This software is OSI Certified Open Source Software. OSI Certified is a certification mark of the Open Source Initiative.
The license (Mozilla version 1.0) can be read at the MMBase site. See http://www.mmbase.org/license
A context consists of a set of rights which describe what you can do within this context with an object of MMBase. For example, you can define read access in the context that is used by anonymous visitors of your site, and you can define a context with edit rights for registered users of your site. The main parts of the security framework are:
Single users (users)
Groups (users)
Contexts
The users of MMBase can have different levels: anonymous or registered users. The anonymous users are the normal page viewers. Their rights are served through the anonymous module of MMBase. Registered users are served through the user/password module; these are the users that can alter data within MMBase.
For registered users there is also an extra level called rank. The default ranks are 'Basic user' and 'Administrator'. These ranks can denote extra rights within MMBase. The anonymous users can only have the rank 'Anonymous'.
A group can consist of users and/or groups. In this way you can define a structure which inherits rights from lower levels. For example, the office-sweeper group may read the newspaper. The office-clerk group is a member of the office-sweeper group but may also use the toilet. So a member of the office-clerk group may read the newspaper and go to the toilet, even at the same time, while an office-sweeper can only read the paper and work fast to get home in time to use the bathroom. As you probably noticed, a silly example, but it might help to understand the framework.
A user can be member of more than one group within MMBase.
Each object within MMBase has a context. Which context is associated with an object can be seen in the owner field of that object. The name found there is first tried as the context name; if no such context exists, the default context is used as fallback. The context defines which rights are granted to a user or group. The following rights are available:
read, read the content of an object.
write, write content to an object.
link, making a relation between two objects.
delete, remove an object.
create, create a new object of the type represented by a typedef node (a builder). This is what the so-called editors need.
change, changing of context.
For each context it is also known to which contexts it may be changed. An admin may change to a user, but a user may not change to an admin.
Within MMBase each object has a field called 'owner'. The value of this field is used by the security system to specify the context of an object. If an object is accessed and the name of its context does not exist, a warning is issued in the logs and the default context is selected.
A context defines which rights a group has on an object. The context also defines to which contexts it can be changed, so that the rights of that other context are assumed.
A group is a collection of users and groups. In this way you can represent your organization in the security system, provided it is used properly in combination with a context for each group.
Anonymous users: These users get their rights from the module called anonymous. They are considered the normal page viewers. Their rank will always be 'ANONYMOUS'.
Logged in users: These users are validated through the user/password module of the context security. They are the users which can change your data in MMBase. The rank of these users is normally 'Basic users' but can also be 'Administrator' which is a rank that grants more rights within MMBase.
To be able to read or write or delete an object in MMBase a user needs the right 'read' or 'write' or 'delete' for this object.
The right 'link' gives a user the possibility to create relations between objects in MMBase. The user needs create rights on the relation builder for this to work!
The right 'create' is only used for builders. It gives the specified user the right to create objects in this selected builder.
To be able to create an object the user needs 'create' rights on the node that represents the node-type within MMBase, see the typedef table.
To create a new relation a user needs 'create' rights on the insrel table and 'link' rights on the objects between which he or she wants to create the relation.
To be able to change an object the user needs the 'change' right for that object.
When you want a user to be able to change the rights of a context then that user needs 'change context' rights for that selected context.
The following XML will be used to provide some explanation on the context security configuration:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE contextconfig PUBLIC "//MMBase - contextconfig//" "http://www.mmbase.org/dtd/securitycontextconfig.dtd">
<contextconfig>
  <loginmodules>
    <module name="anonymous" class="org.mmbase.security.implementation.context.AnonymousLogin" />
    <module name="name/password" class="org.mmbase.security.implementation.context.PasswordLogin" />
  </loginmodules>
  <accounts>
    <user name="anonymous" context="default" />
    <user name="admin" context="admin">
      <identify type="name/password" rank="administrator">admin2k</identify>
    </user>
    <user name="foo" context="default" >
      <identify type="name/password" rank="basic user">bar</identify>
    </user>
  </accounts>
  <groups>
    <group name="everyone">
      <contains type="group" named="users" />
      <contains type="user" named="anonymous" />
    </group>
    <group name="users">
      <contains type="user" named="foo" />
      <contains type="group" named="administrators" />
    </group>
    <group name="administrators">
      <contains type="user" named="admin" />
    </group>
  </groups>
  <contexts default="default">
    <context name="default">
      <operation type="create">
        <grant group="users" />
      </operation>
      <operation type="read">
        <grant group="everyone" />
      </operation>
      <operation type="write">
        <grant group="users" />
      </operation>
      <operation type="link">
        <grant group="users" />
      </operation>
      <operation type="delete">
        <grant group="users" />
      </operation>
      <operation type="change context">
        <grant group="administrators" />
      </operation>
      <possible context="default" />
    </context>
  </contexts>
</contextconfig>
These are the modules that take care of the login process within MMBase. No changes are needed to this element, so it will not be described any further.
These are the accounts of the users which are known to the system. It is advised to also create a user called anonymous, since it does not exist anywhere else.
The following values can be given to the elements of user.
name="..." : The name of the user
context="..." : The context that objects get when created through this user
<identify type="..." > : The login type refers to /contextconfig/loginmodules/module[@name] , this shall always be "name/password"
<identify rank="..." > : This is the rank of the user after login. The default is 'basic user' unless a person is administrator then the rank will be 'administrator'. Anonymous users always get the rank 'anonymous'
<identify > ... </identify > : The password for this user
This defines groups within the context security. The following structure applies:
<group name="%name%">
  <contains type="user" named="%username%" />
  <contains type="user" named="%username%" />
  <contains type="group" named="%groupname%" />
  <contains type="group" named="%groupname%" />
</group>
The following values can be given to the elements of group:
name="..." : The name of the group.
<contains type="..." > : The type of the element 'named'. Valid values are 'user' and 'group'.
<contains named="..." > : The group or user that is a member of this group. The attribute 'type' determines whether this is a user or a group member. If you specify the wrong type, the correct entry cannot be found.
The following values can be given to the elements of contexts.
<contexts> ... </contexts> : This is a list of contexts that can be used within the context system.
<contexts default="..." > : This attribute refers to the context that should be used when the owner field of an object refers to a context that cannot be found. So the value should be named in one of the <contexts> <context name="..." > </contexts> elements.
Within these <contexts> ... </contexts> it is possible to create new contexts, which use the following structure:
<context name="%contextname%">
  <operation type="%operation%" />
  <operation type="%operation%">
    <grant group="%groupname%" />
    <grant group="%groupname%" />
  </operation>
  <possible context="%contextname%" />
  <possible context="%contextname%" />
</context>
The following values can be given to the elements:
<context name="..." > : The name of the context.
<context> <operation type="..." /> </context> : The type of operation where rights are granted to. Valid values are 'read', 'write', 'link', 'delete' and 'change context'
<context> <operation > <grant group="..." /> </operation> </context> : The group which receives the rights within this context. Of course the group should be found in a <groups> <group name="..." /> </groups> element.
<context> <possible context="..." /> </context> (context/possible[@context]) : When the context of an object can be changed, it can only be changed into the values specified in this element, which should be found in an element called <contexts> <context name="..." /> </contexts>.
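The rights model (read, write, link, delete, create, change context), the owner-field lookup with its fallback to the default context, the nested groups and the <possible> restriction explained above can be exercised with a small evaluator. The following is an added example written for this page, not MMBase's own code: it parses the sample configuration with Python's xml.etree, computes transitive group membership, resolves an object's owner field to a context, checks operation grants and <possible> targets, and lints the cross-references between users, groups and contexts that the text says must resolve. The class and method names are my own; the embedded configuration is the one shown above with the DOCTYPE and loginmodules left out so that the standard-library parser needs no DTD.

```python
# Added example, not MMBase code: evaluates the context security rules stated in the text.
import xml.etree.ElementTree as ET

# Constructed sample: the accounts, groups and contexts of the configuration shown in the
# documentation (DOCTYPE and loginmodules left out so the stdlib parser needs no DTD).
CONFIG_XML = """<contextconfig>
  <accounts>
    <user name="anonymous" context="default" />
    <user name="admin" context="admin"><identify type="name/password" rank="administrator">admin2k</identify></user>
    <user name="foo" context="default"><identify type="name/password" rank="basic user">bar</identify></user>
  </accounts>
  <groups>
    <group name="everyone"><contains type="group" named="users" /><contains type="user" named="anonymous" /></group>
    <group name="users"><contains type="user" named="foo" /><contains type="group" named="administrators" /></group>
    <group name="administrators"><contains type="user" named="admin" /></group>
  </groups>
  <contexts default="default">
    <context name="default">
      <operation type="create"><grant group="users" /></operation>
      <operation type="read"><grant group="everyone" /></operation>
      <operation type="write"><grant group="users" /></operation>
      <operation type="link"><grant group="users" /></operation>
      <operation type="delete"><grant group="users" /></operation>
      <operation type="change context"><grant group="administrators" /></operation>
      <possible context="default" />
    </context>
  </contexts>
</contextconfig>"""


class ContextSecurity:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.users = {u.get("name"): u for u in root.iter("user")}
        # group name -> direct members as (type, named) pairs, exactly as <contains> lists them
        self.groups = {g.get("name"): [(c.get("type"), c.get("named")) for c in g]
                       for g in root.iter("group")}
        ctxs = root.find("contexts")
        self.default_context = ctxs.get("default")
        # context name -> ({operation: set of granted groups}, set of contexts it may change to)
        self.contexts = {
            c.get("name"): ({op.get("type"): {g.get("group") for g in op} for op in c.findall("operation")},
                            {p.get("context") for p in c.findall("possible")})
            for c in ctxs}
        self.warnings = []  # stands in for the log warning MMBase issues on an unknown context

    def groups_of(self, user):
        """Transitive membership: a group that contains another group also has that group's users."""
        found, changed = set(), True
        while changed:
            changed = False
            for name, members in self.groups.items():
                if name not in found and any((t == "user" and n == user) or (t == "group" and n in found)
                                             for t, n in members):
                    found.add(name)
                    changed = True
        return found

    def resolve_context(self, owner):
        """The owner field names the context; an unknown name is logged and the default is used."""
        if owner in self.contexts:
            return owner
        self.warnings.append(f"context '{owner}' not found, falling back to '{self.default_context}'")
        return self.default_context

    def may(self, user, operation, owner):
        """Granted if any group the user belongs to is granted the operation in the object's context."""
        grants, _ = self.contexts[self.resolve_context(owner)]
        return bool(grants.get(operation, set()) & self.groups_of(user))

    def may_change_context(self, user, owner, target):
        """Needs the 'change context' right, and the target must be listed under <possible>."""
        _, possible = self.contexts[self.resolve_context(owner)]
        return self.may(user, "change context", owner) and target in possible

    def check_references(self):
        """Lint the cross-references the documentation says must point at a defined element."""
        problems = []
        if self.default_context not in self.contexts:
            problems.append(f"default context '{self.default_context}' is not defined")
        for name, u in self.users.items():
            if u.get("context") not in self.contexts:
                problems.append(f"user '{name}' creates objects in undefined context '{u.get('context')}'")
        for gname, members in self.groups.items():
            for t, n in members:  # a wrong type means the entry is looked up in the wrong table
                if n not in (self.users if t == "user" else self.groups):
                    problems.append(f"group '{gname}' refers to unknown {t} '{n}'")
        for cname, (grants, possible) in self.contexts.items():
            for op, groups in grants.items():
                problems += [f"context '{cname}' grants '{op}' to unknown group '{g}'"
                             for g in groups if g not in self.groups]
            problems += [f"context '{cname}' may change to undefined context '{p}'"
                         for p in possible if p not in self.contexts]
        return problems


if __name__ == "__main__":
    sec = ContextSecurity(CONFIG_XML)
    print(sorted(sec.groups_of("admin")), sec.may("anonymous", "read", "default"))
    print(sec.may("admin", "delete", "admin"), sec.warnings, sec.check_references())
```

Running it against the sample shows the membership chain admin -> administrators -> users -> everyone, so admin receives every grant that 'users' or 'everyone' has, while anonymous only reaches 'everyone' and thus only 'read'. The lint also points out that the admin account is given context="admin" although no such context is defined in the sample: objects created by admin get owner 'admin', which resolve_context() logs and maps to the default context, exactly the fallback the text describes.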
For completeness this is the full DTD used for context.xml:
<!ELEMENT contextconfig ( loginmodules, accounts, groups, contexts ) >
<!ELEMENT loginmodules ( module+ ) >
<!ELEMENT module ( property* ) >
<!ATTLIST module class NMTOKEN #REQUIRED >
<!ATTLIST module name CDATA #REQUIRED >
<!ELEMENT property ( #PCDATA ) >
<!ATTLIST property name NMTOKEN #REQUIRED >
<!ELEMENT accounts ( user+ ) >
<!ELEMENT user ( identify* ) >
<!ATTLIST user context NMTOKEN #REQUIRED >
<!ATTLIST user name NMTOKEN #REQUIRED >
<!ELEMENT identify ( #PCDATA ) >
<!ATTLIST identify rank (administrator | basic user) #REQUIRED >
<!ATTLIST identify type CDATA #REQUIRED >
<!ELEMENT groups ( group+ ) >
<!ELEMENT group ( contains+ ) >
<!ATTLIST group name NMTOKEN #REQUIRED >
<!ELEMENT contains EMPTY >
<!ATTLIST contains named NMTOKEN #REQUIRED >
<!ATTLIST contains type NMTOKEN #REQUIRED >
<!ELEMENT contexts ( context+ ) >
<!ATTLIST contexts default NMTOKEN #REQUIRED >
<!ELEMENT context ( operation*, possible* ) >
<!ATTLIST context name NMTOKEN #REQUIRED >
<!ELEMENT operation ( grant* ) >
<!ATTLIST operation type (read | write | link | delete | change context) #REQUIRED >
<!ELEMENT grant EMPTY >
<!ATTLIST grant group NMTOKEN #REQUIRED >
<!ELEMENT possible EMPTY >
<!ATTLIST possible context NMTOKEN #REQUIRED >
This is part of the MMBase documentation.
For questions and remarks about this documentation mail to: [email protected]