The Secure Photo Album

This example uses the Barracuda authentication and authorization classes, a user database, and a security realm to protect a photo album. The security realm implements the SecurityRealmIntf interface and maps principals to roles.

A principal identifies an entity that can perform actions in the system. In many applications, a principal is a user, but it can also represent a process, service, company, or another application-defined identity.

Roles group permissions. A principal can belong to one or more roles, and the role membership determines which operations are allowed. This is similar to users and groups in a UNIX system.

This example creates four users and a security realm that restricts what each user can do. The following roles are configured:

rolesprincipals
guestguest, mom, dad, kids
familymom, dad, kids
daddad
mommom

The security realm grants read and write access as follows:

DirectoryRoles: read accessRoles: write access
+---album                 
    +---family            
        +---dad           
        +---mom           
        +---kids          
guest
family
mom, dad
mom, dad
mom, dad, family
mom, dad
mom, dad
dad
mom
family

The HTTP GET method is used for reading the photo album. HTTP POST simulates an upload or modification. POST access is intentionally more restricted than GET access.

Directory constraints apply to subdirectories unless a deeper rule overrides them. For example, album/noSuchDir inherits the access rights configured for album.