Posted to users@isis.apache.org by Sudipto Majumder <sm...@gmail.com> on 2012/06/08 07:37:17 UTC

LDAP Authentication and DB Authorization

Hi Dan,

After some initial POC success, there is an actual opportunity of using
Isis framework in a rapid development project. We have little time to
ponder on whether we should use Isis or go for some other traditional
framework. The use cases for this project are not very complex and hence we
were thinking of Isis in the first place. But before we can decide, we need
to be sure of the feasibility of a few facts.

And the first thing to look into is the authentication and authorization
part. So far, I have only used and seen file based authentication but in
the framework code I noticed some classes for LDAP authentication. So, my
first question is can we integrate easily with an LDAP for the
authentication part? If yes, is there any documentation available on the
same?
As for authorization, we need to show/hide some service and menu links
based on roles and these roles would be maintained in application database.
So this brings up to my second question, whether that can be achieved or
not. In the password files I noticed some mention of roles but did not
understand much about that.

I would really appreciate it if you can kindly comment on these items.

Thanks,
Sudipto.

Re: LDAP Authentication and DB Authorization

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Hi Sudipto,

It looks like you need to add the sql-os dependencies to your project. 
See [1] - I still need to update the documentation.

Regards,
Kevin


[1] https://issues.apache.org/jira/browse/ISIS-223

On 8 Jun 2012 at 17:16, Sudipto Majumder wrote:

> Okay, I found some info on the website. I was trying to use sql
> authentication since ldap server is not yet available. I used the following
> configuration in isis.properties -
> 
> *isis.authentication=sql
> isis.authentication.sql.jdbc.driver=com.mysql.jdbc.Driver
> isis.authentication.sql.jdbc.connection=jdbc:mysql://localhost:3306/tutorial
> isis.authentication.sql.jdbc.user=***
> isis.authentication.sql.jdbc.password=***
> 
> isis.authentication.sql.userTable=user_authentication
> isis.authentication.sql.userNameField=username
> isis.authentication.sql.passwordField=password
> *
> But getting the following error while deploying -
> 
> *Error in custom provider,
> org.apache.isis.core.commons.factory.InstanceCreationException: Failed to
> load installer; named/class:'sql' (of type
> org.apache.isis.core.runtime.authentication.AuthenticationManagerInstaller)*
> 
> Where am I going wrong? I'm using isis version
> *0.3.0-incubating-SNAPSHOT* and file authentication is working fine for
> me.
> 
> Thanks,
> Sudipto.
> On Fri, Jun 8, 2012 at 11:07 AM, Sudipto Majumder <sm...@gmail.com> wrote:
> 
> > Hi Dan,
> >
> > After some initial POC success, there is an actual opportunity of using
> > Isis framework in a rapid development project. We have little time to
> > ponder on whether we should use Isis or go for some other traditional
> > framework. The use cases for this project are not very complex and hence we
> > were thinking of Isis in the first place. But before we can decide, we need
> > to be sure of the feasibility of a few facts.
> >
> > And the first thing to look into is the authentication and authorization
> > part. So far, I have only used and seen file based authentication but in
> > the framework code I noticed some classes for LDAP authentication. So, my
> > first question is can we integrate easily with an LDAP for the
> > authentication part? If yes, is there any documentation available on the
> > same?
> > As for authorization, we need to show/hide some service and menu links
> > based on roles and these roles would be maintained in application database.
> > So this brings up to my second question, whether that can be achieved or
> > not. In the password files I noticed some mention of roles but did not
> > understand much about that.
> >
> > I would really appreciate it if you can kindly comment on these items.
> >
> > Thanks,
> > Sudipto.


Re: LDAP Authentication and DB Authorization

Posted by Sudipto Majumder <sm...@gmail.com>.
Yes Kevin you are right. Actually I read in one of the manuals that the
white list file is mandatory and the black list file is optional and it
overrides the white list file. So I don't even require the
*authorization_file.disallow* file. Adding the following lines to the
*authorization_file.allow* file served my purpose.

*EmployeeSql#findEmployee():ADMIN|USER
EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String):ADMIN
*

Thanks again for your quick responses. By the way, can I move this
authorization part to the SQL database as well? Some pointers on that would
be great.

On Mon, Jun 11, 2012 at 5:08 PM, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:

> Hi Sudipto,
>
> > However, from Dan's mail I realized that the sql security class was not in
> > classpath. I added the following dependency in my pom and things are
> > working now. I am just mentioning this here so that others can get a quick
> > pointer in the future.
> >
> >             *<dependency>
> >                 <groupId>org.apache.isis.security</groupId>
> >                 <artifactId>sql</artifactId>
> >                 <version>${isis.version}</version>
> >             </dependency>*
>
> Ah, excellent. This should go into the JIRA ticket - and eventually - the
> manual.
>
> > So, authentication is all good at least with database. Coming back to
> > authorization, can you please guide me on that a little.
> >
> > Suppose, there are two actions for a domain class, one create and one
> > search, if I want to show search to all but create to a specific role, how
> > do I accomplish that?
>
> By default, every class or action should appear in either
> allow.properties or disallow.properties. If memory serves, if it is not in
> either, then it is disallowed.
>
> I provided an "allow by default" override[1], but I don't think it is in the
> distributed artifacts, you'll have to fetch and build the sources from
> subversion to get the functionality.
>
> Anyway - the idea is that if you have roles "user" and "administrator",
> you'll need:
> a passwords file that contains:
>  username:userpassword:user
>  adminname:adminpassword:administrator
>
> an allow.properties that contains:
> <fully qualified class>#<search_method>:user|administrator
> <fully qualified class>#<create_method>:administrator
>
> or a disallow.properties that contains:
> <fully qualified class>#<create_method>:user
>
>
> I'm working from help files here, not a running application, so your
> mileage may vary...
>
> Regards,
> Kevin
>
> > I am not too clear about role1, role2, role3 and what if I want to have my
> > own roles. A little help on this will be much appreciated.
> >
>
> [1] https://issues.apache.org/jira/browse/ISIS-218
>
>
>

Re: LDAP Authentication and DB Authorization

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Hi Sudipto,

> However, from Dan's mail I realized that the sql security class was not in
> classpath. I added the following dependency in my pom and things are
> working now. I am just mentioning this here so that others can get a quick
> pointer in the future.
> 
>             *<dependency>
>                 <groupId>org.apache.isis.security</groupId>
>                 <artifactId>sql</artifactId>
>                 <version>${isis.version}</version>
>             </dependency>*

Ah, excellent. This should go into the JIRA ticket - and eventually - the 
manual.

> So, authentication is all good at least with database. Coming back to
> authorization, can you please guide me on that a little.
> 
> Suppose, there are two actions for a domain class, one create and one
> search, if I want to show search to all but create to a specific role, how
> do I accomplish that?

By default, every class or action should appear in either
allow.properties or disallow.properties. If memory serves, if it is not in
either, then it is disallowed.

I provided an "allow by default" override[1], but I don't think it is in the
distributed artifacts, you'll have to fetch and build the sources from
subversion to get the functionality.

Anyway - the idea is that if you have roles "user" and "administrator",
you'll need:
a passwords file that contains:
  username:userpassword:user
  adminname:adminpassword:administrator

an allow.properties that contains:
<fully qualified class>#<search_method>:user|administrator
<fully qualified class>#<create_method>:administrator

or a disallow.properties that contains:
<fully qualified class>#<create_method>:user


I'm working from help files here, not a running application, so your 
mileage may vary...

Regards,
Kevin

> I am not too clear about role1, role2, role3 and what if I want to have my
> own roles. A little help on this will be much appreciated.
> 

[1] https://issues.apache.org/jira/browse/ISIS-218
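
Added example, not part of the original thread and not Isis source code: a stand-alone Java model of the allow/disallow rules as the posters describe them (a disallow entry overrides the allow list, and a member listed in neither file is denied), run against the entries Sudipto quotes. It shows why an action that appears only in the disallow file stays denied to every role once the file authorizor is actually enforced. The class and method names are hypothetical, and treating a user as denied when any of their roles is disallowed is an assumption of this example.

```java
import java.util.*;

/**
 * Added illustration, not Isis source code: models the allow/disallow rules
 * described in this thread. Class and method names here are hypothetical.
 */
public class AllowDisallowModel {

    /** Parses "Class#member(params):ROLE1|ROLE2" lines into member -> roles. */
    static Map<String, Set<String>> parse(List<String> lines) {
        Map<String, Set<String>> rules = new LinkedHashMap<>();
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty()) continue;
            int sep = line.lastIndexOf(':');   // roles follow the last colon
            if (sep <= 0 || sep == line.length() - 1) {
                throw new IllegalArgumentException("Malformed entry: " + raw);
            }
            Set<String> roles = rules.computeIfAbsent(
                    line.substring(0, sep).trim(), k -> new LinkedHashSet<>());
            for (String role : line.substring(sep + 1).split("\\|")) {
                if (!role.trim().isEmpty()) roles.add(role.trim());
            }
        }
        return rules;
    }

    private static boolean matches(Set<String> ruleRoles, Set<String> userRoles) {
        return ruleRoles != null && !Collections.disjoint(ruleRoles, userRoles);
    }

    /**
     * Decision order as described in the thread: a disallow entry overrides
     * the allow list, and a member listed in neither file is denied.
     * Assumption of this example: one disallowed role is enough to deny.
     */
    static boolean isPermitted(String member, Set<String> userRoles,
                               Map<String, Set<String>> allow,
                               Map<String, Set<String>> disallow) {
        if (matches(disallow.get(member), userRoles)) return false;
        return matches(allow.get(member), userRoles);
    }

    /** Audit helper: members named only in the disallow file, so no role reaches them. */
    static Set<String> deniedToEveryone(Map<String, Set<String>> allow,
                                        Map<String, Set<String>> disallow) {
        Set<String> result = new LinkedHashSet<>(disallow.keySet());
        result.removeAll(allow.keySet());
        return result;
    }

    /** Prints the decision for each role/member pair of one configuration. */
    static void report(String title, List<String> allowLines, List<String> disallowLines) {
        Map<String, Set<String>> allow = parse(allowLines);
        Map<String, Set<String>> disallow = parse(disallowLines);
        Set<String> members = new LinkedHashSet<>(allow.keySet());
        members.addAll(disallow.keySet());
        System.out.println(title);
        for (String role : Arrays.asList("ADMIN", "USER")) {
            for (String member : members) {
                boolean ok = isPermitted(member, Collections.singleton(role), allow, disallow);
                System.out.printf("  %-5s %-5s %s%n", role, ok ? "allow" : "deny", member);
            }
        }
        System.out.println("  no allow entry (denied to every role): "
                + deniedToEveryone(allow, disallow));
    }

    public static void main(String[] args) {
        // Member identifiers copied from the entries quoted in the thread.
        String find = "EmployeeSql#findEmployee()";
        String create =
                "EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String)";

        // First attempt from the thread: newEmployee appears only in the disallow file.
        report("First attempt",
                Arrays.asList(find + ":ADMIN|USER"),
                Arrays.asList(create + ":USER"));

        // Working setup from the thread: allow file only, no disallow file.
        report("Working configuration",
                Arrays.asList(find + ":ADMIN|USER", create + ":ADMIN"),
                Collections.<String>emptyList());
    }
}
```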



Re: LDAP Authentication and DB Authorization

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Hi Jeroen,
Had a quick look at Shiro ... yes, seems to fit the bill.  It has an API so
that Isis can call into it, and it has an SPI (realms) to provide the actual
authentication/authorization data from various data sources as need be.

Could you raise an Isis JIRA ticket to track this?

If you want to get a head start on the implementation, you could hack away
in the isis-extras site [1].  There's nothing there as of yet, but it's a
good staging ground for stuff that hasn't gone through the whole ICLA legal
stuff [2].  At any rate, I've added your email as a committer.

Cheers
Dan

[1] http://code.google.com/a/apache-extras.org/p/isis-extras/
[2] http://www.apache.org/licenses/icla.txt

On 16 June 2012 22:51, Jeroen van der Wal <je...@stromboli.it> wrote:

> Would it be feasible to integrate Apache Shiro [1] into Isis? A lot of
> frameworks use it to handle authentication, authorization and session
> management. It supports LDAP, JDBC and ActiveDirectory out-of-the-box
> and from what I've seen it shouldn't be hard to make it use domain
> objects too.
>
> In the project I'm currently working on we have a future desire to
> hook up ActiveDirectory with Isis. I don't expect to be working on
> this in the next 6 months but if more people share this idea we might
> be able to give it some thrust.
>
> Cheers,
>
> Jeroen
>
> [1] http://shiro.apache.org/index.html
>
> On Mon, Jun 11, 2012 at 2:09 PM, Dan Haywood
> <da...@haywood-associates.co.uk> wrote:
> >
> > On 11 June 2012 12:58, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:
> >
> > >
> > > > Thanks Kevin, it is working now. Is there anything on sql based
> > > > authorization?
> > >
> > > Errrmm... good question.
> > >
> > > I think I once toyed with a proto sql authorization that was a more-or-
> > > less direct copy of the file based one, just that it fetched data from a
> > > table.. but I don't recall if I committed it.
> > >
> >
> > There does seem to be a SqlAuthorizationManagerInstaller, however the
> > implementation of SqlAuthorizer appears to be a no-op.
> >
> >
> >
> > >
> > > My issue is that I never had a UI to edit the roles - so all the back-end
> > > stuff (adding roles, methods, etc) had to be managed via another tool
> > > (e.g. phpMyAdmin!).
> > >
> >
> > The big project over in Ireland has the roles/permissions stuff as domain
> > objects, so you get the UI for free ;-) !
> >
> > Basically, the Authorizor implementation would connect directly (via JDBC
> > or equiv) to the underlying tables to which the domain objects are
> > persisted.
> >
> > As a good practice, probably worth defining some SQL views to create a
> > level of decoupling.
> >
> >
> >
> >
> >
> > >
> > > And don't ask about auto-learning!
> > >
> >
> > This would require the Authorizor impl to automatically insert rows into
> > the domain object tables ... not sure if that's a good idea myself, either.
> >
> >
> > I don't think you'll find it particularly difficult to write an
> > implementation... with a following wind you could probably get something
> > workable in an afternoon.
> >
> > Dan
>

Re: LDAP Authentication and DB Authorization

Posted by Jeroen van der Wal <je...@stromboli.it>.
Would it be feasible to integrate Apache Shiro [1] into Isis? A lot of
frameworks use it to handle authentication, authorization and session
management. It supports LDAP, JDBC and ActiveDirectory out-of-the-box
and from what I've seen it shouldn't be hard to make it use domain
objects too.

In the project I'm currently working on we have a future desire to
hook up ActiveDirectory with Isis. I don't expect to be working on
this in the next 6 months but if more people share this idea we might
be able to give it some thrust.

Cheers,

Jeroen

[1] http://shiro.apache.org/index.html

On Mon, Jun 11, 2012 at 2:09 PM, Dan Haywood
<da...@haywood-associates.co.uk> wrote:
>
> On 11 June 2012 12:58, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:
>
> >
> > > Thanks Kevin, it is working now. Is there anything on sql based
> > > authorization?
> >
> > Errrmm... good question.
> >
> > I think I once toyed with a proto sql authorization that was a more-or-
> > less direct copy of the file based one, just that it fetched data from a
> > table.. but I don't recall if I committed it.
> >
>
> There does seem to be a SqlAuthorizationManagerInstaller, however the
> implementation of SqlAuthorizer appears to be a no-op.
>
>
>
> >
> > My issue is that I never had a UI to edit the roles - so all the back-end
> > stuff (adding roles, methods, etc) had to be managed via another tool
> > (e.g. phpMyAdmin!).
> >
>
> The big project over in Ireland has the roles/permissions stuff as domain
> objects, so you get the UI for free ;-) !
>
> Basically, the Authorizor implementation would connect directly (via JDBC
> or equiv) to the underlying tables to which the domain objects are
> persisted.
>
> As a good practice, probably worth defining some SQL views to create a
> level of decoupling.
>
>
>
>
>
> >
> > And don't ask about auto-learning!
> >
>
> This would require the Authorizor impl to automatically insert rows into
> the domain object tables ... not sure if that's a good idea myself, either.
>
>
> I don't think you'll find it particularly difficult to write an
> implementation... with a following wind you could probably get something
> workable in an afternoon.
>
> Dan

Re: LDAP Authentication and DB Authorization

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
On 11 June 2012 12:58, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:

>
> > Thanks Kevin, it is working now. Is there anything on sql based
> > authorization?
>
> Errrmm... good question.
>
> I think I once toyed with a proto sql authorization that was a more-or-
> less direct copy of the file based one, just that it fetched data from a
> table.. but I don't recall if I committed it.
>

There does seem to be a SqlAuthorizationManagerInstaller, however the
implementation of SqlAuthorizer appears to be a no-op.



>
> My issue is that I never had a UI to edit the roles - so all the back-end
> stuff (adding roles, methods, etc) had to be managed via another tool
> (e.g. phpMyAdmin!).
>

The big project over in Ireland has the roles/permissions stuff as domain
objects, so you get the UI for free ;-) !

Basically, the Authorizor implementation would connect directly (via JDBC
or equiv) to the underlying tables to which the domain objects are
persisted.

As a good practice, probably worth defining some SQL views to create a
level of decoupling.





>
> And don't ask about auto-learning!
>

This would require the Authorizor impl to automatically insert rows into
the domain object tables ... not sure if that's a good idea myself, either.


I don't think you'll find it particularly difficult to write an
implementation... with a following wind you could probably get something
workable in an afternoon.

Dan

Re: LDAP Authentication and DB Authorization

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
> Thanks Kevin, it is working now. Is there anything on sql based
> authorization?

Errrmm... good question.

I think I once toyed with a proto sql authorization that was a more-or-
less direct copy of the file based one, just that it fetched data from a 
table.. but I don't recall if I committed it.

My issue is that I never had a UI to edit the roles - so all the back-end 
stuff (adding roles, methods, etc) had to be managed via another tool 
(e.g. phpMyAdmin!).

And don't ask about auto-learning!

As I say, in my deployed application, I use my own SQL login
authenticator (sqlLogin) and authorization service.

The login authenticator overrides 
PasswordRequestAuthenticatorAbstract and fetches the roles from the 
SQL table.


The authorizor e.g. sqlAuthorizor with methods "hasAdminRole()" uses 
the internal method "hasRole()" to check if the current logged in user 
has the desired role (determined by my own AdminState enum):

    protected boolean hasRole(AdminState adminState) {
        UserMemento user = getContainer().getUser();
        String role = adminState.toString();
        return user.hasRole(role);
    }

Then, in my domain services, I have, e.g. for domain factory method 
"newMember", 

    public boolean hideNewMember() {
        return hasRole(AdminState.SECRETARY);
    }

This is not the technique advised in the Isis manuals, which advocate
that authorization is outside the scope of the domain, but it works for
me.

Of course, it does mean that I have dozens of "hide" and "disable"
methods instead of entries in the alternative "allow" or "disallow"
files/tables, but it gives me fine-grained runtime control over visibility
and access.

Regards,
Kevin


Re: LDAP Authentication and DB Authorization

Posted by Sudipto Majumder <sm...@gmail.com>.
Thanks Kevin, it is working now. Is there anything on sql based
authorization?

On Mon, Jun 11, 2012 at 4:01 PM, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:

> Hi Sudipto,
>
> There is a decorator that needs to be installed via the isis.properties
> file.
>
>
> isis.reflector.facets.include=org.apache.isis.runtimes.dflt.runtime.authorization.AuthorizationFacetFactoryForDfltRuntime
>
> See [1] - but there may still be some issues - I used the file authorizor
> a long time ago for a demo (when it worked), but I now use my own
> authentication service that is called by the visible* and disabled*
> methods of any actions whose state or visibility I need to control.
>
> Regards,
> Kevin
>
>
> [1] https://issues.apache.org/jira/browse/ISIS-211
>
> On 11 Jun 2012 at 14:53, Sudipto Majumder wrote:
>
> > Well, I got hold of an isis-security pdf and following that this is what I
> > did. But still I could not achieve what I want with authorization. Please
> > comment if I am going in the right direction.
> >
> > I have a service class *EmployeeSql* with two actions *newEmployee(String
> > name, String designation, String department)* and *findEmployee()*.
> > I want two roles namely *ADMIN* and *USER* so that only ADMIN can see the
> > menu "New Employee".
> > As I have mentioned in my earlier mail that I am now able to use SQL
> > authentication, I added a column called *roles* in that SQL table and added
> > this property in *isis.properties* file.
> > *isis.authentication.sql.roleField=roles*
> >
> > Now I am still using file authorization.
> > *isis.authorization=file*
> >
> > In authorization_file.properties I have added the following.
> > *isis.authorization.file.whitelist=authorization_file.allow
> > isis.authorization.file.blacklist=authorization_file.disallow*
> >
> > In authorization_file.allow file I have added
> > *EmployeeSql#findEmployee():ADMIN|USER*
> >
> > And in authorization_file.disallow file I have added
> > *EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String):USER*
> >
> > But when I log in with either of the users with ADMIN and USER role, I am
> > able to see both the menu links. Can you please suggest where I am going
> > wrong.
> >
> > Thanks,
> > Sudipto.
> > On Mon, Jun 11, 2012 at 11:22 AM, Sudipto Majumder
> > <sm...@gmail.com> wrote:
> >
> > > Kevin, I am not too sure that I could fully follow you on this. I was
> > > already using *isis.persistor=sql* and had the following sql dependencies
> > > in my pom.
> > > *        <dependency>
> > >             <groupId>org.apache.isis.runtimes.dflt.objectstores</groupId>
> > >             <artifactId>sql-impl</artifactId>
> > >             <version>${isis.version}</version>
> > >         </dependency>
> > >
> > >         <dependency>
> > >             <groupId>mysql</groupId>
> > >             <artifactId>mysql-connector-java</artifactId>
> > >             <version>5.1.6</version>
> > >         </dependency>*
> > >
> > > But with that things were not working. Did you mean this as sql-os? Sorry
> > > if I got you all wrong.
> > >
> > > However, from Dan's mail I realized that the sql security class was not in
> > > classpath. I added the following dependency in my pom and things are
> > > working now. I am just mentioning this here so that others can get a quick
> > > pointer in the future.
> > >
> > >             *<dependency>
> > >                 <groupId>org.apache.isis.security</groupId>
> > >                 <artifactId>sql</artifactId>
> > >                 <version>${isis.version}</version>
> > >             </dependency>*
> > >
> > > So, authentication is all good at least with database. Coming back to
> > > authorization, can you please guide me on that a little.
> > >
> > > Suppose, there are two actions for a domain class, one create and one
> > > search, if I want to show search to all but create to a specific role, how
> > > do I accomplish that?
> > >
> > > I am not too clear about role1, role2, role3 and what if I want to have my
> > > own roles. A little help on this will be much appreciated.
> > >
> > > Thanks,
> > > Sudipto.
> > >
> > > However, from Dan's response I had the idea t
> > >
> > > On Fri, Jun 8, 2012 at 9:43 PM, Dan Haywood <dan@haywood-associates.co.uk> wrote:
> > >
> > >> Just to add to Kevin's reply...
> > >>
> > >> The way that Isis loads components is using the InstallerLookupDefault
> > >> class.  When it reads the following:
> > >>
> > >> isis.authentication=sql
> > >>
> > >> then this is ultimately read by
> > >> InstallerLookupDefault#authenticationManagerInstaller() method.
> > >>
> > >> If you trace it through you'll see that the method reads the key value
> > >> "sql" and looks for a component that implements
> > >> AuthenticationManagerInstaller interface.
> > >>
> > >> The available components are listed in the installer-registry.properties
> > >> file, that lives in oai.runtimes.dflt:runtime module, in the
> > >> oai.runtimes.dflt.runtime package (src/main/resources).
> > >>
> > >> One of the components listed there is
> > >> org.apache.isis.security.sql.authentication.SqlAuthenticationManagerInstaller;
> > >> if present on the classpath then this will indicate that its name is
> > >> "sql", and thus be loaded by InstallerLookupDefault.
> > >>
> > >> If the component is not on the classpath, then the entry in the
> > >> installer-registry.properties file is ignored.
> > >>
> > >> One day we might chuck all this out and just use CDI, but for now it works
> > >> and is reasonably straight-forward.
> > >>
> > >> NB: none of the above alters Kevin's advice: you just need to make sure
> > >> that the sql-os modules are on your classpath by adding them into your
> > >> pom.
> > >>
> > >> HTH,
> > >> Dan
> > >> ~~~~~~~
> > >>
> > >> On 8 June 2012 12:46, Sudipto Majumder <sm...@gmail.com> wrote:
> > >>
> > >> > Okay, I found some info on the website. I was trying to use sql
> > >> > authentication since ldap server is not yet available. I used the following
> > >> > configuration in isis.properties -
> > >> >
> > >> > *isis.authentication=sql
> > >> > isis.authentication.sql.jdbc.driver=com.mysql.jdbc.Driver
> > >> > isis.authentication.sql.jdbc.connection=jdbc:mysql://localhost:3306/tutorial
> > >> > isis.authentication.sql.jdbc.user=***
> > >> > isis.authentication.sql.jdbc.password=***
> > >> >
> > >> > isis.authentication.sql.userTable=user_authentication
> > >> > isis.authentication.sql.userNameField=username
> > >> > isis.authentication.sql.passwordField=password
> > >> > *
> > >> > But getting the following error while deploying -
> > >> >
> > >> > *Error in custom provider,
> > >> > org.apache.isis.core.commons.factory.InstanceCreationException: Failed to
> > >> > load installer; named/class:'sql' (of type
> > >> > org.apache.isis.core.runtime.authentication.AuthenticationManagerInstaller)*
> > >> >
> > >> > Where am I going wrong? I'm using isis version
> > >> > *0.3.0-incubating-SNAPSHOT* and file authentication is working fine for
> > >> > me.
> > >> >
> > >> > Thanks,
> > >> > Sudipto.
> > >> > On Fri, Jun 8, 2012 at 11:07 AM, Sudipto Majumder <smajumder82@gmail.com> wrote:
> > >> > > Hi Dan,
> > >> > >
> > >> > > After some initial POC success, there is an actual opportunity of using
> > >> > > Isis framework in a rapid development project. We have little time to
> > >> > > ponder on whether we should use Isis or go for some other traditional
> > >> > > framework. The use cases for this project are not very complex and hence we
> > >> > > were thinking of Isis in the first place. But before we can decide, we need
> > >> > > to be sure of the feasibility of a few facts.
> > >> > >
> > >> > > And the first thing to look into is the authentication and authorization
> > >> > > part. So far, I have only used and seen file based authentication but in
> > >> > > the framework code I noticed some classes for LDAP authentication. So, my
> > >> > > first question is can we integrate easily with an LDAP for the
> > >> > > authentication part? If yes, is there any documentation available on the
> > >> > > same?
> > >> > > As for authorization, we need to show/hide some service and menu links
> > >> > > based on roles and these roles would be maintained in application database.
> > >> > > So this brings up to my second question, whether that can be achieved or
> > >> > > not. In the password files I noticed some mention of roles but did not
> > >> > > understand much about that.
> > >> > >
> > >> > > I would really appreciate it if you can kindly comment on these items.
> > >> > >
> > >> > > Thanks,
> > >> > > Sudipto.
> > >> > >
> > >> >
> > >>
> > >
> > >
> >
>
>
> --
> Kevin Meyer, PhD, Pr.Sci.Nat
> KMZ             P.O. Box 9822, Sharon Park, South Africa.
> Tel: +27 11 363 2001    Cell: +27 83 346 3045
>
>
>

Re: LDAP Authentication and DB Authorization

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Hi Sudipto,

There is a decorator that needs to be installed via the isis.properties 
file. 

isis.reflector.facets.include=org.apache.isis.runtimes.dflt.runtime.authorization.AuthorizationFacetFactoryForDfltRuntime 

See [1] - but there may still be some issues - I used the file authorizor 
a long time ago for a demo (when it worked), but I now use my own 
authentication service that is called by the visible* and disabled* 
methods of any actions whose state or visibility I need to control.

Regards,
Kevin


[1] https://issues.apache.org/jira/browse/ISIS-211

On 11 Jun 2012 at 14:53, Sudipto Majumder wrote:

> Well, I got hold of an isis-security pdf and following that this is what I
> did. But still I could not achieve what I want with authorization. Please
> comment if I am going in the right direction.
> 
> I have a service class *EmployeeSql* with two actions *newEmployee(String
> name, String designation, String department)* and *findEmployee()*.
> I want two roles namely *ADMIN* and *USER* so that only ADMIN can see the
> menu "New Employee".
> As I have mentioned in my earlier mail that I am now able to use SQL
> authentication, I added a column called *roles* in that SQL table and added
> this property in *isis.properties* file.
> *isis.authentication.sql.roleField=roles*
> 
> Now I am still using file authorization.
> *isis.authorization=file*
> 
> In authorization_file.properties I have added the following.
> *isis.authorization.file.whitelist=authorization_file.allow
> isis.authorization.file.blacklist=authorization_file.disallow*
> 
> In authorization_file.allow file I have added
> *EmployeeSql#findEmployee():ADMIN|USER*
> 
> And in authorization_file.disallow file I have added
> *EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String):USER*
> 
> But when I log in with either of the users with ADMIN and USER role, I am
> able to see both the menu links. Can you please suggest where I am going
> wrong.
> 
> Thanks,
> Sudipto.
> On Mon, Jun 11, 2012 at 11:22 AM, Sudipto Majumder
> <sm...@gmail.com> wrote:
> 
> > Kevin, I am not too sure that I could fully follow you on this. I was
> > already using *isis.persistor=sql* and had the following sql dependencies
> > in my pom.
> > *        <dependency>
> >             <groupId>org.apache.isis.runtimes.dflt.objectstores</groupId>
> >             <artifactId>sql-impl</artifactId>
> >             <version>${isis.version}</version>
> >         </dependency>
> >
> >         <dependency>
> >             <groupId>mysql</groupId>
> >             <artifactId>mysql-connector-java</artifactId>
> >             <version>5.1.6</version>
> >         </dependency>*
> >
> > But with that things were not working. Did you mean this as sql-os? Sorry
> > if I got you all wrong.
> >
> > However, from Dan's mail I realized that the sql security class was not in
> > classpath. I added the following dependency in my pom and things are
> > working now. I am just mentioning this here so that others can get a quick
> > pointer in the future.
> >
> >             *<dependency>
> >                 <groupId>org.apache.isis.security</groupId>
> >                 <artifactId>sql</artifactId>
> >                 <version>${isis.version}</version>
> >             </dependency>*
> >
> > So, authentication is all good at least with database. Coming back to
> > authorization, can you please guide me on that a little.
> >
> > Suppose, there are two actions for a domain class, one create and one
> > search, if I want to show search to all but create to a specific role, how
> > do I accomplish that?
> >
> > I am not too clear about role1, role2, role3 and what if I want to have my
> > own roles. A little help on this will be much appreciated.
> >
> > Thanks,
> > Sudipto.
> >
> > However, from Dan's response I had the idea t
> >
> > On Fri, Jun 8, 2012 at 9:43 PM, Dan Haywood <da...@haywood-associates.co.uk> wrote:
> >
> >> Just to add to Kevin's reply...
> >>
> >> The way that Isis loads components is using the InstallerLookupDefault
> >> class.  When it reads the following:
> >>
> >> isis.authentication=sql
> >>
> >> then this is ultimately read by
> >> InstallerLookupDefault#authenticationManagerInstaller() method.
> >>
> >> If you trace it through you'll see that the method reads the key value
> >> "sql" and looks for a component that implements
> >> AuthenticationManagerInstaller interface.
> >>
> >> The available components are listed in the installer-registry.properties
> >> file, that lives in oai.runtimes.dflt:runtime module, in the
> >> oai.runtimes.dflt.runtime package (src/main/resources).
> >>
> >> One of the components listed there is
> >> org.apache.isis.security.sql.authentication.SqlAuthenticationManagerInstaller;
> >> if present on the classpath then this will indicate that its name is
> >> "sql", and thus be loaded by InstallerLookupDefault.
> >>
> >> If the component is not on the classpath, then the entry in the
> >> installer-registry.properties file is ignored.
> >>
> >> One day we might chuck all this out and just use CDI, but for now it works
> >> and is reasonably straight-forward.
> >>
> >> NB: none of the above alters Kevin's advice: you just need to make sure
> >> that the sql-os modules are on your classpath by adding them into your
> >> pom.
> >>
> >> HTH,
> >> Dan
> >> ~~~~~~~
> >>
> >> On 8 June 2012 12:46, Sudipto Majumder <sm...@gmail.com> wrote:
> >>
> >> > Okay, I found some info on the website. I was trying to use sql
> >> > authentication since ldap server is not yet available. I used the
> >> following
> >> > configuration in isis.properties -
> >> >
> >> > *isis.authentication=sql
> >> > isis.authentication.sql.jdbc.driver=com.mysql.jdbc.Driver
> >> >
> >> >
> >> isis.authentication.sql.jdbc.connection=jdbc:mysql://localhost:3306/tutorial
> >> > isis.authentication.sql.jdbc.user=***
> >> > isis.authentication.sql.jdbc.password=***
> >> >
> >> > isis.authentication.sql.userTable=user_authentication
> >> > isis.authentication.sql.userNameField=username
> >> > isis.authentication.sql.passwordField=password
> >> > *
> >> > But getting the following error while deploying -
> >> >
> >> > *Error in custom provider,
> >> > org.apache.isis.core.commons.factory.InstanceCreationException: Failed
> >> to
> >> > load installer; named/class:'sql' (of type
> >> >
> >> >
> >> org.apache.isis.core.runtime.authentication.AuthenticationManagerInstaller)*
> >> >
> >> > Where I am going wrong? I'm using isis version
> >> > *0.3.0-incubating-SNAPSHOT*and file authentication is working fine for
> >> > me.
> >> >
> >> > Thanks,
> >> > Sudipto.
> >> > On Fri, Jun 8, 2012 at 11:07 AM, Sudipto Majumder <
> >> smajumder82@gmail.com
> >> > >wrote:
> >> >
> >> > > Hi Dan,
> >> > >
> >> > > After some initial POC success, there is an actual opportunity of
> >> using
> >> > > Isis framework in a rapid development project. We have little time to
> >> > > ponder on whether we should use Isis or go for some other traditional
> >> > > framework. The use cases for this project is not very complex and
> >> hence
> >> > we
> >> > > were thinking of Isis in the first place. But before we can decide, we
> >> > need
> >> > > to be sure of the feasibility of a few facts.
> >> > >
> >> > > And the first thing to look into is the authentication and
> >> authorization
> >> > > part. So, far I have only used and seen file based authentication but
> >> in
> >> > > the framework code I noticed some classes for LDAP authentication.
> >> So, my
> >> > > first question is can we integrate easily with an LDAP for the
> >> > > authentication part? If yes, is there any documentation available on
> >> the
> >> > > same?
> >> > > As for authorization, we need to show/hide some service and menu links
> >> > > based on roles and these roles would be maintained in application
> >> > database.
> >> > > So this brings up to my second question, whether that can be achieved
> >> or
> >> > > not. In the password files I noticed some mention of roles but did not
> >> > > understand much about that.
> >> > >
> >> > > I would really appreciate if you can kindly comment on these items.
> >> > >
> >> > > Thanks,
> >> > > Sudipto.
> >> > >
> >> >
> >>
> >
> >
> 


--
Kevin Meyer, PhD, Pr.Sci.Nat
KMZ		P.O. Box 9822, Sharon Park, South Africa.
Tel: +27 11 363 2001	Cell: +27 83 346 3045



Re: LDAP Authentication and DB Authorization

Posted by Sudipto Majumder <sm...@gmail.com>.
Well, I got hold of an isis-security pdf and following that this is what I
did. But still I could not achieve what I want with authorization. Please
comment if I am going in the right direction.

I have a service class *EmployeeSql* with two actions *newEmployee(String
name, String designation, String department)* and *findEmployee()*.
I want two roles namely *ADMIN* and *USER* so that only ADMIN can see the
menu "New Employee".
As I have mentioned in my earlier mail that I am now able to use SQL
authentication, I added a column called *roles* in that SQL table and added
this property in *isis.properties* file.
*isis.authentication.sql.roleField=roles*

Now I am still using file authorization.
*isis.authorization=file*

In authorization_file.properties I have added the following.
*isis.authorization.file.whitelist=authorization_file.allow
isis.authorization.file.blacklist=authorization_file.disallow*

In authorization_file.allow file I have added
*EmployeeSql#findEmployee():ADMIN|USER*

And in authorization_file.disallow file I have added
*EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String):USER*

But when I login with either of the users with ADMIN and USER role, I am
able to see both the menu links. Can you please suggest where I am going
wrong.

Thanks,
Sudipto.
On Mon, Jun 11, 2012 at 11:22 AM, Sudipto Majumder <sm...@gmail.com> wrote:

> Kevin, I am not too sure that I could fully follow you on this. I was
> already using *isis.persistor=sql* and had the following sql dependencies
> in my pom.
> *        <dependency>
>             <groupId>org.apache.isis.runtimes.dflt.objectstores</groupId>
>             <artifactId>sql-impl</artifactId>
>             <version>${isis.version}</version>
>         </dependency>
>
>         <dependency>
>             <groupId>mysql</groupId>
>             <artifactId>mysql-connector-java</artifactId>
>             <version>5.1.6</version>
>         </dependency>*
>
> But with that things were not working. Did you mean this as sql-os? Sorry
> if I got you all wrong.
>
> However, from Dan's mail I realized that the sql security class was not in
> classpath. I added the following dependency in my pom and things are
> working now. I am just mentioning this here so that others can get a quick
> pointer in the future.
>
>             *<dependency>
>                 <groupId>org.apache.isis.security</groupId>
>                 <artifactId>sql</artifactId>
>                 <version>${isis.version}</version>
>             </dependency>*
>
> So, authentication is all good at least with database. Coming back to
> authorization, can you please guide me on that a little.
>
> Suppose, there are two actions for a domain class, one create and one
> search, if I want to show search to all but create to a specific role, how
> do I accomplish that?
>
> I am not too clear about role1, role2, role3 and what if I want to have my
> own roles. A little help on this will be much appreciated.
>
> Thanks,
> Sudipto.
>
> However, from Dan's response I had the idea t
>

Re: LDAP Authentication and DB Authorization

Posted by Sudipto Majumder <sm...@gmail.com>.
Kevin, I am not too sure that I could fully follow you on this. I was
already using *isis.persistor=sql* and had the following sql dependencies
in my pom.
*        <dependency>
            <groupId>org.apache.isis.runtimes.dflt.objectstores</groupId>
            <artifactId>sql-impl</artifactId>
            <version>${isis.version}</version>
        </dependency>

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.6</version>
        </dependency>*

But with that things were not working. Did you mean this as sql-os? Sorry
if I got you all wrong.

However, from Dan's mail I realized that the sql security class was not in
classpath. I added the following dependency in my pom and things are
working now. I am just mentioning this here so that others can get a quick
pointer in the future.

            *<dependency>
                <groupId>org.apache.isis.security</groupId>
                <artifactId>sql</artifactId>
                <version>${isis.version}</version>
            </dependency>*

So, authentication is all good at least with database. Coming back to
authorization, can you please guide me on that a little.

Suppose, there are two actions for a domain class, one create and one
search, if I want to show search to all but create to a specific role, how
do I accomplish that?

I am not too clear about role1, role2, role3 and what if I want to have my
own roles. A little help on this will be much appreciated.

Thanks,
Sudipto.

However, from Dan's response I had the idea t
On Fri, Jun 8, 2012 at 9:43 PM, Dan Haywood <da...@haywood-associates.co.uk> wrote:

> Just to add to Kevin's reply...
>
> The way that Isis loads components is using the InstallerLookupDefault
> class.  When it reads the following:
>
> isis.authentication=sql
>
> then this is ultimately read by
> InstallerLookupDefault#authenticationManagerInstaller() method.
>
> If you trace it through you'll see that the method reads the key value
> "sql" and looks for a component that implements
> AuthenticationManagerInstaller interface.
>
> The available components are listed in the installer-registry.properties
> file, that lives in oai.runtimes.dflt:runtime module, in the
> oai.runtimes.dflt.runtime package (src/main/resources).
>
> One of the components listed there
> is
> org.apache.isis.security.sql.authentication.SqlAuthenticationManagerInstaller;
> if present on the classpath then this will indicate that its name is "sql",
> and thus be loaded by InstallerLookupDefault.
>
> If the component is not on the classpath, then the entry in the
> installer-registry.properties file is ignored.
>
> One day we might chuck all this out and just use CDI, but for now it works
> and is reasonably straight-forward.
>
> NB: none of the above alters Kevin's advice: you just need to make sure
> that the sql-os modules are on your classpath by adding them into your pom.
>
> HTH,
> Dan
> ~~~~~~~
>

Re: LDAP Authentication and DB Authorization

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Just to add to Kevin's reply...

The way that Isis loads components is using the InstallerLookupDefault
class.  When it reads the following:

isis.authentication=sql

then this is ultimately read by
InstallerLookupDefault#authenticationManagerInstaller() method.

If you trace it through you'll see that the method reads the key value
"sql" and looks for a component that implements
AuthenticationManagerInstaller interface.

The available components are listed in the installer-registry.properties
file, that lives in oai.runtimes.dflt:runtime module, in the
oai.runtimes.dflt.runtime package (src/main/resources).

One of the components listed there
is org.apache.isis.security.sql.authentication.SqlAuthenticationManagerInstaller;
if present on the classpath then this will indicate that its name is "sql",
and thus be loaded by InstallerLookupDefault.

If the component is not on the classpath, then the entry in the
installer-registry.properties file is ignored.

One day we might chuck all this out and just use CDI, but for now it works
and is reasonably straight-forward.

NB: none of the above alters Kevin's advice: you just need to make sure
that the sql-os modules are on your classpath by adding them into your pom.

HTH,
Dan
~~~~~~~

On 8 June 2012 12:46, Sudipto Majumder <sm...@gmail.com> wrote:

> Okay, I found some info on the website. I was trying to use sql
> authentication since ldap server is not yet available. I used the following
> configuration in isis.properties -
>
> *isis.authentication=sql
> isis.authentication.sql.jdbc.driver=com.mysql.jdbc.Driver
> isis.authentication.sql.jdbc.connection=jdbc:mysql://localhost:3306/tutorial
> isis.authentication.sql.jdbc.user=***
> isis.authentication.sql.jdbc.password=***
>
> isis.authentication.sql.userTable=user_authentication
> isis.authentication.sql.userNameField=username
> isis.authentication.sql.passwordField=password
> *
> But getting the following error while deploying -
>
> *Error in custom provider,
> org.apache.isis.core.commons.factory.InstanceCreationException: Failed to
> load installer; named/class:'sql' (of type
> org.apache.isis.core.runtime.authentication.AuthenticationManagerInstaller)*
>
> Where I am going wrong? I'm using isis version
> *0.3.0-incubating-SNAPSHOT* and file authentication is working fine for
> me.
>
> Thanks,
> Sudipto.
>
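
Added example, not part of the original thread and not the Isis source: a simplified Java model of the registry-driven lookup described in the message above, showing why a configured key such as "sql" cannot be resolved when its installer class is missing from the classpath. The class names, the in-memory registry list and the wording of the exception are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of a registry-driven component lookup.
// All names are hypothetical; this is not the Isis implementation.
public class InstallerLookupSketch {

    /** Stand-in for an installer interface such as AuthenticationManagerInstaller. */
    public interface Installer {
        String getName(); // short key used in configuration, e.g. "file" or "sql"
    }

    /** An installer whose class IS on the classpath (compiled into this file). */
    public static class FileInstaller implements Installer {
        public String getName() { return "file"; }
    }

    // Constructed stand-in for a registry file: one class name per entry.
    // The second entry names a class that is deliberately absent from the
    // classpath, mirroring a security module missing from the pom.
    static final List<String> REGISTRY = Arrays.asList(
            FileInstaller.class.getName(),
            "example.missing.SqlInstaller");

    /** Resolve a configured key, ignoring registry entries that cannot be loaded. */
    static Installer lookup(String key) {
        for (String className : REGISTRY) {
            final Class<?> cls;
            try {
                cls = Class.forName(className);
            } catch (ClassNotFoundException e) {
                continue; // not on the classpath: the registry entry is ignored
            }
            if (!Installer.class.isAssignableFrom(cls)) {
                continue; // registered, but not the component type being looked up
            }
            try {
                Installer candidate =
                        (Installer) cls.getDeclaredConstructor().newInstance();
                if (key.equals(candidate.getName())) {
                    return candidate; // the component itself reports its name
                }
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("Cannot instantiate " + className, e);
            }
        }
        // Every loadable entry was tried and none answered to this key, so the
        // lookup fails instead of falling back to some other authenticator.
        throw new IllegalStateException(
                "Failed to load installer; named/class:'" + key + "'");
    }

    public static void main(String[] args) {
        System.out.println("file -> " + lookup("file").getClass().getName());
        try {
            lookup("sql");
        } catch (IllegalStateException e) {
            System.out.println("sql  -> " + e.getMessage());
        }
    }
}
```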

Re: LDAP Authentication and DB Authorization

Posted by Sudipto Majumder <sm...@gmail.com>.
Okay, I found some info on the website. I was trying to use sql
authentication since ldap server is not yet available. I used the following
configuration in isis.properties -

*isis.authentication=sql
isis.authentication.sql.jdbc.driver=com.mysql.jdbc.Driver
isis.authentication.sql.jdbc.connection=jdbc:mysql://localhost:3306/tutorial
isis.authentication.sql.jdbc.user=***
isis.authentication.sql.jdbc.password=***

isis.authentication.sql.userTable=user_authentication
isis.authentication.sql.userNameField=username
isis.authentication.sql.passwordField=password
*
But getting the following error while deploying -

*Error in custom provider,
org.apache.isis.core.commons.factory.InstanceCreationException: Failed to
load installer; named/class:'sql' (of type
org.apache.isis.core.runtime.authentication.AuthenticationManagerInstaller)*

Where I am going wrong? I'm using isis version
*0.3.0-incubating-SNAPSHOT* and file authentication is working fine for
me.

Thanks,
Sudipto.
On Fri, Jun 8, 2012 at 11:07 AM, Sudipto Majumder <sm...@gmail.com> wrote:

> Hi Dan,
>
> After some initial POC success, there is an actual opportunity of using
> Isis framework in a rapid development project. We have little time to
> ponder on whether we should use Isis or go for some other traditional
> framework. The use cases for this project is not very complex and hence we
> were thinking of Isis in the first place. But before we can decide, we need
> to be sure of the feasibility of a few facts.
>
> And the first thing to look into is the authentication and authorization
> part. So, far I have only used and seen file based authentication but in
> the framework code I noticed some classes for LDAP authentication. So, my
> first question is can we integrate easily with an LDAP for the
> authentication part? If yes, is there any documentation available on the
> same?
> As for authorization, we need to show/hide some service and menu links
> based on roles and these roles would be maintained in application database.
> So this brings up to my second question, whether that can be achieved or
> not. In the password files I noticed some mention of roles but did not
> understand much about that.
>
> I would really appreciate if you can kindly comment on these items.
>
> Thanks,
> Sudipto.
>