Authorisation in Tapestry Applications


Authorisation in Tapestry Applications

Christopher Dodunski-4
Hi All,

The Tapestry Hotel demo app has proven a good lesson in implementing
AUTHENTICATION.  Having developed a multi-user Tapestry app, I now need to
implement AUTHORISATION, but the Hotel demo app is aimed at just one user
type: visitors.

I created a role table in my Tapestry application (screenshot attached).
Permissions are specified in terms of CRUD actions, meaning there are four
columns for each domain (Hibernate) entity: e.g. CAN_CREATE_USER,
CAN_READ_USER, CAN_UPDATE_USER, CAN_DELETE_USER, etc.

The Hotel demo app enforces authentication by including or excluding the
@AnonymousAccess annotation on page classes.  I imagine enforcing page
authorisation could be done similarly, using a single annotation.  This
could prevent users lacking the necessary privilege from accessing certain
pages, for instance 'pages/DeleteUser.java'.  Ideally, though, it would be
desirable to also prevent users from navigating to such pages in the first
place.  Either the PageLink icon is greyed out, or there is no link.

I am seeking some direction - perhaps even some example code - in how to
have my Tapestry application enforce the privileges specified in my role
table.

Thanks & regards,

Chris.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Re: Authorisation in Tapestry Applications

Christopher Dodunski-4
Hi Basile,

Thanks for replying.  Yes, I'd discovered Tynamo, but wondered whether it
might be overkill given that I'd already inherited authentication code
from the Tapestry Hotel demo app.

It wasn't clear on the Tynamo site how Tynamo acquires permissions from my
(attached) 'role' table.  And if I have to write code to do this, then why
would I need Tynamo rather than just creating a method in my user entity
class along the lines of...

  if (currentUser.isPermitted("company:create")) {
      // Show create company button
  } else {
      // Grey out or hide create company button
  }

Regards,

Chris.


> http://www.tynamo.org/tapestry-security+guide/
>
> https://tapestry.apache.org/security.html
>
> On 26/11/2017 at 05:16, Christopher Dodunski wrote:



Re: Authorisation in Tapestry Applications

Kalle Korhonen-2
Attachments don't come through to the mailing list, but so you have a table
that describes permissions for all of the entities? Obviously, visually
showing or hiding buttons on the client doesn't really enforce security, but
you are right, Tynamo doesn't really offer anything for this case out of
the box. It'd be relatively easy to write custom security annotations for
your case though, for example following the source code in
tapestry-security-jpa (see http://www.tynamo.org/tapestry-security-jpa+guide/).
On the other hand, if you used the same CRUD pages for all your entities
(similar to http://www.tynamo.org/tapestry-model+guide/), you'd only need to
implement the security checks in one place, making annotations quite
useless. It all depends on how complex your data is and how customizable you
need your pages to be. If you have a lot of entities but editing the data is
mainly form-based, I'd almost encourage you to take a look at
tapestry-model and how well that would work for you. There's a fair bit to
learn there if you need to customize the pages heavily, but it could give
you a lot for free, including having the security checks all in one place
(both visually and at the data level).

Kalle

On Sun, Nov 26, 2017 at 3:09 PM, Christopher Dodunski <
[hidden email]> wrote:
Grid component customization

Ric-01
In reply to this post by Christopher Dodunski-4
Dear all,

I wanted to customize the GridColumns component, which is embedded
inside the Grid component, by trying different approaches.

Finally I failed, because it was neither possible by a request filter
replacing the GridColumns component at runtime with my customized one,
nor did it work to use an own template for the Grid component pointing
to my customized version of GridColumns.

What is the best way to do this? The GridColumns component is a private
component inside the Grid and I wonder how to replace it.

I even tried to put my own complete Grid component in my application, but
this ends in an exception that there is no type coercer available for my
own Grid implementation to the original Tapestry Grid's bean model. And
even if this had worked, it would not be a nice way.

Your help is appreciated. Thanks in advance.


Greetings, Eric


Re: Grid component customization

Thiago H de Paula Figueiredo
On Tue, Nov 28, 2017 at 6:33 AM, Erich Gormann <[hidden email]> wrote:

> Dear all,
>

Hi!


> I wanted to customize the GridColumns component, which is embedded inside
> the Grid component, by trying different approaches.
>
> Finally I failed, because it was neither possible by a request filter
> replacing the GridColumns component at runtime with my customized one,


This wasn't expected to work, but I'm curious how you tried to do it. :)


> nor did it work to use an own template for the Grid component pointing to
> my customized version of GridColumns.
>
> What is the best way to do this? The GridColumns component is a private
> component inside the Grid and I wonder how to replace it.
>

Contribute to the ComponentOverride distributed configuration, which is a
Map<Class, Class>, the key being the component or page or mixin class to be
replaced, the value being the replacement.

Here's an example from Tapestry's test suite:

import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.ioc.annotations.Contribute;

// Goes in a module class (e.g. AppModule); the Overriden*/Override* classes
// are the test suite's own pages, components and mixins.
@Contribute(ComponentReplacer.class)
public static void overridePageAndComponentAndMixin(MappedConfiguration<Class, Class> configuration) {
    configuration.add(OverridenPage.class, OverridePage.class);
    configuration.add(OverridenComponent.class, OverrideComponent.class);
    configuration.add(OverridenMixin.class, OverrideMixin.class);
}

--
Thiago

Re: Authorisation in Tapestry Applications

Christopher Dodunski-4
In reply to this post by Christopher Dodunski-4
Hi Kalle,

Thank you for explaining what Tynamo Model has to offer.  It certainly
looks interesting, and promises to save much time in creating CRUD heavy
apps in Tapestry.  I'll give it a go on my next webapp.

For now, I think I'll simply inspect the user's permissions in the
onActivate() method of a CRUD page, and immediately bounce the user back
to the previous page if their permissions disallow that particular CRUD
action (e.g. create a company).

Chris.
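As an added example (not code from the thread, from Tapestry or from Tynamo), this is the server-side onActivate() check Chris describes, with a hypothetical Role class that maps an "entity:action" string onto the CAN_ACTION_ENTITY columns of the role table; UserSession, Index and the class layout are assumptions. Greying out the PageLink stays a usability measure; this check is what actually refuses the request.

```java
import java.util.Locale;
import java.util.Map;
import org.apache.tapestry5.alerts.AlertManager;
import org.apache.tapestry5.annotations.SessionState;
import org.apache.tapestry5.ioc.annotations.Inject;

/** One row of the CAN_<ACTION>_<ENTITY> role table from the thread (hypothetical class). */
class Role {
    private final Map<String, Boolean> flags; // e.g. "CAN_CREATE_COMPANY" -> true
    Role(Map<String, Boolean> flags) { this.flags = flags; }

    /** Maps "entity:action" (e.g. "company:create") onto the CAN_ACTION_ENTITY column. */
    boolean isPermitted(String permission) {
        String[] parts = permission.split(":");
        if (parts.length != 2) {
            return false; // malformed permission strings deny by default
        }
        String column = "CAN_" + parts[1].toUpperCase(Locale.ROOT)
                + "_" + parts[0].toUpperCase(Locale.ROOT);
        return Boolean.TRUE.equals(flags.get(column));
    }
}

/** Hypothetical session-state object holding the logged-in user's role. */
class UserSession {
    private final Role role;
    UserSession(Role role) { this.role = role; }
    boolean isPermitted(String permission) { return role.isPermitted(permission); }
}

/** Page class for pages/CreateCompany: the check runs on the server before anything renders. */
public class CreateCompany {
    @SessionState(create = false)
    private UserSession user;
    private boolean userExists; // Tapestry fills this companion flag for a @SessionState field

    @Inject
    private AlertManager alertManager;

    // Tapestry activates the page for render requests and for component event requests
    // (form submits, action links), so one check covers both; a page class return redirects.
    Object onActivate() {
        if (!userExists || !user.isPermitted("company:create")) {
            alertManager.error("Not permitted to create companies.");
            return Index.class; // Index is assumed to be the application's start page
        }
        return null; // null lets the page render normally
    }
}
```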

