Thanks Dan, We'll have a play around with these ideas.
Regards,
David.

________________________________
From: Dan Haywood <[email protected]>
To: users <[email protected]>; David Tildesley <[email protected]>
Sent: Friday, 16 August 2013 7:19 AM
Subject: Re: Allow the user to choose a role to work within that role context.

Apols for not replying on this sooner.

I suppose you might have figured out an approach already, but the only approach I can think of (as alluded to in another thread quite recently) is to have a custom Authenticator (plugged into AuthenticationManager) that loops back to the domain itself, to determine the roles. I could imagine we would then make this mutable, so that the end-user can manipulate the roles in effect. There might need to be some way to invalidate/refresh the user/roles as held in the AuthenticationSession, but as that is an interface I guess the Authenticator could do whatever it needs.

For example, in our domain we would have:

[User]-permitted-*>[Role]
[User]-inEffect-*>[Role]

The Authenticator would only return those roles that are tagged as being "in effect".

The application would provide a page for the user to access their corresponding "User" object (eg a "me()" action). On this page the user could select/deselect other roles that are permitted.

~~~
If using Shiro, then it already has its own ShiroAuthenticatorOrAuthorizor. This really has three responsibilities:

a. as an Authenticator, to check the credentials (user/password), identifying a principal
b. as an Authenticator, to determine the roles for the principal
c. as an Authorizor, to perform permission checks for the roles of the principal.

What we might want, for this requirement, is for (b) to be pluggable - not necessarily use a Shiro realm. With that in mind I've just done a two-second edit to change its getRoles() method from private to protected visibility such that this could be done if need be.

HTH
Dan

On 7 August 2013 08:02, David Tildesley <[email protected]> wrote:

> Hi,
>
> A question. A user may have a number of roles when using ISIS (i.e.
> org.apache.isis.security.UserMemento has a list of roles > 1). How hard
> would it be to let the user choose which role they want to use for the
> session.
>
> The story:
>
> 1. As an administrator of the application I am also a "normal user" of the
> application and I would like to see the "reduced" view of the application
> that a normal user would see by choosing my "normal user" role to be used
> in the session.
>
> Any ideas/ pointers would be appreciated.
>
> Thanks,
> David.
>
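
The permitted/in-effect model described in Dan's reply, as an added example that is not part of the original thread and is not Apache Isis or Shiro code. The class and method names (`User`, `putInEffect`, `takeOutOfEffect`, `revoke`, `rolesForSession`) and the role names are hypothetical; the point shown is that a user can only narrow or restore roles they are already permitted, never widen them.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical domain model for illustration; not Apache Isis or Shiro classes.
public class RolesInEffectExample {

    static final class User {
        private final Set<String> permitted = new LinkedHashSet<>();
        private final Set<String> inEffect = new LinkedHashSet<>();

        User(Set<String> permittedRoles) {
            permitted.addAll(permittedRoles);
            inEffect.addAll(permittedRoles); // default: every permitted role is active
        }

        // Called from the user's own "me()" page: only permitted roles can be activated.
        boolean putInEffect(String role) {
            if (!permitted.contains(role)) return false; // refuse self-escalation
            inEffect.add(role);
            return true;
        }

        void takeOutOfEffect(String role) { inEffect.remove(role); }

        // Administrative change: revoking a permitted role also deactivates it.
        void revoke(String role) {
            permitted.remove(role);
            inEffect.remove(role);
        }

        // What a custom authenticator's role lookup would hand to the session.
        // Intersecting with 'permitted' again means stale or tampered in-effect
        // data can never yield a role the user does not hold.
        Set<String> rolesForSession() {
            Set<String> roles = new LinkedHashSet<>(inEffect);
            roles.retainAll(permitted);
            return Collections.unmodifiableSet(roles);
        }
    }

    public static void main(String[] args) {
        User david = new User(Set.of("admin", "normal-user")); // constructed sample data
        david.takeOutOfEffect("admin");             // administrator opts into the reduced view
        System.out.println(david.rolesForSession());
        System.out.println(david.putInEffect("auditor")); // not a permitted role for this user
        System.out.println(david.putInEffect("admin"));   // permitted, so it can be restored
        System.out.println(david.rolesForSession());
    }
}
```

Roles already held in an AuthenticationSession would still need the invalidate/refresh step mentioned in the reply before a change made this way takes effect.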
