This is an automated email from the ASF dual-hosted git repository. danhaywood pushed a commit to branch ISIS-2699 in repository https://gitbox.apache.org/repos/asf/isis.git
commit b5facd393dfbeb31b4f8e03f6f1eb0afb4e6562a
Author: danhaywood <[email protected]>
AuthorDate: Sun May 30 20:47:30 2021 +0100
ISIS-2699: updates docs for secman
---
.../apache/isis/core/config/IsisConfiguration.java | 4 +-
.../adoc/modules/secman/pages/setting-up.adoc | 109 +++++++++------------
2 files changed, 51 insertions(+), 62 deletions(-)
diff --git a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
index 7b7f29a..6657dd9 100644
--- a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
+++ b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java
@@ -3052,7 +3052,7 @@ public class IsisConfiguration {
 * </p>
 *
 * <p>
- * The password for this user is set in {@link #getAdminPassword()}.
+ * The password for this user is set in {@link Admin#getPassword()}.
 * </p>
 *
 * @see #getPassword()
@@ -3115,7 +3115,7 @@ public class IsisConfiguration {
 * {@link NamespacePermissions#getAdditional()}.
 * </p>
 *
- * @see #getAdminAdditionalNamespacePermissions()
+ * @see NamespacePermissions#getAdditional()
 */
 private List<String> sticky = ADMIN_STICKY_NAMESPACE_PERMISSIONS_DEFAULT;
diff --git a/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc b/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
index 670ced5..ea48b29 100644
--- a/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
+++ b/extensions/security/secman/adoc/modules/secman/pages/setting-up.adoc
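Review bot: The new `{@link Admin#getPassword()}` is class-qualified while the `@see #getPassword()` three lines below in the same Javadoc is not, so two references to the same accessor now read inconsistently within one comment. If the enclosing class is `Admin` — which the unqualified `@see` suggests, though the documented field's declaration lies outside the hunk — `{@link #getPassword()}` would resolve equally well and match the existing tag, and the `@see` line would then merely repeat the inline link. Either form is valid; the point is to keep one style per comment, e.g. `* The password for this user is set in {@link #getPassword()}.` with the `@see` kept as is, or the qualified form in both places.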
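Review bot: The new `@see NamespacePermissions#getAdditional()` duplicates the `{@link NamespacePermissions#getAdditional()}` that appears as context three lines earlier in the same Javadoc, so the tag gives the reader no navigation the paragraph does not already provide. Consider dropping the `@see` line, or pointing it at the value the field is actually initialised from, `@see #ADMIN_STICKY_NAMESPACE_PERMISSIONS_DEFAULT`, provided that constant is declared in the same class (its declaration is not visible in the hunk). The Javadoc block itself opens before the hunk, so its opening sentence cannot be checked here.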
@@ -96,71 +96,60 @@ Ensure that no other `IsisModuleSecurityXxx` module is imported. <.> fixture script support -[#configure-services] -=== Configure Services +[#configure-properties] +== Configuration Properties -It is also necessary to configure some aspects of SecMan. -This is most easily done using `Bean` definitions within the `AppManifest`: +Add the database schema used by the SecMan entities to the configuration file: -[source,java] -.AppManifest.java +[source,yaml] +.application.yml +---- +isis: + persistence: + schema: + auto-create-schemas: isisExtensionsSecman ---- -//... -public class AppManifest { - - @Bean - public SecmanConfiguration secmanConfiguration() { - return SecmanConfiguration.builder() - .adminUserName("sven").adminPassword("pass") // <.> - // .adminRoleName("isis-ext-secman-admin") // <.> - // .regularUserRoleName("isis-ext-secman-user") // <.> - .build(); - } - @Bean - public PermissionsEvaluationService permissionsEvaluationService() { - return new PermissionsEvaluationServiceAllowBeatsVeto(); // <.> - } +Optionally, modify the configuration properties for Secman itself: - @Bean - public SecurityRealmService securityRealmService() { - return new SecurityRealmService() { - @Override - public SecurityRealm getCurrentRealm() { - return () -> - EnumSet.noneOf(SecurityRealmCharacteristic.class); // <.> - } - }; - } -} +[source,yaml] +.application.yml +---- +isis: + extensions: + secman: + seed: + admin: + user-name: "secman-admin" <.> + password: "pass" <1> + role-name: "isis-ext-secman-admin" <.> + namespace-permissions: + sticky: ... <.> + additional: ... <.> + regular-user: + role-name: "isis-ext-secman-user" <.> + permissionsEvaluationPolicy: ALLOW_BEATS_VETO <.> + delegated-users: + auto-create-policy: AUTO_CREATE_AS_LOCKED <.> + user-registration: + initial-role-names: ... <.> ---- <.> indicates the security super-user and password <.> indicates the name of the role granted to this security super-user. 
-This can be any name; if not overridden will default to `SecmanConfiguration.DEFAULT_ADMIN_ROLE_NAME` - +This can be any name. +<.> the "sticky" namespace permissions granted to the admin role. +These cannot be removed (through the UI). +<.> any additional namespace permissions to be granted to the admin role. +These can be removed (through the UI). <.> indicates the name of the role that should be granted to regular users of the application. -This can be any name; if not overridden will default to `SecmanConfiguration.DEFAULT_REGULAR_USER_ROLE_NAME` -+ -IMPORTANT: This role grants regular users the ability to logout (among other things). +<.> if there are conflicted (allow vs veto) permissions at the same scope, then whether the allow wins or the veto wins <.> indicates that only local users are supported (no delegate realm is in used). + See <<delegate-realms,below>> to configure for a delegate realm. - - -== Configuration - -Add the database schema used by the SecMan entities to the configuration file: - -[source,yaml] -.application.yml ----- -isis: - persistence: - schema: - auto-create-schemas: isisExtensionsSecman ----- - +<.> if self-user registration is enabled in the viewer, this defines the set of roles to be granted to said user. ++ +This is discussed in more detail <<user-registration-aka-sign-up,below>>. [#default-roles] == Default Roles 
@@ -171,13 +160,13 @@ These are summarised here: * Available in both production and prototype mode -** `SecmanConfiguration#getAdminRoleName()` +** Admin role (as defined in the configuration, see <<configure-properties,above>>) + Admin permissions for Secman itself. This is the role granted to the security super-user, and whose exact name is configured using . This role should therefore be extremely tightly locked down. -** `SecmanConfiguration#getRegularUserRoleName()` +** Regular user role (as defined in the configuration, see <<configure-properties,above>>) + Regular user permissions for Secman. This should be granted to all users (in particular, it includes the ability to logout!) @@ -384,11 +373,11 @@ The exact roles to setup are specified using configuration property: .application.yaml ---- isis: - extensions: - secman: - user-registration: - initial-roles: - - "self-registered-user-role" - - "regular-user-role" + extensions: + secman: + user-registration: + initial-roles: + - "self-registered-user-role" + - "regular-user-role" ----
