Soiree Security Manager – Refining the user validation

In this Lesson

In this lesson you will learn how the Soiree Security Manager can be used to provide a deeper level of validation for a user.

Concepts

In the previous lesson you created the OUTCAST user id, which had no authority to access the Party Pool solution. The following error was produced when the OUTCAST user attempted to sign on.



This error, while accurate, is a bit harsh. It would be nice to provide a softer message such as ‘You are not allowed to use the Party Pool’ so you don’t shock the user into thinking they just blew a hole through the side of your Party Pool.

If the Signon agent could obtain more information about the user attempting to sign on then it could provide a better user experience.

The com.seronix.pump.SoireeSecurityManager class provides methods which allow for a deeper inspection of user security. You will be using a couple of these methods in this lesson.

  • getGroupsForUser(Conversation conv, Integer tenantId, String userId)
    This method returns a list of the groups assigned to the user.
    Tip 1
    If you have a SoireeUser you can obtain the groups it has been granted. An agent can do this:

    getConversation().getConnection().getUser().getGroupList()

    Tip 2
    If you have a SoireeUser you can determine if it has been granted a specific group. An agent can do this:

    getConversation().getConnection().getUser().hasGroup("some.group.id")

  • getRightsForUser(Conversation conv, Integer tenantId, String userId)
    This method returns the rights granted to a user.
    Tip 3
    If you have a SoireeUser you can determine if it has been granted a specific right. An agent can do this:

    getConversation().getConnection().getUser().hasRight("some.right.id")

  • isUserProvisionedToSolution(DBConnectionProvider connectionProvider, String solutionId, SoireeUser user)
    This method determines if the specified user is authorized to a specific solution. This method returns true if the user is able to access at least one scene in the solution.
  • isSceneAuthorized(Conversation conv, String sceneId)
    This method determines if the connection’s user is allowed to access the specified scene.

Exercise 1 – Solution Access

In this exercise you will provide a softer error message if the user does not have access to the solution.

  1. Open the Signon agent



  2. Copy and paste the following code into your agent at the location shown below
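    // Show a softer message when the signed-on user cannot access any scene in this solution.
    // The trailing else pairs with the statement that already follows the paste location.
    if (!SoireeSecurityManager.isUserProvisionedToSolution(getDBConnectionProvider(), getConversation().getConnection().getSolutionId(), getConversation().getConnection().getUser()))
    	scheme.getUserIdNode().setMessage(error("You are not allowed to use the Party Pool"));
    else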
    



  3. Save the Signon agent
  4. Restart the server
  5. Attempt to sign into the PartyPool solution
    User Id = outcast
    Password = outcast

    A softer message is presented to the user



Exercise 2 – Home Scene Access

In this exercise you will provide an error message if the user does not have access to the solution’s home scene.

This is a bit more appropriate for this solution because the PartyPool solution is configured to show the home scene immediately after someone signs on. It resolves a flaw in the technique used in exercise 1: a user may have access to some scene in the solution but not to the home scene. If that were the case, they would blow a hole in the side of your pool when they sign on.

  1. Copy the following code and paste it into the agent – replacing the code from exercise 1
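    // Check the home scene itself, since it is the first scene shown after sign-on.
    // The trailing else pairs with the statement that already follows the paste location.
    SolutionRes solt = SolutionBroker.getSolution("com.example.party.solution.PartyPool");
    if (!SoireeSecurityManager.isSceneAuthorized(getConversation(), solt.getHomeScene()))
    	scheme.getUserIdNode().setMessage(error("You are not allowed to use the Party Pool"));
    else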
    

    The code should now look like this



  2. Restart the server
  3. Attempt to sign into the PartyPool solution
    User Id = outcast
    Password = outcast

    A softer message is presented to the user
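
The gap between the exercise 1 and exercise 2 checks, as an added example that is not part of the original lesson or the Soiree code base: a stand-alone Java model that does not call SoireeSecurityManager, in which every class, method, group and scene name is hypothetical. The constructed user `guest` can reach one scene, so the "at least one scene" check passes, yet is not authorized for the home scene.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration: a stand-alone model, NOT the Soiree API. All names are hypothetical.
public class HomeSceneCheckDemo {
    // Constructed data: the scenes of one solution and the group each scene requires.
    static final String HOME_SCENE = "scene.home";
    static final Map<String, String> SCENE_GROUP = Map.of(
            HOME_SCENE, "group.members",
            "scene.help", "group.guests");

    // Constructed data: the groups granted to each user.
    static final Map<String, Set<String>> USER_GROUPS = Map.of(
            "editor", Set.of("group.members", "group.guests"),
            "guest", Set.of("group.guests"),
            "outcast", Set.of());

    // Models the scene-level check: may this user open this scene?
    static boolean sceneAuthorized(String user, String scene) {
        String required = SCENE_GROUP.get(scene);
        return required != null
                && USER_GROUPS.getOrDefault(user, Set.of()).contains(required);
    }

    // Models the exercise 1 check: true if the user can open at least one scene.
    static boolean provisionedToSolution(String user) {
        return SCENE_GROUP.keySet().stream().anyMatch(s -> sceneAuthorized(user, s));
    }

    public static void main(String[] args) {
        for (String user : List.of("editor", "guest", "outcast")) {
            boolean solution = provisionedToSolution(user);
            boolean home = sceneAuthorized(user, HOME_SCENE);
            // Passing the coarse check while failing the home-scene check is the
            // case that exercise 1 lets through to the hard error.
            String note = (solution && !home) ? "  <-- passes exercise 1 check only" : "";
            System.out.printf("%-8s solution=%-5b home=%-5b%s%n", user, solution, home, note);
        }
    }
}
```

Only `guest` is flagged: `editor` passes both checks and `outcast` fails both, which is why the two exercises behave identically for the users created in this lesson.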



Ensure other users can access the solution

  1. Attempt to sign into the PartyPool solution
    User Id = editor
    Password = editor

    You should be allowed into the solution.

That concludes this lesson.