Controlling access to workbench contributions and SWT controls is important in RCP applications. Developers must hide workbench contributions and user controls based on the user's role. However, Eclipse provides relatively little support for the security features developers often need. This security framework example controls the functions presented to the user.
Eclipse provides the org.eclipse.ui.activities extension point as a mechanism to control group-related UI functions. An Activity is a logical set of identifiers. Identifiers represent functionality and could represent, for example, a view or editor preference page, among other things. An activity is enabled when its functionality is available to the user. Conversely, an activity is hidden when an identifier is disabled. An activity can require one or more other activities, which means that enabling one activity enables all the activities it depends on. An activity can also be grouped into one or more categories for presentation to the user.
Five functionalities can be filtered in Eclipse:
This article addresses the problem of application-level security by breaking access into two manageable units: Workbench- and Control-level access.
Workbench-level access covers access to workbench contributions, such as editors, views, and perspectives. Control-level access covers access to SWT controls, such as labels, buttons, combos, and others.
Some users play multiple roles in a typical organization, so a good security architecture must recognize users who hold several roles simultaneously. Applications require a robust security model to handle likely scenarios. By using the following security model, you will have the right tools in your belt to create a safe application with security in place that isn't cumbersome for users.
The reimbursement application is a sample application that illustrates how to map client-side activities to server-side roles. Before diving into the implementation details, let's look at the application architecture and its functionality. The reimbursement application is a corporate application to track employee expenses. The users of this application are employees, managers, and administrators.
- Employees use the application to record business expenses they may have incurred and to request reimbursement. The application notifies the employee's manager when a request is submitted, and the manager reviews the request and approves or disallows it. An employee uses the application to create and submit expense requests. An employee may also use the application to view and delete previously submitted expense requests. All these activities are based on the roles of the user who logged in.
- Managers are notified when an employee in the group submits an expense request. A manager can then approve or disapprove the expense request.
- Administrators can view the entire report and restore records deleted accidentally.
Managers and administrators have two roles. They are employees who generate expense reports, and they oversee the expense reports created by other employees.
The following use-case diagram illustrates what functions each type of user performs based on roles:
Figure 1. The use-case view
The login screen is the starting screen for the application. It prompts the user for an identifier and password. Authentication establishes the user's role, and the user then works with activities based on that role (employee/manager/administrator), such as viewing or creating expenses.
An employee has three activities:
- Create expenses
- View the expenses
- Delete expenses
Figure 2. Employee view
A manager has approval privileges, plus the normal employee privileges.
Figure 3. Manager view
Administrators have the same access as employees, plus admin access privileges (similar to the UNIX® superuser).
Figure 4. Admin view
- Create a com.examples.reimbursement.demo plug-in project with RCP support
- Create a roles.exsd
Figure 5. Role schema definition
- Add the activities to the "org.eclipse.ui.activities" extension point.
Listing 1. Adding the activities in plug-in
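An example of adding activities to the "org.eclipse.ui.activities" extension point:

```xml
<extension point="org.eclipse.ui.activities">
   <!-- Declares the activity that groups the employee "view" functions -->
   <activity
         id="com.examples.reimbursement.viewActivity"
         name="ViewActivity"/>
   <!-- Binds every contribution whose identifier matches the pattern to the activity -->
   <activityPatternBinding
         activityId="com.examples.reimbursement.viewActivity"
         pattern=".*/emp\..*"/>
</extension>
```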
- Map the activities to roles in the com.examples.authorization.demo.roles extension point.
Listing 2. Mapping the roles to activities in plug-in
```xml
<!-- The employee role enables the view and create activities -->
<role
      id="com.examples.reimbursement.demo.employee"
      label="com.examples.reimbursement.demo.employee"
      roleId="empRole">
   <enabledActivity id="com.examples.reimbursement.viewActivity"/>
   <enabledActivity id="com.examples.reimbursement.createActivity"/>
</role>
```
- Read the role extension point with help of
Listing 3. Read the roles from the plug-in
- Run the product by launching an Eclipse application.
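One way to turn the role-to-activity mapping above into enabled activities at login, covering users who hold several roles. This is an added example, not the article's Listing 3; the class name `RoleActivityMapper`, its package, and the idea that the role ids arrive from the server after authentication are assumptions, while the element and attribute names come from Listing 2.

```java
package com.examples.reimbursement.demo; // assumed package name

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.eclipse.core.runtime.IConfigurationElement;
import org.eclipse.core.runtime.Platform;
import org.eclipse.ui.PlatformUI;
import org.eclipse.ui.activities.IWorkbenchActivitySupport;

/** Hypothetical helper: enables only the activities granted to the user's roles. */
public final class RoleActivityMapper {

    // Extension point id as named in the mapping step of the article.
    private static final String ROLES_EXTENSION_POINT = "com.examples.authorization.demo.roles";

    private RoleActivityMapper() {
    }

    /** Returns the union of the activity ids bound to any of the given roleId values. */
    static Set<String> activitiesFor(Collection<String> userRoleIds) {
        Set<String> enabled = new HashSet<String>();
        IConfigurationElement[] roles = Platform.getExtensionRegistry()
                .getConfigurationElementsFor(ROLES_EXTENSION_POINT);
        for (IConfigurationElement role : roles) {
            String roleId = role.getAttribute("roleId");
            // Fail closed: a role the user does not hold contributes nothing.
            if (roleId == null || !userRoleIds.contains(roleId)) {
                continue;
            }
            for (IConfigurationElement activity : role.getChildren("enabledActivity")) {
                String id = activity.getAttribute("id");
                if (id != null) {
                    enabled.add(id);
                }
            }
        }
        return enabled;
    }

    /** Call on the UI thread after login, with the roles established for the user. */
    public static void apply(Collection<String> userRoleIds) {
        IWorkbenchActivitySupport support = PlatformUI.getWorkbench().getActivitySupport();
        // Replaces the whole enabled set, so a previous user's activities are dropped.
        support.setEnabledActivityIds(activitiesFor(userRoleIds));
    }
}
```

Activity filtering only hides contributions in the client, so the server still has to authorize each request against the same roles. Contributions whose identifier matches no `activityPatternBinding` are never filtered.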
In this article, you have developed a security model that is flexible enough to add value to your application. You can also plug this security model into any existing application. Widget-level security, although a useful feature in most applications, is often neglected because of the effort involved in implementing it and the risk it poses to application performance.