Securing The Functions In Pages


The security component is not only about login, logout or page protection: it also lets us implement sophisticated, yet easily manageable, check points inside the application pages.

We already know that we can control access to the pages by defining check points in the "Access Control" properties of the pages. But that is not sufficient when we want users to see the page while not all of the functions provided on the page are available to everyone.

Example:

We have a page that lists the existing orders in the database. We want the users who have the CAN_SEE_ORDERS checkpoint to be able to see the page. One of the functions provided on the page is deleting the selected orders. We do not want every user who can see the page to be able to do that, so we protect this function with the CAN_DELETE_ORDERS checkpoint.

Protecting the "Orders" Page

So we want only the users that have the CAN_SEE_ORDERS check point to see the "Orders" page. All we have to do is specify it in the "Access Control" property of the page "Orders".

The "Access Control" property accepts additional parameters other than the check point name.

Example:

CAN_SEE_ORDERS,LoginPage,ErrorPage


The first parameter is the name of the check point. A user can access this page only if he is logged on to the security system and has the authority to pass through the CAN_SEE_ORDERS checkpoint.

If the user is not yet logged in when he tries to see the page, MoreMotion redirects him to the page named "LoginPage".

If the user is logged in but does not have authority for CAN_SEE_ORDERS, he is shown the page named "ErrorPage".

Protecting the "Delete Orders" Function in "Orders" Page

Assume that the "Delete Orders" function is triggered by a Button on the page. To let only the users that have the CAN_DELETE_ORDERS authority use this function, we can make the button either invisible or disabled for the users that do not have this authority.

"mor_security_userinfo_??" component data source

After a user logs in to the system, the security component prepares a data source called "mor_security_userinfo_??", where the "??" characters are replaced with the security domain name.

This data source contains all the information about the current user.

Example:

  <mor_security_userinfo_main>
    <username>john</username>
    <fullname>John Doe</fullname>
    <email>john@hiscompany.com</email>
    <loggedin>true</loggedin>
    <checkpoints>
      <CAN_SEE_ORDERS>true</CAN_SEE_ORDERS>
      <CAN_DELETE_ORDERS>true</CAN_DELETE_ORDERS>
    </checkpoints>
  </mor_security_userinfo_main>

The data source name ends with the security domain name. The data source above is named "mor_security_userinfo_main" because the security domain name is "main".


By referring to the XML nodes under the checkpoints node, we can dynamically make any element on the page invisible or disabled.

Making a Button Invisible

Define the following in the "Display If" property of a Button:

boolean(/mor_security_userinfo_main.checkpoints.CAN_DELETE_ORDERS)


Making a Button Disabled

Define the following in the "Disabled" property of a Button:

$vof(not(boolean(/mor_security_userinfo_main.checkpoints.CAN_DELETE_ORDERS)))
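The following Python is an added example, not part of the MoreMotion product or this page: it parses a constructed "mor_security_userinfo_main" document like the one above and reproduces the decisions the "Access Control" parameters and the two button expressions make. It assumes that a checkpoint passes only when its node exists and contains "true"; an absent node fails.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the data source described on the page (security domain "main").
# CAN_DELETE_ORDERS is deliberately absent so that the gating is visible.
USERINFO_XML = """
<mor_security_userinfo_main>
  <username>john</username>
  <fullname>John Doe</fullname>
  <email>john@hiscompany.com</email>
  <loggedin>true</loggedin>
  <checkpoints>
    <CAN_SEE_ORDERS>true</CAN_SEE_ORDERS>
  </checkpoints>
</mor_security_userinfo_main>
"""

def parse_userinfo(xml_text):
    """Return (domain, logged_in, {checkpoint: bool}) from a mor_security_userinfo_?? document."""
    root = ET.fromstring(xml_text)
    prefix = "mor_security_userinfo_"
    if not root.tag.startswith(prefix):
        raise ValueError("not a security userinfo data source: " + root.tag)
    domain = root.tag[len(prefix):]            # "main" for the sample above
    logged_in = root.findtext("loggedin", "false").strip().lower() == "true"
    checkpoints = {}
    cp_node = root.find("checkpoints")
    if cp_node is not None:
        for child in cp_node:
            checkpoints[child.tag] = (child.text or "").strip().lower() == "true"
    return domain, logged_in, checkpoints

def has_checkpoint(checkpoints, name):
    """Equivalent of boolean(/mor_security_userinfo_main.checkpoints.NAME) under the
    stated assumption: missing or non-'true' node means the checkpoint is not passed."""
    return checkpoints.get(name, False)

def page_access(access_control, userinfo):
    """Apply an Access Control value "CHECKPOINT,LoginPage,ErrorPage".
    Returns "ALLOW", the login page name, or the error page name."""
    checkpoint, login_page, error_page = [p.strip() for p in access_control.split(",")][:3]
    _, logged_in, checkpoints = userinfo
    if not logged_in:
        return login_page                      # not logged in yet: redirect to LoginPage
    if not has_checkpoint(checkpoints, checkpoint):
        return error_page                      # logged in, but no authority: ErrorPage
    return "ALLOW"

def delete_button_state(userinfo):
    """Mirror the page's "Display If" and "Disabled" expressions for the Delete button.
    The same has_checkpoint() test should also guard the server-side delete action,
    since hiding or disabling the button only changes what the page shows."""
    allowed = has_checkpoint(userinfo[2], "CAN_DELETE_ORDERS")
    return {"display_if": allowed, "disabled": not allowed}
```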