This example uses the Barracuda authentication and authorization classes, a user database, and a security realm to protect a photo album. The security realm implements the SecurityRealmIntf interface and maps principals to roles.
A principal identifies an entity that can perform actions in the system. In many applications, a principal is a user, but it can also represent a process, service, company, or another application-defined identity.
Roles group permissions. A principal can belong to one or more roles, and the role membership determines which operations are allowed. This is similar to users and groups in a UNIX system.
This example creates four users and a security realm that restricts what each user can do. The following roles are configured:
| roles | principals |
|---|---|
| guest | guest, mom, dad, kids |
| family | mom, dad, kids |
| dad | dad |
| mom | mom |
The security realm grants read and write access as follows:
| Directory | Roles: read access | Roles: write access |
|---|---|---|
+---album
+---family
+---dad
+---mom
+---kids
|
guest family mom, dad mom, dad mom, dad, family |
mom, dad mom, dad dad mom family |
The HTTP GET method is used for reading the photo album. HTTP POST simulates an upload or modification. POST access is intentionally more restricted than GET access.
Directory constraints apply to subdirectories unless a deeper rule overrides them. For example, album/noSuchDir inherits the access rights configured for album.