Topic
  • 2 replies
  • Latest Post - ‏2013-04-18T09:38:31Z by vzlomanov
vzlomanov
2 Posts

Pinned topic ICA 3.0 provide document access-level with Rest API and access control list

‏2013-04-03T10:37:21Z |

Prehistory:
We are trying to migrate from Omnifind 8.4 to ICA 3.0.
For Omnifind we have custom crawlers, which use SIAPI to add files to Omnifind.
For document access level we use ACL as follows:

Custom crawler code snippet:

    // contains user groups separated by comma, e.g.
    // group1,group2,group3
    String acl = getDocumentAcl();

    com.ibm.siapi.index.IndexFactory indexFactory = getIndexFactory();
    com.ibm.siapi.index.Document document = indexFactory.createDocument(...);
    ...
    document.setACL(new String[] { acl });

    // store document in Omnifind
    this.indexRef.addOrReplaceDocument(document, fieldMapping);

For the custom search application we use the ESSearchServer ofsearch web service (<OF_host>/ESSearchServer/services/ofsearchBinding/wsdl/ofsearch.wsdl):

Here is the code snippet:

    com.ibm.www.SearchRequest searchRequest = new SearchRequest();
    searchRequest.setQueryText(finalSearchString);
    ...
    // contains user groups separated by |, e.g.
    // group1 | group2
    String acl = getUserAcl();
    searchRequest.setAclConstraints(acl);

    com.ibm.www.SearchResponse searchResponse = ofSearchWS.search(searchRequest);


Now we are trying to migrate to the REST API provided by ICA.
For adding documents we are using the document API and its add method (/document?method=add), and for getting search results the search API (/search).
The document/add method has an acl parameter with a String[] value.
The search API has no acl parameter, but it has securityConstraint.

For document/add we provide the following value to acl:

    // array of groups, e.g.
    // {"group1", "group2", "group3"}
    String[] groups = getGroups();

For getting search results:

    securityConstraint = "group1 | group2";

also tried

    "@SecurityConstraint::'(group1 | group2)'"

and

    "@SecurityConstraint::'" + context.serialize(true) + "'";


where context is (according to documentation):

    SecurityContext context = new SecurityContext();
    context.setUserID("user_name");
    Identity[] identities = new Identity[1];
    identities[0] = new Identity();
    identities[0].setDomain("ica.domain.com");
    // don't know exactly how to use it
    identities[0].setType("RestAPI");
    // don't know exactly how to use it
    identities[0].setUsername("cn=user_name,ou=default organization");
    String[] groups = new String[5];
    groups[0] = "uid=wpsadmin,o=default organization";
    groups[1] = "all authenticated portal users";
    groups[2] = "wpsadmins";
    groups[3] = "group1";
    groups[4] = "group2";
    identities[0].setGroups(groups);
    identities[0].setProperties(new Properties());
    context.setIdentities(identities);



So we have no results with these ACLs.

The document-level security settings for the collection are as follows:

  • Pre-filtering enabled
  • Post-filtering disabled


So the question is:
How can we implement document access level with the REST API?
All we need is to provide the list of groups which have access to a document at crawling time and get results according to the user's groups.

 

Updated on 2013-04-18T09:42:03Z at 2013-04-18T09:42:03Z by vzlomanov
  • SystemAdmin
    197 Posts
    ACCEPTED ANSWER

    Re: ICA 3.0 provide document access-level with Rest API and access control list

    ‏2013-04-03T11:22:59Z  
    Your third approach using the SecurityContext object should return you the correct constraint, but you have to use

        context.setNativeTokens(groups)

    to set your custom ACL groups. AFAIK the context must contain at least one dummy identity, so just keep the one you already have created.
  • vzlomanov
    2 Posts

    Re: ICA 3.0 provide document access-level with Rest API and access control list

    ‏2013-04-18T09:38:31Z  
    Your third approach using the SecurityContext object should return you the correct constraint, but you have to use

        context.setNativeTokens(groups)

    to set your custom ACL groups. AFAIK the context must contain at least one dummy identity, so just keep the one you already have created.

    Thanks! That's exactly what I need.

    I set the securityConstraint parameter in the following way:

    @SecurityContext::'<security_xml>'

    where <security_xml> is:
    
    <!-- Base64-encoded userName -->
    <identities id="dXNlcl9uYW1l">
        <nativeTokens>
            <!-- Base64-encoded user's groups -->
            <nativeToken>Z3JvdXAz</nativeToken>
            <nativeToken>Z3JvdXA0</nativeToken>
        </nativeTokens>
    </identities>
    

    It's all working now.

    Updated on 2013-04-18T09:40:28Z at 2013-04-18T09:40:28Z by vzlomanov
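
An added example, not code from the thread or from the product: a small Java helper that assembles the securityConstraint value in the form the last post describes, Base64-encoding the user name and each group. The class and method names are hypothetical, and it assumes whitespace between the XML elements is not significant.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

public class SecurityConstraintExample {

    // Base64-encode a value as UTF-8, as the id and nativeToken values in the post are.
    // Standard Base64 output uses only A-Z, a-z, 0-9, '+', '/' and '=', so it needs
    // no XML escaping and cannot break out of the surrounding single quotes.
    static String b64(String value) {
        return Base64.getEncoder().encodeToString(value.getBytes(StandardCharsets.UTF_8));
    }

    // Build the <identities> fragment in the layout shown in the post.
    static String securityXml(String userName, List<String> groups) {
        StringBuilder xml = new StringBuilder();
        xml.append("<identities id=\"").append(b64(userName)).append("\">");
        xml.append("<nativeTokens>");
        for (String group : groups) {
            if (group == null || group.trim().isEmpty()) {
                throw new IllegalArgumentException("empty group name");
            }
            xml.append("<nativeToken>").append(b64(group)).append("</nativeToken>");
        }
        xml.append("</nativeTokens></identities>");
        return xml.toString();
    }

    // Wrap the fragment using the prefix quoted in the post.
    static String securityConstraint(String userName, List<String> groups) {
        return "@SecurityContext::'" + securityXml(userName, groups) + "'";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values. In an application, take the user name and groups
        // from the authenticated server-side session, never from request parameters:
        // the search request is filtered by whatever tokens the caller supplies.
        String constraint = securityConstraint("user_name", Arrays.asList("group3", "group4"));
        System.out.println(constraint);
        // URL-encode the value before sending it as the securityConstraint parameter.
        System.out.println("securityConstraint=" + URLEncoder.encode(constraint, "UTF-8"));
    }
}
```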