Example: Changes to access-control-policy_1_1.dtd to support a new AccessControlRule
- <example:business-hours-acr> element is
registered as a valid child of the <acr ...> element. This
enables you to limit the scope the AccessControlRule to the enclosing AccessControlRuleExpression
(it cannot be referenced using an <acr-ref ...> element).
- <example:business-hours-acr> element is
registered as a valid child of the <acr-lib> element. This
enables you to create a named instance within the AccessControlRuleLibrary
that can be referenced by <acr-ref ...> elements.
- <example:business-hours-acr>
element hierarchy DTD is defined as an XML ENTITY. This enables Cams to
use an EntityResolver to find the corresponding DTD file for the XML parser
when necessary.
<!--
$Id: access-control-policy_1_1_dtd.html,v 1.6 2005/04/28 23:28:50 gary Exp $
Copyright (c) 1996-2005 Cafesoft, LLC. All Rights Reserved.
This software is the confidential and proprietary information of
Cafesoft, LLC. ("Confidential Information"). You shall not disclose
such Confidential Information and shall use it only in accordance
with the terms of the license agreement you entered into with Cafesoft.
CAFESOFT MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY
OF THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. CAFESOFT SHALL NOT BE LIABLE FOR ANY
DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR
DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES.
-->
<!--
The access-control-policy encapsulates the resources protected within
a security domain and the rules for accessing them.
-->
<!ELEMENT access-control-policy (permission-collection*, acr-lib)>
<!ATTLIST access-control-policy defaultBias (granted|denied) #IMPLIED>
<!ATTLIST access-control-policy debug (true|false) #IMPLIED>
<!--
The permission-collection element is a container for all
permission instances of a given resource "type"
-->
<!ELEMENT permission-collection (permission*)>
<!ATTLIST permission-collection type CDATA #REQUIRED>
<!ATTLIST permission-collection desc CDATA #IMPLIED>
<!ATTLIST permission-collection debug (true|false) #IMPLIED>
<!--
A permission element associates a set of resources/actions
defined by a resource-pattern with an access control rule or
another security domain "owner" to which a access requests
will be delegated. Each permission is unique by combination
of resource-pattern and actions.
-->
<!ELEMENT permission (resource-pattern, (owner | acr-ref))>
<!ATTLIST permission desc CDATA #IMPLIED>
<!ATTLIST permission actions CDATA #IMPLIED>
<!ATTLIST permission debug (true|false) #IMPLIED>
<!--
A resource-pattern defines a set of protected resources via a
pattern of identifiers. The rules for interpreting the pattern
of identifiers is resource-specific.
-->
<!ELEMENT resource-pattern EMPTY>
<!ATTLIST resource-pattern id CDATA #REQUIRED>
<!--
An owner references a security domain that has ownership for a
given permission. If this element exists within a permission,
then access requests matching the permission are delegated to
the specified security domain.
-->
<!ELEMENT owner EMPTY>
<!ATTLIST owner id CDATA #REQUIRED>
<!--
An acr-ref references an access control rule, which is to be
invoked. The access control rule must be intrinsic (provided
by Cams, like "granted" or "denied") or defined within the
access control rule library (see element: "acr-lib")
-->
<!ELEMENT acr-ref EMPTY>
<!ATTLIST acr-ref id CDATA #REQUIRED>
<!--
An acr-type defines type of AccessControlRule within a security
domain's access control rule library. Each AccessControlRule type
is uniquely specified by its implementing Java Class and its name.
In order to be managed by Cams, the type must also provide an
AccessControlRulePersistenceManager implementation, which is
specified by the "acr-persistence-manager" Element.
-->
<!ELEMENT acr-type (acr-persistence-manager)>
<!ATTLIST acr-type name CDATA #REQUIRED>
<!ATTLIST acr-type className CDATA #REQUIRED>
<!ATTLIST acr-type desc CDATA #IMPLIED>
<!--
An acr-persistence-manager defines the Java class responsible
for creating, loading, storing, and removing AccessControlRule
instances for a given type.
-->
<!ELEMENT acr-persistence-manager (param-list?)>
<!ATTLIST acr-persistence-manager className CDATA #REQUIRED>
<!--
The param-list element is a container element for a list of
configuration parameters.
-->
<!ELEMENT param-list (param*)>
<!--
The param element provides an initialization/configuration
parameter as a generic name/value pair.
-->
<!ELEMENT param EMPTY>
<!ATTLIST param name CDATA #REQUIRED>
<!ATTLIST param value CDATA #REQUIRED>
<!--
An acr defines a new AccessControlRule within an
AccessControlRuleLibrary. Each AccessControlRule must be given
a unique identifier by which it can be referenced for invocation.
-->
<!ELEMENT acr (granted | denied | confidential | and | or | not | acr-ref |
auth-rule | remote-host-acr | example:business-hours-acr)*>
<!ATTLIST acr id CDATA #REQUIRED>
<!--
An acr-lib defines an AccessControlRuleLibrary, which contains
SecurityDomain-wide AccessControlRule type definitions and
AccessControlRule instances.
-->
<!ELEMENT acr-lib (acr-type | acr | auth-rule | remote-host-acr | example:business-hours-acr)*>
<!--
Elements "granted", "denied", and "confidential" are intrinsic
AccessControlRules that may be reference via "id" in "acr-ref" elements.
-->
<!ELEMENT granted EMPTY>
<!ELEMENT denied EMPTY>
<!ELEMENT confidential EMPTY>
<!--
Elements "and", "or", and "not" are logical operators that can be used
between any of combination of: access control expressions, access
control rules, true, and false.
-->
<!ELEMENT and EMPTY>
<!ELEMENT or EMPTY>
<!ELEMENT not EMPTY>
<!--
The auth-acr element and child elements are declared in:
auth-acr_1_0.dtd
-->
<!ENTITY % auth-acr-dtd SYSTEM
"http://cafesoft.com/auth-acr_1_0.dtd">
%auth-acr-dtd;
<!--
The host-acr elements are declared in:
host-acr_1_0.dtd
-->
<!ENTITY % host-acr-dtd SYSTEM
"http://cafesoft.com/host-acr_1_0.dtd">
%host-acr-dtd;
<!--
The example:business-hours-acr elements are declared in:
example-business-hours-acr_1_0.dtd
-->
<!ENTITY % example-business-hours-acr-dtd SYSTEM
"http://cafesoft.com/example-business-hours-acr_1_0.dtd">
%example-business-hours-acr-dtd;