mmbase logo

Context Security Configuration

Introduction

Central notions in the context security model

An extended example

MMBase

home

Context Security Configuration

Authors: Eduard Witteveen, Sjoerd de Heer, Henk Hangyi, Pierre van Rooden
Date: 2003-02-12

This software is OSI Certified Open Source Software. OSI Certified is a certification mark of the Open Source Initiative.

The license (Mozilla version 1.0) can be read at the MMBase site. See http://www.mmbase.org/license

Table of Contents

1. Introduction
1.1. A security implementation with contexts
1.2. Users
1.3. Groups
1.4. Contexts
2. Central notions in the context security model
2.1. Contexts, Groups and Users
2.1.1. Reference field
2.1.2. Contexts
2.1.3. Groups
2.1.4. Users
2.1.5. Overview picture of the security model
2.2. Operations on objects
2.2.1. Read, Write and Delete
2.2.2. Making a reference to.
2.2.3. Create
2.2.4. Change
2.3. Rights
2.3.1. Create a new object
2.3.2. Creating a new relation
2.3.3. Altering an object
2.3.4. Changing rights in contexts
2.3.5. Deleting objects
3. An extended example
3.1. <loginmodules />
3.2. <accounts />
3.3. <user> <identify /> </user>
3.4. <group> <contains /> </group>
3.5. <contexts> <context /> </contexts>
3.6. The DTD of context.xml

A context exists of a set of rights which describe what you can do within this context with an object of MMBase. For example you define read access to a the context which is used by anonymous visitors of your site and you can define a context with edit rights for registered users of your site. The main parts of the security framework are:

The users of MMBase can have different levels anonymous or registered users. The anonymous users are the normal page viewers. There rights are being served through the anonymous module of MMBase. Registered users are being served through the user/password module, this are the users that can alter data within MMBase.

For registered users there is also an extra level called rank. The default ranks are 'Basic user' and 'Administrator'. These ranks can denote extra rights within MMBase. The anonymous users can only have the rank 'Anonymous'.

A Group can exist of users and/ or groups. In this way you can define a structure which inherits rights from lower levels. For example the office-sweeper group may read the newspaper. The office-clerk group is member of the office-sweeper group but may also use the toilet. So a member of the office-clerk may read the newspaper and go to the toilet, even at the same time. While a office-sweeper can only read the paper and work fast to get home in time to use the bathroom. As you probably noticed a stupid example which might help to understand the framework.

A user can be member of more than one group within MMBase.

Each object within MMBase has a context. Which context is associated with an object can be seen in the owner field of that object. The name found there is the name first used as context before fallback on the default context. In the context is defined which rights are granted to a user or group. The following rights are available.

Of each context is also know to which context it may change. An admin may change to a user but a user may not change to an admin.

Within MMBase each object has a field called 'owner'. The value of this field is used by the security system to specify the context of an object. If an object is accessed and the name of its context does not exist a warning will be issued in the logs and the default context will be selected.

A context defines which rights a group has on a object. Also is defined within this context to which contexts you can change to assume there rights.

A group is a collection of users and groups. In this way you can represent your organization in the security system. If used properly in combination with contexts for each group.

Anonymous users: These users get there rights from the module called anonymous. They are considered the normal page viewers. There rank will always be 'ANONYMOUS'.

Logged in users: These users are validated through the user/password module of the context security. They are the users which can change your data in MMBase. The rank of these users is normally 'Basic users' but can also be 'Administrator' which is a rank that grants more rights within MMBase.

Note that the context to which a user belongs, is stored in the owner field of the user.

To be able to read or write or delete an object in MMBase a user needs the right 'read' or 'write' or 'delete' for this object.

The right 'link' give a user the possibility to create relations between objects in MMBase. The user needs create rights on the relation builder for this to work!

The right 'create' is only used for builders. It gives the specified user the right to create objects in this selected builder.

The right 'change context' gives a users the right to alter the rights defined in the selected context.

To be able to create an object the user needs 'create' rights on the node that represents the node-type within MMBase, see the typedef table.

To create a new relation your users needs 'create' rights on the insrel table and 'link' rights between the objects where he or she wants to create a relation in-between.

To be able to change an object the user needs the 'change' right for that object.

When you want a user to be able to change the rights of a context then that user needs 'change context' rights for that selected context.

To remove an object the user needs 'delete' rights.

The following XML will be used to provide some explanation on the context security configuration

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE contextconfig PUBLIC "//MMBase - contextconfig//" "http://www.mmbase.org/dtd/securitycontextconfig.dtd">
<contextconfig>
  <loginmodules>
    <module name="anonymous" class="org.mmbase.security.implementation.context.AnonymousLogin" />
    <module name="name/password" class="org.mmbase.security.implementation.context.PasswordLogin" />
  </loginmodules>
  <accounts>
    <user name="anonymous" context="default" />
    <user name="admin" context="admin">
      <identify type="name/password" rank="administrator">admin2k</identify>
    </user>
    <user name="foo" context="default" >
      <identify type="name/password" rank="basic user">bar</identify>
    </user>
  </accounts>
  <groups>
    <group name="everyone">
      <contains type="group" named="users" />
      <contains type="user" named="anonymous" />
    </group>
    <group name="users">
      <contains type="user" named="foo" />
      <contains type="group" named="administrators" />
    </group>
    <group name="administrators">
      <contains type="user" named="admin" />
    </group>
  </groups>
  <contexts default="default">
    <context name="default">
      <operation type="create">
        <grant group="users" />
      </operation>
      <operation type="read">
        <grant group="everyone" />
      </operation>
      <operation type="write">
        <grant group="users" />
      </operation>
      <operation type="link">
        <grant group="users" />
      </operation>
      <operation type="delete">
        <grant group="users" />
      </operation>
      <operation type="change context">
        <grant group="administrators" />
      </operation>
      <possible context="default" />
    </context>
  </contexts>
</contextconfig>

This is the module that takes care of the login process within MMBase. There are no changes needed to this field so it will not be described any further.

This are the accounts of the users which are know to the system. It is advised to also create a user called anonymous since it does not exists anywhere else.

The following values can be given to the elements of user.

This defines groups within the context security. The following structure applies:

<group name="%name%">
  <contains type="user" named="%username%" />
  <contains type="user" named="%username%" />
  <contains type="group" named="%groupname%" />
  <contains type="group" named="%groupname%" />
</group>

The following values can be given to the elements of group:

The following values can be given to the elements of contexts.

For completeness this is the full DTD used for context.xml:

<!ELEMENT contextconfig ( loginmodules, accounts, groups, contexts ) >

<!ELEMENT loginmodules ( module+ ) >

<!ELEMENT module ( property* ) >
<!ATTLIST module class NMTOKEN #REQUIRED >
<!ATTLIST module name CDATA #REQUIRED >

<!ELEMENT property ( #PCDATA ) >
<!ATTLIST property name NMTOKEN #REQUIRED >

<!ELEMENT accounts ( user+ ) >

<!ELEMENT user ( identify* ) >
<!ATTLIST user context NMTOKEN #REQUIRED >
<!ATTLIST user name NMTOKEN #REQUIRED >

<!ELEMENT identify ( #PCDATA ) >
<!ATTLIST identify rank (administrator | basic user) #REQUIRED >
<!ATTLIST identify type CDATA #REQUIRED >

<!ELEMENT groups ( group+ ) >

<!ELEMENT group ( contains+ ) >
<!ATTLIST group name NMTOKEN #REQUIRED >

<!ELEMENT contains EMPTY >
<!ATTLIST contains named NMTOKEN #REQUIRED >
<!ATTLIST contains type NMTOKEN #REQUIRED >

<!ELEMENT contexts ( context+ ) >
<!ATTLIST contexts default NMTOKEN #REQUIRED >

<!ELEMENT context ( operation*, possible* ) >
<!ATTLIST context name NMTOKEN #REQUIRED >

<!ELEMENT operation ( grant* ) >
<!ATTLIST operation type (read | write | link | delete | change context) #REQUIRED >

<!ELEMENT grant EMPTY >
<!ATTLIST grant group NMTOKEN #REQUIRED >

<!ELEMENT possible EMPTY >
<!ATTLIST possible context NMTOKEN #REQUIRED >

This is part of the MMBase documentation.

For questions and remarks about this documentation mail to: documentation@mmbase.org