Defining IDs and Policies

File Format for Functions and Identities

The file format contains the following parts:

• header – the first comment lines, starting with #<STATEMENT>
• comments – any other comment line, following the header and starting with #
• body – any line, that doesn't start with #

The following statements are supported:

• ID – the ID of the element. The ID is optional, if you don't specify it, the name of the file will be used as ID
• TYPE – the function or identity type. This is mandatory statement.
• NAME – user-friendly name of the element. If the value starts with '%' symbol, the value is localized and the string following the '%' is the localization key.
• DESCRIPTION – user-friendly description of the element. Just like the NAME this statement can be localized.
• MEMBERS – used only for identity groups. It contains comma-separated list of IDs of other groups or users, having the same TYPE of the current one.
• PERMS – list of permissions, specified using the Conditional Permission Info Class defined by the OSGi Core specification. There can be multiple entries, separated either with or without comas.
• CONDS – list of permissions, specified using the Conditional Permission Info Class defined by the OSGi Core specification. There can be multiple entries, separated either with or without comas. This statement is used only when defining Conditional Type IDs.

  #ID: powerusers
  #NAME: %powerusers.name
  #DESCR: %powerusers.descr
  #TYPE: useradmin
  #MEMBERS: john
  group_key=value1
  overridable=value2

File Format for Defining Policies

The policy is defined in a plain properties file.

The key format is: <identityId@identityType>

The value format is: [!][+][*]<functionId@functionType>

Here is the meaning of the special symbols in the value:

• ! is used to negate the function. E.g it maps to PolicyElement.accessDecision(). The default value is not to negate.
• + defines that the policy is mutable. It maps to PolicyElement.isMutable() method. The default value is mutable = false.
• * defines that the policy is member mutable. It maps to PolicyElement.isMemberMutable() method. The default value is memberMutable = false.

Example:

ivan@useradmin=!Network@perms
john@useradmin=+*Network@perms

File Locations

• OSGI-INF/policy/functions/ – this folder contains security functions encoded in their file format. Every file in that directory defines exactly 1 function.
• OSGI-INF/policy/groups/ – this folder contains identity groups encoded in their file format. Every file in that directory defines exactly 1 group identity.
• OSGI-INF/policy/ID's – this folder contains identity encoded in their file format. Every file in that directory defines exactly 1 identity.
• OSGI-INF/policy/policy.properties – defines the policy, e.g. the linkage between identity(identity group) and a function.

Order of Processing

The policy providers are processed according to their start order, the one that starts first, will be processed first. In the scope of a single policy provider the following operations are performed in sequence:

• the functions, groups and identities are loaded and created in policy admin
• associated users with groups (setting group members)
• creating the policy elements