You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@isis.apache.org by da...@apache.org on 2021/06/09 16:22:12 UTC
[isis] branch master updated: ISIS-2698: fixes docs for renamed
secman classes
This is an automated email from the ASF dual-hosted git repository.
danhaywood pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/isis.git
The following commit(s) were added to refs/heads/master by this push:
new 73323f2 ISIS-2698: fixes docs for renamed secman classes
73323f2 is described below
commit 73323f2f89fb0a217748bfdf7f1eceba216b27f5
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Wed Jun 9 17:21:51 2021 +0100
ISIS-2698: fixes docs for renamed secman classes
---
.../secman/adoc/modules/secman/pages/about.adoc | 36 +++++++++++-----------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/extensions/security/secman/adoc/modules/secman/pages/about.adoc b/extensions/security/secman/adoc/modules/secman/pages/about.adoc
index 63b3133..ccf7f14 100644
--- a/extensions/security/secman/adoc/modules/secman/pages/about.adoc
+++ b/extensions/security/secman/adoc/modules/secman/pages/about.adoc
@@ -72,15 +72,15 @@ SecMan's users, roles and permissions are entities, but application features are
Thus:
-* a user (represented by xref:refguide:extensions:index/secman/api/user/dom/ApplicationUser.adoc[ApplicationUser]) can belong to many roles (xref:refguide:extensions:index/secman/api/role/dom/ApplicationRole.adoc[ApplicationRole])
-* a role in turn holds a set of permissions (xref:refguide:extensions:index/secman/api/permission/dom/ApplicationPermission.adoc[ApplicationPermission]).
+* a user (represented by xref:refguide:extensions:index/secman/applib/user/dom/ApplicationUser.adoc[ApplicationUser]) can belong to many roles (xref:refguide:extensions:index/secman/applib/role/dom/ApplicationRole.adoc[ApplicationRole])
+* a role in turn holds a set of permissions (xref:refguide:extensions:index/secman/applib/permission/dom/ApplicationPermission.adoc[ApplicationPermission]).
Each such permission is either an ``ALLOW`` or a ``VETO`` to an application feature, represented by a fully qualified name
* this resolves to an xref:refguide:applib:index/services/appfeat/ApplicationFeatureId.adoc[ApplicationFeatureId] (from the core metamodel).
That feature will be either a namespace, a type or a member.
+
The core metamodel also provides xref:refguide:applib:index/services/appfeat/ApplicationFeature.adoc[ApplicationFeature] (each being identified with an xref:refguide:applib:index/services/appfeat/ApplicationFeatureId.adoc[ApplicationFeatureId] that makes it easier to navigate around the application feature hierarchy.
-The domain model also shows the xref:refguide:extensions:index/secman/api/tenancy/spi/ApplicationTenancyEvaluator.adoc[ApplicationTenancyEvaluator] interface and xref:refguide:extensions:index/secman/api/tenancy/dom/ApplicationTenancy.adoc[ApplicationTenancy] entity.
+The domain model also shows the xref:refguide:extensions:index/secman/applib/tenancy/spi/ApplicationTenancyEvaluator.adoc[ApplicationTenancyEvaluator] interface and xref:refguide:extensions:index/secman/applib/tenancy/dom/ApplicationTenancy.adoc[ApplicationTenancy] entity.
These are to support multitenancy, discussed in the section <<Multitenancy,below>>.
@@ -90,12 +90,12 @@ In addition to users, roles and permissions, SecMan also supports link:https://e
The idea is that the ownership of domain objects is logically partitioned into tenants; one tenant cannot see or access the data owned by another tenant.
Implementing multitenancy requires that both data and user is "tagged" in some way, and that these tags are compared against each other to determine if the user has access to the tagged data.
-This is represented in the domain model through the xref:refguide:extensions:index/secman/api/tenancy/spi/ApplicationTenancyEvaluator.adoc[ApplicationTenancyEvaluator] SPI interface.
+This is represented in the domain model through the xref:refguide:extensions:index/secman/applib/tenancy/spi/ApplicationTenancyEvaluator.adoc[ApplicationTenancyEvaluator] SPI interface.
The idea is that the application provides its own implementation of this interface, that performs the evaluation of whether the current user can view the domain object or not (and if they can, whether the domain object members are disabled/read-only).
One simple implementation is to tag domain objects with a "path", and similarly to store a "path" for each application user.
-The idea behind the xref:refguide:extensions:index/secman/api/tenancy/dom/ApplicationTenancy.adoc[ApplicationTenancy] is simply to name these tenancies; its `atPath` property is intended to be a primary key.
-The xref:refguide:extensions:index/secman/api/user/dom/ApplicationUser.adoc[ApplicationUser] entity also has an `atPath` property.
+The idea behind the xref:refguide:extensions:index/secman/applib/tenancy/dom/ApplicationTenancy.adoc[ApplicationTenancy] is simply to name these tenancies; its `atPath` property is intended to be a primary key.
+The xref:refguide:extensions:index/secman/applib/user/dom/ApplicationUser.adoc[ApplicationUser] entity also has an `atPath` property.
We could therefore use this "atPath" to represent a country, eg "/GBR", "/ITA", "/FRA", "/BEL" and so on.
For example, the example below uses implements the rule that a user can always view an object within (above or below) their place in the path "hierarchy", and can edit any object "under" them in the hierarchy:
@@ -132,7 +132,7 @@ public class ApplicationTenancyEvaluatorUsingAtPath implements ApplicationTenanc
}
}
----
-<.> SecMan provides the xref:refguide:extensions:index/secman/api/tenancy/dom/HasAtPath.adoc[HasAtPath] interface to standardize the way in which domain objects expose their "tag" (atPath) to the evaluator.
+<.> SecMan provides the xref:refguide:extensions:index/secman/applib/tenancy/dom/HasAtPath.adoc[HasAtPath] interface to standardize the way in which domain objects expose their "tag" (atPath) to the evaluator.
<.> can view all objects (above and below) within the user's hierarchy
+
For example:
@@ -189,9 +189,9 @@ More complex implementations are possible: ultimately the "atPath" properties ar
For example, to allow a user to be able to access objects from multiple countries, we could use a format such as "/ITA;/BEL".
The implementation would parse the string and allow access for any country.
-For this reason, the xref:refguide:extensions:index/secman/api/user/dom/ApplicationUser.adoc[ApplicationUser]'s `atPath` property is _not_ a foreign key to the xref:refguide:extensions:index/secman/api/tenancy/dom/ApplicationTenancy.adoc[ApplicationTenancy] entity.
+For this reason, the xref:refguide:extensions:index/secman/applib/user/dom/ApplicationUser.adoc[ApplicationUser]'s `atPath` property is _not_ a foreign key to the xref:refguide:extensions:index/secman/applib/tenancy/dom/ApplicationTenancy.adoc[ApplicationTenancy] entity.
-TIP: Another implementation of xref:refguide:extensions:index/secman/api/tenancy/spi/ApplicationTenancyEvaluator.adoc[ApplicationTenancyEvaluator] can be found in the xref:docs:demo:about.adoc[Demo App]..
+TIP: Another implementation of xref:refguide:extensions:index/secman/applib/tenancy/spi/ApplicationTenancyEvaluator.adoc[ApplicationTenancyEvaluator] can be found in the xref:docs:demo:about.adoc[Demo App]..
.Apache Isis' multi-tenancy is only skin deep
@@ -234,14 +234,14 @@ Thus:
* The `AuthenticatorShiro` calls to the Shiro Security Manager to obtain the authenticated principal.
* The Shiro Security Manager uses the `shiro.ini` configuration file to look up the realm to perform the authentication; in this case we configure it to use Secman's realm (xref:refguide:extensions:index/secman/shiro/IsisModuleExtSecmanShiroRealm.adoc[IsisModuleExtSecmanShiroRealm]).
* Secman's realm implementation queries the database and uses this to create an instance of `PrincipalForApplicationUser`, where the `Principal` interface is Shiro's representation of an authenticated user.
-The `PrincipalForApplicationUser` is backed by xref:refguide:extensions:index/secman/api/user/dom/ApplicationUser.adoc[ApplicationUser], which all of the permissions to object members for this particular user.
+The `PrincipalForApplicationUser` is backed by xref:refguide:extensions:index/secman/applib/user/dom/ApplicationUser.adoc[ApplicationUser], which all of the permissions to object members for this particular user.
* to render a page, the Apache Isis viewer uses configured `Authorizor`, in this case
-Secman's own xref:refguide:extensions:index/secman/api/authorizor/AuthorizorSecman.adoc[AuthorizorSecman].
-This looks up the current xref:refguide:extensions:index/secman/api/user/dom/ApplicationUser.adoc[ApplicationUser] (which will already reside in-memory) and renders the page according to which object members are visible or not.
+Secman's own xref:refguide:extensions:index/secman/integration/authorizor/AuthorizorSecman.adoc[AuthorizorSecman].
+This looks up the current xref:refguide:extensions:index/secman/applib/user/dom/ApplicationUser.adoc[ApplicationUser] (which will already reside in-memory) and renders the page according to which object members are visible or not.
-The above configuration allows Secman to be used to authenticate users; the password is stored as an (typically) encrypted property of the xref:refguide:extensions:index/secman/api/user/dom/ApplicationUser.adoc[ApplicationUser].
-These are called "local" users, as per the xref:refguide:extensions:index/secman/api/user/dom/ApplicationUser.adoc[ApplicationUser]'s `accountType` property.
+The above configuration allows Secman to be used to authenticate users; the password is stored as an (typically) encrypted property of the xref:refguide:extensions:index/secman/applib/user/dom/ApplicationUser.adoc[ApplicationUser].
+These are called "local" users, as per the xref:refguide:extensions:index/secman/applib/user/dom/ApplicationUser.adoc[ApplicationUser]'s `accountType` property.
Secman's xref:refguide:extensions:index/secman/shiro/IsisModuleExtSecmanShiroRealm.adoc[Realm implementation] also allows a "delegate" realm to be configured.
In such cases the authentication of "delegated" users is performed by the delegate realm rather than locally.
@@ -255,7 +255,7 @@ Configuring the delegate realm is performed using Shiro's "poor man's dependency
== Password encryption
-Secman provides the xref:refguide:extensions:index/secman/api/encryption/PasswordEncryptionService.adoc[PasswordEncryptionService] SPI to allow different algorithms to encrypt the user's password.
+Secman provides the xref:refguide:extensions:index/secman/applib/user/spi/PasswordEncryptionService.adoc[PasswordEncryptionService] SPI to allow different algorithms to encrypt the user's password.
The `encryption-jbcrypt` module provides an implementation using the link:https://www.mindrot.org/projects/jBCrypt/[jBCrypt] library.
@@ -264,8 +264,8 @@ The `encryption-jbcrypt` module provides an implementation using the link:https:
SecMan consists of a number of Maven submodules:
-* the API module (`isis-extensions-secman-api`) defines a set of interfaces for the xref:refguide:extensions:index/secman/api/user/dom/ApplicationUser.adoc[ApplicationUser], xref:refguide:extensions:index/secman/api/role/dom/ApplicationRole.adoc[ApplicationRole],
-xref:refguide:extensions:index/secman/api/permission/dom/ApplicationPermission.adoc[ApplicationPermission] and xref:refguide:extensions:index/secman/api/tenancy/dom/ApplicationTenancy.adoc[ApplicationTenancy] entities.
+* the API module (`isis-extensions-secman-api`) defines a set of interfaces for the xref:refguide:extensions:index/secman/applib/user/dom/ApplicationUser.adoc[ApplicationUser], xref:refguide:extensions:index/secman/applib/role/dom/ApplicationRole.adoc[ApplicationRole],
+xref:refguide:extensions:index/secman/applib/permission/dom/ApplicationPermission.adoc[ApplicationPermission] and xref:refguide:extensions:index/secman/applib/tenancy/dom/ApplicationTenancy.adoc[ApplicationTenancy] entities.
* the two persistence modules (`isis-extensions-secman-persistence-jpa` and `isis-extensions-secman-persistence-jdo`) provide concrete implementations of the APIs for JPA and JDO respectively.
As you might expect, they are intended for use with xref:pjpa:ROOT:about.adoc[JPA/Eclipselink] and xref:pjdo:ROOT:about.adoc[JDO/DataNucleus] persistence mechanisms respectively; use one or the other.
@@ -274,5 +274,5 @@ As you might expect, they are intended for use with xref:pjpa:ROOT:about.adoc[JP
* the Shiro realm module (`isis-extensions-secman-shiro-realm`) provides the Shiro realm interface that delegates to the Secman database (see discussion <<shiro-integration,above>>)
-* the jbcrypt encryption module (`isis-extensions-secman-encryption-jbcrypt`) provides an implementation of Secman's xref:refguide:extensions:index/secman/api/encryption/PasswordEncryptionService.adoc[PasswordEncryptionService] so that passwords are persisted securely using link:https://www.mindrot.org/projects/jBCrypt/[jBCrypt].
+* the jbcrypt encryption module (`isis-extensions-secman-encryption-jbcrypt`) provides an implementation of Secman's xref:refguide:extensions:index/secman/applib/user/spi/PasswordEncryptionService.adoc[PasswordEncryptionService] so that passwords are persisted securely using link:https://www.mindrot.org/projects/jBCrypt/[jBCrypt].