You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tapestry.apache.org by Richard Frovarp <rf...@apache.org> on 2013/05/30 18:29:36 UTC
Tapestry Security / page instance / invocation question
I'm using the Tynamo tapestry-security library to great success. I've
been progressing through the instance level pieces and things are going
well.
I've ran into a bit of a problem however. I can do the instance level
checks with @RequiresPermissions on functions just fine. That is
populating the Environment service with the MethodInvocation. All is
well. I can either get the method, or the instance, and proceed to do my
security checks.
The problem I'm running into is with the soft checks, in particular
<t:security.hasPermission permission="some:permission"> where I want to
decide if a link should be shown or not.
That will trigger the checks, however, that doesn't populate the
Environment with the MethodInvocation. So I have no way of telling what
is being checked.
Is there a way to get the current invocation without going through the
environment service? Or should I come up with my own annotation, turn
the security annotation into if checks, and use the advise pieces to put
the invocation into the environment?
This section of Tapestry is still confusing to me, so I hope that my
question makes sense.
Thanks,
Richard
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: Tapestry Security / page instance / invocation question
Posted by Richard Frovarp <rf...@apache.org>.
On 06/04/2013 11:03 AM, Dmitry Gusev wrote:
> Just a note that you always can write your own component like this if you
> want:
>
> <t:hasPermission2 permission="some:permission" instance="myInstance">
>
That's probably the better long term solution for my environment.
> On Tue, Jun 4, 2013 at 7:50 PM, Richard Frovarp <rf...@apache.org> wrote:
>
>> That would work. The trick is that I need to compute the permissions
>> dynamically. I'll have to add in more code to handle those types of
>> wildcard permissions. I was hoping for something much more similar to what
>> I can use with the @RequiresPermissions check. But since I don't have an
>> invocation, that looks like what I'll have to do.
>
>
> I'm not sure I understand you, how would this differ from the case with
> MethodInvoication?
> Isn't the same AuthorizingRealm will check permissions for you?
> Just check if your permission has targets set and if it has - you can just
> peek instance from them.
> If not - try to get if from MethodInvoication.
>
> Anyway, if you need that invocation - you can create one - just call some
> method from your new component newPermission2 and intercept that call with
> @RequiresPermissions. But you can't declare dynamic permission in the
> annotation, you do understand this, right?
>
>
By using the MethodInvocation (and perhaps actually getting the
instance), I get the object to inspect directly, instead of having to
get Cayenne to retrieve it for me via the object id.
What I've done is to create a realm that uses reflection / introspection
to find methods annotated with a special annotation. The string in that
annotation matches exactly with the permission being checked. When
permission checks come in, they are dispatched to the method marked as
being responsible for that permission.
So this:
@RequiresPermissions(ILACAuth.SERVICE_MANAGE_VIEW_INSTANCE)
public void onActivate(Service service) {
ends up getting processed by this:
@InstanceAccessMethod(ILACAuth.SERVICE_MANAGE_VIEW_INSTANCE)
public boolean isPermittedViewService() {
MethodInvocation methodInvocation = getInvocation();
if (methodInvocation == null) {
return false;
}
Object instance = methodInvocation.getInstance();
...
}
Where the permission is: servicemanager:view:instance.
This idea works everywhere, except for template rendering. I do support
passing in the permission being checked when dispatching the call. I
just need to get around the exact string matching I'm doing. This will
probably require a locally reserved word in the permission to make it work.
So to handle the template scenario, I probably need to do something
like: servicemanager:view:instance:key:265 and then know to chop :key on
to dispatch to the correct check, and pass the permission in so it can
have Cayenne retrieve the correct record if necessary. My method would
have to change as well. It's not insurmountable, it just requires more
work to set everything up.
The key thing is I now understand that I can't get what I need via
MethodInvocation when rendering, so I don't bang my head against that wall.
Thanks,
Richard
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: Tapestry Security / page instance / invocation question
Posted by Dmitry Gusev <dm...@gmail.com>.
Just a note that you always can write your own component like this if you
want:
<t:hasPermission2 permission="some:permission" instance="myInstance">
On Tue, Jun 4, 2013 at 7:50 PM, Richard Frovarp <rf...@apache.org> wrote:
> That would work. The trick is that I need to compute the permissions
> dynamically. I'll have to add in more code to handle those types of
> wildcard permissions. I was hoping for something much more similar to what
> I can use with the @RequiresPermissions check. But since I don't have an
> invocation, that looks like what I'll have to do.
I'm not sure I understand you, how would this differ from the case with
MethodInvoication?
Isn't the same AuthorizingRealm will check permissions for you?
Just check if your permission has targets set and if it has - you can just
peek instance from them.
If not - try to get if from MethodInvoication.
Anyway, if you need that invocation - you can create one - just call some
method from your new component newPermission2 and intercept that call with
@RequiresPermissions. But you can't declare dynamic permission in the
annotation, you do understand this, right?
>
> On 05/30/2013 11:34 AM, Dmitry Gusev wrote:
>
>> You don't have invocation here, because you're rendering.
>> And you should know what you're rendering, so you should be able to do
>> this:
>>
>> <t:security.hasPermission permission="${myPermission}">
>>
>> and in Java:
>>
>> public String getMyPermission()
>> {
>> return "some:permission:" + instance.getId();
>> }
>>
>> will this work?
>>
>> On Thu, May 30, 2013 at 8:29 PM, Richard Frovarp <rfrovarp@apache.org
>> >wrote:
>>
>> I'm using the Tynamo tapestry-security library to great success. I've
>>> been
>>> progressing through the instance level pieces and things are going well.
>>>
>>> I've ran into a bit of a problem however. I can do the instance level
>>> checks with @RequiresPermissions on functions just fine. That is
>>> populating
>>> the Environment service with the MethodInvocation. All is well. I can
>>> either get the method, or the instance, and proceed to do my security
>>> checks.
>>>
>>> The problem I'm running into is with the soft checks, in particular
>>> <t:security.hasPermission permission="some:permission"> where I want to
>>> decide if a link should be shown or not.
>>>
>>> That will trigger the checks, however, that doesn't populate the
>>> Environment with the MethodInvocation. So I have no way of telling what
>>> is
>>> being checked.
>>>
>>> Is there a way to get the current invocation without going through the
>>> environment service? Or should I come up with my own annotation, turn the
>>> security annotation into if checks, and use the advise pieces to put the
>>> invocation into the environment?
>>>
>>> This section of Tapestry is still confusing to me, so I hope that my
>>> question makes sense.
>>>
>>> Thanks,
>>> Richard
>>>
>>> ------------------------------****----------------------------**
>>> --**---------
>>> To unsubscribe, e-mail: users-unsubscribe@tapestry.**a**pache.org<http://apache.org>
>>> <us...@tapestry.apache.org>
>>> >
>>>
>>> For additional commands, e-mail: users-help@tapestry.apache.org
>>>
>>>
>>>
>>
>>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.**apache.org<us...@tapestry.apache.org>
> For additional commands, e-mail: users-help@tapestry.apache.org
>
>
--
Dmitry Gusev
AnjLab Team
http://anjlab.com
Re: Tapestry Security / page instance / invocation question
Posted by Richard Frovarp <rf...@apache.org>.
That would work. The trick is that I need to compute the permissions
dynamically. I'll have to add in more code to handle those types of
wildcard permissions. I was hoping for something much more similar to
what I can use with the @RequiresPermissions check. But since I don't
have an invocation, that looks like what I'll have to do.
On 05/30/2013 11:34 AM, Dmitry Gusev wrote:
> You don't have invocation here, because you're rendering.
> And you should know what you're rendering, so you should be able to do this:
>
> <t:security.hasPermission permission="${myPermission}">
>
> and in Java:
>
> public String getMyPermission()
> {
> return "some:permission:" + instance.getId();
> }
>
> will this work?
>
> On Thu, May 30, 2013 at 8:29 PM, Richard Frovarp <rf...@apache.org>wrote:
>
>> I'm using the Tynamo tapestry-security library to great success. I've been
>> progressing through the instance level pieces and things are going well.
>>
>> I've ran into a bit of a problem however. I can do the instance level
>> checks with @RequiresPermissions on functions just fine. That is populating
>> the Environment service with the MethodInvocation. All is well. I can
>> either get the method, or the instance, and proceed to do my security
>> checks.
>>
>> The problem I'm running into is with the soft checks, in particular
>> <t:security.hasPermission permission="some:permission"> where I want to
>> decide if a link should be shown or not.
>>
>> That will trigger the checks, however, that doesn't populate the
>> Environment with the MethodInvocation. So I have no way of telling what is
>> being checked.
>>
>> Is there a way to get the current invocation without going through the
>> environment service? Or should I come up with my own annotation, turn the
>> security annotation into if checks, and use the advise pieces to put the
>> invocation into the environment?
>>
>> This section of Tapestry is still confusing to me, so I hope that my
>> question makes sense.
>>
>> Thanks,
>> Richard
>>
>> ------------------------------**------------------------------**---------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.**apache.org<us...@tapestry.apache.org>
>> For additional commands, e-mail: users-help@tapestry.apache.org
>>
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: Tapestry Security / page instance / invocation question
Posted by Dmitry Gusev <dm...@gmail.com>.
You don't have invocation here, because you're rendering.
And you should know what you're rendering, so you should be able to do this:
<t:security.hasPermission permission="${myPermission}">
and in Java:
public String getMyPermission()
{
return "some:permission:" + instance.getId();
}
will this work?
On Thu, May 30, 2013 at 8:29 PM, Richard Frovarp <rf...@apache.org>wrote:
> I'm using the Tynamo tapestry-security library to great success. I've been
> progressing through the instance level pieces and things are going well.
>
> I've ran into a bit of a problem however. I can do the instance level
> checks with @RequiresPermissions on functions just fine. That is populating
> the Environment service with the MethodInvocation. All is well. I can
> either get the method, or the instance, and proceed to do my security
> checks.
>
> The problem I'm running into is with the soft checks, in particular
> <t:security.hasPermission permission="some:permission"> where I want to
> decide if a link should be shown or not.
>
> That will trigger the checks, however, that doesn't populate the
> Environment with the MethodInvocation. So I have no way of telling what is
> being checked.
>
> Is there a way to get the current invocation without going through the
> environment service? Or should I come up with my own annotation, turn the
> security annotation into if checks, and use the advise pieces to put the
> invocation into the environment?
>
> This section of Tapestry is still confusing to me, so I hope that my
> question makes sense.
>
> Thanks,
> Richard
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.**apache.org<us...@tapestry.apache.org>
> For additional commands, e-mail: users-help@tapestry.apache.org
>
>
--
Dmitry Gusev
AnjLab Team
http://anjlab.com