In this example, we will utilize the Barracuda authentication and authorization resources along with a user database and a Security Realm to create a secure photo album. The Security Realm, implementing the SecurityRealmIntf interface class, will be configured to use principals and roles.
To effectively customize security, it's crucial to understand principals and roles. A principal essentially identifies an entity capable of interacting or performing tasks within a system. This entity can be a person, company, process, or virtually anything.
Roles group specific actions together, allowing us to assign particular principals to these roles, thereby granting them permissions to perform those actions. This concept is similar to the user and group concept in a UNIX system. Users typically represent individuals who may access the system, while groups denote the positions or categories users can hold. For instance, within a company system, there might be a user named Allen Smith, who belongs to the "human resources" group.
In this example, we will create a user database containing four users: guest, mom, dad, and kids. We will also design a Security Realm that restricts the actions principals can perform. The following roles will be established:
roles | principals |
---|---|
guest | guest, mom, dad, kids |
family | mom, dad, kids |
dad | dad |
mom | mom |
The Security Realm we design in this example will give the following access rights to the roles.
Directory | Roles: read access | Roles: write access |
---|---|---|
+---album +---family +---dad +---mom +---kids |
guest family mom, dad mom, dad mom, dad, family |
mom, dad mom, dad dad mom family |
The HTTP GET command is used for reading the photo album, while the HTTP POST command is employed for simulating uploads, such as when a user wishes to modify the photo album. As indicated in the diagram above, the HTTP POST command has more restricted access compared to the HTTP GET command.
The security constraints are designed so that constraints for a directory apply to any subdirectory unless overridden. For instance, the path 'album/noSuchDir' will have the same access rights as the 'album' path.