Implementing authorization
When you implement authorization, you must first decide whether to use the default authorization implementation provided by the application or to customize it.
IBM® recommends that permissions for users be cached.
Customizing authorization
The custom authorization mechanism for the application consists of two classes: AuthorizationProvider, which implements the ISCUIAuthorizationProvider interface, and ResourcePermission, which implements the ISCUIResourcePermission interface. The AuthorizationProvider class returns a ResourcePermission after it performs the authorization. AuthorizationProvider is plugged in using the scui-authorization-provider context parameter in web.xml, as shown in the following example:
<context-param>
    <param-name>scui-authorization-provider</param-name>
    <param-value>com.app.MyAppAuthorizationProvider</param-value>
</context-param>
You can generate resource permission code using the resource permission template of the Code Template Generator.
The following example shows a custom AuthorizationProvider, the com.app.MyAppAuthorizationProvider class named in the web.xml example:
public class MyAppAuthorizationProvider implements ISCUIAuthorizationProvider
{
    ....
    public boolean hasPermission(SCUIContext uiContext, String resourceId)
    {
        // look up the permission for this resource
        ISCUIResourcePermission permission = getPermission(uiContext, resourceId);
        ....
    }
    public ISCUIResourcePermission getPermission(SCUIContext uiContext,
            String resourceId)
    {
        // authorize the user from the SCUISecurityContext
        ...
    }
    public void init()
    {
        // initialize the authorization mechanism.
        ...
    }
    public void sessionDestroyed(HttpSessionEvent sessionEvent)
    {
        // close the connection and release it back into the pool
        ...
    }
}
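The recommendation to cache user permissions can be met with a small per-session cache that hasPermission consults and sessionDestroyed clears. The following is an added example, not IBM or application code: the PermissionCache class, its methods, and the sample user and resource names are hypothetical, and it assumes one user per session and a caller-supplied lookup function.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;

// Added example: per-session permission cache a custom provider could delegate to.
// PermissionCache and its method names are hypothetical, not part of the SCUI API.
public class PermissionCache {
    // sessionId -> (resourceId -> decision)
    private final Map<String, Map<String, Boolean>> bySession = new ConcurrentHashMap<>();
    // Backing check (for example a database or directory lookup), supplied by the caller.
    private final BiFunction<String, String, Boolean> lookup;

    public PermissionCache(BiFunction<String, String, Boolean> lookup) {
        this.lookup = lookup;
    }

    // Call from hasPermission(): returns the cached decision, or looks it up once.
    public boolean isAllowed(String sessionId, String userId, String resourceId) {
        if (sessionId == null || userId == null || resourceId == null) {
            return false; // deny by default on incomplete input
        }
        Map<String, Boolean> perms =
            bySession.computeIfAbsent(sessionId, k -> new ConcurrentHashMap<>());
        Boolean cached = perms.get(resourceId);
        if (cached != null) return cached;
        boolean allowed;
        try {
            allowed = Boolean.TRUE.equals(lookup.apply(userId, resourceId));
        } catch (RuntimeException e) {
            return false; // fail closed, and do not cache a failed lookup
        }
        perms.put(resourceId, allowed);
        return allowed;
    }

    // Call from sessionDestroyed(): drop the session's cached decisions.
    public void evict(String sessionId) {
        if (sessionId != null) bySession.remove(sessionId);
    }

    public static void main(String[] args) {
        // Constructed sample data: user "alice" may open "orders.view" only.
        PermissionCache cache = new PermissionCache(
            (user, res) -> "alice".equals(user) && "orders.view".equals(res));
        System.out.println(cache.isAllowed("s1", "alice", "orders.view"));
        System.out.println(cache.isAllowed("s1", "alice", "admin.console"));
        cache.evict("s1");
    }
}
```

Cached decisions last until the session ends, so a permission revoked mid-session takes effect only after eviction unless the provider also clears the entry when roles change.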