Posted to commits@isis.apache.org by da...@apache.org on 2011/04/13 00:37:17 UTC
svn commit: r1091590 [4/4] - in /incubator/isis/trunk: ./
applib/src/docbkx/guide/
core/commons/src/main/java/org/apache/isis/core/commons/authentication/
core/commons/src/main/java/org/apache/isis/core/commons/components/
core/commons/src/main/java/or...
Modified: incubator/isis/trunk/progmodels/wrapper/src/site/site.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/progmodels/wrapper/src/site/site.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/progmodels/wrapper/src/site/site.xml (original)
+++ incubator/isis/trunk/progmodels/wrapper/src/site/site.xml Tue Apr 12 22:37:15 2011
@@ -22,11 +22,6 @@
<item name="Metamodel" href="./metamodel/index.html" />
</menu>
- <menu name="Documentation">
- <item name="${docbkxGuideTitle} (PDF)" href="docbkx/pdf/${docbkxGuideName}.pdf" />
- <item name="${docbkxGuideTitle} (HTML)" href="docbkx/html/guide/${docbkxGuideName}.html" />
- </menu>
-
<menu name="Maven Reports" ref="reports" />
</body>
</project>
Modified: incubator/isis/trunk/runtimes/dflt/bytecode/dflt/src/main/java/org/apache/isis/runtimes/dflt/bytecode/dflt/objectfactory/internal/ObjectResolveAndObjectChangedEnhancer.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/runtimes/dflt/bytecode/dflt/src/main/java/org/apache/isis/runtimes/dflt/bytecode/dflt/objectfactory/internal/ObjectResolveAndObjectChangedEnhancer.java?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/runtimes/dflt/bytecode/dflt/src/main/java/org/apache/isis/runtimes/dflt/bytecode/dflt/objectfactory/internal/ObjectResolveAndObjectChangedEnhancer.java (original)
+++ incubator/isis/trunk/runtimes/dflt/bytecode/dflt/src/main/java/org/apache/isis/runtimes/dflt/bytecode/dflt/objectfactory/internal/ObjectResolveAndObjectChangedEnhancer.java Tue Apr 12 22:37:15 2011
@@ -30,7 +30,6 @@ import net.sf.cglib.proxy.MethodIntercep
import net.sf.cglib.proxy.MethodProxy;
import org.apache.isis.core.commons.lang.ArrayUtils;
-import org.apache.isis.core.metamodel.facets.ImperativeFacet;
import org.apache.isis.core.metamodel.facets.ImperativeFacetUtils;
import org.apache.isis.core.metamodel.facets.ImperativeFacetUtils.ImperativeFacetFlags;
import org.apache.isis.core.metamodel.spec.SpecificationLoader;
Modified: incubator/isis/trunk/runtimes/dflt/profilestores/xml/src/main/java/org/apache/isis/runtimes/dflt/profilestores/xml/XmlUserProfileStoreInstaller.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/runtimes/dflt/profilestores/xml/src/main/java/org/apache/isis/runtimes/dflt/profilestores/xml/XmlUserProfileStoreInstaller.java?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/runtimes/dflt/profilestores/xml/src/main/java/org/apache/isis/runtimes/dflt/profilestores/xml/XmlUserProfileStoreInstaller.java (original)
+++ incubator/isis/trunk/runtimes/dflt/profilestores/xml/src/main/java/org/apache/isis/runtimes/dflt/profilestores/xml/XmlUserProfileStoreInstaller.java Tue Apr 12 22:37:15 2011
@@ -41,16 +41,6 @@ public class XmlUserProfileStoreInstalle
}
- @Override
- public Module getModule() {
- return new AbstractModule() {
- @Override
- protected void configure() {
- bind(UserProfileStore.class).to(XmlUserProfileStore.class);
- }
- };
- }
-
public List<Class<?>> getTypes() {
return listOf(UserProfileStore.class);
}
Modified: incubator/isis/trunk/runtimes/dflt/src/docbkx/guide/isis-default-runtime.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/runtimes/dflt/src/docbkx/guide/isis-default-runtime.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/runtimes/dflt/src/docbkx/guide/isis-default-runtime.xml (original)
+++ incubator/isis/trunk/runtimes/dflt/src/docbkx/guide/isis-default-runtime.xml Tue Apr 12 22:37:15 2011
@@ -1375,6 +1375,109 @@ isis.fixtures=ExpenseTypes, Employees, E
<para></para>
<sect1>
+ <title>Component loggers</title>
+
+ <para>The NOF provides a set of component loggers that specifically
+ log the use of a component, adding additional log messages to the
+ Log4j log or write out to a separate file. Additional logger can also
+ be defined for other components. These logger are designed to log the
+ parameters passed to and the the results return from the requests to a
+ component and tend to be more verbose than the general logging just
+ discussed. At present the following components have loggers
+ available:-</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>The object persistor -
+ <classname>ObjectPersistorLogger</classname></para>
+ </listitem>
+
+ <listitem>
+ <para>The object store -
+ <classname>ObjectStoreLogger</classname></para>
+ </listitem>
+
+ <listitem>
+ <para>The distibution interface -
+ <classname>DistributionLogger</classname></para>
+ </listitem>
+ </itemizedlist>
+
+ <para>To set up a logger create an instance of it passing in the
+ object you are logging. Then use the logger instance in place of the
+ original component. The constructors for each of the loggers are
+ overloaded so they take a component to decorate and possibly a file
+ name. If the filename is specified then the logging is done to that
+ file. If there is no file name then the events are logged via Log4j.
+ For example the object store persistor would logged by
+ replacing:</para>
+
+ <programlisting format="linespecific">ObjectAdapterPersistor persistor = new ObjectStorePersistor();
+isis.setObjectPersistor(persistor);</programlisting>
+
+ <para>with this, which will log request to the persistor the <filename
+ class="directory" moreinfo="none">sever-persistor.log</filename>
+ file:</para>
+
+ <programlisting format="linespecific">ObjectAdapterPersistor persistor = new ObjectStorePersistor();
+persistor = new ObjectManagerLogger(persistor, "server-persistor.log");
+isis.setObjectPersistor(persistor);</programlisting>
+
+ <para>Please note that the log files, when used, are created when the
+ logger is instantiated and will overwrite any exsiting file. This is
+ not normally a problem as we are interested in the activities during
+ an entire session. However on a stateless server where the component
+ is being recreated each time the continual recreation of the file
+ could be a problem.</para>
+
+ <sect2>
+ <title>Defining a logger</title>
+
+ <para>To define a logger extend the Logger class, providing a
+ suitable constructor, and implement the
+ <methodname>getDecoratedClass</methodname> so it passes back the
+ <classname>Class</classname> object of the class being decorated
+ (this allows the Log4j logger to log messages as that class rather
+ than as a separate class). Within the subclass you can use the
+ following methods:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><emphasis> <methodname>void log(String
+ message)</methodname> </emphasis></para>
+
+ <para>output a log entry with the specified message.</para>
+ </listitem>
+
+ <listitem>
+ <para><emphasis> <methodname>void log(String message, Object
+ result)</methodname> </emphasis></para>
+
+ <para>output a log entry with the specified message and the
+ specified result. This is useful when needing to show both the
+ entry and exit states, or the paramters and the return
+ value.</para>
+ </listitem>
+
+ <listitem>
+ <para><emphasis> <methodname>void close()</methodname>
+ </emphasis></para>
+
+ <para>closes the file that is being written to.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+ </sect2>
+ </sect1>
+
+ <sect1>
<title>Diagnostics (Logging)</title>
<para></para>
@@ -1892,16 +1995,74 @@ $ mvn clean package</screen>
</part>
<appendix>
- <title>***</title>
+ <title>*** Deployment Principles</title>
<abstract>
- <para>*** yada yada</para>
+ <para>*** yada yada (have just pasted this chapter in from elsewhere;
+ need to think about where it lives in this doc)</para>
</abstract>
- <sect1 id="sec.module-ui">
- <title>***</title>
+ <sect1>
+ <title>Setting up perspectives</title>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+
+ <para>profilestore</para>
+
+ <para>x-ref alternatives/profilestore/xml</para>
+
+ <para></para>
+
+ <para>Perspectives allow the set of services available to a user (eg as
+ icons in the DnD viewer) to be customized for that user. Since these
+ services represent the "start points" for the user to interact with the
+ domain model, they in a sense define an application on a per-user
+ basis.</para>
+
+ <para>The perspectives are stored in user-profiles, which are a
+ persistence mechanism independent of the object store. (The intent is
+ for user profiles to store additional information for use by viewers,
+ for example allowing a user to reskin an application or change colors or
+ fonts. As of NOF 4.0 the functionality provided is still limited,
+ however).</para>
+
+ <para>The key here is that if a user logs in and no perspective exists
+ for that user then one will be created for them. The new perspective
+ will be a copy of the 'template' perspective, or, if none was defined, a
+ perspective containing all the known services. To create a template
+ perspective add a perspective fixture that calls
+ <methodname>saveAsDefault()</methodname>, rather than
+ <methodname>saveForUser()</methodname> for a named user, as shown
+ below.</para>
+
+ <programlisting>public class PerspectivesFixture extends UserProfileFixture {
+ @Override
+ protected void installProfiles() {
+ Profile profile = newUserProfile();
+ Perspective perspective = profile.newPerspective("ECS");
+ perspective.addToServices(LocationFactory.class);
+ perspective.addToServices(CustomerRepository.class);
+ perspective.addToServices(PaymentMethodFactory.class);
+
+ saveAsDefault(profile);
+ }
+}
+</programlisting>
- <para>*** yada yada</para>
+ <para>With that set up, when a new user now logs in they will see three
+ service icons on the screen for locations, customers and payment
+ methods. On the drag and drop user interface the user can add and remove
+ services from their perspective. To remove a service icon right-click on
+ the grey border and select the close option. To add a service select the
+ Services... option from the application menu (accessed by right-clicking
+ on the application background) and drag the required service onto the
+ desktop. Unfortunately there is no similar mechanism available on the
+ HTML user interface so you will need to modify the created perspectives
+ via the DND UI.</para>
</sect1>
</appendix>
</book>
Modified: incubator/isis/trunk/security/file/pom.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/pom.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/pom.xml (original)
+++ incubator/isis/trunk/security/file/pom.xml Tue Apr 12 22:37:15 2011
@@ -16,21 +16,8 @@
<properties>
<siteBaseDir>../..</siteBaseDir>
<relativeUrl>security/file/</relativeUrl>
-
- <docbkxGuideTitle>Apache Isis File Security</docbkxGuideTitle>
- <docbkxGuideName>isis-file-security</docbkxGuideName>
</properties>
- <build>
- <plugins>
- <plugin>
- <groupId>com.agilejava.docbkx</groupId>
- <artifactId>docbkx-maven-plugin</artifactId>
- <inherited>false</inherited>
- </plugin>
- </plugins>
- </build>
-
<url>http://incubator.apache.org/isis/${relativeUrl}</url>
<reporting>
Modified: incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticationManagerInstaller.java
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticationManagerInstaller.java?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticationManagerInstaller.java (original)
+++ incubator/isis/trunk/security/file/src/main/java/org/apache/isis/security/file/authentication/FileAuthenticationManagerInstaller.java Tue Apr 12 22:37:15 2011
@@ -41,13 +41,4 @@ public class FileAuthenticationManagerIn
return new FileAuthenticator(configuration);
}
- @Override
- public Module getModule() {
- return new AbstractModule() {
- @Override
- protected void configure() {
- bind(Authenticator.class);
- }
- };
- }
}
Modified: incubator/isis/trunk/security/file/src/site/site.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/file/src/site/site.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/file/src/site/site.xml (original)
+++ incubator/isis/trunk/security/file/src/site/site.xml Tue Apr 12 22:37:15 2011
@@ -17,11 +17,6 @@
<item name="LDAP" href="../ldap/index.html" />
</menu>
- <menu name="Documentation">
- <item name="${docbkxGuideTitle} (PDF)" href="docbkx/pdf/${docbkxGuideName}.pdf" />
- <item name="${docbkxGuideTitle} (HTML)" href="docbkx/html/guide/${docbkxGuideName}.html" />
- </menu>
-
<menu name="Maven Reports" ref="reports" />
</body>
</project>
Modified: incubator/isis/trunk/security/ldap/pom.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/ldap/pom.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/ldap/pom.xml (original)
+++ incubator/isis/trunk/security/ldap/pom.xml Tue Apr 12 22:37:15 2011
@@ -16,21 +16,8 @@
<properties>
<siteBaseDir>../..</siteBaseDir>
<relativeUrl>security/ldap/</relativeUrl>
-
- <docbkxGuideTitle>Apache Isis LDAP Security</docbkxGuideTitle>
- <docbkxGuideName>isis-ldap-security</docbkxGuideName>
</properties>
- <build>
- <plugins>
- <plugin>
- <groupId>com.agilejava.docbkx</groupId>
- <artifactId>docbkx-maven-plugin</artifactId>
- <inherited>false</inherited>
- </plugin>
- </plugins>
- </build>
-
<url>http://incubator.apache.org/isis/${relativeUrl}</url>
<reporting>
Modified: incubator/isis/trunk/security/ldap/src/site/site.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/ldap/src/site/site.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/ldap/src/site/site.xml (original)
+++ incubator/isis/trunk/security/ldap/src/site/site.xml Tue Apr 12 22:37:15 2011
@@ -17,11 +17,6 @@
<item name="LDAP" href="../ldap/index.html" />
</menu>
- <menu name="Documentation">
- <item name="${docbkxGuideTitle} (PDF)" href="docbkx/pdf/${docbkxGuideName}.pdf" />
- <item name="${docbkxGuideTitle} (HTML)" href="docbkx/html/guide/${docbkxGuideName}.html" />
- </menu>
-
<menu name="Maven Reports" ref="reports" />
</body>
</project>
Modified: incubator/isis/trunk/security/pom.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/pom.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/pom.xml (original)
+++ incubator/isis/trunk/security/pom.xml Tue Apr 12 22:37:15 2011
@@ -21,10 +21,23 @@
<properties>
<siteBaseDir>..</siteBaseDir>
<relativeUrl>security/</relativeUrl>
+
+ <docbkxGuideTitle>Apache Isis Security</docbkxGuideTitle>
+ <docbkxGuideName>isis-security</docbkxGuideName>
</properties>
<url>http://incubator.apache.org/isis/${relativeUrl}</url>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>com.agilejava.docbkx</groupId>
+ <artifactId>docbkx-maven-plugin</artifactId>
+ <inherited>false</inherited>
+ </plugin>
+ </plugins>
+ </build>
+
<modules>
<module>dflt</module>
<module>file</module>
Copied: incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml (from r1091133, incubator/isis/trunk/security/ldap/src/docbkx/guide/isis-ldap-security.xml)
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml?p2=incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml&p1=incubator/isis/trunk/security/ldap/src/docbkx/guide/isis-ldap-security.xml&r1=1091133&r2=1091590&rev=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/ldap/src/docbkx/guide/isis-ldap-security.xml (original)
+++ incubator/isis/trunk/security/src/docbkx/guide/isis-security.xml Tue Apr 12 22:37:15 2011
@@ -35,9 +35,7 @@
</author>
<author>
- <firstname>Kevin</firstname>
-
- <surname>Meyer</surname>
+ <firstname>Dan Haywood</firstname>
</author>
</authorgroup>
@@ -55,235 +53,753 @@
<preface id="preface">
<title>Preface</title>
- <para><emphasis>Apache Isis</emphasis> is designed to allow programmers
- rapidly develop domain-driven applications following the <ulink
- url="http://en.wikipedia.org/wiki/Naked_Objects">Naked Objects</ulink>
- pattern. It is made up of a core framework plus a number of alternate
- implementations, and supports various viewers and object stores. Apache
- Isis is hosted at the <ulink url="http://incubator.apache.org/isis">Apache
- Foundation</ulink>, and is licensed under <ulink
+ <para><emphasis>*** Apache Isis</emphasis> is designed to allow
+ programmers rapidly develop domain-driven applications following the
+ <ulink url="http://en.wikipedia.org/wiki/Naked_Objects">Naked
+ Objects</ulink> pattern. It is made up of a core framework plus a number
+ of supporting implementations, and supports various viewers and object
+ stores. Apache Isis is hosted at the <ulink
+ url="http://incubator.apache.org/isis">Apache Foundation</ulink>, and is
+ licensed under <ulink
url="http://www.apache.org/licenses/LICENSE-2.0.html">Apache Software
License v2</ulink>.</para>
<para>This guide is written for ...</para>
- </preface>
- <!-- main content -->
+ <para></para>
+
+ <para></para>
+ </preface>
- <chapter id="chp.Intro">
- <title>Introduction</title>
+ <chapter id="chp.SecurityApi">
+ <title>*** Introduction</title>
<abstract>
- <para>*** yada yada</para>
+ <para>This chapter covers the authentication and authorization
+ APIs</para>
</abstract>
+ <para></para>
+
+ <para>*** go through these words and move around; get rid of this
+ introductory chapter.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+
+ <para>Apache Isis supports authentication and role-based authorization.
+ Within the framework the user is represented by a
+ <classname>Session</classname> object. From the session object you can get
+ the name of the user and their roles.</para>
+
+ <para>The session is used within the distribution mechanism and the
+ security manager. The security manager uses the session to determine if a
+ user can access or manipulate an object member. The distribution mechanism
+ passes the session to the server so the server knows which user is
+ accessing it.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+
+ <para>As with authentication, authorization may be executed via a file,
+ LDAP, or database. If no authorization mechanism is specified, all domain
+ calls, methods and properties will be available to all users.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <note>
+ <para>TODO: tidy up the following paras, were just copied/pasted in from
+ APT</para>
+ </note>
+
+ <para><emphasis></emphasis></para>
+
+ <para><emphasis>Apache Isis</emphasis> applications support authentication
+ ("who are you"?) and authorization ("what can you do?"). This allows the
+ set of functionality to be restricted based upon the user's role, with no
+ security knowledge needing to be embedded within the domain objects. The
+ API is defined in {{{../core/runtime/index.html}runtime}}, along with two
+ implementations, one file-based and one using LDAP.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para>An <classname>Authoriser</classname> processes an
+ <classname>AuthorizationRequest</classname> and if granted generates a
+ <classname>Session</classname> object to represent the user.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para>There is an optional capability to authorise the visibility and
+ usability of fields independently. Thus a field may be visible to certain
+ roles but not editable. In order to configure this against a authorization
+ a flag must be added as follows.</para>
+
+ <para></para>
+
+ <para></para>
+
<sect1>
- <title>***</title>
+ <title>Capturing authorization requirements automatically</title>
+
+ <para>As a tool for helping to configure the initial security settings
+ there is a 'learn' property.</para>
+
+ <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
+
+ <para>When this is present and set, all methods will be authorised for
+ all roles. However as each method is accessed through the user interface
+ authorization will be configured for that method and the current role.
+ Configuration will be saved in either the file (saved on shutdown),
+ database table or LDAP security settings depending upon the reflector
+ setup.</para>
+
+ <para>The settings can then be modified to conform to the required
+ security settings.</para>
+
+ <para></para>
+
+ <para></para>
+ </sect1>
+ </chapter>
+
+ <part>
+ <title>Default (No-op) Security Implementation</title>
+
+ <chapter>
+ <title></title>
+
+ <section>
+ <title></title>
+
+ <para></para>
+ </section>
+ </chapter>
+ </part>
+
+ <part>
+ <title>File Security Implementation</title>
+
+ <chapter id="chp.FileIntro">
+ <title>Introduction</title>
+
+ <abstract>
+ <para>*** yada yada</para>
+ </abstract>
+
+ <sect1>
+ <title>***</title>
+
+ <para><emphasis>*** yada yada</emphasis></para>
+ </sect1>
+
+ <sect1>
+ <title>Adding Security (Authentication and Authorization)</title>
+
+ <para><remark></remark></para>
+
+ <para>x-ref Core documentation.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para>... also, move into the next chapters</para>
+
+ <para></para>
+
+ <para>Starting [[NAME]] requires a user name and password . (The
+ exception is when running in exploration mode, which uses default
+ values). The simplest way to specify the list of user names and
+ passwords is in a passwords file.</para>
+
+ <sect2>
+ <title>Authentication using a passwords file</title>
+
+ <para>Create a file called <filename class="directory"
+ moreinfo="none">password</filename>s, and place into the <filename
+ class="directory" moreinfo="none">config</filename> directory as the
+ following example shows.</para>
+
+ <screen format="linespecific">config/
+ passwords
+</screen>
+
+ <para>The following example shows how user names (sven and dick) and
+ corresponding passwords (passwd1 and passwd2) should be specified in
+ the password file.</para>
+
+ <programlisting format="linespecific">sven:passwd1
+dick:passwd2</programlisting>
+ </sect2>
+
+ <sect2>
+ <title>Authentication through a passwords file</title>
+
+ <para>To explicitly use file-based authentication set the following
+ property. (Note, however, that if this property is absent, the
+ framework will anyway assume file-based authentication as the
+ default).</para>
+
+ <programlisting format="linespecific">isis.authentication=file</programlisting>
+
+ <para>The location and name of the passwords file may be specified
+ explicitly - if not it defaults to the <filename class="directory"
+ moreinfo="none">passwords</filename> file, assumed to be in the
+ <filename class="directory" moreinfo="none">config</filename>
+ directory (or under WEB-INF if running as a web application).</para>
+
+ <programlisting format="linespecific">isis.authentication.file.location= passwords </programlisting>
+
+ <para>The <filename class="directory"
+ moreinfo="none">passwords</filename> file contains users, passwords
+ and any roles, as follows.</para>
+
+ <programlisting format="linespecific"><user>:<password>:<role>|<role>|...</programlisting>
+
+ <para>For example, user 'sven', with password 'pass' and roles
+ 'role1' and 'role2' would be</para>
+
+ <programlisting format="linespecific">sven:pass:role1|role2 </programlisting>
+ </sect2>
+
+ <sect2>
+ <title>Authorization using Allow and/or Disallow files</title>
+
+ <para>Authorization allows access to actions and properties to be
+ controlled by configuration. Authorization is entirely optional and
+ is disabled by default - in which case every user is given access to
+ all actions and properties. A prerequisite for authorization is for
+ users to have roles. These should be added to the password file as
+ follows.</para>
+
+ <programlisting format="linespecific">sven:passwd1:ordinary_user
+dick:passwd2:special_user|admin</programlisting>
+
+ <para>Sven has the role 'ordinary_user', dick has the two roles
+ 'special_user' and 'admin'.</para>
+
+ <para>[[NAME]] needs to be told which actions and properties are
+ authorised for which roles. The simplest way to do this is in a file
+ i.e. <filename class="directory" moreinfo="none">allow</filename> in
+ the config directory.</para>
+
+ <screen format="linespecific">config/
+ <emphasis role="strong">password</emphasis>
+ <emphasis role="strong">allow</emphasis>
+ </screen>
+
+ <para>Each entry in the <filename class="directory"
+ moreinfo="none">allow</filename> file specifies either a class, or a
+ particular action or property within a class, together with the
+ roles that are allowed to access it. E.g.</para>
+
+ <screen format="linespecific">example.dom.PhoneNumber#Number:ordinary_user|special_user
+example.dom.Contact#Phones:ordinary_user|special_user
+example.dom.Contact#FullName:ordinary_user|special_user
+org.apache.isis.nof.core.service.SimpleRepository#FindByTitle(java.lang.String):ordinary_user|special_user
+example.dom.PhoneNumber#Type:ordinary_user|special_user
+example.dom.Contact#KnownAs:ordinary_user|special_user
+org.apache.isis.nof.core.service.SimpleRepository#NewPersistentInstance():ordinary_user|special_user
+example.dom.Contact#CreatePhone():special_user
+org.apache.isis.nof.core.service.SimpleRepository#NewTransientInstance():ordinary_user|special_user
+org.apache.isis.nof.core.service.SimpleRepository#AllInstances():ordinary_user|special_user
+</screen>
+
+ <para>The above file allows 'example.dom.Contact#CreatePhone()' only
+ for users with role 'special_user' all other actions and properties
+ are allowed for roles 'ordinary_user' and 'special_user'. A
+ different, terser implementation of this would be to use separate
+ <filename class="directory" moreinfo="none">allow</filename> and
+ <filename class="directory" moreinfo="none">disallow</filename>
+ files, or example, the <filename class="directory"
+ moreinfo="none">allow</filename> file:</para>
+
+ <screen format="linespecific">example.dom.PhoneNumber:ordinary_user|special_user
+example.dom.Contact:ordinary_user|special_user
+org.apache.isis.nof.core.service.SimpleRepository:ordinary_user|special_user
+</screen>
+
+ <para>and the <filename class="directory"
+ moreinfo="none">disallow</filename> file:</para>
+
+ <screen format="linespecific">example.dom.Contact#CreatePhone():ordinary_user</screen>
+
+ <para>For more details, see the section on Managing Security.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+ </sect2>
+
+ <sect2>
+ <title>Authentication through a passwords file</title>
+
+ <para>from the "managing security" section</para>
+
+ <para></para>
+
+ <para>To explicitly use file-based authentication set the following
+ property. (Note, however, that if this property is absent, the
+ framework will anyway assume file-based authentication as the
+ default).</para>
+
+ <programlisting format="linespecific">isis.authentication=file</programlisting>
- <para><emphasis>*** yada yada</emphasis></para>
+ <para>The location and name of the passwords file may be specified
+ explicitly - if not it defaults to the <filename class="directory"
+ moreinfo="none">passwords</filename> file, assumed to be in the
+ <filename class="directory" moreinfo="none">config</filename>
+ directory (or under WEB-INF if running as a web application).</para>
- <sect2>
- <title>Authentication through an LDAP server</title>
+ <programlisting format="linespecific">isis.authentication.file.location= passwords </programlisting>
- <para>To authenticate through LDAP set</para>
+ <para>The <filename class="directory"
+ moreinfo="none">passwords</filename> file contains users, passwords
+ and any roles, as follows.</para>
- <programlisting format="linespecific">isis.authentication=ldap</programlisting>
+ <programlisting format="linespecific"><user>:<password>:<role>|<role>|...</programlisting>
- <para>LDAP needs a URL for the server and a 'dn' of the root of the
- users on the server. For example,</para>
+ <para>For example, user 'sven', with password 'pass' and roles
+ 'role1' and 'role2' would be</para>
- <programlisting format="linespecific">isis.authentication.ldap.dn= dc=isis, dc=org </programlisting>
+ <programlisting format="linespecific">sven:pass:role1|role2 </programlisting>
- <programlisting format="linespecific">isis.authentication.ldap.server=ldap://localhost:10389</programlisting>
+ <para></para>
- <para>The logon password check will be on uid='username', <dn> -
- For example, attempting to logon with user 'sven' with the above
- settings will check against the server on localhost, port = 10389,
- uid=sven, dc=isis, dc=org, using the password in the standard <literal
- moreinfo="none">userpassword</literal> attribute in that entry. Once
- logged in, roles will be picked up from cn='rolename' where
- objectclass =organizationalRole in child entries of the user
- entry.</para>
- </sect2>
+ <para></para>
- <sect2>
- <title>Authorization through LDAP server</title>
+ <para></para>
- <para>To enable authorization by LDAP server include facet for
- authorization and specifying the <literal
- moreinfo="none">ldap</literal> implementation for
- authorization.</para>
+ <para></para>
+ </sect2>
- <programlisting format="linespecific">isis.reflector.facets.include=\
+ <sect2>
+ <title>Authorization through 'allow' and 'disallow' files</title>
+
+ <para>To enable authorization by file including the facet and
+ specifying the authorization implementation in the settings</para>
+
+ <programlisting format="linespecific">isis.reflector.facets.include=\
+ org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
+isis.authorization=file</programlisting>
+
+ <para>With file authorization the current user's role will be
+ authorised against a white and (optionally) a black list for each
+ method possibly available to them. The files are identified by
+ properties, e.g.</para>
+
+ <programlisting format="linespecific">isis.authorization.file.whitelist=allow
+isis.authorization.file.blacklist=disallow </programlisting>
+
+ <para>The white list file is mandatory, if there is no property it
+ defaults to 'allow' (picked up from the config directory or from
+ WEB-INF if running as a webapp). The black list file is optional.
+ The presence of the property indicates it is being used. If the
+ white list file default is being used then 'disallow' is suggested
+ as a setting for the black list.</para>
+
+ <para>Each file contains a signature to match against and a list of
+ roles. A match in the white list file permits the method and match
+ in the black list forbids it. The black list overrides the white
+ list. Matching occurs at three levels class, method (or property)
+ and parameters. Property matches are to the bean property name e.g.
+ 'phone' for getPhone and setPhone.</para>
+
+ <para>Formatted as follows:</para>
+
+ <para>If only class is to be matched: <fully qualified class>
+ :role1|role2|..</para>
+
+ <para>Class and method: <fully qualified
+ class>#<method>:role1|role2|..</para>
+
+ <para>Class and property: <fully qualified
+ class>#<property>:role1|role2|..</para>
+
+ <para>Parameters where method takes no parameters: <fully
+ qualified class>#<method>():role1|role2|...</para>
+
+ <para>Parameters where method takes one parameter: <fully
+ qualified class>#<method>(fully qualified parameter
+ class):role1|role2|...</para>
+
+ <para>Parameters where method takes two or more:</para>
+
+ <para><fully qualified class>#<method>(fully qualified
+ parameter class1, fully qualified parameter class2,
+ ...):role1|role2|...</para>
+
+ <para>Each line in the file is a separate match.</para>
+
+ <para>So, for example, in the white list file</para>
+
+ <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate:role1 </programlisting>
+
+ <para>will permit all actions/properties on <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+ for role1</para>
+
+ <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.
+ ClaimantRepositoryHibernate#findClaimantByName:role1|role2</programlisting>
+
+ <para>will permit all overloaded methods named <literal
+ moreinfo="none">findClaimantByName</literal> on <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
+ for role1 and role2 and</para>
+
+ <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate#findClaimantByIdentifier(java.lang.String):role3</programlisting>
+
+ <para>will permit <literal
+ moreinfo="none">findClaimantByIdentifier</literal> with parameter
+ <literal moreinfo="none">java.lang.String</literal> on <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
+ for role3. In each case an identical entry in the black list file
+ will instead make the action or property unavailable. The
+ combination of white and black list allows some economy in the
+ settings. For example, if all but one method of a large class is to
+ be allowed, that could be configured with one entry per method in
+ the white list file or, better, a single entry for the class in the
+ white list and a single entry for the unavailable method in the
+ black list.</para>
+ </sect2>
+
+ <sect2>
+ <title>Authorization through 'allow' and 'disallow' files</title>
+
+ <para>To enable authorization by file including the facet and
+ specifying the authorization implementation in the settings</para>
+
+ <programlisting format="linespecific">isis.reflector.facets.include=\
+ org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
+isis.authorization=file</programlisting>
+
+ <para>With file authorization the current user's role will be
+ authorised against a white and (optionally) a black list for each
+ method possibly available to them. The files are identified by
+ properties, e.g.</para>
+
+ <programlisting format="linespecific">isis.authorization.file.whitelist=allow
+isis.authorization.file.blacklist=disallow </programlisting>
+
+ <para>The white list file is mandatory, if there is no property it
+ defaults to 'allow' (picked up from the config directory or from
+ WEB-INF if running as a webapp). The black list file is optional.
+ The presence of the property indicates it is being used. If the
+ white list file default is being used then 'disallow' is suggested
+ as a setting for the black list.</para>
+
+ <para>Each file contains a signature to match against and a list of
+ roles. A match in the white list file permits the method and match
+ in the black list forbids it. The black list overrides the white
+ list. Matching occurs at three levels class, method (or property)
+ and parameters. Property matches are to the bean property name e.g.
+ 'phone' for getPhone and setPhone.</para>
+
+ <para>Formatted as follows:</para>
+
+ <para>If only class is to be matched: <fully qualified class>
+ :role1|role2|..</para>
+
+ <para>Class and method: <fully qualified
+ class>#<method>:role1|role2|..</para>
+
+ <para>Class and property: <fully qualified
+ class>#<property>:role1|role2|..</para>
+
+ <para>Parameters where method takes no parameters: <fully
+ qualified class>#<method>():role1|role2|...</para>
+
+ <para>Parameters where method takes one parameter: <fully
+ qualified class>#<method>(fully qualified parameter
+ class):role1|role2|...</para>
+
+ <para>Parameters where method takes two or more:</para>
+
+ <para><fully qualified class>#<method>(fully qualified
+ parameter class1, fully qualified parameter class2,
+ ...):role1|role2|...</para>
+
+ <para>Each line in the file is a separate match.</para>
+
+ <para>So, for example, in the white list file</para>
+
+ <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate:role1 </programlisting>
+
+ <para>will permit all actions/properties on <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+ for role1</para>
+
+ <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.
+ ClaimantRepositoryHibernate#findClaimantByName:role1|role2</programlisting>
+
+ <para>will permit all overloaded methods named <literal
+ moreinfo="none">findClaimantByName</literal> on <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
+ for role1 and role2 and</para>
+
+ <programlisting format="linespecific">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate#findClaimantByIdentifier(java.lang.String):role3</programlisting>
+
+ <para>will permit <literal
+ moreinfo="none">findClaimantByIdentifier</literal> with parameter
+ <literal moreinfo="none">java.lang.String</literal> on <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimantRepositoryHibernate</literal>
+ for role3. In each case an identical entry in the black list file
+ will instead make the action or property unavailable. The
+ combination of white and black list allows some economy in the
+ settings. For example, if all but one method of a large class is to
+ be allowed, that could be configured with one entry per method in
+ the white list file or, better, a single entry for the class in the
+ white list and a single entry for the unavailable method in the
+ black list.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para>There is an optional capability to authorise the visibility
+ and usability of fields independently. Thus a field may be visible
+ to certain roles but not editable. In order to configure this
+ against a authorization a flag must be added as follows.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para>As a tool for helping to configure the initial security
+ settings there is a 'learn' property.</para>
+
+ <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
+
+ <para>When this is present and set, all methods will be authorised
+ for all roles. However as each method is accessed through the user
+ interface authorization will be configured for that method and the
+ current role. Configuration will be saved in either the file (saved
+ on shutdown), database table or LDAP security settings depending
+ upon the reflector setup.</para>
+
+ <para>The settings can then be modified to conform to the required
+ security settings.</para>
+
+ <para></para>
+
+ <para></para>
+
+ <para></para>
+ </sect2>
+ </sect1>
+ </chapter>
+ </part>
+
+ <part>
+ <title>LDAP Security Implementation</title>
+
+ <chapter>
+ <title>Introduction</title>
+
+ <abstract>
+ <para>*** yada yada</para>
+ </abstract>
+
+ <sect1>
+ <title>***</title>
+
+ <para><emphasis>*** yada yada</emphasis></para>
+
+ <sect2>
+ <title>Authentication through an LDAP server</title>
+
+ <para>To authenticate through LDAP set</para>
+
+ <programlisting format="linespecific">isis.authentication=ldap</programlisting>
+
+ <para>LDAP needs a URL for the server and a 'dn' of the root of the
+ users on the server. For example,</para>
+
+ <programlisting format="linespecific">isis.authentication.ldap.dn= dc=isis, dc=org </programlisting>
+
+ <programlisting format="linespecific">isis.authentication.ldap.server=ldap://localhost:10389</programlisting>
+
+ <para>The logon password check will be on uid='username', <dn>
+ - For example, attempting to logon with user 'sven' with the above
+ settings will check against the server on localhost, port = 10389,
+ uid=sven, dc=isis, dc=org, using the password in the standard
+ <literal moreinfo="none">userpassword</literal> attribute in that
+ entry. Once logged in, roles will be picked up from cn='rolename'
+ where objectclass =organizationalRole in child entries of the user
+ entry.</para>
+ </sect2>
+
+ <sect2>
+ <title>Authorization through LDAP server</title>
+
+ <para>To enable authorization by LDAP server include facet for
+ authorization and specifying the <literal
+ moreinfo="none">ldap</literal> implementation for
+ authorization.</para>
+
+ <programlisting format="linespecific">isis.reflector.facets.include=\
org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
isis.authorization=ldap</programlisting>
- <para>With LDAP authorization the current user's role will be
- authorised against an entry in the LDAP server for each method
- possibly available to them. The URL of the server is obtained from the
- same property as for authentication.</para>
-
- <para>The authorization entries should exist under a DN configured in
- the property file. For example.</para>
-
- <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
-
- <para>This will be checked anonymously.</para>
-
- <para>Entries to be matched against should exist under this dn.
- Expected configuration is a hierarchy of class, method and parameters.
- The cn of each entry is expected to be the fully qualified class name,
- method or parameter list ('()' for an empty parameter list). If an
- entry has a 'uniquemember' attribute equal to 'role' then that entry
- and all sub-entries are authorised.</para>
-
- <para>For example</para>
-
- <para>DN:
- cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
- cn=expenses, dc=apps, dc=isis, dc=org</para>
-
- <para>with uniquemember = role1 will authorise all members of <literal
- moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
- for users with role1.</para>
-
- <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
- java.lang.String),</para>
-
- <para>cn=createNewClaim,
- cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
- cn=expenses, dc=apps, dc=isis, dc=org</para>
-
- <para>with uniquemember = role1 will authorise the <literal
- moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
- String)</literal> member of <literal
- moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
- for users with role1.</para>
- </sect2>
-
- <sect2>
- <title>Authorization through LDAP server</title>
-
- <para>To enable authorization by LDAP server include facet for
- authorization and specifying the <literal
- moreinfo="none">ldap</literal> implementation for
- authorization.</para>
+ <para>With LDAP authorization the current user's role will be
+ authorised against an entry in the LDAP server for each method
+ possibly available to them. The URL of the server is obtained from
+ the same property as for authentication.</para>
+
+ <para>The authorization entries should exist under a DN configured
+ in the property file. For example.</para>
+
+ <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
+
+ <para>This will be checked anonymously.</para>
+
+ <para>Entries to be matched against should exist under this dn.
+ Expected configuration is a hierarchy of class, method and
+ parameters. The cn of each entry is expected to be the fully
+ qualified class name, method or parameter list ('()' for an empty
+ parameter list). If an entry has a 'uniquemember' attribute equal to
+ 'role' then that entry and all sub-entries are authorised.</para>
+
+ <para>For example</para>
+
+ <para>DN:
+ cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
+ cn=expenses, dc=apps, dc=isis, dc=org</para>
+
+ <para>with uniquemember = role1 will authorise all members of
+ <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+ for users with role1.</para>
+
+ <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
+ java.lang.String),</para>
+
+ <para>cn=createNewClaim,
+ cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
+ cn=expenses, dc=apps, dc=isis, dc=org</para>
+
+ <para>with uniquemember = role1 will authorise the <literal
+ moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
+ String)</literal> member of <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+ for users with role1.</para>
+ </sect2>
+
+ <sect2>
+ <title>Authorization through LDAP server</title>
+
+ <para>To enable authorization by LDAP server include facet for
+ authorization and specifying the <literal
+ moreinfo="none">ldap</literal> implementation for
+ authorization.</para>
- <programlisting format="linespecific">isis.reflector.facets.include=\
+ <programlisting format="linespecific">isis.reflector.facets.include=\
org.apache.isis.runtime.authorization.standard.AuthorizationFacetFactoryImpl
isis.authorization=ldap</programlisting>
- <para>With LDAP authorization the current user's role will be
- authorised against an entry in the LDAP server for each method
- possibly available to them. The URL of the server is obtained from the
- same property as for authentication.</para>
-
- <para>The authorization entries should exist under a DN configured in
- the property file. For example.</para>
-
- <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
-
- <para>This will be checked anonymously.</para>
-
- <para>Entries to be matched against should exist under this dn.
- Expected configuration is a hierarchy of class, method and parameters.
- The cn of each entry is expected to be the fully qualified class name,
- method or parameter list ('()' for an empty parameter list). If an
- entry has a 'uniquemember' attribute equal to 'role' then that entry
- and all sub-entries are authorised.</para>
-
- <para>For example</para>
-
- <para>DN:
- cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
- cn=expenses, dc=apps, dc=isis, dc=org</para>
-
- <para>with uniquemember = role1 will authorise all members of <literal
- moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
- for users with role1.</para>
-
- <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
- java.lang.String),</para>
-
- <para>cn=createNewClaim,
- cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
- cn=expenses, dc=apps, dc=isis, dc=org</para>
-
- <para>with uniquemember = role1 will authorise the <literal
- moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
- String)</literal> member of <literal
- moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
- for users with role1.</para>
+ <para>With LDAP authorization the current user's role will be
+ authorised against an entry in the LDAP server for each method
+ possibly available to them. The URL of the server is obtained from
+ the same property as for authentication.</para>
- <para></para>
+ <para>The authorization entries should exist under a DN configured
+ in the property file. For example.</para>
- <para></para>
+ <programlisting format="linespecific">isis.authorization.ldap.application.dn= cn=expenses, dc=apps, dc=isis, dc=org </programlisting>
- <para>There is an optional capability to authorise the visibility and
- usability of fields independently. Thus a field may be visible to
- certain roles but not editable. In order to configure this against a
- authorization a flag must be added as follows.</para>
+ <para>This will be checked anonymously.</para>
- <para></para>
+ <para>Entries to be matched against should exist under this dn.
+ Expected configuration is a hierarchy of class, method and
+ parameters. The cn of each entry is expected to be the fully
+ qualified class name, method or parameter list ('()' for an empty
+ parameter list). If an entry has a 'uniquemember' attribute equal to
+ 'role' then that entry and all sub-entries are authorised.</para>
- <para>Add a flags attribute to the entry with the role. If it's set to
- 'rw' editing will be allowed, any other value (typically 'ro') will
- disallow editing.</para>
+ <para>For example</para>
- <para>In each case absence of the flag will mean that visibility and
- usability and are always the same.</para>
+ <para>DN:
+ cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
+ cn=expenses, dc=apps, dc=isis, dc=org</para>
- <para></para>
+ <para>with uniquemember = role1 will authorise all members of
+ <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+ for users with role1.</para>
- <para></para>
+ <para>DN: cn=(com.isisgroup.expenses.claimant.Claimant,
+ java.lang.String),</para>
- <para>As a tool for helping to configure the initial security settings
- there is a 'learn' property.</para>
+ <para>cn=createNewClaim,
+ cn=com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate,
+ cn=expenses, dc=apps, dc=isis, dc=org</para>
- <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
+ <para>with uniquemember = role1 will authorise the <literal
+ moreinfo="none">createNewClaim(com.isisgroup.expenses.claimant.Claimant,
+ String)</literal> member of <literal
+ moreinfo="none">com.isisgroup.expenses.services.hibernate.ClaimRepositoryHibernate</literal>
+ for users with role1.</para>
- <para>When this is present and set, all methods will be authorised for
- all roles. However as each method is accessed through the user
- interface authorization will be configured for that method and the
- current role. Configuration will be saved in either the file (saved on
- shutdown), database table or LDAP security settings depending upon the
- reflector setup.</para>
+ <para></para>
- <para>The settings can then be modified to conform to the required
- security settings.</para>
+ <para></para>
- <para></para>
+ <para>There is an optional capability to authorise the visibility
+ and usability of fields independently. Thus a field may be visible
+ to certain roles but not editable. In order to configure this
+ against a authorization a flag must be added as follows.</para>
- <para></para>
- </sect2>
- </sect1>
- </chapter>
+ <para></para>
- <chapter>
- <title>***</title>
+ <para>Add a flags attribute to the entry with the role. If it's set
+ to 'rw' editing will be allowed, any other value (typically 'ro')
+ will disallow editing.</para>
- <abstract>
- <para>*** yada yada</para>
- </abstract>
+ <para>In each case absence of the flag will mean that visibility and
+ usability and are always the same.</para>
- <sect1>
- <title>***</title>
+ <para></para>
- <para><emphasis>*** yada yada</emphasis></para>
- </sect1>
- </chapter>
+ <para></para>
- <appendix>
- <title>***</title>
+ <para>As a tool for helping to configure the initial security
+ settings there is a 'learn' property.</para>
- <abstract>
- <para>*** yada yada</para>
- </abstract>
+ <programlisting format="linespecific">isis.authorization.learn=true</programlisting>
- <sect1 id="sec.module-ui">
- <title>***</title>
+ <para>When this is present and set, all methods will be authorised
+ for all roles. However as each method is accessed through the user
+ interface authorization will be configured for that method and the
+ current role. Configuration will be saved in either the file (saved
+ on shutdown), database table or LDAP security settings depending
+ upon the reflector setup.</para>
- <para>*** yada yada</para>
- </sect1>
- </appendix>
+ <para>The settings can then be modified to conform to the required
+ security settings.</para>
+
+ <para></para>
+
+ <para></para>
+ </sect2>
+ </sect1>
+ </chapter>
+ </part>
</book>
Modified: incubator/isis/trunk/security/src/site/site.xml
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/security/src/site/site.xml?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/security/src/site/site.xml (original)
+++ incubator/isis/trunk/security/src/site/site.xml Tue Apr 12 22:37:15 2011
@@ -17,6 +17,11 @@
<item name="LDAP" href="./ldap/index.html" />
</menu>
+ <menu name="Documentation">
+ <item name="${docbkxGuideTitle} (PDF)" href="docbkx/pdf/${docbkxGuideName}.pdf" />
+ <item name="${docbkxGuideTitle} (HTML)" href="docbkx/html/guide/${docbkxGuideName}.html" />
+ </menu>
+
<menu name="Maven Reports" ref="reports" />
</body>
</project>
Modified: incubator/isis/trunk/src/site/apt/documentation.apt
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/apt/documentation.apt?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/src/site/apt/documentation.apt (original)
+++ incubator/isis/trunk/src/site/apt/documentation.apt Tue Apr 12 22:37:15 2011
@@ -45,13 +45,9 @@ Documentation
*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
|core |Core Framework |Architecture, APIs and Customization |{{{./core/docbkx/pdf/isis-core.pdf}PDF}} |{{{./core/docbkx/html/guide/isis-core.html}HTML}} |50% |Dan, Rob |
*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|progmodels:groovy |Groovy Programming Model |Configuration and Deployment Guide |{{{./progmodels/groovy/docbkx/pdf/isis-groovy-support.pdf}PDF}} |{{{./progmodels/groovy/docbkx/html/guide/isis-groovy-support.html}HTML}} |Done |Dan |
+|progmodels |Programming Models |Configuration and Customization Guide |{{{./progmodels/docbkx/pdf/isis-progmodels.pdf}PDF}} |{{{./progmodels/docbkx/html/guide/isis-progmodels.html}HTML}} |33% |Dan |
*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|progmodels:wrapper |Wrapper Programming Model |Configuration and Deployment Guide |{{{./progmodels/wrapper/docbkx/pdf/isis-wrapper.pdf}PDF}} |{{{./progmodels/wrapper/docbkx/html/guide/isis-wrapper.html}HTML}} |0% |Dan |
-*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|security:file |File Security |Configuration and Deployment Guide |{{{./security/file/docbkx/pdf/isis-file-security.pdf}PDF}} |{{{./security/file/docbkx/html/guide/isis-file-security.html}HTML}} |10% |Dan,Rob |
-*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
-|security:ldap |LDAP Security |Configuration and Deployment Guide |{{{./security/ldap/docbkx/pdf/isis-ldap-security.pdf}PDF}} |{{{./security/ldap/docbkx/html/guide/isis-ldap-security.html}HTML}} |10% |Rob |
+|security |Security |Configuration and Deployment Guide |{{{./security/docbkx/pdf/isis-security.pdf}PDF}} |{{{./security/docbkx/html/guide/isis-security.html}HTML}} |10% |Dan,Rob |
*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
|runtimes:dflt |Default Runtime |Programming, Configuration and Deployment Guide |{{{./runtimes/dflt/docbkx/pdf/isis-default-runtime.pdf}PDF}} |{{{./runtimes/dflt/docbkx/html/guide/isis-default-runtime.html}HTML}} |0% |Dan |
*--------------------------------+------------------------------------+------------------------------------------------+---------------------------------------------------------------------------------*------------------------------------------------------------------------------------------*----------*---------+
Modified: incubator/isis/trunk/src/site/apt/quickstart-app.apt
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/apt/quickstart-app.apt?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
--- incubator/isis/trunk/src/site/apt/quickstart-app.apt (original)
+++ incubator/isis/trunk/src/site/apt/quickstart-app.apt Tue Apr 12 22:37:15 2011
@@ -24,7 +24,7 @@ QuickStart App
+------------------------------------------------------------
mvn archetype:generate \
- -D archetypeCatalog=https://incubator.apache.org/isis \
+ -D archetypeCatalog=http://incubator.apache.org/isis \
-D archetypeGroupId=org.apache.isis.support \
-D archetypeArtifactId=quickstart-archetype
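Review bot: The archetype catalog URL on the changed line is downgraded from https to http, so the quickstart now tells users to fetch the catalog, and by extension the archetype coordinates it resolves, over a channel that is neither authenticated nor tamper-evident. If the https endpoint was not serving the catalog at the time, that is worth stating in the text so the downgrade reads as deliberate rather than accidental; otherwise the previous form `-D archetypeCatalog=https://incubator.apache.org/isis \` should be kept. Whether the https host actually served the catalog cannot be told from the diff.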
Modified: incubator/isis/trunk/src/site/resources/images/HexagonalArchitectureOverview.odg
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/images/HexagonalArchitectureOverview.odg?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.
Modified: incubator/isis/trunk/src/site/resources/images/HexagonalArchitectureOverview.png
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/images/HexagonalArchitectureOverview.png?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.
Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis-notes.pdf
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis-notes.pdf?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.
Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis-slides.pdf
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis-slides.pdf?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.
Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.odp
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.odp?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.
Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.ppt
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.ppt?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.
Modified: incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.pptx
URL: http://svn.apache.org/viewvc/incubator/isis/trunk/src/site/resources/presentations/IntroducingApacheIsis.pptx?rev=1091590&r1=1091589&r2=1091590&view=diff
==============================================================================
Binary files - no diff available.