Posted to commits@isis.apache.org by da...@apache.org on 2011/04/27 00:38:19 UTC

svn commit: r1096936 [3/3] - in /incubator/isis/trunk: core/progmodel/src/main/java/org/apache/isis/core/progmodel/facets/ignore/ core/runtime/ core/runtime/src/main/java/org/apache/isis/core/runtime/logging/ core/src/docbkx/guide/ runtimes/dflt/ runti...

Modified: incubator/isis/trunk/runtimes/dflt/webapp/src/main/java/org/apache/isis/runtimes/dflt/webapp/IsisWebAppBootstrapper.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/runtimes/dflt/webapp/src/main/java/org/apache/isis/runtimes/dflt/webapp/IsisWebAppBootstrapper.java?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/runtimes/dflt/webapp/src/main/java/org/apache/isis/runtimes/dflt/webapp/IsisWebAppBootstrapper.java (original)
+++ incubator/isis/trunk/runtimes/dflt/webapp/src/main/java/org/apache/isis/runtimes/dflt/webapp/IsisWebAppBootstrapper.java Tue Apr 26 22:38:18 2011
@@ -36,10 +36,10 @@ import org.apache.isis.core.commons.conf
 import org.apache.isis.core.commons.config.IsisConfigurationBuilderResourceStreams;
 import org.apache.isis.core.commons.config.NotFoundPolicy;
 import org.apache.isis.core.commons.resource.ResourceStreamSourceContextLoaderClassPath;
+import org.apache.isis.core.runtime.logging.IsisLoggingConfigurer;
 import org.apache.isis.core.webapp.config.ResourceStreamSourceForWebInf;
 import org.apache.isis.runtimes.dflt.runtime.installers.InstallerLookup;
 import org.apache.isis.runtimes.dflt.runtime.installers.InstallerLookupDefault;
-import org.apache.isis.runtimes.dflt.runtime.logging.IsisLoggingConfigurer;
 import org.apache.isis.runtimes.dflt.runtime.runner.IsisModule;
 import org.apache.isis.runtimes.dflt.runtime.system.DeploymentType;
 import org.apache.isis.runtimes.dflt.runtime.system.IsisSystem;

Modified: incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authentication/AuthenticatorNoop.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authentication/AuthenticatorNoop.java?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authentication/AuthenticatorNoop.java (original)
+++ incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authentication/AuthenticatorNoop.java Tue Apr 26 22:38:18 2011
@@ -36,7 +36,7 @@ public class AuthenticatorNoop extends A
     }
 
     public boolean isValid(AuthenticationRequest request) {
-        return false;
+        return true;
     }
 
 }
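Review bot: The new `isValid` returns true unconditionally, so `AuthenticatorNoop` now grants a session to any `AuthenticationRequest` without inspecting it, yet the hunk carries no comment stating that this is the intended contract rather than a placeholder. A Javadoc on the method along the lines of `/** Accepts every request unconditionally; no credentials are checked. Intended only where authentication is deliberately disabled. */` would make that explicit to anyone wiring this class into a runtime, and if the flip from false to true is meant to make the no-op installer usable for login, saying so in the class Javadoc would help too. The class declaration of `AuthenticatorNoop` starts outside this hunk.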

Copied: incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/AuthorizorNoop.java (from r1096322, incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/NoopAuthorizor.java)
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/AuthorizorNoop.java?p2=incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/AuthorizorNoop.java&p1=incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/NoopAuthorizor.java&r1=1096322&r2=1096936&rev=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/NoopAuthorizor.java (original)
+++ incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/AuthorizorNoop.java Tue Apr 26 22:38:18 2011
@@ -23,7 +23,7 @@ package org.apache.isis.security.dflt.au
 import org.apache.isis.applib.Identifier;
 import org.apache.isis.core.runtime.authorization.standard.Authorizor;
 
-public class NoopAuthorizor implements Authorizor {
+public class AuthorizorNoop implements Authorizor {
 
 	public void init() {
 		// does nothing

Modified: incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/NoopAuthorizationManagerInstaller.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/NoopAuthorizationManagerInstaller.java?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/NoopAuthorizationManagerInstaller.java (original)
+++ incubator/isis/trunk/security/dflt/src/main/java/org/apache/isis/security/dflt/authorization/NoopAuthorizationManagerInstaller.java Tue Apr 26 22:38:18 2011
@@ -33,7 +33,7 @@ public class NoopAuthorizationManagerIns
  
 	@Override
 	protected Authorizor createAuthorizor(IsisConfiguration configuration) {
-		return new NoopAuthorizor();
+		return new AuthorizorNoop();
 	}
 
 }

Modified: incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticator.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticator.java?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticator.java (original)
+++ incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticator.java Tue Apr 26 22:38:18 2011
@@ -36,6 +36,7 @@ import org.apache.isis.core.runtime.auth
 import org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword;
 import org.apache.isis.core.runtime.authentication.standard.PasswordRequestAuthenticatorAbstract;
 
+import com.google.common.base.Strings;
 import com.google.inject.Inject;
 
 public class FileAuthenticator extends PasswordRequestAuthenticatorAbstract {
@@ -51,7 +52,7 @@ public class FileAuthenticator extends P
     public final boolean isValid(final AuthenticationRequest request) {
         final AuthenticationRequestPassword passwordRequest = (AuthenticationRequestPassword) request;
         final String username = passwordRequest.getName();
-        if (username == null || username.equals("")) {
+        if (Strings.isNullOrEmpty(username)) {
             return false;
         }
         final String password = passwordRequest.getPassword();
@@ -79,13 +80,13 @@ public class FileAuthenticator extends P
                 
                 return isPasswordValidForUser(request, password, line);
             }
+            return false;
         } catch (final IOException e) {
             throw new IsisException("Failed to read password file: " + FileAuthenticationConstants.PASSWORDS_FILE + " from " + resourceStreamSource.getName());
         } finally {
         	IoUtils.closeSafely(reader);
         }
 
-        return false;
     }
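Review bot: The `IOException` caught at `catch (final IOException e)` is not chained into the `IsisException` that replaces it, so the underlying reason the password file could not be read (missing resource, permission problem, bad encoding) disappears from the stack trace when authentication fails. Passing the cause, `throw new IsisException("Failed to read password file: " + FileAuthenticationConstants.PASSWORDS_FILE + " from " + resourceStreamSource.getName(), e);`, preserves it, assuming `IsisException` offers a `(String, Throwable)` constructor. Moving `return false;` inside the try block is behaviourally equivalent to its old position after the finally, so that part of the change is fine. The enclosing `isValid` method starts outside this hunk.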
 
 	private boolean commentedOutOrEmpty(String line) {

Modified: incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authorization/FileAuthorizationConstants.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authorization/FileAuthorizationConstants.java?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authorization/FileAuthorizationConstants.java (original)
+++ incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authorization/FileAuthorizationConstants.java Tue Apr 26 22:38:18 2011
@@ -32,7 +32,7 @@ public final class FileAuthorizationCons
 	public static final String WHITELIST_RESOURCE_KEY = ROOT + "whitelist";
 	public static final String WHITELIST_RESOURCE_DEFAULT = "security_file.allow";
 	
-	public static final String BLACKLIST_RESOURCE = ROOT + "blacklist";
+	public static final String BLACKLIST_RESOURCE_KEY = ROOT + "blacklist";
 	public static final String BLACKLIST_RESOURCE_DEFAULT = "";
 	
 	public static final String LEARN = AuthorizationConstants.LEARN;

Modified: incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authorization/FileAuthorizor.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authorization/FileAuthorizor.java?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authorization/FileAuthorizor.java (original)
+++ incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authorization/FileAuthorizor.java Tue Apr 26 22:38:18 2011
@@ -45,6 +45,8 @@ import org.apache.isis.core.commons.exce
 import org.apache.isis.core.commons.resource.ResourceStreamSource;
 import org.apache.isis.core.runtime.authorization.standard.AuthorizorAbstract;
 import org.apache.log4j.Logger;
+
+import com.google.common.collect.Maps;
 
 
 public class FileAuthorizor extends AuthorizorAbstract implements FileAuthorizorMBean {
@@ -52,8 +54,8 @@ public class FileAuthorizor extends Auth
     private static final Logger LOG = Logger.getLogger(FileAuthorizor.class);
 
     private static final String NONE = "";
-    private static final String RO = "-ro";
-    private static final String RW = "-rw";
+    private static final String ACCESS_QUALIFIER_RO = "-ro";
+    private static final String ACCESS_QUALIFIER_RW = "-rw";
     
     private Map<String,List<String>> whiteListMap;
     private Map<String,List<String>> blackListMap;
@@ -79,7 +81,7 @@ public class FileAuthorizor extends Auth
     	this.learn = getConfiguration().getBoolean(FileAuthorizationConstants.LEARN, FileAuthorizationConstants.LEARN_DEFAULT);
         whiteListResourceName = getConfiguration().getString(FileAuthorizationConstants.WHITELIST_RESOURCE_KEY,FileAuthorizationConstants.WHITELIST_RESOURCE_DEFAULT);
         Assert.assertTrue(whiteListResourceName.length() > 0);
-        blackListResourceName = getConfiguration().getString(FileAuthorizationConstants.BLACKLIST_RESOURCE, FileAuthorizationConstants.BLACKLIST_RESOURCE_DEFAULT);
+        blackListResourceName = getConfiguration().getString(FileAuthorizationConstants.BLACKLIST_RESOURCE_KEY, FileAuthorizationConstants.BLACKLIST_RESOURCE_DEFAULT);
         
         findResources();
     }
@@ -113,8 +115,8 @@ public class FileAuthorizor extends Auth
         if (learn) {
             return;
         }
-        whiteListMap = new HashMap<String,List<String>>();
-        blackListMap = new HashMap<String,List<String>>();
+        whiteListMap = Maps.newHashMap();
+        blackListMap = Maps.newHashMap();
         cacheAuthorizationDetails(whiteListMap, whiteListInputResource);
         if (blackListInputResource != null) {
             cacheAuthorizationDetails(blackListMap, blackListInputResource);
@@ -124,8 +126,8 @@ public class FileAuthorizor extends Auth
     }
 
     public void reload() {
-        Map<String,List<String>> whiteListMap = new HashMap<String,List<String>>();
-        Map<String,List<String>> blackListMap = new HashMap<String,List<String>>();
+        Map<String,List<String>> whiteListMap = Maps.newHashMap();
+        Map<String,List<String>> blackListMap = Maps.newHashMap();
 
         findResources();
         cacheAuthorizationDetails(whiteListMap, whiteListInputResource);
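Review bot: The locals `whiteListMap` and `blackListMap` declared at the top of `reload()` shadow the instance fields of the same name shown in an earlier hunk of this file, and the `cacheAuthorizationDetails` calls populate the locals. Unless the remainder of `reload()`, which continues past this hunk, hands them back with something like `this.whiteListMap = whiteListMap;`, the rebuilt allow/deny lists are discarded and authorization decisions keep using the previous cache; I cannot see that from here. Renaming the locals `newWhiteListMap`/`newBlackListMap` and making the hand-over explicit at the end of the method would remove the ambiguity, and would also read consistently with the `init` path above, which assigns the fields directly.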
@@ -198,15 +200,15 @@ public class FileAuthorizor extends Auth
 
     @Override
     public boolean isUsableInRole(final String role, final Identifier member) {
-        return isAuthorized(role, member, new String[] { NONE, RW });
+        return isAuthorized(role, member, Arrays.asList(NONE, ACCESS_QUALIFIER_RW));
     }
 
     @Override
     public boolean isVisibleInRole(final String role, final Identifier member) {
-        return isAuthorized(role, member, new String[] { NONE, RO, RW });
+        return isAuthorized(role, member, Arrays.asList(NONE, ACCESS_QUALIFIER_RO, ACCESS_QUALIFIER_RW));
     }
 
-    private boolean isAuthorized(final String role, final Identifier member, final String[] qualifiers) {
+    private boolean isAuthorized(final String role, final Identifier member, final List<String> qualifiers) {
         if (learn) {
             return learn(role, member);
         }
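Review bot: `Arrays.asList(NONE, ACCESS_QUALIFIER_RW)` and `Arrays.asList(NONE, ACCESS_QUALIFIER_RO, ACCESS_QUALIFIER_RW)` are rebuilt on every `isUsableInRole`/`isVisibleInRole` call even though their contents are constant, and these methods sit on the per-member authorization path. Declaring them once, e.g. `private static final List<String> USABLE_QUALIFIERS = Collections.unmodifiableList(Arrays.asList(NONE, ACCESS_QUALIFIER_RW));` with a matching `VISIBLE_QUALIFIERS`, and passing those to `isAuthorized` keeps the new `List<String>` signature while avoiding the allocation and ruling out accidental mutation of the qualifier list (this needs a `java.util.Collections` import). `isAuthorized` continues past the end of this hunk.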
@@ -214,15 +216,15 @@ public class FileAuthorizor extends Auth
               !isBlackListed(role, member, qualifiers);
     }
 
-    private boolean isWhiteListed(final String role, final Identifier member, final String[] qualifiers) {
+    private boolean isWhiteListed(final String role, final Identifier member, final List<String> qualifiers) {
         return isListed(whiteListMap, role, member, qualifiers);
     }
 
-    private boolean isBlackListed(final String role, final Identifier member, final String[] qualifiers) {
+    private boolean isBlackListed(final String role, final Identifier member, final List<String> qualifiers) {
         return isListed(blackListMap, role, member, qualifiers);
     }
 
-    private boolean isListed(final Map<String,List<String>> map, final String role, final Identifier identifier, final String[] qualifiers) {
+    private boolean isListed(final Map<String,List<String>> map, final String role, final Identifier identifier, final List<String> qualifiers) {
         if (map.isEmpty()) {// quick fail
             return false;
         }
@@ -238,11 +240,11 @@ public class FileAuthorizor extends Auth
         return false;
     }
 
-    private boolean isQualifiedMatch(final Map<String,List<String>> map, final String role, final String key, final String[] qualifiers) {
+    private boolean isQualifiedMatch(final Map<String,List<String>> map, final String role, final String key, final List<String> qualifiers) {
         if (map.containsKey(key)) {
             final List<String> roles = map.get(key);
-            for (int i = 0; i < qualifiers.length; i++) {
-                final String qualifiedRole = role + qualifiers[i];
+            for (final String qualifier: qualifiers) {
+                final String qualifiedRole = role + qualifier;
                 if (roles.contains(qualifiedRole)) {
                     return true;
                 }
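Review bot: `isQualifiedMatch` still does two lookups on `map`, `map.containsKey(key)` followed by `map.get(key)`, where `final List<String> roles = map.get(key); if (roles != null) { ... }` expresses the same check in one. Whether a key can ever be stored with a null value depends on `cacheAuthorizationDetails`, which is not visible here; the null-check form also covers that case instead of failing at `roles.contains`. The new for-each loop over `qualifiers` is a clear improvement over the index loop. The method's closing lines are outside this hunk.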

Modified: incubator/isis/trunk/security/ldap/src/main/java/org/apache/isis/security/ldap/authorization/LdapAuthorizor.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/ldap/src/main/java/org/apache/isis/security/ldap/authorization/LdapAuthorizor.java?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/security/ldap/src/main/java/org/apache/isis/security/ldap/authorization/LdapAuthorizor.java (original)
+++ incubator/isis/trunk/security/ldap/src/main/java/org/apache/isis/security/ldap/authorization/LdapAuthorizor.java Tue Apr 26 22:38:18 2011
@@ -49,7 +49,7 @@ public class LdapAuthorizor extends Auth
     private static final Logger LOG = Logger.getLogger(LdapAuthorizor.class);
     
     private static final String FILTER = "(&(uniquemember={0}) (|(cn={1}) (cn={2}) (cn={3})))";
-    private static final String RW = "RW";
+    private static final String ACCESS_QUALIFIER_RW = "RW";
     
     private final String ldapProvider;
     @SuppressWarnings("unused")
@@ -85,7 +85,7 @@ public class LdapAuthorizor extends Auth
     //////////////////////////////////////////////////////////
 
     public boolean isUsableInRole(final String role, final Identifier member) {
-        return isAuthorised(role, member, RW);
+        return isAuthorised(role, member, ACCESS_QUALIFIER_RW);
     }
 
     public boolean isVisibleInRole(final String role, final Identifier member) {

Modified: incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml (original)
+++ incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml Tue Apr 26 22:38:18 2011
@@ -90,8 +90,8 @@
             <para>Writing a Custom Implementation</para>
 
             <para>This part of the guide (see <xref
-            linkend="prt.WritingACustomImplementation" />) describes how to go
-            about writing your own custom implementation of the security
+            linkend="prt.ImplementingACustomImplementation" />) describes how
+            to go about writing your own custom implementation of the security
             <acronym>API</acronym>.</para>
           </listitem>
 
@@ -109,124 +109,55 @@
     <sect1>
       <title>How this Guide relates to other Documentation</title>
 
-      <para>*** todo</para>
-
-      <para>*** x-ref the core docs.</para>
-
-      <para></para>
+      <para>The <emphasis>core</emphasis> documentation
+      <package>[oai:core]</package> describes the security
+      <acronym>API</acronym> as defined by the <emphasis>core
+      runtime</emphasis> <package>[oai.core:runtime]</package>. The runtime
+      documentation (for example the <emphasis>default runtime</emphasis>
+      module <package>[oai.runtimes:dflt]</package>) will describe how to
+      configure security, but for convenience the configuration information is
+      also provided in this guide also.</para>
     </sect1>
   </preface>
 
-  <chapter id="chp.SecurityApi">
-    <title>*** Introduction</title>
-
-    <abstract>
-      <para>This chapter covers the authentication and authorization
-      APIs</para>
-    </abstract>
-
-    <para></para>
-
-    <para>*** go through these words and move around; get rid of this
-    introductory chapter.</para>
-
-    <para></para>
-
-    <para></para>
-
-    <para></para>
-
-    <para>Apache Isis supports authentication  and role-based authorization.
-    Within the framework the user is represented by a
-    <classname>Session</classname> object. From the session object you can get
-    the name of the user and their roles.</para>
-
-    <para>The session is used within the distribution mechanism and the
-    security manager. The security manager uses the session to determine if a
-    user can access or manipulate an object member. The distribution mechanism
-    passes the session to the server so the server knows which user is
-    accessing it.</para>
-
-    <para></para>
-
-    <para></para>
-
-    <para></para>
-
-    <para></para>
-
-    <para>As with authentication, authorization may be executed via a file,
-    LDAP, or database. If no authorization mechanism is specified, all domain
-    calls, methods and properties will be available to all users.</para>
-
-    <para></para>
-
-    <para></para>
-
-    <note>
-      <para>TODO: tidy up the following paras, were just copied/pasted in from
-      APT</para>
-    </note>
-
-    <para><emphasis></emphasis></para>
-
-    <para><emphasis>Apache Isis</emphasis> applications support authentication
-    ("who are you"?) and authorization ("what can you do?"). This allows the
-    set of functionality to be restricted based upon the user's role, with no
-    security knowledge needing to be embedded within the domain objects. The
-    API is defined in {{{../core/runtime/index.html}runtime}}, along with two
-    implementations, one file-based and one using LDAP.</para>
-
-    <para></para>
-
-    <para></para>
-
-    <para>An <classname>Authoriser</classname> processes an
-    <classname>AuthorizationRequest</classname> and if granted generates a
-    <classname>Session</classname> object to represent the user.</para>
-
-    <para></para>
-
-    <para></para>
-
-    <para>There is an optional capability to authorise the visibility and
-    usability of fields independently. Thus a field may be visible to certain
-    roles but not editable. In order to configure this against a authorization
-    a flag must be added as follows.</para>
-
-    <para></para>
-
-    <para></para>
-
-    <sect1>
-      <title>Capturing authorization requirements automatically</title>
-
-      <para>As a tool for helping to configure the initial security settings
-      there is a 'learn' property.</para>
-
-      <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
-
-      <para>When this is present and set, all methods will be authorised for
-      all roles. However as each method is accessed through the user interface
-      authorization will be configured for that method and the current role.
-      Configuration will be saved in either the file (saved on shutdown),
-      database table or LDAP security settings depending upon the reflector
-      setup.</para>
-
-      <para>The settings can then be modified to conform to the required
-      security settings.</para>
-
-      <para></para>
-
-      <para></para>
-    </sect1>
-  </chapter>
-
-  <part>
+  <part id="prt.IsisImplementations">
     <title>Isis Security Implementations</title>
 
     <partintro>
-      <para>***</para>
+      <para><emphasis>Apache Isis</emphasis> applications support
+      authentication ("who are you"?) and authorization ("what can you do?").
+      This allows the set of functionality to be restricted based upon the
+      user's role, with no security knowledge needing to be embedded within
+      the domain objects. </para>
+
+      <para>From the domain objects persepective the user is represented as
+      the <classname>UserMemento</classname> and
+      <classname>RoleMemento</classname> values (in the
+      <package>oai.applib.security</package> package), but within the
+      framework the user is represented by an
+      <classname>AuthenticationSession</classname> object. From this session
+      object can be obtained the name of the user and their roles.</para>
+
+      <para>The security <acronym>API</acronym> is defined in the
+      <emphasis>core runtime</emphasis> module [oai.core:runtime] by the
+      <classname>AuthenticationManager</classname> interface and the
+      <classname>AuthorizationManager</classname> interface. Isis has a number
+      of implementations of both: a default (no-op) implementation, a simple
+      file-based implementation and an <acronym>LDAP</acronym> implementation.
+      The default for the authentication manager depends on the runtime;
+      </para>
+
+      <para>If no authorization manager has been specified, then all domain
+      properties, collections and actions will be available to all users. When
+      an authorization manager is configured, it can be used to authorise the
+      visibility ("can you see it?") and usability ("can you use it?") of
+      properties/collections and actions independently. This is done with
+      respect to the roles that are assigned to the user. Thus an object
+      member may be visible to certain roles but not editable.</para>
+
+      <para>It is possible, if required, to mix-and-match implementations. For
+      example, authentication could be using LDAP, but authorization could be
+      done using file-based implementation or a custom implementation.</para>
     </partintro>
 
     <chapter>
@@ -239,7 +170,7 @@
       <sect1>
         <title>***</title>
 
-        <para><emphasis>*** yada yadat</emphasis></para>
+        <para><emphasis>*** yada yada</emphasis></para>
       </sect1>
     </chapter>
 
@@ -247,382 +178,200 @@
       <title>File Security Implementation</title>
 
       <abstract>
-        <para>*** yada yada</para>
+        <para>A simple file-based security implementation that reads from
+        plain text files that reside in the configuration directory.</para>
       </abstract>
 
       <sect1>
-        <title>***</title>
-
-        <para><emphasis>*** yada yada</emphasis></para>
-      </sect1>
-
-      <sect1>
-        <title>Adding Security (Authentication and Authorization)</title>
+        <title>Authentication</title>
 
-        <para><remark></remark></para>
-
-        <para></para>
-
-        <para>... also, move into the next chapters</para>
-
-        <para></para>
+        <para>Authentication grants access to users, and determines their
+        current roles.</para>
 
         <sect2>
-          <title>Authentication using a passwords file</title>
-
-          <para>Create a file called <filename class="directory"
-          moreinfo="none">password</filename>s, and place into the <filename
-          class="directory" moreinfo="none">config</filename> directory as the
-          following example shows.</para>
-
-          <screen format="linespecific">config/
-   passwords
-</screen>
-
-          <para>The following example shows how user names (sven and dick) and
-          corresponding passwords (passwd1 and passwd2) should be specified in
-          the password file.</para>
-
-          <programlisting format="linespecific">sven:passwd1
-dick:passwd2</programlisting>
-        </sect2>
+          <title>The Passwords File</title>
 
-        <sect2>
-          <title>Authentication through a passwords file</title>
+          <para>The file-based authenticator reads the user/passwords and
+          roles from a file called <filename class="directory"
+          moreinfo="none">security_file.password</filename>s. This should
+          reside in the same location as the
+          <emphasis>isis.properties</emphasis> configuration file.</para>
 
-          <para>To explicitly use file-based authentication set the following
-          property. (Note, however, that if this property is absent, the
-          framework will anyway assume file-based authentication as the
-          default).</para>
-
-          <programlisting format="linespecific">isis.authentication=file</programlisting>
-
-          <para>The location and name of the passwords file may be specified
-          explicitly - if not it defaults to the <filename class="directory"
-          moreinfo="none">passwords</filename> file, assumed to be in the
-          <filename class="directory" moreinfo="none">config</filename>
-          directory (or under WEB-INF if running as a web application).</para>
-
-          <programlisting format="linespecific">isis.authentication.file.location= passwords  </programlisting>
-
-          <para>The <filename class="directory"
-          moreinfo="none">passwords</filename> file contains users, passwords
-          and any roles, as follows.</para>
+          <para>The format of this file is:</para>
 
           <programlisting format="linespecific">&lt;user&gt;:&lt;password&gt;:&lt;role&gt;|&lt;role&gt;|...</programlisting>
-
-          <para>For example, user 'sven', with password 'pass' and roles
-          'role1' and 'role2' would be</para>
-
-          <programlisting format="linespecific">sven:pass:role1|role2 </programlisting>
         </sect2>
 
         <sect2>
-          <title>Authorization using Allow and/or Disallow files</title>
+          <title>Example</title>
 
-          <para>Authorization allows access to actions and properties to be
-          controlled by configuration. Authorization is entirely optional and
-          is disabled by default - in which case every user is given access to
-          all actions and properties. A prerequisite for authorization is for
-          users to have roles. These should be added to the password file as
-          follows.</para>
-
-          <programlisting format="linespecific">sven:passwd1:ordinary_user
-dick:passwd2:special_user|admin</programlisting>
-
-          <para>Sven has the role 'ordinary_user', dick has the two roles
-          'special_user' and 'admin'.</para>
-
-          <para>[[NAME]] needs to be told which actions and properties are
-          authorised for which roles. The simplest way to do this is in a file
-          i.e. <filename class="directory" moreinfo="none">allow</filename> in
-          the config directory.</para>
-
-          <screen format="linespecific">config/
-   <emphasis role="strong">password</emphasis>
-      <emphasis role="strong">allow</emphasis>
-   </screen>
-
-          <para>Each entry in the <filename class="directory"
-          moreinfo="none">allow</filename> file specifies either a class, or a
-          particular action or property within a class, together with the
-          roles that are allowed to access it. E.g.</para>
-
-          <screen format="linespecific">example.dom.PhoneNumber#Number:ordinary_user|special_user
-example.dom.Contact#Phones:ordinary_user|special_user
-example.dom.Contact#FullName:ordinary_user|special_user
-org.apache.isis.nof.core.service.SimpleRepository#FindByTitle(java.lang.String):ordinary_user|special_user
-example.dom.PhoneNumber#Type:ordinary_user|special_user
-example.dom.Contact#KnownAs:ordinary_user|special_user
-org.apache.isis.nof.core.service.SimpleRepository#NewPersistentInstance():ordinary_user|special_user
-example.dom.Contact#CreatePhone():special_user
-org.apache.isis.nof.core.service.SimpleRepository#NewTransientInstance():ordinary_user|special_user
-org.apache.isis.nof.core.service.SimpleRepository#AllInstances():ordinary_user|special_user
-</screen>
-
-          <para>The above file allows 'example.dom.Contact#CreatePhone()' only
-          for users with role 'special_user' all other actions and properties
-          are allowed for roles 'ordinary_user' and 'special_user'. A
-          different, terser implementation of this would be to use separate
-          <filename class="directory" moreinfo="none">allow</filename> and
-          <filename class="directory" moreinfo="none">disallow</filename>
-          files, or example, the <filename class="directory"
-          moreinfo="none">allow</filename> file:</para>
-
-          <screen format="linespecific">example.dom.PhoneNumber:ordinary_user|special_user
-example.dom.Contact:ordinary_user|special_user
-org.apache.isis.nof.core.service.SimpleRepository:ordinary_user|special_user
-</screen>
-
-          <para>and the <filename class="directory"
-          moreinfo="none">disallow</filename> file:</para>
-
-          <screen format="linespecific">example.dom.Contact#CreatePhone():ordinary_user</screen>
-
-          <para>For more details, see the section on Managing Security.</para>
-
-          <para></para>
-
-          <para></para>
+          <para>The following example shows how user names (sven and dick) and
+          corresponding passwords (passwd1 and passwd2) should be specified in
+          the password file.</para>
 
-          <para></para>
+          <programlisting format="linespecific">sven:passwd1:role1|role2
+dick:passwd2:role3</programlisting>
 
-          <para></para>
+          <para>The user 'sven' has roles 'role1' and 'role2', while 'dick'
+          has 'role3'.</para>
         </sect2>
+      </sect1>
 
-        <sect2>
-          <title>Authentication through a passwords file</title>
-
-          <para>from the "managing security" section</para>
-
-          <para></para>
-
-          <para>To explicitly use file-based authentication set the following
-          property. (Note, however, that if this property is absent, the
-          framework will anyway assume file-based authentication as the
-          default).</para>
-
-          <programlisting format="linespecific">isis.authentication=file</programlisting>
-
-          <para>The location and name of the passwords file may be specified
-          explicitly - if not it defaults to the <filename class="directory"
-          moreinfo="none">passwords</filename> file, assumed to be in the
-          <filename class="directory" moreinfo="none">config</filename>
-          directory (or under WEB-INF if running as a web application).</para>
-
-          <programlisting format="linespecific">isis.authentication.file.location= passwords  </programlisting>
-
-          <para>The <filename class="directory"
-          moreinfo="none">passwords</filename> file contains users, passwords
-          and any roles, as follows.</para>
-
-          <programlisting format="linespecific">&lt;user&gt;:&lt;password&gt;:&lt;role&gt;|&lt;role&gt;|...</programlisting>
-
-          <para>For example, user 'sven', with password 'pass' and roles
-          'role1' and 'role2' would be</para>
-
-          <programlisting format="linespecific">sven:pass:role1|role2 </programlisting>
-
-          <para></para>
-
-          <para></para>
-
-          <para></para>
+      <sect1>
+        <title>Authorization</title>
 
-          <para></para>
-        </sect2>
+        <para>Authorization allows access to actions and properties to be
+        controlled by configuration. </para>
 
         <sect2>
           <title>Authorization through 'allow' and 'disallow' files</title>
 
-          <para>To enable authorization by file including the facet and
-          specifying the authorization implementation in the settings</para>
-
-          <programlisting format="linespecific">isis.reflector.facets.include=\
-    org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
-isis.authorization=file</programlisting>
-
           <para>With file authorization the current user's role will be
           authorised against a white and (optionally) a black list for each
           method possibly available to them. The files are identified by
           properties, e.g.</para>
 
-          <programlisting format="linespecific">isis.authorization.file.whitelist=allow
-isis.authorization.file.blacklist=disallow  </programlisting>
+          <programlisting format="linespecific">isis.authorization.file.whitelist=security_file.allow
+isis.authorization.file.blacklist=security_file.disallow  </programlisting>
 
           <para>The white list file is mandatory, if there is no property it
-          defaults to 'allow' (picked up from the config directory or from
-          WEB-INF if running as a webapp). The black list file is optional.
-          The presence of the property indicates it is being used. If the
-          white list file default is being used then 'disallow' is suggested
-          as a setting for the black list.</para>
-
-          <para>Each file contains a signature to match against and a list of
-          roles. A match in the white list file permits the method and match
-          in the black list forbids it. The black list overrides the white
-          list. Matching occurs at three levels class, method (or property)
-          and parameters. Property matches are to the bean property name e.g.
-          'phone' for getPhone and setPhone.</para>
-
-          <para>Formatted as follows:</para>
-
-          <para>If only class is to be matched: &lt;fully qualified class&gt;
-          :role1|role2|..</para>
-
-          <para>Class and method: &lt;fully qualified
-          class&gt;#&lt;method&gt;:role1|role2|..</para>
-
-          <para>Class and property: &lt;fully qualified
-          class&gt;#&lt;property&gt;:role1|role2|..</para>
-
-          <para>Parameters where method takes no parameters: &lt;fully
-          qualified class&gt;#&lt;method&gt;():role1|role2|...</para>
-
-          <para>Parameters where method takes one parameter: &lt;fully
-          qualified class&gt;#&lt;method&gt;(fully qualified parameter
-          class):role1|role2|...</para>
-
-          <para>Parameters where method takes two or more:</para>
-
-          <para>&lt;fully qualified class&gt;#&lt;method&gt;(fully qualified
-          parameter class1, fully qualified parameter class2,
-          ...):role1|role2|...</para>
+          defaults to <filename>security_file.allow</filename>, and is picked
+          up from the same location as the
+          <filename>isis.properties</filename> configuration file.</para>
+
+          <para>The black list file is optional; the presence of the property
+          indicates it is being used. If the white list file default is being
+          used then we recommend <filename>security_file.disallow</filename>
+          as the name of the black list file. Again, it is picked up from the
+          same location as <filename>isis.properties</filename> configuration
+          file.</para>
 
-          <para>Each line in the file is a separate match.</para>
-
-          <para>So, for example, in the white list file</para>
-
-          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate:role1 </programlisting>
-
-          <para>will permit all actions/properties on <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-          for role1</para>
+          <para>The settings can then be modified to conform to the required
+          security settings.</para>
+        </sect2>
 
-          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.
-    ClaimantRepositoryHibernate#findClaimantByName:role1|role2</programlisting>
+        <sect2>
+          <title>Matching</title>
 
-          <para>will permit all overloaded methods named <literal
-          moreinfo="none">findClaimantByName</literal> on <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
-          for role1 and role2 and</para>
+          <para>Each file contains a signature to match against and a list of
+          roles, which follow the same <itemizedlist>
+              <listitem>
+                <para>A match in the white list file permits the access</para>
+              </listitem>
+
+              <listitem>
+                <para>A match in the black list forbids it the access</para>
+              </listitem>
+
+              <listitem>
+                <para>The black list overrides the white list</para>
+              </listitem>
+            </itemizedlist></para>
 
-          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate#findClaimantByIdentifier(java.lang.String):role3</programlisting>
+          <para>Matching occurs at three levels class, method (or property)
+          and parameters</para>
 
-          <para>will permit <literal
-          moreinfo="none">findClaimantByIdentifier</literal> with parameter
-          <literal moreinfo="none">java.lang.String</literal> on <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
-          for role3. In each case an identical entry in the black list file
-          will instead make the action or property unavailable. The
-          combination of white and black list allows some economy in the
-          settings. For example, if all but one method of a large class is to
-          be allowed, that could be configured with one entry per method in
-          the white list file or, better, a single entry for the class in the
-          white list and a single entry for the unavailable method in the
-          black list.</para>
+          <para>Property matches are to the bean property name e.g. 'phone'
+          for getPhone and setPhone.</para>
         </sect2>
 
         <sect2>
-          <title>Authorization through 'allow' and 'disallow' files</title>
+          <title>File Format</title>
 
-          <para>To enable authorization by file including the facet and
-          specifying the authorization implementation in the settings</para>
+          <para>The files are formatted as follows:</para>
 
-          <programlisting format="linespecific">isis.reflector.facets.include=\
-    org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
-isis.authorization=file</programlisting>
+          <itemizedlist>
+            <listitem>
+              <para>If only class is to be matched: </para>
 
-          <para>With file authorization the current user's role will be
-          authorised against a white and (optionally) a black list for each
-          method possibly available to them. The files are identified by
-          properties, e.g.</para>
+              <para><programlisting>&lt;fully qualified class&gt; :role1|role2|..</programlisting></para>
+            </listitem>
 
-          <programlisting format="linespecific">isis.authorization.file.whitelist=allow
-isis.authorization.file.blacklist=disallow  </programlisting>
+            <listitem>
+              <para>If class and method matched: </para>
 
-          <para>The white list file is mandatory, if there is no property it
-          defaults to 'allow' (picked up from the config directory or from
-          WEB-INF if running as a webapp). The black list file is optional.
-          The presence of the property indicates it is being used. If the
-          white list file default is being used then 'disallow' is suggested
-          as a setting for the black list.</para>
+              <programlisting>&lt;fully qualified class&gt;#&lt;method&gt;:role1|role2|..</programlisting>
+            </listitem>
 
-          <para>Each file contains a signature to match against and a list of
-          roles. A match in the white list file permits the method and match
-          in the black list forbids it. The black list overrides the white
-          list. Matching occurs at three levels class, method (or property)
-          and parameters. Property matches are to the bean property name e.g.
-          'phone' for getPhone and setPhone.</para>
+            <listitem>
+              <para>If class and property/collection matched:</para>
 
-          <para>Formatted as follows:</para>
+              <programlisting>&lt;fully qualified class&gt;#&lt;property&gt;:role1|role2|..</programlisting>
+            </listitem>
 
-          <para>If only class is to be matched: &lt;fully qualified class&gt;
-          :role1|role2|..</para>
+            <listitem>
+              <para>If action where method takes no parameters: </para>
 
-          <para>Class and method: &lt;fully qualified
-          class&gt;#&lt;method&gt;:role1|role2|..</para>
+              <programlisting>&lt;fully qualified class&gt;#&lt;method&gt;():role1|role2|...</programlisting>
+            </listitem>
 
-          <para>Class and property: &lt;fully qualified
-          class&gt;#&lt;property&gt;:role1|role2|..</para>
+            <listitem>
+              <para>If action where method takes one parameter: </para>
 
-          <para>Parameters where method takes no parameters: &lt;fully
-          qualified class&gt;#&lt;method&gt;():role1|role2|...</para>
+              <programlisting>&lt;fully qualified class&gt;#&lt;method&gt;(fully qualified parameter class):role1|role2|...</programlisting>
+            </listitem>
 
-          <para>Parameters where method takes one parameter: &lt;fully
-          qualified class&gt;#&lt;method&gt;(fully qualified parameter
-          class):role1|role2|...</para>
+            <listitem>
+              <para>If action where method takes two or more
+              parameters:<programlisting>&lt;fully qualified class&gt;#&lt;method&gt;(fully qualified parameter class1, fully qualified parameter class2, ...):role1|role2|...</programlisting></para>
+            </listitem>
+          </itemizedlist>
 
-          <para>Parameters where method takes two or more:</para>
+          <para>Each line in the file is a separate match.</para>
 
-          <para>&lt;fully qualified class&gt;#&lt;method&gt;(fully qualified
-          parameter class1, fully qualified parameter class2,
-          ...):role1|role2|...</para>
+          <para>There is an optional capability to authorise the visibility
+          and usability of fields independently. Thus a field may be visible
+          to certain roles but not editable. In order to configure this
+          against a authorization a qualifier is added to the role, either
+          "-ro" for read-only (visible) or "-rw" for read/write (visible and
+          usable). For example:</para>
 
-          <para>Each line in the file is a separate match.</para>
+          <programlisting>&lt;fully qualified class&gt; :role1-ro|role2-rw|..</programlisting>
+        </sect2>
 
-          <para>So, for example, in the white list file</para>
+        <sect2>
+          <title>Example</title>
 
-          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate:role1 </programlisting>
+          <para>For example, if in the white list file we have:</para>
 
-          <para>will permit all actions/properties on <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-          for role1</para>
+          <programlisting format="linespecific">org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDflt:role1 </programlisting>
 
-          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.
-    ClaimantRepositoryHibernate#findClaimantByName:role1|role2</programlisting>
+          <para>then this will permit all actions/properties on <literal
+          moreinfo="none">org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDflt</literal>
+          for role1 to invoke.</para>
 
-          <para>will permit all overloaded methods named <literal
+          <para>Meanwhile, if we have:</para>
+
+          <programlisting format="linespecific">org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDflt#findClaimantByName:role1-ro|role2-rw</programlisting>
+
+          <para>then this will permit all overloaded methods named <literal
           moreinfo="none">findClaimantByName</literal> on <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
-          for role1 and role2 and</para>
+          moreinfo="none">org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDflt</literal>
+          for role1 to view, and for role2 to view and also invoke</para>
 
-          <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate#findClaimantByIdentifier(java.lang.String):role3</programlisting>
+          <para>Finally, if we have:</para>
 
-          <para>will permit <literal
+          <programlisting format="linespecific">org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDflt#findClaimantByIdentifier(java.lang.String):role3-rw</programlisting>
+
+          <para>then this will permit <literal
           moreinfo="none">findClaimantByIdentifier</literal> with parameter
           <literal moreinfo="none">java.lang.String</literal> on <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
-          for role3. In each case an identical entry in the black list file
-          will instead make the action or property unavailable. The
-          combination of white and black list allows some economy in the
-          settings. For example, if all but one method of a large class is to
-          be allowed, that could be configured with one entry per method in
+          moreinfo="none">org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDflt</literal>
+          for role3 to invoke.</para>
+
+          <para>In each case an identical entry in the black list file will
+          instead make the action or property unavailable. </para>
+
+          <para>The combination of white and black list allows some economy in
+          the settings. For example, if all but one method of a large class is
+          to be allowed, that could be configured with one entry per method in
           the white list file or, better, a single entry for the class in the
           white list and a single entry for the unavailable method in the
           black list.</para>
+        </sect2>
 
-          <para></para>
-
-          <para></para>
-
-          <para>There is an optional capability to authorise the visibility
-          and usability of fields independently. Thus a field may be visible
-          to certain roles but not editable. In order to configure this
-          against a authorization a flag must be added as follows.</para>
-
-          <para></para>
-
-          <para></para>
+        <sect2>
+          <title>Auto-learn</title>
 
           <para>As a tool for helping to configure the initial security
           settings there is a 'learn' property.</para>
@@ -632,18 +381,8 @@ isis.authorization.file.blacklist=disall
           <para>When this is present and set, all methods will be authorised
           for all roles. However as each method is accessed through the user
           interface authorization will be configured for that method and the
-          current role. Configuration will be saved in either the file (saved
-          on shutdown), database table or LDAP security settings depending
-          upon the reflector setup.</para>
-
-          <para>The settings can then be modified to conform to the required
-          security settings.</para>
-
-          <para></para>
-
-          <para></para>
-
-          <para></para>
+          current role. The idea is to these files can then be used as the
+          basis for explicit configuration once auto-learn is disabled.</para>
         </sect2>
       </sect1>
     </chapter>
@@ -656,227 +395,216 @@ isis.authorization.file.blacklist=disall
       </abstract>
 
       <sect1>
-        <title>***</title>
+        <title>Authentication</title>
 
-        <para><emphasis>*** yada yada</emphasis></para>
-
-        <sect2>
-          <title>Authentication through an LDAP server</title>
+        <para>LDAP needs a URL for the server and a 'dn' of the root of the
+        users on the server. For example,</para>
 
-          <para>To authenticate through LDAP set</para>
+        <programlisting format="linespecific">isis.authentication.ldap.dn= dc=isis, dc=org </programlisting>
 
-          <programlisting format="linespecific">isis.authentication=ldap</programlisting>
+        <programlisting format="linespecific">isis.authentication.ldap.server=ldap://localhost:10389</programlisting>
 
-          <para>LDAP needs a URL for the server and a 'dn' of the root of the
-          users on the server. For example,</para>
+        <para>The logon password check will be on uid='username', &lt;dn&gt;
+        -</para>
 
-          <programlisting format="linespecific">isis.authentication.ldap.dn= dc=isis, dc=org </programlisting>
+        <para>For example, attempting to logon with user 'sven' with the above
+        settings will check against the server on localhost, port = 10389,
+        uid=sven, dc=isis, dc=org, using the password in the standard <literal
+        moreinfo="none">userpassword</literal> attribute in that entry. Once
+        logged in, roles will be picked up from cn='rolename' where
+        objectclass =organizationalRole in child entries of the user
+        entry.</para>
+      </sect1>
 
-          <programlisting format="linespecific">isis.authentication.ldap.server=ldap://localhost:10389</programlisting>
+      <sect1>
+        <title>Authorization</title>
 
-          <para>The logon password check will be on uid='username', &lt;dn&gt;
-          - For example, attempting to logon with user 'sven' with the above
-          settings will check against the server on localhost, port = 10389,
-          uid=sven, dc=isis, dc=org, using the password in the standard
-          <literal moreinfo="none">userpassword</literal> attribute in that
-          entry. Once logged in, roles will be picked up from cn='rolename'
-          where objectclass =organizationalRole in child entries of the user
-          entry.</para>
-        </sect2>
+        <para>With LDAP authorization the current user's role will be
+        authorised against an entry in the LDAP server for each method
+        possibly available to them. The URL of the server is obtained from the
+        same property as for authentication.</para>
 
-        <sect2>
-          <title>Authorization through LDAP server</title>
+        <para>The authorization entries should exist under a DN configured in
+        the property file. For example.</para>
 
-          <para>To enable authorization by LDAP server include facet for
-          authorization and specifying the <literal
-          moreinfo="none">ldap</literal> implementation for
-          authorization.</para>
-
-          <programlisting format="linespecific">isis.reflector.facets.include=\
-    org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
-isis.authorization=ldap</programlisting>
-
-          <para>With LDAP authorization the current user's role will be
-          authorised against an entry in the LDAP server for each method
-          possibly available to them. The URL of the server is obtained from
-          the same property as for authentication.</para>
-
-          <para>The authorization entries should exist under a DN configured
-          in the property file. For example.</para>
-
-          <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
-
-          <para>This will be checked anonymously.</para>
-
-          <para>Entries to be matched against should exist under this dn.
-          Expected configuration is a hierarchy of class, method and
-          parameters. The cn of each entry is expected to be the fully
-          qualified class name, method or parameter list ('()' for an empty
-          parameter list). If an entry has a 'uniquemember' attribute equal to
-          'role' then that entry and all sub-entries are authorised.</para>
-
-          <para>For example</para>
-
-          <para>DN:
-          cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
-          cn=expenses, dc=apps, dc=isis, dc=org</para>
-
-          <para>with uniquemember = role1 will authorise all members of
-          <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-          for users with role1.</para>
-
-          <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
-          java.lang.String),</para>
-
-          <para>cn=createNewClaim,
-          cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
-          cn=expenses, dc=apps, dc=isis, dc=org</para>
-
-          <para>with uniquemember = role1 will authorise the <literal
-          moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
-          String)</literal> member of <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-          for users with role1.</para>
-        </sect2>
+        <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
 
-        <sect2>
-          <title>Authorization through LDAP server</title>
+        <para>This will be checked anonymously.</para>
 
-          <para>To enable authorization by LDAP server include facet for
-          authorization and specifying the <literal
-          moreinfo="none">ldap</literal> implementation for
-          authorization.</para>
+        <para>Entries to be matched against should exist under this dn.
+        Expected configuration is a hierarchy of class, method and parameters.
+        The cn of each entry is expected to be the fully qualified class name,
+        method or parameter list ('()' for an empty parameter list). If an
+        entry has a 'uniquemember' attribute equal to 'role' then that entry
+        and all sub-entries are authorised.</para>
 
-          <programlisting format="linespecific">isis.reflector.facets.include=\
-    org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
-isis.authorization=ldap</programlisting>
+        <para>For example:</para>
 
-          <para>With LDAP authorization the current user's role will be
-          authorised against an entry in the LDAP server for each method
-          possibly available to them. The URL of the server is obtained from
-          the same property as for authentication.</para>
+        <itemizedlist>
+          <listitem>
+            <para>DN:
+            cn=org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDefault,
+            cn=expenses, dc=apps, dc=isis, dc=org</para>
+
+            <para>with uniquemember = role1</para>
+
+            <para>will authorise all members of <literal
+            moreinfo="none">org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDefault</literal>
+            for users with role1.</para>
+          </listitem>
 
-          <para>The authorization entries should exist under a DN configured
-          in the property file. For example.</para>
+          <listitem>
+            <para>DN: cn=(org.apache.isis.expenses.claims.Claimant,
+            java.lang.String), cn=createNewClaim,
+            cn=org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDefault,
+            cn=expenses, dc=apps, dc=isis, dc=org</para>
+
+            <para>with uniquemember = role1</para>
+
+            <para>will authorise the <literal
+            moreinfo="none">createNewClaim(org.apache.isis.expenses.claims.Claimant,
+            String)</literal> member of <literal
+            moreinfo="none">org.apache.isis.expenses.claims.objstoredflt.ClaimRepositoryDefault</literal>
+            for users with role1.</para>
+          </listitem>
+        </itemizedlist>
 
-          <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
+        <para>There is an optional capability to authorise the visibility and
+        usability of fields independently. Thus a field may be visible to
+        certain roles but not editable. In order to configure this against a
+        authorization a flag must be added by setting a "flags" attribute to
+        the entry with the role. <itemizedlist>
+            <listitem>
+              <para>If it is set to 'rw' then editing will be allowed,</para>
+            </listitem>
+
+            <listitem>
+              <para>If it is set to any other value (typically 'ro') then
+              editing is disallowed</para>
+            </listitem>
+          </itemizedlist></para>
 
-          <para>This will be checked anonymously.</para>
+        <para>In each case absence of the flag will mean that visibility and
+        usability and are always the same.</para>
+      </sect1>
+    </chapter>
+  </part>
 
-          <para>Entries to be matched against should exist under this dn.
-          Expected configuration is a hierarchy of class, method and
-          parameters. The cn of each entry is expected to be the fully
-          qualified class name, method or parameter list ('()' for an empty
-          parameter list). If an entry has a 'uniquemember' attribute equal to
-          'role' then that entry and all sub-entries are authorised.</para>
+  <part id="prt.ConfiguringTheRuntime">
+    <title>Configuring the Runtime</title>
 
-          <para>For example</para>
+    <partintro>
+      <para>***</para>
 
-          <para>DN:
-          cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
-          cn=expenses, dc=apps, dc=isis, dc=org</para>
+      <para></para>
+    </partintro>
 
-          <para>with uniquemember = role1 will authorise all members of
-          <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-          for users with role1.</para>
+    <chapter>
+      <title>Configuring the Default Runtime</title>
 
-          <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
-          java.lang.String),</para>
+      <abstract>
+        <para>*** yada yada</para>
+      </abstract>
 
-          <para>cn=createNewClaim,
-          cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
-          cn=expenses, dc=apps, dc=isis, dc=org</para>
+      <para></para>
 
-          <para>with uniquemember = role1 will authorise the <literal
-          moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
-          String)</literal> member of <literal
-          moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
-          for users with role1.</para>
+      <sect1>
+        <title>Exploration Mode</title>
 
-          <para></para>
+        <para>The list of users that can be switched between during
+        exploration can be listed, separated by commas, using:</para>
 
-          <para></para>
+        <programlisting format="linespecific">isis.exploration.users=sven, dick, bob</programlisting>
 
-          <para>There is an optional capability to authorise the visibility
-          and usability of fields independently. Thus a field may be visible
-          to certain roles but not editable. In order to configure this
-          against a authorization a flag must be added as follows.</para>
+        <para>If no users are specified the default user "exploration" will be
+        used and switching between users will not be possible.</para>
 
-          <para></para>
+        <para><note>
+            <para>The ability to switch between users also depends on the
+            viewer being used; not every viewer has necessarily implemented
+            this feature.</para>
+          </note></para>
+      </sect1>
 
-          <para>Add a flags attribute to the entry with the role. If it's set
-          to 'rw' editing will be allowed, any other value (typically 'ro')
-          will disallow editing.</para>
+      <sect1>
+        <title>No Configuration</title>
 
-          <para>In each case absence of the flag will mean that visibility and
-          usability and are always the same.</para>
+        <para></para>
 
-          <para></para>
+        <para>If no authenticator is configured, then the behaviour depends on
+        the system:</para>
 
-          <para></para>
+        <itemizedlist>
+          <listitem>
+            <para>Exploration Mode</para>
 
-          <para>As a tool for helping to configure the initial security
-          settings there is a 'learn' property.</para>
+            <para>*** yada yada</para>
+          </listitem>
 
-          <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
+          <listitem>
+            <para>Prototype Mode</para>
 
-          <para>When this is present and set, all methods will be authorised
-          for all roles. However as each method is accessed through the user
-          interface authorization will be configured for that method and the
-          current role. Configuration will be saved in either the file (saved
-          on shutdown), database table or LDAP security settings depending
-          upon the reflector setup.</para>
+            <para>*** yada yada</para>
+          </listitem>
 
-          <para>The settings can then be modified to conform to the required
-          security settings.</para>
+          <listitem>
+            <para>Any other mode</para>
 
-          <para></para>
+            <para>Defaults to file-based</para>
+          </listitem>
+        </itemizedlist>
 
-          <para></para>
-        </sect2>
+        <para></para>
       </sect1>
-    </chapter>
-  </part>
 
-  <part>
-    <title>Configuring the Runtime</title>
-
-    <partintro>
-      <para>***</para>
+      <sect1>
+        <title>Configuring Authentication</title>
 
-      <para></para>
-    </partintro>
+        <para></para>
 
-    <chapter>
-      <title>Configuring the Default Runtime</title>
+        <para>To explicitly use file-based authentication set the following
+        property.</para>
 
-      <abstract>
-        <para>*** yada yada</para>
-      </abstract>
+        <programlisting format="linespecific">isis.authentication=file</programlisting>
 
-      <para></para>
+        <para></para>
 
-      <sect1>
-        <title>Exploration Mode</title>
+        <para>To authenticate through LDAP set</para>
 
-        <para></para>
+        <programlisting format="linespecific">isis.authentication=ldap</programlisting>
 
         <para></para>
       </sect1>
 
       <sect1>
-        <title>Prototype Mode</title>
+        <title>Configuring Authorization</title>
 
         <para></para>
 
+        <para>To enable authorization within the default runtime, including
+        the facet and specifying the authorization implementation in the
+        settings</para>
+
+        <programlisting format="linespecific">isis.reflector.facets.include=\
+    org.apache.isis.runtimes.dflt.runtime.authorization.standard.AuthorizationFacetFactoryForDfltRuntime
+</programlisting>
+
         <para></para>
+
+        <para>To specify file-based authorization, use:</para>
+
+        <programlisting format="linespecific">isis.authorization=file</programlisting>
+
+        <para></para>
+
+        <para>To specify LDAP-based authorization, use:</para>
+
+        <programlisting format="linespecific">isis.authorization=ldap</programlisting>
       </sect1>
     </chapter>
   </part>
 
-  <part>
+  <part id="prt.ImplementingACustomImplementation">
     <title>Implementing a custom Security Implementation</title>
 
     <chapter>

Modified: incubator/isis/trunk/src/site/apt/documentation.apt
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/apt/documentation.apt?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/src/site/apt/documentation.apt (original)
+++ incubator/isis/trunk/src/site/apt/documentation.apt Tue Apr 26 22:38:18 2011
@@ -52,9 +52,9 @@ Documentation
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
 |progmodels                      |Programming Models                  |Configuration and Customization Guide           |{{{./progmodels/docbkx/pdf/isis-progmodels.pdf}PDF}}                             |{{{./progmodels/docbkx/html/guide/isis-progmodels.html}HTML}}                             |40%       |Dan      |
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|security                        |Security                            |Configuration and Deployment Guide              |{{{./security/docbkx/pdf/isis-security.pdf}PDF}}                                 |{{{./security/docbkx/html/guide/isis-security.html}HTML}}                                 |10%       |Dan,Rob  |
+|security                        |Security                            |Configuration and Deployment Guide              |{{{./security/docbkx/pdf/isis-security.pdf}PDF}}                                 |{{{./security/docbkx/html/guide/isis-security.html}HTML}}                                 |60%       |Dan,Rob  |
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|runtimes:dflt                   |Default Runtime                     |Programming, Configuration and Deployment Guide |{{{./runtimes/dflt/docbkx/pdf/isis-default-runtime.pdf}PDF}}                     |{{{./runtimes/dflt/docbkx/html/guide/isis-default-runtime.html}HTML}}                     |0%        |Dan      |
+|runtimes:dflt                   |Default Runtime                     |Programming, Configuration and Deployment Guide |{{{./runtimes/dflt/docbkx/pdf/isis-default-runtime.pdf}PDF}}                     |{{{./runtimes/dflt/docbkx/html/guide/isis-default-runtime.html}HTML}}                     |20%       |Dan,Rob  |
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
 |runtimes.dflt.objectstores:xml  |Default Runtime XML Object Store    |Configuration and Deployment Guide              |{{{./runtimes/dflt/objectstores/xml/docbkx/pdf/isis-xml-objectstore.pdf}PDF}}    |{{{./runtimes/dflt/objectstores/xml/docbkx/html/guide/isis-xml-objectstore.html}HTML}}    |0%        |Rob      |
 *--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+

Modified: incubator/isis/trunk/viewer/dnd/src/main/java/org/apache/isis/viewer/dnd/view/debug/DebugDumpSnapshotOption.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/viewer/dnd/src/main/java/org/apache/isis/viewer/dnd/view/debug/DebugDumpSnapshotOption.java?rev=1096936&r1=1096935&r2=1096936&view=diff
==============================================================================
--- incubator/isis/trunk/viewer/dnd/src/main/java/org/apache/isis/viewer/dnd/view/debug/DebugDumpSnapshotOption.java (original)
+++ incubator/isis/trunk/viewer/dnd/src/main/java/org/apache/isis/viewer/dnd/view/debug/DebugDumpSnapshotOption.java Tue Apr 26 22:38:18 2011
@@ -31,7 +31,7 @@ import org.apache.isis.core.metamodel.co
 import org.apache.isis.core.metamodel.consent.Consent;
 import org.apache.isis.core.metamodel.consent.Veto;
 import org.apache.isis.core.metamodel.spec.ActionType;
-import org.apache.isis.runtimes.dflt.runtime.logging.SnapshotAppender;
+import org.apache.isis.core.runtime.logging.SnapshotAppender;
 import org.apache.isis.viewer.dnd.drawing.Location;
 import org.apache.isis.viewer.dnd.view.View;
 import org.apache.isis.viewer.dnd.view.Workspace;