Hi all,
I am currently running through Apache OFBiz Development: The Beginner's
Tutorial by Howell and Wong.
I have my dev environment set up in IntelliJ and so far the examples have
all more-or-less worked. I am up to Chapter 11, Permissions and the Service
Engine, and have hit some issues.
The example setup in the "learning" component is as follows:
${component:learning}\servicedef\services.xml
---------------------------------------------
<service name="learningCallingServiceOneWithPermission" engine="java"
        location="org.ofbiz.learning.learning.LearningServices"
        invoke="callingServiceOne">
    <description>First Service Called From The Controller</description>
    <required-permissions join-type="OR">
        <check-permission permission="LEARN_VIEW"/>
    </required-permissions>
    <implements service="learningInterface"/>
</service>
${webapp:learning}\WEB-INF\controller.xml
-----------------------------------------
<request-map uri="TestPermissions">
    <security auth="true" https="true"/>
    <response name="success" type="view"
            value="TestCallingServicesWithPermission"/>
    <response name="error" type="view" value="login"/>
</request-map>
<request-map uri="TestCallingServicesWithPermission">
    <security auth="true" https="true"/>
    <event type="service" invoke="learningCallingServiceOneWithPermission"/>
    <response name="success" type="view"
            value="TestCallingServicesWithPermission"/>
    <response name="error" type="view"
            value="TestCallingServicesWithPermission"/>
</request-map>
and
<view-map name="TestCallingServicesWithPermission" type="screen"
        page="component://learning/widget/learning/LearningScreens.xml#TestCallingServicesWithPermission"/>
${component:learning}\widget\learning\LearningScreens.xml
---------------------------------------------------------
<screen name="TestFirstService">
    <section>
        <widgets>
            <section>
                <condition><if-empty field-name="formTarget"/></condition>
                <actions>
                    <set field="formTarget" value="TestFirstService"/>
                    <set field="title" value="Testing Our First Service"/>
                </actions>
                <widgets/>
            </section>
            <decorator-screen name="main-decorator"
                    location="${parameters.mainDecoratorLocation}">
                <decorator-section name="body">
                    <include-form name="TestingServices"
                            location="component://learning/widget/learning/LearningForms.xml"/>
                    <label text="Full Name: ${parameters.fullName}"/>
                </decorator-section>
            </decorator-screen>
        </widgets>
    </section>
</screen>
...
<screen name="TestCallingServicesWithPermission">
    <section>
        <actions>
            <set field="formTarget"
                    value="TestCallingServicesWithPermission"/>
        </actions>
        <widgets>
            <include-screen name="TestFirstService"/>
        </widgets>
    </section>
</screen>
${component:learning}\widget\learning\LearningForms.xml
-------------------------------------------------------
<form name="TestingServices" type="single" target="${formTarget}">
    <field name="firstName"><text/></field>
    <field name="lastName"><text/></field>
    <field name="planetId"><text/></field>
    <field name="submit"><submit/></field>
</form>
With regard to permissions, I have them set up as follows as per Chapter 9:
User     Security Group  SecurityPermission  User/Security Group From Date  User/Security Group Thru Date
---------------------------------------------------------------------------------------------------------
allowed  LEARNSCREENS    LEARN_VIEW          2015-06-15 19:34:15.832        NULL
denied   LEARNSCREENS    LEARN_VIEW          2015-06-13 18:57:44.724        2015-06-13 18:57:44.724
"        LEARNSCREENS    LEARN_VIEW          2015-06-13 18:57:44.000        2015-06-13 19:33:47.000
Under the above configuration, the permissions checks work as advertised,
and "allowed" is able to call the service while "denied" is not.
The next section of the chapter talks about two-part permissions, and makes
the following changes to the configuration. Apparently, OFBiz is supposed
to interpret the underscore in the permission attribute as some sort of
tokenising character, where the first token "LEARN" becomes the permission,
and the second part "VIEW" becomes an action. This seems "loose" to me but
nevertheless.
${component:learning}\servicedef\services.xml
---------------------------------------------
<check-permission permission="LEARN_VIEW"/>
becomes
<check-permission permission="LEARN" action="VIEW"/>
According to the text, the authorisation behaviour should remain exactly
the same. In other words, the check-permission elements are equivalent. But
this is not the case. Under the modified configuration, neither "allowed"
nor "denied" is able to call the service. I also don't see a "LEARN" item
in the SecurityPermission entity anywhere, so I don't see how this should
work in the first place.
Is this tokenised approach deprecated? Or is there something else going on?
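
An added example, not part of the original post and not OFBiz code: a small Python model of the one-part and two-part permission lookups, run against the group membership rows from the table in the post. It assumes, as a labelled assumption about OFBiz's Security.hasEntityPermission, that the two-part check concatenates permission and action with no separator inserted (and also accepts an "_ADMIN" id); under that assumption action="VIEW" looks up "LEARNVIEW" and fails for both users, while action="_VIEW" resolves to "LEARN_VIEW".

```python
from datetime import datetime

# Constructed data mirroring the table in the post; the row whose user is a
# ditto mark is read here as a second "denied" membership (an assumption).
MEMBERSHIPS = [  # (userLoginId, groupId, fromDate, thruDate)
    ("allowed", "LEARNSCREENS", datetime(2015, 6, 15, 19, 34, 15, 832000), None),
    ("denied", "LEARNSCREENS", datetime(2015, 6, 13, 18, 57, 44, 724000),
     datetime(2015, 6, 13, 18, 57, 44, 724000)),
    ("denied", "LEARNSCREENS", datetime(2015, 6, 13, 18, 57, 44),
     datetime(2015, 6, 13, 19, 33, 47)),
]
GROUP_PERMISSIONS = {("LEARNSCREENS", "LEARN_VIEW")}  # (groupId, permissionId)
NOW = datetime(2015, 6, 16)  # constructed evaluation time, after every date above


def active_groups(user, now=NOW):
    """Groups whose from/thru window contains `now` (NULL thru date = open-ended)."""
    return {g for u, g, start, end in MEMBERSHIPS
            if u == user and start <= now and (end is None or now < end)}


def has_permission(user, permission_id, now=NOW):
    """Exact-match lookup: used when check-permission has no action attribute."""
    return any((g, permission_id) in GROUP_PERMISSIONS
               for g in active_groups(user, now))


def has_entity_permission(user, entity, action, now=NOW):
    """Two-part lookup. Assumption: the id is entity + action with no separator
    inserted, and entity + "_ADMIN" is also accepted."""
    return (has_permission(user, entity + "_ADMIN", now)
            or has_permission(user, entity + action, now))


def check_permission(user, permission, action=None, now=NOW):
    """Dispatch on the presence of the action attribute, as modelled here."""
    if action is None:
        return has_permission(user, permission, now)
    return has_entity_permission(user, permission, action, now)


if __name__ == "__main__":
    for perm, act in [("LEARN_VIEW", None), ("LEARN", "VIEW"), ("LEARN", "_VIEW")]:
        for user in ("allowed", "denied"):
            print(user, perm, act, check_permission(user, perm, act))
```

The "denied" user fails every check because both membership rows have a thru date in the past, independent of how the permission id is spelled.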