The <AccessControlProvider> element configures a custom access control plugin that can be attached to content using the RequestMapper component.
- Plugin type name.
type="XML" is an example plugin that implements a simple access control language using XML. It supports combining rules with boolean operators.
The plugin is implemented as a reloadable resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly. The root of the XML instance MUST be an
Inherits attributes supported by reloadable resources.
- Root element of access control policy, can be supplied inline as a child element, or as the root of a reloadable resource in an external file.
Chaining AccessControl (Version 2.2 and Above)
type="Chaining" allows different types of plugins to run in combination.
- Must be set to one of "AND" or "OR", this controls the evaluation of the child plugins in the expected fashion. If set to "AND", the first plugin to return a non-true result ends the evaluation. If set to "OR", the first plugin to return a true result ends the evaluation.
<AccessControlProvider> (one or more)
- The plugins to chain together.
Time AccessControl (Version 2.5 and Above)
type="Time" supports time-based access control policies.
Simple booleans are supported natively but complex logic will usually require combining this with the Chaining plugin.
operator (string) (defaults to "AND")
- Must be set to one of "AND" or "OR", this controls the evaluation of the various rules embedded in the element. If set to "AND", the first rule to return a non-true result ends the evaluation. If set to "OR", the first rule to return a true result ends the evaluation.
<TimeSinceAuthn> (zero or more) (ISO 8601 duration, e.g., "PT1H" = 1 hour)
- The content of this element is a duration value, and the rule evaluates to "true" iff the time between now and the time of authentication for a session does not exceed the duration.
For the remainder of the rules supported, one of a set of relational operators must be supplied, followed by a value to test, separated by whitespace. The operators supported are
GT, representing "less than", "less than or equal", etc.
<Time> (zero or more) (operator followed by ISO 8601 time string)
- Performs an absolute comparison between the present time and the time specified in the rule using the supplied operator. For example, "LE 2012-05-24T10:00:00Z" means "less than or equal to May 24, 2012 at 10:00AM UTC time". Time values can be specified in local or UTC time in standard ISO 8601 fashion.
<DayOfWeek> (zero or more) (operator followed by numeric value)
- Performs a comparison between a particular portion of the current time and the value specified in the rule using the supplied operator. Months are numbered from 1-12, hours from 0-23, and days of the week from 0-6 (Sunday being 0).
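An added example, not part of the original documentation or of the software it describes: a small Python model of the Chaining and Time evaluation rules above, useful for checking what a policy decides at chosen times before deploying it. The policy is constructed, and `allowed`, `evaluate`, `rule` and `duration` are hypothetical helper names. Assumptions: the relational operators are LT, LE, EQ, GE and GT, only the PTnHnMnS duration form is parsed, `now` and `authn` are timezone-aware, and the day of week is read from `now` as passed in.

```python
import operator as op
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

OPS = {"LT": op.lt, "LE": op.le, "EQ": op.eq, "GE": op.ge, "GT": op.gt}

# Constructed policy: weekdays pass; otherwise the login must be <= 15 min old.
POLICY = """<AccessControlProvider type="Chaining" operator="OR">
  <AccessControlProvider type="Time" operator="AND">
    <DayOfWeek>GT 0</DayOfWeek>
    <DayOfWeek>LE 5</DayOfWeek>
  </AccessControlProvider>
  <AccessControlProvider type="Time">
    <TimeSinceAuthn>PT15M</TimeSinceAuthn>
  </AccessControlProvider>
</AccessControlProvider>"""

def duration(text):
    """Parse the PTnHnMnS subset of ISO 8601 durations (assumed sufficient)."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(hours=h, minutes=mi, seconds=s)

def rule(el, now, authn):
    """Evaluate one rule element of a Time plugin to True or False."""
    if el.tag == "TimeSinceAuthn":
        return now - authn <= duration(el.text)  # age must not exceed it
    name, value = el.text.split()  # "<operator> <value>"
    if el.tag == "Time":
        limit = datetime.fromisoformat(value.replace("Z", "+00:00"))
        return OPS[name](now, limit.astimezone(timezone.utc))  # naive = local
    if el.tag == "DayOfWeek":
        return OPS[name](now.isoweekday() % 7, int(value))  # Sunday is 0
    raise ValueError(f"rule not modelled: {el.tag}")

def evaluate(el, now, authn):
    """AND stops at the first non-true child, OR at the first true one."""
    kind, mode = el.get("type"), el.get("operator", "AND")  # Time default
    if kind not in ("Chaining", "Time") or mode not in ("AND", "OR"):
        raise ValueError(f"not modelled: type={kind!r} operator={mode!r}")
    check = evaluate if kind == "Chaining" else rule
    results = (check(child, now, authn) for child in el)  # lazy: short-circuits
    return all(results) if mode == "AND" else any(results)

def allowed(now, authn, policy=POLICY):
    return evaluate(ET.fromstring(policy), now, authn)
```

The weekday range needs two `<DayOfWeek>` rules under "AND", while the fallback to a recent login needs "OR", which is why the two Time plugins are wrapped in a Chaining plugin.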