You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@isis.apache.org by da...@apache.org on 2021/04/15 07:52:18 UTC
[isis-app-helloworld] branch jdo-secman updated: adds roles for
isis applib etc.
This is an automated email from the ASF dual-hosted git repository.
danhaywood pushed a commit to branch jdo-secman
in repository https://gitbox.apache.org/repos/asf/isis-app-helloworld.git
The following commit(s) were added to refs/heads/jdo-secman by this push:
new 46234bf adds roles for isis applib etc.
46234bf is described below
commit 46234bfe732539a9a6fdf1e0011cbb7f52af68c7
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Thu Apr 15 08:52:04 2021 +0100
adds roles for isis applib etc.
---
.../modules/hello/dom/hwo/HelloWorldObjects.java | 3 ---
.../java/domainapp/security/SeedUsersAndRoles.java | 14 +++++++++-
.../RoleAndPerms__ApplibConfiguration__Veto.java | 30 ++++++++++++++++++++++
.../isisroles/RoleAndPerms__Applib__Allow.java | 28 ++++++++++++++++++++
.../RoleAndPerms__ExtFixtures__Allow.java | 28 ++++++++++++++++++++
.../RoleAndPerms__ExtH2Console__Allow.java | 28 ++++++++++++++++++++
.../isisroles/RoleAndPerms__MetaModel_Allow.java | 28 ++++++++++++++++++++
.../RoleAndPerms__PersistenceJdo_Allow.java | 28 ++++++++++++++++++++
.../security/isisroles/SecmanRoleNames.java | 11 ++++++++
.../security/scripts/SecmanConstants.java | 11 --------
.../security/scripts/UserToRole__bob_UserRw.java | 14 +++++++++-
.../security/scripts/UserToRole__dick_UserRo.java | 12 ++++++++-
.../UserToRole__joe_UserRw_but_NoDelete.java | 18 +++++++++++--
src/main/java/domainapp/webapp/AppManifest.java | 6 ++---
14 files changed, 237 insertions(+), 22 deletions(-)
diff --git a/src/main/java/domainapp/modules/hello/dom/hwo/HelloWorldObjects.java b/src/main/java/domainapp/modules/hello/dom/hwo/HelloWorldObjects.java
index d5c42bb..5d28b08 100644
--- a/src/main/java/domainapp/modules/hello/dom/hwo/HelloWorldObjects.java
+++ b/src/main/java/domainapp/modules/hello/dom/hwo/HelloWorldObjects.java
@@ -2,8 +2,6 @@ package domainapp.modules.hello.dom.hwo;
import java.util.List;
-import javax.jdo.JDOQLTypedQuery;
-
import org.apache.isis.applib.annotation.Action;
import org.apache.isis.applib.annotation.ActionLayout;
import org.apache.isis.applib.annotation.DomainService;
@@ -13,7 +11,6 @@ import org.apache.isis.applib.annotation.RestrictTo;
import org.apache.isis.applib.annotation.SemanticsOf;
import org.apache.isis.applib.query.Query;
import org.apache.isis.applib.services.repository.RepositoryService;
-import org.apache.isis.persistence.jdo.applib.services.JdoSupportService;
import domainapp.modules.hello.types.Name;
diff --git a/src/main/java/domainapp/security/SeedUsersAndRoles.java b/src/main/java/domainapp/security/SeedUsersAndRoles.java
index 557796e..e070c77 100644
--- a/src/main/java/domainapp/security/SeedUsersAndRoles.java
+++ b/src/main/java/domainapp/security/SeedUsersAndRoles.java
@@ -12,6 +12,12 @@ import org.apache.isis.core.metamodel.events.MetamodelEvent;
import org.apache.isis.testing.fixtures.applib.fixturescripts.FixtureScript;
import org.apache.isis.testing.fixtures.applib.fixturescripts.FixtureScripts;
+import domainapp.security.isisroles.RoleAndPerms__ApplibConfiguration__Veto;
+import domainapp.security.isisroles.RoleAndPerms__Applib__Allow;
+import domainapp.security.isisroles.RoleAndPerms__ExtFixtures__Allow;
+import domainapp.security.isisroles.RoleAndPerms__ExtH2Console__Allow;
+import domainapp.security.isisroles.RoleAndPerms__MetaModel_Allow;
+import domainapp.security.isisroles.RoleAndPerms__PersistenceJdo_Allow;
import domainapp.security.scripts.RoleAndPerms__NoDelete;
import domainapp.security.scripts.RoleAndPerms__UserRo;
import domainapp.security.scripts.RoleAndPerms__UserRw;
@@ -47,7 +53,13 @@ public class SeedUsersAndRoles {
@Override
protected void execute(ExecutionContext ec) {
ec.executeChildren(this,
- new RoleAndPerms__UserRw()
+ new RoleAndPerms__Applib__Allow()
+ , new RoleAndPerms__ApplibConfiguration__Veto()
+ , new RoleAndPerms__ExtFixtures__Allow()
+ , new RoleAndPerms__ExtH2Console__Allow()
+ , new RoleAndPerms__MetaModel_Allow()
+ , new RoleAndPerms__PersistenceJdo_Allow()
+ , new RoleAndPerms__UserRw()
, new RoleAndPerms__UserRo()
, new RoleAndPerms__NoDelete()
, new UserToRole__bob_UserRw()
diff --git a/src/main/java/domainapp/security/isisroles/RoleAndPerms__ApplibConfiguration__Veto.java b/src/main/java/domainapp/security/isisroles/RoleAndPerms__ApplibConfiguration__Veto.java
new file mode 100644
index 0000000..398a92a
--- /dev/null
+++ b/src/main/java/domainapp/security/isisroles/RoleAndPerms__ApplibConfiguration__Veto.java
@@ -0,0 +1,30 @@
+package domainapp.security.isisroles;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureSort;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+
+public class RoleAndPerms__ApplibConfiguration__Veto extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "isis-applib-configuration--veto";
+
+ public RoleAndPerms__ApplibConfiguration__Veto() {
+ super(ROLE_NAME, "Veto access to configuration menu");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.VETO,
+ ApplicationPermissionMode.VIEWING,
+ Can.of(
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.MEMBER, "isis.applib.ConfigurationMenu#configuration"),
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.TYPE, "isis.applib.ConfigurationProperty"),
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.TYPE, "isis.applib.ConfigurationViewModel")
+ )
+ );
+ }
+}
diff --git a/src/main/java/domainapp/security/isisroles/RoleAndPerms__Applib__Allow.java b/src/main/java/domainapp/security/isisroles/RoleAndPerms__Applib__Allow.java
new file mode 100644
index 0000000..2c3b423
--- /dev/null
+++ b/src/main/java/domainapp/security/isisroles/RoleAndPerms__Applib__Allow.java
@@ -0,0 +1,28 @@
+package domainapp.security.isisroles;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureSort;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+
+public class RoleAndPerms__Applib__Allow extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "isis-applib--allow";
+
+ public RoleAndPerms__Applib__Allow() {
+ super(ROLE_NAME, "Access objects defined in isis' applib. Note that this includes access to configuration");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.ALLOW,
+ ApplicationPermissionMode.CHANGING,
+ Can.of(
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.NAMESPACE, "isis.applib")
+ )
+ );
+ }
+}
diff --git a/src/main/java/domainapp/security/isisroles/RoleAndPerms__ExtFixtures__Allow.java b/src/main/java/domainapp/security/isisroles/RoleAndPerms__ExtFixtures__Allow.java
new file mode 100644
index 0000000..3897753
--- /dev/null
+++ b/src/main/java/domainapp/security/isisroles/RoleAndPerms__ExtFixtures__Allow.java
@@ -0,0 +1,28 @@
+package domainapp.security.isisroles;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureSort;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+
+public class RoleAndPerms__ExtFixtures__Allow extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "isis-ext-fixtures--allow";
+
+ public RoleAndPerms__ExtFixtures__Allow() {
+ super(ROLE_NAME, "Execute fixture scripts");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.ALLOW,
+ ApplicationPermissionMode.CHANGING,
+ Can.of(
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.NAMESPACE, "isis.ext.fixtures")
+ )
+ );
+ }
+}
diff --git a/src/main/java/domainapp/security/isisroles/RoleAndPerms__ExtH2Console__Allow.java b/src/main/java/domainapp/security/isisroles/RoleAndPerms__ExtH2Console__Allow.java
new file mode 100644
index 0000000..a847f11
--- /dev/null
+++ b/src/main/java/domainapp/security/isisroles/RoleAndPerms__ExtH2Console__Allow.java
@@ -0,0 +1,28 @@
+package domainapp.security.isisroles;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureSort;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+
+public class RoleAndPerms__ExtH2Console__Allow extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "isis-ext-h2-console--allow";
+
+ public RoleAndPerms__ExtH2Console__Allow() {
+ super(ROLE_NAME, "Access the H2 Console");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.ALLOW,
+ ApplicationPermissionMode.CHANGING,
+ Can.of(
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.NAMESPACE, "isis.ext.h2Console")
+ )
+ );
+ }
+}
diff --git a/src/main/java/domainapp/security/isisroles/RoleAndPerms__MetaModel_Allow.java b/src/main/java/domainapp/security/isisroles/RoleAndPerms__MetaModel_Allow.java
new file mode 100644
index 0000000..a778c3c
--- /dev/null
+++ b/src/main/java/domainapp/security/isisroles/RoleAndPerms__MetaModel_Allow.java
@@ -0,0 +1,28 @@
+package domainapp.security.isisroles;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureSort;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+
+public class RoleAndPerms__MetaModel_Allow extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "isis-metamodel--allow";
+
+ public RoleAndPerms__MetaModel_Allow() {
+ super(ROLE_NAME, "Access objects defined in isis' metamodel. Note that this includes access to configuration");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.ALLOW,
+ ApplicationPermissionMode.CHANGING,
+ Can.of(
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.NAMESPACE, "isis.applib")
+ )
+ );
+ }
+}
diff --git a/src/main/java/domainapp/security/isisroles/RoleAndPerms__PersistenceJdo_Allow.java b/src/main/java/domainapp/security/isisroles/RoleAndPerms__PersistenceJdo_Allow.java
new file mode 100644
index 0000000..9c435fc
--- /dev/null
+++ b/src/main/java/domainapp/security/isisroles/RoleAndPerms__PersistenceJdo_Allow.java
@@ -0,0 +1,28 @@
+package domainapp.security.isisroles;
+
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureId;
+import org.apache.isis.applib.services.appfeat.ApplicationFeatureSort;
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionMode;
+import org.apache.isis.extensions.secman.api.permission.ApplicationPermissionRule;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractRoleAndPermissionsFixtureScript;
+
+public class RoleAndPerms__PersistenceJdo_Allow extends AbstractRoleAndPermissionsFixtureScript {
+
+ public static final String ROLE_NAME = "isis-persistence-jdo--allow";
+
+ public RoleAndPerms__PersistenceJdo_Allow() {
+ super(ROLE_NAME, "Download the JDO metamodel");
+ }
+
+ @Override
+ protected void execute(ExecutionContext ec) {
+ newPermissions(
+ ApplicationPermissionRule.ALLOW,
+ ApplicationPermissionMode.CHANGING,
+ Can.of(
+ ApplicationFeatureId.newFeature(ApplicationFeatureSort.NAMESPACE, "isis.persistence.jdo")
+ )
+ );
+ }
+}
diff --git a/src/main/java/domainapp/security/isisroles/SecmanRoleNames.java b/src/main/java/domainapp/security/isisroles/SecmanRoleNames.java
new file mode 100644
index 0000000..3c0cfb7
--- /dev/null
+++ b/src/main/java/domainapp/security/isisroles/SecmanRoleNames.java
@@ -0,0 +1,11 @@
+package domainapp.security.isisroles;
+
+import org.apache.isis.commons.collections.Can;
+import org.apache.isis.extensions.secman.api.user.AccountType;
+import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
+
+public class SecmanRoleNames {
+ private SecmanRoleNames(){}
+ public static final String ADMIN = "isis-ext-secman-admin";
+ public static final String USER = "isis-ext-secman-user";
+}
diff --git a/src/main/java/domainapp/security/scripts/SecmanConstants.java b/src/main/java/domainapp/security/scripts/SecmanConstants.java
deleted file mode 100644
index 0c8df8d..0000000
--- a/src/main/java/domainapp/security/scripts/SecmanConstants.java
+++ /dev/null
@@ -1,11 +0,0 @@
-package domainapp.security.scripts;
-
-import org.apache.isis.commons.collections.Can;
-import org.apache.isis.extensions.secman.api.user.AccountType;
-import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
-
-public class SecmanConstants {
- private SecmanConstants(){}
- public static final String ADMIN_ROLE_NAME = "secman-admin-role";
- public static final String USER_ROLE_NAME = "secman-user-role";
-}
diff --git a/src/main/java/domainapp/security/scripts/UserToRole__bob_UserRw.java b/src/main/java/domainapp/security/scripts/UserToRole__bob_UserRw.java
index a44b92b..561a189 100644
--- a/src/main/java/domainapp/security/scripts/UserToRole__bob_UserRw.java
+++ b/src/main/java/domainapp/security/scripts/UserToRole__bob_UserRw.java
@@ -4,13 +4,25 @@ import org.apache.isis.commons.collections.Can;
import org.apache.isis.extensions.secman.api.user.AccountType;
import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
+import domainapp.security.isisroles.RoleAndPerms__Applib__Allow;
+import domainapp.security.isisroles.RoleAndPerms__ExtFixtures__Allow;
+import domainapp.security.isisroles.RoleAndPerms__ExtH2Console__Allow;
+import domainapp.security.isisroles.RoleAndPerms__MetaModel_Allow;
+import domainapp.security.isisroles.RoleAndPerms__PersistenceJdo_Allow;
+import domainapp.security.isisroles.SecmanRoleNames;
+
public class UserToRole__bob_UserRw extends AbstractUserAndRolesFixtureScript {
public UserToRole__bob_UserRw() {
super("bob", "pass", AccountType.LOCAL,
Can.of(
RoleAndPerms__UserRw.ROLE_NAME
- , SecmanConstants.USER_ROLE_NAME
+ , SecmanRoleNames.USER
+ , RoleAndPerms__Applib__Allow.ROLE_NAME
+ , RoleAndPerms__ExtFixtures__Allow.ROLE_NAME
+ , RoleAndPerms__ExtH2Console__Allow.ROLE_NAME
+ , RoleAndPerms__PersistenceJdo_Allow.ROLE_NAME
+ , RoleAndPerms__MetaModel_Allow.ROLE_NAME
));
}
diff --git a/src/main/java/domainapp/security/scripts/UserToRole__dick_UserRo.java b/src/main/java/domainapp/security/scripts/UserToRole__dick_UserRo.java
index 2245fdb..2e62850 100644
--- a/src/main/java/domainapp/security/scripts/UserToRole__dick_UserRo.java
+++ b/src/main/java/domainapp/security/scripts/UserToRole__dick_UserRo.java
@@ -4,13 +4,23 @@ import org.apache.isis.commons.collections.Can;
import org.apache.isis.extensions.secman.api.user.AccountType;
import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
+import domainapp.security.isisroles.RoleAndPerms__ApplibConfiguration__Veto;
+import domainapp.security.isisroles.RoleAndPerms__Applib__Allow;
+import domainapp.security.isisroles.RoleAndPerms__ExtFixtures__Allow;
+import domainapp.security.isisroles.RoleAndPerms__ExtH2Console__Allow;
+import domainapp.security.isisroles.RoleAndPerms__MetaModel_Allow;
+import domainapp.security.isisroles.SecmanRoleNames;
+
public class UserToRole__dick_UserRo extends AbstractUserAndRolesFixtureScript {
public UserToRole__dick_UserRo() {
super("dick", "pass", AccountType.LOCAL,
Can.of(
RoleAndPerms__UserRo.ROLE_NAME
- , SecmanConstants.USER_ROLE_NAME
+ , SecmanRoleNames.USER
+ , RoleAndPerms__Applib__Allow.ROLE_NAME
+ , RoleAndPerms__ApplibConfiguration__Veto.ROLE_NAME
+ , RoleAndPerms__MetaModel_Allow.ROLE_NAME
));
}
diff --git a/src/main/java/domainapp/security/scripts/UserToRole__joe_UserRw_but_NoDelete.java b/src/main/java/domainapp/security/scripts/UserToRole__joe_UserRw_but_NoDelete.java
index 9f98c23..6af2a88 100644
--- a/src/main/java/domainapp/security/scripts/UserToRole__joe_UserRw_but_NoDelete.java
+++ b/src/main/java/domainapp/security/scripts/UserToRole__joe_UserRw_but_NoDelete.java
@@ -4,14 +4,28 @@ import org.apache.isis.commons.collections.Can;
import org.apache.isis.extensions.secman.api.user.AccountType;
import org.apache.isis.extensions.secman.jdo.seed.scripts.AbstractUserAndRolesFixtureScript;
+import domainapp.security.isisroles.RoleAndPerms__ApplibConfiguration__Veto;
+import domainapp.security.isisroles.RoleAndPerms__Applib__Allow;
+import domainapp.security.isisroles.RoleAndPerms__ExtFixtures__Allow;
+import domainapp.security.isisroles.RoleAndPerms__ExtH2Console__Allow;
+import domainapp.security.isisroles.RoleAndPerms__MetaModel_Allow;
+import domainapp.security.isisroles.RoleAndPerms__PersistenceJdo_Allow;
+import domainapp.security.isisroles.SecmanRoleNames;
+
public class UserToRole__joe_UserRw_but_NoDelete extends AbstractUserAndRolesFixtureScript {
public UserToRole__joe_UserRw_but_NoDelete() {
super("joe", "pass", AccountType.LOCAL,
Can.of(
RoleAndPerms__UserRw.ROLE_NAME
- , RoleAndPerms__NoDelete.ROLE_NAME
- , SecmanConstants.USER_ROLE_NAME
+ , RoleAndPerms__NoDelete.ROLE_NAME // <<< veto application behaviour
+ , RoleAndPerms__Applib__Allow.ROLE_NAME
+ , RoleAndPerms__ApplibConfiguration__Veto.ROLE_NAME // <<< veto framework behaviour
+ , RoleAndPerms__ExtFixtures__Allow.ROLE_NAME
+ , RoleAndPerms__ExtH2Console__Allow.ROLE_NAME
+ , RoleAndPerms__MetaModel_Allow.ROLE_NAME
+ , RoleAndPerms__PersistenceJdo_Allow.ROLE_NAME
+ , SecmanRoleNames.USER
));
}
diff --git a/src/main/java/domainapp/webapp/AppManifest.java b/src/main/java/domainapp/webapp/AppManifest.java
index ad39712..d225e45 100644
--- a/src/main/java/domainapp/webapp/AppManifest.java
+++ b/src/main/java/domainapp/webapp/AppManifest.java
@@ -30,7 +30,7 @@ import org.apache.isis.viewer.wicket.viewer.IsisModuleViewerWicketViewer;
import domainapp.modules.hello.HelloWorldModule;
import domainapp.security.SeedUsersAndRoles;
-import domainapp.security.scripts.SecmanConstants;
+import domainapp.security.isisroles.SecmanRoleNames;
@Configuration
@Import({
@@ -61,8 +61,8 @@ public class AppManifest {
public SecmanConfiguration secmanConfiguration() {
return SecmanConfiguration.builder()
.adminUserName("sven").adminPassword("pass")
- .adminRoleName(SecmanConstants.ADMIN_ROLE_NAME)
- .regularUserRoleName(SecmanConstants.USER_ROLE_NAME)
+ .adminRoleName(SecmanRoleNames.ADMIN)
+ .regularUserRoleName(SecmanRoleNames.USER)
.build();
}