Sample XML Rules
IMPORTANT: Remember to whitelist your main events (the implicit event), login and logout events if you will be securing the entire application; otherwise users can be redirected to a login event that is itself secured.
First Rule Analysis
As you can see from the sample, the first rule has the following elements:
Its match type is event, so the rule is compared against the name of the incoming event.
This means that the following events are not verified for security: user.login, user.logout and any event that starts with main are let through even when they also match a securelist pattern.
This means that any event that starts with the word user will be secured, and anything that starts with the word admin will also be secured, unless the incoming event matches a pattern in the whitelist element.
This means that only a user with the admin role will be allowed to visit the securelist events.
This probably means that I am doing my own security validation: besides the user having the admin role, he/she must also have the read and write permissions. My own validator will validate this logic.
Then, if validation fails, the redirect element is used to relocate via setNextEvent().
Second Rule Analysis
The second rule has the following elements:
Its match type is event, so the rule is compared against the name of the incoming event.
No whitelisted events are defined.
This means that any event that starts with the word moderator will be secured and validated against the user's credentials.
This means that users with the admin or moderator role can execute events that are in the securelist.
This probably means that I am doing my own security validation: besides the user having the admin or moderator role, he/she must also have the read permission. My own validator will validate this logic.
Then, if validation fails, the redirect element is used to relocate via setNextEvent().
Third Rule Analysis
The third rule has the following elements:
Its match type is url, so the rule is compared against the incoming URL pattern after the domain name and application location.
No whitelisted events are defined.
It will secure any incoming URI that starts with /secured.
This means that users with the admin or paid_subscriber role can visit URLs with /secured in them.
No permissions are defined, so the role check alone decides access.
Then, if validation fails, the redirect element is used to relocate via setNextEvent().
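To make the three analyses above concrete, here is an added example (not ColdBox's own interceptor code) that parses a rule set of the shape the analyses describe and evaluates incoming events and URIs against it in rule order: whitelist first, then securelist, then roles, then permissions, with a redirect target when validation fails. The element names (rule, match, whitelist, securelist, roles, permissions, redirect), the treatment of list patterns as case-insensitive regular expressions tested at the start of the event name or URI, the rule that a user must hold all listed permissions, and the user.login redirect target are all assumptions; the rule contents follow the prose.

```python
"""Added example: evaluate ColdBox-style XML security rules as the analyses
above describe.  Element names, regex semantics and the redirect target
are assumptions, not taken from the original page."""
import re
import xml.etree.ElementTree as ET

# Constructed sample reconstructing the three rules discussed in the text.
SAMPLE_RULES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rules>
  <rule>
    <match>event</match>
    <whitelist>user.login,user.logout,main.*</whitelist>
    <securelist>user.*,admin.*</securelist>
    <roles>admin</roles>
    <permissions>read,write</permissions>
    <redirect>user.login</redirect>
  </rule>
  <rule>
    <match>event</match>
    <whitelist></whitelist>
    <securelist>moderator.*</securelist>
    <roles>admin,moderator</roles>
    <permissions>read</permissions>
    <redirect>user.login</redirect>
  </rule>
  <rule>
    <match>url</match>
    <whitelist></whitelist>
    <securelist>/secured.*</securelist>
    <roles>admin,paid_subscriber</roles>
    <permissions></permissions>
    <redirect>user.login</redirect>
  </rule>
</rules>
"""


def _split(text):
    """Comma-separated list element -> list of trimmed, non-empty entries."""
    return [p.strip() for p in (text or "").split(",") if p.strip()]


def _matches_any(patterns, value):
    """Assumption: patterns are case-insensitive regexes anchored at the start."""
    return any(re.match(p, value, re.IGNORECASE) for p in patterns)


def parse_rules(xml_text):
    """Parse <rules><rule>...</rule></rules> into a list of dicts (assumed element names)."""
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.findall("rule"):
        rules.append({
            "match": (node.findtext("match") or "event").strip().lower(),
            "whitelist": _split(node.findtext("whitelist")),
            "securelist": _split(node.findtext("securelist")),
            "roles": _split(node.findtext("roles")),
            "permissions": _split(node.findtext("permissions")),
            "redirect": (node.findtext("redirect") or "").strip(),
        })
    return rules


def evaluate(rules, event, uri, user_roles, user_permissions):
    """Return ("allow", None) or ("redirect", target).

    Rules are checked in order.  A whitelist hit skips the rule entirely; a
    securelist miss means the rule does not apply; otherwise the user needs
    one of the listed roles and (assumption) all of the listed permissions,
    which stands in for the page's custom validator step.
    """
    for rule in rules:
        subject = uri if rule["match"] == "url" else event
        if _matches_any(rule["whitelist"], subject):
            continue  # explicitly let through by this rule
        if not _matches_any(rule["securelist"], subject):
            continue  # this rule does not secure the request
        if rule["roles"] and not set(rule["roles"]) & set(user_roles):
            return ("redirect", rule["redirect"])
        if rule["permissions"] and not set(rule["permissions"]) <= set(user_permissions):
            return ("redirect", rule["redirect"])
        return ("allow", None)
    return ("allow", None)  # no rule secured the request


RULES = parse_rules(SAMPLE_RULES_XML)

if __name__ == "__main__":
    # Constructed requests: (event, uri, roles, permissions)
    for req in [("user.login", "/index.cfm", [], []),
                ("user.profile", "/index.cfm", ["admin"], ["read"]),
                ("moderator.queue", "/index.cfm", ["moderator"], ["read"]),
                ("report.view", "/secured/report", [], [])]:
        print(req[0], req[1], "->", evaluate(RULES, *req))
```

Note that the evaluator decides on the first rule whose securelist matches; a request that is whitelisted by rule one is still subject to rules two and three, which is why the IMPORTANT note above tells you to whitelist login and logout events in every rule that could otherwise catch them.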