IBM FileNet P8, Version 5.2

Working with Security

The information in this section describes some of the tasks related to client-side security as you develop your applications.

Obtaining a LoginContext

Performing and using a Java™ Authentication and Authorization (JAAS) login consists of three steps: obtaining a LoginContext object, calling the LoginContext.login method, and impersonating the logged in user to perform the actual work. This section provides some information and a code sample that illustrate how to perform these steps.

Obtaining a LoginContext object requires a tag to indicate some particular configuration in the JAAS login configuration file. If your login configuration file has an entry for "other", then it doesn't matter what tag you use in the call to the constructor of LoginContext, since the call will fall back to the "other" entry in the configuration file. You also need to supply a CallbackHandler to provide the credentials (username and password). If you would like to be prompted for that information, you could just provide a new instance of one of Sun's sample callback handlers, such as com.sun.security.auth.callback.DialogCallbackHandler (as shown in the example below) or TextCallbackHandler.

The login method invokes the callback handler. On Oracle WebLogic Server or IBM® WebSphere® Application Server, the credentials are authenticated at this point. On JBoss, the credentials are not authenticated until they are used in an interaction with the server to fetch, save, or search for objects, so a successful call to the login method on JBoss does not mean that the credentials have been authenticated. Consequently, problems with credential authentication, such as an invalid password, surface at different points depending on the application server that performs the authentication.

A UserContext object is associated with each thread that accesses the Content Engine Java API. A JAAS Subject should be associated with the thread, by calling UserContext.pushSubject, prior to making any calls that will cause the API to access the Content Engine server. Note that the UserContext class provides a helper method that can perform the JAAS login for you in the common username/password case. This approach would typically be taken when using the Content Engine Java API over the web service transport. The example in this section uses the EJB transport for all subsequent Content Engine Java API calls. To instead use the web service transport, change the JAAS configuration stanza name in the UserContext.createSubject call from "FileNetP8" to "FileNetP8WSI".

Java Example

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.DialogCallbackHandler;
import com.filenet.api.core.Connection;
import com.filenet.api.util.UserContext;

//  Perform the login.
static void performLogin(
        Connection con,
        String userName,        // Example: "username@testdom.local"
        String passWord) throws Exception 
{
    // *** Step 1: Obtain login context. ***

    // Determine call back handler.
    CallbackHandler handler = null;
    if (userName != null) 
    {
        // Call user-created class that implements CallbackHandler.
        handler = new UserPasswordHandler(userName, passWord);
    }
    else 
    {
        handler = new DialogCallbackHandler();
    }

    // Get login context.
    LoginContext lc = new LoginContext("mysystem", handler);

    // *** Step 2: Call login method. ***

    // Attempt to login.
    try 
    {
        lc.login();
        System.out.println("Login succeeded");
    }
    catch (Exception exc) 
    {
        System.out.println("Login failed");
        throw exc;  
    }

    // *** Step 3: Impersonate logged in user. ***

    // Get user context.
    UserContext uc = UserContext.get();
        
    // Determine subject.
    Subject sub = null;
    if (userName != null) 
    {       
        // Example for EJB transport. Stanza name is FileNetP8 for EJB and FileNetP8WSI for WSI.
        sub = UserContext.createSubject(con, userName, passWord, "FileNetP8");
    }
    else 
    {
        sub = lc.getSubject();
    }

    // Associate the JAAS Subject with the UserContext.
    uc.pushSubject(sub);
    try
    {
        // do work
    }
    finally
    {
        uc.popSubject();
    }
}
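The UserPasswordHandler class that the login example calls is not shown on this page. The following is an added example, not IBM sample code, of a minimal CallbackHandler that hands a username and password to whichever JAAS login module the configuration names; the class and constructor signature are assumed from the call above, and the main method only exercises the handler locally without an application server.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Supplies a fixed username/password pair to the JAAS login module behind
// the LoginContext. The password is held as a char[] so it can be wiped once
// the login has completed instead of lingering in an immutable String.
public class UserPasswordHandler implements CallbackHandler
{
    private final String userName;
    private final char[] passWord;

    public UserPasswordHandler(String userName, String passWord)
    {
        this.userName = userName;
        this.passWord = (passWord == null) ? new char[0] : passWord.toCharArray();
    }

    // The login module calls this with the callbacks it needs filled in.
    // Only name and password callbacks are answered; anything else is
    // reported as unsupported so the login fails visibly, not silently.
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException
    {
        for (Callback cb : callbacks)
        {
            if (cb instanceof NameCallback)
            {
                ((NameCallback) cb).setName(userName);
            }
            else if (cb instanceof PasswordCallback)
            {
                // PasswordCallback stores a copy, so our array can be cleared later.
                ((PasswordCallback) cb).setPassword(passWord);
            }
            else
            {
                throw new UnsupportedCallbackException(cb,
                        "Unsupported callback: " + cb.getClass().getName());
            }
        }
    }

    // Call after LoginContext.login has returned so the plaintext password
    // is no longer reachable on the heap.
    public void clear()
    {
        Arrays.fill(passWord, '\0');
    }

    // Local check without an application server: fills a name and a password
    // callback the way a login module would and reports what was set.
    public static void main(String[] args) throws Exception
    {
        UserPasswordHandler h = new UserPasswordHandler("username@testdom.local", "secret");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        h.handle(new Callback[] { nc, pc });
        System.out.println("name=" + nc.getName() + " passwordLength=" + pc.getPassword().length);
        pc.clearPassword();
        h.clear();
    }
}
```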

Setting Permissions

The example code below shows how to set access rights for a new user added to a document's access permission list. An AccessPermission object is created, set with permission information about the new user, and added to the document's access permission list. Constants are used to express the combination of access rights, which are set on the AccessMask property of the AccessPermission object.

Java Example

// Constants specify combination of access rights.
private static final int LOAN_CREATOR = AccessRight.READ_ACL.getValue() | AccessRight.CHANGE_STATE.getValue() | AccessRight.CREATE_INSTANCE.getValue()
           | AccessRight.VIEW_CONTENT.getValue() | AccessRight.MINOR_VERSION.getValue() | AccessRight.UNLINK.getValue()
           | AccessRight.LINK.getValue() | AccessRight.WRITE.getValue() | AccessRight.READ.getValue();

private static final int LOAN_REVIEWER = AccessRight.VIEW_CONTENT.getValue() | AccessRight.READ_ACL.getValue() | AccessRight.READ.getValue()
           | AccessRight.LINK.getValue();

// Adds new user to document's access permission list. Permissions are
// determined by user's group membership.
private AccessPermissionList setPermissions(AccessPermissionList apl, User newUser)
{
   AccessPermission ap = Factory.AccessPermission.createInstance();
   ap.set_GranteeName(newUser.get_DistinguishedName());
   ap.set_AccessType(AccessType.ALLOW); 
        
   GroupSet groups = newUser.get_MemberOfGroups();
   Iterator iter = groups.iterator();
   while (iter.hasNext())
   {
      Group group = (Group) iter.next();

      // Set permissions based on whether user is in one of the following two groups.
      if (group.get_DisplayName().equalsIgnoreCase("LoanReviewers") )
      {
          ap.set_AccessMask(LOAN_REVIEWER);
          apl.add(ap);
          break;
      }
      else if (group.get_DisplayName().equalsIgnoreCase("LoanCreators") )
      {
         ap.set_AccessMask(LOAN_CREATOR);
         apl.add(ap);
         break;
      }
   }

   return apl;
}

C# Example

// Constants specify combination of access rights.
private const int LOAN_CREATOR = (int)AccessRight.READ_ACL | (int)AccessRight.CHANGE_STATE | (int)AccessRight.CREATE_INSTANCE
           | (int)AccessRight.VIEW_CONTENT | (int)AccessRight.MINOR_VERSION | (int)AccessRight.UNLINK
           | (int)AccessRight.LINK | (int)AccessRight.WRITE | (int)AccessRight.READ;

private const int LOAN_REVIEWER = (int)AccessRight.VIEW_CONTENT | (int)AccessRight.READ_ACL | (int)AccessRight.READ
           | (int)AccessRight.LINK;

// Adds new user to document's access permission list. Permissions are
// determined by user's group membership.
private IAccessPermissionList setPermissions(IAccessPermissionList apl, IUser newUser)
{
   IAccessPermission ap = Factory.AccessPermission.CreateInstance();
   ap.GranteeName = newUser.DistinguishedName;
   ap.AccessType = AccessType.ALLOW;

   IGroupSet groups = newUser.MemberOfGroups;
   foreach (IGroup group in groups)
   {
      // Set permissions based on whether user is in one of the following two groups.
      if (group.DisplayName.Equals("LoanReviewers", StringComparison.OrdinalIgnoreCase))
      {
         ap.AccessMask = LOAN_REVIEWER;
         apl.Add(ap);
         break;
      }
      else if (group.DisplayName.Equals("LoanCreators", StringComparison.OrdinalIgnoreCase))
      {
         ap.AccessMask = LOAN_CREATOR;
         apl.Add(ap);
         break;
      }
   }

   return apl;
}

Checking Permissions

The example code below shows how to check a user's permissions on a Document object in order to carry out a particular operation. Note that individual access rights are used to test permissions.

Java Example

private static final PropertyFilter PF;
static
{
   PF = new PropertyFilter();
   PF.addIncludeProperty(new FilterElement(null, null, null, PropertyNames.ID, null));
}
private static final int ACCESS_REQUIRED = AccessRight.DELETE.getValue() | AccessRight.WRITE.getValue() | AccessRight.MAJOR_VERSION.getValue();

...

Document doc = Factory.Document.fetchInstance(os, new Id("{BBC0B2D5-9850-4F48-9AC9-7DBC38A9C89D}"), PF);
int accessMask = doc.getAccessAllowed();

// Does user have the following rights on the document?
if ( (accessMask & ACCESS_REQUIRED) == ACCESS_REQUIRED)
{
   // do something applicable to these rights.
}

C# Example

private static readonly PropertyFilter PF;
static checkPermissions()   // Static constructor; the enclosing class is assumed to be named checkPermissions.
{
   PF = new PropertyFilter();
   PF.AddIncludeProperty(new FilterElement(null, null, null, PropertyNames.ID, null));
}
private const int ACCESS_REQUIRED = (int)AccessRight.DELETE | (int)AccessRight.WRITE | (int)AccessRight.MAJOR_VERSION;

...

IDocument doc = Factory.Document.FetchInstance(os, new Id("{BBC0B2D5-9850-4F48-9AC9-7DBC38A9C89D}"), PF);
int accessMask = (int)doc.GetAccessAllowed();

// Does user have the following rights?
if ( (accessMask & ACCESS_REQUIRED) == ACCESS_REQUIRED)
{
   // do something applicable to these rights.
}
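The checks above depend on testing the AccessAllowed mask for all of the required bits, not just any of them. The following added example (not IBM sample code) isolates that logic in plain Java so it can be exercised without an object store; the bit values assigned to the rights are constructed for the demonstration and are not the real AccessRight values, which in production come from AccessRight.NAME.getValue().

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Authorization helper for a Content Engine style AccessAllowed mask: a bit
// set of access rights that the server computes for the calling user.
public final class AccessMaskCheck
{
    // Constructed bit values for this demonstration only; real code must use
    // AccessRight.<NAME>.getValue() from the Content Engine API.
    static final int READ          = 1 << 0;
    static final int WRITE         = 1 << 1;
    static final int DELETE        = 1 << 2;
    static final int MAJOR_VERSION = 1 << 3;
    static final int READ_ACL      = 1 << 4;

    private static final Map<Integer, String> NAMES = new LinkedHashMap<Integer, String>();
    static
    {
        NAMES.put(READ, "READ");
        NAMES.put(WRITE, "WRITE");
        NAMES.put(DELETE, "DELETE");
        NAMES.put(MAJOR_VERSION, "MAJOR_VERSION");
        NAMES.put(READ_ACL, "READ_ACL");
    }

    // True only when every bit of 'required' is present in 'allowed'. This is
    // the test the page uses; (allowed & required) != 0 would succeed as soon
    // as a single right matched, which grants too much.
    static boolean hasAllRights(int allowed, int required)
    {
        return (allowed & required) == required;
    }

    // Names of the required rights the mask lacks, for an audit log entry or
    // an access-denied message that states what is missing.
    static List<String> missingRights(int allowed, int required)
    {
        List<String> missing = new ArrayList<String>();
        int lacking = required & ~allowed;
        for (Map.Entry<Integer, String> e : NAMES.entrySet())
        {
            if ((lacking & e.getKey()) != 0)
            {
                missing.add(e.getValue());
            }
        }
        return missing;
    }

    public static void main(String[] args)
    {
        int accessRequired = DELETE | WRITE | MAJOR_VERSION;  // same combination as the page
        int allowedMask = READ | WRITE | READ_ACL;             // constructed server response

        // The any-of form matches on WRITE alone and would let the caller
        // proceed to an operation the server will then reject.
        boolean anyOf = (allowedMask & accessRequired) != 0;
        boolean allOf = hasAllRights(allowedMask, accessRequired);
        System.out.println("any-of: " + anyOf + "  all-of: " + allOf);
        System.out.println("missing: " + missingRights(allowedMask, accessRequired));
    }
}
```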

Getting Access Permission Descriptions

The following examples show how to retrieve access permission descriptions (APDs) to populate a user interface (UI) for selecting permissions (the UI code and the code for setting permissions are not included). The code creates a collection of APDs from the Folder class description, and then iterates the collection to get descriptive information from each AccessPermissionDescription object. The output listing follows the examples.

Java Example

String apdClass = ClassNames.FOLDER;
ClassDescription cd = Factory.ClassDescription.getInstance(os, apdClass);
cd.fetchProperty(PropertyNames.PERMISSION_DESCRIPTIONS, null);
AccessPermissionDescriptionList apdl = cd.get_PermissionDescriptions();
System.out.println(apdClass + " has this many APDs: "  + apdl.size());
for (Iterator it = apdl.iterator(); it.hasNext();)
{
   AccessPermissionDescription apd = (AccessPermissionDescription)it.next();
   String dn = apd.get_DisplayName();
   String dt = apd.get_DescriptiveText();
   dt = (dn.equals(dt) ? ""  : ": "  + dt);
   String pt = apd.get_PermissionType().toString();
   pt += "                     ".substring(pt.length());
   System.out.println(pt + "  "  + dn + dt);
}

C# Example

String apdClass = ClassNames.FOLDER;
IClassDescription cd = Factory.ClassDescription.GetInstance(os, apdClass);
cd.FetchProperty(PropertyNames.PERMISSION_DESCRIPTIONS, null);
IAccessPermissionDescriptionList apdl = cd.PermissionDescriptions;
System.Console.WriteLine(apdClass + " has this many APDs: " + apdl.Count);
foreach (IAccessPermissionDescription apd in apdl) 
{
   String dn = apd.DisplayName;
   String dt = apd.DescriptiveText;
   dt = (dn.Equals(dt) ? ""  : ": "  + dt);
   String pt = apd.PermissionType.ToString();
   pt += "                     ".Substring(pt.Length);
   System.Console.WriteLine(pt + "  "  + dn + dt);
}

Output Listing

Folder has this many APDs: 21
LEVEL                  Full Control
LEVEL                  Modify properties
LEVEL                  Add to Folder
LEVEL_DEFAULT          View properties
RIGHT                  View all properties
RIGHT                  Modify all properties
RIGHT                  Reserved12 (Deploy is deprecated)
RIGHT                  Reserved13 (Archive is deprecated)
RIGHT                  File in folder / Annotate
RIGHT                  Unfile from folder
RIGHT                  Create instance
RIGHT                  Create subfolder
RIGHT                  Delete
RIGHT                  Read permissions
RIGHT                  Modify permissions
RIGHT                  Modify owner
RIGHT_INHERIT_ONLY     Minor versioning 
RIGHT_INHERIT_ONLY     Major versioning 
RIGHT_INHERIT_ONLY     View content 
RIGHT_INHERIT_ONLY     Change state 
RIGHT_INHERIT_ONLY     Publish

Working with Marking Objects

The following code snippet retrieves all MarkingSet objects from the FileNet® P8 domain.

Java Example

  Domain domain = Factory.Domain.fetchInstance(conn, "Domain", null);
  // The returned collection holds every MarkingSet defined in the domain.
  MarkingSetSet markingSets = domain.get_MarkingSets();

Implementing Kerberos

This section describes client-side implementation of Kerberos for single sign on (SSO) authentication. For details about any Kerberos-related topic in this section, you can also refer to the Kerberos for Content Engine section of the IBM FileNet P8 Security documentation.

Prerequisites

A number of prerequisites must be met before you can use Kerberos for SSO authentication. They are listed below by system, domain/account, .NET client, and Java server categories.

System Prerequisites

Domain/Account Prerequisites

Standalone .NET Client Prerequisites

Content Engine Java Server Prerequisites

Using Kerberos on an API Client

The following is an example illustrating how to use Kerberos authentication with a Content Engine .NET API client:

Java Example

  // Java clients currently do not support Kerberos authentication.

C# Example

  KerberosCredentials creds = new KerberosCredentials(); 
  ClientContext.SetThreadCredentials(creds);  
  IConnection conn = Factory.Connection.GetConnection(strURI); 
  IDomain domain = Factory.Domain.GetInstance(conn, strP8Domain);

The above example uses the identity of the user logged in to the Windows system for each Content Engine command.

Working with Security Policies

The Java and C# examples in this section show you how to work with security policies and security templates. In the examples, you will see how to create and assign a security policy. Other examples show you how to apply an application security template to an object, and how to retrieve permission information from a security template. The last example shows you how to remove a security policy from both an object and from an object store.

Creating a Security Policy

The following Java and C# examples show how to create a SecurityPolicy object. To start, three SecurityTemplate objects are created and added to a SecurityTemplateList object. Two of the templates are of type VersioningSecurityTemplate, and one is of type ApplicationSecurityTemplate. The VersioningSecurityTemplate objects are intended to be applied automatically to released and superseded versions of an object. The ApplicationSecurityTemplate object must be applied to an object manually (see Applying an ApplicationSecurityTemplate). For each template, the TemplatePermissions property is set to an AccessPermissionList object, which is returned by the setPermissions method (not shown).

Next, a SecurityPolicy object is created and its SecurityTemplates property is set to the SecurityTemplateList. Note that the security policy's PreserveDirectPermissions property is set to false; therefore, when the security policy is assigned to an object, the object's original direct permissions are replaced by the permissions defined in the security policy's templates.

Java Example

public void createSecurityObject(ObjectStore os)
{
   // Access rights for released, superseded, and obsolete objects
   int permReleased = AccessRight.READ_ACL_AS_INT | AccessRight.CHANGE_STATE_AS_INT
           | AccessRight.CREATE_INSTANCE_AS_INT | AccessRight.VIEW_CONTENT_AS_INT
           | AccessRight.MINOR_VERSION_AS_INT | AccessRight.UNLINK_AS_INT
           | AccessRight.LINK_AS_INT | AccessRight.MAJOR_VERSION_AS_INT
           | AccessRight.WRITE_AS_INT | AccessRight.READ_AS_INT;
   int permSuperseded = AccessRight.READ_ACL_AS_INT | AccessRight.VIEW_CONTENT_AS_INT
           | AccessRight.READ_AS_INT;
   int permObsolete = AccessRight.READ_ACL_AS_INT | AccessRight.READ_AS_INT
           | AccessRight.DELETE_AS_INT;
        
   // Create security templates.
   VersioningSecurityTemplate vst1 = Factory.VersioningSecurityTemplate.createInstance(os);
   VersioningSecurityTemplate vst2 = Factory.VersioningSecurityTemplate.createInstance(os);
   ApplicationSecurityTemplate vst3 = Factory.ApplicationSecurityTemplate.createInstance(os);
   SecurityTemplateList stl = Factory.SecurityTemplate.createList();
   
   vst1.set_ApplyStateID(VersionStatusId.RELEASED);
   vst1.set_TemplatePermissions( setPermissions("#AUTHENTICATED-USERS", permReleased) );
   vst1.set_DisplayName("Version Template for Released Object");
   vst1.set_IsEnabled(Boolean.TRUE);
   stl.add(vst1);
   
   vst2.set_ApplyStateID(VersionStatusId.SUPERSEDED);
   vst2.set_TemplatePermissions( setPermissions("#AUTHENTICATED-USERS", permSuperseded) );
   vst2.set_DisplayName("Version Template for Superseded Object");
   vst2.set_IsEnabled(Boolean.TRUE);
   stl.add(vst2);
   
   vst3.set_ApplyStateID(new Id("{21a47705-d20a-4b65-938e-2ddcefa45927}") );
   vst3.set_TemplatePermissions( setPermissions("#AUTHENTICATED-USERS", permObsolete) );
   vst3.set_DisplayName("Application Template for Obsolete Objects");
   vst3.set_IsEnabled(Boolean.TRUE);
   stl.add(vst3);

   // Create the security policy.
   SecurityPolicy sp = Factory.SecurityPolicy.createInstance(os, ClassNames.SECURITY_POLICY);
   sp.set_SecurityTemplates(stl);
   sp.set_DisplayName("Security Policy with Version and Application Templates");
   sp.set_PreserveDirectPermissions(Boolean.FALSE);
   sp.save(RefreshMode.REFRESH);
}

C# Example

public void createSecurityObject(IObjectStore os)
{
   // Access rights for released, superseded, and obsolete objects
   int permReleased = (int)AccessRight.READ_ACL | (int)AccessRight.CHANGE_STATE
           | (int)AccessRight.CREATE_INSTANCE | (int)AccessRight.VIEW_CONTENT
           | (int)AccessRight.MINOR_VERSION | (int)AccessRight.UNLINK
           | (int)AccessRight.LINK | (int)AccessRight.MAJOR_VERSION
           | (int)AccessRight.WRITE | (int)AccessRight.READ;
   int permSuperseded = (int)AccessRight.READ_ACL | (int)AccessRight.VIEW_CONTENT
           | (int)AccessRight.READ;
   int permObsolete = (int)AccessRight.READ_ACL | (int)AccessRight.READ
           | (int)AccessRight.DELETE;

   // Create security templates.
   IVersioningSecurityTemplate vst1 = Factory.VersioningSecurityTemplate.CreateInstance(os);
   IVersioningSecurityTemplate vst2 = Factory.VersioningSecurityTemplate.CreateInstance(os);
   IApplicationSecurityTemplate vst3 = Factory.ApplicationSecurityTemplate.CreateInstance(os);
   ISecurityTemplateList stl = Factory.SecurityTemplate.CreateList();
   vst1.ApplyStateID = VersionStatusId.RELEASED;
   vst1.TemplatePermissions = setPermissions("#AUTHENTICATED-USERS", permReleased);
   vst1.DisplayName = "Version Template for Released Object";
   vst1.IsEnabled = true;
   stl.Add(vst1);

   vst2.ApplyStateID = VersionStatusId.SUPERSEDED;
   vst2.TemplatePermissions = setPermissions("#AUTHENTICATED-USERS", permSuperseded);
   vst2.DisplayName = "Version Template for Superseded Object";
   vst2.IsEnabled = true;
   stl.Add(vst2);

   vst3.ApplyStateID = new Id("{21a47705-d20a-4b65-938e-2ddcefa45927}");
   vst3.TemplatePermissions = setPermissions("#AUTHENTICATED-USERS", permObsolete);
   vst3.DisplayName = "Application Template for Obsolete Objects";
   vst3.IsEnabled = true;
   stl.Add(vst3);

   // Create the security policy.
   ISecurityPolicy sp = Factory.SecurityPolicy.CreateInstance(os, ClassNames.SECURITY_POLICY);
   sp.SecurityTemplates = stl;
   sp.DisplayName = "Security Policy with Version and Application Templates";
   sp.PreserveDirectPermissions = false;
   sp.Save(RefreshMode.REFRESH);
}

Assigning a Security Policy

The following Java and C# examples show how to assign a security policy to a class. The Id objects for the ClassDefinition and the SecurityPolicy are passed to the method, which creates the ClassDefinition and the SecurityPolicy objects. Using the helper method getPropertyDefinition (not shown), the code retrieves the class's PropertyDefinition object for SecurityPolicy, then sets it to the SecurityPolicy object.

Note that the security policy will automatically be applied to new object instances of the class, but not to existing object instances of the class. You must explicitly set the security policy on the existing object instances of the class.

Java Example

public void assignSecurityPolicy(ObjectStore os, Id classId, Id securityPolicyId)
{
   ClassDefinition cd = Factory.ClassDefinition.fetchInstance(os, classId, null);
   SecurityPolicy sp = Factory.SecurityPolicy.getInstance(os, ClassNames.SECURITY_POLICY, securityPolicyId);
   PropertyDefinition pd = getPropertyDefinition(cd.get_PropertyDefinitions(), ClassNames.SECURITY_POLICY);
   (pd.getProperties().get(PropertyNames.PROPERTY_DEFAULT_OBJECT)).setObjectValue(sp);
   cd.save(RefreshMode.REFRESH);
}

C# Example

public void assignSecurityPolicy(IObjectStore os, Id classId, Id securityPolicyId)
{
   IClassDefinition cd = Factory.ClassDefinition.FetchInstance(os, classId, null);
   ISecurityPolicy sp = Factory.SecurityPolicy.GetInstance(os, ClassNames.SECURITY_POLICY, securityPolicyId);
   IPropertyDefinition pd = getPropertyDefinition(cd.PropertyDefinitions, ClassNames.SECURITY_POLICY);
   (pd.Properties.GetProperty(PropertyNames.PROPERTY_DEFAULT_OBJECT)).SetObjectValue(sp);
   cd.Save(RefreshMode.REFRESH);
}

Applying an Application Security Template

The following Java and C# examples show how to apply an ApplicationSecurityTemplate to an object. The examples iterate the documents contained in a Folder object and select those that have not been modified for over one year. To each document that meets the criterion, an application security template with delete permission is applied. The examples assume that the documents in the folder were previously assigned a SecurityPolicy containing the application security template with delete permission.

Java Example

public void applyApplicationSecurityTemplate(ObjectStore os, Id folderId)
{
   // Create a folder object.
   Folder folder = Factory.Folder.fetchInstance(os, folderId, null);

   // Get all documents in folder
   DocumentSet ds = folder.get_ContainedDocuments();
   
   // Compute the cutoff date: a document last modified before this date
   // has not been modified for over one year.
   Calendar cal = new GregorianCalendar();
   cal.add(Calendar.YEAR, -1);
   Date cutoff = cal.getTime();

   // Iterate folder documents and check last modification date.
   // If over one year, apply ApplicationSecurityTemplate with delete permission.
   Iterator iter = ds.iterator();
   while (iter.hasNext())
   {
       Document doc = (Document) iter.next();
       Date docDate = doc.get_DateLastModified();
       if (docDate.before(cutoff))
       {
           doc.applySecurityTemplate(new Id("{21a47705-d20a-4b65-938e-2ddcefa45927}") );
           doc.save(RefreshMode.REFRESH);
       }
   }
}

C# Example

public void applyApplicationSecurityTemplate(IObjectStore os, Id folderId)
{
   // Create a folder object.
   IFolder folder = Factory.Folder.FetchInstance(os, folderId, null);

   // Get all documents in folder
   IDocumentSet ds = folder.ContainedDocuments;
   
   // Compute the cutoff date: a document last modified before this date
   // has not been modified for over one year.
   DateTime cutoff = DateTime.Now.AddYears(-1);

   // Iterate folder documents and check last modification date.
   // If over one year, apply ApplicationSecurityTemplate with delete permission.
   System.Collections.IEnumerator iter = ds.GetEnumerator();
   while (iter.MoveNext())
   {
       IDocument doc = (IDocument) iter.Current;
       DateTime docDate = (DateTime) doc.DateLastModified;
       if (docDate < cutoff)
       {
           doc.ApplySecurityTemplate(new Id("{21a47705-d20a-4b65-938e-2ddcefa45927}") );
           doc.Save(RefreshMode.REFRESH);
       }
   }
}

Getting Security Template Information

You can get descriptive permission information from a security template. A SecurityTemplate object includes the TemplatePermissionDescriptions property, which contains a list of AccessPermissionDescription objects, from which you can get information about access rights.

The following Java and C# examples get permission descriptions for every SecurityTemplate object contained in a SecurityPolicy object passed to the method. Iterating the list of security templates (SecurityTemplateList), the method retrieves the TemplatePermissionDescriptions property from a security template. It then iterates the AccessPermissionDescriptionList and prints out information from each AccessPermissionDescription object.

Java Example

public void getSecurityTemplateInformation(ObjectStore os, Id secPolicyId)
{
   SecurityPolicy sp = Factory.SecurityPolicy.fetchInstance(os, secPolicyId, null );
   SecurityTemplateList stl = sp.get_SecurityTemplates();
   Iterator outerIter = stl.iterator();
   while (outerIter.hasNext())
   {
       SecurityTemplate st = (SecurityTemplate) outerIter.next();
       AccessPermissionDescriptionList apdl = st.get_TemplatePermissionDescriptions();
       Iterator innerIter = apdl.iterator();
       System.out.println("Security template is " + st.get_DisplayName());
       while (innerIter.hasNext())
       {
          AccessPermissionDescription apd = (AccessPermissionDescription) innerIter.next();
          System.out.println("Permission is " + apd.get_DescriptiveText() + "\n" + 
             "Permission type is " + apd.get_PermissionType().toString() + "\n" +
             "Access mask is " + apd.get_AccessMask()
          );
       }
       System.out.println("=============================\n");
   }
}

C# Example

public void getSecurityTemplateInformation(IObjectStore os, Id secPolicyId)
{
   ISecurityPolicy sp = Factory.SecurityPolicy.FetchInstance(os, secPolicyId, null);
   ISecurityTemplateList stl = sp.SecurityTemplates;
   System.Collections.IEnumerator outerIter = stl.GetEnumerator();
   while (outerIter.MoveNext())
   {
       ISecurityTemplate st = (ISecurityTemplate) outerIter.Current;
       IAccessPermissionDescriptionList apdl = st.TemplatePermissionDescriptions;
       System.Collections.IEnumerator innerIter = apdl.GetEnumerator();
       System.Console.WriteLine("Security template is " + st.DisplayName);
       while (innerIter.MoveNext())
       {
          IAccessPermissionDescription apd = (IAccessPermissionDescription) innerIter.Current;
          System.Console.WriteLine("Permission is " + apd.DescriptiveText + "\n" + 
            "Permission type is " + apd.PermissionType.ToString() + "\n" +
            "Access mask is " + apd.AccessMask
          );
       }
       System.Console.WriteLine("=============================\n");
    }
}

Removing a Security Policy

You can remove a security policy from an object by setting the object's SecurityPolicy property to null. If the object is a class, you set the class's PropertyDefinition object for SecurityPolicy to null. You can also remove a security policy from an object store but only if no objects hold a reference to it.

The following Java and C# examples first show how to remove a security policy from a class, and then how to delete the security policy from an object store. Note that removing a security policy from a class does not remove the security policy from objects based on that class. Before you can delete a security policy from an object store, you must explicitly remove the security policy from every object that holds a reference to it.

Java Example

public void removeSecurityObject(Id classId, ObjectStore os)
{
   // Get the class from which the security object will be removed.
   ClassDefinition cd = Factory.ClassDefinition.fetchInstance(os, classId, null);
   
   // Get the property definition for SecurityPolicy.
   // Helper method getPropertyDefinition not shown.
   PropertyDefinition pd = getPropertyDefinition(cd.get_PropertyDefinitions(), ClassNames.SECURITY_POLICY);
    
   // Get the Id of the SecurityObject to be removed.
   SecurityPolicy spTarget = (SecurityPolicy) (pd.getProperties().get(PropertyNames.PROPERTY_DEFAULT_OBJECT)).getObjectValue();
   Id spTargetId = spTarget.get_Id();
   
   // Remove SecurityObject from the class.
   (pd.getProperties().get(PropertyNames.PROPERTY_DEFAULT_OBJECT)).setObjectValue(null);
   cd.save(RefreshMode.REFRESH);

   // Delete SecurityObject from the object store.
   SecurityPolicySet sps = os.get_SecurityPolicies();
   Iterator outerIter = sps.iterator();
   while (outerIter.hasNext())
   {
      SecurityPolicy sp = (SecurityPolicy) outerIter.next();
      if (sp.get_Id().equals(spTargetId) )
      {
          sp.delete();
          sp.save(RefreshMode.REFRESH);
      }
   }
}

C# Example

public void removeSecurityObject(Id classId, IObjectStore os)
{
   // Get the class from which the security object will be removed.
   IClassDefinition cd = Factory.ClassDefinition.FetchInstance(os, classId, null);

   // Get the property definition for SecurityPolicy.
   // Helper method getPropertyDefinition not shown.
   IPropertyDefinition pd = getPropertyDefinition(cd.PropertyDefinitions, ClassNames.SECURITY_POLICY);

   // Get the Id of the SecurityObject to be removed.
   ISecurityPolicy spTarget = (ISecurityPolicy)(pd.Properties.GetProperty(PropertyNames.PROPERTY_DEFAULT_OBJECT)).GetObjectValue();
   Id spTargetId = spTarget.Id;

   // Remove SecurityObject from the class.
   (pd.Properties.GetProperty(PropertyNames.PROPERTY_DEFAULT_OBJECT)).SetObjectValue(null);
   cd.Save(RefreshMode.REFRESH);

   // Delete SecurityObject from the object store.
   ISecurityPolicySet sps = os.SecurityPolicies;
   System.Collections.IEnumerator outerIter = sps.GetEnumerator();
   while (outerIter.MoveNext())
   {
       ISecurityPolicy sp = (ISecurityPolicy)outerIter.Current;
       if (sp.Id.Equals(spTargetId))
       {
           sp.Delete();
           sp.Save(RefreshMode.REFRESH);
       }
   }
}


Last updated: October 2013
sec_procedures.htm

© Copyright IBM Corporation 2014.