You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tapestry.apache.org by Alex Kotchnev <ak...@gmail.com> on 2009/12/29 21:32:55 UTC
Re: [Tapestry Central] Securing Tapestry pages with Annotations, Part
1
Howard,
having looked at the T5-spring-security code (and spring security
itself) I see quite a number of similarities with what you describe as an
approach. As Thiago already mentioned, there are at least a few more
solutions that attempt to provide this (e.g. Thiago's own,
chenillekit-access, and a bunch more). As much as people have a tendency to
complain that spring security is too complicated, it seems that any other
solution (e.g. based on T5 IoC) that attempts to provide the same level of
flexibility and generality will eventually end up with similar complexity (
and will most likely never have the mind & market share of spring security).
Thus, it seems to me that the effort to provide a "new" framework to do all
of this is somewhat futile.
An alternative approach (which seems to be quite successful in Grails
land) seems to be to provide integration & simplification w/ existing
security frameworks that already have all of the flexibility (and
complexity) that you talk about . For example. in Grails using the spring
security plugin comes down to installing the plugin and annotating your
controllers w/ Roles - it certainly reduces the number of available options
(thus making it less flexible) but the ease of getting started with it is
quite attractive . If the desire is to provide a pure T5 based solution,
why not take one of the existing security modules (e.g. chenillekit-access)
and analyze its approach and improve it instead of starting from scratch
(and use the forum as an opportunity to improve & extend the same existing
component) ?
Regards,
Alex K
On Tue, Dec 29, 2009 at 6:45 AM, Vangel V. Ajanovski <aj...@ii.edu.mk> wrote:
> On 28.12.2009 23:49, Howard wrote:
> > Instead, let's pursue a more declarative approach, where we use an
> > annotation to mark pages that require that the user be logged in. We'll
> > start with these ground rules:
> >
> We changed several approaches since the start of our app, and this
> approach is the last we have.
>
> But as Howard discussed many times, such a solution is not fit for
> everyone, and we don't have that special requirements.
> We use this approach only for authorization, while the authentication is
> completely done by JASIG CAS client that sits configured as a filter in
> front of Tapestry.
> In this case, if the visitor is not authenticated, he will never be able
> to get a request thru to tapestry.
> For authorization we have several different page annotations (similar to
> the @RequiresLogin annotation) that we can combine and they tell us the
> groups of users that are allowed to access a page.
> Then a cross check is done in the requesthandler contribution whether
> the annotation on the page corresponds to some of the groups the user is
> member of read from the database.
>
> Before that we had spring-security and i didn't like it, although the
> point of it was that it already supported many type of authentication
> methods. But it turns out we don't need them now, and the change was not
> that big.
>
> The information on how to implement all this was already discussed on
> this mailing list, the wiki and other places and I managed to glue that
> up in our working solution in less than a week working in free time.
> Some of the wiki guides were outdated and hindered the process. With
> such a guide I would have finished in just 1 day.
>
> +1 from me for putting such article in the official documentation on the
> website, because blogs are (by nature) relevant for a moment in time and
> if it's put in the official documentation one would have to check and
> "sign" that this works on every new release.
>
>
>
Re: [Tapestry Central] Securing Tapestry pages with Annotations, Part
1
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
Em Thu, 31 Dec 2009 09:16:15 -0200, Alessandro Bottoni
<al...@gmail.com> escreveu:
> Il 29/12/2009 21:32, Alex Kotchnev ha scritto:
>> approach. As Thiago already mentioned, there are at least a few more
>> solutions that attempt to provide this (e.g. Thiago's own,
>> chenillekit-access, and a bunch more).
>
> Let's me play the Devil's advocate for a moment...
I guess Alex suggested to start the development of a Tapestry security
package based on some package that already exists, not adopting them as
part of the Tapestry project as they are now. We all agree that
documentation is key and should be improved.
> Moreover, in many cases it would be very hard to convince the project
> leader or the end user to accept a (sorry Thiago ....) not-canonical,
> little known, little documented, maybe-risky library like this one.
I never suggested that someone should use a little documented package, so
I don't know why you're apologizing to me. :)
Little-known library? Unfortunately, Tapestry is not a very well-known
library AFAIK. :(
--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
and instructor
Owner, software architect and developer, Ars Machina Tecnologia da
Informação Ltda.
http://www.arsmachina.com.br
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: [Tapestry Central] Securing Tapestry pages with Annotations, Part
1
Posted by Toby Hobson <to...@googlemail.com>.
Just to add my 2 cents ... imho it's best to build on an exiting framework
like spring-security rather than trying to re-invent the wheel.
acegi/spring-security has great traction in the market and it's very well
documented. Recent versions are becoming much simpler due to sensible
defaults but more esoteric use-cases are still supported.
Toby
2009/12/31 Sven Homburg <ho...@googlemail.com>
> Hi Allesandro,
>
> i totally agree with you.
> The documentation of the ChenilleKit-Modules
> is bad or lacks at some points.
>
> One of our good intentions for 2010 is to
> write more and better docs.
>
>
> with regards
> Sven Homburg
> Founder of the Chenille Kit Project
> http://chenillekit.codehaus.org
>
>
>
>
> 2009/12/31 Alessandro Bottoni <al...@gmail.com>
>
> > Il 29/12/2009 21:32, Alex Kotchnev ha scritto:
> > > approach. As Thiago already mentioned, there are at least a few more
> > > solutions that attempt to provide this (e.g. Thiago's own,
> > > chenillekit-access, and a bunch more).
> >
> > Let's me play the Devil's advocate for a moment...
> >
> > ChenilleKit-Access is an example of why the typical new user (like me)
> > will NOT use such a solution, no matter how good and elegant it could
> > be. The reason is that the ONLY official documentation you can find
> > using Google is the following....
> >
> > <quote>
> > Introduction
> >
> > ChenilleKit Access module sits in between your page processing logic and
> > the client HTTP request, doing so it is able to decide when and how the
> > request can pass through or not.
> >
> > For doing so it needs two different steps. First it put RestrictedWorker
> > into the ComponentClassTranformWorker pipeline, this class is
> > responsible to read the annotation class and store various meta
> > information needed by AccessValidator. Second it put two Dispatcher into
> > two different pipelines for intercepting page render and component event
> > action requests to check if they're directed to restricted class/events
> > and to apply the needed constraints.
> > </quote>
> >
> > I'm sorry but I have to say that many (or most?) new users will not have
> > neither the time nor the patience to study the JavaDoc or the source
> > code just to figure out how to use this (or any other) library, no
> > matter how simple it can be.
> >
> > Moreover, in many cases it would be very hard to convince the project
> > leader or the end user to accept a (sorry Thiago ....) not-canonical,
> > little known, little documented, maybe-risky library like this one.
> >
> > For what regards me, for example, I would be forced to look for a
> > widely-recognized, well-tested, well-documented, standard module, inside
> > or outside the Tapestry world (Acegi?) or, as an alternative, to
> > demonstrate that ChenilleKit is the right tool for the task at hand
> > (being ready to pay for any possible error about my judgment...).
> >
> > Just the voice of the Devil, anyway... ;-)
> >
> > PS: Yes, I'm aware of this article:
> > http://www.equanda.org/templates/login.html .
> >
> > --
> >
> > Alessandro Bottoni
> > Website: http://www.alessandrobottoni.it/
> >
> > "They say if you play a Microsoft CD backwards,
> > you hear satanic messages.
> > That's nothing, cause if you play it forwards,
> > it installs Windows."
> > -- Unknown
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> > For additional commands, e-mail: users-help@tapestry.apache.org
> >
>
Re: [Tapestry Central] Securing Tapestry pages with Annotations, Part
1
Posted by Sven Homburg <ho...@googlemail.com>.
Hi Allesandro,
i totally agree with you.
The documentation of the ChenilleKit-Modules
is bad or lacks at some points.
One of our good intentions for 2010 is to
write more and better docs.
with regards
Sven Homburg
Founder of the Chenille Kit Project
http://chenillekit.codehaus.org
2009/12/31 Alessandro Bottoni <al...@gmail.com>
> Il 29/12/2009 21:32, Alex Kotchnev ha scritto:
> > approach. As Thiago already mentioned, there are at least a few more
> > solutions that attempt to provide this (e.g. Thiago's own,
> > chenillekit-access, and a bunch more).
>
> Let's me play the Devil's advocate for a moment...
>
> ChenilleKit-Access is an example of why the typical new user (like me)
> will NOT use such a solution, no matter how good and elegant it could
> be. The reason is that the ONLY official documentation you can find
> using Google is the following....
>
> <quote>
> Introduction
>
> ChenilleKit Access module sits in between your page processing logic and
> the client HTTP request, doing so it is able to decide when and how the
> request can pass through or not.
>
> For doing so it needs two different steps. First it put RestrictedWorker
> into the ComponentClassTranformWorker pipeline, this class is
> responsible to read the annotation class and store various meta
> information needed by AccessValidator. Second it put two Dispatcher into
> two different pipelines for intercepting page render and component event
> action requests to check if they're directed to restricted class/events
> and to apply the needed constraints.
> </quote>
>
> I'm sorry but I have to say that many (or most?) new users will not have
> neither the time nor the patience to study the JavaDoc or the source
> code just to figure out how to use this (or any other) library, no
> matter how simple it can be.
>
> Moreover, in many cases it would be very hard to convince the project
> leader or the end user to accept a (sorry Thiago ....) not-canonical,
> little known, little documented, maybe-risky library like this one.
>
> For what regards me, for example, I would be forced to look for a
> widely-recognized, well-tested, well-documented, standard module, inside
> or outside the Tapestry world (Acegi?) or, as an alternative, to
> demonstrate that ChenilleKit is the right tool for the task at hand
> (being ready to pay for any possible error about my judgment...).
>
> Just the voice of the Devil, anyway... ;-)
>
> PS: Yes, I'm aware of this article:
> http://www.equanda.org/templates/login.html .
>
> --
>
> Alessandro Bottoni
> Website: http://www.alessandrobottoni.it/
>
> "They say if you play a Microsoft CD backwards,
> you hear satanic messages.
> That's nothing, cause if you play it forwards,
> it installs Windows."
> -- Unknown
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
Re: [Tapestry Central] Securing Tapestry pages with Annotations, Part
1
Posted by Sven Homburg <ho...@googlemail.com>.
sometimes i am wondered about people,
the hopes, that they "learn" tapestry at their REM phase.
with regards
Sven Homburg
Founder of the Chenille Kit Project
http://chenillekit.codehaus.org
2010/1/2 cleverpig <gr...@gmail.com>
> On Sun, Jan 3, 2010 at 4:40 AM, Alessandro Bottoni
> <al...@gmail.com> wrote:
> > Il 02/01/2010 20:18, Massimo Lusetti ha scritto:
> >> On Thu, Dec 31, 2009 at 12:16 PM, Alessandro Bottoni
> >> <al...@gmail.com> wrote:
> >>
> >>> Let's me play the Devil's advocate for a moment...
> >>>
> >>> ChenilleKit-Access is an example of why the typical new user (like me)
> >>> will NOT use such a solution, no matter how good and elegant it could
> >>> be. The reason is that the ONLY official documentation you can find
> >>> using Google is the following....
> >>
> >> Unfortunately i can't see any code nor docs from you.
> >
> > Massimo, of course you are right when you underline this but...
> >
> > "Let's me play the Devil's advocate for a moment..."
> >
> > :-)
> >
> > I'm not accusing any of the Tapesty/ChenilleKit guys of anything. I'm
> > just trying to understand why Tapestry does not have the same level of
> > appreciation by the large public as Wicket, despite its evident
> > technical superiority.
> >
> > I'll be happy to contribute some code/docu when I'll be able to write
> > it. Of course, the less docu I find, the less code and docu I'll be able
> > to write in the short/medium term. :-)
>
> tapestry document are really less,and not fit with the friends from
> non-english country.
> code example were a little no practical .. it's my advice...
> so we should do more and complain less..
>
> >
> > Cheers
> > --
> >
> > Alessandro Bottoni
> > Website: http://www.alessandrobottoni.it/
> >
> > "Some subjects are so serious that one can only joke about them."
> > -- Niels Bohr
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> > For additional commands, e-mail: users-help@tapestry.apache.org
> >
>
>
>
> --
> cleverpig(Dan)
> Location: Beijing
> Address: Room 4018,No.A2 South Avenue Fuxingmen Beijing,P.R.China
> Zipcode: 100031
> MSN: great_liudan@hotmail.com
> QQ: 149291732
> Skype: cleverpigatmatrix
> Facebook ID:cleverpig
> Blog: www.cleverpig.name
> Tags: del.icio.us/cleverpig
> Twitter: twitter.com/cleverpig
> 新浪微博: t.sina.com.cn/cleverpig
> Organization: www.beijing-open-party.org
> Organ@Facebook: http://www.facebook.com/group.php?gid=8159558294
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
>
Re: [Tapestry Central] Securing Tapestry pages with Annotations, Part
1
Posted by cleverpig <gr...@gmail.com>.
On Sun, Jan 3, 2010 at 4:40 AM, Alessandro Bottoni
<al...@gmail.com> wrote:
> Il 02/01/2010 20:18, Massimo Lusetti ha scritto:
>> On Thu, Dec 31, 2009 at 12:16 PM, Alessandro Bottoni
>> <al...@gmail.com> wrote:
>>
>>> Let's me play the Devil's advocate for a moment...
>>>
>>> ChenilleKit-Access is an example of why the typical new user (like me)
>>> will NOT use such a solution, no matter how good and elegant it could
>>> be. The reason is that the ONLY official documentation you can find
>>> using Google is the following....
>>
>> Unfortunately i can't see any code nor docs from you.
>
> Massimo, of course you are right when you underline this but...
>
> "Let's me play the Devil's advocate for a moment..."
>
> :-)
>
> I'm not accusing any of the Tapesty/ChenilleKit guys of anything. I'm
> just trying to understand why Tapestry does not have the same level of
> appreciation by the large public as Wicket, despite its evident
> technical superiority.
>
> I'll be happy to contribute some code/docu when I'll be able to write
> it. Of course, the less docu I find, the less code and docu I'll be able
> to write in the short/medium term. :-)
tapestry document are really less,and not fit with the friends from
non-english country.
code example were a little no practical .. it's my advice...
so we should do more and complain less..
>
> Cheers
> --
>
> Alessandro Bottoni
> Website: http://www.alessandrobottoni.it/
>
> "Some subjects are so serious that one can only joke about them."
> -- Niels Bohr
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
--
cleverpig(Dan)
Location: Beijing
Address: Room 4018,No.A2 South Avenue Fuxingmen Beijing,P.R.China
Zipcode: 100031
MSN: great_liudan@hotmail.com
QQ: 149291732
Skype: cleverpigatmatrix
Facebook ID:cleverpig
Blog: www.cleverpig.name
Tags: del.icio.us/cleverpig
Twitter: twitter.com/cleverpig
新浪微博: t.sina.com.cn/cleverpig
Organization: www.beijing-open-party.org
Organ@Facebook: http://www.facebook.com/group.php?gid=8159558294
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: [Tapestry Central] Securing Tapestry pages with Annotations,
Part 1
Posted by Alessandro Bottoni <al...@gmail.com>.
Il 02/01/2010 20:18, Massimo Lusetti ha scritto:
> On Thu, Dec 31, 2009 at 12:16 PM, Alessandro Bottoni
> <al...@gmail.com> wrote:
>
>> Let's me play the Devil's advocate for a moment...
>>
>> ChenilleKit-Access is an example of why the typical new user (like me)
>> will NOT use such a solution, no matter how good and elegant it could
>> be. The reason is that the ONLY official documentation you can find
>> using Google is the following....
>
> Unfortunately i can't see any code nor docs from you.
Massimo, of course you are right when you underline this but...
"Let's me play the Devil's advocate for a moment..."
:-)
I'm not accusing any of the Tapesty/ChenilleKit guys of anything. I'm
just trying to understand why Tapestry does not have the same level of
appreciation by the large public as Wicket, despite its evident
technical superiority.
I'll be happy to contribute some code/docu when I'll be able to write
it. Of course, the less docu I find, the less code and docu I'll be able
to write in the short/medium term. :-)
Cheers
--
Alessandro Bottoni
Website: http://www.alessandrobottoni.it/
"Some subjects are so serious that one can only joke about them."
-- Niels Bohr
Re: [Tapestry Central] Securing Tapestry pages with Annotations, Part
1
Posted by Massimo Lusetti <ml...@gmail.com>.
On Thu, Dec 31, 2009 at 12:16 PM, Alessandro Bottoni
<al...@gmail.com> wrote:
> Let's me play the Devil's advocate for a moment...
>
> ChenilleKit-Access is an example of why the typical new user (like me)
> will NOT use such a solution, no matter how good and elegant it could
> be. The reason is that the ONLY official documentation you can find
> using Google is the following....
Unfortunately i can't see any code nor docs from you.
Cheers
--
Massimo
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: [Tapestry Central] Securing Tapestry pages with Annotations,
Part 1
Posted by Alessandro Bottoni <al...@gmail.com>.
Il 29/12/2009 21:32, Alex Kotchnev ha scritto:
> approach. As Thiago already mentioned, there are at least a few more
> solutions that attempt to provide this (e.g. Thiago's own,
> chenillekit-access, and a bunch more).
Let's me play the Devil's advocate for a moment...
ChenilleKit-Access is an example of why the typical new user (like me)
will NOT use such a solution, no matter how good and elegant it could
be. The reason is that the ONLY official documentation you can find
using Google is the following....
<quote>
Introduction
ChenilleKit Access module sits in between your page processing logic and
the client HTTP request, doing so it is able to decide when and how the
request can pass through or not.
For doing so it needs two different steps. First it put RestrictedWorker
into the ComponentClassTranformWorker pipeline, this class is
responsible to read the annotation class and store various meta
information needed by AccessValidator. Second it put two Dispatcher into
two different pipelines for intercepting page render and component event
action requests to check if they're directed to restricted class/events
and to apply the needed constraints.
</quote>
I'm sorry but I have to say that many (or most?) new users will not have
neither the time nor the patience to study the JavaDoc or the source
code just to figure out how to use this (or any other) library, no
matter how simple it can be.
Moreover, in many cases it would be very hard to convince the project
leader or the end user to accept a (sorry Thiago ....) not-canonical,
little known, little documented, maybe-risky library like this one.
For what regards me, for example, I would be forced to look for a
widely-recognized, well-tested, well-documented, standard module, inside
or outside the Tapestry world (Acegi?) or, as an alternative, to
demonstrate that ChenilleKit is the right tool for the task at hand
(being ready to pay for any possible error about my judgment...).
Just the voice of the Devil, anyway... ;-)
PS: Yes, I'm aware of this article:
http://www.equanda.org/templates/login.html .
--
Alessandro Bottoni
Website: http://www.alessandrobottoni.it/
"They say if you play a Microsoft CD backwards,
you hear satanic messages.
That's nothing, cause if you play it forwards,
it installs Windows."
-- Unknown
Re: [Tapestry Central] Securing Tapestry pages with Annotations,
Part 1
Posted by "Vangel V. Ajanovski" <aj...@ii.edu.mk>.
On 31.12.2009 11:44, Alessandro Bottoni wrote:
> 2) An enterprise-level module, like Spring Security. This solution
> should have to be flexible and extendible. It should be able to deal
> with LDAP, OpenID, JASIG CAS and other providers. It would be used for
> complex, enterprise-level apps.
>
When you mention CAS, do you know that by using it you can in fact use
both JDBC, LDAP, Active Directory, Radius, JAAS, Kerberos behind it all
at the same time..
CAS can authenticate your users from many sources and they will see only
a single login page. I have pretty positive experience with JASIG CAS
and we have been using it for 4 years now. We use it for single-sign-on
accross several applications (uPortal, Moodle, Trac, our Course
Enrollment project based on Tapestry, another ASP.Net project, few other
PHP apps etc).
Why we decided on CAS. The userbase is mostly US universities with tens
of thousands of students. If they trust it to keep users in or out of
their services, why wouldn't we?
1. CAS has a service, which is a relatively small java web app (13MB
war) that presents a login screen and redirects to your application if
the user is authenticated. Very easy to configure. The setup is very
very easy (XML based) and there are many configuration examples on the
web and I was able to set it in under Tomcat and configure to connect to
two active directory domains in just half an hour. So users from both
domains can use my application and any other application that will be
casified.
2. How to use it in the app?
a. In your app you include a CAS client that checks the service if any
user is logged in and what is the name of the user. This is again
simple, you just read the username via some method from the client classes.
b. If you don't like to put the client in your app, you can set it as a
filter on the web server (in web.xml) to listen to several paths. So on
each request if the user is logged in, a session variable will be set
with the validated username.
c. Both ways you get the username and you can then decide what to do
about it.
I think that's simple. Few XML configurations for the CAS service and a
single line of code to get the username in your app.
Re: [Tapestry Central] Securing Tapestry pages with Annotations, Part
1
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
Em Thu, 31 Dec 2009 08:44:00 -0200, Alessandro Bottoni
<al...@gmail.com> escreveu:
> 1) A quite basic module, or even a well-documented demo, that just takes
> into account the most common requirements and uses a set of sensible
> defaults. This basic "package" should not have to be extensible or
> flexible.
A demo with this features would be a very good idea.
> 2) An enterprise-level module, like Spring Security. This solution
> should have to be flexible and extendible. It should be able to deal
> with LDAP, OpenID, JASIG CAS and other providers. It would be used for
> complex, enterprise-level apps.
Re-implement something like Spring Security is not feasible, IMHO. It
would need people who know a lot about security, and Tapestry is a Web
framework. In addition, that's an awful lot of code to write and, AFAIK,
very few projects use these security providers (besides OpenID). We should
focus on what will be useful for the most people.
I don't think using Spring Security the Tapestry security module because
it forces the use of Spring. I still need to take a look at
JSecurity/Apache Shiro, but I guess it would fill this need better.
--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
and instructor
Owner, software architect and developer, Ars Machina Tecnologia da
Informação Ltda.
http://www.arsmachina.com.br
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: [Tapestry Central] Securing Tapestry pages with Annotations,
Part 1
Posted by Alessandro Bottoni <al...@gmail.com>.
Il 29/12/2009 21:32, Alex Kotchnev ha scritto:
> chenillekit-access, and a bunch more). As much as people have a tendency to
> complain that spring security is too complicated, it seems that any other
> solution (e.g. based on T5 IoC) that attempts to provide the same level of
> flexibility and generality will eventually end up with similar complexity (
> and will most likely never have the mind & market share of spring security).
> Thus, it seems to me that the effort to provide a "new" framework to do all
> of this is somewhat futile.
Actually, maybe there is a need for TWO different solutions:
1) A quite basic module, or even a well-documented demo, that just takes
into account the most common requirements and uses a set of sensible
defaults. This basic "package" should not have to be extensible or
flexible. It should just have to be usable and understandable. It would
be mostly used to study this problem and to see how to solve it in a
Tapestry-like way. It would also be used as a quick&dirty solution for
the most basic applications. IMHO, this solution should be developed
with Tapestry annotations (see:
http://tapestryjava.blogspot.com/2009/12/securing-tapestry-pages-with.html)
and used as a demo of such programming technique, as well.
2) An enterprise-level module, like Spring Security. This solution
should have to be flexible and extendible. It should be able to deal
with LDAP, OpenID, JASIG CAS and other providers. It would be used for
complex, enterprise-level apps.
> An alternative approach (which seems to be quite successful in Grails
> land) seems to be to provide integration & simplification w/ existing
> security frameworks that already have all of the flexibility (and
> complexity) that you talk about . For example. in Grails using the spring
> security plugin comes down to installing the plugin and annotating your
> controllers w/ Roles - it certainly reduces the number of available options
> (thus making it less flexible) but the ease of getting started with it is
> quite attractive .
This would a very good solution for this problem and I vote for it.
Despite this, it would be very little "tapestrystic" (it rhimes with
"pythonistic")... I mean: it would miss the apportunity to contribute in
making a more componentized, elegant working environment for all of us.
> If the desire is to provide a pure T5 based solution,
> why not take one of the existing security modules (e.g. chenillekit-access)
> and analyze its approach and improve it instead of starting from scratch
> (and use the forum as an opportunity to improve & extend the same existing
> component) ?
This approach is exactly what I would expect for the "enterprise-level
module" I described above (case 2). It could/should be something like
ACEGI or Swarm/Wasp and it should be very standardized, quite
extensible/flexible and very well tested. It could be based on
annotations or on other techniques, depending on the judgment of the
developing community. Most likely, it would deserve a separated project.
JM2C
--
Alessandro Bottoni
Website: http://www.alessandrobottoni.it/
"Life is a sexually transmitted disease, and it's 100% fatal."
-- Unknown