Access request from tml / standard servlet api role support

larzeni
Hi,
I'm using tapestry5.4 with java 8.

I am using the standard servlet API to check if a user is in role or not, to hide or show buttons, links, and so on.

For example, I need to show a button to the user only if the user has been granted a role.

My usual way to do this is:

1) create a method in the page, for example:

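@Inject
RequestGlobals m_requestGlobals;

public boolean isUserAdmin() {
    if (m_requestGlobals == null) {
        return false;
    }
    // RequestGlobals has no isUserInRole(); the check lives on the servlet request
    return m_requestGlobals.getHTTPServletRequest().isUserInRole("ADMIN");
}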

2) then, in the tml, check the method using a t:if component, for example:

<t:if test="userAdmin">
                <a t:id="saveButton" type="button" href="#">SAVE DATA</a>
</t:if>

This is not so good, since I must reimplement the same method in many pages.

Is there any way I could access the requestGlobals directly from tml?

My goal would be to write, directly in the tml, something like:


<t:if test="request.isuserInRole('ADMIN')">
        <a t:id="saveButton" type="button" href="#">SAVE DATA</a>
</t:if>


Is it possible to do this with tapestry5?

Thanks in advance,
larzeni

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Access request from tml / standard servlet api role support

pico.dev
Hi,

Maybe you can implement a new conditional component that checks the role
and renders its body or not. Something like this:

<t:isUserInRole role="ADMIN">
    <a t:id="saveButton" type="button" href="#">SAVE DATA</a>
</t:isUserInRole>

See https://tapestry.apache.org/component-rendering.html

Regards,

Re: Access request from tml / standard servlet api role support

pico.dev
Maybe another alternative is to create a base page class that has this and
that some/all application pages extend

@Inject
RequestGlobals m_requestGlobals;

public boolean isUserAdmin()

Re: Access request from tml / standard servlet api role support

Kalle Korhonen-2
In reply to this post by pico.dev
Tapestry-security (http://www.tynamo.org/tapestry-security+guide/) supports
request.isuserInRole and provides components similar to the one suggested,
i.e.

<t:security.hasRole role="admin">
    <a t:id="saveButton" type="button" href="#">SAVE DATA</a>
</t:security.hasRole>

Kalle




Re: Access request from tml / standard servlet api role support

larzeni
In reply to this post by pico.dev
Hi,
this is an idea, but I was hoping to have direct access to the request.
In tapestry3 there was a direct way to access the Visit Object, and the ognl was well documented, but it seems that there is nothing similar anymore in tapestry5.

Thank you,
larzeni


Re: Access request from tml / standard servlet api role support

larzeni
In reply to this post by pico.dev
Yeah, that was my old way of doing this thing, but it ties classes too much, so I discarded that code.
Thank you,
larzeni

Re: Access request from tml / standard servlet api role support

larzeni
In reply to this post by Kalle Korhonen-2
Hi Kalle,
we are forced to use spring security, and cannot migrate to shiro.
Besides, I don't like the idea of gluing my code to external libraries, using annotations or other code that may have a different lifecycle.

I can wait as long as I want to update my code, but, if there is a security issue, I must be immediately able to update my security libs.
I much prefer to declare security constraints outside my app (spring allows this with an xml file inside the WEB-INF folder) and use the standard servlet api, so I can migrate to a new version whenever I need.

I will take a look at the code. I guess I will need to create a custom component, but, in my humble opinion, it's too big an effort to write a component simply to access the request object from a tml.

Anyway, thanks for your hint,
larzeni

Re: Access request from tml / standard servlet api role support

Dmitry Gusev
In reply to this post by larzeni
Hi Luca,

Component parameter syntax is built around binding expressions [1], i.e.
"prefix:expression".

By default the prefix is "prop:", unless explicitly overridden for a specific
parameter [2].

You can find a detailed explanation of property expressions, including their
BNF grammar, in the official Tapestry documentation [3].

Property expressions are always evaluated in the context of the current
page/component.

It's called a "property" expression because it uses JavaBean-notation
properties (the @Property annotation can generate get/set methods around a field
at runtime).

So in order for your expression `request.isUserInRole("ADMIN")` to work,
`request` must be a @Property (or have a `getRequest()` method) in your
page/component, i.e.:

@Inject
@Property
Request request;

There are no special cases for the built-in services in the BNF
for property expressions [3].

As others pointed out in this thread, the Tapestry way of dealing with your
requirement is to create a new component,
similar to `t:If`, that would accept a role name as its parameter so you
could render its body conditionally if the user is in the role, i.e.:

import org.apache.tapestry5.BindingConstants;
import org.apache.tapestry5.annotations.Parameter;
import org.apache.tapestry5.corelib.base.AbstractConditional;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.services.RequestGlobals;

public class HasRole extends AbstractConditional
{
    @Inject RequestGlobals requestGlobals;

    // Role name, passed as a literal string from the template
    @Parameter(required=true, defaultPrefix=BindingConstants.LITERAL) String role;

    // The body is rendered only if the servlet container reports the user in the role
    @Override
    protected boolean test()
    {
        return requestGlobals.getHTTPServletRequest().isUserInRole(role);
    }
}

The above code is almost a copy-paste of tapestry-security's HasRole component
[4].

The only difference is that this component uses the servlet API directly for role
checking,
while tapestry-security is built around Apache Shiro [5],
and provides a more advanced security model than the simple role model of the
servlet API.

I highly recommend tapestry-security if you need anything more than
the built-in servlet API role model.

[1] http://tapestry.apache.org/component-parameters.html#ComponentParameters-BindingExpressions
[2] https://tapestry.apache.org/5.3/apidocs/org/apache/tapestry5/annotations/Parameter.html#defaultPrefix()
[3] http://tapestry.apache.org/property-expressions.html
[4] http://www.tynamo.org/tapestry-security+guide/
[5] https://shiro.apache.org



--
Dmitry Gusev

AnjLab Team
http://anjlab.com
Re: Access request from tml / standard servlet api role support

Thiago H de Paula Figueiredo
In reply to this post by larzeni
On Sat, Apr 28, 2018 at 7:51 AM, Luca Arzeni <[hidden email]> wrote:

> Hi,
>

Hello, Luca! (Ciao? :D )


> this is an idea, but I was hoping to have direct access to the request.
> In tapestry3 there was a direct way to access the Visit Object, and the
> ognl was well documented, but it seems that there is nothing similar anymore
> in tapestry5.
>

There isn't and that's by design. The Tapestry 5 philosophy, at least the
internal one, is to have the least code in templates possible, so
resurrecting Tapestry 4-'s direct access to the request object wouldn't
make sense, IMHO. You can always create your own binding prefixes, though,
so you can do basically everything with Tapestry expressions as long as
you're willing to implement a binding prefix.




--
Thiago
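
The binding-prefix route suggested above, sketched as an added example (not code from the thread or from Tapestry itself). It assumes Tapestry 5.4 package names; RoleBindingModule, RoleBindingFactory, RoleBinding and the "role" prefix are hypothetical names, and with them a template can write <t:if test="role:ADMIN">.

```java
// Added example; not code from the thread. Assumes Tapestry 5.4 package names
// (org.apache.tapestry5.ioc.*). RoleBindingModule, RoleBindingFactory,
// RoleBinding and the "role" prefix are hypothetical names for this sketch.
import java.lang.annotation.Annotation;

import javax.servlet.http.HttpServletRequest;

import org.apache.tapestry5.Binding;
import org.apache.tapestry5.ComponentResources;
import org.apache.tapestry5.ioc.Location;
import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.services.BindingFactory;

/** List this class as a sub-module, or move the contribute method into the app module. */
public class RoleBindingModule
{
    /** Registers the prefix so templates can write test="role:ADMIN". */
    public static void contributeBindingSource(
            MappedConfiguration<String, BindingFactory> configuration)
    {
        configuration.addInstance("role", RoleBindingFactory.class);
    }

    public static class RoleBindingFactory implements BindingFactory
    {
        // Tapestry injects a proxy here, so this field always delegates
        // to the servlet request currently being processed.
        private final HttpServletRequest request;

        public RoleBindingFactory(HttpServletRequest request)
        {
            this.request = request;
        }

        @Override
        public Binding newBinding(String description, ComponentResources container,
                ComponentResources component, String expression, Location location)
        {
            final String role = expression.trim();
            if (role.isEmpty())
            {
                // Fail when the template is loaded instead of silently hiding content
                throw new IllegalArgumentException(
                        "Empty role name in binding: " + description);
            }
            return new RoleBinding(request, role);
        }
    }

    /** Read-only boolean binding backed by HttpServletRequest.isUserInRole(). */
    static class RoleBinding implements Binding
    {
        private final HttpServletRequest request;
        private final String role;

        RoleBinding(HttpServletRequest request, String role)
        {
            this.request = request;
            this.role = role;
        }

        @Override
        public Object get()
        {
            // false for anonymous users and for users without the role
            return request.isUserInRole(role);
        }

        @Override
        public void set(Object value)
        {
            throw new UnsupportedOperationException("role: bindings are read-only");
        }

        @Override
        public boolean isInvariant()
        {
            // Must be false: an invariant binding may be read once and cached,
            // which would leak one user's result to every later request.
            return false;
        }

        @Override
        public Class getBindingType()
        {
            return Boolean.class;
        }

        @Override
        public <T extends Annotation> T getAnnotation(Class<T> annotationClass)
        {
            return null; // no annotations to expose
        }
    }
}

// Template usage:
//   <t:if test="role:ADMIN">
//       <a t:id="saveButton" type="button" href="#">SAVE DATA</a>
//   </t:if>
//
// The binding only decides which markup is rendered. The handler or URL behind
// the link still needs its own server-side constraint, such as the externally
// declared Spring Security rules mentioned earlier in the thread.
```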
Re: Access request from tml / standard servlet api role support

Thiago H de Paula Figueiredo
In reply to this post by Dmitry Gusev
Hello, everyone!

On Sat, Apr 28, 2018 at 8:45 AM, Dmitry Gusev <[hidden email]>
wrote:

> As others pointed out in this thread, the Tapestry way of dealing with your
> requirement is to create a new component,
> similar to `t:If`, that would accept a role name as its parameter so you
> could render its body conditionally if the user is in the role, i.e.:
>
> public class HasRole extends org.apache.tapestry5.corelib.base.AbstractConditional
> {
>     @Inject RequestGlobals requestGlobals;
>     @Parameter(required=true, defaultPrefix=BindingConstants.LITERAL) String role;
>
>     @Override
>     protected boolean test()
>     {
>         return requestGlobals.getHTTPServletRequest().isUserInRole(role);
>     }
> }
>
> The above code is almost a copy-paste of tapestry-security's HasRole component
> [4].
>
>

I believe that, for the context of the question (i.e. not being able to use
tapestry-security), that's the Right Way of doing this. You want some
code encapsulated so it can be easily reused in Tapestry? Put it in a
component (or a mixin in some cases), and Tapestry makes it very simple to
do it. It may be possible to plug authentication and authorization logic
from Spring Security into Shiro, which is incredibly well-architected and
flexible, but I guess it's overkill here.

I'd just make a little change: @Inject HttpServletRequest directly instead
of getting it through RequestGlobals.

--
Thiago
Re: Access request from tml / standard servlet api role support

larzeni
In reply to this post by Dmitry Gusev
Hi Dmitry,
I ended up doing a component as you suggested.
I will take a look at tapestry-security when I have a little more time.
Thanks again,
larzeni


Re: Access request from tml / standard servlet api role support

larzeni
In reply to this post by Thiago H de Paula Figueiredo
Hello Thiago,
ciao is fine, you are right!

The idea of binding prefix is interesting, I never thought of using it this way!
Thanks again,
Luca


> Sent: Saturday, April 28, 2018 at 8:55 PM
> From: "Thiago H. de Paula Figueiredo" <[hidden email]>
> To: "Tapestry users" <[hidden email]>
> Subject: Re: Access request from tml / standard servlet api role support
>
> On Sat, Apr 28, 2018 at 7:51 AM, Luca Arzeni <[hidden email]> wrote:
>
> > Hi,
> >
>
> Hello, Luca! (Ciao? :D )
>
>
> > this is an idea, but I was hoping to have direct access to the request.
> > In tapestry3 there was a direct way to access the Visit Object, and the
> > ognl was well documented, but it seems that there is no more similar in
> > tapestry5.
> >
>
> There isn't and that's by design. The Tapestry 5 philosophy, at least the
> internal one, is to have the least code in templates possible, so
> ressurecting Tapestry 4-'s direct access to the request object wouldn't
> make sense, IMHO. You can always create your own binding prefixes, though,
> so you can do basically everything with Tapestry expressions as long as
> you're willing to implement a binding prefix.
>
>
> >
> > Thank you,
> > larzeni
> >
> >
> > > Sent: Saturday, April 28, 2018 at 12:41 AM
> > > From: "pico.dev" <[hidden email]>
> > > To: "Tapestry users" <[hidden email]>
> > > Subject: Re: Access request from tml / standard servlet api role support
> > >
> > > Hi,
> > >
> > > Maybe you can implement a new conditional component that checks the role
> > > and render or not its body. Something like this:
> > >
> > > <t:isUserInRole role="ADMIN">
> > >     <a t:id="saveButton" type="button" href="#">SAVE DATA</a>
> > > </t:isUserInRole>
> > >
> > > See https://tapestry.apache.org/component-rendering.html
> > >
> > > Regards,
> > >
> > > On Sat, Apr 28, 2018 at 0:12, Luca Arzeni (<[hidden email]>)
> > > wrote:
> > >
> > > > Hi,
> > > > I'm using tapestry5.4 with java 8.
> > > >
> > > > I am using the standard servlet API to check if a user is in role or not,
> > > > to hide or show buttons, links, and so on.
> > > >
> > > > For example, I need to show a button to the user only if the user has been
> > > > granted a role.
> > > >
> > > > My usual way to do this is:
> > > >
> > > > 1) create a method in the page, for example:
> > > >
> > > > @Inject
> > > > RequestGlobals m_requestGlobals;
> > > >
> > > > public boolean isUserAdmin() {
> > > >         if (m_requestGlobals == null) {
> > > >                 return false;
> > > >         }
> > > >         return m_requestGlobals.getHTTPServletRequest().isUserInRole("ADMIN");
> > > > }
> > > >
> > > > 2) then, in the tml, check the method using a t:if component, for example:
> > > >
> > > > <t:if test="userAdmin">
> > > >                 <a t:id="saveButton" type="button" href="#">SAVE DATA</a>
> > > > </t:if>
> > > >
> > > > This is not so good, since I must reimplement the same method in many
> > > > pages.
> > > >
> > > > Is there any way I could access the requestGlobals directly from tml?
> > > >
> > > > My goal would be to write, directly in the tml, something like:
> > > >
> > > >
> > > > <t:if test="request.isUserInRole('ADMIN')">
> > > >         <a t:id="saveButton" type="button" href="#">SAVE DATA</a>
> > > > </t:if>
> > > >
> > > >
> > > > Is it possible to do this with tapestry5?
> > > >
> > > > Thanks in advance,
> > > > larzeni
> > > >
> > > >
> > > >
> > >
> >
> >
> >
>
>
> --
> Thiago
>


Re: Access request from tml / standard servlet api role support

larzeni
In reply to this post by Thiago H de Paula Figueiredo
Hi Thiago,
thanks for the hint, I didn't know that I can @Inject HttpServletRequest!

One never stops learning...

Thanks, Luca

> Sent: Saturday, April 28, 2018 at 8:55 PM
> From: "Thiago H. de Paula Figueiredo" <[hidden email]>
> To: "Tapestry users" <[hidden email]>
> Subject: Re: Access request from tml / standard servlet api role support
>
> Hello, everyone!
>
> On Sat, Apr 28, 2018 at 8:45 AM, Dmitry Gusev <[hidden email]>
> wrote:
>
> > As others pointed in this thread, the Tapestry way of dealing with your
> > requirement is to create a new component,
> > similar to `t:If`, that would accept a role name as its parameter so you
> > could render its body conditionally if user is in role, i.e.:
> >
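> > import org.apache.tapestry5.BindingConstants;
> > import org.apache.tapestry5.annotations.Parameter;
> > import org.apache.tapestry5.corelib.base.AbstractConditional;
> > import org.apache.tapestry5.ioc.annotations.Inject;
> > import org.apache.tapestry5.services.RequestGlobals;
> >
> > public class HasRole extends AbstractConditional
> > {
> >     @Inject RequestGlobals requestGlobals;
> >
> >     // Role name; literal binding so role="ADMIN" is read as a plain string
> >     @Parameter(required=true, defaultPrefix=BindingConstants.LITERAL)
> >     String role;
> >
> >     // The body renders only when the servlet container reports the role
> >     @Override
> >     protected boolean test()
> >     {
> >         return requestGlobals.getHTTPServletRequest().isUserInRole(role);
> >     }
> > }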
> >
> > Above code is almost a copy-paste of tapestry-security's HasRole component
> > [4].
> >
>
> I believe that, for the context of the question (i.e. not being able to use
> tapestry-security), that's the Right Way of doing this. You want something
> code encapsulated so it can be easily reused in Tapestry? Put it in a
> component (or a mixin in some cases), and Tapestry makes it very simple to
> do it. It may be possible to plug authentication and authorization logic
> from Spring Security into Shiro, which is incredibly well-architected and
> flexible, but I guess it's overkill here.
>
> I'd just make a little change: @Inject HttpServletRequest directly instead
> of getting it through RequestGlobals.
>
> --
> Thiago
>
