Posted to commits@isis.apache.org by da...@apache.org on 2021/05/30 19:47:44 UTC

[isis] branch ISIS-2699 updated (2329561 -> b5facd3)

This is an automated email from the ASF dual-hosted git repository.

danhaywood pushed a change to branch ISIS-2699
in repository https://gitbox.apache.org/repos/asf/isis.git.


    from 2329561  ISIS-2699: deprecates SecmanConfiguration in favour of config properties
     new 0abc75f  ISIS-2699: adds config props for PermissionsEvaluationService also
     new b5facd3  ISIS-2699: updates docs for secman

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../apache/isis/core/config/IsisConfiguration.java |  18 +++-
 .../adoc/modules/secman/pages/setting-up.adoc      | 109 +++++++++------------
 .../secman/applib/IsisModuleExtSecmanApplib.java   |  12 ++-
 .../secman/applib/SecmanAutoConfiguration.java     |  48 ++++-----
 .../secman/applib/SecmanConfiguration.java         |  14 +--
 ...PermissionsEvaluationServiceAllowBeatsVeto.java |   3 +
 ...PermissionsEvaluationServiceVetoBeatsAllow.java |   3 +
 7 files changed, 109 insertions(+), 98 deletions(-)

[isis] 01/02: ISIS-2699: adds config props for PermissionsEvaluationService also

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

danhaywood pushed a commit to branch ISIS-2699
in repository https://gitbox.apache.org/repos/asf/isis.git

commit 0abc75f089e15dbbca6bf41da16af55c17c80562
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Sun May 30 20:32:53 2021 +0100

    ISIS-2699: adds config props for PermissionsEvaluationService also
---
 .../apache/isis/core/config/IsisConfiguration.java | 14 +++++++
 .../secman/applib/IsisModuleExtSecmanApplib.java   | 12 +++++-
 .../secman/applib/SecmanAutoConfiguration.java     | 48 +++++++++-------------
 .../secman/applib/SecmanConfiguration.java         | 14 +++----
 ...PermissionsEvaluationServiceAllowBeatsVeto.java |  3 ++
 ...PermissionsEvaluationServiceVetoBeatsAllow.java |  3 ++
 6 files changed, 58 insertions(+), 36 deletions(-)

diff --git a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
index f790afd..7b7f29a 100644
--- a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
+++ b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
@@ -3182,6 +3182,20 @@ public class IsisConfiguration {
 
             }
 
+            public enum PermissionsEvaluationPolicy {
+                ALLOW_BEATS_VETO,
+                VETO_BEATS_ALLOW
+            }
+
+            /**
+             * If there are conflicting (allow vs veto) permissions at the same scope, then this policy determines
+             * whether to prefer to allow the permission or to veto it.
+             *
+             * <p>
+             *     This is only used if a {@link org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationService} has not been declared explicitly.
+             * </p>
+             */
+            private PermissionsEvaluationPolicy permissionsEvaluationPolicy = PermissionsEvaluationPolicy.ALLOW_BEATS_VETO;
 
             private final UserRegistration userRegistration = new UserRegistration();
             @Data
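Review bot: The new `permissionsEvaluationPolicy` field defaults to `ALLOW_BEATS_VETO`, which by the Javadoc above is the permissive resolution for conflicting permissions, and neither the enum nor the field Javadoc states that default or its consequence. An operator reading the generated configuration reference cannot tell that the conservative, deny-wins behaviour requires an explicit `VETO_BEATS_ALLOW`. Suggest adding to the field Javadoc: `Defaults to {@link PermissionsEvaluationPolicy#ALLOW_BEATS_VETO}, i.e. an allow wins over a veto at the same scope; set {@link PermissionsEvaluationPolicy#VETO_BEATS_ALLOW} for the more conservative deny-wins behaviour.` The enclosing configuration class starts and ends outside this hunk.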
diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/IsisModuleExtSecmanApplib.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/IsisModuleExtSecmanApplib.java
index c0db454..542ebd9 100644
--- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/IsisModuleExtSecmanApplib.java
+++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/IsisModuleExtSecmanApplib.java
@@ -18,10 +18,15 @@
  */
 package org.apache.isis.extensions.secman.applib;
 
+import org.springframework.boot.autoconfigure.AutoConfigureOrder;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 
+import org.apache.isis.applib.annotation.OrderPrecedence;
+import org.apache.isis.core.config.IsisConfiguration;
 import org.apache.isis.extensions.secman.applib.feature.api.ApplicationFeatureChoices;
 import org.apache.isis.extensions.secman.applib.feature.contributions.ApplicationFeatureViewModel_permissions;
 import org.apache.isis.extensions.secman.applib.permission.app.ApplicationOrphanedPermissionManager;
@@ -34,6 +39,9 @@ import org.apache.isis.extensions.secman.applib.permission.dom.mixins.Applicatio
 import org.apache.isis.extensions.secman.applib.permission.dom.mixins.ApplicationPermission_veto;
 import org.apache.isis.extensions.secman.applib.permission.dom.mixins.ApplicationPermission_viewing;
 import org.apache.isis.extensions.secman.applib.permission.menu.ApplicationPermissionMenu;
+import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationService;
+import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationServiceAllowBeatsVeto;
+import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationServiceVetoBeatsAllow;
 import org.apache.isis.extensions.secman.applib.role.dom.mixins.ApplicationRole_addPermission;
 import org.apache.isis.extensions.secman.applib.role.dom.mixins.ApplicationRole_addUser;
 import org.apache.isis.extensions.secman.applib.role.dom.mixins.ApplicationRole_delete;
@@ -77,6 +85,8 @@ import org.apache.isis.extensions.secman.applib.user.dom.mixins.perms.UserPermis
 import org.apache.isis.extensions.secman.applib.user.menu.ApplicationUserMenu;
 import org.apache.isis.extensions.secman.applib.user.menu.MeService;
 
+import lombok.val;
+
 /**
  * @since 2.0 {@index}
  */
@@ -167,7 +177,6 @@ import org.apache.isis.extensions.secman.applib.user.menu.MeService;
 //        SecmanAutoConfiguration.class,
 
 })
-//@EnableAutoConfiguration()
 public class IsisModuleExtSecmanApplib {
 
     public static final String NAMESPACE = "isis.ext.secman";
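Review bot: With `SecmanAutoConfiguration.class` still commented out in the `@Import` list above and the `@EnableAutoConfiguration` line now deleted, nothing in this file registers `SecmanAutoConfiguration`, so the `@ConditionalOnMissingBean` fallbacks for `SecmanConfiguration` and `PermissionsEvaluationService` rely on a registration not visible in this diff (presumably a `META-INF/spring.factories` entry). If that entry is missing, an application that does not declare its own `PermissionsEvaluationService` bean would not get the configured policy. Suggest confirming the factories entry and recording the decision next to the `@Import` block, e.g. `// SecmanAutoConfiguration is registered through META-INF/spring.factories rather than @Import so that beans declared by the application take precedence over the property-based defaults.`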
@@ -181,4 +190,5 @@ public class IsisModuleExtSecmanApplib {
     public abstract static class PropertyDomainEvent<S, T>
     extends org.apache.isis.applib.events.domain.PropertyDomainEvent<S, T> {}
 
+
 }
diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanAutoConfiguration.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanAutoConfiguration.java
index df8b7d8..0120cc9 100644
--- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanAutoConfiguration.java
+++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanAutoConfiguration.java
@@ -1,39 +1,16 @@
-/*
- *  Licensed to the Apache Software Foundation (ASF) under one
- *  or more contributor license agreements.  See the NOTICE file
- *  distributed with this work for additional information
- *  regarding copyright ownership.  The ASF licenses this file
- *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
- *  with the License.  You may obtain a copy of the License at
- *
- *        http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing,
- *  software distributed under the License is distributed on an
- *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *  KIND, either express or implied.  See the License for the
- *  specific language governing permissions and limitations
- *  under the License.
- */
 package org.apache.isis.extensions.secman.applib;
 
-import javax.inject.Inject;
-import javax.inject.Named;
-
-import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.AutoConfigureOrder;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.annotation.Order;
-import org.springframework.stereotype.Service;
 
 import org.apache.isis.applib.annotation.OrderPrecedence;
 import org.apache.isis.core.config.IsisConfiguration;
+import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationService;
+import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationServiceAllowBeatsVeto;
+import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationServiceVetoBeatsAllow;
 
-import lombok.RequiredArgsConstructor;
-import lombok.extern.log4j.Log4j2;
 import lombok.val;
 
 @AutoConfigureOrder(OrderPrecedence.LAST)
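Review bot: The Apache license header is removed from the top of `SecmanAutoConfiguration.java` in this hunk, leaving the file without the ASF header that Apache release tooling (RAT) requires on every source file. This looks accidental, since the rest of the hunk only prunes unused imports and adds the three `PermissionsEvaluationService*` imports. The 17-line `Licensed to the Apache Software Foundation (ASF)...` comment should be restored exactly as removed before merge.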
@@ -41,11 +18,11 @@ import lombok.val;
 public class SecmanAutoConfiguration {
 
     /**
-     * Provides a default implementation of {@link SecmanConfiguration}.
+     * Provides a default implementation of {@link SecmanConfiguration} based on configuration properties.
      */
     @Bean
     @ConditionalOnMissingBean(SecmanConfiguration.class)
-    public SecmanConfiguration bean(final IsisConfiguration isisConfiguration) {
+    public SecmanConfiguration secmanConfiguration(final IsisConfiguration isisConfiguration) {
         val secman = isisConfiguration.getExtensions().getSecman();
         return SecmanConfiguration.builder()
                 .adminUserName(secman.getSeed().getAdmin().getUserName())
@@ -58,4 +35,19 @@ public class SecmanAutoConfiguration {
                 .build();
     }
 
+    /**
+     * Provides a default implementation of {@link PermissionsEvaluationService} based on configuration properties.
+     */
+    @Bean
+    @ConditionalOnMissingBean(PermissionsEvaluationService.class)
+    public PermissionsEvaluationService permissionsEvaluationService(final IsisConfiguration isisConfiguration) {
+        val policy = isisConfiguration.getExtensions().getSecman().getPermissionsEvaluationPolicy();
+        switch (policy) {
+            case ALLOW_BEATS_VETO:
+                return new PermissionsEvaluationServiceAllowBeatsVeto();
+            case VETO_BEATS_ALLOW:
+                return new PermissionsEvaluationServiceVetoBeatsAllow();
+        }
+        throw new IllegalArgumentException(String.format("PermissionsEvaluationPolicy '%s' not recognised", policy));
+    }
 }
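Review bot: `permissionsEvaluationService` instantiates `PermissionsEvaluationServiceAllowBeatsVeto` and `PermissionsEvaluationServiceVetoBeatsAllow`, yet this same commit marks both classes `@Deprecated` with a note telling users to switch to config properties — so the framework's own default path is now built on types it tells people not to use, and compiling this file will emit deprecation warnings. Either leave the two implementations undeprecated (it is only their direct registration as beans that the property replaces) or reword their deprecation to say so. Separately, if `getPermissionsEvaluationPolicy()` ever yields `null`, `switch (policy)` throws a bare `NullPointerException` before reaching the descriptive `IllegalArgumentException`; a guard such as `val policy = Objects.requireNonNull(secman.getPermissionsEvaluationPolicy(), "isis.extensions.secman.permissionsEvaluationPolicy must be set");` keeps the failure pointed at the property (needs a `java.util.Objects` import). Because this bean decides how allow/veto conflicts are resolved, logging the selected policy once at startup would also make an unexpectedly permissive deployment visible.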
diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanConfiguration.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanConfiguration.java
index 88dfcfb..f484383 100644
--- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanConfiguration.java
+++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanConfiguration.java
@@ -61,7 +61,7 @@ public class SecmanConfiguration {
     /**
      * @see IsisConfiguration.Extensions.Secman.Seed.Admin#getUserName()
      *
-     * @deprecated
+     * @deprecated - use <code>application.yml</code> config properties instead.
      */
     @Deprecated
     @Getter
@@ -74,7 +74,7 @@ public class SecmanConfiguration {
     /**
      * @see IsisConfiguration.Extensions.Secman.Seed.Admin#getPassword()
      *
-     * @deprecated
+     * @deprecated - use <code>application.yml</code> config properties instead.
      */
     @Deprecated
     @Getter
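Review bot: The replacement text `use application.yml config properties instead` on the deprecated `adminPassword` steers users toward writing the seed super-user password into a committed configuration file, which is precisely the secret that should stay out of source control. The Javadoc should name the property and point at an externalised source, e.g. `@deprecated - use the isis.extensions.secman.seed.admin.password config property instead (supply it through an environment variable or secret store rather than a committed application.yml).` The enclosing `SecmanConfiguration` class runs outside this hunk.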
@@ -86,7 +86,7 @@ public class SecmanConfiguration {
     /**
      * @see IsisConfiguration.Extensions.Secman.Seed.Admin#getRoleName()
      *
-     * @deprecated
+     * @deprecated - use <code>application.yml</code> config properties instead.
      */
     @Deprecated
     @Getter
@@ -97,7 +97,7 @@ public class SecmanConfiguration {
     /**
      * @see IsisConfiguration.Extensions.Secman.Seed.Admin.NamespacePermissions#getSticky()
      *
-     * @deprecated
+     * @deprecated - use <code>application.yml</code> config properties instead.
      */
     @Deprecated
     @Getter
@@ -108,7 +108,7 @@ public class SecmanConfiguration {
     /**
      * @see IsisConfiguration.Extensions.Secman.Seed.Admin.NamespacePermissions#getAdditional()
      *
-     * @deprecated
+     * @deprecated - use <code>application.yml</code> config properties instead.
      */
     @Deprecated
     @Getter
@@ -122,7 +122,7 @@ public class SecmanConfiguration {
     /**
      * @see IsisConfiguration.Extensions.Secman.Seed.RegularUser#getRoleName()
      *
-     * @deprecated
+     * @deprecated - use <code>application.yml</code> config properties instead.
      */
     @Deprecated
     @Getter
@@ -133,7 +133,7 @@ public class SecmanConfiguration {
     /**
      * @see IsisConfiguration.Extensions.Secman.DelegatedUsers#getAutoCreatePolicy()
      *
-     * @deprecated
+     * @deprecated - use <code>application.yml</code> config properties instead.
      */
     @Deprecated
     @Getter
diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceAllowBeatsVeto.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceAllowBeatsVeto.java
index d7a15e3..6cdedd2 100644
--- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceAllowBeatsVeto.java
+++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceAllowBeatsVeto.java
@@ -27,7 +27,10 @@ import org.apache.isis.extensions.secman.applib.permission.dom.ApplicationPermis
  * An implementation whereby a VETO permission for a feature overrides an ALLOW (for same scope).
  *
  * @since 2.0 {@index}
+ *
+ * @deprecated - use <code>application.yml</code> config properties instead.
  */
+@Deprecated
 public class PermissionsEvaluationServiceAllowBeatsVeto extends PermissionsEvaluationServiceAbstract {
 
     private static final long serialVersionUID = 1L;
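Review bot: The class Javadoc kept as context at the top of this hunk says a VETO `overrides an ALLOW`, which is the behaviour of the sibling `PermissionsEvaluationServiceVetoBeatsAllow` (whose Javadoc carries the identical sentence), so judging by its name `PermissionsEvaluationServiceAllowBeatsVeto` is documented as doing the opposite of what it does, and the new `@deprecated` tag is appended to that wrong description. Since the commit is already editing this Javadoc, suggest correcting the first line to `An implementation whereby an ALLOW permission for a feature overrides a VETO (for same scope).` The deprecation wording is also misleading here: this class is still what `SecmanAutoConfiguration` instantiates for the default policy, so the note should say that only direct bean registration is deprecated, e.g. `@deprecated - no longer needs to be registered as a bean; select it with the isis.extensions.secman.permissionsEvaluationPolicy config property instead.`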
diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceVetoBeatsAllow.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceVetoBeatsAllow.java
index c08b795..1b493db 100644
--- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceVetoBeatsAllow.java
+++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceVetoBeatsAllow.java
@@ -31,7 +31,10 @@ import lombok.val;
  * An implementation whereby a VETO permission for a feature overrides an ALLOW (for same scope).
  *
  * @since 2.0 {@index}
+ *
+ * @deprecated - use <code>application.yml</code> config properties instead.
  */
+@Deprecated
 public class PermissionsEvaluationServiceVetoBeatsAllow extends PermissionsEvaluationServiceAbstract {
 
     private static final long serialVersionUID = 1L;

[isis] 02/02: ISIS-2699: updates docs for secman

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

danhaywood pushed a commit to branch ISIS-2699
in repository https://gitbox.apache.org/repos/asf/isis.git

commit b5facd393dfbeb31b4f8e03f6f1eb0afb4e6562a
Author: danhaywood <da...@haywood-associates.co.uk>
AuthorDate: Sun May 30 20:47:30 2021 +0100

    ISIS-2699: updates docs for secman
---
 .../apache/isis/core/config/IsisConfiguration.java |   4 +-
 .../adoc/modules/secman/pages/setting-up.adoc      | 109 +++++++++------------
 2 files changed, 51 insertions(+), 62 deletions(-)

diff --git a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
index 7b7f29a..6657dd9 100644
--- a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
+++ b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
@@ -3052,7 +3052,7 @@ public class IsisConfiguration {
                      * </p>
                      *
                      * <p>
-                     * The password for this user is set in {@link #getAdminPassword()}.
+                     * The password for this user is set in {@link Admin#getPassword()}.
                      * </p>
                      *
                      * @see #getPassword()
@@ -3115,7 +3115,7 @@ public class IsisConfiguration {
                          * {@link NamespacePermissions#getAdditional()}.
                          * </p>
                          *
-                         * @see #getAdminAdditionalNamespacePermissions()
+                         * @see NamespacePermissions#getAdditional()
                          */
                         private List<String> sticky = ADMIN_STICKY_NAMESPACE_PERMISSIONS_DEFAULT;
 
diff --git a/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc b/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
index 670ced5..ea48b29 100644
--- a/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
+++ b/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
@@ -96,71 +96,60 @@ Ensure that no other `IsisModuleSecurityXxx` module is imported.
 <.> fixture script support
 
 
-[#configure-services]
-=== Configure Services
+[#configure-properties]
+== Configuration Properties
 
-It is also necessary to configure some aspects of SecMan.
-This is most easily done using `Bean` definitions within the `AppManifest`:
+Add the database schema used by the SecMan entities to the configuration file:
 
-[source,java]
-.AppManifest.java
+[source,yaml]
+.application.yml
+----
+isis:
+  persistence:
+    schema:
+      auto-create-schemas: isisExtensionsSecman
 ----
-//...
-public class AppManifest {
-
-    @Bean
-    public SecmanConfiguration secmanConfiguration() {
-        return SecmanConfiguration.builder()
-                .adminUserName("sven").adminPassword("pass")     // <.>
-                // .adminRoleName("isis-ext-secman-admin")       // <.>
-                // .regularUserRoleName("isis-ext-secman-user")  // <.>
-                .build();
-    }
 
-    @Bean
-    public PermissionsEvaluationService permissionsEvaluationService() {
-        return new PermissionsEvaluationServiceAllowBeatsVeto();    // <.>
-    }
+Optionally, modify the configuration properties for Secman itself:
 
-    @Bean
-    public SecurityRealmService securityRealmService() {
-        return new SecurityRealmService() {
-            @Override
-            public SecurityRealm getCurrentRealm() {
-                return () ->
-                    EnumSet.noneOf(SecurityRealmCharacteristic.class); // <.>
-            }
-        };
-    }
-}
+[source,yaml]
+.application.yml
+----
+isis:
+  extensions:
+    secman:
+      seed:
+        admin:
+          user-name: "secman-admin"                     <.>
+          password: "pass"                              <1>
+          role-name: "isis-ext-secman-admin"            <.>
+          namespace-permissions:
+            sticky: ...                                 <.>
+            additional: ...                             <.>
+        regular-user:
+          role-name: "isis-ext-secman-user"             <.>
+      permissionsEvaluationPolicy: ALLOW_BEATS_VETO     <.>
+      delegated-users:
+        auto-create-policy: AUTO_CREATE_AS_LOCKED       <.>
+      user-registration:
+        initial-role-names: ...                         <.>
 ----
 
 <.> indicates the security super-user and password
 <.> indicates the name of the role granted to this security super-user.
-This can be any name; if not overridden will default to `SecmanConfiguration.DEFAULT_ADMIN_ROLE_NAME`
-
+This can be any name.
+<.> the "sticky" namespace permissions granted to the admin role.
+These cannot be removed (through the UI).
+<.> any additional namespace permissions to be granted to the admin role.
+These can be removed (through the UI).
 <.> indicates the name of the role that should be granted to regular users of the application.
-This can be any name; if not overridden will default to `SecmanConfiguration.DEFAULT_REGULAR_USER_ROLE_NAME`
-+
-IMPORTANT: This role grants regular users the ability to logout (among other things).
+<.> if there are conflicted (allow vs veto) permissions at the same scope, then whether the allow wins or the veto wins
 <.> indicates that only local users are supported (no delegate realm is in used).
 +
 See <<delegate-realms,below>> to configure for a delegate realm.
-
-
-== Configuration
-
-Add the database schema used by the SecMan entities to the configuration file:
-
-[source,yaml]
-.application.yml
-----
-isis:
-  persistence:
-    schema:
-      auto-create-schemas: isisExtensionsSecman
-----
-
+<.> if self-user registration is enabled in the viewer, this defines the set of roles to be granted to said user.
++
+This is discussed in more detail <<user-registration-aka-sign-up,below>>.
 
 [#default-roles]
 == Default Roles
@@ -171,13 +160,13 @@ These are summarised here:
 
 * Available in both production and prototype mode
 
-** `SecmanConfiguration#getAdminRoleName()`
+** Admin role (as defined in the configuration, see <<configure-properties,above>>)
 +
 Admin permissions for Secman itself.
 This is the role granted to the security super-user, and whose exact name is configured using .
 This role should therefore be extremely tightly locked down.
 
-** `SecmanConfiguration#getRegularUserRoleName()`
+** Regular user role (as defined in the configuration, see <<configure-properties,above>>)
 +
 Regular user permissions for Secman.
 This should be granted to all users (in particular, it includes the ability to logout!)
@@ -384,11 +373,11 @@ The exact roles to setup are specified using configuration property:
 .application.yaml
 ----
 isis:
-    extensions:
-        secman:
-            user-registration:
-                initial-roles:
-                    - "self-registered-user-role"
-                    - "regular-user-role"
+  extensions:
+    secman:
+      user-registration:
+        initial-roles:
+          - "self-registered-user-role"
+          - "regular-user-role"
 ----