[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645638#comment-17645638
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 60cb4e55d783d98116edb4f3969b20761af6e4fb in isis's branch 
refs/heads/master from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=60cb4e55d7 ]

ISIS-3303: makes stable regression tests artifacts consistent


> Redefine UserMemento#isSystemUser to instead take into account 
> SudoService#accessAll role
> -
>
> Key: ISIS-3303
> URL: https://issues.apache.org/jira/browse/ISIS-3303
> Project: Isis
> Issue Type: Improvement
> Components: Isis Extensions SecMan
> Affects Versions: 2.0.0-M9
> Reporter: Daniel Keir Haywood
> Assignee: Daniel Keir Haywood
> Priority: Minor
> Fix For: 2.0.0-RC1
>
>
> We currently have two very similar notions that are meant to disable 
> permission checking (typically for integration tests), 
> `UserMemento#isSystemUser`, and separately the `SudoService#ACCESS_ALL` role, 
> as set up by the `NoPermissionsCheck` junit 5 extension.
> However, the `TenantedAuthorizationFacetDefault` is only aware of the former 
> of these, via `UserService#isCurrentUserWithSystemPrivileges`, and because 
> the UserMemento#isSystem is an equality check, the two mechanisms are 
> incompatible.
> Luckily, `TenantedAuthorizationFacetDefault` is the only usage of this API.  
> Therefore, the purpose of this improvement is to combine these two notions, 
> and refactor names from (real) "system user" (aka root) to (effective) user 
> (aka sudo).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
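
The incompatibility described in the issue above, as an added illustration that is not Apache Isis code and not part of the original message: an equality check against one "system user" does not recognise a test user who was merely granted an access-all role, while a role-membership check does. Every class, method and string value here (`Role`, `User`, `demo-access-all`, `__system`, the tenancy paths) is a hypothetical stand-in.

```java
import java.util.Objects;
import java.util.Set;

/** Added illustration; simplified stand-ins, not the framework's own classes. */
public class SudoCheckDemo {

    /** Role with value semantics on its name only (the description is ignored). */
    static final class Role {
        final String name;
        final String description;
        Role(String name, String description) {
            this.name = Objects.requireNonNull(name);
            this.description = description;
        }
        @Override public boolean equals(Object o) {
            return o instanceof Role && ((Role) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** User with value semantics on name and role set. */
    static final class User {
        final String name;
        final Set<Role> roles;
        User(String name, Set<Role> roles) {
            this.name = Objects.requireNonNull(name);
            this.roles = Set.copyOf(roles);
        }
        @Override public boolean equals(Object o) {
            if (!(o instanceof User)) return false;
            User other = (User) o;
            return name.equals(other.name) && roles.equals(other.roles);
        }
        @Override public int hashCode() { return Objects.hash(name, roles); }
    }

    // Constructed values standing in for the access-all role and the system user.
    static final Role ACCESS_ALL = new Role("demo-access-all", "bypasses permission checks");
    static final User SYSTEM_USER = new User("__system", Set.of(ACCESS_ALL));

    /** "Before": real-identity check, true only for the one system user. */
    static boolean isSystemUserByEquality(User current) {
        return SYSTEM_USER.equals(current);
    }

    /** "After": effective-privilege check, true for any user holding the role. */
    static boolean hasAccessAllRole(User current) {
        return current.roles.contains(ACCESS_ALL);
    }

    /** Tenancy gate: visible if the check is bypassed or the tenancies match. */
    static boolean visible(boolean bypass, String userTenancy, String objectTenancy) {
        return bypass || userTenancy.equals(objectTenancy);
    }

    public static void main(String[] args) {
        // What a test extension might set up: an ordinary user granted the role.
        // The role instance differs in description but is equal by name.
        User tester = new User("sven", Set.of(
                new Role("demo-access-all", "granted for the test run"),
                new Role("demo-regular-user", null)));
        User plain = new User("joe", Set.of(new Role("demo-regular-user", null)));

        String userTenancy = "/ITA";   // constructed tenancy paths
        String objectTenancy = "/FRA";

        // Equality check: the tester is not the system user, so tenancy still applies.
        System.out.println("tester, equality check: "
                + visible(isSystemUserByEquality(tester), userTenancy, objectTenancy)); // false
        // Role check: the granted role is honoured, so the tenancy gate is bypassed.
        System.out.println("tester, role check:     "
                + visible(hasAccessAllRole(tester), userTenancy, objectTenancy));       // true
        // The system user passes under either definition.
        System.out.println("system, equality check: "
                + visible(isSystemUserByEquality(SYSTEM_USER), userTenancy, objectTenancy)); // true
        System.out.println("system, role check:     "
                + visible(hasAccessAllRole(SYSTEM_USER), userTenancy, objectTenancy));       // true
        // A user without the role is restricted under either definition.
        System.out.println("plain,  role check:     "
                + visible(hasAccessAllRole(plain), userTenancy, objectTenancy));        // false
    }
}
```

The role check only behaves this way because `Role` compares by name; with identity-based `equals`, the tester's separately constructed role instance would not match `ACCESS_ALL`.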


[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645640#comment-17645640
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit f8dd79967c6ebf49488036b2f9484e6e473265e1 in isis's branch 
refs/heads/master from Daniel Keir Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=f8dd79967c ]

Merge pull request #1252 from apache/ISIS-3303

ISIS-3303: reworks UserMemento#isSystem to instead be a check ...



[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645639#comment-17645639
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 3f9e51b0383124b598cf8f556a973177dfc50b02 in isis's branch 
refs/heads/master from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=3f9e51b038 ]

ISIS-3303: fixes unit test by locking down the value semantics of UserMemento 
and RoleMemento more clearly




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645635#comment-17645635
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 6883fee9b764504f8ecbaeb387375e630cb322b0 in isis's branch 
refs/heads/master from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=6883fee9b7 ]

ISIS-3303: adds trivial improvements to build.sh




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645634#comment-17645634
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit fb8d558496088726299a84b03836d5d0b3b0cb54 in isis's branch 
refs/heads/master from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=fb8d558496 ]

ISIS-3303: fixes (?) 'Invalid automatic module name' error for 
regressiontests-cmdexecauditsess-persistence-{jpa|jdo}




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645636#comment-17645636
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit ca9f44fae90d66f6d8dfac6574815e2730f4405c in isis's branch 
refs/heads/master from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=ca9f44fae9 ]

ISIS-3303: fixes (?) 'Invalid automatic module name' error for 
regressiontests-cmdexecauditsess-persistence-{jpa|jdo} (2)




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645633#comment-17645633
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 3dc857a473347f88d2a7077a4ab65bc4caf33aa7 in isis's branch 
refs/heads/master from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=3dc857a473 ]

ISIS-3303: fixes regression test, adds a new one




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645632#comment-17645632
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 9cce8147b08c20321018d13c497446ae752344ca in isis's branch 
refs/heads/master from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=9cce8147b0 ]

ISIS-3303: reworks UserMemento#isSystem to instead be a check for 
SudoService#ACCESS_ALL_ROLE




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645637#comment-17645637
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 13d3dacec81e3cca7ff7bee66302d4395d062002 in isis's branch 
refs/heads/master from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=13d3dacec8 ]

ISIS-3303: adds back in automaticModuleName etc for all regression tests

as still failing in my local build...




[GitHub] [isis] danhaywood merged pull request #1252: ISIS-3303: reworks UserMemento#isSystem to instead be a check ...

2022-12-10 Thread GitBox


danhaywood merged PR #1252:
URL: https://github.com/apache/isis/pull/1252





[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645628#comment-17645628
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 3f9e51b0383124b598cf8f556a973177dfc50b02 in isis's branch 
refs/heads/ISIS-3303 from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=3f9e51b038 ]

ISIS-3303: fixes unit test by locking down the value semantics of UserMemento 
and RoleMemento more clearly




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645614#comment-17645614
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 60cb4e55d783d98116edb4f3969b20761af6e4fb in isis's branch 
refs/heads/ISIS-3303 from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=60cb4e55d7 ]

ISIS-3303: makes stable regression tests artifacts consistent




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645611#comment-17645611
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 13d3dacec81e3cca7ff7bee66302d4395d062002 in isis's branch 
refs/heads/ISIS-3303 from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=13d3dacec8 ]

ISIS-3303: adds back in automaticModuleName etc for all regression tests

as still failing in my local build...




[jira] [Commented] (ISIS-3305) [DISCUSS] Re-platform on top of Spring security.

2022-12-10 Thread Andi Huber (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645610#comment-17645610
 ] 

Andi Huber commented on ISIS-3305:
--

Thanks for shedding some light on the greater picture behind our security 
stuff. You did answer quite a few questions I had. And I basically agree with 
your suggestions.

> [DISCUSS] Re-platform on top of Spring security.
> 
>
> Key: ISIS-3305
> URL: https://issues.apache.org/jira/browse/ISIS-3305
> Project: Isis
> Issue Type: Improvement
> Affects Versions: 2.0.0-M9
> Reporter: Daniel Keir Haywood
> Priority: Major
> Fix For: 2.1.0
>
>
> as per [https://the-asf.slack.com/archives/CFC42LWBV/p1670661588201299]
>  
> Andi's wish list of changes is: 
>  # drop Shiro support
>  # drop Keycloak support
>  # instead fully integrate with Spring Security
>  # drop SudoService
>  # instead provide impersonation via a specialized login page
>  # drop Wicket's .../login, .../logout
>  # instead provide simple replacements under /security/... central to the 
> application (not using Wicket)
> Why? Focus on one security stack and do that integration well
>  





[jira] [Commented] (ISIS-3305) [DISCUSS] Re-platform on top of Spring security.

2022-12-10 Thread Daniel Keir Haywood (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645609#comment-17645609
 ] 

Daniel Keir Haywood commented on ISIS-3305:
---

re: (2) Keycloak - as I say, today we do have a couple of classes that during 
login do claim/role/authority conversion, and for logout provide a callback for 
Keycloak.  This code could perhaps just be moved into our 
causeway-spring-security module, but there is some useful functionality there 
so it needs to reside somewhere.

And I am happy to maintain the docs rather than just refer folks to Baeldung, 
as it takes a while (for me at least) to piece together the parts, so having 
"our" procedure in one place is helpful (at least, I've found it to be helpful).



[jira] [Comment Edited] (ISIS-3305) [DISCUSS] Re-platform on top of Spring security.

2022-12-10 Thread Daniel Keir Haywood (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645605#comment-17645605
 ] 

Daniel Keir Haywood edited comment on ISIS-3305 at 12/10/22 12:58 PM:
--

In general, I like the idea of reducing proprietary stuff, and I like the idea 
that any login pages/logout would be reusable across all viewers.  

However, for Estatio we have been doing some work in this space, integrating 
Causeway v2 with an external OAuth provider (Azure AD/Office 365), whereby that 
external provider handles the login pages completely (same as Keycloak would).  
For the Wicket viewer, I don't think we had to make any changes to Causeway, 
but for Restful Objects it _will_ be necessary to make some small changes, to 
be tackled in Jan 2023... I expect one or two small PRs for that.  So it 
might make sense to let that work come in first.

Regarding dropping SudoService etc, I would rather not, as that impacts 
integration testing code.  These days it's just syntax sugar on top of the 
InteractionService.  Should InteractionService itself be refactored to 
integrate with Spring's SecurityContextHolder etc?  Maybe, but only if it 
continues to expose the same API for integration testing.

Should we change impersonation?  What I like about our current implementation 
is that it isn't necessary to logout and login with a different user, the 
effective user can be changed.  We use this feature a lot for Estatio, eg in 
doing demos and debugging issues.  Requiring a logout would be a retrograde 
step.

 

Below, in more detail:

re: (1) drop Shiro support

Yes, I would be ok about this

re: (2) drop Keycloak support ...

My recollection is that our Keycloak support is not much more than configuring 
Spring Security's OAuth support.  But looking at our code I see we have just a 
couple of classes there, that are mostly to handle the logout OAuth flow.

So, yes, I could see that this module could perhaps be removed, with the logout 
stuff instead becoming generic and usable across all viewers.  All that would 
remain of the keycloak module itself would be some docs/screenshots on how to 
set up Causeway for OAuth against Causeway.

re: (3) fully integrate with Spring Security

Yes, this makes sense, but let's wait until the PRs due in Jan 2023 arrive

re: (4) drop SudoService

No, SudoService is useful syntactical sugar over InteractionService, we use 
both in integration tests and also use InteractionService in quartz background 
cron jobs.  I would suggest that their APIs need to be preserved, but their 
implementation could indeed change to work with Spring Security in the various 
contexts.

For the record, the various contexts I see are:
 * a server-side auth flow for HTML viewers such as Wicket (where there's a 
redirect to the login pages of the OAuth provider etc)
 * a client-side auth flow for Rest APIs ... this is the PR for Jan 2023.  
 * integration testing, where we programmatically create a session with 
arbitrary user/roles.
 * Quartz cron jobs, where we again programmatically create a session with 
arbitrary user/roles

re: (5) impersonation via a login page

Not keen on this, feels retrograde from what we support at the moment

re: (6) drop Wicket's /login, /logout,   & (7) replace with Spring /security/

Think this is ok, to instead become generic support for all viewers.

However, we do today have support for custom registration pages etc, so I would 
want to make sure that the equivalent capabilities were still supported through 
OAuth (I suspect they are).  Or, at a very minimum, survey current users to see 
if these features can be removed.

 


was (Author: danhaywood):
re: (1) for dropping Keycloak support ...

I don't think we want to do this, because actually our Keycloak support is 
really nothing more than docs on how to configure Spring security's Oauth 
support.

 



[jira] [Commented] (ISIS-3305) [DISCUSS] Re-platform on top of Spring security.

2022-12-10 Thread Andi Huber (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645608#comment-17645608
 ] 

Andi Huber commented on ISIS-3305:
--

re: (2)  dropping Keycloak support ...

Why provide this with Apache Causeway, if there is already a Spring Security 
integration for Keycloak? (Let Spring do the documentation.)

https://www.baeldung.com/spring-boot-keycloak

 



[jira] [Updated] (ISIS-3305) [DISCUSS] Re-platform on top of Spring security.

2022-12-10 Thread Andi Huber (Jira)


 [ 
https://issues.apache.org/jira/browse/ISIS-3305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andi Huber updated ISIS-3305:
-
Description: 
as per [https://the-asf.slack.com/archives/CFC42LWBV/p1670661588201299]

 
Andi's wish list of changes is: 
 # drop Shiro support
 # drop Keycloak support
 # instead fully integrate with Spring Security
 # drop SudoService
 # instead provide impersonation via a specialized login page
 # drop Wicket's .../login, .../logout
 # instead provide simple replacements under /security/... central to the 
application (not using Wicket)

Why? Focus on one security stack and do that integration well
 

  was:
as per [https://the-asf.slack.com/archives/CFC42LWBV/p1670661588201299]

 
Andi's wish list of changes is: # drop Shiro support
 # drop Keycloak support
 # instead fully integrate with Spring Security
 # drop SudoService
 # instead provide impersonation via a specialized login page
 # drop Wicket's .../login, .../logout
 # instead provide simple replacements under /security/... central to the 
application (not using Wicket)

Why? Focus on one security stack and do that integration well
 




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645607#comment-17645607
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit ca9f44fae90d66f6d8dfac6574815e2730f4405c in isis's branch 
refs/heads/ISIS-3303 from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=ca9f44fae9 ]

ISIS-3303: fixes (?) 'Invalid automatic module name' error for 
regressiontests-cmdexecauditsess-persistence-{jpa|jdo} (2)


> Redefine UserMemento#isSystemUser to instead take into account 
> SudoService#accessAll role
> -
>
> Key: ISIS-3303
> URL: https://issues.apache.org/jira/browse/ISIS-3303
> Project: Isis
> Issue Type: Improvement
> Components: Isis Extensions SecMan
> Affects Versions: 2.0.0-M9
> Reporter: Daniel Keir Haywood
> Assignee: Daniel Keir Haywood
> Priority: Minor
> Fix For: 2.0.0-RC1
>
>
> We currently have two very similar notions that are meant to disable 
> permission checking (typically for integration tests), 
> `UserMemento#isSystemUser`, and separately the `SudoService#ACCESS_ALL` role, 
> as set up by the `NoPermissionsCheck` junit 5 extension.
> However, the `TenantedAuthorizationFacetDefault` is only aware of the former 
> of these, via `UserService#isCurrentUserWithSystemPrivileges`, and because 
> the UserMemento#isSystem is an equality check, the two mechanisms are 
> incompatible.
> Luckily, `TenantedAuthorizationFacetDefault` is the only usage of this API.  
> Therefore, the purpose of this improvement is to combine these two notions, 
> and refactor names from (real) "system user" (aka root) to (effective) user 
> (aka sudo).





[jira] [Commented] (ISIS-3305) [DISCUSS] Re-platform on top of Spring security.

2022-12-10 Thread Daniel Keir Haywood (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645605#comment-17645605
 ] 

Daniel Keir Haywood commented on ISIS-3305:
---

re: (1) for dropping Keycloak support ...

I don't think we want to do this, because actually our Keycloak support is 
really nothing more than docs on how to configure Spring Security's OAuth 
support.

 

> [DISCUSS] Re-platform on top of Spring security.
> 
>
> Key: ISIS-3305
> URL: https://issues.apache.org/jira/browse/ISIS-3305
> Project: Isis
> Issue Type: Improvement
> Affects Versions: 2.0.0-M9
> Reporter: Daniel Keir Haywood
> Priority: Major
> Fix For: 2.1.0
>
>
> as per [https://the-asf.slack.com/archives/CFC42LWBV/p1670661588201299]
>  
> Andi's wish list of changes is: # drop Shiro support
>  # drop Keycloak support
>  # instead fully integrate with Spring Security
>  # drop SudoService
>  # instead provide impersonation via a specialized login page
>  # drop Wicket's .../login, .../logout
>  # instead provide simple replacements under /security/... central to the 
> application (not using Wicket)
> Why? Focus on one security stack and do that integration well
>  





[jira] [Updated] (ISIS-3305) [DISCUSS] Re-platform on top of Spring security.

2022-12-10 Thread Daniel Keir Haywood (Jira)


 [ 
https://issues.apache.org/jira/browse/ISIS-3305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daniel Keir Haywood updated ISIS-3305:
--
Fix Version/s: 2.1.0



[jira] [Created] (ISIS-3305) [DISCUSS] Re-platform on top of Spring security.

2022-12-10 Thread Daniel Keir Haywood (Jira)
Daniel Keir Haywood created ISIS-3305:
-

Summary: [DISCUSS] Re-platform on top of Spring security.
Key: ISIS-3305
URL: https://issues.apache.org/jira/browse/ISIS-3305
Project: Isis
Issue Type: Improvement
Affects Versions: 2.0.0-M9
Reporter: Daniel Keir Haywood


as per [https://the-asf.slack.com/archives/CFC42LWBV/p1670661588201299]

 
Andi's wish list of changes is: # drop Shiro support
 # drop Keycloak support
 # instead fully integrate with Spring Security
 # drop SudoService
 # instead provide impersonation via a specialized login page
 # drop Wicket's .../login, .../logout
 # instead provide simple replacements under /security/... central to the 
application (not using Wicket)

Why? Focus on one security stack and do that integration well
 





[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645600#comment-17645600
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit fb8d558496088726299a84b03836d5d0b3b0cb54 in isis's branch 
refs/heads/ISIS-3303 from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=fb8d558496 ]

ISIS-3303: fixes (?) 'Invalid automatic module name' error for 
regressiontests-cmdexecauditsess-persistence-{jpa|jdo}




[jira] [Commented] (ISIS-3303) Redefine UserMemento#isSystemUser to instead take into account SudoService#accessAll role

2022-12-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ISIS-3303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17645601#comment-17645601
 ] 

ASF subversion and git services commented on ISIS-3303:
---

Commit 6883fee9b764504f8ecbaeb387375e630cb322b0 in isis's branch 
refs/heads/ISIS-3303 from Dan Haywood
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=6883fee9b7 ]

ISIS-3303: adds trivial improvements to build.sh

