Requirements

In order to implement extensible permissions, you must write a Permissions Module implementing the JACI interface.

There are some requirements for a Permissions Module that will run in the EMS server:

  • The Permissions Module must implement the JACI Authorizer interface, which accepts information about the operation to be authorized.
  • The Permissions Module must return a permission result, by way of the AuthorizationResult class. Permission results contain:
    • An allowed parameter, where true means that the request is allowed and false means the request is denied.
    • A timeout, which determines how long the permission result will be cached. Results can be cached for up to 24 hours, or not at all.
    • The destination on which the user is authorized to perform the action. The destination returned can be more inclusive than the request. For example, if the user requested to subscribe to the topic foo.bar, the permission result can allow the user to subscribe to foo.*. If a destination is not included in the permission result, then the allow or deny response is limited to the originally requested destination.
    • The action type that the permission result replies to. For example, authorization to publish to the destination, or authorization to receive messages from a queue. Permissions can be granted to multiple action types, for example permission to publish and subscribe on foo.>. Note that the EMS server creates one cache entry for each action specified in the result.
  • The Permissions Module must be thread-safe. That is, the Permissions Module must be able to function both in a multi-threaded environment and in a single-threaded environment.
  • The Permissions Module, like the LoginModule, should not perform long-running operations, and should return values quickly. Because these modules become part of the EMS server’s message handling process, slow operations can have a severe effect on performance.

Documentation of JACI classes and interfaces is available through the com.tibco.tibems.tibemsd.security package.
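
The following sketch is an added example, not TIBCO code. It shows a module shaped by the requirements above: lock-free and thread-safe, answering from memory, denying by default, and capping the cache timeout at 24 hours. ActionType, Request, Result, Grant and PolicyAuthorizer are hypothetical stand-ins, not the classes in com.tibco.tibems.tibemsd.security, whose signatures may differ; the sketch assumes a timeout of 0 means "do not cache" and uses a simplified matcher for the * and > wildcards.

```java
import java.util.*;
import java.util.concurrent.TimeUnit;

// Stand-in types for illustration only (assumption): the real Authorizer,
// Action and AuthorizationResult types are in com.tibco.tibems.tibemsd.security.
enum ActionType { PUBLISH, SUBSCRIBE, RECEIVE }
record Request(String user, String destination, ActionType type) {}
record Result(boolean allowed, long timeoutSeconds, String destination, Set<ActionType> types) {}

public class PolicyAuthorizer {
    static final long MAX_TIMEOUT = TimeUnit.HOURS.toSeconds(24); // cache limit stated above
    record Grant(String pattern, Set<ActionType> types, long timeoutSeconds) {}

    // Immutable snapshot behind a volatile reference: readers never lock or block.
    // Callers must pass immutable grant lists (List.of / Set.of).
    private volatile Map<String, List<Grant>> policy = Map.of();

    public void reload(Map<String, List<Grant>> fresh) { policy = Map.copyOf(fresh); }

    public Result isAllowed(Request r) {
        for (Grant g : policy.getOrDefault(r.user(), List.of())) {
            if (g.types().contains(r.type()) && matches(g.pattern(), r.destination())) {
                // Return the broader pattern and every granted action so the
                // server can cache one entry per action; clamp the timeout.
                long ttl = Math.min(g.timeoutSeconds(), MAX_TIMEOUT);
                return new Result(true, ttl, g.pattern(), g.types());
            }
        }
        // Default deny: no destination (limits the result to the requested one),
        // not cached (0 in this sketch), so a later grant takes effect at once.
        return new Result(false, 0, null, Set.of(r.type()));
    }

    // Simplified matcher: '*' matches one element, '>' one or more trailing elements.
    static boolean matches(String pattern, String dest) {
        String[] p = pattern.split("\\."), d = dest.split("\\.");
        for (int i = 0; i < p.length; i++) {
            if (p[i].equals(">")) return d.length > i;
            if (i >= d.length || !(p[i].equals("*") || p[i].equals(d[i]))) return false;
        }
        return p.length == d.length;
    }

    public static void main(String[] args) {
        PolicyAuthorizer a = new PolicyAuthorizer();
        Set<ActionType> pubSub = Set.of(ActionType.PUBLISH, ActionType.SUBSCRIBE);
        a.reload(Map.of("alice", List.of(new Grant("foo.*", pubSub, 172_800)))); // 48 h requested
        System.out.println(a.isAllowed(new Request("alice", "foo.bar", ActionType.SUBSCRIBE)));
        System.out.println(a.isAllowed(new Request("alice", "foo.bar.baz", ActionType.SUBSCRIBE)));
        System.out.println(a.isAllowed(new Request("bob", "foo.bar", ActionType.PUBLISH)));
    }
}
```

A cached allow on a wildcard destination stays in effect until its timeout expires, so the timeout chosen for broad grants bounds how long a revoked permission can still be honored.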