Implementing access control in enterprise beans

If you create new enterprise beans that require protection by access control policies, there are several steps you must follow.

Procedure

  1. Create a new enterprise bean, ensuring that it extends from com.ibm.commerce.base.objects.ECEntityBean.
  2. Ensure that the remote interface of the bean extends the com.ibm.commerce.security.Protectable interface.
  3. If a resource is going to be grouped by an attribute other than its Java class name for the purpose of applying access control policies, the remote interface of the bean must also extend the com.ibm.commerce.grouping.Groupable interface.
  4. The enterprise bean class inherits default implementations for the following methods from com.ibm.commerce.base.objects.ECEntityBean:
    • getOwner
    • fulfills
    • getGroupingAttributeValue

    Override any methods that you need. At a minimum, you must override the getOwner method.

    The fulfills method must be implemented if there is an access control policy that includes this resource in its resource group, and also specifies a relationship or relationship group. The getGroupingAttributeValue method must be implemented if there is an access control policy with an implicit resource group that includes only certain instances of this resource, selected by specific attribute values (for example, an access control policy that pertains only to Orders with status = 'P' (pending)).

    Note that if the only relationship needed is "owner", then you do not need to override the fulfills method. In this case, the policy manager will make use of the result of the getOwner() method.

    The default implementations of these methods are shown in the following code snippets. These implementations come from the ECEntityBean class.

    
    ************************************************************************
    public Long getOwner() throws Exception 
    { 
       return null; 
    }
    ************************************************************************
    
    
    ************************************************************************
    public boolean fulfills(Long member, String relationship) 
       throws Exception
    { 
       return false; 
    }
    ************************************************************************
    
    
    ************************************************************************
    public Object getGroupingAttributeValue(String attributeName, 
       GroupingContext context) throws Exception 
    { 
       return null; 
    }
    ************************************************************************
    
    The following are sample implementations of these methods based on the implementations used in the OrderBean bean:
    • For the getOwner method, the logic of the provided method is:
      
      *********************************************************************** 
         com.ibm.commerce.common.objects.StoreEntityAccessBean storeEntAB = 
            new com.ibm.commerce.common.objects.StoreEntityAccessBean(); 
         storeEntAB.setInitKey_storeEntityId(getStoreEntityId().toString()); 
         return storeEntAB.getMemberIdInEJBType(); 
      ***********************************************************************
      
    • For the fulfills method, the logic of the provided method is:
      
      ************************************************************************
      if ("creator".equalsIgnoreCase(relationship))
      {
         return member.equals(bean.getMemberId());
      }
      else if ("BuyingOrganizationalEntity".equalsIgnoreCase(relationship))
      {
         return (member.equals(bean.getOrganizationId()));
      }
      else if ("sameOrganizationalEntityAsCreator".
         equalsIgnoreCase(relationship))
      {
         com.ibm.commerce.user.objects.UserAccessBean creator = 
            new com.ibm.commerce.user.objects.UserAccessBean();
         creator.setInitKey_MemberId(bean.getMemberId().toString());
         com.ibm.commerce.user.objects.UserAccessBean ab = 
            new com.ibm.commerce.user.objects.UserAccessBean();
         ab.setInitKey_MemberId(member.toString());
         if (ab.getParentMemberId().equals(creator.getParentMemberId()))
            return true;
      }
      return false; 
      ************************************************************************
      
    • For the getGroupingAttributeValue method, the logic of the provided method is:
      
      ************************************************************************
      if (attributeName.equalsIgnoreCase("Status")) 
         return getStatus(); 
      return null; 
      ************************************************************************
      
  5. Create (or recreate) the enterprise bean's access bean and generated code.
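The following is an added example that walks through steps 1 to 4 for a hypothetical Widget entity bean; it is not code from the HCL Commerce documentation or product. The names Widget, WidgetBean, getWidgetId, getStoreEntityId, getMemberId and getStatus, the package com.example.widget.objects, and the EJB 2.x style abstract CMP accessors are assumptions, as is the package com.ibm.commerce.grouping for GroupingContext (this page gives only the simple class name). The other classes and methods used (ECEntityBean, Protectable, Groupable, StoreEntityAccessBean and its setInitKey_storeEntityId and getMemberIdInEJBType methods) are the ones named on this page. The two types belong in separate source files, as marked.

```java
// ---- Widget.java (hypothetical remote interface) ----
package com.example.widget.objects;               // assumed package

import java.rmi.RemoteException;
import javax.ejb.EJBObject;
import com.ibm.commerce.security.Protectable;     // step 2
import com.ibm.commerce.grouping.Groupable;       // step 3: widgets are grouped by "Status"

public interface Widget extends EJBObject, Protectable, Groupable {
    Long getWidgetId() throws RemoteException;
    String getStatus() throws RemoteException;
}

// ---- WidgetBean.java (hypothetical bean class, step 1) ----
package com.example.widget.objects;               // assumed package

import com.ibm.commerce.base.objects.ECEntityBean;
import com.ibm.commerce.common.objects.StoreEntityAccessBean;
import com.ibm.commerce.grouping.GroupingContext; // package assumed, see lead-in

public abstract class WidgetBean extends ECEntityBean {

    // Container-managed persistent fields (abstract accessor style assumed).
    public abstract Long getWidgetId();
    public abstract Integer getStoreEntityId();   // store the widget belongs to
    public abstract Long getMemberId();           // member who created the widget
    public abstract String getStatus();           // e.g. 'P' for pending

    // Step 4, getOwner (mandatory override): the owner is the member that owns
    // the widget's store, resolved through the store entity access bean in the
    // same way the OrderBean sample on this page does.
    public Long getOwner() throws Exception {
        StoreEntityAccessBean storeEntAB = new StoreEntityAccessBean();
        storeEntAB.setInitKey_storeEntityId(getStoreEntityId().toString());
        return storeEntAB.getMemberIdInEJBType();
    }

    // Step 4, fulfills: only the "creator" relationship is recognised. Every
    // other relationship name, and any null input, falls through to false, so
    // a mistyped relationship in a policy denies rather than grants access.
    // "owner" is not handled here; the policy manager derives it from getOwner().
    public boolean fulfills(Long member, String relationship) throws Exception {
        if (member == null || relationship == null) {
            return false;
        }
        if ("creator".equalsIgnoreCase(relationship)) {
            return member.equals(getMemberId());
        }
        return false;
    }

    // Step 4, getGroupingAttributeValue: exposes the "Status" attribute so an
    // implicit resource group can select, for example, only pending widgets.
    // Unknown attribute names return null, which matches no group criterion.
    public Object getGroupingAttributeValue(String attributeName,
                                            GroupingContext context) throws Exception {
        if ("Status".equalsIgnoreCase(attributeName)) {
            return getStatus();
        }
        return null;
    }
}
```

Note that both inherited defaults (fulfills returning false, getOwner returning null) are deny-safe, which is why only getOwner must be overridden: a policy whose only relationship is "owner" cannot match anything until getOwner returns a real member ID. After writing the bean, step 5 still applies: regenerate the access bean and deployed code so the new remote interface is picked up.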

Results

Note that if you examine other HCL Commerce public entity beans to understand how the getOwner, fulfills and getGroupingAttributeValue methods are implemented, you will notice that these methods are implemented in the access helper class for the beans. Because the methods are implemented in the access helper classes instead of directly in the bean class, the method signatures are slightly different. In particular, the methods take an extra input parameter: the bean object itself, which is passed into the access helper.

You must ensure that when you create new beans, you implement these methods directly in the bean class. Additionally, you must not modify any of those methods in the access helper classes of the HCL Commerce public entity beans.