Posted to commits@isis.apache.org by da...@apache.org on 2021/04/15 07:00:55 UTC
[isis-app-helloworld] branch jdo-secman updated: adds in perms for
app users
This is an automated email from the ASF dual-hosted git repository.
danhaywood pushed a commit to branch jdo-secman
in repository https://gitbox.apache.org/repos/asf/isis-app-helloworld.git
The following commit(s) were added to refs/heads/jdo-secman by this push:
new f5d1ec6 adds in perms for app users
f5d1ec6 is described below
commit f5d1ec65c0ee7029bd2101b5b5c7f2ac1f65b893
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Thu Apr 15 08:00:35 2021 +0100
adds in perms for app users
---
.../java/domainapp/security/SeedUsersAndRoles.java | 61 ++++++++++++++++++++
.../security/scripts/RoleAndPerms__NoDelete.java | 26 +++++++++
.../security/scripts/RoleAndPerms__UserRo.java | 32 +++++++++++
.../security/scripts/RoleAndPerms__UserRw.java | 34 +++++++++++
.../security/scripts/SecmanConstants.java | 11 ++++
.../security/scripts/UserToRole__bob_UserRw.java | 17 ++++++
.../security/scripts/UserToRole__dick_UserRo.java | 17 ++++++
.../UserToRole__joe_UserRw_but_NoDelete.java | 18 ++++++
src/main/java/domainapp/webapp/AppManifest.java | 67 ++--------------------
9 files changed, 222 insertions(+), 61 deletions(-)
diff --git a/src/main/java/domainapp/security/SeedUsersAndRoles.java b/src/main/java/domainapp/security/SeedUsersAndRoles.java
new file mode 100644
index 0000000..557796e
--- /dev/null
+++ b/src/main/java/domainapp/security/SeedUsersAndRoles.java
@@ -0,0 +1,61 @@
+package domainapp.security;
+
+import javax.inject.Inject;
+
+import org.springframework.context.event.EventListener;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Service;
+
+import org.apache.isis.applib.annotation.OrderPrecedence;
+import org.apache.isis.applib.services.xactn.TransactionService;
+import org.apache.isis.core.metamodel.events.MetamodelEvent;
+import org.apache.isis.testing.fixtures.applib.fixturescripts.FixtureScript;
+import org.apache.isis.testing.fixtures.applib.fixturescripts.FixtureScripts;
+
+import domainapp.security.scripts.RoleAndPerms__NoDelete;
+import domainapp.security.scripts.RoleAndPerms__UserRo;
+import domainapp.security.scripts.RoleAndPerms__UserRw;
+import domainapp.security.scripts.UserToRole__bob_UserRw;
+import domainapp.security.scripts.UserToRole__dick_UserRo;
+import domainapp.security.scripts.UserToRole__joe_UserRw_but_NoDelete;
+
+@Service
+@Order(OrderPrecedence.MIDPOINT + 10)
+public class SeedUsersAndRoles {
+
+ private final FixtureScripts fixtureScripts;
+ private final TransactionService transactionService;
+
+ @Inject
+ public SeedUsersAndRoles(
+ final FixtureScripts fixtureScripts,
+ final TransactionService transactionService) {
+ this.fixtureScripts = fixtureScripts;
+ this.transactionService = transactionService;
+ }
+
+ @EventListener(MetamodelEvent.class)
+ public void onMetamodelEvent(final MetamodelEvent event) {
+ if (event.isPostMetamodel()) {
+ runScripts();
+ }
+ transactionService.flushTransaction();
+ }
+
+ private void runScripts() {
+ fixtureScripts.run(new FixtureScript() {
+ @Override
+ protected void execute(ExecutionContext ec) {
+ ec.executeChildren(this,
+ new RoleAndPerms__UserRw()
+ , new RoleAndPerms__UserRo()
+ , new RoleAndPerms__NoDelete()
+ , new UserToRole__bob_UserRw()
+ , new UserToRole__dick_UserRo()
+ , new UserToRole__joe_UserRw_but_NoDelete()
+ );
+ }
+ });
+ }
+
+}
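Review bot: `transactionService.flushTransaction()` in `onMetamodelEvent` runs on every MetamodelEvent, including the phases where `isPostMetamodel()` is false and nothing has been executed; moving it inside the `if` makes the intent explicit: `if (event.isPostMetamodel()) { runScripts(); transactionService.flushTransaction(); }`. The removed inner class in AppManifest had an `orElseGet(...newRole(...))` fallback with a comment that it could run before secman's own seeding; the new user scripts reference `SecmanConstants.USER_ROLE_NAME` without such a fallback, so correctness now appears to rest on `@Order(OrderPrecedence.MIDPOINT + 10)` placing this listener after the secman seed — worth a class Javadoc stating that ordering assumption. The class has no Javadoc; a one-liner such as `/** Seeds the application roles, permissions and demo users once the metamodel is available. */` would help.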
diff --git a/src/main/java/domainapp/security/scripts/RoleAndPerms__NoDelete.java b/src/main/java/domainapp/security/scripts/RoleAndPerms__NoDelete.java
new file mode 100644
index 0000000..32d65ea
--- /dev/null
+++ b/src/main/java/domainapp/security/scripts/RoleAndPerms__NoDelete.java
@@ -0,0 +1,26 @@
+package domainapp.security.scripts;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureSort;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+
+public class RoleAndPerms__NoDelete extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "no-delete";
+
+ public RoleAndPerms__NoDelete() {
+ super(ROLE_NAME, "Veto access to deleting HelloWorld objects");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.VETO,
+ ApplicationPermissionMode.VIEWING,
+ Can.of(ApplicationFeatureId.newFeature(ApplicationFeatureSort.MEMBER, "hello.HelloWorldObject#delete"))
+ );
+ }
+}
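Review bot: Whether this VETO on `hello.HelloWorldObject#delete` actually blocks `joe` depends on the permissions-evaluation strategy, since joe also holds `user-rw`, which ALLOWs CHANGING on the whole `hello` namespace; AppManifest imports `PermissionsEvaluationServiceAllowBeatsVeto`, and if that is the strategy in effect the broader allow would presumably win and the role would not veto anything. The class should document the strategy it assumes, e.g. `/** Vetoes the delete action; only effective when the evaluation service lets a member-level veto beat a namespace-level allow. */`, and the joe case deserves a test that asserts delete is hidden or disabled. The veto is in VIEWING mode, which hides the action rather than merely disabling it; if that is the intent a short comment on the `ApplicationPermissionMode.VIEWING` line would make it clear.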
diff --git a/src/main/java/domainapp/security/scripts/RoleAndPerms__UserRo.java b/src/main/java/domainapp/security/scripts/RoleAndPerms__UserRo.java
new file mode 100644
index 0000000..6bd585f
--- /dev/null
+++ b/src/main/java/domainapp/security/scripts/RoleAndPerms__UserRo.java
@@ -0,0 +1,32 @@
+package domainapp.security.scripts;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureSort;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+
+public class RoleAndPerms__UserRo extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "user-ro";
+
+ public RoleAndPerms__UserRo() {
+ super(ROLE_NAME, "Read-only access to entire application");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.ALLOW,
+ ApplicationPermissionMode.VIEWING,
+ Can.of(ApplicationFeatureId.newNamespace("hello")));
+ newPermissions(
+ ApplicationPermissionRule.ALLOW,
+ ApplicationPermissionMode.CHANGING,
+ Can.of(
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.MEMBER, "hello.HelloWorldObjects#findByName"),
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.MEMBER, "hello.HelloWorldObjects#listAll")
+ ));
+ }
+}
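Review bot: The second `newPermissions` call grants `ApplicationPermissionMode.CHANGING` on `findByName` and `listAll` inside a role described as read-only, which reads as a contradiction without explanation; presumably invoking an action requires CHANGING even when the action only reads data, but that is inferred. A comment on that call, `// actions need CHANGING to be invokable; these two finders do not modify state`, would stop the next reader from "fixing" it. The repeated `ApplicationFeatureId.newFeature(ApplicationFeatureSort.MEMBER, ...)` could be a small private helper shared with RoleAndPerms__NoDelete, but that is a matter of style.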
diff --git a/src/main/java/domainapp/security/scripts/RoleAndPerms__UserRw.java b/src/main/java/domainapp/security/scripts/RoleAndPerms__UserRw.java
new file mode 100644
index 0000000..50870af
--- /dev/null
+++ b/src/main/java/domainapp/security/scripts/RoleAndPerms__UserRw.java
@@ -0,0 +1,34 @@
+package domainapp.security.scripts;
+
+import java.util.Arrays;
+
+import javax.inject.Inject;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.value.Password;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.dom.role.ApplicationRole;
+import org.apache.isis.extensions.secman.jdo.dom.role.ApplicationRoleRepository;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+import org.apache.isis.extensions.secman.model.dom.user.ApplicationUserMenu;
+import org.apache.isis.testing.fixtures.applib.fixturescripts.FixtureScript;
+
+public class RoleAndPerms__UserRw extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "user-rw";
+
+ public RoleAndPerms__UserRw() {
+ super(ROLE_NAME, "Read-write access to entire application");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.ALLOW,
+ ApplicationPermissionMode.CHANGING,
+ Can.of(ApplicationFeatureId.newNamespace("hello"))
+ );
+ }
+}
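Review bot: The import block carries over names from the removed AppManifest inner class that this file never uses: `java.util.Arrays`, `javax.inject.Inject`, `Password`, `ApplicationRole`, `ApplicationRoleRepository`, `ApplicationUserMenu` and `FixtureScript`. They should be dropped so the file's dependencies reflect what it actually touches. A Javadoc such as `/** Grants read-write access to everything under the {@code hello} namespace. */` would match the description string passed to `super`.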
diff --git a/src/main/java/domainapp/security/scripts/SecmanConstants.java b/src/main/java/domainapp/security/scripts/SecmanConstants.java
new file mode 100644
index 0000000..0c8df8d
--- /dev/null
+++ b/src/main/java/domainapp/security/scripts/SecmanConstants.java
@@ -0,0 +1,11 @@
+package domainapp.security.scripts;
+
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.user.AccountType;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
+
+public class SecmanConstants {
+ private SecmanConstants(){}
+ public static final String ADMIN_ROLE_NAME = "secman-admin-role";
+ public static final String USER_ROLE_NAME = "secman-user-role";
+}
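Review bot: `Can`, `AccountType` and `AbstractUserAndRolesFixtureScript` are imported but unused in SecmanConstants; they should be removed. A constants holder with a private constructor should also be declared `public final class SecmanConstants`, and a Javadoc noting that these two names must match the ones passed to `SecmanConfiguration` in AppManifest would make the coupling visible from this side.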
diff --git a/src/main/java/domainapp/security/scripts/UserToRole__bob_UserRw.java b/src/main/java/domainapp/security/scripts/UserToRole__bob_UserRw.java
new file mode 100644
index 0000000..a44b92b
--- /dev/null
+++ b/src/main/java/domainapp/security/scripts/UserToRole__bob_UserRw.java
@@ -0,0 +1,17 @@
+package domainapp.security.scripts;
+
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.user.AccountType;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
+
+public class UserToRole__bob_UserRw extends AbstractUserAndRolesFixtureScript {
+
+ public UserToRole__bob_UserRw() {
+ super("bob", "pass", AccountType.LOCAL,
+ Can.of(
+ RoleAndPerms__UserRw.ROLE_NAME
+ , SecmanConstants.USER_ROLE_NAME
+ ));
+ }
+
+}
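Review bot: The seed user `bob` is created with the fixed, source-controlled password `"pass"`, and the same applies to `dick` and `joe` in the next two files and to the admin user in AppManifest; these are credentials that get written into the security store on every startup. Since this is a demo app that is presumably intentional, but the class should say so, e.g. `/** Demo user seeded with a fixed password for local development only; do not reuse outside a throw-away environment. */`, and a production profile should disable the seeding listener or source the password from configuration. Whether the underlying fixture script is idempotent on repeated startups is not visible here and is worth confirming.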
diff --git a/src/main/java/domainapp/security/scripts/UserToRole__dick_UserRo.java b/src/main/java/domainapp/security/scripts/UserToRole__dick_UserRo.java
new file mode 100644
index 0000000..2245fdb
--- /dev/null
+++ b/src/main/java/domainapp/security/scripts/UserToRole__dick_UserRo.java
@@ -0,0 +1,17 @@
+package domainapp.security.scripts;
+
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.user.AccountType;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
+
+public class UserToRole__dick_UserRo extends AbstractUserAndRolesFixtureScript {
+
+ public UserToRole__dick_UserRo() {
+ super("dick", "pass", AccountType.LOCAL,
+ Can.of(
+ RoleAndPerms__UserRo.ROLE_NAME
+ , SecmanConstants.USER_ROLE_NAME
+ ));
+ }
+
+}
diff --git a/src/main/java/domainapp/security/scripts/UserToRole__joe_UserRw_but_NoDelete.java b/src/main/java/domainapp/security/scripts/UserToRole__joe_UserRw_but_NoDelete.java
new file mode 100644
index 0000000..9f98c23
--- /dev/null
+++ b/src/main/java/domainapp/security/scripts/UserToRole__joe_UserRw_but_NoDelete.java
@@ -0,0 +1,18 @@
+package domainapp.security.scripts;
+
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.user.AccountType;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
+
+public class UserToRole__joe_UserRw_but_NoDelete extends AbstractUserAndRolesFixtureScript {
+
+ public UserToRole__joe_UserRw_but_NoDelete() {
+ super("joe", "pass", AccountType.LOCAL,
+ Can.of(
+ RoleAndPerms__UserRw.ROLE_NAME
+ , RoleAndPerms__NoDelete.ROLE_NAME
+ , SecmanConstants.USER_ROLE_NAME
+ ));
+ }
+
+}
diff --git a/src/main/java/domainapp/webapp/AppManifest.java b/src/main/java/domainapp/webapp/AppManifest.java
index 8d5d8ae..ad39712 100644
--- a/src/main/java/domainapp/webapp/AppManifest.java
+++ b/src/main/java/domainapp/webapp/AppManifest.java
@@ -1,23 +1,14 @@
package domainapp.webapp;
-import java.util.Arrays;
import java.util.EnumSet;
-import javax.inject.Inject;
-
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.PropertySources;
-import org.springframework.context.event.EventListener;
-import org.springframework.core.annotation.Order;
-import org.springframework.stereotype.Service;
-import org.apache.isis.applib.annotation.OrderPrecedence;
-import org.apache.isis.applib.value.Password;
import org.apache.isis.core.config.presets.IsisPresets;
-import org.apache.isis.core.metamodel.events.MetamodelEvent;
import org.apache.isis.core.runtimeservices.IsisModuleCoreRuntimeServices;
import org.apache.isis.extensions.secman.api.IsisModuleExtSecmanApi;
import org.apache.isis.extensions.secman.api.SecmanConfiguration;
@@ -28,22 +19,18 @@ import org.apache.isis.extensions.secman.api.permission.PermissionsEvaluationSer
import org.apache.isis.extensions.secman.api.permission.PermissionsEvaluationServiceAllowBeatsVeto;
import org.apache.isis.extensions.secman.encryption.jbcrypt.IsisModuleExtSecmanEncryptionJbcrypt;
import org.apache.isis.extensions.secman.jdo.IsisModuleExtSecmanPersistenceJdo;
-import org.apache.isis.extensions.secman.jdo.dom.role.ApplicationRole;
-import org.apache.isis.extensions.secman.jdo.dom.role.ApplicationRoleRepository;
-import org.apache.isis.extensions.secman.jdo.seed.SeedUsersAndRolesFixtureScript;
import org.apache.isis.extensions.secman.model.IsisModuleExtSecmanModel;
-import org.apache.isis.extensions.secman.model.dom.user.ApplicationUserMenu;
import org.apache.isis.extensions.secman.shiro.IsisModuleExtSecmanRealmShiro;
import org.apache.isis.persistence.jdo.datanucleus.IsisModuleJdoDatanucleus;
import org.apache.isis.security.shiro.IsisModuleSecurityShiro;
import org.apache.isis.testing.fixtures.applib.IsisModuleTestingFixturesApplib;
-import org.apache.isis.testing.fixtures.applib.fixturescripts.FixtureScript;
-import org.apache.isis.testing.fixtures.applib.fixturescripts.FixtureScripts;
import org.apache.isis.testing.h2console.ui.IsisModuleTestingH2ConsoleUi;
import org.apache.isis.viewer.restfulobjects.jaxrsresteasy4.IsisModuleViewerRestfulObjectsJaxrsResteasy4;
import org.apache.isis.viewer.wicket.viewer.IsisModuleViewerWicketViewer;
import domainapp.modules.hello.HelloWorldModule;
+import domainapp.security.SeedUsersAndRoles;
+import domainapp.security.scripts.SecmanConstants;
@Configuration
@Import({
@@ -60,7 +47,7 @@ import domainapp.modules.hello.HelloWorldModule;
IsisModuleExtSecmanEncryptionJbcrypt.class,
IsisModuleTestingFixturesApplib.class,
- SeedUsersAndRolesFixtureScript.class,
+ SeedUsersAndRoles.class,
IsisModuleTestingH2ConsoleUi.class,
HelloWorldModule.class
@@ -73,10 +60,9 @@ public class AppManifest {
@Bean
public SecmanConfiguration secmanConfiguration() {
return SecmanConfiguration.builder()
- .adminUserName("sven")
- .adminPassword("admin")
- .adminRoleName("admin_role") // as per shiro.ini
- .regularUserRoleName("user_role")
+ .adminUserName("sven").adminPassword("pass")
+ .adminRoleName(SecmanConstants.ADMIN_ROLE_NAME)
+ .regularUserRoleName(SecmanConstants.USER_ROLE_NAME)
.build();
}
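Review bot: The admin role name changes from `"admin_role"` to `SecmanConstants.ADMIN_ROLE_NAME` (`"secman-admin-role"`) and the regular role to `"secman-user-role"`, while the removed line carried the comment `// as per shiro.ini`; if shiro.ini (not in this diff) still maps roles by the old names the realm's role mapping would stop matching silently. Either update shiro.ini in the same change or keep a comment on `.adminRoleName(...)` pointing at where the names must agree. The admin password is also changed to the hard-coded `"pass"` here; as with the demo users, this should be documented as development-only or externalised to configuration.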
@@ -95,45 +81,4 @@ public class AppManifest {
};
}
- @Service
- @Order(OrderPrecedence.MIDPOINT + 10)
- static class SeedAppSecurity {
- private final FixtureScripts fixtureScripts;
- @Inject
- public SeedAppSecurity(final FixtureScripts fixtureScripts) {
- this.fixtureScripts = fixtureScripts;
- }
-
- @EventListener(MetamodelEvent.class)
- public void onMetamodelEvent(final MetamodelEvent event) {
-
- if (event.isPostMetamodel()) {
- fixtureScripts.run(new AppUsersAndRolesFixtureScript());
- }
- }
-
- static class AppUsersAndRolesFixtureScript extends FixtureScript {
-
- @Inject ApplicationUserMenu applicationUserMenu;
- @Inject ApplicationRoleRepository applicationRoleRepository;
-
- @Override
- protected void execute(ExecutionContext ec) {
- Arrays.asList("dick", "bob", "joe") // also as per shiro.ini
- .forEach(this::newRegularUser);
- }
-
- private void newRegularUser(String username) {
-
- final ApplicationRole userRole =
- applicationRoleRepository.findByName("user_role")
- // necessary because this script could (and is) called before SeedUsersAndRolesFixtureScript
- .orElseGet(() -> applicationRoleRepository.newRole("user_role", "Regular user role"));
- final Password password = new Password("pass");
- applicationUserMenu.newLocalUser(
- username, password, password,
- userRole, true, null);
- }
- }
- }
}