The security provider
The security provider controls access to the external user view and edit form.
The default behaviour
A default security provider is supplied. Its security rules are as follows:
- Rules to display the user view and create a new user
  - Access is forbidden to “sysadmin” and “anonymous” users.
  - Access can be allowed only to users who are
    - members of the Workplace external user administrators group, whose system name is “WP_EXTERNAL_ADMIN_USERS”,
    - and members of an External organization,
    - and have the read right on the organization’s users.
- Rules to edit or delete an existing user
  - The logged-on user must be a member of the same organization as the targeted user.
  - The logged-on user must have the read right on the targeted user.
Override the default behaviour
It is possible to override this behaviour with a custom implementation.
Create a custom security provider
The custom class must implement IUserAdminSecurityProvider and implement the following method:
/**
 * Check permission.
 * @param user the logged-in user to check permission for
 * @param map the map (not used)
 * @param target the target object (the targeted user when editing or deleting)
 * @return true to allow access, false to prevent it
 */
boolean checkPermission(User user, Map map, Object target);
The method parameters:
- The User parameter is the logged-in user.
- The Map parameter is not used.
- The Object parameter is the targeted user (when editing or deleting).
The following implementation example allows access to the user whose login is “John” and denies it to all others:
package your.custom.security.provider.implementation;

import com.moovapps.workplace.sdk.navigation.providers.security.IUserAdminSecurityProvider;
import java.util.Map;
import com.axemble.vdoc.directory.domain.User;

public class CustomExternalUserAdminSecurityProvider implements IUserAdminSecurityProvider {
    @Override
    public boolean checkPermission(User user, Map map, Object target) {
        return "John".equals(user.getLogin());
    }
}
Adapt the configuration key
Specify your custom implementation with the configuration key:
workplace.user.admin.security.provider.classname=com.moovapps.sample.navigation.providers.secutiry.SampleExternalAdminSecurityProvider
Specify the custom implementation in your custom view declaration
<view override="workplaceExternalUserAdmin.view" provider="com.moovapps.sample.navigation.providers.view.SampleExternalUserAdminViewProvider">
    <button name="create" label="LG_CREATE">
        <security provider="com.moovapps.sample.navigation.providers.secutiry.SampleExternalAdminSecurityProvider" />
    </button>
    <button name="delete" label="LG_DELETE" style="style2">
        <security provider="com.moovapps.sample.navigation.providers.secutiry.SampleExternalAdminSecurityProvider" />
    </button>
    <image name="delete">
        <security provider="com.moovapps.sample.navigation.providers.secutiry.SampleExternalAdminSecurityProvider" />
    </image>
    <image name="properties">
        <security provider="com.moovapps.sample.navigation.providers.secutiry.SampleExternalAdminSecurityProvider" />
    </image>
    <column name="login" label="LG_USER_LOGIN"/>
    <column name="title" label="directory.user.title"/>
    <column name="firstName" label="common.firstname"/>
    <column name="lastName" label="common.lastname"/>
    <column name="email" label="common.email"/>
    <column name="sample" label="LG_SAMPLE"/>
</view>
Warning
It is very important both to specify the configuration key and to override the form provider, in order to avoid security leaks!
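A deployment check for the warning above, as an added example that is not part of the original page or of the Moovapps SDK. It assumes that every button and image in the overridden view should carry a security element naming the same class as the configuration key; the class names in the sample input are constructed.

```python
import xml.etree.ElementTree as ET

CONFIG_KEY = "workplace.user.admin.security.provider.classname"

def configured_provider(properties_text):
    """Return the class name set for CONFIG_KEY, or None if the key is absent."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == CONFIG_KEY:
            return value.strip() or None
    return None

def audit(properties_text, view_xml):
    """List mismatches between the configuration key and the view declaration."""
    findings = []
    expected = configured_provider(properties_text)
    if expected is None:
        findings.append("configuration key %s is not set" % CONFIG_KEY)
    view = ET.fromstring(view_xml)
    for action in view.iter():
        if action.tag not in ("button", "image"):
            continue  # columns and nested elements carry no provider
        label = "%s '%s'" % (action.tag, action.get("name"))
        security = action.find("security")
        declared = security.get("provider") if security is not None else None
        if not declared:
            findings.append(label + " has no security provider")
        elif expected is not None and declared != expected:
            findings.append(label + " uses " + declared + ", key says " + expected)
    return findings

# Constructed sample input: the key from the page plus a view where one
# element lacks <security> and another names a different (hypothetical) class.
SAMPLE_PROPERTIES = CONFIG_KEY + "=com.example.security.AcmeProvider\n"
SAMPLE_VIEW = """
<view override="workplaceExternalUserAdmin.view">
  <button name="create"><security provider="com.example.security.AcmeProvider"/></button>
  <button name="delete"/>
  <image name="properties"><security provider="com.example.security.OtherProvider"/></image>
  <column name="login" label="LG_USER_LOGIN"/>
</view>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_VIEW):
        print(finding)
```

An empty result from `audit` means the key is set and every button and image in the view names that same class.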