Well, I got hold of an isis-security PDF and, following that, this is what I did. But still I could not achieve what I want with authorization. Please comment if I am going in the right direction.

I have a service class *EmployeeSql* with two actions *newEmployee(String name, String designation, String department)* and *findEmployee()*. I want two roles namely *ADMIN* and *USER* so that only ADMIN can see the menu "New Employee". As I have mentioned in my earlier mail that I am now able to use SQL authentication, I added a column called *roles* in that SQL table and added this property in *isis.properties* file.

*isis.authentication.sql.roleField=roles*

Now I am still using file authorization.

*isis.authorization=file*

In authorization_file.properties I have added the following.

*isis.authorization.file.whitelist=authorization_file.allow
isis.authorization.file.blacklist=authorization_file.disallow*

In authorization_file.allow file I have added

*EmployeeSql#findEmployee():ADMIN|USER*

And in authorization_file.disallow file I have added

*EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String):USER*

But when I login with either of the users with ADMIN and USER role, I am able to see both the menu links. Can you please suggest where I am going wrong.

Thanks,
Sudipto.

On Mon, Jun 11, 2012 at 11:22 AM, Sudipto Majumder <[email protected]> wrote:

> Kevin, I am not too sure that I could fully follow you on this. I was
> already using *isis.persistor=sql* and had the following sql dependencies
> in my pom.
>
> *<dependency>
>     <groupId>org.apache.isis.runtimes.dflt.objectstores</groupId>
>     <artifactId>sql-impl</artifactId>
>     <version>${isis.version}</version>
> </dependency>
>
> <dependency>
>     <groupId>mysql</groupId>
>     <artifactId>mysql-connector-java</artifactId>
>     <version>5.1.6</version>
> </dependency>*
>
> But with that things were not working. Did you mean this as sql-os? Sorry
> if I got you all wrong.
>
> However, from Dan's mail I realized that the sql security class was not in
> classpath. I added the following dependency in my pom and things are
> working now.
> I am just mentioning this here so that others can get a quick
> pointer in the future.
>
> *<dependency>
>     <groupId>org.apache.isis.security</groupId>
>     <artifactId>sql</artifactId>
>     <version>${isis.version}</version>
> </dependency>*
>
> So, authentication is all good at least with database. Coming back to
> authorization, can you please guide me on that a little.
>
> Suppose, there are two actions for a domain class, one create and one
> search, if I want to show search to all but create to a specific role, how
> do I accomplish that?
>
> I am not too clear about role1, role2, role3 and what if I want to have my
> own roles. A little help on this will be much appreciated.
>
> Thanks,
> Sudipto.
>
> However, from Dan's response I had the idea t
>
> On Fri, Jun 8, 2012 at 9:43 PM, Dan Haywood
> <[email protected]> wrote:
>
>> Just to add to Kevin's reply...
>>
>> The way that Isis loads components is using the InstallerLookupDefault
>> class. When it reads the following:
>>
>> isis.authentication=sql
>>
>> then this is ultimately read by
>> InstallerLookupDefault#authenticationManagerInstaller() method.
>>
>> If you trace it through you'll see that the method reads the key value
>> "sql" and looks for a component that implements
>> AuthenticationManagerInstaller interface.
>>
>> The available components are listed in the installer-registry.properties
>> file, that lives in oai.runtimes.dflt:runtime module, in the
>> oai.runtimes.dflt.runtime package (src/main/resources).
>>
>> One of the components listed there is
>> org.apache.isis.security.sql.authentication.SqlAuthenticationManagerInstaller;
>> if present on the classpath then this will indicate that its name is "sql",
>> and thus be loaded by InstallerLookupDefault.
>>
>> If the component is not on the classpath, then the entry in the
>> installer-registry.properties file is ignored.
>>
>> One day we might chuck all this out and just use CDI, but for now it works
>> and is reasonably straight-forward.
>>
>> NB: none of the above alters Kevin's advice: you just need to make sure
>> that the sql-os modules are on your classpath by adding them into your
>> pom.
>>
>> HTH,
>> Dan
>> ~~~~~~~
>>
>> On 8 June 2012 12:46, Sudipto Majumder <[email protected]> wrote:
>>
>> > Okay, I found some info on the website. I was trying to use sql
>> > authentication since ldap server is not yet available. I used the following
>> > configuration in isis.properties -
>> >
>> > *isis.authentication=sql
>> > isis.authentication.sql.jdbc.driver=com.mysql.jdbc.Driver
>> > isis.authentication.sql.jdbc.connection=jdbc:mysql://localhost:3306/tutorial
>> > isis.authentication.sql.jdbc.user=***
>> > isis.authentication.sql.jdbc.password=***
>> >
>> > isis.authentication.sql.userTable=user_authentication
>> > isis.authentication.sql.userNameField=username
>> > isis.authentication.sql.passwordField=password
>> > *
>> > But getting the following error while deploying -
>> >
>> > *Error in custom provider,
>> > org.apache.isis.core.commons.factory.InstanceCreationException: Failed to
>> > load installer; named/class:'sql' (of type
>> > org.apache.isis.core.runtime.authentication.AuthenticationManagerInstaller)*
>> >
>> > Where I am going wrong? I'm using isis version
>> > *0.3.0-incubating-SNAPSHOT* and file authentication is working fine for
>> > me.
>> >
>> > Thanks,
>> > Sudipto.
>> > On Fri, Jun 8, 2012 at 11:07 AM, Sudipto Majumder <[email protected]> wrote:
>> >
>> > > Hi Dan,
>> > >
>> > > After some initial POC success, there is an actual opportunity of using
>> > > Isis framework in a rapid development project. We have little time to
>> > > ponder on whether we should use Isis or go for some other traditional
>> > > framework. The use cases for this project is not very complex and hence we
>> > > were thinking of Isis in the first place. But before we can decide, we need
>> > > to be sure of the feasibility of a few facts.
>> > >
>> > > And the first thing to look into is the authentication and authorization
>> > > part. So, far I have only used and seen file based authentication but in
>> > > the framework code I noticed some classes for LDAP authentication. So, my
>> > > first question is can we integrate easily with an LDAP for the
>> > > authentication part? If yes, is there any documentation available on the
>> > > same?
>> > > As for authorization, we need to show/hide some service and menu links
>> > > based on roles and these roles would be maintained in application database.
>> > > So this brings up to my second question, whether that can be achieved or
>> > > not. In the password files I noticed some mention of roles but did not
>> > > understand much about that.
>> > >
>> > > I would really appreciate if you can kindly comment on these items.
>> > >
>> > > Thanks,
>> > > Sudipto.
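
The installer lookup described in Dan Haywood's quoted reply above (a registry entry whose class is missing from the classpath is ignored, so the configured name never resolves and the "Failed to load installer" error follows), modelled as an added Java example. It is not Isis code: `InstallerLookupModel`, `NamedInstaller`, `FileInstaller` and the registry entries are hypothetical, and it assumes Java 9+ with the class in the default package.

```java
import java.util.List;
import java.util.Optional;

// Added illustration: a model of the name-based component lookup described in the thread.
// NamedInstaller, FileInstaller and InstallerLookupModel are hypothetical names, not Isis types.
public class InstallerLookupModel {

    /** Stand-in for an installer interface: each component reports its own short name. */
    public interface NamedInstaller { String getName(); }

    /** Constructed component that is on the classpath because it is compiled in here. */
    public static class FileInstaller implements NamedInstaller {
        public String getName() { return "file"; }
    }

    /** Returns the installer whose name matches the configured key, if one could be loaded. */
    static Optional<NamedInstaller> lookup(List<String> registry, String key) {
        for (String className : registry) {
            try {
                Object candidate =
                        Class.forName(className).getDeclaredConstructor().newInstance();
                if (candidate instanceof NamedInstaller
                        && ((NamedInstaller) candidate).getName().equals(key)) {
                    return Optional.of((NamedInstaller) candidate);
                }
            } catch (ClassNotFoundException e) {
                // Listed in the registry but its jar is absent: the entry is skipped silently.
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("Cannot instantiate " + className, e);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed registry: the second entry names a class that is not on the classpath.
        List<String> registry = List.of(
                "InstallerLookupModel$FileInstaller",
                "example.missing.SqlInstaller");
        for (String key : new String[] {"file", "sql"}) {
            String result = lookup(registry, key)
                    .map(i -> "loaded " + i.getClass().getName())
                    .orElse("Failed to load installer; named/class:'" + key + "'");
            System.out.println(key + " -> " + result);
        }
    }
}
```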
