Thanks Kevin, it is working now. Is there anything on sql based authorization?
On Mon, Jun 11, 2012 at 4:01 PM, Kevin Meyer - KMZ <[email protected]> wrote:

> Hi Sudipto,
>
> There is a decorator that needs to be installed via the isis.properties
> file.
>
> isis.reflector.facets.include=org.apache.isis.runtimes.dflt.runtime.authorization.AuthorizationFacetFactoryForDfltRuntime
>
> See [1] - but there may still be some issues - I used the file authorizor
> a long time ago for a demo (when it worked), but I now use my own
> authentication service that is called by the visible* and disabled*
> methods of any actions whose state or visibility I need to control.
>
> Regards,
> Kevin
>
> [1] https://issues.apache.org/jira/browse/ISIS-211
>
> On 11 Jun 2012 at 14:53, Sudipto Majumder wrote:
>
> > Well, I got hold of an isis-security pdf and following that this is what I
> > did. But still I could not achieve what I want with authorization. Please
> > comment if I am going in the right direction.
> >
> > I have a service class *EmployeeSql* with two actions *newEmployee(String
> > name, String designation, String department)* and *findEmployee()*.
> > I want two roles namely *ADMIN* and *USER* so that only ADMIN can see the
> > menu "New Employee".
> > As I have mentioned in my earlier mail that I am now able to use SQL
> > authentication, I added a column called *roles* in that SQL table and added
> > this property in *isis.properties* file.
> > *isis.authentication.sql.roleField=roles*
> >
> > Now I am still using file authorization.
> > *isis.authorization=file*
> >
> > In authorization_file.properties I have added the following.
> > *isis.authorization.file.whitelist=authorization_file.allow
> > isis.authorization.file.blacklist=authorization_file.disallow*
> >
> > In authorization_file.allow file I have added
> > *EmployeeSql#findEmployee():ADMIN|USER*
> >
> > And in authorization_file.disallow file I have added
> > *EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String):USER*
> >
> > But when I log in with either of the users with ADMIN and USER role, I am
> > able to see both the menu links. Can you please suggest where I am going
> > wrong.
> >
> > Thanks,
> > Sudipto.
> >
> > On Mon, Jun 11, 2012 at 11:22 AM, Sudipto Majumder
> > <[email protected]> wrote:
> >
> > > Kevin, I am not too sure that I could fully follow you on this. I was
> > > already using *isis.persistor=sql* and had the following sql dependencies
> > > in my pom.
> > > *<dependency>
> > >     <groupId>org.apache.isis.runtimes.dflt.objectstores</groupId>
> > >     <artifactId>sql-impl</artifactId>
> > >     <version>${isis.version}</version>
> > > </dependency>
> > >
> > > <dependency>
> > >     <groupId>mysql</groupId>
> > >     <artifactId>mysql-connector-java</artifactId>
> > >     <version>5.1.6</version>
> > > </dependency>*
> > >
> > > But with that things were not working. Did you mean this as sql-os? Sorry
> > > if I got you all wrong.
> > >
> > > However, from Dan's mail I realized that the sql security class was not in
> > > classpath. I added the following dependency in my pom and things are
> > > working now. I am just mentioning this here so that others can get a quick
> > > pointer in the future.
> > >
> > > *<dependency>
> > >     <groupId>org.apache.isis.security</groupId>
> > >     <artifactId>sql</artifactId>
> > >     <version>${isis.version}</version>
> > > </dependency>*
> > >
> > > So, authentication is all good at least with database. Coming back to
> > > authorization, can you please guide me on that a little.
> > >
> > > Suppose, there are two actions for a domain class, one create and one
> > > search, if I want to show search to all but create to a specific role, how
> > > do I accomplish that?
> > >
> > > I am not too clear about role1, role2, role3 and what if I want to have my
> > > own roles. A little help on this will be much appreciated.
> > >
> > > Thanks,
> > > Sudipto.
> > >
> > > However, from Dan's response I had the idea t
> > >
> > > On Fri, Jun 8, 2012 at 9:43 PM, Dan Haywood <[email protected]> wrote:
> > >
> > >> Just to add to Kevin's reply...
> > >>
> > >> The way that Isis loads components is using the InstallerLookupDefault
> > >> class. When it reads the following:
> > >>
> > >> isis.authentication=sql
> > >>
> > >> then this is ultimately read by
> > >> InstallerLookupDefault#authenticationManagerInstaller() method.
> > >>
> > >> If you trace it through you'll see that the method reads the key value
> > >> "sql" and looks for a component that implements
> > >> AuthenticationManagerInstaller interface.
> > >>
> > >> The available components are listed in the installer-registry.properties
> > >> file, that lives in oai.runtimes.dflt:runtime module, in the
> > >> oai.runtimes.dflt.runtime package (src/main/resources).
> > >>
> > >> One of the components listed there is
> > >> org.apache.isis.security.sql.authentication.SqlAuthenticationManagerInstaller;
> > >> if present on the classpath then this will indicate that its name is
> > >> "sql", and thus be loaded by InstallerLookupDefault.
> > >>
> > >> If the component is not on the classpath, then the entry in the
> > >> installer-registry.properties file is ignored.
> > >>
> > >> One day we might chuck all this out and just use CDI, but for now it works
> > >> and is reasonably straight-forward.
> > >>
> > >> NB: none of the above alters Kevin's advice: you just need to make sure
> > >> that the sql-os modules are on your classpath by adding them into your
> > >> pom.
> > >>
> > >> HTH,
> > >> Dan
> > >> ~~~~~~~
> > >>
> > >> On 8 June 2012 12:46, Sudipto Majumder <[email protected]> wrote:
> > >>
> > >> > Okay, I found some info on the website. I was trying to use sql
> > >> > authentication since ldap server is not yet available. I used the
> > >> > following configuration in isis.properties -
> > >> >
> > >> > *isis.authentication=sql
> > >> > isis.authentication.sql.jdbc.driver=com.mysql.jdbc.Driver
> > >> > isis.authentication.sql.jdbc.connection=jdbc:mysql://localhost:3306/tutorial
> > >> > isis.authentication.sql.jdbc.user=***
> > >> > isis.authentication.sql.jdbc.password=***
> > >> >
> > >> > isis.authentication.sql.userTable=user_authentication
> > >> > isis.authentication.sql.userNameField=username
> > >> > isis.authentication.sql.passwordField=password
> > >> > *
> > >> > But getting the following error while deploying -
> > >> >
> > >> > *Error in custom provider,
> > >> > org.apache.isis.core.commons.factory.InstanceCreationException: Failed to
> > >> > load installer; named/class:'sql' (of type
> > >> > org.apache.isis.core.runtime.authentication.AuthenticationManagerInstaller)*
> > >> >
> > >> > Where I am going wrong? I'm using isis version
> > >> > *0.3.0-incubating-SNAPSHOT* and file authentication is working fine for
> > >> > me.
> > >> >
> > >> > Thanks,
> > >> > Sudipto.
> > >> >
> > >> > On Fri, Jun 8, 2012 at 11:07 AM, Sudipto Majumder
> > >> > <[email protected]> wrote:
> > >> >
> > >> > > Hi Dan,
> > >> > >
> > >> > > After some initial POC success, there is an actual opportunity of using
> > >> > > Isis framework in a rapid development project. We have little time to
> > >> > > ponder on whether we should use Isis or go for some other traditional
> > >> > > framework. The use cases for this project are not very complex and hence
> > >> > > we were thinking of Isis in the first place. But before we can decide, we
> > >> > > need to be sure of the feasibility of a few facts.
> > >> > >
> > >> > > And the first thing to look into is the authentication and authorization
> > >> > > part. So far I have only used and seen file based authentication but in
> > >> > > the framework code I noticed some classes for LDAP authentication. So, my
> > >> > > first question is can we integrate easily with an LDAP for the
> > >> > > authentication part? If yes, is there any documentation available on the
> > >> > > same?
> > >> > > As for authorization, we need to show/hide some service and menu links
> > >> > > based on roles and these roles would be maintained in application
> > >> > > database. So this brings up to my second question, whether that can be
> > >> > > achieved or not. In the password files I noticed some mention of roles
> > >> > > but did not understand much about that.
> > >> > >
> > >> > > I would really appreciate if you can kindly comment on these items.
> > >> > >
> > >> > > Thanks,
> > >> > > Sudipto.
>
> --
> Kevin Meyer, PhD, Pr.Sci.Nat
> KMZ P.O. Box 9822, Sharon Park, South Africa.
> Tel: +27 11 363 2001 Cell: +27 83 346 3045
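
Added example, not part of the original thread and not Isis code: a stand-alone Java model of the allow and disallow entries quoted above, evaluated under an assumed policy where a deny entry wins and unlisted members are hidden (the thread does not state the file authorizor's real precedence). The class `AuthorizationFileModel`, its methods and the `:ADMIN` allow entry for `newEmployee` are constructed for illustration; the third sample user shows how an account holding both roles is treated under that policy.

```java
import java.util.*;

// Added illustration: a stand-alone policy model, not Isis's file authorizor.
public class AuthorizationFileModel {

    // Parses "Class#member(args):ROLE1|ROLE2" entries into member -> roles.
    static Map<String, Set<String>> parse(String... lines) {
        Map<String, Set<String>> rules = new LinkedHashMap<>();
        for (String line : lines) {
            String entry = line.trim();
            int sep = entry.lastIndexOf(':');
            if (entry.isEmpty() || entry.startsWith("#") || sep < 0) {
                continue; // blank line, comment, or entry without a role list
            }
            String member = entry.substring(0, sep).trim();
            String[] roles = entry.substring(sep + 1).trim().split("\\|");
            rules.computeIfAbsent(member, k -> new HashSet<>()).addAll(Arrays.asList(roles));
        }
        return rules;
    }

    // Assumed policy: a deny entry wins, then allow; anything unlisted is hidden.
    static boolean isVisible(String member, Set<String> userRoles,
            Map<String, Set<String>> allow, Map<String, Set<String>> deny) {
        Set<String> none = Collections.emptySet();
        if (!Collections.disjoint(userRoles, deny.getOrDefault(member, none))) {
            return false; // at least one of the user's roles is denied
        }
        return !Collections.disjoint(userRoles, allow.getOrDefault(member, none));
    }

    public static void main(String[] args) {
        String find = "EmployeeSql#findEmployee()";
        String create = "EmployeeSql#newEmployee(java.lang.String,java.lang.String,java.lang.String)";
        // Entries from the thread, plus one constructed allow entry granting newEmployee to ADMIN.
        Map<String, Set<String>> allow = parse(find + ":ADMIN|USER", create + ":ADMIN");
        Map<String, Set<String>> deny = parse(create + ":USER");

        // Constructed sample users; the last one holds both roles.
        String[][] users = { { "ADMIN" }, { "USER" }, { "ADMIN", "USER" } };
        for (String[] u : users) {
            Set<String> roles = new TreeSet<>(Arrays.asList(u));
            System.out.println(roles + " findEmployee=" + isVisible(find, roles, allow, deny)
                    + " newEmployee=" + isVisible(create, roles, allow, deny));
        }
    }
}
```

Under this assumed precedence an account that carries both ADMIN and USER loses `newEmployee`, so the value stored in the `roles` column for administrators matters as much as the file entries.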
