Re: Swarm: Link authorization
The DataPermission solution works :) Thanks Andrea *Von:* users@wicket.apache.org *Gesendet:* 15.05.08 16:06:54 *An:* users@wicket.apache.org *Betreff:* Re: Swarm: Link authorization Yes there are other solutions :) In this case you would use a DataPermission. Something like permission ${DataPermission} "delete_product", "enable"; coupled with a DatasecurityCheck on your links like so: setSecurityCheck(new DataSecurityCheck("delete_product")); will do the trick. Maurice On Thu, May 15, 2008 at 3:22 PM, Andrea Jahn <[EMAIL PROTECTED]> wrote: > > > Hi, > > for every item in a table there's a "delete" link, which should be only > visible for certain users. > > ProductAreaListPage.html: > - > > > [id] > [name] > [description] > Edit… > Products… > Delete… > > > I created a class for the secure link: > --- > > public abstract class SecureLink extends Link implements ISecureComponent > { > private static final long serialVersionUID = 1L; > > public SecureLink(String id, Class c) > { > super(id); > setSecurityCheck(new LinkSecurityCheck(this, c)); > } > > public ISecurityCheck getSecurityCheck() > { > return SecureComponentHelper.getSecurityCheck(this); > } > > public boolean isActionAuthorized(String waspAction) > { > return SecureComponentHelper.isActionAuthorized(this, waspAction); > } > > public boolean isActionAuthorized(WaspAction action) > { > return SecureComponentHelper.isActionAuthorized(this, action); > } > > public boolean isAuthenticated() > { > return SecureComponentHelper.isAuthenticated(this); > } > > public void setSecurityCheck(ISecurityCheck check) > { > SecureComponentHelper.setSecurityCheck(this, check); > } > } > > First I tried to use the ComponentSecurityCheck, because I have no real click > target ( I used ProductAreaListPage.class as parameter in the constructor as > dummy). Because the LinkSecurityCheck behaves as ClassSecurityCheck per > default, I called setUseAlternativeRenderCheck to change to > ComponentSecurityCheck. > > > ProductAreaListPage.java: > - > private class ProductAreaVisibleDataView extends ProductAreaDataView > { > public ProductAreaVisibleDataView(String id, IDataProvider dataProvider) { > super(id, dataProvider); > } > > protected void populateItem(final Item item) { > super.populateItem(item); > final ProductArea productArea = (ProductArea) item.getModelObject(); > > SecureLink deleteLink = new SecureLink("deleteProductArea", > ProductAreaListPage.class) { > private static final long serialVersionUID = 1L; > > public void onClick() { > if (productArea.getDeleted()) > return; > > productArea.setDeleted(true); > productAreaService.save(productArea); > invalidateDataProviders(); > } > }; > ((LinkSecurityCheck)deleteLink.getSecurityCheck()).setUseAlternativeRenderCheck(true); > item.add(deleteLink); > } > } > > > > Because the wicket id deleteProductArea exists for each item in the list, my > policy file would need such permission for each item. This is no real > solution, because I don't know, how many items the list will contain (But it > worked in the example for the first 4 items). > > > Appl.hive: > > // Product area list page - Delete link > permission ${ComponentPermission} > "${front}.ProductAreaListPage:resultPanel:productAreaTable:1:deleteProductArea", > "inherit, render"; > permission ${ComponentPermission} > "${front}.ProductAreaListPage:resultPanel:productAreaTable:2:deleteProductArea", > "inherit, render"; > permission ${ComponentPermission} > "${front}.ProductAreaListPage:resultPanel:productAreaTable:3:deleteProductArea", > "inherit, render"; > permission ${ComponentPermission} > "${front}.ProductAreaListPage:resultPanel:productAreaTable:4:deleteProductArea", > "inherit, render"; > > > So I tried to change to use the ClassSecurityCheck. There the user must have > rights for the target class. I created a dummy class: > > ClickTargetDummy.java: > --* > > *package xxx.yyy.zzz.front.security; > > public class ClickTargetDummy > { > } > > ProductAreaListPage.java: > - > > SecureLink deleteLink = new SecureLink("deleteProductArea", > ClickTargetDummy.class) { > private static final long serialVersionUID = 1L; > > public void onClick() { > if (productArea.getDeleted()) >
Re: Swarm: Link authorization
Yes there are other solutions :) In this case you would use a DataPermission. Something like permission ${DataPermission} "delete_product", "enable"; coupled with a DatasecurityCheck on your links like so: setSecurityCheck(new DataSecurityCheck("delete_product")); will do the trick. Maurice On Thu, May 15, 2008 at 3:22 PM, Andrea Jahn <[EMAIL PROTECTED]> wrote: > > > Hi, > > for every item in a table there's a "delete" link, which should be only > visible for certain users. > > ProductAreaListPage.html: > - > > > [id] > [name] > [description] > Edit… > Products… > Delete… > > > I created a class for the secure link: > --- > > public abstract class SecureLink extends Link implements ISecureComponent > { > private static final long serialVersionUID = 1L; > > public SecureLink(String id, Class c) > { > super(id); > setSecurityCheck(new LinkSecurityCheck(this, c)); > } > > public ISecurityCheck getSecurityCheck() > { > return SecureComponentHelper.getSecurityCheck(this); > } > > public boolean isActionAuthorized(String waspAction) > { > return SecureComponentHelper.isActionAuthorized(this, waspAction); > } > > public boolean isActionAuthorized(WaspAction action) > { > return SecureComponentHelper.isActionAuthorized(this, action); > } > > public boolean isAuthenticated() > { > return SecureComponentHelper.isAuthenticated(this); > } > > public void setSecurityCheck(ISecurityCheck check) > { > SecureComponentHelper.setSecurityCheck(this, check); > } > } > > First I tried to use the ComponentSecurityCheck, because I have no real click > target ( I used ProductAreaListPage.class as parameter in the constructor as > dummy). Because the LinkSecurityCheck behaves as ClassSecurityCheck per > default, I called setUseAlternativeRenderCheck to change to > ComponentSecurityCheck. > > > ProductAreaListPage.java: > - > private class ProductAreaVisibleDataView extends ProductAreaDataView > { > public ProductAreaVisibleDataView(String id, IDataProvider dataProvider) { > super(id, dataProvider); > } > > protected void populateItem(final Item item) { > super.populateItem(item); > final ProductArea productArea = (ProductArea) item.getModelObject(); > > SecureLink deleteLink = new SecureLink("deleteProductArea", > ProductAreaListPage.class) { > private static final long serialVersionUID = 1L; > > public void onClick() { > if (productArea.getDeleted()) > return; > > productArea.setDeleted(true); > productAreaService.save(productArea); > invalidateDataProviders(); > } > }; > > ((LinkSecurityCheck)deleteLink.getSecurityCheck()).setUseAlternativeRenderCheck(true); > item.add(deleteLink); > } > } > > > > Because the wicket id deleteProductArea exists for each item in the list, my > policy file would need such permission for each item. This is no real > solution, because I don't know, how many items the list will contain (But it > worked in the example for the first 4 items). > > > Appl.hive: > > // Product area list page - Delete link > permission ${ComponentPermission} > "${front}.ProductAreaListPage:resultPanel:productAreaTable:1:deleteProductArea", > "inherit, render"; > permission ${ComponentPermission} > "${front}.ProductAreaListPage:resultPanel:productAreaTable:2:deleteProductArea", > "inherit, render"; > permission ${ComponentPermission} > "${front}.ProductAreaListPage:resultPanel:productAreaTable:3:deleteProductArea", > "inherit, render"; > permission ${ComponentPermission} > "${front}.ProductAreaListPage:resultPanel:productAreaTable:4:deleteProductArea", > "inherit, render"; > > > So I tried to change to use the ClassSecurityCheck. There the user must have > rights for the target class. I created a dummy class: > > ClickTargetDummy.java: > --* > > *package xxx.yyy.zzz.front.security; > > public class ClickTargetDummy > { > } > > ProductAreaListPage.java: > - > > SecureLink deleteLink = new SecureLink("deleteProductArea", > ClickTargetDummy.class) { > private static final long serialVersionUID = 1L; > > public void onClick() { > if (productArea.getDeleted()) > return; > > productArea.setDeleted(true); > productAreaService.save(productArea); > invalidateDataProviders(); > } > }; > > Appl.hive: > - > permission ${ComponentPermission} "${front}.security.ClickTargetDummy", > "inherit, render, enable"; > > > > This solution works, but I have to create the dummy class. Perhaps other > solutions are possible ??? > > Thanks in advance > Andrea > > > > > > > > > > Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! > *http://smartsurfer.web.de/?mc=100071&distributionid=0066* > [http://smartsurfer.web.de/?mc=100071&distributionid=0066] > - To unsubscribe, e-mail:
Swarm: Link authorization
Hi, for every item in a table there's a "delete" link, which should be only visible for certain users. ProductAreaListPage.html: - [id] [name] [description] Edit… Products… Delete… I created a class for the secure link: --- public abstract class SecureLink extends Link implements ISecureComponent { private static final long serialVersionUID = 1L; public SecureLink(String id, Class c) { super(id); setSecurityCheck(new LinkSecurityCheck(this, c)); } public ISecurityCheck getSecurityCheck() { return SecureComponentHelper.getSecurityCheck(this); } public boolean isActionAuthorized(String waspAction) { return SecureComponentHelper.isActionAuthorized(this, waspAction); } public boolean isActionAuthorized(WaspAction action) { return SecureComponentHelper.isActionAuthorized(this, action); } public boolean isAuthenticated() { return SecureComponentHelper.isAuthenticated(this); } public void setSecurityCheck(ISecurityCheck check) { SecureComponentHelper.setSecurityCheck(this, check); } } First I tried to use the ComponentSecurityCheck, because I have no real click target ( I used ProductAreaListPage.class as parameter in the constructor as dummy). Because the LinkSecurityCheck behaves as ClassSecurityCheck per default, I called setUseAlternativeRenderCheck to change to ComponentSecurityCheck. ProductAreaListPage.java: - private class ProductAreaVisibleDataView extends ProductAreaDataView { public ProductAreaVisibleDataView(String id, IDataProvider dataProvider) { super(id, dataProvider); } protected void populateItem(final Item item) { super.populateItem(item); final ProductArea productArea = (ProductArea) item.getModelObject(); SecureLink deleteLink = new SecureLink("deleteProductArea", ProductAreaListPage.class) { private static final long serialVersionUID = 1L; public void onClick() { if (productArea.getDeleted()) return; productArea.setDeleted(true); productAreaService.save(productArea); invalidateDataProviders(); } }; ((LinkSecurityCheck)deleteLink.getSecurityCheck()).setUseAlternativeRenderCheck(true); item.add(deleteLink); } } Because the wicket id deleteProductArea exists for each item in the list, my policy file would need such permission for each item. This is no real solution, because I don't know, how many items the list will contain (But it worked in the example for the first 4 items). Appl.hive: // Product area list page - Delete link permission ${ComponentPermission} "${front}.ProductAreaListPage:resultPanel:productAreaTable:1:deleteProductArea", "inherit, render"; permission ${ComponentPermission} "${front}.ProductAreaListPage:resultPanel:productAreaTable:2:deleteProductArea", "inherit, render"; permission ${ComponentPermission} "${front}.ProductAreaListPage:resultPanel:productAreaTable:3:deleteProductArea", "inherit, render"; permission ${ComponentPermission} "${front}.ProductAreaListPage:resultPanel:productAreaTable:4:deleteProductArea", "inherit, render"; So I tried to change to use the ClassSecurityCheck. There the user must have rights for the target class. I created a dummy class: ClickTargetDummy.java: --* *package xxx.yyy.zzz.front.security; public class ClickTargetDummy { } ProductAreaListPage.java: - SecureLink deleteLink = new SecureLink("deleteProductArea", ClickTargetDummy.class) { private static final long serialVersionUID = 1L; public void onClick() { if (productArea.getDeleted()) return; productArea.setDeleted(true); productAreaService.save(productArea); invalidateDataProviders(); } }; Appl.hive: - permission ${ComponentPermission} "${front}.security.ClickTargetDummy", "inherit, render, enable"; This solution works, but I have to create the dummy class. Perhaps other solutions are possible ??? Thanks in advance Andrea Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! *http://smartsurfer.web.de/?mc=100071&distributionid=0066* [http://smartsurfer.web.de/?mc=100071&distributionid=0066]