-one">navigation</a>, <a href="Security.html#searchInput">search</a></div> <!-- start content --> |
| <table id="toc" class="toc" summary="Contents"><tr><td><div id="toctitle"><h2>Contents</h2></div> |
| <ul> |
| <li class="toclevel-1"><a href="Security.html#Description"><span class="tocnumber">1</span> <span class="toctext">Description</span></a></li> |
| <li class="toclevel-1"><a href="Security.html#Datamodel"><span class="tocnumber">2</span> <span class="toctext">Datamodel</span></a></li> |
| <li class="toclevel-1"><a href="Security.html#Processing_of_Security_Annotations"><span class="tocnumber">3</span> <span class="toctext">Processing of Security Annotations</span></a> |
| <ul> |
| <li class="toclevel-2"><a href="Security.html#Indexing"><span class="tocnumber">3.1</span> <span class="toctext">Indexing</span></a></li> |
| <li class="toclevel-2"><a href="Security.html#Search"><span class="tocnumber">3.2</span> <span class="toctext">Search</span></a></li> |
| </ul> |
| </li> |
| </ul> |
| </td></tr></table><script type="text/javascript"> if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } </script> |
| <a name="Description"></a><h1> <span class="mw-headline">Description</span></h1> |
| <p>This page is about Security in SMILA (Authorization). Records may be associated with security information, services may use security information to restrict/grant access on data (records). The best known use case is indexing of documents with restricted access rights and filtering search results for users that have access rights on those documents. The basic idea is that a record created by either an Agent/Crawler or via the Search API can optionally contain "raw" security information. This "raw" security information is processed by special Pipelets in the executed pipeline that prepare the security information to be useable by some service (e.g. for the former mentioned use case the security information is stored with the record's metadata in a search index or a filter is created to restrict search results to those documents the user has access to). |
| </p><p>Authentication (e.g. login to a SMILA based web application) is not in the scope of this document. |
| </p> |
| <a name="Datamodel"></a><h1> <span class="mw-headline">Datamodel</span></h1> |
| <p>The datamodel is designed to be flexible by simply using record metadata, allowing many kinds of access rights types (e.g. Read, Write) for any kind of security principal (e.g. users, groups, roles). The name of the base metadata attribute containing security information is <tt>ACCESS_RIGHTS</tt>. It contains sub-elements for the various access right types. Currently the predefined types <tt>READ</tt> and <tt>WRITE</tt> are defined. These in turn contain sub-elements for entities for which these access right type apply. There are two entity types defined: <tt>PRINCIPALS</tt> and <tt>GROUPS</tt>. The elements contain the entity names as values. Here is the XML representation of the security metadata: |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"ACCESS_RIGHTS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"%ACCESS_RIGHT_TYPE%"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"%ENTITY_TYPE%"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>%VALUE%<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> |
| ... |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| ... |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| ... |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span></pre></div> |
| <p>For example |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"ACCESS_RIGHTS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"READ"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"PRINCIPALS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>0815<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> <span class="re0">n</span>=<span class="st0">"GROUPS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>4711<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>2525<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"WRITE"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> key?<span class="st0">"PRINCIPALS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>0815<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span></pre></div> |
| <p><br /> |
| There are utility classes in bundle <tt>org.eclipse.smila.security</tt> that contain constant definitions for the metadata elements (class <tt>SecurityAnnotations</tt>) and a helper to create and access the security metadata (class <tt>SecurityAnnotation</tt>). |
| </p><p><br /> |
| </p> |
| <a name="Processing_of_Security_Annotations"></a><h1> <span class="mw-headline">Processing of Security Annotations</span></h1> |
| <p>During processing of records the security metadata has to be processed, too. In most cases the security information needs to be passed to other Pipelets and therefore the security information has to be converted. We distinguish between real conversion and resolving of security information (this list may not be complete): |
| </p> |
| <ul><li>Converters |
| <ul><li>preparations for Search Index (e.g. converting to an appropriate attribute representation) |
| </li><li>combining data source and security information (like adding a domain or data source Id prefix to the security information) |
| </li></ul> |
| </li><li>Resolvers |
| <ul><li>resolve a Principals Sub-Principals (e.g. members of a group, subgroups of a group) |
| </li><li>resolve a Principals Membership (e.g. get all groups the user is a member of) |
| </li><li>resolve properties of a Principal (e.g. human readable names of Principal IDs) |
| </li></ul> |
| </li></ul> |
| <p>Converters are implemented as Pipelets. They may be either generic or specific, usable in only indexing pipelines, search pipelines or both. There is a sample Converter <tt>SampleSecurityConverterPipelet</tt> available in bundle <tt>org.eclipse.smila.security.processing</tt> that is usable for indexing and search. It either converts security information into one attribute so that it's indexable by Solr or into a filter for search. For more information check out the bundle <a href="Bundle_org.eclipse.smila.security.processing.html" class="mw-redirect" title="SMILA/Documentation/Bundle org.eclipse.smila.security.processing">documentation</a>. |
| </p><p>Resolvers are implemented as OSGi servces. They can be used by Converters or any other SMILA component (e.g. by some login component of a search application). Bundle <tt>org.eclipse.smila.security.ldap</tt> contains an <tt>LDAPSecurityResolver</tt> that offers the functionality to resolve principals against an LDAP directory. For more information see <a href="LDAPSecurityResolver.html" title="SMILA/Documentation/LDAPSecurityResolver">LDAPSecurityResolver</a>. |
| </p><p>Here is an illustration of the architecture of security resolvers and converters. Note that the usage of Converters and/or Resolvers is optional: |
| <a href="http://wiki.eclipse.org/Image:SecurityConverterResolver.png" class="image" title="architecture of security resolvers and converters"><img alt="architecture of security resolvers and converters" src="http://wiki.eclipse.org/images/9/9f/SecurityConverterResolver.png" width="960" height="720" border="0" /></a> |
| </p><p><br /> |
| The interface for SecurityResolvers is also located in bunlde <tt>org.eclipse.smila.security</tt>. |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-java"><span class="kw1">public</span> <span class="kw1">interface</span> SecurityResolver <span class="br0">{</span> |
| |
| <span class="coMULTI">/** |
| * Resolves a given name to a full form principal (e.g. a distinguished name). |
| * @param name the name of the principal |
| * @return the full form principal |
| * @throws SecurityException if any error occurs |
| */</span> |
| <span class="kw3">String</span> resolvePrincipal<span class="br0">(</span><span class="kw3">String</span> name<span class="br0">)</span> <span class="kw1">throws</span> <span class="kw3">SecurityException</span>; |
| |
| <span class="coMULTI">/** |
| * Returns all properties of the given principal. The properties are a map of attribute names (String) and attribute |
| * values (Collection of Strings). |
| * |
| * @param principal |
| * the principal |
| * @return all properties if the principal |
| * @throws SecurityException |
| * if any error occurs |
| */</span> |
| Map<String, Collection<String>> getProperties<span class="br0">(</span><span class="kw3">String</span> principal<span class="br0">)</span> <span class="kw1">throws</span> <span class="kw3">SecurityException</span>; |
| |
| <span class="coMULTI">/** |
| * Returns all principals that are member to the given group, including any subgroups. |
| * |
| * @param group |
| * the group principal |
| * @return a set of all principals that are members of this group |
| * @throws SecurityException |
| * if any error occurs |
| */</span> |
| Set<String> resolveGroupMembers<span class="br0">(</span><span class="kw3">String</span> group<span class="br0">)</span> <span class="kw1">throws</span> <span class="kw3">SecurityException</span>; |
| |
| <span class="coMULTI">/** |
| * Returns all groups the given principal is member of. |
| * |
| * @param principal |
| * the principal |
| * @return a set of group principals the principal is member of |
| * @throws SecurityException |
| * if any error occurs |
| */</span> |
| Set<String> resolveMembership<span class="br0">(</span><span class="kw3">String</span> principal<span class="br0">)</span> <span class="kw1">throws</span> <span class="kw3">SecurityException</span>; |
| |
| <span class="coMULTI">/** |
| * Checks if the given principal is a group. |
| * |
| * @param principal |
| * the principal |
| * @return true if the principal is a group, false otherwise |
| * @throws SecurityException |
| * if any error occurs |
| */</span> |
| <span class="kw4">boolean</span> isGroup<span class="br0">(</span><span class="kw3">String</span> principal<span class="br0">)</span> <span class="kw1">throws</span> <span class="kw3">SecurityException</span>; |
| <span class="br0">}</span></pre></div> |
| <p><br /> |
| Here is a more detailed description of the security annotation processing for the use cases Indexing and Search. The samples make use the SampleSecurityProvider and LDAPSecurityResolver: |
| </p> |
| <a name="Indexing"></a><h2> <span class="mw-headline">Indexing</span></h2> |
| <p>During Indexing the security information for a record is read from the datasource by Crawlers/Agents, which create the ACCESS_RIGHTS metadata and store them in the record. Crawlers/Agents pass the security information as provided by the data source (at the moment no Crawler/Agent implementation supports this feature). All further processing of the security information is done by the Security Converters/Resolvers. Here is an example for the ACCESS_RIGHTS record metadata provided by a windows filesystem crawler: |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"ACCESS_RIGHTS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"READ"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"PRINCIPALS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>0815<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified user id --></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Map</span> <span class="re0">n</span>=<span class="st0">"GROUPS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>4711<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified group id --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>2525<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified group id --></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span></pre></div> |
| <p><br /> |
| Before storing a record in a search index, the security metadata has to be converted to metadata attributes that are indexable. The SampleSecurityConverterPipelet (used in index mode) will do this transformation. The basic result is just a conversion of the READ PRINCIPALS: |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Seq</span> <span class="re0">n</span>=<span class="st0">"ReadUsers"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>0815<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified user id --></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span></pre></div> |
| <p>By using the LDAPSecurityResolver we could also resolve the group members, leading to a result like this: |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Seq</span> <span class="re0">n</span>=<span class="st0">"ReadUsers"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>0815<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified user id --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>666<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an resolved user id, member of group 4711 --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>999<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an resolved user id, member of group 4711 --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>1234<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an resolved user id, member of group 2525 --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>6789<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an resolved user id, member of group 2525 --></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span></pre></div> |
| <p>In addition the LDAPSecurityResolver could also replace the user ids with some human readable display name |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Seq</span> <span class="re0">n</span>=<span class="st0">"ReadUsers"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Doe, John<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Regular, John<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Becker, Heinz<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Napp, Karl<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Heinz, Karl<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span></pre></div> |
| <p><br /> |
| </p> |
| <a name="Search"></a><h2> <span class="mw-headline">Search</span></h2> |
| <p>A search client also provides security informations for the query record. This is most likely just the user id of the user executing the search. |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"ACCESS_RIGHTS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"READ"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"PRINCIPALS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>0815<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified user id provided by a search client --></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span></pre></div> |
| <p><br /> |
| The security metadata is processed by the SampleSecurityConverterPipelet (now in search mode) that transforms the security metadata into a filter for the security attributes in the Solr core. |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"filter"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Val</span> <span class="re0">key</span>=<span class="st0">"attribute"</span><span class="re2">></span></span>ReadUsers<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"oneOf"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>0815<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified user id provided by a search client --></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span></pre></div> |
| <p><br /> |
| If the LDAPSecurityResolver was used during indexing it must be used during search, too, resolving the display name for the user id: |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"filter"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Val</span> <span class="re0">key</span>=<span class="st0">"attribute"</span><span class="re2">></span></span>ReadUsers<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"oneOf"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Doe, John<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span></pre></div> |
| <p><br /> |
| It would also be possible to pass in just group ids |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"ACCESS_RIGHTS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map</span> <span class="re0">key</span>=<span class="st0">"READ"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"GROUPS"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>4711<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified group id --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>2525<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- an unmodified group id --></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span></pre></div> |
| <p>and resolve their member user ids and display names for them: |
| </p> |
| <div dir="ltr" style="text-align: left;"><pre class="source-xml"><span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"filter"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Val</span> <span class="re0">key</span>=<span class="st0">"attribute"</span><span class="re2">></span></span>ReadUsers<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"><Seq</span> <span class="re0">key</span>=<span class="st0">"oneOf"</span><span class="re2">></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Regular, John<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Becker, Heinz<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Napp, Karl<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"><Val<span class="re2">></span></span></span>Heinz, Karl<span class="sc3"><span class="re1"></Val<span class="re2">></span></span></span> <span class="sc3"><span class="coMULTI"><!-- a user id resolved to a a human readable display name --></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Map<span class="re2">></span></span></span> |
| <span class="sc3"><span class="re1"></Seq<span class="re2">></span></span></span></pre></div> |
| |
| <!-- |
| NewPP limit report |
| Preprocessor node count: 55/1000000 |
| Post-expand include size: 0/2097152 bytes |
| Template argument size: 0/2097152 bytes |
| #ifexist count: 0/100 |
| --> |
| |
| <!-- Saved in parser cache with key wikidb:pcache:idhash:18770-0!1!0!!en!2!edit=0 and timestamp 20120710093522 --> |
| <div class="printfooter"> |
| Retrieved from "<a href="Security.html">http://wiki.eclipse.org/SMILA/Documentation/Security</a>"</div> |
| <!-- end content --> |
| <div class="visualClear"></div> |
| </div> |
| </div> |
| |
| |
| </div> |
| |
| |
| <!-- Yoink of toolbox for phoenix moved up --> |
| |
| |
| </div> |
| </div> |
| <div id="clearFooter"/> |
| <div id="footer" > |
| <ul id="footernav"> |
| <li class="first"><a href="http://www.eclipse.org/">Home</a></li> |
| <li><a href="http://www.eclipse.org/legal/privacy.php">Privacy Policy</a></li> |
| <li><a href="http://www.eclipse.org/legal/termsofuse.php">Terms of Use</a></li> |
| <li><a href="http://www.eclipse.org/legal/copyright.php">Copyright Agent</a></li> |
| <li><a href="http://www.eclipse.org/org/foundation/contact.php">Contact</a></li> |
| <li><a href="http://wiki.eclipse.org/Eclipsepedia:About" title="Eclipsepedia:About">About Eclipsepedia</a></li> |
| </ul> |
| <span id="copyright">Copyright © 2012 The Eclipse Foundation. All Rights Reserved</span> |
| <p id="footercredit">This page was last modified 09:09, 16 January 2012 by <a href="http://wiki.eclipse.org/index.php?title=User:Daniel.stucky.attensity.com&action=edit" class="new" title="User:Daniel.stucky.attensity.com">Daniel Stucky</a>. Based on work by <a href="http://wiki.eclipse.org/User:Drazen.cindric.attensity.com" title="User:Drazen.cindric.attensity.com">Drazen Cindric</a>, <a href="http://wiki.eclipse.org/User:Igor.novakovic.empolis.com" title="User:Igor.novakovic.empolis.com">Igor Novakovic</a> and <a href="http://wiki.eclipse.org/User:Juergen.schumacher.empolis.com" title="User:Juergen.schumacher.empolis.com">Juergen Schumacher</a> and <a href="http://wiki.eclipse.org/index.php?title=SMILA/Documentation/Security&action=credits" title="SMILA/Documentation/Security">others</a>.</p> |
| <p id="footerviews">This page has been accessed 2,488 times.</p> |
| </div> |
| |
| <script type="text/javascript"> |
| var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); |
| document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); |
| </script> |
| <script type="text/javascript"> |
| var pageTracker = _gat._getTracker("UA-910670-4"); |
| pageTracker._trackPageview(); |
| </script> |
| |
| |
| |
| |
| |
| |
| |
| <!-- <div class="visualClear"></div> --> |
| |
| <script type="text/javascript">if (window.runOnloadHook) runOnloadHook();</script> |
| </div> |
| |
| <!-- Served in 0.051 secs. --></body></html> |
