Posted to users@tapestry.apache.org by Muhammad Mohsen <m....@gmail.com> on 2010/10/18 17:52:46 UTC

[T5.2] What security framework do you recommend ?

Hi All,

I'm currently trying to decide what framework to use to secure my tapestry
applications efficiently and easily. So I found tapestry-acegi and
tynamo-security so far. Been reading some about tynamo's.
Maybe someone could share his experience with either framework or securing
tapestry applications in general.

Regards.
-- 
*Regards,*
*Muhammad Gelbana
Java Software Programmer*

Re: [T5.2] What security framework do you recommend ?

Posted by Muhammad Mohsen <m....@gmail.com>.
Tynamo\Shiro must've left quite an impression on you guys :D

Sounds like I was questioning the unquestionable lol

Well, what I like most about tynamo is securing method calls. I'm really
impressed by that. Maybe acegi supports that too but from your messages,
I think tynamo wins :)

But has anyone used ESAPI before? OWASP's security framework? I don't
know a more professional organisation specialized in web applications
security than OWASP. I guess their framework has much more potential than
any other security framework.

But I'll stick with tynamo for now, I need to get going with something and
not analyze every single framework for every aspect of my application !

Your time is highly appreciated, thank you all.

On Mon, Oct 18, 2010 at 11:39 PM, Borut Bolčina <bo...@gmail.com> wrote:

> +1 on that
>
> Very easy to use (read shiro documentation), very well integrated in
> Tapestry and the components are right there to use them.
>
> -Borut
>
> Another +1 for Kalle's responsiveness.
>
>
>
> 2010/10/18 Mark W. Shead <mw...@gmail.com>
>
> > I've been very pleased with tynamo's tapestry-security module (which
> > uses Shiro).
> >
> > One nice benefit is that it provides components you can use in your
> > tapestry templates to do stuff like:
> >
> > <t:security.hasRole role="user1role">
> >                You have user1role
> > </t:security.hasRole>
> >
> > Other reasons I like tapestry-security:
> >
> > - Good documentation and examples in an actual tapestry application
> > (http://tynamo.org/tapestry-security+guide)
> >
> > - Kalle is very helpful.
> >
> > - Leverages the tapestry approach of doing things. Your knowledge base
> > of how tapestry works makes it easier to look at the source code of
> > tapestry-security to understand something if necessary. (Anything that
> > comes as a Tapestry module is likely to give you this benefit.)
> >
> >
> > Mark
> >
> > -
> > On Mon, Oct 18, 2010 at 10:52 AM, Muhammad Mohsen <m....@gmail.com>
> > wrote:
> > > Hi All,
> > >
> > > I'm currently trying to decide what framework to use to secure my
> > tapestry
> > > applications efficiently and easily. So I found tapestry-acegi and
> > > tynamo-security so far. Been reading some about tynamo's.
> > > May be someone could share his experience with either frameworks or
> > securing
> > > tapestry applications in general.
> > >
> > > Regards.
> > > --
> > > *Regards,*
> > > *Muhammad Gelbana
> > > Java Software Programmer*
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> > For additional commands, e-mail: users-help@tapestry.apache.org
> >
> >
>



-- 
*Regards,*
*Muhammad Gelbana
Java Software Programmer*

Re: [T5.2] What security framework do you recommend ?

Posted by Borut Bolčina <bo...@gmail.com>.
+1 on that

Very easy to use (read shiro documentation), very well integrated in
Tapestry and the components are right there to use them.

-Borut

Another +1 for Kalle's responsiveness.



2010/10/18 Mark W. Shead <mw...@gmail.com>

> I've been very pleased with tynamo's tapestry-security module (which
> uses Shiro).
>
> One nice benefit is that it provides components you can use in your
> tapestry templates to do stuff like:
>
> <t:security.hasRole role="user1role">
>                You have user1role
> </t:security.hasRole>
>
> Other reasons I like tapestry-security:
>
> - Good documentation and examples in an actual tapestry application
> (http://tynamo.org/tapestry-security+guide)
>
> - Kalle is very helpful.
>
> - Leverages the tapestry approach of doing things. Your knowledge base
> of how tapestry works makes it easier to look at the source code of
> tapestry-security to understand something if necessary. (Anything that
> comes as a Tapestry module is likely to give you this benefit.)
>
>
> Mark
>
> -
> On Mon, Oct 18, 2010 at 10:52 AM, Muhammad Mohsen <m....@gmail.com>
> wrote:
> > Hi All,
> >
> > I'm currently trying to decide what framework to use to secure my
> tapestry
> > applications efficiently and easily. So I found tapestry-acegi and
> > tynamo-security so far. Been reading some about tynamo's.
> > May be someone could share his experience with either frameworks or
> securing
> > tapestry applications in general.
> >
> > Regards.
> > --
> > *Regards,*
> > *Muhammad Gelbana
> > Java Software Programmer*
> >
>
>
>

Re: [T5.2] What security framework do you recommend ?

Posted by "Juan E. Maya" <ma...@gmail.com>.
I agree with Mark. I have tried both Spring Security and Shiro and I
have found the integration with Tapestry is more transparent with
Shiro using tynamo.
It might be because a Tynamo committer is also part of the Shiro team! :)

One big disadvantage of Spring-security is that you are forced to use Spring,
although if you are already using it then it's not a problem.


On Mon, Oct 18, 2010 at 8:46 PM, Mark W. Shead <mw...@gmail.com> wrote:
> I've been very pleased with tynamo's tapestry-security module (which
> uses Shiro).
>
> One nice benefit is that it provides components you can use in your
> tapestry templates to do stuff like:
>
> <t:security.hasRole role="user1role">
>                You have user1role
> </t:security.hasRole>
>
> Other reasons I like tapestry-security:
>
> - Good documentation and examples in an actual tapestry application
> (http://tynamo.org/tapestry-security+guide)
>
> - Kalle is very helpful.
>
> - Leverages the tapestry approach of doing things. Your knowledge base
> of how tapestry works makes it easier to look at the source code of
> tapestry-security to understand something if necessary. (Anything that
> comes as a Tapestry module is likely to give you this benefit.)
>
>
> Mark
>
> -
> On Mon, Oct 18, 2010 at 10:52 AM, Muhammad Mohsen <m....@gmail.com> wrote:
>> Hi All,
>>
>> I'm currently trying to decide what framework to use to secure my tapestry
>> applications efficiently and easily. So I found tapestry-acegi and
>> tynamo-security so far. Been reading some about tynamo's.
>> May be someone could share his experience with either frameworks or securing
>> tapestry applications in general.
>>
>> Regards.
>> --
>> *Regards,*
>> *Muhammad Gelbana
>> Java Software Programmer*
>>
>
>
>



Re: [T5.2] What security framework do you recommend ?

Posted by "Mark W. Shead" <mw...@gmail.com>.
I've been very pleased with tynamo's tapestry-security module (which
uses Shiro).

One nice benefit is that it provides components you can use in your
tapestry templates to do stuff like:

<t:security.hasRole role="user1role">
    		You have user1role
</t:security.hasRole>

Other reasons I like tapestry-security:

- Good documentation and examples in an actual tapestry application
(http://tynamo.org/tapestry-security+guide)

- Kalle is very helpful.

- Leverages the tapestry approach of doing things. Your knowledge base
of how tapestry works makes it easier to look at the source code of
tapestry-security to understand something if necessary. (Anything that
comes as a Tapestry module is likely to give you this benefit.)


Mark

-
On Mon, Oct 18, 2010 at 10:52 AM, Muhammad Mohsen <m....@gmail.com> wrote:
> Hi All,
>
> I'm currently trying to decide what framework to use to secure my tapestry
> applications efficiently and easily. So I found tapestry-acegi and
> tynamo-security so far. Been reading some about tynamo's.
> May be someone could share his experience with either frameworks or securing
> tapestry applications in general.
>
> Regards.
> --
> *Regards,*
> *Muhammad Gelbana
> Java Software Programmer*
>



Re: Component parameters-unintended persistent binding

Posted by Howard Lewis Ship <hl...@gmail.com>.
I'm confused from your description.  I'm sure it's something minor, but
we'd need to know the version you are using, plus more details from
your .tml and .java files to figure out what's going on.

On Mon, Oct 18, 2010 at 12:19 PM, Jeshurun Daniel <sj...@yahoo.ca> wrote:
> Hi everyone,
> This is a really strange problem I'm having with component parameters and I've spent a whole day on this and I'm still clueless.
>
> I have three components, a custom layout component, a menu component and a breadcrumb component. The menu and breadcrumb components are contained within the layout component. They each have a required parameter, mainMenuId and breadcrumbId, which is used to render the menu / breadcrumb recursively from the database. These parameters are bound to the containing layout component, and I pass them to the layout component from the page. So for example say on one page I only want the menu and not the breadcrumbs, I use an if in the layout component to check if the menuId is bound like this:
>
> <t:if test="mainMenuId"><t:mainMenu /></t:if>
>
> The breadcrumbs work the same way.
> This works fine. Now here is where I am getting confused. In the Index page, I'm displaying the menu, but I'm not showing the breadcrumbs. No problem. In the next page, I'm just displaying the breadcrumbs without the menu. This works fine as well.
> But when I look at the logs when rendering the second page, I see that the mainMenuId getters have been called, and the database queries in the menu component have run, even though the menu itself is not shown in the page. I printed out the value and it is what I set on the index page, even though this page is in no way related to the index page, and this page does not provide any values for the mainMenuId parameter. However, if I restart the server and go directly to the second page, then I don't see the queries and the values are not bound.
> Here is how I'm passing the value from the Index page:
>
> <div t:type="MyTheme" t:mainMenuId="1">
>
> And this is how it looks in the second page:
>
> <div t:type="MyTheme" t:breadcrumbId="11" />
>
> I tried clearing the values using @afterrender in the layout component, and set the parameters as property bindings instead of literals, with no luck. I still don't completely understand the page / component life cycle and so this is a little confusing to me. If anyone could give me any pointers I would greatly appreciate it.
> Thanks in advance,
> Jeshurun
>
>
>



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com



Re: Component parameters-unintended persistent binding

Posted by Rich M <ri...@moremagic.com>.
This may not be entirely your issue, but the t:if test parameter takes 
in property bindings, so I believe that is why it would be calling the 
getters on the mainMenuId even if it were blank/null on the second page. 
What happens if you have the test parameter link to a boolean method 
that handles whether or not the mainMenuId is null/blank rather than 
relying on the property binding and String->boolean conversion? I can't 
speak beyond as to why it would be loading a different value here in the 
second page.

On 10/18/2010 03:19 PM, Jeshurun Daniel wrote:
> Hi everyone,
> This is a really strange problem I'm having with component parameters and I've spent a whole day on this and I'm still clueless.
>
> I have three components, a custom layout component, a menu component and a breadcrumb component. The menu and breadcrumb components are contained within the layout component. They each have a required parameter, mainMenuId and breadcrumbId, which is used to render the menu / breadcrumb recursively from the database. These parameters are bound to the containing layout component, and I pass them to the layout component from the page. So for example say on one page I only want the menu and not the breadcrumbs, I use an if in the layout component to check if the menuId is bound like this:
>
> <t:if test="mainMenuId"><t:mainMenu /></t:if>
>
> The breadcrumbs work the same way.
> This works fine. Now here is where I am getting confused. In the Index page, I'm displaying the menu, but I'm not showing the breadcrumbs. No problem. In the next page, I'm just displaying the breadcrumbs without the menu. This works fine as well.
> But when I look at the logs when rendering the second page, I see that the mainMenuId getters have been called, and the database queries in the menu component have run, even though the menu itself is not shown in the page. I printed out the value and it is what I set on the index page, even though this page is in no way related to the index page, and this page does not provide any values for the mainMenuId parameter. However, if I restart the server and go directly to the second page, then I don't see the queries and the values are not bound.
> Here is how I'm passing the value from the Index page:
>
> <div t:type="MyTheme" t:mainMenuId="1">
>
> And this is how it looks in the second page:
>
> <div t:type="MyTheme" t:breadcrumbId="11" />
>
> I tried clearing the values using @afterrender in the layout component, and set the parameters as property bindings instead of literals, with no luck. I still don't completely understand the page / component life cycle and so this is a little confusing to me. If anyone could give me any pointers I would greatly appreciate it.
> Thanks in advance,
> Jeshurun
>
>
>
>    




Component parameters-unintended persistent binding

Posted by Jeshurun Daniel <sj...@yahoo.ca>.
Hi everyone,
This is a really strange problem I'm having with component parameters and I've spent a whole day on this and I'm still clueless.

I have three components, a custom layout component, a menu component and a breadcrumb component. The menu and breadcrumb components are contained within the layout component. They each have a required parameter, mainMenuId and breadcrumbId, which is used to render the menu / breadcrumb recursively from the database. These parameters are bound to the containing layout component, and I pass them to the layout component from the page. So for example say on one page I only want the menu and not the breadcrumbs, I use an if in the layout component to check if the menuId is bound like this:

<t:if test="mainMenuId"><t:mainMenu /></t:if>

The breadcrumbs work the same way.
This works fine. Now here is where I am getting confused. In the Index page, I'm displaying the menu, but I'm not showing the breadcrumbs. No problem. In the next page, I'm just displaying the breadcrumbs without the menu. This works fine as well.
But when I look at the logs when rendering the second page, I see that the mainMenuId getters have been called, and the database queries in the menu component have run, even though the menu itself is not shown in the page. I printed out the value and it is what I set on the index page, even though this page is in no way related to the index page, and this page does not provide any values for the mainMenuId parameter. However, if I restart the server and go directly to the second page, then I don't see the queries and the values are not bound.
Here is how I'm passing the value from the Index page:

<div t:type="MyTheme" t:mainMenuId="1">

And this is how it looks in the second page:

<div t:type="MyTheme" t:breadcrumbId="11" />

I tried clearing the values using @afterrender in the layout component, and set the parameters as property bindings instead of literals, with no luck. I still don't completely understand the page / component life cycle and so this is a little confusing to me. If anyone could give me any pointers I would greatly appreciate it.
Thanks in advance,
Jeshurun



Re: [T5.2] What security framework do you recommend ?

Posted by "Vangel V. Ajanovski" <aj...@ii.edu.mk>.
Depending on the application.

We use JASIG CAS server for authentication. It is used at many big US
universities and it is best used as a single sign on solution for many
websites. But it's pretty easy to set up and customizable, so it can be
used even on small sites.
- Once logged in on CAS, the user gets a ticket which is recognized by
any application
- CAS has many client libraries (so you can use it in php, .net, java,
...) and supports authentication to many user sources (sql, ldap, file, ...)

For our Tapestry application we needed to have role-based access control
to pages (depending on roles that the user has, he is given access to a
page or not).

We started with CAS authentication
- CAS is set up as a filter for the URLs that need access control; it
won't allow you to even open the URL unless you have a login, and it is a
system that I trust, so I am sure that every page is visited only by
logged-in users. After the user has logged in, he is forwarded to the
protected pages and REMOTE_USER is set up in the request.
- So CAS is the first thing that is checked on each request, but it is
checked by the CAS filter itself without your application even knowing
about it
- We have each page annotated in the java source with custom annotations
- one for each user role (we only have few different user roles)
- You only have to check if the user has one of the roles that the page
requires (see the other thread about implementing security).

But ... this was all after I decided to drop Spring Security (acegi
successor) from the Tapestry app because for our case it didn't help
much; the code I have written and mentioned previously was the same in
both cases. On the other hand, CAS uses Spring internally to realize all
its customizability.

On 10/18/2010 05:52 PM, Muhammad Mohsen wrote:
> Hi All,
>
> I'm currently trying to decide what framework to use to secure my tapestry
> applications efficiently and easily. So I found tapestry-acegi and
> tynamo-security so far. Been reading some about tynamo's.
> May be someone could share his experience with either frameworks or securing
> tapestry applications in general.
>
> Regards.
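
The per-page role check described in the message above, as an added example that is not part of the original post or of the poster's application. The annotation names, page classes, user names and role store are hypothetical, and denying pages that carry no role annotation is an assumption made here so that a forgotten annotation fails closed.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Map;
import java.util.Set;

public class PageRoleCheck {

    // Hypothetical marker annotations, one per role (names are assumptions).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @interface StudentPage {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @interface ProfessorPage {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @interface AdminPage {}

    // The role each annotation stands for.
    static final Map<Class<? extends Annotation>, String> ROLE_FOR = Map.of(
            StudentPage.class, "student",
            ProfessorPage.class, "professor",
            AdminPage.class, "admin");

    // Constructed sample page classes.
    @StudentPage @ProfessorPage static class Grades {}
    @AdminPage static class UserAdmin {}
    static class Unannotated {}

    // Constructed role store; a real one would be backed by SQL or LDAP.
    static final Map<String, Set<String>> ROLES_OF = Map.of(
            "alice", Set.of("student"),
            "bob", Set.of("professor", "admin"));

    /**
     * remoteUser is the name the SSO filter placed in the request (REMOTE_USER).
     * Access is granted only if the user holds at least one role the page is
     * annotated with. A missing user, an unknown user, or a page with no role
     * annotation is denied.
     */
    static boolean mayAccess(Class<?> page, String remoteUser) {
        if (remoteUser == null || remoteUser.isBlank()) {
            return false;
        }
        Set<String> userRoles = ROLES_OF.getOrDefault(remoteUser, Set.of());
        for (Map.Entry<Class<? extends Annotation>, String> e : ROLE_FOR.entrySet()) {
            if (page.isAnnotationPresent(e.getKey()) && userRoles.contains(e.getValue())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed cases: page class and the REMOTE_USER value seen on the request.
        Object[][] cases = {
            {Grades.class, "alice"}, {Grades.class, "bob"},
            {UserAdmin.class, "alice"}, {UserAdmin.class, "bob"},
            {Unannotated.class, "bob"}, {Grades.class, null}, {Grades.class, "mallory"},
        };
        for (Object[] c : cases) {
            Class<?> page = (Class<?>) c[0];
            String user = (String) c[1];
            System.out.printf("%-12s %-8s -> %s%n", page.getSimpleName(), user,
                    mayAccess(page, user) ? "ALLOW" : "DENY");
        }
    }
}
```

The check only makes sense behind the authentication filter: it trusts the user name it is handed, so it must run on requests the filter has already authenticated.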



Re: [T5.2] What security framework do you recommend ?

Posted by Katia Aresti Gonzalez <ka...@gmail.com>.
Hi,

It depends on your needs and on you.

I successfully used Spring Security 3.0 (without any additional library) and
it works very well. You can check out the example here:

http://github.com/lguerin/tapestwitter

and Tynamo security with shiro too

http://github.com/ccordenier/tapestry5-hotel-booking/tree/tynamo

Both applications - tapestwitter and hotel-booking-tynamo - are full and
small demo applications, not much code to look at. Consider looking at these
applications to give yourself an opinion.

My personal opinion is that I prefer spring because it looks more mature
than shiro (don't blame me Kalle :) ). On the other hand, Tynamo integration
is nice too and Tynamo committers are active members on this list, so you
will find help and you will help them to improve both shiro and tynamo.

Hope this helps

Katia

2010/10/18 Muhammad Mohsen <m....@gmail.com>

> Hi All,
>
> I'm currently trying to decide what framework to use to secure my tapestry
> applications efficiently and easily. So I found tapestry-acegi and
> tynamo-security so far. Been reading some about tynamo's.
> May be someone could share his experience with either frameworks or
> securing
> tapestry applications in general.
>
> Regards.
> --
> *Regards,*
> *Muhammad Gelbana
> Java Software Programmer*
>