Posted to users@isis.apache.org by Okwui <ok...@gmail.com> on 2013/06/21 23:54:49 UTC

Re: user management in isis

How do I implement a user management system?

Re: user management in isis

Posted by Jeroen van der Wal <je...@stromboli.it>.
You could model your user and role domain in Isis and write a Shiro
realm to make use of that [1].

HTH

[1] http://shiro.apache.org/realm.html

On Sat, Jun 22, 2013 at 8:54 PM, Okwui <ok...@gmail.com> wrote:
> I have read those. What I want to do is provide a UI to create users and assign roles. I also want to associate users with objects for instance I want to have a department object that refers to a user object as the manager of the department.
>
> Sent from my iPad
>
> On Jun 22, 2013, at 2:09 PM, Jeroen van der Wal <je...@stromboli.it> wrote:
>
>> Isis uses Apache Shiro for authentication and authorization. You can
>> find further details in the documentation [1]
>>
>> [1] http://isis.apache.org/components/security/shiro/about.html
>>
>> On Fri, Jun 21, 2013 at 11:54 PM, Okwui <ok...@gmail.com> wrote:
>>> How do I implement a user management system?

Re: user management in isis

Posted by james agada <ok...@gmail.com>.
I will try this approach.

Sent from my iPhone

On Jun 23, 2013, at 9:17 AM, Dan Haywood <da...@haywood-associates.co.uk> wrote:

> Hi James,
> What you need to do for this requirement is to configure Shiro to use
> database tables, using its JdbcRealm or similar [1], [2], [3]
>
> Then, model these concepts as entities within Isis, such that (when using
> our JDO objectstore) that they map onto these tables.
>
> You'll then be able to configure access to your regular entities (ToDoItem
> or whatever) through Isis itself.
>
> I can see this being a useful "off-the-shelf" component that others might
> want to use, so you might want to do this as a little independent project
> in github or similar.  (Getting ahead of myself... some day it might also
> be good to incorporate within Isis itself)
>
> HTH
> Dan
>
> [1]
> http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/realm/jdbc/JdbcRealm.html
> [2] http://blog.pinateknoloji.com/shiro-jdbc-realm
> [3] http://java.dzone.com/articles/java-web-application-security-1
>
>
> On 23 June 2013 08:36, james agada <ok...@gmail.com> wrote:
>
>> No I am not building an Identity management system. I will take your advice
>> though. I will use pwm to manage users but then how will I be able to use
>> that in the domain model? When a user logs in, I want him to have access to
>> some data only. In the ToDo application this is achieved with the ownedby
>> property but I want to go beyond that and have the owned by to be an entity
>> to which I can assign users. I can model the entity but I cannot get list
>> of users from Isis.
>>
>> Sent from my iPhone
>>
>> On Jun 22, 2013, at 10:23 PM, David Tildesley <da...@yahoo.co.nz> wrote:
>>
>> Sent from Yahoo! Mail on Android
>>
>> Are you building an Identity Management system? If not then obviously the
>> first requirement is normally orthogonal to the business domain and is left
>> to whatever manages users in an LDAP directory including group membership.
>> The second requirement could be modeled as part of the business domain.
>>
>> David.
>>
>> ------------------------------
>> * From: * Okwui <ok...@gmail.com>;
>> * To: * users@isis.apache.org <us...@isis.apache.org>;
>> * Cc: * users@isis.apache.org <us...@isis.apache.org>;
>> * Subject: * Re: user management in isis
>> * Sent: * Sat, Jun 22, 2013 6:54:14 PM
>>
>>  I have read those. What I want to do is provide a UI to create users and
>> assign roles. I also want to associate users with objects for instance I
>> want to have a department object that refers to a user object as the
>> manager of the department.
>>
>> Sent from my iPad
>>
>> On Jun 22, 2013, at 2:09 PM, Jeroen van der Wal <jeroen@stromboli.it> wrote:
>>
>>> Isis uses Apache Shiro for authentication and authorization. You can
>>> find further details in the documentation [1]
>>>
>>> [1] http://isis.apache.org/components/security/shiro/about.html
>>>
>>> On Fri, Jun 21, 2013 at 11:54 PM, Okwui <okwuiagada@gmail.com> wrote:
>>>> How do I implement a user management system?
>>

Re: user management in isis

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
On 23 June 2013 18:59, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:

>
> Are the Shiro-enforced rules understood by the junit viewer ? I
> currently have domain tests that check that role rules are enforced
> (user A logs in and gets role Z, can / can not execute action Xxxx).
>
>
Um, no...  I guess it could be done as an integration test, though.  It
would require that the Isis bootstrapping installs the authentication facet
decorator, but it should (famous last words) then work.

Cheers
Dan


> Regards,
> Kevin
>
>

Re: user management in isis

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
A really good solution.

It has always bugged me that I didn't have a good solution to this 
problem. 

Thanks Dan!

I previously resorted to encoding the access control via "visibleXxx" 
and "disabledXxxx" domain methods, but, as you can predict, this 
requires uploading a new domain binary every time the access control 
rules are updated.

Are the Shiro-enforced rules understood by the junit viewer ? I 
currently have domain tests that check that role rules are enforced 
(user A logs in and gets role Z, can / can not execute action Xxxx).

Regards,
Kevin

On 23 Jun 2013 at 9:16, Dan Haywood wrote:

> Hi James,
> What you need to do for this requirement is to configure Shiro to use
> database tables, using its JdbcRealm or similar [1], [2], [3]
> 
> Then, model these concepts as entities within Isis, such that (when using
> our JDO objectstore) that they map onto these tables.
> 
> You'll then be able to configure access to your regular entities (ToDoItem
> or whatever) through Isis itself.
> 
> I can see this being a useful "off-the-shelf" component that others might
> want to use, so you might want to do this as a little independent project
> in github or similar.  (Getting ahead of myself... some day it might also
> be good to incorporate within Isis itself)
> 
> HTH
> Dan
> 
> [1]
> http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/realm/jdbc/JdbcRealm.html
> [2] http://blog.pinateknoloji.com/shiro-jdbc-realm
> [3] http://java.dzone.com/articles/java-web-application-security-1
> 
> 
> On 23 June 2013 08:36, james agada wrote:
> 
> > No I am not building an Identity management system. I will take your advice
> > though. I will use pwm to manage users but then how will I be able to use
> > that in the domain model? When a user logs in, I want him to have access to
> > some data only. In the ToDo application this is achieved with the ownedby
> > property but I want to go beyond that and have the owned by to be an entity
> > to which I can assign users. I can model the entity but I cannot get list
> > of users from Isis.
> >
> > Sent from my iPhone
> >
> >  ------------------------------
> >
> >   I have read those. What I want to do is provide a UI to create users and
> > assign roles. I also want to associate users with objects for instance I
> > want to have a department object that refers to a user object as the
> > manager of the department.
> >
> > Sent from my iPad
> >
> > On Jun 22, 2013, at 2:09 PM, Jeroen van der Wal
> >  wrote:
> >
> > > Isis uses Apache Shiro for authentication and authorization. You can
> > > find further details in the documentation [1]
> > >
> > > [1] http://isis.apache.org/components/security/shiro/about.html
> > >
> > > On Fri, Jun 21, 2013 at 11:54 PM, Okwui  wrote:
> > >> How do I implement a user management system?


Re: user management in isis

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Hi James,
What you need to do for this requirement is to configure Shiro to use
database tables, using its JdbcRealm or similar [1], [2], [3]

Then, model these concepts as entities within Isis, such that (when using
our JDO objectstore) that they map onto these tables.

You'll then be able to configure access to your regular entities (ToDoItem
or whatever) through Isis itself.

I can see this being a useful "off-the-shelf" component that others might
want to use, so you might want to do this as a little independent project
in github or similar.  (Getting ahead of myself... some day it might also
be good to incorporate within Isis itself)

HTH
Dan

[1]
http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/realm/jdbc/JdbcRealm.html
[2] http://blog.pinateknoloji.com/shiro-jdbc-realm
[3] http://java.dzone.com/articles/java-web-application-security-1


On 23 June 2013 08:36, james agada <ok...@gmail.com> wrote:

> No I am not building an Identity management system. I will take your advice
> though. I will use pwm to manage users but then how will I be able to use
> that in the domain model? When a user logs in, I want him to have access to
> some data only. In the ToDo application this is achieved with the ownedby
> property but I want to go beyond that and have the owned by to be an entity
> to which I can assign users. I can model the entity but I cannot get list
> of users from Isis.
>
> Sent from my iPhone
>
> On Jun 22, 2013, at 10:23 PM, David Tildesley <da...@yahoo.co.nz> wrote:
>
> Sent from Yahoo! Mail on Android
>
> Are you building an Identity Management system? If not then obviously the
> first requirement is normally orthogonal to the business domain and is left
> to whatever manages users in an LDAP directory including group membership.
> The second requirement could be modeled as part of the business domain.
>
> David.
>
>  ------------------------------
> * From: * Okwui <ok...@gmail.com>;
> * To: * users@isis.apache.org <us...@isis.apache.org>;
> * Cc: * users@isis.apache.org <us...@isis.apache.org>;
> * Subject: * Re: user management in isis
> * Sent: * Sat, Jun 22, 2013 6:54:14 PM
>
>   I have read those. What I want to do is provide a UI to create users and
> assign roles. I also want to associate users with objects for instance I
> want to have a department object that refers to a user object as the
> manager of the department.
>
> Sent from my iPad
>
> On Jun 22, 2013, at 2:09 PM, Jeroen van der Wal <jeroen@stromboli.it> wrote:
>
> > Isis uses Apache Shiro for authentication and authorization. You can
> > find further details in the documentation [1]
> >
> > [1] http://isis.apache.org/components/security/shiro/about.html
> >
> > On Fri, Jun 21, 2013 at 11:54 PM, Okwui <okwuiagada@gmail.com> wrote:
> >> How do I implement a user management system?
>
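Dan's recipe above, carried through as an added example in Java; this is not Isis or Shiro project code and not something posted in the thread. It builds a JdbcRealm over `users`, `user_roles` and `roles_permissions` tables (JdbcRealm's default table names, and the tables an Isis domain model would also map as JDO entities), creates users the way an Isis "create user" action would have to, and logs in against it. Assumptions: Shiro 1.2.x, an in-memory H2 DataSource so it runs stand-alone, constructed sample users and a made-up `department:assignManager:*` permission string. In an Isis webapp the realm would be declared in shiro.ini rather than wired in code. The point the thread does not spell out is that a bare JdbcRealm keeps Shiro's SimpleCredentialsMatcher and so compares the password column in plaintext; a HashedCredentialsMatcher plus a per-user salt column is needed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Statement;
import javax.sql.DataSource;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.Subject;
import org.h2.jdbcx.JdbcDataSource;

/**
 * Added example (not Isis or Shiro project code). JdbcRealm over the tables the
 * Isis domain model would also map as JDO entities. Assumptions: Shiro 1.2.x,
 * an in-memory H2 DataSource so it runs stand-alone, and constructed users/roles.
 */
public class JdbcRealmExample {

    static final String HASH_ALGORITHM = "SHA-256";
    static final int HASH_ITERATIONS = 1024;

    /** Build the realm over JdbcRealm's default table and column names. */
    static JdbcRealm buildRealm(DataSource ds) {
        // Without this matcher the realm keeps SimpleCredentialsMatcher, i.e. it
        // compares the submitted password with the password column as plaintext.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(HASH_ALGORITHM);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);

        JdbcRealm realm = new JdbcRealm();
        realm.setDataSource(ds);
        realm.setCredentialsMatcher(matcher);
        // COLUMN salt style makes the realm read (password, password_salt) per
        // user and hand the salt to the matcher.
        realm.setSaltStyle(JdbcRealm.SaltStyle.COLUMN);
        realm.setUserRolesQuery("select role_name from user_roles where username = ?");
        realm.setPermissionsQuery("select permission from roles_permissions where role_name = ?");
        realm.setPermissionsLookupEnabled(true);
        return realm;
    }

    /** What an Isis "create user" action would have to persist for the realm. */
    static void createUser(DataSource ds, String username, String password, String... roles)
            throws Exception {
        // JdbcRealm passes the salt column to the matcher as the column's own
        // characters, not decoded hex, so hash with exactly the string we store.
        String salt = new SecureRandomNumberGenerator().nextBytes().toHex();
        String hash = new Sha256Hash(password, salt, HASH_ITERATIONS).toHex();
        try (Connection c = ds.getConnection()) {
            try (PreparedStatement ps = c.prepareStatement(
                    "insert into users(username, password, password_salt) values (?, ?, ?)")) {
                ps.setString(1, username);
                ps.setString(2, hash);
                ps.setString(3, salt);
                ps.executeUpdate();
            }
            for (String role : roles) {
                try (PreparedStatement ps = c.prepareStatement(
                        "insert into user_roles(username, role_name) values (?, ?)")) {
                    ps.setString(1, username);
                    ps.setString(2, role);
                    ps.executeUpdate();
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        JdbcDataSource ds = new JdbcDataSource();
        ds.setURL("jdbc:h2:mem:isisusers;DB_CLOSE_DELAY=-1");
        ds.setUser("sa");
        try (Connection c = ds.getConnection(); Statement s = c.createStatement()) {
            s.execute("create table users(username varchar primary key, password varchar, password_salt varchar)");
            s.execute("create table user_roles(username varchar, role_name varchar)");
            s.execute("create table roles_permissions(role_name varchar, permission varchar)");
            // constructed sample data; the permission string is made up for this example
            s.execute("insert into roles_permissions values ('hr_admin', 'department:assignManager:*')");
        }
        createUser(ds, "alice", "correct horse battery staple", "hr_admin");
        createUser(ds, "bob", "hunter2", "employee");

        SecurityUtils.setSecurityManager(new DefaultSecurityManager(buildRealm(ds)));
        Subject subject = SecurityUtils.getSubject();

        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("alice has hr_admin: " + subject.hasRole("hr_admin"));
        System.out.println("alice may assign a manager: " + subject.isPermitted("department:assignManager:42"));
        subject.logout();

        try {
            subject.login(new UsernamePasswordToken("bob", "not hunter2"));
        } catch (AuthenticationException e) {
            System.out.println("bob with a wrong password is rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Run with shiro-core and h2 on the classpath. `setSaltStyle(COLUMN)` switches the authentication query to the two-column salted form; if the Isis entities map onto tables with other names, set `authenticationQuery`, `userRolesQuery` and `permissionsQuery` explicitly to match.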

Re: user management in isis

Posted by james agada <ok...@gmail.com>.
Great. I'll try this out

Sent from my iPhone

On Jun 23, 2013, at 9:49 AM, David Tildesley <da...@yahoo.co.nz> wrote:

>
>
> James wrote:
>
>> No I am not building an Identity management system. I will take your advice
>> though. I will use pwm to manage users but then how will I be able to use
>> that in the domain model? When a user logs in, I want him to have access to
>> some data only. In the ToDo application this is achieved with the ownedby
>> property but I want to go beyond that and have the owned by to be an entity
>> to which I can assign users. I can model the entity but I cannot get list
>> of users from Isis.
>
> It's hard to offer advice when I don't know your problem domain.
> However generally speaking it sounds like your "user" may be represented in the application problem domain
> and has a <<party>>"Person" entity instance which has some sort of <<role>> relationship instance to one or more <<moment-interval>> instances
> If you don't know already, the concepts between the chevrons are archetypes from Coad's colour modeling
> which is nicely summarized in Dan Haywood's book: "DDD using Naked Objects"
> N.B. If the only thing of interest is the <<role>> and the "person" only has one role, then you don't need the <<party>>"Person" entity.
> So ... how do you get your <<party>>/<<role>> into your application as an instance? Well it could come from a variety of sources:
>
> - Some other system as an integration or an ETL load.
> - Synced from an LDAP directory
> - Entered manually by some business person with administrator role
> - via form based signup (for a service offered by your application)
> - or it could be provisioned just in time when the authentication user first connects by using the user id to go and fetch Identity attributes from an LDAP server user entry. e.g. the Identity may have an employee number which fits in nicely with <<role>>Employee.
> - or something else
>
> Once your <<party>>/<<role>> is in the system as an object instance,  then it's a matter of associating the <<role>> with the <<moment-interval>>  and driving the rest by domain behaviour.
>
> e.g. in an HR domain:  a <<party>>Person has a role of <<role>>Employee associated to an <<moment-interval>>Employment.
> The <<moment-interval>>Employment has an association to <<moment-interval>>PositionAssignment which has an association
> to <<thing>> Position. <<thing>>Position has a role association of "manager" to another <<thing>> Position.
> If you can match the (logged in) user principal with a  <<party>>Person----<<role>>Employee then you can
> invoke an operation on the user's <<role>>Employee, delegated to Employment delegated to PositionAssignment
> delegated to "Position" asking for the list of direct reports (<List><<party>>Persons) managed by that <<role>>Employee
> which would then allow some other operation to be done on the list of direct reports by that user.
>
> Generally <<role>> archetypes  have lots of domain specific behaviour revolving around authorisation to act on some particular entity instance in context.
>
> However don't get confused with roles that are used to map to coarse grained access entitlements.
> Shiro enforces down to what operation a user principal is able to invoke based on
> shiro configured role to operation mappings and what "roles" the Shiro realm has determined that the user has (lookup from ldap)
> (which in ISIS  controls what behaviour a user "sees" in the application).
> Domain behaviour takes over from there to determine whether the user
> can do some action on a particular object instance.
>
> HTH.
> David.

Re: user management in isis

Posted by David Tildesley <da...@yahoo.co.nz>.

James wrote:

>No I am not building an Identity management system. I will take your advice
>though. I will use pwm to manage users but then how will I be able to use
>that in the domain model? When a user logs in, I want him to have access to
>some data only. In the ToDo application this is achieved with the ownedby
>property but I want to go beyond that and have the owned by to be an entity
>to which I can assign users. I can model the entity but I cannot get list
>of users from Isis.

It's hard to offer advice when I don't know your problem domain. 
However generally speaking it sounds like your "user" may be represented in the application problem domain
and has a <<party>>"Person" entity instance which has some sort of <<role>> relationship instance to one or more <<moment-interval>> instances
If you don't know already, the concepts between the chevrons are archetypes from Coad's colour modeling
which is nicely summarized in Dan Haywood's book: "DDD using Naked Objects"
N.B. If the only thing of interest is the <<role>> and the "person" only has one role, then you don't need the <<party>>"Person" entity.
So ... how do you get your <<party>>/<<role>> into your application as an instance? Well it could come from a variety of sources:

- Some other system as an integration or an ETL load.
- Synced from an LDAP directory
- Entered manually by some business person with administrator role
- via form based signup (for a service offered by your application)
- or it could be provisioned just in time when the authentication user first connects by using the user id to go and fetch Identity attributes from an LDAP server user entry. e.g. the Identity may have an employee number which fits in nicely with <<role>>Employee.
- or something else

Once your <<party>>/<<role>> is in the system as an object instance,  then it's a matter of associating the <<role>> with the <<moment-interval>>  and driving the rest by domain behaviour.

e.g. in an HR domain:  a <<party>>Person has a role of <<role>>Employee associated to an <<moment-interval>>Employment.
The <<moment-interval>>Employment has an association to <<moment-interval>>PositionAssignment which has an association
to <<thing>> Position. <<thing>>Position has a role association of "manager" to another <<thing>> Position.
If you can match the (logged in) user principal with a  <<party>>Person----<<role>>Employee then you can 
invoke an operation on the user's <<role>>Employee, delegated to Employment delegated to PositionAssignment
delegated to "Position" asking for the list of direct reports (<List><<party>>Persons) managed by that <<role>>Employee
which would then allow some other operation to be done on the list of direct reports by that user.

Generally <<role>> archetypes  have lots of domain specific behaviour revolving around authorisation to act on some particular entity instance in context.

However don't get confused with roles that are used to map to coarse grained access entitlements. 
Shiro enforces down to what operation a user principal is able to invoke based on 
shiro configured role to operation mappings and what "roles" the Shiro realm has determined that the user has (lookup from ldap)
(which in ISIS  controls what behaviour a user "sees" in the application).  
Domain behaviour takes over from there to determine whether the user
can do some action on a particular object instance.

HTH.
David.
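Kevin's disableXxx approach and David's split (Shiro decides which actions a role can reach at all, domain behaviour decides what the user may do to a particular instance) put together in one Isis domain entity, as an added example in Java. This is example code, not from the Isis project or from anyone in the thread. It assumes an `ApplicationUser` entity mapped onto the realm's users table (the entity Dan suggests modelling), the Isis 1.x applib as it was at the time (`DomainObjectContainer.getUser()`, `allInstances(..)`, `UserMemento.getName()` and `hasRole(..)`, container injection by method name), JDO annotations, and `manager` / `hr_admin` roles delivered by the Shiro realm; all of these are assumptions. The hide/disable/validate methods are evaluated by Isis on the server for every invocation, which is what makes them enforcement rather than UI decoration.

```java
import java.util.List;

import javax.jdo.annotations.IdentityType;
import javax.jdo.annotations.PersistenceCapable;

import org.apache.isis.applib.DomainObjectContainer;
import org.apache.isis.applib.annotation.MemberOrder;
import org.apache.isis.applib.annotation.Title;
import org.apache.isis.applib.security.UserMemento;

/**
 * Added example, not Isis project code. A Department whose manager is a user
 * entity. The Shiro role gates who can reach assignManager; domain state gates
 * what that user may do to this particular Department. Assumes the Isis 1.x
 * applib and roles named "manager" and "hr_admin" coming from the Shiro realm.
 */
@PersistenceCapable(identityType = IdentityType.DATASTORE)
public class Department {

    private String name;
    @Title @MemberOrder(sequence = "1")
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    private ApplicationUser manager;
    @MemberOrder(sequence = "2")
    public ApplicationUser getManager() { return manager; }
    public void setManager(ApplicationUser manager) { this.manager = manager; }

    // ---- assignManager: the action and its supporting methods ----

    @MemberOrder(sequence = "1")
    public Department assignManager(ApplicationUser newManager) {
        setManager(newManager);
        return this;
    }

    /** The "list of users" the thread asks for: once users are entities, it is a query. */
    public List<ApplicationUser> choicesAssignManager() {
        return container.allInstances(ApplicationUser.class);
    }

    /** Coarse gate from the Shiro role: only managers and HR see the action at all. */
    public boolean hideAssignManager() {
        UserMemento user = currentUser();
        return !(user.hasRole("hr_admin") || user.hasRole("manager"));
    }

    /** Per-instance gate: a manager may only hand over their own department. */
    public String disableAssignManager() {
        if (isHrAdmin() || isCurrentManager()) {
            return null;  // null means enabled
        }
        return "Only HR or the current manager"
            + (getManager() != null ? " (" + getManager().getUsername() + ")" : "")
            + " can reassign this department";
    }

    /** Argument check: a hand-over must actually change something. */
    public String validateAssignManager(ApplicationUser newManager) {
        if (newManager == null) {
            return "Choose a user";
        }
        if (getManager() != null && newManager.getUsername().equals(getManager().getUsername())) {
            return newManager.getUsername() + " is already the manager";
        }
        return null;
    }

    // ---- helpers ----

    private UserMemento currentUser() { return container.getUser(); }

    private boolean isHrAdmin() { return currentUser().hasRole("hr_admin"); }

    private boolean isCurrentManager() {
        return getManager() != null
            && getManager().getUsername().equals(currentUser().getName());
    }

    // Isis injects the container through a method of this name (assumed 1.x convention).
    private DomainObjectContainer container;
    public void injectDomainObjectContainer(DomainObjectContainer container) {
        this.container = container;
    }
}

/** Assumed entity over the realm's users table; in a real project it gets its own file. */
@PersistenceCapable(identityType = IdentityType.DATASTORE, table = "users")
class ApplicationUser {
    private String username;
    @Title
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    // password and password_salt are deliberately not exposed as properties:
    // the Shiro realm owns them and nothing in the UI should ever show a hash.
}
```

The two checks answer different questions and should stay separate: swapping a role name in the Shiro realm changes who sees `assignManager` without redeploying the domain binary, while the ownership rule in `disableAssignManager` lives with the object it protects, where a role-to-operation mapping could never express it.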

Re: user management in isis

Posted by james agada <ok...@gmail.com>.
No I am not building an Identity management system. I will take your advice
though. I will use pwm to manage users but then how will I be able to use
that in the domain model? When a user logs in, I want him to have access to
some data only. In the ToDo application this is achieved with the ownedby
property but I want to go beyond that and have the owned by to be an entity
to which I can assign users. I can model the entity but I cannot get list
of users from Isis.

Sent from my iPhone

On Jun 22, 2013, at 10:23 PM, David Tildesley <da...@yahoo.co.nz> wrote:

Sent from Yahoo! Mail on Android

Are you building an Identity Management system? If not then obviously the
first requirement is normally orthogonal to the business domain and is left
to whatever manages users in an LDAP directory including group membership.
The second requirement could be modeled as part of the business domain.

David.

 ------------------------------
* From: * Okwui <ok...@gmail.com>;
* To: * users@isis.apache.org <us...@isis.apache.org>;
* Cc: * users@isis.apache.org <us...@isis.apache.org>;
* Subject: * Re: user management in isis
* Sent: * Sat, Jun 22, 2013 6:54:14 PM

  I have read those. What I want to do is provide a UI to create users and
assign roles. I also want to associate users with objects for instance I
want to have a department object that refers to a user object as the
manager of the department.

Sent from my iPad

On Jun 22, 2013, at 2:09 PM, Jeroen van der Wal <jeroen@stromboli.it> wrote:

> Isis uses Apache Shiro for authentication and authorization. You can
> find further details in the documentation [1]
>
> [1] http://isis.apache.org/components/security/shiro/about.html
>
> On Fri, Jun 21, 2013 at 11:54 PM, Okwui <okwuiagada@gmail.com> wrote:
>> How do I implement a user management system?

Re: user management in isis

Posted by David Tildesley <da...@yahoo.co.nz>.
Sent from Yahoo! Mail on Android

Are you building an Identity Management system? If not then obviously the first requirement is normally orthogonal to the business domain and is left to whatever manages users in an LDAP directory including group membership. The second requirement could be modeled  as part of the business domain.

David.


Re: user management in isis

Posted by Okwui <ok...@gmail.com>.
I have read those. What I want to do is provide a UI to create users and assign roles. I also want to associate users with objects for instance I want to have a department object that refers to a user object as the manager of the department.

Sent from my iPad

On Jun 22, 2013, at 2:09 PM, Jeroen van der Wal <je...@stromboli.it> wrote:

> Isis uses Apache Shiro for authentication and authorization. You can
> find further details in the documentation [1]
> 
> [1] http://isis.apache.org/components/security/shiro/about.html
> 
> On Fri, Jun 21, 2013 at 11:54 PM, Okwui <ok...@gmail.com> wrote:
>> How do I implement a user management system?

Re: user management in isis

Posted by Jeroen van der Wal <je...@stromboli.it>.
Isis uses Apache Shiro for authentication and authorization. You can
find further details in the documentation [1]

[1] http://isis.apache.org/components/security/shiro/about.html

On Fri, Jun 21, 2013 at 11:54 PM, Okwui <ok...@gmail.com> wrote:
> How do I implement a user management system?