Posted to users@tapestry.apache.org by Chris Lewis <ch...@bellsouth.net> on 2008/01/06 00:43:09 UTC
T5: access control (again)
Dear list - specifically all those having successful access control
implementations,
I'd like to poll you for how you did it. Not so much the action of
authentication, but more so how access is monitored and restricted. This
is a well-known problem in general, but I've yet to see a satisfactory
and pluggable implementation. First, the basic details:
A user can have one or more roles, and roles determine what that user
can and can't do/see/access. As I said, this is a well-known problem and
there's even an existing library for the task: tapestry-acegi.
The good thing about tapestry-acegi is its 2 simple components. They make
perfect sense and make integration feel smooth and water-tight (ie, not
leaky). The bad things are:
1) The documentation is basically non-existent and I have no idea how to
get it set up. Using the components is a no-brainer - it's the
infrastructure that loses me.
2) It requires foreknowledge of acegi. Ok, so I checked out those docs,
which led me to:
3) Acegi docs explicitly state that knowledge of spring is required, so
you must first know (or learn) that.
That's where I draw the line. If you've read many posts from me, you may
know that while I've been developing in Java for about 6 years I've
specifically avoided using it for web because I've never felt it "had it
together." Yes it's capable, but it's been overly complex and fragmented.
Yes there are open source options but none of them, including struts and
spring, have been enough to convince me that investing my time in
learning them was worth it. This changed when I started toying with
tapestry and its perspective of development (so this probably includes
wicket, web objects, and prado).
I'm not bashing tapestry-acegi by any means. In fact I commend, thank,
and cite in code the project as I used the idea of the IfLoggedIn
component. It's both simple and elegant - but it requires knowledge that
I don't have and am not convinced is worth my having.
So... what are any of you other ambitious T5ers using for this? Packaged
tools? Home grown? I'm home growing one at the moment (specific to a
project) and would love to share, but I want to know what anyone else is
doing to solve this classic problem.
sincerely,
chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: T5: access control (again)
Posted by Chris Lewis <ch...@bellsouth.net>.
Ok :-). Here's my wish list:
1. Remove Spring as a dependency. However "stupid" this is according to
the Spring developers, it would be valuable to me (and I'm sure others
like me). Apparently this isn't too difficult to do:
http://www.acegisecurity.org/standalone.html
2. Provide some kind of quick start that includes what you shared in the
wiki, but also covers getting acegi bootstrapped properly (schema, etc
etc). Of course the line between what you should provide and what is
already provided is a bit blurry. I've started reading through
http://www.acegisecurity.org/guide/springsecurity.html, which covers
pretty much everything from A-Z. The unfortunate part, and unfortunately
unexpected given "java's" rep, is that it is so complex and verbose. I
don't personally think that implementing a simple but secure
authentication system with users and roles has to be so complicated.
Again it's clearly not your job to document acegi, but a simple quick
start or common use case would get us close to not needing spring docs,
or require us to digest the whole acegi manual.
My 2 cents. Thanks for listening and contributing.
chris
Robin Helgelin wrote:
> On Jan 6, 2008 11:35 AM, Chris Lewis <ch...@bellsouth.net> wrote:
>
>> Let me close by clarifying my tone as I've been told I come across as
>> harsh. I am not bashing spring, acegi, or the tapestry integration. What
>> I am saying is that as a developer with no use for spring, using the t5
>> acegi module appears to be a bad choice for me as I do not know acegi at
>> all, and learning it, by way of transitive dependencies, requires me to
>> learn spring.
>>
>
> I can't disagree with that, it's true :). However, I'm glad to help
> with adding things to the acegi module that will make things even
> easier, so that you don't have to look at spring at all.
>
>
Re: T5: access control (again)
Posted by Robin Helgelin <lo...@gmail.com>.
On Jan 6, 2008 11:35 AM, Chris Lewis <ch...@bellsouth.net> wrote:
> Let me close by clarifying my tone as I've been told I come across as
> harsh. I am not bashing spring, acegi, or the tapestry integration. What
> I am saying is that as a developer with no use for spring, using the t5
> acegi module appears to be a bad choice for me as I do not know acegi at
> all, and learning it, by way of transitive dependencies, requires me to
> learn spring.
I can't disagree with that, it's true :). However, I'm glad to help
with adding things to the acegi module that will make things even
easier, so that you don't have to look at spring at all.
--
regards,
Robin
Re: T5: access control (again)
Posted by Chris Lewis <ch...@bellsouth.net>.
I understand - I have looked through the tapestry-acegi wiki and the
site, and they only talk about the T5 side (whereas you agreed that the
docs are lacking, you are right in that they are sufficient). Where I'm
lost is how to set up acegi, how its invocations work, what the schema
requirements are, how its loaded, etc etc. The acegi site clearly says
spring can be removed from acegi, but it basically says that would be
dumb, and of course says you must know spring to follow the docs. That
seems a bit circular. Of course the response could be that I'm too lazy
to learn spring and perhaps that'd be somewhat water proof. I'd word it
by saying I have no legitimate need and zero interest in learning spring
- I want access control, not another ioc container.
Let me close by clarifying my tone as I've been told I come across as
harsh. I am not bashing spring, acegi, or the tapestry integration. What
I am saying is that as a developer with no use for spring, using the t5
acegi module appears to be a bad choice for me as I do not know acegi at
all, and learning it, by way of transitive dependencies, requires me to
learn spring.
chris
Robin Helgelin wrote:
> On Jan 6, 2008 10:29 AM, Chris Lewis <ch...@bellsouth.net> wrote:
>
>> I remember reading in the acegi docs that it was possible to swap-out
>> the usage of spring. I feel like you'll find it's not too difficult to
>> do. I realize I say this out of ignorance but T5 IoC is quite easy to
>> get your head around, and as you know your way around spring and acegi...
>> Anyway, thanks for the input and do let me know how you find it.
>>
>
> My acegi package tapestry5-acegi, doesn't require any knowledge or
> explicit use of spring. Yes, acegi uses spring internally, but it's
> completely transparent from the developer if they choose not to use
> spring.
>
> As far as the documentation is lacking, I agree, but there should be
> enough information on the wiki and webpage to get you started.
>
> http://www.localhost.nu/java/tapestry5-acegi
>
>
Re: T5: access control (again)
Posted by Robin Helgelin <lo...@gmail.com>.
On Jan 6, 2008 10:29 AM, Chris Lewis <ch...@bellsouth.net> wrote:
> I remember reading in the acegi docs that it was possible to swap-out
> the usage of spring. I feel like you'll find it's not too difficult to
> do. I realize I say this out of ignorance but T5 IoC is quite easy to
> get your head around, and as you know your way around spring and acegi...
> Anyway, thanks for the input and do let me know how you find it.
My acegi package tapestry5-acegi, doesn't require any knowledge or
explicit use of spring. Yes, acegi uses spring internally, but it's
completely transparent from the developer if they choose not to use
spring.
As far as the documentation is lacking, I agree, but there should be
enough information on the wiki and webpage to get you started.
http://www.localhost.nu/java/tapestry5-acegi
--
regards,
Robin
Re: T5: access control (again)
Posted by Chris Lewis <ch...@bellsouth.net>.
I remember reading in the acegi docs that it was possible to swap-out
the usage of spring. I feel like you'll find it's not too difficult to
do. I realize I say this out of ignorance but T5 IoC is quite easy to
get your head around, and as you know your way around spring and acegi...
Anyway, thanks for the input and do let me know how you find it.
sincerely,
chris
Jonathan Barker wrote:
> Chris,
>
> I'm about to embark on access control for a T5 app I'm building. Two years
> ago, I built a T4 app with Spring / Hibernate / Acegi. I had already
> digested much of the Spring docs even though I hadn't really used it, the
> Acegi docs obviously referred to Spring, and re-doing it in Hivemind when I
> was a rookie at Acegi, Spring and Hivemind didn't seem very bright.
>
> The key is that tapestry-ioc in T5 (and Hivemind for T4) can be used
> *instead* of Spring. The challenge is having the knowledge to accomplish
> this when all of the documentation on Acegi talks about Spring. Spring is
> mainly just a means to configure Acegi, and make sure that Acegi information
> gets moved in and out of the session.
>
> Now, I'm about to try tapestry-acegi. Fortunately, the access control for
> this app is far simpler than what I had to do in T4, and my knowledge of
> Acegi and Spring grew dramatically through that old project. I'll probably
> take the time to understand tapestry-ioc this time.
>
> Hopefully I'll have some real pearls of wisdom to offer in a few days.
>
>
> Jonathan
RE: T5: access control (again)
Posted by Jonathan Barker <jo...@gmail.com>.
Chris,
I'm about to embark on access control for a T5 app I'm building. Two years
ago, I built a T4 app with Spring / Hibernate / Acegi. I had already
digested much of the Spring docs even though I hadn't really used it, the
Acegi docs obviously referred to Spring, and re-doing it in Hivemind when I
was a rookie at Acegi, Spring and Hivemind didn't seem very bright.
The key is that tapestry-ioc in T5 (and Hivemind for T4) can be used
*instead* of Spring. The challenge is having the knowledge to accomplish
this when all of the documentation on Acegi talks about Spring. Spring is
mainly just a means to configure Acegi, and make sure that Acegi information
gets moved in and out of the session.
Now, I'm about to try tapestry-acegi. Fortunately, the access control for
this app is far simpler than what I had to do in T4, and my knowledge of
Acegi and Spring grew dramatically through that old project. I'll probably
take the time to understand tapestry-ioc this time.
Hopefully I'll have some real pearls of wisdom to offer in a few days.
Jonathan