I needed to authorize some pages not just by annotation but also based on
PageParameters.
I came up with this:
App.init()
((CompoundAuthorizationStrategy)getSecuritySettings().getAuthorizationStrategy())
.add(new RequiresRolesUnlessAdminAuthorizationStrategy(new
Roles("ADMIN")));
public interface IRequiresRole
{
Roles requiresRoles();
}
public class ProfilePage extends MyWebPage implements IRequiresRole
{
private String id;
public ProfilePage(PageParameters p) {
id = p.get("id").toString();
}
public Roles requiresRoles() {
return new Roles(id); // I'm just using the id as a role for
testing but you can lookup your object and see what roles it needs here
}
}
And the fun one:
public class RequiresRolesUnlessAdminAuthorizationStrategy implements
IAuthorizationStrategy {
private Roles alwaysAllow;
public RequiresRolesUnlessAdminAuthorizationStrategy(Roles alwaysAllow)
{
this.alwaysAllow = alwaysAllow;
}
public boolean isActionAuthorized(Component component, Action action) {
if (component instanceof IRequiresRole)
{
Roles r = ((IRequiresRole) component).requiresRoles();
return AuthenticatedWebSession.get().isSignedIn() &&
(
AuthenticatedWebSession.get().getRoles().hasAllRoles(r)
||
(alwaysAllow != null &&
AuthenticatedWebSession.get().getRoles().hasAnyRole(alwaysAllow))
);
}
return true;
}
public <T extends IRequestableComponent> boolean
isInstantiationAuthorized(
Class<T> componentClass) {
return true;
}
}
So if you are ADMIN you can do anything, otherwise you need whatever role
corresponds to object identified by the PageParameter id.
Am I re-inventing someone's wheel here, or does this sound good?
Thanks,
-- Jim.
