Posted to users@tapestry.apache.org by Chris Lewis <ch...@bellsouth.net> on 2008/01/06 00:43:09 UTC

T5: access control (again)

Dear list - specifically all those having successful access control 
implementations,

I'd like to poll you for how you did it. Not so much the action of 
authentication, but more so how access is monitored and restricted. This 
is a well-known problem in general, but I've yet to see a satisfactory 
and pluggable implementation. First, the basic details:

A user can have one or more roles, and roles determine what that user 
can and can't do/see/access. As I said, this is a well-known problem and 
there's even an existing library for the task: tapestry-acegi.

The good thing about tapestry-acegi is its 2 simple components. They make 
perfect sense and make integration feel smooth and water-tight (ie, not 
leaky). The bad things are:
1) The documentation is basically non-existent and I have no idea how to 
get it set up. Using the components is a no brainer - it's the 
infrastructure that loses me.
2) It requires foreknowledge of acegi. Ok, so I checked out those docs, 
which led me to:
3) Acegi docs explicitly state that knowledge of spring is required, so 
you must first know (or learn) that.

That's where I draw the line. If you've read many posts from me, you may 
know that while I've been developing in Java for about 6 years I've 
specifically avoided using it for web because I've never felt it "had it 
together." Yes it's capable, but it's been overly complex and fragmented. 
Yes there are open source options but none of them, including struts and 
spring, have been enough to convince me that investing my time in 
learning them was worth it. This changed when I started toying with 
tapestry and its perspective of development (so this probably includes 
wicket, web objects, and prado).

I'm not bashing tapestry-acegi by any means. In fact I commend, thank, 
and cite in code the project as I used the idea of the IfLoggedIn 
component. It's both simple and elegant - but it requires knowledge that 
I don't have and am not convinced is worth my having.

So... what are any of you other ambitious T5ers using for this? Packaged 
tools? Home grown? I'm home growing one at the moment (specific to a 
project) and would love to share, but I want to know what anyone else is 
doing to solve this classic problem.

sincerely,
chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: T5: access control (again)

Posted by Chris Lewis <ch...@bellsouth.net>.
Ok :-). Here's my wish list:

1. Remove Spring as a dependency. However "stupid" this is according to 
the Spring developers, it would be valuable to me (and I'm sure others 
like me). Apparently this isn't too difficult to do: 
http://www.acegisecurity.org/standalone.html

2. Provide some kind of quick start that includes what you shared in the 
wiki, but also covers getting acegi bootstrapped properly (schema, etc 
etc). Of course the line between what you should provide and what is 
already provided is a bit blurry. I've started reading through 
http://www.acegisecurity.org/guide/springsecurity.html, which covers 
pretty much everything from A-Z. The unfortunate part, and unfortunately 
unexpected given "java's" rep, is that it is so complex and verbose. I 
don't personally think that implementing a simple but secure 
authentication system with users and roles has to be so complicated. 
Again it's clearly not your job to document acegi, but a simple quick 
start or common use case would get us close to not needing spring docs, 
or require us to digest the whole acegi manual.

My 2 cents. Thanks for listening and contributing.

chris


Robin Helgelin wrote:
> On Jan 6, 2008 11:35 AM, Chris Lewis <ch...@bellsouth.net> wrote:
>   
>> Let me close by clarifying my tone as I've been told I come across as
>> harsh. I am not bashing spring, acegi, or the tapestry integration. What
>> I am saying is that as a developer with no use for spring, using the t5
>> acegi module appears to be a bad choice for me as I do not know acegi at
>> all, and learning it, by way of transitive dependencies, requires me to
>> learn spring.
>>     
>
> I can't disagree with that, it's true :). However, I'm glad to help
> with adding things to the acegi module that will make things even
> easier, so that you don't have to look at spring at all.
>
>   


Re: T5: access control (again)

Posted by Robin Helgelin <lo...@gmail.com>.
On Jan 6, 2008 11:35 AM, Chris Lewis <ch...@bellsouth.net> wrote:
> Let me close by clarifying my tone as I've been told I come across as
> harsh. I am not bashing spring, acegi, or the tapestry integration. What
> I am saying is that as a developer with no use for spring, using the t5
> acegi module appears to be a bad choice for me as I do not know acegi at
> all, and learning it, by way of transitive dependencies, requires me to
> learn spring.

I can't disagree with that, it's true :). However, I'm glad to help
with adding things to the acegi module that will make things even
easier, so that you don't have to look at spring at all.

-- 
        regards,
        Robin



Re: T5: access control (again)

Posted by Chris Lewis <ch...@bellsouth.net>.
I understand - I have looked through the tapestry-acegi wiki and the 
site, and they only talk about the T5 side (whereas you agreed that the 
docs are lacking, you are right in that they are sufficient). Where I'm 
lost is how to set up acegi, how its invocations work, what the schema 
requirements are, how it's loaded, etc etc. The acegi site clearly says 
spring can be removed from acegi, but it basically says that would be 
dumb, and of course says you must know spring to follow the docs. That 
seems a bit circular. Of course the response could be that I'm too lazy 
to learn spring and perhaps that'd be somewhat water proof. I'd word it 
by saying I have no legitimate need and zero interest in learning spring 
- I want access control, not another ioc container.
Let me close by clarifying my tone as I've been told I come across as 
harsh. I am not bashing spring, acegi, or the tapestry integration. What 
I am saying is that as a developer with no use for spring, using the t5 
acegi module appears to be a bad choice for me as I do not know acegi at 
all, and learning it, by way of transitive dependencies, requires me to 
learn spring.

chris

Robin Helgelin wrote:
> On Jan 6, 2008 10:29 AM, Chris Lewis <ch...@bellsouth.net> wrote:
>   
>> I remember reading in the acegi docs that it was possible to swap-out
>> the usage of spring. I feel like you'll find it's not too difficult to
>> do. I realize I say this out of ignorance but T5 IoC is quite easy to
>> get your head around, and as you know your way around spring and acegi...
>> Anyway, thanks for the input and do let me know how you find it.
>>     
>
> My acegi package tapestry5-acegi, doesn't require any knowledge or
> explicit use of spring. Yes, acegi uses spring internally, but it's
> completely transparent from the developer if they choose not to use
> spring.
>
> As far as the documentation is lacking, I agree, but there should be
> enough information on the wiki and webpage to get you started.
>
> http://www.localhost.nu/java/tapestry5-acegi
>
>   


Re: T5: access control (again)

Posted by Robin Helgelin <lo...@gmail.com>.
On Jan 6, 2008 10:29 AM, Chris Lewis <ch...@bellsouth.net> wrote:
> I remember reading in the acegi docs that it was possible to swap-out
> the usage of spring. I feel like you'll find it's not too difficult to
> do. I realize I say this out of ignorance but T5 IoC is quite easy to
> get your head around, and as you know your way around spring and acegi...
> Anyway, thanks for the input and do let me know how you find it.

My acegi package tapestry5-acegi, doesn't require any knowledge or
explicit use of spring. Yes, acegi uses spring internally, but it's
completely transparent from the developer if they choose not to use
spring.

As far as the documentation is lacking, I agree, but there should be
enough information on the wiki and webpage to get you started.

http://www.localhost.nu/java/tapestry5-acegi

-- 
        regards,
        Robin



Re: T5: access control (again)

Posted by Chris Lewis <ch...@bellsouth.net>.
I remember reading in the acegi docs that it was possible to swap-out 
the usage of spring. I feel like you'll find it's not too difficult to 
do. I realize I say this out of ignorance but T5 IoC is quite easy to 
get your head around, and as you know your way around spring and acegi...
Anyway, thanks for the input and do let me know how you find it.

sincerely,
chris

Jonathan Barker wrote:
> Chris,
>
> I'm about to embark on access control for a T5 app I'm building.  Two years
> ago, I built a T4 app with Spring / Hibernate / Acegi.  I had already
> digested much of the Spring docs even though I hadn't really used it, the
> Acegi docs obviously referred to Spring, and re-doing it in Hivemind when I
> was a rookie at Acegi, Spring and Hivemind didn't seem very bright. 
>
> The key is that tapestry-ioc in T5 (and Hivemind for T4) can be used
> *instead* of Spring.  The challenge is having the knowledge to accomplish
> this when all of the documentation on Acegi talks about Spring.  Spring is
> mainly just a means to configure Acegi, and make sure that Acegi information
> gets moved in and out of the session.  
>
> Now, I'm about to try tapestry-acegi.  Fortunately, the access control for
> this app is far simpler than what I had to do in T4, and my knowledge of
> Acegi and Spring grew dramatically through that old project.  I'll probably
> take the time to understand tapestry-ioc this time.
>
> Hopefully I'll have some real pearls of wisdom to offer in a few days.
>
>
> Jonathan
>
>
>   
>> -----Original Message-----
>> From: Chris Lewis [mailto:chris_lewis@bellsouth.net]
>> Sent: Saturday, January 05, 2008 6:43 PM
>> To: Tapestry users
>> Subject: T5: access control (again)
>>
>> Dear list - specifically all those having successful access control
>> implementations,
>>
>> I'd like to poll you for how you did it. Not so much the action of
>> authentication, but more so how access is monitored and restricted. This
>> is a well-known problem in general, but I've yet to see a satisfactory
>> and pluggable implementation. First, the basic details:
>>
>> A user can have one or more roles, and roles determine what that user
>> can and can't do/see/access. As I said, this is a well-known problem and
>> there's even an existing library for the task: tapestry-acegi.
>>
>> The good thing about tapestry-acegi is its 2 simple components. They make
>> perfect sense and make integration feel smooth and water-tight (ie, not
>> leaky). The bad things are:
>> 1) The documentation is basically non-existent and I have no idea how to
>> get it set up. Using the components is a no brainer - it's the
>> infrastructure that loses me.
>> 2) It requires foreknowledge of acegi. Ok, so I checked out those docs,
>> which led me to:
>> 3) Acegi docs explicitly state that knowledge of spring is required, so
>> you must first know (or learn) that.
>>
>> That's where I draw the line. If you've read many posts from me, you may
>> know that while I've been developing in Java for about 6 years I've
>> specifically avoided using it for web because I've never felt it "had it
>> together." Yes it's capable, but it's been overly complex and fragmented.
>> Yes there are open source options but none of them, including struts and
>> spring, have been enough to convince me that investing my time in
>> learning them was worth it. This changed when I started toying with
>> tapestry and its perspective of development (so this probably includes
>> wicket, web objects, and prado).
>>
>> I'm not bashing tapestry-acegi by any means. In fact I commend, thank,
>> and cite in code the project as I used the idea of the IfLoggedIn
>> component. It's both simple and elegant - but it requires knowledge that
>> I don't have and am not convinced is worth my having.
>>
>> So... what are any of you other ambitious T5ers using for this? Packaged
>> tools? Home grown? I'm home growing one at the moment (specific to a
>> project) and would love to share, but I want to know what anyone else is
>> doing to solve this classic problem.
>>
>> sincerely,
>> chris
>>
>>     
>
>
>
>
>   


RE: T5: access control (again)

Posted by Jonathan Barker <jo...@gmail.com>.
Chris,

I'm about to embark on access control for a T5 app I'm building.  Two years
ago, I built a T4 app with Spring / Hibernate / Acegi.  I had already
digested much of the Spring docs even though I hadn't really used it, the
Acegi docs obviously referred to Spring, and re-doing it in Hivemind when I
was a rookie at Acegi, Spring and Hivemind didn't seem very bright. 

The key is that tapestry-ioc in T5 (and Hivemind for T4) can be used
*instead* of Spring.  The challenge is having the knowledge to accomplish
this when all of the documentation on Acegi talks about Spring.  Spring is
mainly just a means to configure Acegi, and make sure that Acegi information
gets moved in and out of the session.  

Now, I'm about to try tapestry-acegi.  Fortunately, the access control for
this app is far simpler than what I had to do in T4, and my knowledge of
Acegi and Spring grew dramatically through that old project.  I'll probably
take the time to understand tapestry-ioc this time.

Hopefully I'll have some real pearls of wisdom to offer in a few days.


Jonathan


> -----Original Message-----
> From: Chris Lewis [mailto:chris_lewis@bellsouth.net]
> Sent: Saturday, January 05, 2008 6:43 PM
> To: Tapestry users
> Subject: T5: access control (again)
> 
> Dear list - specifically all those having successful access control
> implementations,
> 
> I'd like to poll you for how you did it. Not so much the action of
> authentication, but more so how access is monitored and restricted. This
> is a well-known problem in general, but I've yet to see a satisfactory
> and pluggable implementation. First, the basic details:
> 
> A user can have one or more roles, and roles determine what that user
> can and can't do/see/access. As I said, this is a well-known problem and
> there's even an existing library for the task: tapestry-acegi.
> 
> The good thing about tapestry-acegi is its 2 simple components. They make
> perfect sense and make integration feel smooth and water-tight (ie, not
> leaky). The bad things are:
> 1) The documentation is basically non-existent and I have no idea how to
> get it set up. Using the components is a no brainer - it's the
> infrastructure that loses me.
> 2) It requires foreknowledge of acegi. Ok, so I checked out those docs,
> which led me to:
> 3) Acegi docs explicitly state that knowledge of spring is required, so
> you must first know (or learn) that.
> 
> That's where I draw the line. If you've read many posts from me, you may
> know that while I've been developing in Java for about 6 years I've
> specifically avoided using it for web because I've never felt it "had it
> together." Yes it's capable, but it's been overly complex and fragmented.
> Yes there are open source options but none of them, including struts and
> spring, have been enough to convince me that investing my time in
> learning them was worth it. This changed when I started toying with
> tapestry and its perspective of development (so this probably includes
> wicket, web objects, and prado).
> 
> I'm not bashing tapestry-acegi by any means. In fact I commend, thank,
> and cite in code the project as I used the idea of the IfLoggedIn
> component. It's both simple and elegant - but it requires knowledge that
> I don't have and am not convinced is worth my having.
> 
> So... what are any of you other ambitious T5ers using for this? Packaged
> tools? Home grown? I'm home growing one at the moment (specific to a
> project) and would love to share, but I want to know what anyone else is
> doing to solve this classic problem.
> 
> sincerely,
> chris
> 

