The following permissions are defined for the Nemo release:
| Symbolic Name | Description |
|---|---|
| org.ziptie.configs.view | Permission to view device configurations. |
| org.ziptie.credentials.administer | Permission to administer credentials and protocols. |
| org.ziptie.devices.administer | Permission to create/update/delete device information in the inventory. |
| org.ziptie.devices.tag | Permission to tag/untag devices in the inventory. |
| org.ziptie.filters.administer | Permission to administer scheduler filters. |
| org.ziptie.job.backup.cudPermission | Permission to create/update/delete a backup job. |
| org.ziptie.job.backup.runPermission | Permission to execute a backup job. |
| org.ziptie.job.discovery.cudPermission | Permission to schedule device discovery. |
| org.ziptie.job.discovery.runPermission | Permission to execute device discovery. |
| org.ziptie.job.plugin.cudPermission | Permission to schedule a report or tool. |
| org.ziptie.job.plugin.runPermission | Permission to run a report or tool. |
| org.ziptie.job.restore.cudPermission | Permission to schedule a restore job. |
| org.ziptie.job.restore.runPermission | Permission to run a restore job. |
| org.ziptie.launchers.administer | Permission to create/update/delete URL launchers |
| org.ziptie.networks.administer | Permission to create/update/delete managed networks (unused). |
| org.ziptie.plugin.operation.write | Permission to execute a tool which changes a device configuration. |
| org.ziptie.security.administer | Permission to administer ZipTie security settings. |
| org.ziptie.tags.administer | Permission to create/update/delete inventory tags. |
Follow these steps to enable security on a ZipTie SOAP Provider. New permissions can be added to the system via the SecurityPermissions Extension.
In the bundle MANIFEST.MF add a dependency on org.ziptie.zap.security and org.ziptie.server.security.
The Provider Delegate getProvider() method should wrap the Provider in a Security Proxy. Here is an example using a hypothetical IYourProvider interface and YourProviderDelegate.
public class YourProviderDelegate implements IYourProvider { // delegate methods that call getProvider() ... private IYourProvider getProvider() { IYourProvider provider = YourProviderActivator.getYourProvider(); if (provider == null) { throw new RuntimeException(Messages.YourProviderDelegate_yourProviderUnavailable); } return (IYourProvider) SecurityHandler.newProxy(provider); } }
New permissions are added to the system via the SecurityPermissions extension point defined by the org.ziptie.zap.security bundle. This section documents how to add new permissions using this extension point.
The SecurityPermissions extension point contains a sequence of 1 or more permissions. Each permission contains two attributes:
id - The internal identifier of the permission. Should be descriptive and follow a Java package name-like convention. For example, org.ziptie.job.backup.create or org.ziptie.credentials.administer.
display - The descriptive display string shown to the user who is creating new roles containing this permission. The current convention (in English) is to start the display description with the words “Permission to”. For example, “Permission to administer credentials”. As you will see next, this display string should be externalized to enable i18n translation into other languages.
The extension point should be defined in your bundle's plugin.xml. Here is an example.
<extension point="org.ziptie.zap.security.SecurityPermissions">
<permission
display="%org.ziptie.launchers.administer"
id="org.ziptie.launchers.administer">
</permission>
</extension>
In order to enable translation of display strings into other languages these steps (and conventions) should be followed:
plugin.properties file in the root of the bundle. In this file are properties that map the display string (%org.ziptie.credentials.administer) to the real description (for example, “Permission to administer credentials.”). Like so: org.ziptie.credentials.administer=Permission to administer credentials.MANIFEST.MF file: Bundle-Localization: pluginplugin.properties to the distribution on the Build tab of the plugin.xml editor.Finally, add invocation security annotations to your Provider interface methods using the ZInvocationSecurity annotation. The ZInvocationSecurity annotation contains a single property defining the permission required to invoke the provider method. These permissions should match the permission id(s) that you defined in the SecurityPermissions extension point.
Again, using our hypothetical IYourProvider interface the annotations might look like this:
public interface IYourProvider { @ZInvocationSecurity(perm = "org.ziptie.provider.your.dance") void dance(int wildnessLevel); @ZInvocationSecurity(perm = "org.ziptie.provider.your.sing") void sing(boolean loudly); }
The build.xml file in your Provider needs to contain an additional classpath entry to allow WSDL generation to occur without error. Add the following to your invocation of BuildCG.xml:
<property name="genwsdl.additional.classpath" value="../org.ziptie.zap.security/bin" />