The <AccessControlProvider> element configures a custom access control plugin that can be attached to content using the RequestMapper component.

Common Attributes

• type (string)
  • Plugin type name.

XML AccessControl

Identified by type="XML", this is an example plugin that implements a simple access control language using XML. It supports combining rules with boolean operators.

The plugin is implemented as a reloadable resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly. The root of the XML instance MUST be an <AccessControl> element.

Attributes

Inherits attributes supported by reloadable resources.

Child Elements

• <AccessControl>
  • Root element of access control policy, can be supplied inline as a child element, or as the root of a reloadable resource in an external file.

Chaining AccessControl (Version 2.2 and Above)

Identified by type="Chaining", allows different types of plugins to run in combination.

Attributes

• operator (string) (required)
  • Must be set to one of "AND" or "OR", this controls the evaluation of the child plugins in the expected fashion. If set to "AND", the first plugin to return a non-true result ends the evaluation. If set to "OR", the first plugin to return a true result ends the evaluation.

Child Elements

• <AccessControlProvider> (one or more)
  • The plugins to chain together.

Time AccessControl (Version 2.5 and Above)

Identified by type="Time", supports time-based access control policies.

Simple booleans are supported natively but complex logic will usually require combining this with the Chaining plugin.

<AccessControlProvider type="Chaining" operator="AND">

    <AccessControlProvider type="Chaining" operator="OR">
        <AccessControlProvider type="Time">
            <Hour>GT 6</Hour>
        </AccessControlProvider>
        <AccessControlProvider type="Time">
            <Hour>EQ 6</Hour>
            <Minute>GE 30</Minute>
        </AccessControlProvider>
    </AccessControlProvider>

    <AccessControlProvider type="Time">
        <Hour>LE 17</Hour>
    </AccessControlProvider>

</AccessControlProvider>

Attributes

• operator (string) (defaults to "AND")
  • Must be set to one of "AND" or "OR", this controls the evaluation of the various rules embedded in the element. If set to "AND", the first rule to return a non-true result ends the evaluation. If set to "OR", the first rule to return a true result ends the evaluation.

Child Elements

• <TimeSinceAuthn> (zero or more) (ISO 8601 duration, e.g., "PT1H" = 1 hour)
  • The content of this element is an duration value, and the rule evaluates to "true" iff the time between now and the time of authentication for a session does not exceed the duration.

For the remainder of the rules supported, one of a set of relational operators must be supplied, followed by a value to test, separated by whitespace. The operators supported are LT, LE, EQ, GE, and GT, representing "less than", "less than or equal", etc.

• <Time> (zero or more) (operator followed by ISO 8601 time string)
  • Performs an absolute comparison between the present time and the time specified in the rule using the supplied operator. For example, "LE 2012-05-24T10:00:00Z" means "less than or equal to May 24, 2012 at 10:00AM UTC time". Time values can be specified in local or UTC time in standard ISO 8601 fashion.

• <Year>, <Month>, <Day>, <Hour>, <Minute>, <Second>, <DayOfWeek> (zero or more) (operator followed by numeric value)
  • Performs a comparison between a particular portion of the current time and the value specified in the rule using the supplied operator. Months are numbered from 1-12, hours from 0-23, and days of the week from 0-6 (Sunday being 0).