Re: Swarm: Link authorization

2008-05-16 Thread Andrea Jahn 


 

The DataPermission solution works :)

Thanks
Andrea


*Von:* users@wicket.apache.org
*Gesendet:* 15.05.08 16:06:54
*An:* users@wicket.apache.org
*Betreff:* Re: Swarm: Link authorization



Yes there are other solutions :)

In this case you would use a DataPermission.
Something like
permission ${DataPermission} delete_product, enable;
coupled with a DatasecurityCheck on your links like so:
setSecurityCheck(new DataSecurityCheck(delete_product));
will do the trick.

Maurice

On Thu, May 15, 2008 at 3:22 PM, Andrea Jahn [EMAIL PROTECTED] wrote:


 Hi,

 for every item in a table there's a delete link, which should be only 
 visible for certain users.

 ProductAreaListPage.html:
 -

 tr wicket:id=productAreaTable class=list
 tdspan wicket:id=id[id]/span/td
 tdspan wicket:id=name[name]/span/td
 tdspan wicket:id=description[description]/span/td
 tda wicket:id=editProductAreaEdithellip;/a/td
 tda wicket:id=adminProductsProductshellip;/a/td
 tda wicket:id=deleteProductAreaDeletehellip;/a/td
 /tr

 I created a class for the secure link:
 ---

 public abstract class SecureLink extends Link implements ISecureComponent
 {
 private static final long serialVersionUID = 1L;

 public SecureLink(String id, Class c)
 {
 super(id);
 setSecurityCheck(new LinkSecurityCheck(this, c));
 }

 public ISecurityCheck getSecurityCheck()
 {
 return SecureComponentHelper.getSecurityCheck(this);
 }

 public boolean isActionAuthorized(String waspAction)
 {
 return SecureComponentHelper.isActionAuthorized(this, waspAction);
 }

 public boolean isActionAuthorized(WaspAction action)
 {
 return SecureComponentHelper.isActionAuthorized(this, action);
 }

 public boolean isAuthenticated()
 {
 return SecureComponentHelper.isAuthenticated(this);
 }

 public void setSecurityCheck(ISecurityCheck check)
 {
 SecureComponentHelper.setSecurityCheck(this, check);
 }
 }

 First I tried to use the ComponentSecurityCheck, because I have no real click 
 target ( I used ProductAreaListPage.class as parameter in the constructor as 
 dummy). Because the LinkSecurityCheck behaves as ClassSecurityCheck per 
 default, I called setUseAlternativeRenderCheck to change to 
 ComponentSecurityCheck.


 ProductAreaListPage.java:
 -
 private class ProductAreaVisibleDataView extends ProductAreaDataView
 {
 public ProductAreaVisibleDataView(String id, IDataProvider dataProvider) {
 super(id, dataProvider);
 }

 protected void populateItem(final Item item) {
 super.populateItem(item);
 final ProductArea productArea = (ProductArea) item.getModelObject();

 SecureLink deleteLink = new SecureLink(deleteProductArea, 
 ProductAreaListPage.class) {
 private static final long serialVersionUID = 1L;

 public void onClick() {
 if (productArea.getDeleted())
 return;

 productArea.setDeleted(true);
 productAreaService.save(productArea);
 invalidateDataProviders();
 }
 };
 ((LinkSecurityCheck)deleteLink.getSecurityCheck()).setUseAlternativeRenderCheck(true);
 item.add(deleteLink);
 }
 }



 Because the wicket id deleteProductArea exists for each item in the list, my 
 policy file would need such permission for each item. This is no real 
 solution, because I don't know, how many items the list will contain (But it 
 worked in the example for the first 4 items).


 Appl.hive:
 
 // Product area list page - Delete link
 permission ${ComponentPermission} 
 ${front}.ProductAreaListPage:resultPanel:productAreaTable:1:deleteProductArea,
  inherit, render;
 permission ${ComponentPermission} 
 ${front}.ProductAreaListPage:resultPanel:productAreaTable:2:deleteProductArea,
  inherit, render;
 permission ${ComponentPermission} 
 ${front}.ProductAreaListPage:resultPanel:productAreaTable:3:deleteProductArea,
  inherit, render;
 permission ${ComponentPermission} 
 ${front}.ProductAreaListPage:resultPanel:productAreaTable:4:deleteProductArea,
  inherit, render;


 So I tried to change to use the ClassSecurityCheck. There the user must have 
 rights for the target class. I created a dummy class:

 ClickTargetDummy.java:
 --*

 *package xxx.yyy.zzz.front.security;

 public class ClickTargetDummy
 {
 }

 ProductAreaListPage.java:
 -

 SecureLink deleteLink = new SecureLink(deleteProductArea, 
 ClickTargetDummy.class) {
 private static final long serialVersionUID = 1L;

 public void onClick() {
 if (productArea.getDeleted())
 return;

 productArea.setDeleted(true);
 productAreaService.save(productArea);
 invalidateDataProviders();
 }
 };

 Appl.hive:
 -
 permission ${ComponentPermission} ${front}.security.ClickTargetDummy, 
 inherit, render, enable;



 This solution works, but I have to create the dummy class. Perhaps other 
 solutions are possible ???

 Thanks in advance
 Andrea









 Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
 *http://smartsurfer.web.de/?mc

Re: Swarm: Link authorization

2008-05-15 Thread Maurice Marrink 
Yes there are other solutions :)

In this case you would use a DataPermission.
Something like
permission ${DataPermission} delete_product, enable;
coupled with a DatasecurityCheck on your links  like so:
setSecurityCheck(new DataSecurityCheck(delete_product));
will do the trick.

Maurice

On Thu, May 15, 2008 at 3:22 PM, Andrea Jahn [EMAIL PROTECTED] wrote:


 Hi,

 for every item in a table there's a delete link, which should be only 
 visible for certain users.

 ProductAreaListPage.html:
 -

 tr wicket:id=productAreaTable class=list
  tdspan wicket:id=id[id]/span/td
  tdspan wicket:id=name[name]/span/td
  tdspan wicket:id=description[description]/span/td
  tda wicket:id=editProductAreaEdithellip;/a/td
  tda wicket:id=adminProductsProductshellip;/a/td
  tda wicket:id=deleteProductAreaDeletehellip;/a/td
 /tr

 I created a class for the secure link:
 ---

 public abstract class SecureLink extends Link implements ISecureComponent
 {
  private static final long serialVersionUID = 1L;

  public SecureLink(String id, Class c)
  {
  super(id);
  setSecurityCheck(new LinkSecurityCheck(this, c));
  }

  public ISecurityCheck getSecurityCheck()
  {
  return SecureComponentHelper.getSecurityCheck(this);
  }

  public boolean isActionAuthorized(String waspAction)
  {
  return SecureComponentHelper.isActionAuthorized(this, waspAction);
  }

  public boolean isActionAuthorized(WaspAction action)
  {
  return SecureComponentHelper.isActionAuthorized(this, action);
  }

  public boolean isAuthenticated()
  {
  return SecureComponentHelper.isAuthenticated(this);
  }

  public void setSecurityCheck(ISecurityCheck check)
  {
  SecureComponentHelper.setSecurityCheck(this, check);
  }
 }

 First I tried to use the ComponentSecurityCheck, because I have no real click 
 target ( I used ProductAreaListPage.class as parameter in the constructor as 
 dummy). Because the LinkSecurityCheck behaves as ClassSecurityCheck per 
 default, I called setUseAlternativeRenderCheck to change to 
 ComponentSecurityCheck.


 ProductAreaListPage.java:
 -
 private class ProductAreaVisibleDataView extends ProductAreaDataView
 {
  public ProductAreaVisibleDataView(String id, IDataProvider dataProvider) {
  super(id, dataProvider);
  }

  protected void populateItem(final Item item) {
  super.populateItem(item);
  final ProductArea productArea = (ProductArea) item.getModelObject();

  SecureLink deleteLink = new SecureLink(deleteProductArea, 
 ProductAreaListPage.class) {
  private static final long serialVersionUID = 1L;

  public void onClick() {
  if (productArea.getDeleted())
  return;

  productArea.setDeleted(true);
  productAreaService.save(productArea);
  invalidateDataProviders();
  }
  };
  
 ((LinkSecurityCheck)deleteLink.getSecurityCheck()).setUseAlternativeRenderCheck(true);
  item.add(deleteLink);
  }
  }



 Because the wicket id deleteProductArea exists for each item in the list, my 
 policy file would need such permission for each item. This is no real 
 solution, because I don't know, how many items the list will contain (But it 
 worked in the example for the first 4 items).


 Appl.hive:
 
 // Product area list page - Delete link
 permission ${ComponentPermission} 
 ${front}.ProductAreaListPage:resultPanel:productAreaTable:1:deleteProductArea,
  inherit, render;
 permission ${ComponentPermission} 
 ${front}.ProductAreaListPage:resultPanel:productAreaTable:2:deleteProductArea,
  inherit, render;
 permission ${ComponentPermission} 
 ${front}.ProductAreaListPage:resultPanel:productAreaTable:3:deleteProductArea,
  inherit, render;
 permission ${ComponentPermission} 
 ${front}.ProductAreaListPage:resultPanel:productAreaTable:4:deleteProductArea,
  inherit, render;


 So I tried to change to use the ClassSecurityCheck. There the user must have 
 rights for the target class. I created a dummy class:

 ClickTargetDummy.java:
 --*

 *package xxx.yyy.zzz.front.security;

 public class ClickTargetDummy
 {
 }

 ProductAreaListPage.java:
 -

 SecureLink deleteLink = new SecureLink(deleteProductArea, 
 ClickTargetDummy.class) {
 private static final long serialVersionUID = 1L;

 public void onClick() {
  if (productArea.getDeleted())
  return;

  productArea.setDeleted(true);
  productAreaService.save(productArea);
  invalidateDataProviders();
 }
 };

 Appl.hive:
 -
 permission ${ComponentPermission} ${front}.security.ClickTargetDummy, 
 inherit, render, enable;



 This solution works, but I have to create the dummy class. Perhaps other 
 solutions are possible ???

 Thanks in advance
 Andrea









 Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
 *http://smartsurfer.web.de/?mc=100071distributionid=0066* 
 [http://smartsurfer.web.de/?mc=100071distributionid=0066]